fix: replace weak hash functions with SHA-256

gyp/pylib/gyp/MSVSNew.py

@@ -34,7 +34,7 @@ def MakeGuid(name, seed="msvs_new"):
 
   Args:
     name: Target name.
-    seed: Seed for MD5 hash.
+    seed: Seed for SHA-256 hash.
   Returns:
     A GUID-line string calculated from the name and seed.
 
@@ -44,8 +44,8 @@ def MakeGuid(name, seed="msvs_new"):
   determine the GUID to refer to explicitly.  It also means that the GUID will
   not change when the project for a target is rebuilt.
   """
-    # Calculate a MD5 signature for the seed and name.
-    d = hashlib.md5((str(seed) + str(name)).encode("utf-8")).hexdigest().upper()
+    # Calculate a SHA-256 signature for the seed and name.
+    d = hashlib.sha256((str(seed) + str(name)).encode("utf-8")).hexdigest().upper()
     # Convert most of the signature to GUID form (discard the rest)
     guid = (
         "{"

gyp/pylib/gyp/generator/make.py

@@ -78,7 +78,7 @@
 
         # Copy additional generator configuration data from Xcode, which is shared
         # by the Mac Make generator.
         import gyp.generator.xcode as xcode_generator
 
         global generator_additional_non_configuration_keys
         generator_additional_non_configuration_keys = getattr(
@@ -2163,7 +2163,7 @@
             # - The multi-output rule will have an do-nothing recipe.
 
             # Hash the target name to avoid generating overlong filenames.
-            cmddigest = hashlib.sha1(
+            cmddigest = hashlib.sha256(
                 (command or self.target).encode("utf-8")
             ).hexdigest()
             intermediate = "%s.intermediate" % cmddigest

gyp/pylib/gyp/generator/ninja.py

@@ -811,7 +811,7 @@
                 if self.flavor == "win":
                     # WriteNewNinjaRule uses unique_name to create a rsp file on win.
                     extra_bindings.append(
-                        ("unique_name", hashlib.md5(outputs[0]).hexdigest())
+                        ("unique_name", hashlib.sha256(outputs[0].encode("utf-8")).hexdigest())
                     )
 
                 self.ninja.build(
@@ -1995,7 +1995,7 @@
 
         # Copy additional generator configuration data from Xcode, which is shared
         # by the Mac Ninja generator.
         import gyp.generator.xcode as xcode_generator
 
         generator_additional_non_configuration_keys = getattr(
             xcode_generator, "generator_additional_non_configuration_keys", []
@@ -2018,7 +2018,7 @@
 
         # Copy additional generator configuration data from VS, which is shared
         # by the Windows Ninja generator.
         import gyp.generator.msvs as msvs_generator
 
         generator_additional_non_configuration_keys = getattr(
             msvs_generator, "generator_additional_non_configuration_keys", []
@@ -2088,7 +2088,7 @@
         return pool_size
 
     if sys.platform in ("win32", "cygwin"):
         import ctypes
 
         class MEMORYSTATUSEX(ctypes.Structure):
             _fields_ = [
@@ -2811,7 +2811,7 @@
             build_file, name, toolset
         )
         qualified_target_for_hash = qualified_target_for_hash.encode("utf-8")
-        hash_for_rules = hashlib.md5(qualified_target_for_hash).hexdigest()
+        hash_for_rules = hashlib.sha256(qualified_target_for_hash).hexdigest()
 
         base_path = os.path.dirname(build_file)
         obj = "obj"

gyp/pylib/gyp/xcodeproj_file.py

@@ -431,7 +431,7 @@ def _HashUpdate(hash, data):
             hash.update(data)
 
         if seed_hash is None:
-            seed_hash = hashlib.sha1()
+            seed_hash = hashlib.sha256()
 
         hash = seed_hash.copy()
 
@@ -454,8 +454,8 @@ def _HashUpdate(hash, data):
                 child.ComputeIDs(recursive, overwrite, child_hash)
 
         if overwrite or self.id is None:
-            # Xcode IDs are only 96 bits (24 hex characters), but a SHA-1 digest is
-            # is 160 bits.  Instead of throwing out 64 bits of the digest, xor them
+            # Xcode IDs are only 96 bits (24 hex characters), but a SHA-256 digest is
+            # is 256 bits.  Instead of throwing out bits of the digest, xor them
             # into the portion that gets used.
             assert hash.digest_size % 4 == 0
             digest_int_count = hash.digest_size // 4