From 34b0151e125a6698f57ea476ccfa922c6275edf1 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sat, 20 May 2017 15:16:40 -0400
Subject: move unsafe hashing out of instance to avoid misuse
Avoids breaking backwards compat and should avoid future foot-shooting.
---
 Hash.hs | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
(limited to 'Hash.hs')
diff --git a/Hash.hs b/Hash.hs
index 89b0384..cb90c85 100644
--- a/Hash.hs
+++ b/Hash.hs
@@ -41,7 +41,7 @@ instance Hashable a => Hashable (Tagged a) where
 instance Hashable a => Hashable (Activity a) where
 hash (Activity a mps mpe mt s) = hash $ Tagged "Activity"
- [hash a, hash mps, hash mpe, hash mt, hash s]
+ [hash a, hashOfMaybeUnsafe mps, hashOfMaybeUnsafe mpe, hash mt, hash s]
 instance Hashable Entered where
 hash v = hash $ Tagged "Entered"
@@ -52,7 +52,7 @@ instance Hashable Seen where
 instance Hashable ControlAction where
 hash (EnteredRejected h1 h2) = hash $ Tagged "EnteredRejected"
- [hash h1, hash h2]
+ [hash h1, hashOfMaybeUnsafe h2]
 hash (SessionKey pk v) = hash $ Tagged "SessionKey" [hash pk, hash v]
 hash (SessionKeyAccepted pk) = hash $ Tagged "SessionKeyAccepted" pk
 hash (SessionKeyRejected pk) = hash $ Tagged "SessionKeyRejected" pk
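Review bot: The two `hashOfMaybeUnsafe` calls on `mps` and `mpe` in the Activity instance carry no comment saying why those values meet the function's precondition (never the hash of the empty string), and the same applies to `h2` in the `EnteredRejected` case of the next hunk. If these fields can be filled from data received from another party, the type `Maybe Hash` does not rule out a `Just` holding exactly that digest, which would then hash the same as `Nothing`; this is inferred, since the decoding code is not part of this patch. I would add a comment at each call such as `-- legacy format; safe only while this is the hash of a non-empty message, never of ""`, and check that the receiving side rejects any other value. The ControlAction instance may continue past the end of the second hunk.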
@@ -83,7 +83,21 @@ instance Hashable ElapsedTime where
 instance Hashable [Hash] where
 hash = hash . B.concat . map (val . hashValue)
--- | Hash empty string for Nothing
+-- | Hash a Maybe Hash, such that
+-- hash Nothing /= hash (Just (hash (mempty :: B.ByteString)))
 instance Hashable (Maybe Hash) where
+ hash (Just v) = hash (val (hashValue v))
 hash Nothing = hash (mempty :: B.ByteString)
- hash (Just v) = hash v
+
+-- | Hash a Maybe Hash using the Hash value as-is, or the hash of the empty
+-- string for Nothing.
+--
+-- Note that this is only safe to use when the input value can't possibly
+-- itself be the hash of an empty string. For example, the hash of an
+-- Activity is safe, because it's the hash of a non-empty string.
+--
+-- This is only used to avoid breaking backwards compatability; the
+-- above instance for Maybe Hash should be used for anything new.
+hashOfMaybeUnsafe :: Maybe Hash -> Hash
+hashOfMaybeUnsafe (Just v) = hash v
+hashOfMaybeUnsafe Nothing = hash (mempty :: B.ByteString)
--
cgit v1.2.3
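Review bot: In the new `Hashable (Maybe Hash)` instance, `hash (Just v)` is by definition the hash of the plain ByteString `val (hashValue v)` and `Nothing` is the hash of the empty ByteString, so `Maybe Hash` values share a hash domain with raw ByteStrings, and any field of `Hash` other than `hashValue` is left out of the result. The other instances in this file get their separation from `Tagged`; since this instance is meant for new uses only, `hash (Just v) = hash $ Tagged "Just" [v]` and `hash Nothing = hash $ Tagged "Nothing" (mempty :: B.ByteString)` would follow that pattern, assuming the `Tagged` encoding (not visible here) is unambiguous. A test pinning the inequality stated in the doc comment would also keep the property from regressing.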