Refine hashing usages (OrchardCMS#15621)

src/OrchardCore.Build/Dependencies.props

@@ -66,6 +66,7 @@
     <PackageManagement Include="StackExchange.Redis" Version="2.7.33" />
     <PackageManagement Include="StyleCop.Analyzers" Version="1.1.118" />
     <PackageManagement Include="System.Linq.Async" Version="6.0.1" />
+    <PackageManagement Include="System.IO.Hashing" Version="8.0.0" />
     <PackageManagement Include="xunit" Version="2.7.0" />
     <PackageManagement Include="xunit.analyzers" Version="1.11.0" />
     <PackageManagement Include="xunit.runner.visualstudio" Version="2.5.7" />

src/OrchardCore.Modules/OrchardCore.Media/OrchardCore.Media.csproj

@@ -44,6 +44,7 @@
     <PackageReference Include="Shortcodes" />
     <PackageReference Include="SixLabors.ImageSharp.Web" />
     <PackageReference Include="System.Linq.Async" />
+    <PackageReference Include="System.IO.Hashing" />
   </ItemGroup>
 
 </Project>

src/OrchardCore.Modules/OrchardCore.Media/Processing/MediaTokenService.cs

@@ -165,8 +165,6 @@ private string GetHash(string queryStringTokenKey)
 
                 entry.SlidingExpiration = TimeSpan.FromHours(5);
 
-                using var hmac = new HMACSHA256(_hashKey);
-
                 // 'queryStringTokenKey' also contains prefix.
                 var chars = queryStringTokenKey.AsSpan(TokenCacheKeyPrefix.Length);
 
@@ -177,11 +175,11 @@ private string GetHash(string queryStringTokenKey)
                     : new byte[requiredLength];
 
                 // 256 for SHA-256, fits in stack nicely.
-                Span<byte> hashBytes = stackalloc byte[hmac.HashSize];
+                Span<byte> hashBytes = stackalloc byte[HMACSHA256.HashSizeInBytes];
 
                 var stringBytesLength = Encoding.UTF8.GetBytes(chars, stringBytes);
 
-                hmac.TryComputeHash(stringBytes[..stringBytesLength], hashBytes, out var hashBytesLength);
+                HMACSHA256.TryHashData(_hashKey, stringBytes[..stringBytesLength], hashBytes, out var hashBytesLength);
 
                 entry.Value = result = Convert.ToBase64String(hashBytes[..hashBytesLength]);
             }

src/OrchardCore.Modules/OrchardCore.Media/Processing/MediaTokenSettingsUpdater.cs

@@ -15,6 +15,8 @@ namespace OrchardCore.Media.Processing
     /// </summary>
     public class MediaTokenSettingsUpdater : FeatureEventHandler, IModularTenantEvents
     {
+        private const int DefaultMediaTokenKeySize = 64;
+
         private readonly ISiteService _siteService;
         private readonly ShellSettings _shellSettings;
 
@@ -38,10 +40,7 @@ public async Task ActivatedAsync()
             {
                 var siteSettings = await _siteService.LoadSiteSettingsAsync();
 
-                var rng = RandomNumberGenerator.Create();
-
-                mediaTokenSettings.HashKey = new byte[64];
-                rng.GetBytes(mediaTokenSettings.HashKey);
+                mediaTokenSettings.HashKey = RandomNumberGenerator.GetBytes(DefaultMediaTokenKeySize);
                 siteSettings.Put(mediaTokenSettings);
 
                 await _siteService.UpdateSiteSettingsAsync(siteSettings);
@@ -65,10 +64,7 @@ private async Task SetMediaTokenSettingsAsync(IFeatureInfo feature)
             var siteSettings = await _siteService.LoadSiteSettingsAsync();
             var mediaTokenSettings = siteSettings.As<MediaTokenSettings>();
 
-            var rng = RandomNumberGenerator.Create();
-
-            mediaTokenSettings.HashKey = new byte[64];
-            rng.GetBytes(mediaTokenSettings.HashKey);
+            mediaTokenSettings.HashKey = RandomNumberGenerator.GetBytes(DefaultMediaTokenKeySize);
             siteSettings.Put(mediaTokenSettings);
 
             await _siteService.UpdateSiteSettingsAsync(siteSettings);

src/OrchardCore.Modules/OrchardCore.Media/Services/AttachedMediaFieldFileService.cs

@@ -1,8 +1,7 @@
 using System;
 using System.Collections.Generic;
+using System.IO.Hashing;
 using System.Linq;
-using System.Security.Cryptography;
-using System.Text;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
@@ -126,20 +125,9 @@ private string GetContentItemFolder(ContentItem contentItem)
         private async Task<string> GetFileHashAsync(string filePath)
         {
             using var fs = await _fileStore.GetFileStreamAsync(filePath);
-            using HashAlgorithm hashAlgorithm = MD5.Create();
-            var hash = hashAlgorithm.ComputeHash(fs);
-            return ByteArrayToHexString(hash);
-        }
-
-        public static string ByteArrayToHexString(byte[] bytes)
-        {
-            var sb = new StringBuilder();
-            foreach (var b in bytes)
-            {
-                sb.Append(b.ToString("x2").ToLower());
-            }
-
-            return sb.ToString();
+            var hash = new XxHash32();
+            await hash.AppendAsync(fs);
+            return Convert.ToHexString(hash.GetCurrentHash()).ToLowerInvariant();
         }
 
         private static string GetFileExtension(string path)

src/OrchardCore.Modules/OrchardCore.Media/Services/ChunkFileUploadService.cs

@@ -1,9 +1,9 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.IO.Hashing;
 using System.Linq;
 using System.Net.Http.Headers;
-using System.Security.Cryptography;
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
@@ -200,9 +200,14 @@ private static FileStream CreateTemporaryFile(string tempPath, long size)
 
     private static string CalculateHash(params string[] parts)
     {
-        var hash = SHA256.HashData(Encoding.UTF8.GetBytes(string.Join(string.Empty, parts)));
+        var hash = new XxHash64();
 
-        return Convert.ToHexString(hash);
+        foreach (var part in parts)
+        {
+            hash.Append(Encoding.UTF8.GetBytes(part));
+        }
+
+        return Convert.ToHexString(hash.GetCurrentHash());
     }
 
     private sealed class ChunkedFormFile : IFormFile, IDisposable

src/OrchardCore.Modules/OrchardCore.Twitter/Services/TwitterClientMessageHandler.cs

@@ -38,7 +38,7 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
 
         public virtual string GetNonce()
         {
-            return Convert.ToBase64String(new ASCIIEncoding().GetBytes(_clock.UtcNow.Ticks.ToString()));
+            return Convert.ToBase64String(Encoding.ASCII.GetBytes(_clock.UtcNow.Ticks.ToString()));
         }
 
         public async Task ConfigureOAuthAsync(HttpRequestMessage request)
@@ -100,11 +100,7 @@ public async Task ConfigureOAuthAsync(HttpRequestMessage request)
 
             var secret = string.Concat(_twitterSettings.ConsumerSecret, "&", _twitterSettings.AccessTokenSecret);
 
-            string signature;
-            using (var hasher = new HMACSHA1(Encoding.ASCII.GetBytes(secret)))
-            {
-                signature = Convert.ToBase64String(hasher.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
-            }
+            var signature = Convert.ToBase64String(HMACSHA1.HashData(key: Encoding.UTF8.GetBytes(secret), source: Encoding.UTF8.GetBytes(baseString)));
 
             var sb = new StringBuilder();
             sb.Append("oauth_consumer_key=\"").Append(Uri.EscapeDataString(_twitterSettings.ConsumerKey)).Append("\", ");