From: Lars Schneider <larsxschneider@gmail.com>
To: Jeff King <peff@peff.net>
Cc: "Jakub Narębski" <jnareb@gmail.com>, "Joey Hess" <id@joeyh.name>,
git@vger.kernel.org
Subject: Re: SHA1 collisions found
Date: Sat, 25 Feb 2017 23:35:27 +0100 [thread overview]
Message-ID: <D74A82FF-BF00-481F-9B2A-4AF8EF3D062F@gmail.com> (raw)
In-Reply-To: <20170224230604.nt37uw5y3uehukfd@sigill.intra.peff.net>
> On 25 Feb 2017, at 00:06, Jeff King <peff@peff.net> wrote:
>
> On Fri, Feb 24, 2017 at 11:47:46PM +0100, Jakub Narębski wrote:
>
>> I have just read on ArsTechnica[1] that while Git repository could be
>> corrupted (though this would require attackers to spend great amount
>> of resources creating their own collision, while as said elsewhere
>> in this thread allegedly easy to detect), putting two proof-of-concept
>> different PDFs with same size and SHA-1 actually *breaks* Subversion.
>> Repository can become corrupt, and stop accepting new commits.
>>
>> From what I understand people tried this, and Git doesn't exhibit
>> such problem. I wonder what assumptions SVN made that were broken...
>
> To be clear, nobody has generated a sha1 collision in Git yet, and you
> cannot blindly use the shattered PDFs to do so. Git's notion of the
> SHA-1 of an object include the header, so somebody would have to do a
> shattered-level collision search for something that starts with the
> correct "blob 1234\0" header.
>
> So we don't actually know how Git would behave in the face of a SHA-1
> collision. It would be pretty easy to simulate it with something like:
>
> ---
> diff --git a/block-sha1/sha1.c b/block-sha1/sha1.c
> index 22b125cf8..1be5b5ba3 100644
> --- a/block-sha1/sha1.c
> +++ b/block-sha1/sha1.c
> @@ -231,6 +231,16 @@ void blk_SHA1_Update(blk_SHA_CTX *ctx, const void *data, unsigned long len)
> memcpy(ctx->W, data, len);
> }
>
> +/* sha1 of blobs containing "foo\n" and "bar\n" */
> +static const unsigned char foo_sha1[] = {
> + 0x25, 0x7c, 0xc5, 0x64, 0x2c, 0xb1, 0xa0, 0x54, 0xf0, 0x8c,
> + 0xc8, 0x3f, 0x2d, 0x94, 0x3e, 0x56, 0xfd, 0x3e, 0xbe, 0x99
> +};
> +static const unsigned char bar_sha1[] = {
> + 0x57, 0x16, 0xca, 0x59, 0x87, 0xcb, 0xf9, 0x7d, 0x6b, 0xb5,
> + 0x49, 0x20, 0xbe, 0xa6, 0xad, 0xde, 0x24, 0x2d, 0x87, 0xe6
> +};
> +
> void blk_SHA1_Final(unsigned char hashout[20], blk_SHA_CTX *ctx)
> {
> static const unsigned char pad[64] = { 0x80 };
> @@ -248,4 +258,8 @@ void blk_SHA1_Final(unsigned char hashout[20], blk_SHA_CTX *ctx)
> /* Output hash */
> for (i = 0; i < 5; i++)
> put_be32(hashout + i * 4, ctx->H[i]);
> +
> + /* pretend "foo" and "bar" collide */
> + if (!memcmp(hashout, bar_sha1, 20))
> + memcpy(hashout, foo_sha1, 20);
> }
That's a good idea! I wonder if it would make sense to setup an
additional job in TravisCI that patches every Git version with some hash
collisions and then runs special tests. This way we could ensure Git
behaves reasonable in case of a collision. E.g. by printing errors and
not crashing or corrupting the repo. Do you think that would be worth
the effort?
- Lars
next prev parent reply other threads:[~2017-02-25 22:35 UTC|newest]
Thread overview: 136+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-23 16:43 SHA1 collisions found Joey Hess
2017-02-23 17:00 ` David Lang
2017-02-23 17:02 ` Junio C Hamano
2017-02-23 17:12 ` David Lang
2017-02-23 20:49 ` Jakub Narębski
2017-02-23 20:57 ` Jeff King
2017-02-23 17:18 ` Junio C Hamano
2017-02-23 17:35 ` Joey Hess
2017-02-23 17:52 ` Linus Torvalds
2017-02-23 18:21 ` Joey Hess
2017-02-23 18:31 ` Joey Hess
2017-02-23 19:13 ` Morten Welinder
2017-02-24 15:52 ` Geert Uytterhoeven
2017-02-23 18:40 ` Linus Torvalds
2017-02-23 18:46 ` Jeff King
2017-02-23 19:09 ` Linus Torvalds
2017-02-23 19:32 ` Jeff King
2017-02-23 19:47 ` Linus Torvalds
2017-02-23 19:57 ` Jeff King
[not found] ` <alpine.LFD.2.20.1702231428540.30435@i7.lan>
2017-02-23 22:43 ` Jeff King
2017-02-23 22:50 ` Linus Torvalds
2017-02-23 23:05 ` Jeff King
2017-02-23 23:05 ` [PATCH 1/3] add collision-detecting sha1 implementation Jeff King
2017-02-23 23:15 ` Stefan Beller
2017-02-24 0:01 ` Jeff King
2017-02-24 0:12 ` Linus Torvalds
2017-02-24 0:16 ` Jeff King
2017-02-23 23:05 ` [PATCH 2/3] sha1dc: adjust header includes for git Jeff King
2017-02-23 23:06 ` [PATCH 3/3] Makefile: add USE_SHA1DC knob Jeff King
2017-02-24 18:36 ` HW42
2017-02-24 18:57 ` Jeff King
2017-02-23 23:14 ` SHA1 collisions found Linus Torvalds
2017-02-28 18:41 ` Junio C Hamano
2017-02-28 19:07 ` Junio C Hamano
2017-02-28 19:20 ` Jeff King
2017-03-01 8:57 ` Dan Shumow
2017-02-28 19:34 ` Linus Torvalds
2017-02-28 19:52 ` Shawn Pearce
2017-02-28 22:56 ` Linus Torvalds
2017-02-28 21:22 ` Dan Shumow
2017-02-28 22:50 ` Marc Stevens
2017-02-28 23:11 ` Linus Torvalds
2017-03-01 19:05 ` Jeff King
2017-02-23 20:47 ` Øyvind A. Holm
2017-02-23 20:46 ` Joey Hess
2017-02-23 18:42 ` Jeff King
2017-02-23 17:52 ` David Lang
2017-02-23 19:20 ` David Lang
2017-02-23 17:19 ` Linus Torvalds
2017-02-23 17:29 ` Linus Torvalds
2017-02-23 18:10 ` Joey Hess
2017-02-23 18:29 ` Linus Torvalds
2017-02-23 18:38 ` Junio C Hamano
2017-02-24 9:42 ` Duy Nguyen
2017-02-25 19:04 ` brian m. carlson
2017-02-27 13:29 ` René Scharfe
2017-02-28 13:25 ` brian m. carlson
2017-02-24 15:13 ` Ian Jackson
2017-02-24 17:04 ` ankostis
2017-02-24 17:23 ` Jason Cooper
2017-02-25 23:22 ` ankostis
2017-02-24 17:32 ` Junio C Hamano
2017-02-24 17:45 ` David Lang
2017-02-24 18:14 ` Junio C Hamano
2017-02-24 18:58 ` Stefan Beller
2017-02-24 19:20 ` Junio C Hamano
2017-02-24 20:05 ` ankostis
2017-02-24 20:32 ` Junio C Hamano
2017-02-25 0:31 ` ankostis
2017-02-26 0:16 ` Jason Cooper
2017-02-26 17:38 ` brian m. carlson
2017-02-26 19:11 ` Linus Torvalds
2017-02-26 21:38 ` Ævar Arnfjörð Bjarmason
2017-02-26 21:52 ` Jeff King
2017-02-27 13:00 ` Transition plan for git to move to a new hash function Ian Jackson
2017-02-27 14:37 ` Why BLAKE2? Markus Trippelsdorf
2017-02-27 15:42 ` Ian Jackson
2017-02-27 19:26 ` Transition plan for git to move to a new hash function Tony Finch
2017-02-28 21:47 ` brian m. carlson
2017-03-02 18:13 ` Ian Jackson
2017-03-04 22:49 ` brian m. carlson
2017-03-05 13:45 ` Ian Jackson
2017-03-05 23:45 ` brian m. carlson
2017-02-24 20:05 ` SHA1 collisions found Junio C Hamano
2017-02-24 20:33 ` Philip Oakley
2017-02-24 23:39 ` Jeff King
2017-02-25 0:39 ` Linus Torvalds
2017-02-25 0:54 ` Linus Torvalds
2017-02-25 1:16 ` Jeff King
2017-02-26 18:55 ` Junio C Hamano
2017-02-25 6:10 ` Junio C Hamano
2017-02-26 1:13 ` Jason Cooper
2017-02-26 5:18 ` Jeff King
2017-02-26 18:30 ` brian m. carlson
2017-03-02 21:46 ` Brandon Williams
2017-03-03 11:13 ` Jeff King
2017-03-03 14:54 ` Ian Jackson
2017-03-03 22:18 ` Jeff King
2017-03-02 19:55 ` Linus Torvalds
2017-03-02 20:43 ` Junio C Hamano
2017-03-02 21:21 ` Linus Torvalds
2017-03-02 21:54 ` Joey Hess
2017-03-02 22:27 ` Linus Torvalds
2017-03-03 1:50 ` Mike Hommey
2017-03-03 2:19 ` Linus Torvalds
2017-03-03 11:04 ` Jeff King
2017-03-03 21:47 ` Stefan Beller
2017-02-25 1:00 ` David Lang
2017-02-25 1:15 ` Stefan Beller
2017-02-25 1:21 ` Jeff King
2017-02-25 1:39 ` David Lang
2017-02-25 1:47 ` Jeff King
2017-02-25 1:56 ` David Lang
2017-02-25 2:28 ` Jacob Keller
2017-02-25 2:26 ` Jacob Keller
2017-02-25 5:39 ` grarpamp
2017-02-24 23:43 ` Ian Jackson
2017-02-25 0:06 ` Ian Jackson
2017-02-25 18:50 ` brian m. carlson
2017-02-25 19:26 ` Jeff King
2017-02-25 22:09 ` Mike Hommey
2017-02-26 17:38 ` brian m. carlson
2017-02-24 22:47 ` Jakub Narębski
2017-02-24 22:53 ` Santiago Torres
2017-02-24 23:05 ` Jakub Narębski
2017-02-24 23:24 ` Øyvind A. Holm
2017-02-24 23:06 ` Jeff King
2017-02-24 23:35 ` Jakub Narębski
2017-02-25 22:35 ` Lars Schneider [this message]
2017-02-26 0:46 ` Jeff King
2017-02-26 18:22 ` Junio C Hamano
2017-02-26 18:57 ` Thomas Braun
2017-02-26 21:30 ` Jeff King
2017-02-27 9:57 ` Geert Uytterhoeven
2017-02-27 10:43 ` Jeff King
2017-02-27 12:39 ` Morten Welinder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D74A82FF-BF00-481F-9B2A-4AF8EF3D062F@gmail.com \
--to=larsxschneider@gmail.com \
--cc=git@vger.kernel.org \
--cc=id@joeyh.name \
--cc=jnareb@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).