[PATCH] replace sha1 with another algorithm

[PATCH] replace sha1 with another algorithm

[Jeff King]

SHA-1 is due to be cryptographically broken sometime in the
next decade, with collision attacks becoming possible. But
we don't have to wait! We can act now and replace it,
treating us to all of the pain of a flag day without any
delay!

We could of course use the SHA-2 family, or wait for the
upcoming SHA-3. But any good cryptographer knows that you
should _never_ use a standard algorithm. It's always better
to roll your own. After all, if _you_ can't break it, how
could anyone else?

Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Brandon Casey <drafnel@gmail.com>
Mocked-by: Rick Balocca <richard.balocca@ericsson.com>
Enjoyed-by: Elijah Newren <newren@gmail.com>
---
 block-sha1/sha1.h |    2 +-
 cache.h           |    4 +++-
 sha1_file.c       |   32 ++++++++++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/block-sha1/sha1.h b/block-sha1/sha1.h
index b864df6..49331e3 100644
--- a/block-sha1/sha1.h
+++ b/block-sha1/sha1.h
@@ -19,4 +19,4 @@
 #define git_SHA_CTX	blk_SHA_CTX
 #define git_SHA1_Init	blk_SHA1_Init
 #define git_SHA1_Update	blk_SHA1_Update
-#define git_SHA1_Final	blk_SHA1_Final
+#define real_git_SHA1_Final	blk_SHA1_Final
diff --git a/cache.h b/cache.h
index 2e6ad36..068062b 100644
--- a/cache.h
+++ b/cache.h
@@ -13,9 +13,11 @@
 #define git_SHA_CTX	SHA_CTX
 #define git_SHA1_Init	SHA1_Init
 #define git_SHA1_Update	SHA1_Update
-#define git_SHA1_Final	SHA1_Final
+#define real_git_SHA1_Final	SHA1_Final
 #endif
 
+void git_SHA1_Final(unsigned char out[20], git_SHA_CTX *ctx);
+
 #include <zlib.h>
 typedef struct git_zstream {
 	z_stream z;
diff --git a/sha1_file.c b/sha1_file.c
index 27f3b9b..23e0107 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -2833,3 +2833,35 @@ void assert_sha1_type(const unsigned char *sha1, enum object_type expect)
 		die("%s is not a valid '%s' object", sha1_to_hex(sha1),
 		    typename(expect));
 }
+
+static void xor_bytes(unsigned char *out, unsigned char *a, unsigned char *b,
+		      unsigned n)
+{
+	unsigned i;
+	for (i = 0; i < n; i++)
+		out[i] = a[i] ^ b[i];
+}
+
+static void mix_hash(unsigned char *h, unsigned n)
+{
+	unsigned char out[20];
+	unsigned mid = n / 2;
+
+	if (2*mid < n)
+		return;
+
+	xor_bytes(out, h, h + mid, mid);
+	xor_bytes(out + mid, h + mid, h, mid);
+	memcpy(h, out, n);
+
+	/* If a little bit of mixing is good, then a lot must be GREAT! */
+	mix_hash(h, mid);
+	mix_hash(h + mid, mid);
+}
+
+void git_SHA1_Final(unsigned char out[20], git_SHA_CTX *ctx)
+{
+	/* We build on top of the regular SHA1, but then "enhance" it. */
+	real_git_SHA1_Final(out, ctx);
+	mix_hash(out, 20);
+}
-- 
1.7.7.troll

Re: [PATCH] replace sha1 with another algorithm

[Michael J Gruber]

Jeff King venit, vidit, dixit 26.10.2011 02:12:
> SHA-1 is due to be cryptographically broken sometime in the
> next decade, with collision attacks becoming possible. But
> we don't have to wait! We can act now and replace it,
> treating us to all of the pain of a flag day without any
> delay!
> 
> We could of course use the SHA-2 family, or wait for the
> upcoming SHA-3. But any good cryptographer knows that you
> should _never_ use a standard algorithm. It's always better
> to roll your own. After all, if _you_ can't break it, how
> could anyone else?
> 
> Signed-off-by: Jeff King <peff@peff.net>
> Reviewed-by: Brandon Casey <drafnel@gmail.com>
> Mocked-by: Rick Balocca <richard.balocca@ericsson.com>
> Enjoyed-by: Elijah Newren <newren@gmail.com>
Awaited-by: Michael J Gruber <git@drmicha.warpmail.net>

Still remembering an earlier GitTogether's l33t l10n....
> ---
>  block-sha1/sha1.h |    2 +-
>  cache.h           |    4 +++-
>  sha1_file.c       |   32 ++++++++++++++++++++++++++++++++
>  3 files changed, 36 insertions(+), 2 deletions(-)
> 
> diff --git a/block-sha1/sha1.h b/block-sha1/sha1.h
> index b864df6..49331e3 100644
> --- a/block-sha1/sha1.h
> +++ b/block-sha1/sha1.h
> @@ -19,4 +19,4 @@
>  #define git_SHA_CTX	blk_SHA_CTX
>  #define git_SHA1_Init	blk_SHA1_Init
>  #define git_SHA1_Update	blk_SHA1_Update
> -#define git_SHA1_Final	blk_SHA1_Final
> +#define real_git_SHA1_Final	blk_SHA1_Final
> diff --git a/cache.h b/cache.h
> index 2e6ad36..068062b 100644
> --- a/cache.h
> +++ b/cache.h
> @@ -13,9 +13,11 @@
>  #define git_SHA_CTX	SHA_CTX
>  #define git_SHA1_Init	SHA1_Init
>  #define git_SHA1_Update	SHA1_Update
> -#define git_SHA1_Final	SHA1_Final
> +#define real_git_SHA1_Final	SHA1_Final
>  #endif
>  
> +void git_SHA1_Final(unsigned char out[20], git_SHA_CTX *ctx);
> +
>  #include <zlib.h>
>  typedef struct git_zstream {
>  	z_stream z;
> diff --git a/sha1_file.c b/sha1_file.c
> index 27f3b9b..23e0107 100644
> --- a/sha1_file.c
> +++ b/sha1_file.c
> @@ -2833,3 +2833,35 @@ void assert_sha1_type(const unsigned char *sha1, enum object_type expect)
>  		die("%s is not a valid '%s' object", sha1_to_hex(sha1),
>  		    typename(expect));
>  }
> +
> +static void xor_bytes(unsigned char *out, unsigned char *a, unsigned char *b,
> +		      unsigned n)
> +{
> +	unsigned i;
> +	for (i = 0; i < n; i++)
> +		out[i] = a[i] ^ b[i];
> +}
> +
> +static void mix_hash(unsigned char *h, unsigned n)
> +{
> +	unsigned char out[20];

unsigned char out[n];

;)

> +	unsigned mid = n / 2;
> +
> +	if (2*mid < n)
> +		return;
> +
> +	xor_bytes(out, h, h + mid, mid);
> +	xor_bytes(out + mid, h + mid, h, mid);
> +	memcpy(h, out, n);
> +
> +	/* If a little bit of mixing is good, then a lot must be GREAT! */
> +	mix_hash(h, mid);
> +	mix_hash(h + mid, mid);

n a power of 2 anyone...

> +}
> +
> +void git_SHA1_Final(unsigned char out[20], git_SHA_CTX *ctx)
> +{
> +	/* We build on top of the regular SHA1, but then "enhance" it. */
> +	real_git_SHA1_Final(out, ctx);
> +	mix_hash(out, 20);
> +}
>--
>1.7.7.troll

;)

Re: [PATCH] replace sha1 with another algorithm

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> +static void xor_bytes(unsigned char *out, unsigned char *a, unsigned char *b,
> +		      unsigned n)
> +{
> +	unsigned i;
> +	for (i = 0; i < n; i++)
> +		out[i] = a[i] ^ b[i];
> +}
> +
> +static void mix_hash(unsigned char *h, unsigned n)
> +{
> +	unsigned char out[20];
> +	unsigned mid = n / 2;
> +
> +	if (2*mid < n)
> +		return;
> +
> +	xor_bytes(out, h, h + mid, mid);
> +	xor_bytes(out + mid, h + mid, h, mid);
> +	memcpy(h, out, n);
> +
> +	/* If a little bit of mixing is good, then a lot must be GREAT! */
> +	mix_hash(h, mid);
> +	mix_hash(h + mid, mid);
> +}

You seem to want to reduce the hash down to 5-bytes by duplicating the
same value on the left and right half, and duplicate that four times to
fill 20-byte buffer, but doesn't this look unnecessarily inefficient way
to achieve that?

Re: [PATCH] replace sha1 with another algorithm

[Jeff King]

On Wed, Oct 26, 2011 at 12:44:15PM -0700, Junio C Hamano wrote:

> > +static void mix_hash(unsigned char *h, unsigned n)
> > +{
> > +	unsigned char out[20];
> > +	unsigned mid = n / 2;
> > +
> > +	if (2*mid < n)
> > +		return;
> > +
> > +	xor_bytes(out, h, h + mid, mid);
> > +	xor_bytes(out + mid, h + mid, h, mid);
> > +	memcpy(h, out, n);
> > +
> > +	/* If a little bit of mixing is good, then a lot must be GREAT! */
> > +	mix_hash(h, mid);
> > +	mix_hash(h + mid, mid);
> > +}
> 
> You seem to want to reduce the hash down to 5-bytes by duplicating the
> same value on the left and right half, and duplicate that four times to
> fill 20-byte buffer, but doesn't this look unnecessarily inefficient way
> to achieve that?

Well, yeah. But when you're writing a really bad hashing algorithm, I
feel like obfuscating the bugs is key.

-Peff