bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Stefan Kangas]

[-- Attachment #1: Type: text/plain, Size: 385 bytes --]

SHA-1 has now seen collision attacks:
https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/

We should clarify that these attacks are not only theoretical, and
actively discourage using it in security-related applications in the
Elisp Manual.  The attached patch is an attempt at doing that.

Any comments?

Best regards,
Stefan Kangas

[-- Attachment #2: 0001-Recommend-against-SHA-1-for-security-related-applica.patch --]
[-- Type: text/x-patch, Size: 1646 bytes --]

From 53a42470604e3db6e2f0552eb3481fa64a853458 Mon Sep 17 00:00:00 2001
From: Stefan Kangas <stefankangas@gmail.com>
Date: Mon, 16 Sep 2019 10:45:14 +0200
Subject: [PATCH] Recommend against SHA-1 for security-related applications

* doc/lispref/text.texi (Checksum/Hash): Clarify that SHA-1 is not
collision resistant.
---
 doc/lispref/text.texi | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/doc/lispref/text.texi b/doc/lispref/text.texi
index 7ce54f59c6..949797c3ef 100644
--- a/doc/lispref/text.texi
+++ b/doc/lispref/text.texi
@@ -4710,12 +4710,12 @@ Checksum/Hash
 SHA-1, SHA-2, SHA-224, SHA-256, SHA-384 and SHA-512.  MD5 is the
 oldest of these algorithms, and is commonly used in @dfn{message
 digests} to check the integrity of messages transmitted over a
-network.  MD5 is not collision resistant (i.e., it is possible to
-deliberately design different pieces of data which have the same MD5
-hash), so you should not used it for anything security-related.  A
-similar theoretical weakness also exists in SHA-1.  Therefore, for
-security-related applications you should use the other hash types,
-such as SHA-2.
+network.  MD5 and SHA-1 are not collision resistant (i.e., it is
+possible to deliberately design different pieces of data which have
+the same MD5 or SHA-1 hash), so you should not use them for anything
+security-related.  For security-related applications you should use
+the other hash types, such as SHA-2 (@code{sha224}, @code{sha256},
+@code{sha384} or @code{sha512}).
 
 @defun secure-hash-algorithms
 This function returns a list of symbols representing algorithms that
-- 
2.20.1

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Lars Ingebrigtsen]

Stefan Kangas <stefan@marxist.se> writes:

> We should clarify that these attacks are not only theoretical, and
> actively discourage using it in security-related applications in the
> Elisp Manual.  The attached patch is an attempt at doing that.

Looks good to me.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Stefan Kangas]

[-- Attachment #1: Type: text/plain, Size: 618 bytes --]

Lars Ingebrigtsen <larsi@gnus.org> writes:

> > We should clarify that these attacks are not only theoretical, and
> > actively discourage using it in security-related applications in the
> > Elisp Manual.  The attached patch is an attempt at doing that.
>
> Looks good to me.

Thanks.  I thought a bit more about this, and would like to suggest
the attached slightly more ambitious patch which also recommends
against them in the doc strings of sha1, md5 and secure-hash.

(I also changed so the doc strings consistently say SHA-1 instead of
SHA1, which seems to be more correct AFAICT.)

Best regards,
Stefan Kangas

[-- Attachment #2: 0001-Recommend-against-SHA-1-and-MD5-for-security.patch --]
[-- Type: text/x-patch, Size: 4014 bytes --]

From 9a49ffb8ec5ede05bc6d7100066d9eda7efdde46 Mon Sep 17 00:00:00 2001
From: Stefan Kangas <stefankangas@gmail.com>
Date: Mon, 16 Sep 2019 10:45:14 +0200
Subject: [PATCH] Recommend against SHA-1 and MD5 for security

* doc/lispref/text.texi (Checksum/Hash):
* src/fns.c (Fmd5, Fsecure_hash):
* lisp/subr.el (sha1): Doc fix to recommend against SHA-1 and MD5 for
security-related applications, since they are not collision
resistant.  (Bug#37420)
---
 doc/lispref/text.texi | 12 ++++++------
 lisp/subr.el          |  8 ++++++--
 src/fns.c             | 11 +++++++++--
 3 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/doc/lispref/text.texi b/doc/lispref/text.texi
index 7ce54f59c6..54b89cff5a 100644
--- a/doc/lispref/text.texi
+++ b/doc/lispref/text.texi
@@ -4710,12 +4710,12 @@ Checksum/Hash
 SHA-1, SHA-2, SHA-224, SHA-256, SHA-384 and SHA-512.  MD5 is the
 oldest of these algorithms, and is commonly used in @dfn{message
 digests} to check the integrity of messages transmitted over a
-network.  MD5 is not collision resistant (i.e., it is possible to
-deliberately design different pieces of data which have the same MD5
-hash), so you should not used it for anything security-related.  A
-similar theoretical weakness also exists in SHA-1.  Therefore, for
-security-related applications you should use the other hash types,
-such as SHA-2.
+network.  MD5 and SHA-1 are not collision resistant (i.e., it is
+possible to deliberately design different pieces of data which have
+the same MD5 or SHA-1 hash), so you should not use them for anything
+security-related.  For security-related applications you should use
+the other hash types, such as SHA-2 (e.g. @code{sha384} or
+@code{sha512}).
 
 @defun secure-hash-algorithms
 This function returns a list of symbols representing algorithms that
diff --git a/lisp/subr.el b/lisp/subr.el
index 0b47da884b..45b99a82d2 100644
--- a/lisp/subr.el
+++ b/lisp/subr.el
@@ -3120,11 +3120,15 @@ field-at-pos
       raw-field)))
 
 (defun sha1 (object &optional start end binary)
-  "Return the SHA1 (Secure Hash Algorithm) of an OBJECT.
+  "Return the SHA-1 (Secure Hash Algorithm) of an OBJECT.
 OBJECT is either a string or a buffer.  Optional arguments START and
 END are character positions specifying which portion of OBJECT for
 computing the hash.  If BINARY is non-nil, return a string in binary
-form."
+form.
+
+Note that SHA-1 is not collision resistant and should not be used
+for anything security-related.  See `secure-hash' for
+alternatives."
   (secure-hash 'sha1 object start end binary))
 
 (defun function-get (f prop &optional autoload)
diff --git a/src/fns.c b/src/fns.c
index df921e28f3..20047be63d 100644
--- a/src/fns.c
+++ b/src/fns.c
@@ -5379,7 +5379,10 @@ DEFUN ("md5", Fmd5, Smd5, 1, 5, 0,
 command `prefer-coding-system') is used.
 
 If NOERROR is non-nil, silently assume the `raw-text' coding if the
-guesswork fails.  Normally, an error is signaled in such case.  */)
+guesswork fails.  Normally, an error is signaled in such case.
+
+Note that MD5 is not collision resistant and should not be used for
+anything security-related.  See `secure-hash' for alternatives.  */)
   (Lisp_Object object, Lisp_Object start, Lisp_Object end, Lisp_Object coding_system, Lisp_Object noerror)
 {
   return secure_hash (Qmd5, object, start, end, coding_system, noerror, Qnil);
@@ -5396,7 +5399,11 @@ DEFUN ("secure-hash", Fsecure_hash, Ssecure_hash, 2, 5, 0,
 
 The full list of algorithms can be obtained with `secure-hash-algorithms'.
 
-If BINARY is non-nil, returns a string in binary form.  */)
+If BINARY is non-nil, returns a string in binary form.
+
+Note that MD5 and SHA-1 are not collision resistant and should not be
+used for anything security-related.  Use one of the other hash types
+for security-related applications.  */)
   (Lisp_Object algorithm, Lisp_Object object, Lisp_Object start, Lisp_Object end, Lisp_Object binary)
 {
   return secure_hash (algorithm, object, start, end, Qnil, Qnil, binary);
-- 
2.20.1

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Lars Ingebrigtsen]

Stefan Kangas <stefan@marxist.se> writes:

> (I also changed so the doc strings consistently say SHA-1 instead of
> SHA1, which seems to be more correct AFAICT.)

Yup.


[...]

> +Note that SHA-1 is not collision resistant and should not be used
> +for anything security-related.  See `secure-hash' for
> +alternatives."

Looks good.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Stefan Kangas]

[-- Attachment #1: Type: text/plain, Size: 283 bytes --]

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Looks good.

Thanks.

As I was playing around with this a bit more, I also came up with
another patch (attached) to be committed on top of the first one.
This patch adds tests and makes some minor doc fixes.

Best regards,
Stefan Kangas

[-- Attachment #2: 0001-Add-tests-for-secure-hash-and-improve-doc-string.patch --]
[-- Type: text/x-patch, Size: 4090 bytes --]

From 64ba95dd564f22910b48f8644db4013f9fe65eb1 Mon Sep 17 00:00:00 2001
From: Stefan Kangas <stefankangas@gmail.com>
Date: Mon, 16 Sep 2019 23:39:58 +0200
Subject: [PATCH] Add tests for secure-hash and improve doc string

* src/fns.c (Fsecure_hash_algorithms): Fix typo.
(Fsecure_hash): Add algorithm list to doc string.
* test/src/fns-tests.el (test-secure-hash): New test.
---
 src/fns.c                                         | 11 ++++++++++-
 .../emacs-lisp/package-resources/archive-contents |  5 ++++-
 test/src/fns-tests.el                             | 15 +++++++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/src/fns.c b/src/fns.c
index df921e28f3..5f53e596a1 100644
--- a/src/fns.c
+++ b/src/fns.c
@@ -5084,7 +5084,7 @@ make_digest_string (Lisp_Object digest, int digest_size)
 
 DEFUN ("secure-hash-algorithms", Fsecure_hash_algorithms,
        Ssecure_hash_algorithms, 0, 0, 0,
-       doc: /* Return a list of all the supported `secure_hash' algorithms. */)
+       doc: /* Return a list of all the supported `secure-hash' algorithms. */)
   (void)
 {
   return list (Qmd5, Qsha1, Qsha224, Qsha256, Qsha384, Qsha512);
@@ -5390,6 +5390,15 @@ DEFUN ("secure-hash", Fsecure_hash, Ssecure_hash, 2, 5, 0,
 ALGORITHM is a symbol specifying the hash to use:
 md5, sha1, sha224, sha256, sha384 or sha512.
 
+These symbols corresponds to the following hashing algorithms:
+
+    md5    - MD5
+    sha1   - SHA-1
+    sha224 - SHA-2 / SHA-224
+    sha256 - SHA-2 / SHA-384
+    sha384 - SHA-2 / SHA-384
+    sha512 - SHA-2 / SHA-512
+
 The two optional arguments START and END are positions specifying for
 which part of OBJECT to compute the hash.  If nil or omitted, uses the
 whole OBJECT.
diff --git a/test/lisp/emacs-lisp/package-resources/archive-contents b/test/lisp/emacs-lisp/package-resources/archive-contents
index e2f92304f8..fbbcdfa640 100644
--- a/test/lisp/emacs-lisp/package-resources/archive-contents
+++ b/test/lisp/emacs-lisp/package-resources/archive-contents
@@ -1,9 +1,12 @@
+;; RFC3339 timestamp
+;; Last-Updated: 2014-01-16T05:43:35.000Z
 (1
  (simple-single .
                 [(1 3)
                  nil "A single-file package with no dependencies" single
                  ((:url . "http://doodles.au")
-                  (:keywords quote ("frobnicate")))])
+                  (:keywords quote ("frobnicate"))
+                  (:hash )])
  (simple-depend .
                 [(1 0)
                  ((simple-single (1 3))) "A single-file package with a dependency." single])
diff --git a/test/src/fns-tests.el b/test/src/fns-tests.el
index 7d56da77cf..5be9a9eb7b 100644
--- a/test/src/fns-tests.el
+++ b/test/src/fns-tests.el
@@ -858,4 +858,19 @@ test-hash-function-that-mutates-hash-table
        (puthash k k h)))
     (should (= 100 (hash-table-count h)))))
 
+(ert-deftest test-secure-hash ()
+  (should (equal (secure-hash 'md5    "foobar") "3858f62230ac3c915f300c664312c63f"))
+  (should (equal (secure-hash 'sha1   "foobar") "8843d7f92416211de9ebb963ff4ce28125932878"))
+  (should (equal (secure-hash 'sha224 "foobar") (concat "de76c3e567fca9d246f5f8d3b2e704a3"
+                                                        "8c3c5e258988ab525f941db8")))
+  (should (equal (secure-hash 'sha256 "foobar") (concat "c3ab8ff13720e8ad9047dd39466b3c89"
+                                                        "74e592c2fa383d4a3960714caef0c4f2")))
+  (should (equal (secure-hash 'sha384 "foobar") (concat "3c9c30d9f665e74d515c842960d4a451"
+                                                        "c83a0125fd3de7392d7b37231af10c72"
+                                                        "ea58aedfcdf89a5765bf902af93ecf06")))
+  (should (equal (secure-hash 'sha512 "foobar") (concat "0a50261ebd1a390fed2bf326f2673c14"
+                                                        "5582a6342d523204973d0219337f8161"
+                                                        "6a8069b012587cf5635f6925f1b56c36"
+                                                        "0230c19b273500ee013e030601bf2425"))))
+
 (provide 'fns-tests)
-- 
2.20.1

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Lars Ingebrigtsen]

Stefan Kangas <stefan@marxist.se> writes:

> +These symbols corresponds to the following hashing algorithms:
> +
> +    md5    - MD5
> +    sha1   - SHA-1
> +    sha224 - SHA-2 / SHA-224
> +    sha256 - SHA-2 / SHA-384
> +    sha384 - SHA-2 / SHA-384
> +    sha512 - SHA-2 / SHA-512

I'm not sure these really clarify all that much?  But I don't object to
it.


[...]

> --- a/test/lisp/emacs-lisp/package-resources/archive-contents
> +++ b/test/lisp/emacs-lisp/package-resources/archive-contents
> @@ -1,9 +1,12 @@
> +;; RFC3339 timestamp
> +;; Last-Updated: 2014-01-16T05:43:35.000Z
>  (1
>   (simple-single .
>                  [(1 3)
>                   nil "A single-file package with no dependencies" single
>                   ((:url . "http://doodles.au")
> -                  (:keywords quote ("frobnicate")))])
> +                  (:keywords quote ("frobnicate"))
> +                  (:hash )])

Hm...  is this related?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Stefan Kangas]

Lars Ingebrigtsen <larsi@gnus.org> writes:

> > +These symbols corresponds to the following hashing algorithms:
> > +
> > +    md5    - MD5
> > +    sha1   - SHA-1
> > +    sha224 - SHA-2 / SHA-224
> > +    sha256 - SHA-2 / SHA-384
> > +    sha384 - SHA-2 / SHA-384
> > +    sha512 - SHA-2 / SHA-512
>
> I'm not sure these really clarify all that much?  But I don't object to
> it.

They would help people like me who don't use this stuff very often and
can't remember which one is SHA-1, SHA-2, SHA-3, etc.  Of course, one
could expect users to fire up a web browser and search the web for
details instead.  But as it stands, we don't document anywhere that
sha512 is indeed SHA-2 as far as I can tell.

> > --- a/test/lisp/emacs-lisp/package-resources/archive-contents
[...]
> Hm...  is this related?

No, please disregard that.  I fixed it but then attached the wrong
patch to the email.

Best regards,
Stefan Kangas

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Eli Zaretskii]

> From: Stefan Kangas <stefan@marxist.se>
> Date: Mon, 16 Sep 2019 23:50:33 +0200
> Cc: 37420@debbugs.gnu.org
> 
> +These symbols corresponds to the following hashing algorithms:
> +
> +    md5    - MD5
> +    sha1   - SHA-1
> +    sha224 - SHA-2 / SHA-224
> +    sha256 - SHA-2 / SHA-384
> +    sha384 - SHA-2 / SHA-384
> +    sha512 - SHA-2 / SHA-512

Please always use "--" to imply an em-dash in plain text.  In this
case, perhaps an even better way would be to explicitly say
"corresponds to".

Thanks.

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Robert Pluim]

>>>>> On Tue, 17 Sep 2019 09:05:09 +0300, Eli Zaretskii <eliz@gnu.org> said:

    >> From: Stefan Kangas <stefan@marxist.se>
    >> Date: Mon, 16 Sep 2019 23:50:33 +0200
    >> Cc: 37420@debbugs.gnu.org
    >> 
    >> +These symbols corresponds to the following hashing algorithms:
    >> +
    >> +    md5    - MD5
    >> +    sha1   - SHA-1
    >> +    sha224 - SHA-2 / SHA-224
    >> +    sha256 - SHA-2 / SHA-384
    >> +    sha384 - SHA-2 / SHA-384
    >> +    sha512 - SHA-2 / SHA-512

    Eli> Please always use "--" to imply an em-dash in plain text.  In this
    Eli> case, perhaps an even better way would be to explicitly say
    Eli> "corresponds to".

You have sha256 -> SHA-384

Robert

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Stefan Kangas]

[-- Attachment #1: Type: text/plain, Size: 853 bytes --]

Robert Pluim <rpluim@gmail.com> writes:

> >>>>> On Tue, 17 Sep 2019 09:05:09 +0300, Eli Zaretskii <eliz@gnu.org> said:
>
>     >> From: Stefan Kangas <stefan@marxist.se>
>     >> Date: Mon, 16 Sep 2019 23:50:33 +0200
>     >> Cc: 37420@debbugs.gnu.org
>     >>
>     >> +These symbols corresponds to the following hashing algorithms:
>     >> +
>     >> +    md5    - MD5
>     >> +    sha1   - SHA-1
>     >> +    sha224 - SHA-2 / SHA-224
>     >> +    sha256 - SHA-2 / SHA-384
>     >> +    sha384 - SHA-2 / SHA-384
>     >> +    sha512 - SHA-2 / SHA-512
>
>     Eli> Please always use "--" to imply an em-dash in plain text.  In this
>     Eli> case, perhaps an even better way would be to explicitly say
>     Eli> "corresponds to".
>
> You have sha256 -> SHA-384

Thanks Eli and Robert.  How about the attached patch?

Best regards,
Stefan Kangas

[-- Attachment #2: 0001-Add-tests-for-secure-hash-and-improve-doc-string.patch --]
[-- Type: text/x-patch, Size: 3247 bytes --]

From 63457d19d76f11797d455408ba840d8c04a9458e Mon Sep 17 00:00:00 2001
From: Stefan Kangas <stefankangas@gmail.com>
Date: Mon, 16 Sep 2019 23:42:56 +0200
Subject: [PATCH] Add tests for secure-hash and improve doc string

* src/fns.c (Fsecure_hash_algorithms): Fix typo.
(Fsecure_hash): Add algorithm list to doc string.
* test/src/fns-tests.el (test-secure-hash): New test.
---
 src/fns.c             |  9 +++++++--
 test/src/fns-tests.el | 15 +++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/fns.c b/src/fns.c
index b800f1c47f..fa52e5e197 100644
--- a/src/fns.c
+++ b/src/fns.c
@@ -5081,7 +5081,7 @@ make_digest_string (Lisp_Object digest, int digest_size)
 
 DEFUN ("secure-hash-algorithms", Fsecure_hash_algorithms,
        Ssecure_hash_algorithms, 0, 0, 0,
-       doc: /* Return a list of all the supported `secure_hash' algorithms. */)
+       doc: /* Return a list of all the supported `secure-hash' algorithms. */)
   (void)
 {
   return list (Qmd5, Qsha1, Qsha224, Qsha256, Qsha384, Qsha512);
@@ -5388,7 +5388,12 @@ DEFUN ("md5", Fmd5, Smd5, 1, 5, 0,
 DEFUN ("secure-hash", Fsecure_hash, Ssecure_hash, 2, 5, 0,
        doc: /* Return the secure hash of OBJECT, a buffer or string.
 ALGORITHM is a symbol specifying the hash to use:
-md5, sha1, sha224, sha256, sha384 or sha512.
+- md5    corresponds to MD5
+- sha1   corresponds to SHA-1
+- sha224 corresponds to SHA-2 (SHA-224)
+- sha256 corresponds to SHA-2 (SHA-256)
+- sha384 corresponds to SHA-2 (SHA-384)
+- sha512 corresponds to SHA-2 (SHA-512)
 
 The two optional arguments START and END are positions specifying for
 which part of OBJECT to compute the hash.  If nil or omitted, uses the
diff --git a/test/src/fns-tests.el b/test/src/fns-tests.el
index 7d56da77cf..5be9a9eb7b 100644
--- a/test/src/fns-tests.el
+++ b/test/src/fns-tests.el
@@ -858,4 +858,19 @@ test-hash-function-that-mutates-hash-table
        (puthash k k h)))
     (should (= 100 (hash-table-count h)))))
 
+(ert-deftest test-secure-hash ()
+  (should (equal (secure-hash 'md5    "foobar") "3858f62230ac3c915f300c664312c63f"))
+  (should (equal (secure-hash 'sha1   "foobar") "8843d7f92416211de9ebb963ff4ce28125932878"))
+  (should (equal (secure-hash 'sha224 "foobar") (concat "de76c3e567fca9d246f5f8d3b2e704a3"
+                                                        "8c3c5e258988ab525f941db8")))
+  (should (equal (secure-hash 'sha256 "foobar") (concat "c3ab8ff13720e8ad9047dd39466b3c89"
+                                                        "74e592c2fa383d4a3960714caef0c4f2")))
+  (should (equal (secure-hash 'sha384 "foobar") (concat "3c9c30d9f665e74d515c842960d4a451"
+                                                        "c83a0125fd3de7392d7b37231af10c72"
+                                                        "ea58aedfcdf89a5765bf902af93ecf06")))
+  (should (equal (secure-hash 'sha512 "foobar") (concat "0a50261ebd1a390fed2bf326f2673c14"
+                                                        "5582a6342d523204973d0219337f8161"
+                                                        "6a8069b012587cf5635f6925f1b56c36"
+                                                        "0230c19b273500ee013e030601bf2425"))))
+
 (provide 'fns-tests)
-- 
2.20.1

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Lars Ingebrigtsen]

Stefan Kangas <stefan@marxist.se> writes:

> Thanks Eli and Robert.  How about the attached patch?

Looks good to me, but one tiny thing:

> +(ert-deftest test-secure-hash ()
> +  (should (equal (secure-hash 'md5    "foobar") "3858f62230ac3c915f300c664312c63f"))
> +  (should (equal (secure-hash 'sha1   "foobar") "8843d7f92416211de9ebb963ff4ce28125932878"))
> +  (should (equal (secure-hash 'sha224 "foobar") (concat "de76c3e567fca9d246f5f8d3b2e704a3"
> +                                                        "8c3c5e258988ab525f94

Perhaps the lines should be folded to avoid too-long lines?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Stefan Kangas]

Lars Ingebrigtsen <larsi@gnus.org> writes:

> > Thanks Eli and Robert.  How about the attached patch?
>
> Looks good to me, but one tiny thing:
>
> > +(ert-deftest test-secure-hash ()
> > +  (should (equal (secure-hash 'md5    "foobar") "3858f62230ac3c915f300c664312c63f"))
> > +  (should (equal (secure-hash 'sha1   "foobar") "8843d7f92416211de9ebb963ff4ce28125932878"))
> > +  (should (equal (secure-hash 'sha224 "foobar") (concat "de76c3e567fca9d246f5f8d3b2e704a3"
> > +                                                        "8c3c5e258988ab525f94
>
> Perhaps the lines should be folded to avoid too-long lines?

Thanks; fixed and pushed as commit ef8fadf8c1.

Best regards,
Stefan Kangas

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Eli Zaretskii]

> From: Lars Ingebrigtsen <larsi@gnus.org>
> Date: Mon, 16 Sep 2019 22:34:15 +0200
> Cc: 37420@debbugs.gnu.org
> 
> Stefan Kangas <stefan@marxist.se> writes:
> 
> > (I also changed so the doc strings consistently say SHA-1 instead of
> > SHA1, which seems to be more correct AFAICT.)
> 
> Yup.

Should we perhaps do something to help those who know this under the
name "SHA1"?

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Stefan Kangas]

Eli Zaretskii <eliz@gnu.org> writes:

> > > (I also changed so the doc strings consistently say SHA-1 instead of
> > > SHA1, which seems to be more correct AFAICT.)
> >
> > Yup.
>
> Should we perhaps do something to help those who know this under the
> name "SHA1"?

Is there any risk that some users believe that these would be two
different algorithms?  My guess would be no, but I might be wrong.

Best regards,
Stefan Kangas

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Eli Zaretskii]

> From: Stefan Kangas <stefan@marxist.se>
> Date: Tue, 17 Sep 2019 11:09:25 +0200
> Cc: Lars Ingebrigtsen <larsi@gnus.org>, 37420@debbugs.gnu.org
> 
> > Should we perhaps do something to help those who know this under the
> > name "SHA1"?
> 
> Is there any risk that some users believe that these would be two
> different algorithms?  My guess would be no, but I might be wrong.

I have no idea, but I personally didn't even know SHA1 has another
name, let alone a more "official" one.

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Stefan Kangas]

Eli Zaretskii <eliz@gnu.org> writes:

> > > Should we perhaps do something to help those who know this under the
> > > name "SHA1"?
> >
> > Is there any risk that some users believe that these would be two
> > different algorithms?  My guess would be no, but I might be wrong.
>
> I have no idea, but I personally didn't even know SHA1 has another
> name, let alone a more "official" one.

This is the spelling in RFC 3174: https://tools.ietf.org/html/rfc3174

Perhaps SHA1 is just a common typo?

Best regards,
Stefan Kangas

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Stefan Kangas]

Stefan Kangas <stefan@marxist.se> writes:

> This is the spelling in RFC 3174: https://tools.ietf.org/html/rfc3174

Taking a closer look, they actually use "SHA1" in the document
headline, but "SHA-1" in the body text.  So it's a bit of a mess.

I guess the important thing is that we use one spelling consistently
to avoid confusing users even more.

Best regards,
Stefan Kangas

bug#37420: [PATCH] Recommend against SHA-1 for security-related applications

[Stefan Kangas]

Lars Ingebrigtsen <larsi@gnus.org> writes:

> > +Note that SHA-1 is not collision resistant and should not be used
> > +for anything security-related.  See `secure-hash' for
> > +alternatives."
>
> Looks good.

Thanks.  Since there were no other comments, I've now committed this
first patch as commit 6d50010b34.  I'll address the second patch in a
separate email.

Best regards,
Stefan Kangas