From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications
Date: Sat, 28 Sep 2019 12:19:58 +0200
To: Robert Pluim
Cc: Lars Ingebrigtsen, 37420@debbugs.gnu.org

Robert Pluim writes:

> >>>>> On Tue, 17 Sep 2019 09:05:09 +0300, Eli Zaretskii said:
>
> >> From: Stefan Kangas
> >> Date: Mon, 16 Sep 2019 23:50:33 +0200
> >> Cc: 37420@debbugs.gnu.org
> >>
> >> +These symbols corresponds to the following hashing algorithms:
> >> +
> >> + md5 - MD5
> >> + sha1 - SHA-1
> >> + sha224 - SHA-2 / SHA-224
> >> + sha256 - SHA-2 / SHA-384
> >> + sha384 - SHA-2 / SHA-384
> >> + sha512 - SHA-2 / SHA-512
>
> Eli> Please always use "--" to imply an em-dash in plain text. In this
> Eli> case, perhaps an even better way would be to explicitly say
> Eli> "corresponds to".
>
> You have sha256 -> SHA-384

Thanks Eli and Robert. How about the attached patch?

Best regards,
Stefan Kangas

[Attachment: 0001-Add-tests-for-secure-hash-and-improve-doc-string.patch (text/x-patch)]
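
Review bot: the quoted doc-string hunk lists md5 and sha1 alongside the SHA-2 variants with nothing to distinguish them, at the lines "+ md5 - MD5" and "+ sha1 - SHA-1". Since the bug title is about recommending against SHA-1 for security-related applications, consider marking in that same list which algorithms should not be relied on for such use, so a reader choosing an ALGORITHM symbol sees the recommendation where the choice is made. The opening line "+These symbols corresponds" should also read "correspond".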