From: Stefan Kangas <stefan@marxist.se>
To: Lars Ingebrigtsen <larsi@gnus.org>
Cc: 37420@debbugs.gnu.org
Subject: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications
Date: Mon, 16 Sep 2019 22:29:43 +0200	[thread overview]
Message-ID: <CADwFkmnLsGMS2P44KyiLLH0sw_JAMpgmkpaBOC6_qCbQzRck3Q@mail.gmail.com> (raw)
In-Reply-To: <87v9tsv65b.fsf@gnus.org>

Lars Ingebrigtsen <larsi@gnus.org> writes:

> > We should clarify that these attacks are not only theoretical, and
> > actively discourage using it in security-related applications in the
> > Elisp Manual.  The attached patch is an attempt at doing that.
>
> Looks good to me.

Thanks.  I thought a bit more about this, and would like to suggest
the attached slightly more ambitious patch which also recommends
against them in the doc strings of sha1, md5 and secure-hash.

(I also changed it so the doc strings consistently say SHA-1 instead of
SHA1, which seems to be more correct AFAICT.)

Best regards,
Stefan Kangas

[-- Attachment #2: 0001-Recommend-against-SHA-1-and-MD5-for-security.patch --]
[-- Type: text/x-patch, Size: 4014 bytes --]

From 9a49ffb8ec5ede05bc6d7100066d9eda7efdde46 Mon Sep 17 00:00:00 2001
From: Stefan Kangas <stefankangas@gmail.com>
Date: Mon, 16 Sep 2019 10:45:14 +0200
Subject: [PATCH] Recommend against SHA-1 and MD5 for security

* doc/lispref/text.texi (Checksum/Hash):
* src/fns.c (Fmd5, Fsecure_hash):
* lisp/subr.el (sha1): Doc fix to recommend against SHA-1 and MD5 for
security-related applications, since they are not collision
resistant.  (Bug#37420)
---
 doc/lispref/text.texi | 12 ++++++------
 lisp/subr.el          |  8 ++++++--
 src/fns.c             | 11 +++++++++--
 3 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/doc/lispref/text.texi b/doc/lispref/text.texi
index 7ce54f59c6..54b89cff5a 100644
--- a/doc/lispref/text.texi
+++ b/doc/lispref/text.texi
@@ -4710,12 +4710,12 @@ Checksum/Hash
 SHA-1, SHA-2, SHA-224, SHA-256, SHA-384 and SHA-512.  MD5 is the
 oldest of these algorithms, and is commonly used in @dfn{message
 digests} to check the integrity of messages transmitted over a
-network.  MD5 is not collision resistant (i.e., it is possible to
-deliberately design different pieces of data which have the same MD5
-hash), so you should not used it for anything security-related.  A
-similar theoretical weakness also exists in SHA-1.  Therefore, for
-security-related applications you should use the other hash types,
-such as SHA-2.
+network.  MD5 and SHA-1 are not collision resistant (i.e., it is
+possible to deliberately design different pieces of data which have
+the same MD5 or SHA-1 hash), so you should not use them for anything
+security-related.  For security-related applications you should use
+the other hash types, such as SHA-2 (e.g. @code{sha384} or
+@code{sha512}).
 
 @defun secure-hash-algorithms
 This function returns a list of symbols representing algorithms that
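Review bot: The alternatives named in the replacement paragraph skip @code{sha256}, the SHA-2 member most callers will reach for, even though SHA-256 appears in the list of supported algorithms in the context line at the top of this hunk; suggest "such as SHA-2 (e.g.@: @code{sha256}, @code{sha384} or @code{sha512})". The "@:" after "e.g." is also needed in Texinfo so that the period is not typeset as the end of a sentence.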
diff --git a/lisp/subr.el b/lisp/subr.el
index 0b47da884b..45b99a82d2 100644
--- a/lisp/subr.el
+++ b/lisp/subr.el
@@ -3120,11 +3120,15 @@ field-at-pos
       raw-field)))
 
 (defun sha1 (object &optional start end binary)
-  "Return the SHA1 (Secure Hash Algorithm) of an OBJECT.
+  "Return the SHA-1 (Secure Hash Algorithm) of an OBJECT.
 OBJECT is either a string or a buffer.  Optional arguments START and
 END are character positions specifying which portion of OBJECT for
 computing the hash.  If BINARY is non-nil, return a string in binary
-form."
+form.
+
+Note that SHA-1 is not collision resistant and should not be used
+for anything security-related.  See `secure-hash' for
+alternatives."
   (secure-hash 'sha1 object start end binary))
 
 (defun function-get (f prop &optional autoload)
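Review bot: The retained context line "specifying which portion of OBJECT for computing the hash" is missing a verb, and since this doc string is being rewritten anyway it would be worth fixing in the same change, e.g. "specifying which portion of OBJECT to hash". The added collision-resistance note and its cross-reference to `secure-hash' read fine.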
diff --git a/src/fns.c b/src/fns.c
index df921e28f3..20047be63d 100644
--- a/src/fns.c
+++ b/src/fns.c
@@ -5379,7 +5379,10 @@ DEFUN ("md5", Fmd5, Smd5, 1, 5, 0,
 command `prefer-coding-system') is used.
 
 If NOERROR is non-nil, silently assume the `raw-text' coding if the
-guesswork fails.  Normally, an error is signaled in such case.  */)
+guesswork fails.  Normally, an error is signaled in such case.
+
+Note that MD5 is not collision resistant and should not be used for
+anything security-related.  See `secure-hash' for alternatives.  */)
   (Lisp_Object object, Lisp_Object start, Lisp_Object end, Lisp_Object coding_system, Lisp_Object noerror)
 {
   return secure_hash (Qmd5, object, start, end, coding_system, noerror, Qnil);
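Review bot: The new caveat is appended after the NOERROR paragraph, at the very end of a long doc string, which is where a reader checking how to call `md5' is least likely to see it; consider placing it immediately after the first line, before the argument descriptions, so the warning is visible in the *Help* buffer without scrolling.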
@@ -5396,7 +5399,11 @@ DEFUN ("secure-hash", Fsecure_hash, Ssecure_hash, 2, 5, 0,
 
 The full list of algorithms can be obtained with `secure-hash-algorithms'.
 
-If BINARY is non-nil, returns a string in binary form.  */)
+If BINARY is non-nil, returns a string in binary form.
+
+Note that MD5 and SHA-1 are not collision resistant and should not be
+used for anything security-related.  Use one of the other hash types
+for security-related applications.  */)
   (Lisp_Object algorithm, Lisp_Object object, Lisp_Object start, Lisp_Object end, Lisp_Object binary)
 {
   return secure_hash (algorithm, object, start, end, Qnil, Qnil, binary);
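Review bot: "Use one of the other hash types for security-related applications" names no alternative, yet this is the doc string that the `sha1' and `md5' notes in this patch point readers to for alternatives; suggest naming the SHA-2 members explicitly, e.g. "Use one of the other hash types, such as sha256, sha384 or sha512, for security-related applications", consistent with the manual text in this patch and with the list `secure-hash-algorithms' (referenced a few lines above) returns.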
-- 
2.20.1

