Posted to commits@subversion.apache.org by as...@apache.org on 2017/05/08 20:34:56 UTC
svn commit: r1794454 -
/subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh
Author: astieger
Date: Mon May 8 20:34:56 2017
New Revision: 1794454
URL: http://svn.apache.org/viewvc?rev=1794454&view=rev
Log:
Another hook to reject SHA-1 collisions, using counter-cryptanalysis
* tools/hook-scripts/reject-detected-sha1-collisions.sh:
Based on reject-known-sha1-collisions.sh, using sha1collisiondetection
Added:
subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh
- copied, changed from r1794441, subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh
Copied: subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh (from r1794441, subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh)
URL: http://svn.apache.org/viewvc/subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh?p2=subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh&p1=subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh&r1=1794441&r2=1794454&rev=1794454&view=diff
==============================================================================
--- subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh (original)
+++ subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh Mon May 8 20:34:56 2017
@@ -20,20 +20,20 @@
#
# $Id$
#
-# Prevents some SHA-1 collisions to be committed
-# Test for the 320 byte prefix found on https://shattered.io/
-# If the files are committed in the same transaction, svnlook
-# will error out itself due to the apparent corruption in the
-# candidate revision
+# Prevents detected SHA-1 collisions from being committed.
+# Uses sha1dcsum of sha1collisiondetection to detect
+# crytoanalytic collision attacks against SHA-1. The
+# detection works on a single side of the collision.
+# https://github.com/cr-marcstevens/sha1collisiondetection
+# commit 5ee29e5 or later
REPOS="$1"
TXN="$2"
SVNLOOK=/usr/bin/svnlook
GREP=/usr/bin/grep
SED=/usr/bin/sed
-# GNU coreutils versions of these tools are required:
-SHA1SUM=/usr/bin/sha1sum
HEAD=/usr/bin/head
+SHA1DCSUM=/usr/bin/sha1dcsum
$SVNLOOK changed -t "$TXN" "$REPOS"
if [ $? -ne 0 ]; then
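Review bot: `crytoanalytic` in the new header comment (the line `# crytoanalytic collision attacks against SHA-1. The`) is misspelled; the term is `cryptanalytic`. Separately, `SHA1DCSUM=/usr/bin/sha1dcsum` is assigned without any check that the binary is present, even though the header now documents a hard dependency on a specific sha1collisiondetection commit; if it is missing, the later pipeline produces no output and every commit is rejected with a message that claims a collision. A guard right after the assignment, `[ -x "$SHA1DCSUM" ] || { echo "sha1dcsum not found at $SHA1DCSUM" >&2; exit 2; }`, would fail with an accurate diagnostic instead. The `if` that closes this hunk continues outside it.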
@@ -42,9 +42,9 @@ if [ $? -ne 0 ]; then
fi
$SVNLOOK changed -t "$TXN" "$REPOS" | $GREP -Ev '^D ' | $SED -e 's/^. //' | $GREP -v '/$' | while IFS= read -r FILE; do
- PREFIX=`$SVNLOOK cat -t "$TXN" "$REPOS" "$FILE" | $HEAD -c320 | $SHA1SUM | cut -c-40`
- if [ x"$PREFIX" = x'f92d74e3874587aaf443d1db961d4e26dde13e9c' ]; then
- echo "known SHA-1 collision rejected" >&2
+ $SVNLOOK cat -t "$TXN" "$REPOS" "$FILE" | $SHA1DCSUM - | $GREP -qv " \*coll\* "
+ if [ $? -ne 0 ]; then
+ echo "detected SHA-1 collision rejected" >&2
exit 3
fi
done
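Review bot: The `[ $? -ne 0 ]` test after `$GREP -qv " \*coll\* "` cannot tell a detected collision apart from an empty pipeline: if `$SVNLOOK cat` or `$SHA1DCSUM` fails (binary missing, transaction unreadable), grep selects no lines, exits 1, and the hook rejects the commit with `detected SHA-1 collision rejected`. Failing closed is the right default for a pre-commit hook, but the message should not assert a collision that was not observed, and it should name the file so the operator can triage, e.g. `echo "SHA-1 collision detected or sha1dcsum check failed for $FILE; commit rejected" >&2`. The check also depends on sha1dcsum marking a detected collision with the literal ` *coll* ` token on its output line; a one-line comment above the pipeline stating that expected output format would make the grep pattern self-explanatory.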