Posted to commits@subversion.apache.org by as...@apache.org on 2017/05/08 20:34:56 UTC

svn commit: r1794454 - /subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh

Author: astieger
Date: Mon May  8 20:34:56 2017
New Revision: 1794454

URL: http://svn.apache.org/viewvc?rev=1794454&view=rev
Log:
Another hook to reject SHA-1 collisions, using counter-cryptanalysis

* tools/hook-scripts/reject-detected-sha1-collisions.sh:
  Based on reject-known-sha1-collisions.sh, using sha1collisiondetection

Added:
    subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh
      - copied, changed from r1794441, subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh

Copied: subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh (from r1794441, subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh)
URL: http://svn.apache.org/viewvc/subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh?p2=subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh&p1=subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh&r1=1794441&r2=1794454&rev=1794454&view=diff
==============================================================================
--- subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh (original)
+++ subversion/trunk/tools/hook-scripts/reject-detected-sha1-collisions.sh Mon May  8 20:34:56 2017
@@ -20,20 +20,20 @@
 #
 # $Id$
 #
-# Prevents some SHA-1 collisions to be committed
-# Test for the 320 byte prefix found on https://shattered.io/
-# If the files are committed in the same transaction, svnlook
-# will error out itself due to the apparent corruption in the
-# candidate revision
+# Prevents detected SHA-1 collisions from being committed.
+# Uses sha1dcsum of sha1collisiondetection to detect
+# crytoanalytic collision attacks against SHA-1. The
+# detection works on a single side of the collision.
+# https://github.com/cr-marcstevens/sha1collisiondetection
+# commit 5ee29e5 or later
 
 REPOS="$1"
 TXN="$2"
 SVNLOOK=/usr/bin/svnlook
 GREP=/usr/bin/grep
 SED=/usr/bin/sed
-# GNU coreutils versions of these tools are required:
-SHA1SUM=/usr/bin/sha1sum
 HEAD=/usr/bin/head
+SHA1DCSUM=/usr/bin/sha1dcsum
 
 $SVNLOOK changed -t "$TXN" "$REPOS"
 if [ $? -ne 0 ]; then
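Review bot: Nothing verifies that the new `SHA1DCSUM=/usr/bin/sha1dcsum` path exists before the hook depends on it, and since the later pipeline's status is grep's alone, a missing binary makes every file fail with the misleading "detected SHA-1 collision rejected" message instead of a configuration error. After the tool assignments I would add `[ -x "$SHA1DCSUM" ] || { echo "sha1dcsum not found at $SHA1DCSUM" >&2; exit 2; }` so an unconfigured hook is reported as such (rejecting is still the safe outcome, but the operator should see why). The header comment also has a typo: "crytoanalytic" should read "cryptanalytic". The "commit 5ee29e5 or later" requirement would be easier to act on if the comment said what that commit provides, if that is known.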
@@ -42,9 +42,9 @@ if [ $? -ne 0 ]; then
 fi
 
 $SVNLOOK changed -t "$TXN" "$REPOS" | $GREP -Ev '^D ' | $SED -e 's/^.   //' | $GREP -v '/$' | while IFS= read -r FILE; do
-  PREFIX=`$SVNLOOK cat -t "$TXN" "$REPOS" "$FILE" | $HEAD -c320 | $SHA1SUM | cut -c-40`
-  if [ x"$PREFIX" = x'f92d74e3874587aaf443d1db961d4e26dde13e9c' ]; then
-        echo "known SHA-1 collision rejected" >&2
+  $SVNLOOK cat -t "$TXN" "$REPOS" "$FILE" | $SHA1DCSUM - | $GREP -qv " \*coll\* "
+  if [ $? -ne 0 ]; then
+        echo "detected SHA-1 collision rejected" >&2
         exit 3
   fi
 done
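Review bot: The `$?` tested right after the new pipeline is grep's status alone, so a failure of `svnlook cat` goes undetected: if svnlook writes nothing to stdout on error, sha1dcsum hashes the empty input, reports no collision, and the unreadable file is accepted, which means the check fails open for exactly the case where the content could not be examined. Conversely, a sha1dcsum failure or absence yields no output, `grep -v` exits 1, and the commit is rejected with a collision message that misstates the cause. The shebang and any `set` options are outside the hunk; if the script runs under bash, `set -o pipefail` near the top plus a distinct message for non-grep failures would do, otherwise spool the content to an `mktemp` file and check each step separately, as below. Including `$FILE` in the rejection message also helps the committer locate the offending path.
```shell
  # … unchanged: while-loop header over changed paths …
  TMP=$(mktemp) || exit 2
  $SVNLOOK cat -t "$TXN" "$REPOS" "$FILE" > "$TMP"
  if [ $? -ne 0 ]; then
        echo "svnlook cat failed for '$FILE'" >&2
        rm -f -- "$TMP"
        exit 2
  fi
  RESULT=$($SHA1DCSUM "$TMP")
  STATUS=$?
  rm -f -- "$TMP"
  if [ $STATUS -ne 0 ] || [ -z "$RESULT" ]; then
        echo "sha1dcsum failed for '$FILE'" >&2
        exit 2
  fi
  # sha1dcsum marks a detected collision with " *coll* " on its output line
  case "$RESULT" in
    *" *coll* "*)
        echo "detected SHA-1 collision rejected: $FILE" >&2
        exit 3
        ;;
  esac
done
```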