GNU bug report logs - #37420
[PATCH] Recommend against SHA-1 for security-related applications


Package: emacs

Reported by: Stefan Kangas <stefan <at> marxist.se>

Date: Mon, 16 Sep 2019 08:54:02 UTC

Severity: normal

Tags: patch

Done: Stefan Kangas <stefan <at> marxist.se>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Stefan Kangas <stefan <at> marxist.se>
Subject: bug#37420: closed (Re: bug#37420: [PATCH] Recommend against SHA-1
 for security-related applications)
Date: Fri, 04 Oct 2019 15:35:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#37420: [PATCH] Recommend against SHA-1 for security-related applications

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 37420 <at> debbugs.gnu.org.

-- 
37420: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37420
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Stefan Kangas <stefan <at> marxist.se>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 37420-done <at> debbugs.gnu.org, Robert Pluim <rpluim <at> gmail.com>,
 Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
Date: Fri, 4 Oct 2019 17:33:54 +0200
Lars Ingebrigtsen <larsi <at> gnus.org> writes:

> > Thanks Eli and Robert.  How about the attached patch?
>
> Looks good to me, but one tiny thing:
>
> > +(ert-deftest test-secure-hash ()
> > +  (should (equal (secure-hash 'md5    "foobar") "3858f62230ac3c915f300c664312c63f"))
> > +  (should (equal (secure-hash 'sha1   "foobar") "8843d7f92416211de9ebb963ff4ce28125932878"))
> > +  (should (equal (secure-hash 'sha224 "foobar") (concat "de76c3e567fca9d246f5f8d3b2e704a3"
> > +                                                        "8c3c5e258988ab525f94
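Review bot: the `should` forms visible in test-secure-hash all hash the same literal "foobar" and compare only the hex string, so as quoted the test would not catch a regression that affects empty input or the BINARY return form of secure-hash. Consider adding an empty-string assertion and one call with the BINARY argument for at least one algorithm, unless the part of the hunk cut off in this quote already covers them.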
>
> Perhaps the lines should be folded to avoid too-long lines?

Thanks; fixed and pushed as commit ef8fadf8c1.

Best regards,
Stefan Kangas

[Message part 3 (message/rfc822, inline)]
From: Stefan Kangas <stefan <at> marxist.se>
To: bug-gnu-emacs <at> gnu.org
Subject: [PATCH] Recommend against SHA-1 for security-related applications
Date: Mon, 16 Sep 2019 10:53:27 +0200
[Message part 4 (text/plain, inline)]
SHA-1 has now seen collision attacks:
https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/

We should clarify that these attacks are not only theoretical, and
actively discourage using it in security-related applications in the
Elisp Manual.  The attached patch is an attempt at doing that.

Any comments?

Best regards,
Stefan Kangas
[0001-Recommend-against-SHA-1-for-security-related-applica.patch (text/x-patch, attachment)]

This bug report was last modified 5 years and 233 days ago.
