[ tl;dr: See last paragraph for a concrete question about ra_serf. ]

Karl Fogel wrote on Fri, 20 Jan 2023 17:18 +00:00:
> Yes.  A hash is considered "broken" the moment security researchers 
> can generate a collision.

Consider the following uses of hash functions in our code:

- FSFS rep-cache uses SHA-1.

- The ra_serf download optimization uses SHA-1.

- The commit editor uses MD5 in apply_textdelta() and close_file().

The first one is fine, because FSFS rejects collisions in new commits
(as pointed out upthread).

The second one is not necessarily fine: a variation of the attack you (kfogel)
described could make a client wrongly trigger the optimization and end
up with the wrong fulltext.

The third one is fine, because the delta and its resulting fulltext's
checksum don't travel separately.

So, there you have it: a use of SHA-1 which can stay as-is, a use of SHA-1
which may need attention, and a use of MD5 which can stay as-is — all
in the same codebase.

Thus, whether a hash function is "broken" or not depends on the context
in which it is used.

----

To be clear, the ra_serf thing which "may need attention" is the use
of «final_sha1_checksum» in subversion/libsvn_ra_serf/update.c.  That's
a place where we assume SHA-1 is one-to-one.

Cheers,

Daniel

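The distinction drawn in the message above, between a writer that rejects colliding content and a reader that assumes the checksum is one-to-one, as an added example that is not part of the original message and not Subversion's code. It assumes a toy 8-bit checksum in place of SHA-1 so that a collision is available; `toy_hash`, `put_checked` and `fetch_trusting` are hypothetical names.

```c
#include <string.h>

/* Toy 8-bit checksum standing in for a hash with known collisions
   (assumption for the demo; not SHA-1 and not Subversion code). */
static unsigned toy_hash(const char *s) {
    unsigned h = 0;
    while (*s) h = (h + (unsigned char)*s++) & 0xffu;
    return h;
}

#define SLOTS 256
struct store { const char *text[SLOTS]; };  /* one fulltext per checksum */

/* Writer that verifies on a checksum hit: 0 = stored, 1 = deduplicated,
   -1 = rejected because the checksum matches but the content differs. */
static int put_checked(struct store *st, const char *text) {
    unsigned h = toy_hash(text);
    if (st->text[h] == NULL) { st->text[h] = text; return 0; }
    return strcmp(st->text[h], text) == 0 ? 1 : -1;
}

/* Reader that treats the checksum as one-to-one: on a hit it returns the
   cached fulltext without comparing it with what the server would send. */
static const char *fetch_trusting(const struct store *cache,
                                  unsigned advertised, const char *from_server) {
    return cache->text[advertised] ? cache->text[advertised] : from_server;
}

/* Constructed inputs: "ab" and "ba" collide under toy_hash. */
static int demo_writer_rejects(void) {
    struct store repo = {{0}};
    put_checked(&repo, "ab");
    return put_checked(&repo, "ba");           /* collision refused */
}

static const char *demo_reader_wrong_text(void) {
    struct store cache = {{0}};
    cache.text[toy_hash("ab")] = "ab";         /* already in the local cache */
    return fetch_trusting(&cache, toy_hash("ba"), "ba");  /* wrong fulltext */
}

int main(void) {
    return !(demo_writer_rejects() == -1 &&
             strcmp(demo_reader_wrong_text(), "ab") == 0);
}
```

The same checksum is harmless in the first path and harmful in the second only because the second skips the content comparison.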