
Add 7.0-preview5 SHA hash algorithm known issue #7524

Merged: eerhardt merged 1 commit into main from eerhardt-crypto-known-issue on Jun 9, 2022
eerhardt commented Jun 8, 2022

No description provided.

vcsjones left a comment

Technical details look right to me.

eerhardt requested a review from bartonjs June 8, 2022 15:51
bartonjs commented Jun 8, 2022

It can't happen for single-page requests... do we know the upper-bound on "safe" values?

Assume all bytes are valued greater than 99. So it's something like {"digest":"SHA256","content":[]} with the middle filled in with Max(0, (4 * content.Length) - 1) on a 1024-byte page. If my identifiers and whitespace are right, then that's 32 overhead bytes, so 4L - 1 < (1024-32) => 4L - 1 < 992, 4L < 993, L < 248.25, so the hash of anything 248 bytes or smaller is immune to the race.

Is that worth mentioning (after verifying the numbers)?

eerhardt commented Jun 8, 2022

I'm not sure it is worth mentioning. Could someone do something useful with that information?

If someone is affected by this - I would tell them to stay on 7.0-preview4 until 7.0-preview6 was released. That seems like the most appropriate action rather than trying to work around it just for preview5.

eerhardt merged commit 88b704a into main Jun 9, 2022
eerhardt deleted the eerhardt-crypto-known-issue branch June 9, 2022 20:28