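#!/bin/sh
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#
#
# $Id: reject-detected-sha1-collisions.sh 1794454 2017-05-08 20:34:56Z astieger $
#
# Pre-commit hook: prevents detected SHA-1 collisions from being
# committed.  Uses sha1dcsum of sha1collisiondetection to detect
# cryptanalytic collision attacks against SHA-1.  The detection works
# on a single side of the collision.
# https://github.com/cr-marcstevens/sha1collisiondetection
# commit 5ee29e5 or later
#
# Usage (from hooks/pre-commit): reject-detected-sha1-collisions.sh REPOS TXN
#
# Exit status:
#   0  every added or modified file passed sha1dcsum
#   2  svnlook failed, either on the transaction or on a single file;
#      the commit is refused because the content could not be verified
#   3  sha1dcsum flagged a file, or produced no checksum for it
#
# Subversion invokes hooks with an empty environment, so every tool is
# referenced by absolute path.

REPOS="$1"
TXN="$2"
SVNLOOK=/usr/bin/svnlook
SHA1DCSUM=/usr/bin/sha1dcsum

#######################################
# Refuse the commit: print a diagnostic on stderr and exit.
# Arguments: $1 - exit status, $2 - message
#######################################
reject() {
  printf '%s\n' "$2" >&2
  exit "$1"
}

# Fetch the change list exactly once.  A failing svnlook is treated as a
# possible collision rather than ignored, so an unreadable transaction
# can never slip through.
changed=$($SVNLOOK changed -t "$TXN" "$REPOS") \
  || reject 2 'svnlook failed, possible SHA-1 collision'

# The loop reads from a here-document, not from a pipe, so it runs in
# this shell and "exit" inside it really ends the hook.  No svnlook line
# can equal the delimiter: every line starts with the status columns.
while IFS= read -r line; do
  case "$line" in
    '' | D* | */) continue ;;   # nothing to hash: empty, deleted, or a directory
  esac
  # svnlook changed prints two status columns and two spaces before the
  # path ("A   path", "_U  path", "UU  path").  A line that does not
  # fit that shape is passed on unchanged and fails in svnlook cat below.
  path=${line#??"  "}

  # sha1dcsum sits behind svnlook in a pipe, so svnlook's exit status
  # would otherwise be invisible and a truncated read would be hashed
  # as if it were the whole file.  fd 3 carries the status into the
  # same command substitution that captures sha1dcsum's checksum line.
  report=$(
    exec 3>&1
    { $SVNLOOK cat -t "$TXN" "$REPOS" "$path" 3>&-
      printf 'svnlook-cat-status=%s\n' "$?" >&3; } | $SHA1DCSUM -
  )

  case "$report" in
    *'svnlook-cat-status=0'*) ;;
    *) reject 2 'svnlook failed, possible SHA-1 collision' ;;
  esac
  # sha1dcsum marks a detected collision with " *coll* " on its checksum
  # line.  When the status line is the whole report, sha1dcsum wrote no
  # checksum at all (for instance the binary is missing); that file is
  # unverified and is rejected as well.
  case "$report" in
    *' *coll* '*) reject 3 'detected SHA-1 collision rejected' ;;
    'svnlook-cat-status=0') reject 3 'sha1dcsum produced no checksum, rejecting' ;;
  esac
done <<SVNLOOK_CHANGED_END
$changed
SVNLOOK_CHANGED_END

exit 0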