<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href="https://github.com/llvm/llvm-project/issues/89271">89271</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [lldb] Migrate from MD5 to a cryptographically secure hash for remote protocol
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          emaste
      </td>
    </tr>
</table>

<pre>
    MD5 is susceptible to collisions and is becoming increasingly so, and is thus not appropriate where a cryptographically secure hash is required. Even if the use case in LLDB is unlikely to be subject to a practical attack there is some potential for workflow confusion due to hash collisions - determining that files are identical and thus do not need to be transferred does require a good hash.

MD5 has been known to be weak for quite some time, but increasingly simple collisions are being found - for example, these two 72-character ASCII strings differ by one byte, but have identical MD5 hashes:

`TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak`
`TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak`
`                     ^` note difference here
(from https://twitter.com/realhashbreaker/status/1770161965006008570)

This issue is a followup from https://github.com/llvm/llvm-project/pull/88812 and in particular https://github.com/llvm/llvm-project/pull/88812#issuecomment-2061565125 based on a response to my comment there. I had assumed that the use of MD5 originated with GDB, but the investigation in the pull request shows it was added in https://github.com/llvm/llvm-project/commit/e0f8f574c7f41f5b61ec01aa290d52fc55a3f3c9 and is our extension.

As mentioned in the linked comment we can add a `vFile:betterHash` (or a more general `hash:<kind>`) and try to use that, falling back to MD5 if the remote lacks support.
</pre>
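<p>An added example, not part of the original issue and not LLDB code: it runs a skip-if-identical transfer check over the two strings quoted above, once against a remote that only offers MD5 and once against one that also offers a stronger hash. The names <code>pick_hash</code> and <code>needs_transfer</code>, the preference order and the use of SHA-256 as the stronger hash are assumptions made for illustration; the issue itself only proposes <code>vFile:betterHash</code> or <code>hash:&lt;kind&gt;</code>.</p>

```python
import hashlib

# The two 72-byte strings quoted in the issue; they differ in a single byte.
A = b"TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak"
B = b"TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak"

# Hypothetical preference order: strongest first, MD5 only as the fallback.
PREFERRED = ("sha256", "md5")


def digest(data, kind):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(kind, data).hexdigest()


def pick_hash(remote_supported):
    """Choose the first preferred hash that the remote side also supports."""
    for kind in PREFERRED:
        if kind in remote_supported:
            return kind
    raise ValueError("no hash algorithm in common with the remote")


def needs_transfer(local, remote, kind):
    """Skip-if-identical check: transfer only when the digests differ."""
    return digest(local, kind) != digest(remote, kind)


def demo():
    """Run the check against a constructed MD5-only and a constructed upgraded remote."""
    remotes = {"md5-only remote": {"md5"}, "upgraded remote": {"md5", "sha256"}}
    results = {}
    for name, supported in remotes.items():
        kind = pick_hash(supported)
        results[name] = (kind, needs_transfer(A, B, kind))
    return results


if __name__ == "__main__":
    for name, (kind, transfer) in demo().items():
        print(f"{name}: hash={kind} transfer_needed={transfer}")
```

<p>With the MD5 fallback the check reports that no transfer is needed even though the contents differ, which is the workflow confusion the issue describes.</p>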