GitLab

NOTE: This is a confidential ticket because it may describe a vulnerability.

I suggest replacing FNV-1a in BIND with SipHash: https://131002.net/siphash/siphash.pdf

BIND uses FNV-1a for the hashtables with a random starting seed (the offset basis).. but IMO it falls short of being a true universal hash function because I suspect it would map to different buckets based on the initial offset basis chosen, but colliding keys would still map to the same buckets regardless of the initial offset basis (the bucket# may be different).

SipHash is a more robust hash function and it suggests the hash table function as an application. The change to SipHash would be fairly easy, but note that some parts of BIND may perform incremental hashing (i.e., they add input data to compute the hash from different places of the library). So the hash function would need to follow an API similar to the HMAC contexts in BIND, OR, the data would have to be concatenated into a buffer as a whole before hashing.

I suspect collisions may be exploitable by hash flooding (there have also been previous reports of these). See section 7 of the siphash paper and references [13], etc. in the paper for details.

See this presentation: https://media.ccc.de/v/29c3-5152-en-hashflooding_dos_reloaded_h264