From 6bd74d69ddbf68871fdcb8a2705298e350056208 Mon Sep 17 00:00:00 2001
From: Linus Jahn
Date: Wed, 31 Aug 2022 16:50:11 +0200
Subject: BobContentId: Improve security warning about SHA-1
---
 src/base/QXmppBitsOfBinaryContentId.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'src/base/QXmppBitsOfBinaryContentId.cpp')
diff --git a/src/base/QXmppBitsOfBinaryContentId.cpp b/src/base/QXmppBitsOfBinaryContentId.cpp
index 4a599c2d..877e08f7 100644
--- a/src/base/QXmppBitsOfBinaryContentId.cpp
+++ b/src/base/QXmppBitsOfBinaryContentId.cpp
@@ -60,6 +60,10 @@ QXmppBitsOfBinaryContentIdPrivate::QXmppBitsOfBinaryContentIdPrivate()
 /// * SHA-3 (SHA3-224, SHA3-256, SHA3-384, SHA3-512)
 /// * BLAKE2 (BLAKE2b256, BLAKE2b512) (requires Qt 6, since QXmpp 1.5)
 ///
+/// \note Security notice: When using the content IDs to cache data between multiple entities it is
+/// important to avoid hash collisions. SHA-1 cannot fulfill this requirement. You SHOULD use
+/// another more secure hash algorithm if you do this.
+///
 /// \since QXmpp 1.2
 ///

@@ -200,8 +204,6 @@ QCryptographicHash::Algorithm QXmppBitsOfBinaryContentId::algorithm() const
 ///
 /// \note Only change this, if you know what you do. The XEP allows other
 /// hashing algorithms than SHA-1 to be used, but not all clients support this.
-/// Since in most cases the content id is not security relevant it is not a
-/// problem to continue using SHA-1.
 ///
 void QXmppBitsOfBinaryContentId::setAlgorithm(QCryptographicHash::Algorithm algo)
 {
--
cgit v1.2.3
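Review bot: The added `\note` after the algorithm list tells readers to use "another more secure hash algorithm" but names neither a candidate nor the call that selects it, so someone building a shared cache has to guess. I would close the note with something like `/// Prefer one of the SHA-3 or BLAKE2 algorithms listed above and select it with setAlgorithm().` It would also help to state that a cache should store received data only after recomputing its hash and comparing it with the content ID, because collision resistance protects nothing if that comparison is skipped; whether the library performs this check is not visible here. The comment block starts above the hunk.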
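Review bot: After the two SHA-1 lines are removed, the remaining `\note` on `setAlgorithm()` still reads as advice to leave the algorithm alone ("Only change this, if you know what you do"), which pulls against the class-level notice added in the first hunk. A reader who lands only on this setter gets the interoperability caveat without the security reason for changing the algorithm. I would add one line, for example `/// If content IDs are used to cache data between multiple entities, prefer a collision-resistant algorithm despite the reduced client support.` If SHA-1 remains the default (the default is not visible in this hunk), the note should say so explicitly. The function body continues past the end of the hunk.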