refactor

- align `gix-hash` integration tests with 'new' style.
- reorganize `hasher` module to avoid duplicate paths to the same types/functions.
- use shorter paths to `gix_hash::hasher|io` everywhere.

Author: Byron

gix-features/src/hash.rs

@@ -2,9 +2,9 @@
 
 /// Compute a CRC32 hash from the given `bytes`, returning the CRC32 hash.
 ///
-/// When calling this function for the first time, `previous_value` should be `0`. Otherwise it
-/// should be the previous return value of this function to provide a hash of multiple sequential
-/// chunks of `bytes`.
+/// When calling this function for the first time, `previous_value` should be `0`.
+/// Otherwise, it should be the previous return value of this function to provide a hash
+/// of multiple sequential chunks of `bytes`.
 #[cfg(feature = "crc32")]
 pub fn crc32_update(previous_value: u32, bytes: &[u8]) -> u32 {
     let mut h = crc32fast::Hasher::new_with_initial(previous_value);

gix-hash/src/hasher.rs

@@ -0,0 +1,71 @@
+/// The error returned by [`Hasher::try_finalize()`](crate::Hasher::try_finalize()).
+#[derive(Debug, thiserror::Error)]
+#[allow(missing_docs)]
+pub enum Error {
+    #[error("Detected SHA-1 collision attack with digest {digest}")]
+    CollisionAttack { digest: crate::ObjectId },
+}
+
+pub(super) mod _impl {
+    use crate::hasher::Error;
+    use sha1_checked::{CollisionResult, Digest};
+
+    /// An implementation of the Sha1 hash, which can be used once.
+    ///
+    /// We use [`sha1_checked`] to implement the same collision detection
+    /// algorithm as Git.
+    #[derive(Clone)]
+    pub struct Hasher(sha1_checked::Sha1);
+
+    impl Hasher {
+        /// Let's not provide a public default implementation to force people to go through [`hasher()`].
+        fn default() -> Self {
+            // This matches the configuration used by Git, which only uses
+            // the collision detection to bail out, rather than computing
+            // alternate “safe hashes” for inputs where a collision attack
+            // was detected.
+            Self(sha1_checked::Builder::default().safe_hash(false).build())
+        }
+    }
+
+    impl Hasher {
+        /// Digest the given `bytes`.
+        pub fn update(&mut self, bytes: &[u8]) {
+            self.0.update(bytes);
+        }
+
+        /// Finalize the hash and produce an object ID.
+        ///
+        /// Returns [`Error`] if a collision attack is detected.
+        #[inline]
+        pub fn try_finalize(self) -> Result<crate::ObjectId, Error> {
+            match self.0.try_finalize() {
+                CollisionResult::Ok(digest) => Ok(crate::ObjectId::Sha1(digest.into())),
+                CollisionResult::Mitigated(_) => {
+                    // SAFETY: `CollisionResult::Mitigated` is only
+                    // returned when `safe_hash()` is on. `Hasher`’s field
+                    // is private, and we only construct it in the
+                    // `Default` instance, which turns `safe_hash()` off.
+                    //
+                    // As of Rust 1.84.1, the compiler can’t figure out
+                    // this function cannot panic without this.
+                    #[allow(unsafe_code)]
+                    unsafe {
+                        std::hint::unreachable_unchecked()
+                    }
+                }
+                CollisionResult::Collision(digest) => Err(Error::CollisionAttack {
+                    digest: crate::ObjectId::Sha1(digest.into()),
+                }),
+            }
+        }
+    }
+
+    /// Produce a hasher suitable for the given `kind` of hash.
+    #[inline]
+    pub fn hasher(kind: crate::Kind) -> Hasher {
+        match kind {
+            crate::Kind::Sha1 => Hasher::default(),
+        }
+    }
+}