From 80b3994500a1fd50e0d0484d2ffb14604032fe2a Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Thu, 19 Apr 2018 09:50:09 +0200 Subject: [PATCH] prepare_port: prefer SHA256 file verification SHA1 is susceptible to collision attacks and is generally deprecated. Source code archives are particularly vulnerable because the hash digest can be tweaked by hiding by arbitrary data in code comments and files not processed during build. With this in mind the 'prepare_port' tool now attempts to verify digests as SHA256 with a fallback to SHA1. When CHECK_HASH=no is set the tool will refuse to verify digests as SHA1. The use of SHA1 for creating unique port versions is retained because the hashes are produced locally from inputs stored in a git history. Issue #2767 --- tool/ports/mk/install.mk | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/tool/ports/mk/install.mk b/tool/ports/mk/install.mk index 00fca6ea3e..255c9e5c8c 100644 --- a/tool/ports/mk/install.mk +++ b/tool/ports/mk/install.mk @@ -59,7 +59,9 @@ include $(GENODE_DIR)/tool/ports/mk/common.inc $(call check_tool,wget) $(call check_tool,patch) -$(call check_tool, $(HASHSUM)) +$(call check_tool,sha1sum) +$(call check_tool,sha256sum) +$(call check_tool,$(HASHSUM)) # # Assertion for the presence of a LICENSE and VERSION declarations in the port @@ -193,6 +195,19 @@ _svn_dir = $(call _assert,$(DIR($1)),Missing declaration of DIR($*)) _file_name = $(call _prefer,$(NAME($1)),$(notdir $(URL($1)))) +_verify_sha256 = \ + ($(ECHO) "$(SHA($1)) $(call _file_name,$1)" \ + | sha256sum -c > /dev/null 2> /dev/null) + +# Generate shell code for verifying a file +ifeq ($(CHECK_HASH),no) +_verify_sha1 = ($(ECHO) CHECK_HASH=no enables only SHA256 checksums; false) +else +_verify_sha1 = \ + ($(ECHO) "$(SHA($1)) $(call _file_name,$1)" \ + | sha1sum -c > /dev/null 2> /dev/null) +endif + # Some downloads are available via HTTPS only, but wget < 3.14 does not support # server-name identification, which is used by some sites. So, we disable # certificate checking in wget and check the validity of the download via SIG @@ -206,10 +221,8 @@ _file_name = $(call _prefer,$(NAME($1)),$(notdir $(URL($1)))) (test -f $$name || $(MSG_DOWNLOAD)$(URL($*))); \ (test -f $$name || wget --quiet --no-check-certificate $(URL($*)) -O $$name) || \ ($(ECHO) Error: Download for $* failed; false) - $(VERBOSE)\ - ($(ECHO) "$(SHA($*)) $(call _file_name,$*)" |\ - $(HASHSUM) -c > /dev/null 2> /dev/null) || \ - ($(ECHO) Error: Hash sum check for $* failed; false) + $(VERBOSE) $(call _verify_sha256,$*) || $(call _verify_sha1,$*) \ + || ($(ECHO) Error: Hash sum check for $* failed; false) ##