[Toybox] protect against sha*sum misconfiguration?

enh enh at google.com
Fri Aug 23 08:08:42 PDT 2019


On Fri, Aug 23, 2019 at 7:55 AM Rob Landley <rob at landley.net> wrote:
>
> On 8/22/19 2:54 PM, enh via Toybox wrote:
> > i accidentally ended up with a toybox binary that had the sha*sum
> > binaries enabled, but TOYBOX_LIBCRYPTO disabled. this silently output
> > md5sums instead. seems like a compile-time error would have been
> > ideal, and a run-time error still better than just silently doing the
> > wrong thing.
>
> Sigh. My _plan_ was to implement sha*sum in the built-in logic, I just haven't
> gotten around to it yet. (In the meantime they default "n" like the rest of the
> pending stuff, but of course you don't use that. :)

ain't nobody got time for kconfig.

> > runtime's easy enough; something like
> >
> >   if (!CFG_TOYBOX_LIBCRYPTO) error_exit("toybox built without libcrypto");
> >
> > in sha1sum_main (which implements all the sha*sums). but i feel like a
> > build-time check would be better, and i'm not sure about the right way
> > to write that?
>
> Well, it already says "depends on TOYBOX_LIBCRYPTO" in the kconfig entries so
> you shouldn't be _able_ to select it if you've disabled that. (It shouldn't show
> up in menuconfig, you'd have to hand-edit your config file. Is this a kconfig
> bug or did you do that?)

i always do that --- when you have three configs (device, linux, mac)
to maintain and you're tracking upstream so it's a question of "add
the newly added thing with a yes or a no" rather than "browse hundreds
of options like a tourist", manual edits seem like the only sensible
way to go?

> If you want to guard against _THAT_, we can put USE_TOYBOX_LIBCRYPTO() around
> the NEWTOY lines for those three. (They nest.) Or I can just try to find time to
> implement sha3 and friends. :)

ah, i hadn't realized that... i'll send you a patch for that later as
a safety measure until there are fallback implementations of the shas
(note that even sha1 isn't implemented: all the shas end up as md5).

> Sigh, what are we up to. Let's check the drinking game page...
>
> https://valerieaurora.org/hash.html
>
> Looks like sha3 is still current.

the table at the bottom of https://en.wikipedia.org/wiki/SHA-1 is
similar. (arm64 has sha3 hardware acceleration, but as long as x86-64
doesn't, i don't expect to see md5 and sha1 disappear any time soon.)

> Rob
> _______________________________________________
> Toybox mailing list
> Toybox at lists.landley.net
> http://lists.landley.net/listinfo.cgi/toybox-landley.net



More information about the Toybox mailing list