Thought to apply a better encryption mechanism.
Replace all occurance of md5sum to sha256sum .
Signed-off-by: Bhaskar Chowdhury <[email protected]>
---
kernel/gen_kheaders.sh | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/kernel/gen_kheaders.sh b/kernel/gen_kheaders.sh
index 0c78e64f747d..1abf2d83039c 100755
--- a/kernel/gen_kheaders.sh
+++ b/kernel/gen_kheaders.sh
@@ -3,6 +3,7 @@
# This script generates an archive consisting of kernel headers
# for CONFIG_IKHEADERS.
+# Replace md5sum to sha256sum
set -e
sfile="$(readlink -f "$0")"
outdir="$(pwd)"
@@ -37,22 +38,22 @@ all_dirs="$all_dirs $dir_list"
# When Kconfig regenerates include/generated/autoconf.h, its timestamp is
# updated, but the contents might be still the same. When any CONFIG option is
# changed, Kconfig touches the corresponding timestamp file include/config/*.
-# Hence, the md5sum detects the configuration change anyway. We do not need to
+# Hence, the sha256sum detects the configuration change anyway. We do not need to
# check include/generated/autoconf.h explicitly.
#
-# Ignore them for md5 calculation to avoid pointless regeneration.
-headers_md5="$(find $all_dirs -name "*.h" |
+# Ignore them for sha256 calculation to avoid pointless regeneration.
+headers_sha256="$(find $all_dirs -name "*.h" |
grep -v "include/generated/compile.h" |
grep -v "include/generated/autoconf.h" |
- xargs ls -l | md5sum | cut -d ' ' -f1)"
+ xargs ls -l | sha256sum| cut -d ' ' -f1)"
# Any changes to this script will also cause a rebuild of the archive.
-this_file_md5="$(ls -l $sfile | md5sum | cut -d ' ' -f1)"
-if [ -f $tarfile ]; then tarfile_md5="$(md5sum $tarfile | cut -d ' ' -f1)"; fi
-if [ -f kernel/kheaders.md5 ] &&
- [ "$(head -n 1 kernel/kheaders.md5)" = "$headers_md5" ] &&
- [ "$(head -n 2 kernel/kheaders.md5 | tail -n 1)" = "$this_file_md5" ] &&
- [ "$(tail -n 1 kernel/kheaders.md5)" = "$tarfile_md5" ]; then
+this_file_sha256="$(ls -l $sfile | sha256sum| cut -d ' ' -f1)"
+if [ -f $tarfile ]; then tarfile_sha256="$(sha256sum $tarfile | cut -d ' ' -f1)"; fi
+if [ -f kernel/kheaders.sha256 ] &&
+ [ "$(head -n 1 kernel/kheaders.sha256)" = "$headers_sha256" ] &&
+ [ "$(head -n 2 kernel/kheaders.sha256 | tail -n 1)" = "$this_file_sha256" ] &&
+ [ "$(tail -n 1 kernel/kheaders.sha256)" = "$tarfile_sha256" ]; then
exit
fi
@@ -88,8 +89,8 @@ find $cpio_dir -printf "./%P\n" | LC_ALL=C sort | \
--owner=0 --group=0 --numeric-owner --no-recursion \
-I $XZ -cf $tarfile -C $cpio_dir/ -T - > /dev/null
-echo $headers_md5 > kernel/kheaders.md5
-echo "$this_file_md5" >> kernel/kheaders.md5
-echo "$(md5sum $tarfile | cut -d ' ' -f1)" >> kernel/kheaders.md5
+echo $headers_sha256 > kernel/kheaders.sha256
+echo "$this_file_sha256" >> kernel/kheaders.sha256
+echo "$(sha256sum $tarfile | cut -d ' ' -f1)" >> kernel/kheaders.sha256
rm -rf $cpio_dir
--
2.35.1
On Fri, Sep 23, 2022 at 4:06 AM Bhaskar Chowdhury <[email protected]> wrote:
> Thought to apply a better encryption mechanism.
MD5 and SHA256 are secure (or, in the case of MD5, not so secure) hash
algorithms, not encryption mechanisms.
> Replace all occurance of md5sum to sha256sum .
Looking at this script, I'm not convinced that it relies on MD5 being
a cryptophically secure hash function. It appears to me as if this
script uses MD5 to simply detect innocent changes to a set of files as
opposed to guarding against malicious attacks. I also found that
sha256sum takes almost three times longer than md5sum. So, in the
absence of security requirements, md5sum might actually be the better
choice because it's faster.
On 11:12 Fri 23 Sep 2022, Daniel Mentz wrote:
>On Fri, Sep 23, 2022 at 4:06 AM Bhaskar Chowdhury <[email protected]> wrote:
>> Thought to apply a better encryption mechanism.
>
>MD5 and SHA256 are secure (or, in the case of MD5, not so secure) hash
>algorithms, not encryption mechanisms.
>
>> Replace all occurance of md5sum to sha256sum .
>
>Looking at this script, I'm not convinced that it relies on MD5 being
>a cryptophically secure hash function. It appears to me as if this
>script uses MD5 to simply detect innocent changes to a set of files as
>opposed to guarding against malicious attacks. I also found that
>sha256sum takes almost three times longer than md5sum. So, in the
>absence of security requirements, md5sum might actually be the better
>choice because it's faster.
Al righto! Then...no issues, give it a pass.
--
Thanks,
Bhaskar
"Here's looking at you kid"-- Casablanca
https://about.me/unixbhaskar