packages: apply usign padding workarounds to package indexes if needed
authorJo-Philipp Wich <jo@mein.io>
Wed, 7 Aug 2019 05:15:07 +0000 (07:15 +0200)
committerJo-Philipp Wich <jo@mein.io>
Wed, 7 Aug 2019 05:15:07 +0000 (07:15 +0200)
Since usign miscalculates SHA-512 digests for input sizes of exactly
64 + N * 128 + 110 or 64 + N * 128 + 111 bytes, we need to apply some
white space padding to avoid triggering the hashing edge case.

While usign itself has been fixed already, there is still many firmwares
in the wild which use broken usign versions to verify current package
indexes so we'll need to carry this workaround in the forseeable future.

Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Ref: https://git.openwrt.org/5a52b379902471cef495687547c7b568142f66d2
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
package/Makefile

index abbf5f91f2e1177bcc5e189558a825bc0922abe5..58c1ba2bbf655c76c214c59c68652665c5b3666f 100644 (file)
@@ -84,8 +84,12 @@ $(curdir)/index: FORCE
                mkdir -p $$d; \
                cd $$d || continue; \
                $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages.manifest; \
-               grep -vE '^(Maintainer|LicenseFiles|Source|SourceName|Require)' Packages.manifest > Packages && \
-                       gzip -9nc Packages > Packages.gz; \
+               grep -vE '^(Maintainer|LicenseFiles|Source|SourceName|Require)' Packages.manifest > Packages; \
+               case "$$(((64 + $$(stat -L -c%s Packages)) % 128))" in 110|111) \
+                       $(call ERROR_MESSAGE,WARNING: Applying padding in $$d/Packages to workaround usign SHA-512 bug!); \
+                       { echo ""; echo ""; } >> Packages;; \
+               esac; \
+               gzip -9nc Packages > Packages.gz; \
        ); done
 ifdef CONFIG_SIGNED_PACKAGES
        @echo Signing package index...