-
-
Notifications
You must be signed in to change notification settings - Fork 194
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify FTL binary integrity #2072
Conversation
Signed-off-by: DL6ER <[email protected]>
Signed-off-by: DL6ER <[email protected]>
Signed-off-by: DL6ER <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be better part of the build.sh
instead?
Which part do you mean? This test is mostly intended towards corruption caused by SD card issues and similar happenings. The build script is never run on user systems. |
Ok, I think I misinterpreted the use and scope of this PR. It's probably designed for such things: https://discourse.pi-hole.net/t/ftl-crashed/72441 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we really need this --skip-end
code? How many binaries do you know that append their checksum at the end? How many users do you expect to use FTL
to check another binary?
Are you logging checksum mismatches during startup also to the logfiles or only to the database?
Apparently the message is logged to Lines 832 to 833 in cdba28e
FTL/src/database/message-table.c Lines 1523 to 1535 in cdba28e
|
Well, this is a fair point. It needed to get the "real" SHA256 checksum of the FTL binary but this may be irrelevant as we have (a) the new We could use
There is actually typo in the code so you'd need to write, e.g., edit or ...
but this is not really any prettier |
Suggestion: If the issue is the use of pihole-FTL with 2 arguments ( Change the function to Note: |
I think this is what I still think we could remove the Crazy. maybe even impossible: can we append the sha to the binary from the binary already including the sha? Or is this a chicken-egg-situation? |
You are right, including a checksum in the data being used to compute the checksum creates a paradoxical situation. The issue here is called a "Circular Dependency": When you compute a checksum, the algorithm processes all the data to generate a unique hash value that represents the data's integrity. If the checksum itself is part of the data, the value of the checksum would influence the result of the checksum computation. This creates a circular dependency: the checksum value depends on the data, which includes the checksum value. Hence, this will result in an infinite loop computing the checksum over and over. Example Scenario:Imagine you have a file with the following content:
You want to compute the checksum of the entire file, including the placeholder for the checksum.
This new data will produce a different checksum, say To avoid this problem, the only possible solution is to store the checksum is separately from the data it verifies. For example:
By keeping the checksum separate, you ensure that the data remains consistent during the checksum computation, allowing for accurate verification of data integrity. How about using hash collisions?One might think that since the SHA256 algorithm is simple (enough) and since the number of collisions is infinite, there should be a way to find a modification for the given hash so the checksum over the entire file (incl. the hash) results this exact hash. But currently there is no algorithm known to find a file that produces the given hash within a practically acceptable time. This property is called pre-image resistance. By "no algorithm known" we mean no algorithm except of brute-forcing, which in case of SHA-256 would require the computing power of the whole world for a time longer than the Universe exists to date. SHA-256 was designed to be used for cryptographic purposes and pre-image resistance is a desired property - see also here. |
Signed-off-by: DL6ER <[email protected]>
Signed-off-by: DL6ER <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The hash used by FTL to verify itself is a different one, though. It is the edit See the bottom of #2072 (comment) how to retrieve it without |
Co-authored-by: yubiuser <[email protected]> Signed-off-by: Dominik <[email protected]>
What does this implement/fix?
This PR adds automatic binary verification to
pihole-FTL
. Technically, this works by modifying CMake to append theahs265sum
checksum after the end of the binary. During startup (or when manually callingpihole-FTL verify
), FTL computes its own checksum (skipping the final 256 bit!) and compares it to the checksum stored in said last 256 bit.On error, we also log a message to the diagnosis system:
Unfortunately, the automatic test has to be run at a rather late time in binary startup (when the database is already initialized), or we could not add the message. However, this is hopefully early enough.
Otherwise, the manual
pihole-FTL verify
command allows for easy testing without having to manually downloading the (possibly already outdated/already overwritten) branch-wisesha
files from the FTL webserver:Related issue or feature (if applicable): N/A
Pull request in docs with documentation (if applicable): N/A
By submitting this pull request, I confirm the following:
git rebase
)Checklist:
developmental
branch.