[PATCH] review requested, add sha256 to mtree + small fixes
Anton Berezin
tobez at FreeBSD.org
Thu Mar 17 03:05:41 PST 2005
Since we now have sha256 in libmd, I think it is time to add it to
mtree(1).
The patch against fresh HEAD does the following:
- adds sha256 support;
- makes recommended procedure for integrity checking consistent;
- fixes a bug in the -f spec1 -f spec2 comparison (the result of comparing a
  directory node overwrote the result of walking its subtree), which prevented
  test/test03.sh from running successfully.
I would like to commit it and MFC it after sha256 is MFCed.
Index: Makefile
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mtree/Makefile,v
retrieving revision 1.26
diff -u -r1.26 Makefile
--- Makefile 5 Nov 2003 22:26:07 -0000 1.26
+++ Makefile 17 Mar 2005 10:18:59 -0000
@@ -10,7 +10,7 @@
WARNS?= 4
-CFLAGS+= -DMD5 -DSHA1 -DRMD160
+CFLAGS+= -DMD5 -DSHA1 -DRMD160 -DSHA256
DPADD= ${LIBMD}
LDADD= -lmd
Index: compare.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mtree/compare.c,v
retrieving revision 1.33
diff -u -r1.33 compare.c
--- compare.c 11 Jan 2004 19:25:56 -0000 1.33
+++ compare.c 17 Mar 2005 10:21:56 -0000
@@ -52,6 +52,9 @@
#ifdef SHA1
#include <sha.h>
#endif
+#ifdef SHA256
+#include <sha256.h>
+#endif
#include <stdint.h>
#include <stdio.h>
#include <time.h>
@@ -294,6 +297,24 @@
}
}
#endif /* RMD160 */
+#ifdef SHA256
+ if (s->flags & F_SHA256) {
+ char *new_digest, buf[65];
+
+ new_digest = SHA256_File(p->fts_accpath, buf);
+ if (!new_digest) {
+ LABEL;
+ printf("%sSHA-256: %s: %s\n", tab, p->fts_accpath,
+ strerror(errno));
+ tab = "\t";
+ } else if (strcmp(new_digest, s->sha256digest)) {
+ LABEL;
+ printf("%sSHA-256 expected %s found %s\n",
+ tab, s->sha256digest, new_digest);
+ tab = "\t";
+ }
+ }
+#endif /* SHA256 */
if (s->flags & F_SLINK &&
strcmp(cp = rlink(p->fts_accpath), s->slink)) {
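Review bot: The `buf[65]` in the new `char *new_digest, buf[65];` line is an undocumented magic size; it is the 64 hex characters plus terminator that SHA256_File() writes, so either say so inline, `char *new_digest, buf[65]; /* 64 hex digits + NUL, filled by SHA256_File() */`, or use the digest-string-length constant if sha256.h exports one. The mismatch test `strcmp(new_digest, s->sha256digest)` is an exact byte comparison, so a spec that carries the digest in upper-case hex (e.g. produced by another tool) is reported as a mismatch even though the content is intact; that seems to match the other digest keywords as far as this hunk shows, but it deserves either a strcasecmp() or a sentence in mtree.8. The enclosing function starts before this hunk and continues past it.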
Index: create.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mtree/create.c,v
retrieving revision 1.36
diff -u -r1.36 create.c
--- create.c 11 Jan 2004 19:38:48 -0000 1.36
+++ create.c 17 Mar 2005 10:22:58 -0000
@@ -52,6 +52,9 @@
#ifdef RMD160
#include <ripemd.h>
#endif
+#ifdef SHA256
+#include <sha256.h>
+#endif
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
@@ -249,6 +252,16 @@
output(indent, &offset, "ripemd160digest=%s", digest);
}
#endif /* RMD160 */
+#ifdef SHA256
+ if (keys & F_SHA256 && S_ISREG(p->fts_statp->st_mode)) {
+ char *digest, buf[65];
+
+ digest = SHA256_File(p->fts_accpath, buf);
+ if (!digest)
+ err(1, "%s", p->fts_accpath);
+ output(indent, &offset, "sha256digest=%s", digest);
+ }
+#endif /* SHA256 */
if (keys & F_SLINK &&
(p->fts_info == FTS_SL || p->fts_info == FTS_SLNONE))
output(indent, &offset, "link=%s", rlink(p->fts_accpath));
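Review bot: `err(1, "%s", p->fts_accpath)` in the new sha256digest branch aborts the whole spec generation on the first file SHA256_File() cannot open or read, rather than emitting the entry without a digest and continuing; that appears to mirror the neighbouring ripemd160digest handling, so if it is deliberate a one-line comment would spare the next reader the question, e.g. `/* unreadable file: fail hard rather than write a spec with a silently missing digest */`. The `buf[65]` size is the 64 hex digits plus NUL that SHA256_File() writes and should be stated inline or replaced by the header's digest-string-length constant if sha256.h defines one. The enclosing function begins before and continues after this hunk.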
Index: misc.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mtree/misc.c,v
retrieving revision 1.15
diff -u -r1.15 misc.c
--- misc.c 11 Jan 2004 19:25:56 -0000 1.15
+++ misc.c 17 Mar 2005 10:23:14 -0000
@@ -72,6 +72,9 @@
#ifdef SHA1
{"sha1digest", F_SHA1, NEEDVALUE},
#endif
+#ifdef SHA256
+ {"sha256digest", F_SHA256, NEEDVALUE},
+#endif
{"size", F_SIZE, NEEDVALUE},
{"time", F_TIME, NEEDVALUE},
{"type", F_TYPE, NEEDVALUE},
Index: mtree.8
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mtree/mtree.8,v
retrieving revision 1.50
diff -u -r1.50 mtree.8
--- mtree.8 13 Feb 2005 22:25:29 -0000 1.50
+++ mtree.8 17 Mar 2005 10:27:57 -0000
@@ -204,6 +204,12 @@
160-1
.Pq Dq Tn SHA-1
message digest of the file.
+.It Cm sha256digest
+The
+.Tn FIPS
+180-2
+.Pq Dq Tn SHA-256
+message digest of the file.
.It Cm ripemd160digest
The
.Tn RIPEMD160
@@ -317,21 +323,21 @@
that
.Nm
.Fl K
-.Cm sha1digest
+.Cm sha256digest
be run on the file systems, and a copy of the results stored on a different
machine, or, at least, in encrypted form.
The output file itself should be digested using the
-.Xr md5 1
+.Xr sha256 1
utility.
Then, periodically,
.Nm
and
-.Xr md5 1
+.Xr sha256 1
should be run against the on-line specifications.
While it is possible for the bad guys to change the on-line specifications
to conform to their modified binaries, it is believed to be
impractical for them to create a modified specification which has
-the same MD5 digest as the original.
+the same SHA-256 digest as the original.
.Pp
The
.Fl d
@@ -372,6 +378,10 @@
.Fx 4.0 ,
as new attacks have demonstrated weaknesses in
.Tn MD5 .
+The
+.Tn SHA-256
+digest was added in
+.Fx 6.0 .
Support for file flags was added in
.Fx 4.0 ,
and mostly comes from
Index: mtree.h
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mtree/mtree.h,v
retrieving revision 1.6
diff -u -r1.6 mtree.h
--- mtree.h 21 Oct 2003 08:27:05 -0000 1.6
+++ mtree.h 17 Mar 2005 10:29:34 -0000
@@ -46,6 +46,7 @@
u_long cksum; /* check sum */
char *md5digest; /* MD5 digest */
char *sha1digest; /* SHA-1 digest */
+ char *sha256digest; /* SHA-256 digest */
char *rmd160digest; /* RIPEMD160 digest */
char *slink; /* symbolic link reference */
uid_t st_uid; /* uid */
@@ -76,6 +77,7 @@
#define F_SHA1 0x20000 /* SHA-1 digest */
#define F_RMD160 0x40000 /* RIPEMD160 digest */
#define F_FLAGS 0x80000 /* file flags */
+#define F_SHA256 0x100000 /* SHA-256 digest */
u_int flags; /* items set */
#define F_BLOCK 0x001 /* block special */
Index: spec.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mtree/spec.c,v
retrieving revision 1.21
diff -u -r1.21 spec.c
--- spec.c 19 Nov 2003 15:28:21 -0000 1.21
+++ spec.c 17 Mar 2005 10:30:01 -0000
@@ -194,6 +194,11 @@
if(!ip->sha1digest)
errx(1, "strdup");
break;
+ case F_SHA256:
+ ip->sha256digest = strdup(val);
+ if(!ip->sha256digest)
+ errx(1, "strdup");
+ break;
case F_RMD160:
ip->rmd160digest = strdup(val);
if(!ip->rmd160digest)
Index: specspec.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mtree/specspec.c,v
retrieving revision 1.5
diff -u -r1.5 specspec.c
--- specspec.c 7 Aug 2004 10:04:29 -0000 1.5
+++ specspec.c 17 Mar 2005 10:58:15 -0000
@@ -82,6 +82,8 @@
printf(" sha1digest=%s", n->sha1digest);
if (f & F_RMD160)
printf(" rmd160digest=%s", n->rmd160digest);
+ if (f & F_SHA256)
+ printf(" sha256digest=%s", n->sha256digest);
if (f & F_FLAGS)
printf(" flags=%s", flags_to_string(n->st_flags));
printf("\n");
@@ -160,6 +162,8 @@
differs |= F_SHA1;
if (FS(n1, n2, F_RMD160, rmd160digest))
differs |= F_RMD160;
+ if (FS(n1, n2, F_SHA256, sha256digest))
+ differs |= F_SHA256;
if (FF(n1, n2, F_FLAGS, st_flags))
differs |= F_FLAGS;
if (differs) {
@@ -213,19 +217,19 @@
asprintf(&np, "%s%s/", path, c2->name);
i = walk_in_the_forest(c1, c2, np);
free(np);
- i = compare_nodes(c1, c2, path);
+ i += compare_nodes(c1, c2, path);
} else if (c2 == NULL && c1->type == F_DIR) {
asprintf(&np, "%s%s/", path, c1->name);
i = walk_in_the_forest(c1, c2, np);
free(np);
- i = compare_nodes(c1, c2, path);
+ i += compare_nodes(c1, c2, path);
} else if (c1 == NULL || c2 == NULL) {
i = compare_nodes(c1, c2, path);
} else if (c1->type == F_DIR && c2->type == F_DIR) {
asprintf(&np, "%s%s/", path, c1->name);
i = walk_in_the_forest(c1, c2, np);
free(np);
- i = compare_nodes(c1, c2, path);
+ i += compare_nodes(c1, c2, path);
} else {
i = compare_nodes(c1, c2, path);
}
Index: test/test03.sh
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mtree/test/test03.sh,v
retrieving revision 1.1
diff -u -r1.1 test03.sh
--- test/test03.sh 5 Nov 2003 22:26:39 -0000 1.1
+++ test/test03.sh 17 Mar 2005 10:31:11 -0000
@@ -15,7 +15,7 @@
rm -rf ${TMP}
mkdir -p ${TMP}
-K=uid,uname,gid,gname,flags,md5digest,size,ripemd160digest,sha1digest,cksum
+K=uid,uname,gid,gname,flags,md5digest,size,ripemd160digest,sha1digest,sha256digest,cksum
rm -rf _FOO
mkdir _FOO
Cheers,
\Anton.
--
The moronity of the universe is a monotonically increasing function. --
Jarkko Hietaniemi