From b4130f0910d90370a18fab47b82620513c17a4db Mon Sep 17 00:00:00 2001 From: Christian Weisgerber Date: Sun, 8 Jul 2012 21:19:43 +0000 Subject: Add support for the "sha256digest" keyword to create/compare SHA-256 digests of files. In the man page, also replace SHA-1 with SHA-256 in the examples section. Man page formatting tweak and ok schwarze@ --- usr.sbin/mtree/compare.c | 21 +++++++++++++++++++-- usr.sbin/mtree/create.c | 14 ++++++++++++-- usr.sbin/mtree/misc.c | 3 ++- usr.sbin/mtree/mtree.8 | 18 +++++++++++------- usr.sbin/mtree/mtree.h | 4 +++- usr.sbin/mtree/spec.c | 7 ++++++- 6 files changed, 53 insertions(+), 14 deletions(-) diff --git a/usr.sbin/mtree/compare.c b/usr.sbin/mtree/compare.c index adc121c0088..21c0fca9ba1 100644 --- a/usr.sbin/mtree/compare.c +++ b/usr.sbin/mtree/compare.c @@ -1,5 +1,5 @@ /* $NetBSD: compare.c,v 1.11 1996/09/05 09:56:48 mycroft Exp $ */ -/* $OpenBSD: compare.c,v 1.22 2009/10/27 23:59:53 deraadt Exp $ */ +/* $OpenBSD: compare.c,v 1.23 2012/07/08 21:19:42 naddy Exp $ */ /*- * Copyright (c) 1989, 1993 @@ -39,8 +39,9 @@ #include #include #include -#include #include +#include +#include #include "mtree.h" #include "extern.h" @@ -287,6 +288,22 @@ typeerr: LABEL; tab = "\t"; } } + if (s->flags & F_SHA256) { + char *new_digest, buf[SHA256_DIGEST_STRING_LENGTH]; + + new_digest = SHA256File(p->fts_accpath, buf); + if (!new_digest) { + LABEL; + printf("%sSHA256File: %s: %s\n", tab, p->fts_accpath, + strerror(errno)); + tab = "\t"; + } else if (strcmp(new_digest, s->sha256digest)) { + LABEL; + printf("%sSHA256 (%s, %s)\n", tab, s->sha256digest, + new_digest); + tab = "\t"; + } + } if (s->flags & F_SLINK && strcmp(cp = rlink(name), s->slink)) { LABEL; (void)printf("%slink ref (%s, %s)\n", tab, cp, s->slink); diff --git a/usr.sbin/mtree/create.c b/usr.sbin/mtree/create.c index 21319a6fb4f..1ce2ba94a07 100644 --- a/usr.sbin/mtree/create.c +++ b/usr.sbin/mtree/create.c 
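Review bot: In the compare.c hunk at `@@ -287,6 +288,22 @@`, the failure branch formats `strerror(errno)` only after `LABEL` has run. LABEL is defined outside the hunk, and if it produces output, errno may no longer hold the SHA256File() failure by the time the message is printed. Saving the value first keeps the report accurate: add `int serrno = errno;` directly after `if (!new_digest) {` and pass `strerror(serrno)` to the printf. Separately, the mismatch line prints the specification value before the computed one, the reverse of the argument order in the `link ref (%s, %s)` line below it, and the new calls drop the `(void)` cast that line uses; a one-line comment stating which value comes first would help anyone reading or parsing this output. The enclosing function starts and ends outside the hunk.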
@@ -1,5 +1,5 @@ /* $NetBSD: create.c,v 1.11 1996/09/05 09:24:19 mycroft Exp $ */ -/* $OpenBSD: create.c,v 1.26 2009/10/27 23:59:53 deraadt Exp $ */ +/* $OpenBSD: create.c,v 1.27 2012/07/08 21:19:42 naddy Exp $ */ /*- * Copyright (c) 1989, 1993 @@ -44,8 +44,9 @@ #include #include #include -#include #include +#include +#include #include "mtree.h" #include "extern.h" @@ -223,6 +224,15 @@ statf(int indent, FTSENT *p) else output(indent, &offset, "sha1digest=%s", sha1digest); } + if (keys & F_SHA256 && S_ISREG(p->fts_statp->st_mode)) { + char *sha256digest, buf[SHA256_DIGEST_STRING_LENGTH]; + + sha256digest = SHA256File(p->fts_accpath,buf); + if (!sha256digest) + error("%s: %s", p->fts_accpath, strerror(errno)); + else + output(indent, &offset, "sha256digest=%s", sha256digest); + } if (keys & F_SLINK && (p->fts_info == FTS_SL || p->fts_info == FTS_SLNONE)) { name = rlink(p->fts_accpath); diff --git a/usr.sbin/mtree/misc.c b/usr.sbin/mtree/misc.c index c6ebebcf662..b0d7de646c3 100644 --- a/usr.sbin/mtree/misc.c +++ b/usr.sbin/mtree/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.18 2004/08/01 18:32:20 deraadt Exp $ */ +/* $OpenBSD: misc.c,v 1.19 2012/07/08 21:19:42 naddy Exp $ */ /* $NetBSD: misc.c,v 1.4 1995/03/07 21:26:23 cgd Exp $ */ /*- @@ -64,6 +64,7 @@ static KEY keylist[] = { {"optional", F_OPT, 0}, {"rmd160digest",F_RMD160, NEEDVALUE}, {"sha1digest", F_SHA1, NEEDVALUE}, + {"sha256digest",F_SHA256, NEEDVALUE}, {"size", F_SIZE, NEEDVALUE}, {"time", F_TIME, NEEDVALUE}, {"type", F_TYPE, NEEDVALUE}, diff --git a/usr.sbin/mtree/mtree.8 b/usr.sbin/mtree/mtree.8 index 8464dcb4986..bb691a7252b 100644 --- a/usr.sbin/mtree/mtree.8 +++ b/usr.sbin/mtree/mtree.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mtree.8,v 1.35 2010/09/03 11:22:36 jmc Exp $ +.\" $OpenBSD: mtree.8,v 1.36 2012/07/08 21:19:42 naddy Exp $ .\" $NetBSD: mtree.8,v 1.4 1995/03/07 21:26:25 cgd Exp $ .\" .\" Copyright (c) 1989, 1990, 1993 
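Review bot: In the create.c hunk at `@@ -223,6 +224,15 @@` (statf), the `S_ISREG(p->fts_statp->st_mode)` test uses stat data collected earlier, while `SHA256File()` reopens `p->fts_accpath` by name. On a tree that changes during the run, the digest can therefore come from a different object than the one that was type-checked. This presumably mirrors the sha1digest branch whose tail is visible above, so I would not change behaviour here, but a comment such as `/* digest is read by path after the stat; the tree is assumed not to change during the run */` would record the assumption for anyone using the output as an integrity baseline. As a style point, `SHA256File(p->fts_accpath,buf)` lacks the space after the comma, and `(keys & F_SHA256) && S_ISREG(...)` would make the precedence explicit. statf's body continues outside the hunk.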
@@ -30,7 +30,7 @@ .\" .\" @(#)mtree.8 8.2 (Berkeley) 12/11/93 .\" -.Dd $Mdocdate: September 3 2010 $ +.Dd $Mdocdate: July 8 2012 $ .Dt MTREE 8 .Os .Sh NAME @@ -156,7 +156,7 @@ No keywords have default values, and if a keyword has no value set, no checks based on it are performed. .Pp Currently supported keywords are as follows: -.Bl -tag -width Cm +.Bl -tag -width sha256digest .It Cm cksum The checksum of the file using the default algorithm specified by the @@ -193,6 +193,8 @@ not in the file hierarchy. The RIPEMD-160 message digest of the file. .It Cm sha1digest The SHA-1 message digest of the file. +.It Cm sha256digest +The SHA-256 message digest of the file. .It Cm size The size, in bytes, of the file. .It Cm time @@ -305,21 +307,21 @@ it is recommended that .Nm mtree .Fl cK -.Cm sha1digest +.Cm sha256digest be run on the file systems, and a copy of the results stored on a different machine, or, at least, in encrypted form. The output file itself should be digested using the -.Xr sha1 1 +.Xr sha256 1 utility. Then, periodically, .Nm mtree and -.Xr sha1 1 +.Xr sha256 1 should be run against the on-line specifications. While it is possible for the bad guys to change the on-line specifications to conform to their modified binaries, it is believed to be impractical for them to create a modified specification which has -the same SHA1 digest as the original. +the same SHA-256 digest as the original. .Pp The .Fl d @@ -336,11 +338,13 @@ distribution. .Xr cksum 1 , .Xr md5 1 , .Xr sha1 1 , +.Xr sha256 1 , .Xr stat 2 , .Xr fts 3 , .Xr md5 3 , .Xr rmd160 3 , .Xr sha1 3 , +.Xr sha2 3 , .Xr hier 7 , .Xr chown 8 .Sh HISTORY diff --git a/usr.sbin/mtree/mtree.h b/usr.sbin/mtree/mtree.h index c3a1f519032..55e1702aff9 100644 --- a/usr.sbin/mtree/mtree.h +++ b/usr.sbin/mtree/mtree.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: mtree.h,v 1.12 2008/10/08 12:17:02 kili Exp $ */ +/* $OpenBSD: mtree.h,v 1.13 2012/07/08 21:19:42 naddy Exp $ */ /* $NetBSD: mtree.h,v 1.7 1995/03/07 21:26:27 cgd Exp $ */ /*- @@ -53,6 +53,7 @@ typedef struct _node { char *md5digest; /* MD5 digest */ char *rmd160digest; /* RIPEMD-160 digest */ char *sha1digest; /* SHA-1 digest */ + char *sha256digest; /* SHA-256 digest */ char *slink; /* symbolic link reference */ uid_t st_uid; /* uid */ gid_t st_gid; /* gid */ @@ -82,6 +83,7 @@ typedef struct _node { #define F_VISIT 0x040000 /* file visited */ #define F_FLAGS 0x080000 /* file flags */ #define F_NOCHANGE 0x100000 /* do not change owner/mode */ +#define F_SHA256 0x200000 /* SHA-256 digest */ u_int32_t flags; /* items set */ #define F_BLOCK 0x001 /* block special */ diff --git a/usr.sbin/mtree/spec.c b/usr.sbin/mtree/spec.c index 2bf0a42c962..f8caec2cb20 100644 --- a/usr.sbin/mtree/spec.c +++ b/usr.sbin/mtree/spec.c @@ -1,5 +1,5 @@ /* $NetBSD: spec.c,v 1.6 1995/03/07 21:12:12 cgd Exp $ */ -/* $OpenBSD: spec.c,v 1.25 2009/10/27 23:59:53 deraadt Exp $ */ +/* $OpenBSD: spec.c,v 1.26 2012/07/08 21:19:42 naddy Exp $ */ /*- * Copyright (c) 1989, 1993 @@ -235,6 +235,11 @@ set(char *t, NODE *ip) if (!ip->sha1digest) error("%s", strerror(errno)); break; + case F_SHA256: + ip->sha256digest = strdup(val); + if (!ip->sha256digest) + error("%s", strerror(errno)); + break; case F_SIZE: ip->st_size = strtouq(val, &ep, 10); if (*ep) -- cgit v1.2.3
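Review bot: In the spec.c hunk at `@@ -235,6 +235,11 @@`, the new `case F_SHA256:` stores `val` with `strdup()` without checking that it has the shape of a SHA-256 digest. A truncated, over-long or upper-case value in a specification is accepted here and only surfaces later as a mismatch from the `strcmp()` in compare.c. For a file that serves as an integrity baseline, rejecting it at parse time gives a clearer failure, for example `if (strlen(val) != 64 || val[strspn(val, "0123456789abcdef")] != '\0') error("invalid sha256digest: %s", val);` before the `strdup()`. This assumes SHA256File() emits 64 lower-case hex characters, which should be confirmed against sha2(3). The neighbouring sha1digest case appears to have the same gap, and set()'s body continues outside the hunk.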