Hi, A patch to get away from SHA1 in spamd
Index: sync.c
===================================================================
RCS file: /cvs/src/libexec/spamd/sync.c,v
retrieving revision 1.12
diff -u -p -r1.12 sync.c
--- sync.c 20 Oct 2016 21:09:46 -0000 1.12
+++ sync.c 25 Feb 2017 14:18:17 -0000
@@ -30,7 +30,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-#include <sha1.h>
+#include <sha2.h>
 #include <syslog.h>
 #include <stdint.h>
@@ -142,7 +142,7 @@ sync_init(const char *iface, const char
 }
 }
- sync_key = SHA1File(SPAM_SYNC_KEY, NULL);
+ sync_key = SHA256File(SPAM_SYNC_KEY, NULL);
 if (sync_key == NULL) {
 if (errno != ENOENT) {
 fprintf(stderr, "failed to open sync key: %s\n",
@@ -276,7 +276,7 @@ sync_recv(void)
 /* Compute and validate HMAC */
 memcpy(hmac[0], hdr->sh_hmac, SPAM_SYNC_HMAC_LEN);
 explicit_bzero(hdr->sh_hmac, SPAM_SYNC_HMAC_LEN);
- HMAC(EVP_sha1(), sync_key, strlen(sync_key), buf, len,
+ HMAC(EVP_sha256(), sync_key, strlen(sync_key), buf, len,
 hmac[1], &hmac_len);
 if (bcmp(hmac[0], hmac[1], SPAM_SYNC_HMAC_LEN) != 0)
 goto trunc;
@@ -441,7 +441,7 @@ sync_update(time_t now, char *helo, char
 helolen = strlen(helo) + 1;
 HMAC_CTX_init(&ctx);
- HMAC_Init(&ctx, sync_key, strlen(sync_key), EVP_sha1());
+ HMAC_Init(&ctx, sync_key, strlen(sync_key), EVP_sha256());
 sglen = sizeof(sg) + fromlen + tolen + helolen;
 padlen = SPAM_ALIGN(sglen) - sglen;
@@ -523,7 +523,7 @@ sync_addr(time_t now, time_t expire, cha
 memset(&sd, 0, sizeof(sd));
 HMAC_CTX_init(&ctx);
- HMAC_Init(&ctx, sync_key, strlen(sync_key), EVP_sha1());
+ HMAC_Init(&ctx, sync_key, strlen(sync_key), EVP_sha256());
 /* Add SPAM sync packet header */
 hdr.sh_version = SPAM_SYNC_VERSION;
Index: sync.h
===================================================================
RCS file: /cvs/src/libexec/spamd/sync.h,v
retrieving revision 1.3
diff -u -p -r1.3 sync.h
--- sync.h 22 May 2008 19:54:11 -0000 1.3
+++ sync.h 25 Feb 2017 14:18:17 -0000
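Review bot: The `SHA256File()` line in sync.c's sync_init hunk has no comment saying what `sync_key` holds, and every later `strlen(sync_key)` depends on it. With a NULL buffer argument `SHA256File()` returns an allocated hexadecimal digest string, so the HMAC key is the 64 ASCII hex characters rather than the raw 32-byte digest. I would add above the call `/* sync_key is the hex SHA-256 digest string of SPAM_SYNC_KEY; used as HMAC key via strlen() */`. Switching the digest also changes the derived key, so a peer that still hashes the key file with SHA1 will fail authentication against an upgraded one. sync_init's body continues outside the hunk.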
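Review bot: The tag comparison after the changed `HMAC()` call in sync.c's sync_recv hunk still uses `bcmp()`, which may return at the first differing byte and so is not a constant-time check for a MAC; `if (timingsafe_bcmp(hmac[0], hmac[1], SPAM_SYNC_HMAC_LEN) != 0)` is the usual form. The return value of `HMAC()` is also ignored, so a failed computation would leave `hmac[1]` holding whatever it contained before the comparison. `hmac` is declared outside the hunk; it needs to be sized by `SPAM_SYNC_HMAC_LEN` (32 after the sync.h change) because `HMAC()` now writes a full SHA-256 digest into `hmac[1]`. sync_recv's body starts and ends outside the hunk.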
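Review bot: `HMAC_Init()` in sync.c's sync_update hunk is called without checking its result, and the same applies to the identical line in the sync_addr hunk. If initialisation fails, the later update/final calls (outside the hunks) would run on an unusable context and the packet could be sent with a meaningless tag. I would test it, e.g. `if (!HMAC_Init(&ctx, sync_key, strlen(sync_key), EVP_sha256()))`, followed by cleanup of `ctx` and an early exit. Both function bodies start and end outside their hunks, so the buffer that receives the final digest is not visible; it must hold 32 bytes now.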
@@ -19,6 +19,8 @@
 #ifndef _SPAMD_SYNC
 #define _SPAMD_SYNC
+#include <sha2.h>
+
 /*
 * spamd(8) synchronisation protocol.
 *
@@ -27,7 +29,7 @@
 * It is a simple Type-Length-Value based protocol, it allows easy
 * extension with future subtypes and bulk transfers by sending multiple
 * entries at once. The unencrypted messages will be authenticated using
- * HMAC-SHA1.
+ * HMAC-SHA256.
 *
 * the spamd(8) synchronisation protocol is not intended to be used as
 * a public SPAM sender database or distribution between vendors.
@@ -36,7 +38,7 @@
 #define SPAM_SYNC_VERSION 2
 #define SPAM_SYNC_MCASTADDR "224.0.1.240" /* XXX choose valid address */
 #define SPAM_SYNC_MCASTTTL IP_DEFAULT_MULTICAST_TTL
-#define SPAM_SYNC_HMAC_LEN 20 /* SHA1 */
+#define SPAM_SYNC_HMAC_LEN SHA256_DIGEST_LENGTH
 #define SPAM_SYNC_MAXSIZE 1408
 #define SPAM_SYNC_KEY "/etc/mail/spamd.key"
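Review bot: `SPAM_SYNC_HMAC_LEN` grows from 20 to 32 in the last sync.h hunk while `SPAM_SYNC_VERSION` stays at 2, so the on-wire format changes without the version changing. Assuming the packet header embeds an `sh_hmac` field of this length (the struct is outside the hunk), an old peer would read a new packet with the wrong header size and fail only at the HMAC check, and the reverse holds too. Bumping the version, `#define SPAM_SYNC_VERSION 3`, lets a receiver that checks `sh_version` reject the packet on that field and log a clear reason during a mixed deployment. The header also takes 12 more bytes out of `SPAM_SYNC_MAXSIZE`, so the size checks in sync.c are worth re-reading.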