From SHA1 to SHA256 in spamd sync

Denis Fondras Sat, 25 Feb 2017 06:23:40 -0800

Hi,

A patch to get away from SHA1 in spamd



Index: sync.c
===================================================================
RCS file: /cvs/src/libexec/spamd/sync.c,v
retrieving revision 1.12
diff -u -p -r1.12 sync.c
--- sync.c      20 Oct 2016 21:09:46 -0000      1.12
+++ sync.c      25 Feb 2017 14:18:17 -0000
@@ -30,7 +30,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-#include <sha1.h>
+#include <sha2.h>
 #include <syslog.h>
 #include <stdint.h>
 
@@ -142,7 +142,7 @@ sync_init(const char *iface, const char 
                }
        }
 
-       sync_key = SHA1File(SPAM_SYNC_KEY, NULL);
+       sync_key = SHA256File(SPAM_SYNC_KEY, NULL);
        if (sync_key == NULL) {
                if (errno != ENOENT) {
                        fprintf(stderr, "failed to open sync key: %s\n",
@@ -276,7 +276,7 @@ sync_recv(void)
        /* Compute and validate HMAC */
        memcpy(hmac[0], hdr->sh_hmac, SPAM_SYNC_HMAC_LEN);
        explicit_bzero(hdr->sh_hmac, SPAM_SYNC_HMAC_LEN);
-       HMAC(EVP_sha1(), sync_key, strlen(sync_key), buf, len,
+       HMAC(EVP_sha256(), sync_key, strlen(sync_key), buf, len,
            hmac[1], &hmac_len);
        if (bcmp(hmac[0], hmac[1], SPAM_SYNC_HMAC_LEN) != 0)
                goto trunc;
@@ -441,7 +441,7 @@ sync_update(time_t now, char *helo, char
        helolen = strlen(helo) + 1;
 
        HMAC_CTX_init(&ctx);
-       HMAC_Init(&ctx, sync_key, strlen(sync_key), EVP_sha1());
+       HMAC_Init(&ctx, sync_key, strlen(sync_key), EVP_sha256());
 
        sglen = sizeof(sg) + fromlen + tolen + helolen;
        padlen = SPAM_ALIGN(sglen) - sglen;
@@ -523,7 +523,7 @@ sync_addr(time_t now, time_t expire, cha
        memset(&sd, 0, sizeof(sd));
 
        HMAC_CTX_init(&ctx);
-       HMAC_Init(&ctx, sync_key, strlen(sync_key), EVP_sha1());
+       HMAC_Init(&ctx, sync_key, strlen(sync_key), EVP_sha256());
 
        /* Add SPAM sync packet header */
        hdr.sh_version = SPAM_SYNC_VERSION;
Index: sync.h
===================================================================
RCS file: /cvs/src/libexec/spamd/sync.h,v
retrieving revision 1.3
diff -u -p -r1.3 sync.h
--- sync.h      22 May 2008 19:54:11 -0000      1.3
+++ sync.h      25 Feb 2017 14:18:17 -0000
@@ -19,6 +19,8 @@
 #ifndef _SPAMD_SYNC
 #define _SPAMD_SYNC
 
+#include <sha2.h>
+
 /*
  * spamd(8) synchronisation protocol.
  *
@@ -27,7 +29,7 @@
  * It is a simple Type-Length-Value based protocol, it allows easy
  * extension with future subtypes and bulk transfers by sending multiple
  * entries at once. The unencrypted messages will be authenticated using
- * HMAC-SHA1.
+ * HMAC-SHA256.
  *
  * the spamd(8) synchronisation protocol is not intended to be used as
  * a public SPAM sender database or distribution between vendors.
@@ -36,7 +38,7 @@
 #define SPAM_SYNC_VERSION      2
 #define SPAM_SYNC_MCASTADDR    "224.0.1.240"   /* XXX choose valid address */
 #define SPAM_SYNC_MCASTTTL     IP_DEFAULT_MULTICAST_TTL
-#define SPAM_SYNC_HMAC_LEN     20      /* SHA1 */
+#define SPAM_SYNC_HMAC_LEN     SHA256_DIGEST_LENGTH
 #define SPAM_SYNC_MAXSIZE      1408
 #define SPAM_SYNC_KEY          "/etc/mail/spamd.key"

From SHA1 to SHA256 in spamd sync

Reply via email to