Hi, A patch to get away from SHA1 in dhcpd
Index: sync.c =================================================================== RCS file: /cvs/src/usr.sbin/dhcpd/sync.c,v retrieving revision 1.23 diff -u -p -r1.23 sync.c --- sync.c 13 Feb 2017 23:04:05 -0000 1.23 +++ sync.c 25 Feb 2017 15:12:52 -0000 @@ -32,7 +32,7 @@ #include <errno.h> #include <netdb.h> -#include <sha1.h> +#include <sha2.h> #include <string.h> #include <syslog.h> #include <unistd.h> @@ -140,7 +140,7 @@ sync_init(const char *iface, const char } } - sync_key = SHA1File(DHCP_SYNC_KEY, NULL); + sync_key = SHA256File(DHCP_SYNC_KEY, NULL); if (sync_key == NULL) { if (errno != ENOENT) { log_warn("failed to open sync key"); @@ -270,7 +270,7 @@ sync_recv(void) /* Compute and validate HMAC */ memcpy(hmac[0], hdr->sh_hmac, DHCP_SYNC_HMAC_LEN); explicit_bzero(hdr->sh_hmac, DHCP_SYNC_HMAC_LEN); - HMAC(EVP_sha1(), sync_key, strlen(sync_key), buf, len, + HMAC(EVP_sha256(), sync_key, strlen(sync_key), buf, len, hmac[1], &hmac_len); if (bcmp(hmac[0], hmac[1], DHCP_SYNC_HMAC_LEN) != 0) goto trunc; @@ -404,7 +404,7 @@ sync_lease(struct lease *lease) memset(&pad, 0, sizeof(pad)); HMAC_CTX_init(&ctx); - HMAC_Init(&ctx, sync_key, strlen(sync_key), EVP_sha1()); + HMAC_Init(&ctx, sync_key, strlen(sync_key), EVP_sha256()); leaselen = sizeof(lv); padlen = DHCP_ALIGN(leaselen) - leaselen; Index: sync.h =================================================================== RCS file: /cvs/src/usr.sbin/dhcpd/sync.h,v retrieving revision 1.5 diff -u -p -r1.5 sync.h --- sync.h 4 Oct 2016 22:47:51 -0000 1.5 +++ sync.h 25 Feb 2017 15:12:52 -0000 @@ -20,6 +20,8 @@ #ifndef _DHCPD_SYNC #define _DHCPD_SYNC +#include <sha2.h> + /* * dhcpd(8) synchronisation protocol. * @@ -28,14 +30,14 @@ * It is a simple Type-Length-Value based protocol, it allows easy * extension with future subtypes and bulk transfers by sending multiple * entries at once. The unencrypted messages will be authenticated using - * HMAC-SHA1. + * HMAC-SHA256. * */ #define DHCP_SYNC_VERSION 1 #define DHCP_SYNC_MCASTADDR "224.0.1.240" /* XXX choose valid address */ #define DHCP_SYNC_MCASTTTL IP_DEFAULT_MULTICAST_TTL -#define DHCP_SYNC_HMAC_LEN 20 /* SHA1 */ +#define DHCP_SYNC_HMAC_LEN SHA256_DIGEST_LENGTH #define DHCP_SYNC_MAXSIZE 1408 #define DHCP_SYNC_KEY "/var/db/dhcpd.key"