Hi Naddy, Christian Weisgerber wrote on Sat, Jul 07, 2012 at 03:40:00PM +0200:
> This adds support for the "sha256digest" keyword to create/compare > SHA2-256 digests of files. In the man page, also replace SHA-1 > with SHA2-256 in the examples section. Looks reasonable to me and survived light testing on i386. The following slightly improves the formatting:
Index: mtree.8
===================================================================
RCS file: /cvs/src/usr.sbin/mtree/mtree.8,v
retrieving revision 1.35
diff -u -r1.35 mtree.8
--- mtree.8 3 Sep 2010 11:22:36 -0000 1.35
+++ mtree.8 7 Jul 2012 15:19:00 -0000
@@ -156,7 +156,7 @@
 checks based on it are performed.
 .Pp
 Currently supported keywords are as follows:
-.Bl -tag -width Cm
+.Bl -tag -width sha256digest
 .It Cm cksum
 The checksum of the file using the default algorithm specified by the
Here is a security(8) diff to go with it:
Index: security
===================================================================
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.18
diff -u -p -r1.18 security
--- security 17 May 2012 16:06:03 -0000 1.18
+++ security 7 Jul 2012 15:09:58 -0000
@@ -2,7 +2,7 @@
 # $OpenBSD: security,v 1.18 2012/05/17 16:06:03 pascal Exp $
 #
-# Copyright (c) 2011 Ingo Schwarze <schwa...@openbsd.org>
+# Copyright (c) 2011, 2012 Ingo Schwarze <schwa...@openbsd.org>
 # Copyright (c) 2011 Andrew Fresh <and...@afresh1.com>
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -20,7 +20,7 @@
 use warnings;
 use strict;
-require Digest::MD5;
+use Digest::SHA qw(sha256_hex);
 use Errno qw(ENOENT);
 use Fcntl qw(:mode);
 use File::Basename qw(basename);
@@ -689,7 +689,7 @@ sub check_disks {
 #
 # Create the mtree tree specifications using:
 #
-# mtree -cx -p DIR -K md5digest,type >/etc/mtree/DIR.secure
+# mtree -cx -p DIR -K sha256digest,type > /etc/mtree/DIR.secure
 # chown root:wheel /etc/mtree/DIR.secure
 # chmod 600 /etc/mtree/DIR.secure
 #
@@ -764,56 +764,57 @@ sub backup_if_changed {
 }
 }
-sub backup_md5 {
+sub backup_digest {
 my ($orig) = @_;
 my ($backup) = $orig =~ m{^/?(.*)};
 $backup =~ s{/}{_}g;
- my $current = BACKUP_DIR . "$backup.current.md5";
- $backup = BACKUP_DIR . "$backup.backup.md5";
+ my $current = BACKUP_DIR . "$backup.current.sha256";
+ $backup = BACKUP_DIR . "$backup.backup.sha256";
- my $md5_new = 0;
+ my $digest_new = 0;
 if (-s $orig) {
 if (open my $fh, '<', $orig) {
 binmode $fh;
- $md5_new = Digest::MD5->new->addfile($fh)->hexdigest;
+ local $/;
+ $digest_new = sha256_hex(<$fh>);
 close $fh;
 } else {
 nag 1, "open: $orig: $!";
 }
 }
- my $md5_old = 0;
+ my $digest_old = 0;
 if (-s $current) {
 if (open my $fh, '<', $current) {
- $md5_old = <$fh>;
+ $digest_old = <$fh>;
 close $fh;
- chomp $md5_old;
+ chomp $digest_old;
 } else {
 nag 1, "open: $current: $!";
 }
 }
- return if $md5_old eq $md5_new;
+ return if $digest_old eq $digest_new;
- if ($md5_old && $md5_new) {
+ if ($digest_old && $digest_new) {
 copy $current, $backup;
 chown 0, 0, $backup;
 chmod 0600, $backup;
- } elsif ($md5_old) {
- $check_title = "======\n$orig removed MD5 checksum\n======";
+ } elsif ($digest_old) {
+ $check_title = "======\n$orig removed SHA-256 checksum\n======";
 unlink $current;
- } elsif ($md5_new) {
- $check_title = "======\n$orig new MD5 checksum\n======";
+ } elsif ($digest_new) {
+ $check_title = "======\n$orig new SHA-256 checksum\n======";
 }
- if ($md5_new) {
+ if ($digest_new) {
 if (open my $fh, '>', $current) {
- print $fh "$md5_new\n";
+ print $fh "$digest_new\n";
 close $fh;
 } else {
 nag 1, "open: $current: $!\n";
 }
 chown 0, 0, $current;
 chmod 0600, $current;
 }
- nag $md5_old, "OLD: $md5_old";
- nag $md5_new, "NEW: $md5_new";
+ nag $digest_old, "OLD: $digest_old";
+ nag $digest_new, "NEW: $digest_new";
 }
 # List of files that get backed up and checked for any modifications. Each
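Review bot: The new `local $/; $digest_new = sha256_hex(<$fh>);` reads the whole file into memory before hashing, whereas the removed `Digest::MD5->new->addfile($fh)->hexdigest` streamed it through the digest object; since the files come from an administrator-supplied changelist and the script runs with root ownership of its outputs (see the `chown 0, 0` lines), the bounded-memory form is the safer default. Digest::SHA offers the same streaming interface, so `$digest_new = Digest::SHA->new(256)->addfile($fh)->hexdigest;` keeps this a one-line change and drops the need for `local $/` (the `sha256_hex` import in the earlier hunk would then be unused). Separately, the state-file names move from `.current.md5`/`.backup.md5` to `.current.sha256`/`.backup.sha256`, so the first run after this change will presumably report every changelist file under a "new SHA-256 checksum" title and leave the old `.md5` files in BACKUP_DIR behind; a comment such as `# Older .md5 state files are not read; remove them once the first sha256 run completes.` near the `my $current = ...` line, or a one-time cleanup, would save the operator a surprise.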
@@ -842,8 +843,8 @@ sub check_changelist {
 if ($plus) {
 $check_title =
- "======\n$_ MD5 checksums\n======";
- backup_md5 $_;
+ "======\n$_ SHA-256 checksums\n======";
+ backup_digest $_;
 } else {
 $check_title =
 "======\n$_ diffs (-OLD +NEW)\n======";