Allow other checksum checks

Issue #561 new
Former user created an issue

Due to the recent finding that collisions in SHA-1 can be found 100,000 times faster than brute force, SHA256 checksum checks should be introduced.

The impact of this allows malicious code to be deployed to the hosts that will still pass checksum checks due to the existence of collisions, allowing malware to be installed without detection.

SHA-1 Collision Sources: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html?m=1 and http://shattered.io/

Comments (2)

  1. Tildeslash repo owner

    Make title more general. We should support all checksums supported by OpenSSL.

    IF CHANGED [DIGEST] CHECKSUM THEN action
    and
    IF FAILED [DIGEST] CHECKSUM [EXPECT checksum] THEN action
    

    Where DIGEST is any Message Digest supported by OpenSSL. The reason we currently are limited to MD5 and SHA-1 is because we provide separate implementations with Monit. Instead we should require Monit to be linked with OpenSSL and the DIGEST entry is simply a lookup table to implementations in OpenSSL.

    In the process we should also remove our "own" MD5 and SHA-1 implementations.
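As an added illustration of the digest-by-name lookup proposed in the comment above (not Monit's code and not written by anyone in this thread): the sketch uses Python's `hashlib.new()`, which in CPython builds linked against OpenSSL tries OpenSSL's digest table first. The parser, function names and sample rule are hypothetical, and only the FAILED form with both DIGEST and EXPECT present is handled.

```python
import hashlib
import hmac
import io
import re

# Hypothetical parser for: IF FAILED [DIGEST] CHECKSUM [EXPECT checksum] THEN action
RULE = re.compile(
    r"^IF\s+FAILED\s+(?P<digest>[\w-]+)\s+CHECKSUM\s+EXPECT\s+"
    r"(?P<expect>[0-9A-Fa-f]+)\s+THEN\s+(?P<action>\w+)$", re.IGNORECASE)

def new_digest(name):
    """Look the digest up by name instead of shipping one implementation per algorithm."""
    try:
        h = hashlib.new(name.lower())
    except ValueError:
        raise ValueError(f"unsupported digest: {name}") from None
    if h.digest_size == 0:  # extendable-output functions (SHAKE) have no fixed length
        raise ValueError(f"digest has no fixed length: {name}")
    return h

def parse_rule(line):
    """Return (digest, expected_hex, action), rejecting a malformed EXPECT value."""
    m = RULE.match(line.strip())
    if not m:
        raise ValueError("not a FAILED CHECKSUM statement")
    h = new_digest(m["digest"])
    expect = m["expect"].lower()
    if len(expect) != 2 * h.digest_size:  # catches an MD5/SHA-1 value left under a new digest
        raise ValueError(f"EXPECT length does not match {m['digest']}")
    return m["digest"].lower(), expect, m["action"].lower()

def check(line, stream):
    """Return the rule's action if the stream's checksum differs from EXPECT, else None."""
    name, expect, action = parse_rule(line)
    h = new_digest(name)
    for block in iter(lambda: stream.read(65536), b""):
        h.update(block)
    return None if hmac.compare_digest(h.hexdigest(), expect) else action

# Constructed sample input: the SHA-256 test vector for b"abc".
ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

def demo():
    rule = f"IF FAILED SHA256 CHECKSUM EXPECT {ABC_SHA256} THEN alert"
    # First stream matches EXPECT, second has one byte changed.
    return check(rule, io.BytesIO(b"abc")), check(rule, io.BytesIO(b"abd"))

if __name__ == "__main__":
    print(demo())
```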
