Allow other checksum checks
Due to the recent finding that collisions in SHA-1 can be found 100,000 times faster than by brute force, SHA256 checksum checks should be introduced.
The impact of this allows malicious code to be deployed to the hosts that will still pass checksum checks due to collision existence, allowing malware to be installed without detection.
SHA-1 Collision Sources: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html?m=1 http://shattered.io/
Comments (2)
repo owner - changed title to Allow other checksum checks
Make title more general. We should support all checksums supported by OpenSSL.
IF CHANGED [DIGEST] CHECKSUM THEN action and IF FAILED [DIGEST] CHECKSUM [EXPECT checksum] THEN action
Where DIGEST is any Message Digest supported by OpenSSL. The reason we currently are limited to MD5 and SHA-1 is because we provide separate implementations with Monit. Instead we should require Monit to be linked with OpenSSL and the DIGEST entry is simply a lookup table to implementations in OpenSSL.
In the process we should also remove our "own" MD5 and SHA-1 implementations.
Thought I was logged in before. Comment to track this.
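
Added example, not from the thread or from Monit's source: the proposed statement form parsed in Python, with the DIGEST name resolved by `hashlib.new`, which looks names up through the OpenSSL library Python is built with. The function names, the `sha256` default when DIGEST is omitted, and the comparison against a previously recorded digest when EXPECT is absent are assumptions.

```python
import hashlib
import pathlib
import re
import tempfile

# Grammar as proposed in the thread; this parser is illustrative, not Monit's.
RULE = re.compile(
    r"IF\s+(FAILED|CHANGED)\s+(?:(?!CHECKSUM\b)(\S+)\s+)?CHECKSUM"
    r"(?:\s+EXPECT\s+([0-9A-Fa-f]+))?\s+THEN\s+(\S+)", re.IGNORECASE)

def parse_rule(line, default_digest="sha256"):  # default is an assumption
    m = RULE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not a checksum rule: {line!r}")
    kind, digest, expect, action = m.groups()
    kind, name = kind.upper(), (digest or default_digest).lower()
    h = hashlib.new(name)  # lookup by name; ValueError if unsupported
    if h.digest_size == 0:
        raise ValueError(f"{name}: variable-length digests are not handled")
    if expect and kind == "CHANGED":
        raise ValueError("EXPECT belongs to the FAILED form only")
    if expect and len(expect) != 2 * h.digest_size:
        raise ValueError(f"EXPECT value is not a {name} hex digest")
    return {"kind": kind, "digest": name,
            "expect": expect.lower() if expect else None, "action": action}

def file_digest(path, name):
    h = hashlib.new(name)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

# `previous` is the digest recorded on the last cycle (assumed semantics).
def evaluate(rule, path, previous=None):
    current = file_digest(path, rule["digest"])
    reference = rule["expect"] or previous
    return (rule["action"] if reference and current != reference else None), current

def demo():
    data = b"constructed sample payload\n"  # constructed test input
    rule = parse_rule("IF FAILED SHA256 CHECKSUM EXPECT "
                      f"{hashlib.sha256(data).hexdigest()} THEN alert")
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "monitored.bin")
        path.write_bytes(data)
        before = evaluate(rule, path)[0]
        path.write_bytes(data + b"tampered")
        return before, evaluate(rule, path)[0]
```

An EXPECT value whose length does not match the named digest is rejected at parse time, so a SHA-1 value pasted into a SHA256 rule fails loudly instead of alerting on every cycle.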