From patchwork Sat Sep 15 01:10:15 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1935 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) by web02.i.ipfire.org (Postfix) with ESMTP id 53FC960DE2 for ; Fri, 14 Sep 2018 17:10:21 +0200 (CEST) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id BEB68110F7E6; Fri, 14 Sep 2018 16:10:20 +0100 (BST) Received: from mx-nbg.link38.eu (mx-nbg.link38.eu [IPv6:2a03:4000:6:432c:1f9e:48:ac3:199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx-nbg.link38.eu", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id D635610FE227 for ; Fri, 14 Sep 2018 16:10:17 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=link38.eu; s=201803; t=1536937816; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references; bh=C8FkdOZ1E3fIgh5JfcGBc/4CmzCfbEChkyvQVsixcjs=; b=N1HZZfRVizkACf7Aj69haiMCP+rEQzeBO5/dd3plQ5INv2U26KcVslru1jma8aqxnfA7si 8NaKfPjyFpvK/Y359M75QxvpDcNirYkLPUl89tcTYOdeGySPbsrnYjD5YzqzTTwePmHsgB IBu3vNHS5Ap3T3X73fycQOrxjDvartjkw0C+QdvhMtilEJSXARVVdzGeg1KaQgSxLlUufy ZLgnafS/kh5MoRkyi/GDcBMRjixweXBU5k0LeR1OK2wLwQ8uTgdoB5JZnMiwkWtirQaPe2 EirJu6tsdqKFyze497sdC9yTxImOClVo5nuolVmALaF1lG1RUhQ1NRxAxCysgQ== From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH] use SHA256 for image checksums Date: Fri, 14 Sep 2018 17:10:15 +0200 Message-Id: <20180914151015.5605-1-peter.mueller@link38.eu> MIME-Version: 1.0 Authentication-Results: mail01.ipfire.org; dkim=pass header.d=link38.eu; dmarc=pass (policy=none) header.from=link38.eu; spf=pass smtp.mailfrom=peter.mueller@link38.eu X-Spamd-Result: default: False [-11.54 / 11.00]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[link38.eu]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2a03:4000:6:432c:1f9e:48:ac3:199]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; DKIM_TRACE(0.00)[link38.eu:+]; RCVD_IN_DNSWL_MED(-2.00)[9.9.1.0.3.c.a.0.8.4.0.0.e.9.f.1.c.2.3.4.6.0.0.0.0.0.0.4.3.0.a.2.list.dnswl.org : 127.0.6.2]; MID_CONTAINS_FROM(1.00)[]; MX_GOOD(-0.01)[cached: mx-nbg.link38.eu]; DMARC_POLICY_ALLOW(-0.25)[link38.eu,none]; NEURAL_HAM(-3.00)[-0.999,0]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; IP_SCORE(-3.78)[ip: (-9.91), ipnet: 2a03:4000::/32(-4.95), asn: 197540(-3.96), country: DE(-0.09)]; ASN(0.00)[asn:197540, ipnet:2a03:4000::/32, country:DE]; RCVD_TLS_ALL(0.00)[]; BAYES_HAM(-3.00)[100.00%] X-Spam-Status: No, score=-11.54 X-Rspamd-Server: mail01.i.ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" SHA1 is legacy crypto and known to be weak (collision attacks). Thereof, SHA256 is used instead to provide strong checksums for verifying our release images. Partially fixes: #11345 Signed-off-by: Peter Müller --- webapp/backend/releases.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/webapp/backend/releases.py b/webapp/backend/releases.py index 79e3468..fa63a44 100644 --- a/webapp/backend/releases.py +++ b/webapp/backend/releases.py @@ -279,16 +279,16 @@ class Release(Object): return file def __file_hash(self, filename): - sha1 = hashlib.sha1() + sha256 = hashlib.sha256() with open(filename) as f: buf_size = 1024 buf = f.read(buf_size) while buf: - sha1.update(buf) + sha256.update(buf) buf = f.read(buf_size) - return sha1.hexdigest() + return sha256.hexdigest() def scan_files(self, basepath="/srv/mirror0"): if not self.path: