mtree * MD5 = better security

Idea from: Dr. John T. Wroclawski

usr.sbin/mtree/Makefile

@@ -1,8 +1,12 @@
-#	@(#)Makefile	8.1 (Berkeley) 6/6/93
+#	From: @(#)Makefile	8.1 (Berkeley) 6/6/93
+#	$Id$
 
 PROG=	mtree
 SRCS=	compare.c crc.c create.c misc.c mtree.c spec.c verify.c
 MAN8=	mtree.8
 .PATH:	${.CURDIR}/../../usr.bin/cksum
 
+DPADD+=	${LIBMD}
+LDADD+=	-lmd
+
 .include <bsd.prog.mk>

usr.sbin/mtree/compare.c

@@ -43,6 +43,7 @@ static char sccsid[] = "@(#)compare.c	8.1 (Berkeley) 6/6/93";
 #include <stdio.h>
 #include <time.h>
 #include <unistd.h>
+#include <md5.h>
 #include "mtree.h"
 #include "extern.h"
 
@@ -200,6 +201,26 @@ typeerr:		LABEL;
 			}
 			tab = "\t";
 		}
+	if (s->flags & F_MD5) {
+		char *new_digest;
+		
+		new_digest = MD5File(p->fts_accpath);
+		if (!new_digest) {
+			LABEL;
+			printf("%sMD5File: %s: %s\n", tab, p->fts_accpath,
+			       strerror(errno));
+			tab = "\t";
+		} else if (strcmp(new_digest, s->md5digest)) {
+			LABEL;
+			printf("%sMD5 (%s, %s)\n", tab, s->md5digest, 
+			       new_digest);
+			tab = "\t";
+			free(new_digest);
+		} else {
+			free(new_digest);
+		}
+	}
+
 	if (s->flags & F_SLINK && strcmp(cp = rlink(name), s->slink)) {
 		LABEL;
 		(void)printf("%slink ref (%s, %s)\n", tab, cp, s->slink);

usr.sbin/mtree/create.c

@@ -46,6 +46,7 @@ static char sccsid[] = "@(#)create.c	8.1 (Berkeley) 6/6/93";
 #include <errno.h>
 #include <unistd.h>
 #include <stdio.h>
+#include <md5.h>
 #include "mtree.h"
 #include "extern.h"
 
@@ -187,6 +188,16 @@ statf(indent, p)
 		(void)close(fd);
 		output(indent, &offset, "cksum=%lu", val);
 	}
+	if (keys & F_MD5 && S_ISREG(p->fts_statp->st_mode)) {
+		char *md5digest = MD5File(p->fts_accpath);
+
+		if (!md5digest) {
+			err("%s: %s", p->fts_accpath, strerror(errno));
+		} else {
+			output(indent, &offset, "md5digest=%s", md5digest);
+			free(md5digest);
+		}
+	}
 	if (keys & F_SLINK &&
 	    (p->fts_info == FTS_SL || p->fts_info == FTS_SLNONE))
 		output(indent, &offset, "link=%s", rlink(p->fts_accpath));

usr.sbin/mtree/misc.c

@@ -57,6 +57,7 @@ static KEY keylist[] = {
 	{"gname",	F_GNAME,	NEEDVALUE},
 	{"ignore",	F_IGN,		0},
 	{"link",	F_SLINK,	NEEDVALUE},
+	{"md5digest",	F_MD5,		NEEDVALUE},
 	{"mode",	F_MODE,		NEEDVALUE},
 	{"nlink",	F_NLINK,	NEEDVALUE},
 	{"size",	F_SIZE,		NEEDVALUE},

usr.sbin/mtree/mtree.8

@@ -29,9 +29,10 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"     @(#)mtree.8	8.2 (Berkeley) 12/11/93
+.\"     From: @(#)mtree.8	8.2 (Berkeley) 12/11/93
+.\"	$Id$
 .\"
-.Dd December 11, 1993
+.Dd February 9, 1995
 .Dt MTREE 8
 .Os
 .Sh NAME
@@ -134,6 +135,8 @@ Ignore any file hierarchy below this file.
 The file group as a numeric value.
 .It Cm gname
 The file group as a symbolic name.
+.It Cm md5digest
+The MD5 message digest of the file.
 .It Cm mode
 The current file's permissions as a numeric (octal) or symbolic
 value.
@@ -232,28 +235,33 @@ option is used.
 To detect system binaries that have been ``trojan horsed'', it is recommended
 that
 .Nm mtree
+.Fl K
+.Cm md5digest
 be run on the file systems, and a copy of the results stored on a different
 machine, or, at least, in encrypted form.
-The seed for the
-.Fl s
-option should not be an obvious value and the final checksum should not be
-stored on-line under any circumstances!
+The output file itself should be digested using the
+.Xr md5 1
+utility.
 Then, periodically,
 .Nm mtree
-should be run against the on-line specifications and the final checksum
-compared with the previous value.
+and
+.Xr md5 1
+should be run against the on-line specifications.
 While it is possible for the bad guys to change the on-line specifications
-to conform to their modified binaries, it shouldn't be possible for them
-to make it produce the same final checksum value.
-If the final checksum value changes, the off-line copies of the specification
-can be used to detect which of the binaries have actually been modified.
+to conform to their modified binaries, it is believed to be
+impractical for them to create a modified specification which has
+the same MD5 digest as the original.
 .Pp
 The
 .Fl d
 and
 .Fl u
 options can be used in combination to create directory hierarchies
-for distributions and other such things.
+for distributions and other such things; the files in
+.Pa /etc/mtree
+were used to create almost all diectories in this
+.Tn FreeBSD
+distribution.
 .Sh FILES
 .Bl -tag -width /etc/mtree -compact
 .It Pa /etc/mtree
@@ -264,10 +272,17 @@ system specification directory
 .Xr chown 1 ,
 .Xr chgrp 1 ,
 .Xr cksum 1 ,
+.Xr md5 1 ,
 .Xr stat 2 ,
 .Xr fts 3 ,
+.Xr md5 3
 .Sh HISTORY
 The
 .Nm mtree
 utility appeared in
 .Bx 4.3 Reno .
+The MD5 digest capability was added in
+.Tn FreeBSD
+2.1, in response to the widespread use of programs which can spoof
+.Xr cksum 1 .
+

usr.sbin/mtree/mtree.h

@@ -47,6 +47,7 @@ typedef struct _node {
 	off_t	st_size;			/* size */
 	struct timespec	st_mtimespec;		/* last modification time */
 	u_long	cksum;				/* check sum */
+	char	*md5digest;			/* MD5 digest */
 	char	*slink;				/* symbolic link reference */
 	uid_t	st_uid;				/* uid */
 	gid_t	st_gid;				/* gid */
@@ -69,6 +70,7 @@ typedef struct _node {
 #define	F_UID	0x1000				/* uid */
 #define	F_UNAME	0x2000				/* user name */
 #define	F_VISIT	0x4000				/* file visited */
+#define F_MD5	0x8000				/* MD5 digest */
 	u_short	flags;				/* items set */
 
 #define	F_BLOCK	0x001				/* block special */

usr.sbin/mtree/spec.c

@@ -181,6 +181,12 @@ set(t, ip)
 			if (*ep)
 				err("invalid checksum %s", val);
 			break;
+		case F_MD5:
+			ip->md5digest = strdup(val);
+			if(!ip->md5digest) {
+				err("%s", strerror(errno));
+			}
+			break;
 		case F_GID:
 			ip->st_gid = strtoul(val, &ep, 10);
 			if (*ep)