Date: Wed, 19 Feb 2025 10:41:40 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 9d5c83a0b84c - main - pf: convert to use sha512 for pf iss Message-ID: <202502191041.51JAfeCw035400@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=9d5c83a0b84caab2fbc4be22a7008b280aaedc80 commit 9d5c83a0b84caab2fbc4be22a7008b280aaedc80 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-02-11 16:37:16 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-02-19 10:41:09 +0000 pf: convert to use sha512 for pf iss ok deraadt dlg Obtained from: OpenBSD, tedu <tedu@openbsd.org>, 842fba9566 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 2a1ee73b3aef..0e816f1205c5 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -54,7 +54,6 @@ #include <sys/kthread.h> #include <sys/limits.h> #include <sys/mbuf.h> -#include <sys/md5.h> #include <sys/random.h> #include <sys/refcount.h> #include <sys/sdt.h> @@ -63,6 +62,8 @@ #include <sys/taskqueue.h> #include <sys/ucred.h> +#include <crypto/sha2/sha512.h> + #include <net/if.h> #include <net/if_var.h> #include <net/if_private.h> @@ -176,7 +177,7 @@ VNET_DEFINE(u_int32_t, ticket_altqs_inactive); VNET_DEFINE(int, altqs_inactive_open); VNET_DEFINE(u_int32_t, ticket_pabuf); -VNET_DEFINE(MD5_CTX, pf_tcp_secret_ctx); +VNET_DEFINE(SHA512_CTX, pf_tcp_secret_ctx); #define V_pf_tcp_secret_ctx VNET(pf_tcp_secret_ctx) VNET_DEFINE(u_char, pf_tcp_secret[16]); #define V_pf_tcp_secret VNET(pf_tcp_secret) @@ -5050,35 +5051,38 @@ pf_calc_mss(struct pf_addr *addr, sa_family_t af, int rtableid, u_int16_t offer) static u_int32_t pf_tcp_iss(struct pf_pdesc *pd) { - MD5_CTX ctx; - u_int32_t digest[4]; + SHA512_CTX ctx; + union { + uint8_t bytes[SHA512_DIGEST_LENGTH]; + uint32_t words[1]; + } digest; if (V_pf_tcp_secret_init == 0) { arc4random_buf(&V_pf_tcp_secret, sizeof(V_pf_tcp_secret)); - MD5Init(&V_pf_tcp_secret_ctx); - MD5Update(&V_pf_tcp_secret_ctx, V_pf_tcp_secret, + SHA512_Init(&V_pf_tcp_secret_ctx); + SHA512_Update(&V_pf_tcp_secret_ctx, V_pf_tcp_secret, sizeof(V_pf_tcp_secret)); V_pf_tcp_secret_init = 1; } ctx = V_pf_tcp_secret_ctx; - MD5Update(&ctx, (char *)&pd->hdr.tcp.th_sport, sizeof(u_short)); - MD5Update(&ctx, (char *)&pd->hdr.tcp.th_dport, sizeof(u_short)); + SHA512_Update(&ctx, (char *)&pd->hdr.tcp.th_sport, sizeof(u_short)); + SHA512_Update(&ctx, (char *)&pd->hdr.tcp.th_dport, sizeof(u_short)); switch (pd->af) { case AF_INET6: - MD5Update(&ctx, (char *)&pd->src->v6, sizeof(struct in6_addr)); - MD5Update(&ctx, (char *)&pd->dst->v6, sizeof(struct in6_addr)); + SHA512_Update(&ctx, (char *)&pd->src->v6, sizeof(struct in6_addr)); + SHA512_Update(&ctx, (char *)&pd->dst->v6, sizeof(struct in6_addr)); break; case AF_INET: - MD5Update(&ctx, (char *)&pd->src->v4, sizeof(struct in_addr)); - MD5Update(&ctx, (char *)&pd->dst->v4, sizeof(struct in_addr)); + SHA512_Update(&ctx, (char *)&pd->src->v4, sizeof(struct in_addr)); + SHA512_Update(&ctx, (char *)&pd->dst->v4, sizeof(struct in_addr)); break; } - MD5Final((u_char *)digest, &ctx); + SHA512_Final(digest.bytes, &ctx); V_pf_tcp_iss_off += 4096; #define ISN_RANDOM_INCREMENT (4096 - 1) - return (digest[0] + (arc4random() & ISN_RANDOM_INCREMENT) + + return (digest.words[0] + (arc4random() & ISN_RANDOM_INCREMENT) + V_pf_tcp_iss_off); #undef ISN_RANDOM_INCREMENT }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202502191041.51JAfeCw035400>