From nobody Wed Feb 19 10:41:40 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YyXxx25hfz5p9d8;
	Wed, 19 Feb 2025 10:41:41 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4YyXxw5rLkz3lRG;
	Wed, 19 Feb 2025 10:41:40 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1739961700;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=Xd9IOsX7SimzGit4NcpbIqwKLs8k22SgLofvQDYF1ko=;
	b=BsTmTSZ+XHRiRYfqOFZR4yYxjuFFEzPp+BB888a07vUfGmlQV+G9jjJb3KPInEGxYXYpgo
	YnDDjYa8Ogjei77QBQkfiU+yiTPWZe2rDqx6ECG7bgi4lO3G+auxhBsgXSafA6GlFvpBJm
	HZqjbvtQrtWK7wz5anNnBT6b1bNpznFxsE2KwQsYLzOY817s9gf/c6gM25PRU5PRUSF2tx
	sNh1AcY1TtCzWbXdTeCbUFGg0S5pfzVagLDpjSpxXddIN3gI9w/lcIYV3En8Lbez9HeyyV
	IUW7KJt362QRXXkmp5f8Xh4Z8fivi5Gbv2DRBHsnx5/JqFuqDsRtji7t9bDw4Q==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1739961700; a=rsa-sha256; cv=none;
	b=QJzOVVRjJFqALdHkVzeHV5RXRc/ob6i3yoY6oznXPe/SAOizuNPB3vQDDiJMFQpoxwfGtQ
	03WjokSp5XU88ljhVhcwV5q1LAJLAulN1mQkApClDZW6+jNaQt+LOPaLI28G5uKtjAuuA7
	1VuvsrVM8PEQQ2q9FoxAN4yXdmE+LVgNgh93tdDM65k7pj+XCC87BUyFmct9nJNY9LyySy
	BsfOz/HRrRdWTxFN/GMe52g2nazCknpx/4tpO7dLXZZPJrbNVFROOjRG7UIQO6otF0r9sM
	e/SmWR1XhHbHnK+g9PpqRjDGnfGFnl+tyKMCL43Y6AN13N97hHuu1QCegf+JWA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1739961700;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=Xd9IOsX7SimzGit4NcpbIqwKLs8k22SgLofvQDYF1ko=;
	b=YLWmRMqCHU7rUI9XNiTDOpzA5M+VLh9LeyaFj4/85mIGscyLnTG6e7/AcDm40fjyWhN9gg
	wcVGRLDtdutp7aHu8dIbeJXXsj1ANRfvUKTS9W5idxaxWR3nqALeVzkUpxVOHYFwEZ/Gyh
	X3dAGpiWg47hkDkJ4qBlx2PzzUm6yOgqDYnRdaAjqpsdjrtn80JNBcj9E0ZHXLc3QcaFnP
	lVCAHT3hsV/KRnoGPvwjY4FfCCMPi06njH2Gtst07DI2U9nGQQFkIAU657o2blnwrEqoyd
	pNwW3Q3Fy4QTMmw+LDqHk93GIriewPKvBs3lOUPjW2ujKd4aGkCvk84v7pj5MA==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4YyXxw59Sjz12mf;
	Wed, 19 Feb 2025 10:41:40 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 51JAfeDk035403;
	Wed, 19 Feb 2025 10:41:40 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 51JAfeCw035400;
	Wed, 19 Feb 2025 10:41:40 GMT
	(envelope-from git)
Date: Wed, 19 Feb 2025 10:41:40 GMT
Message-Id: <202502191041.51JAfeCw035400@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Kristof Provost <kp@FreeBSD.org>
Subject: git: 9d5c83a0b84c - main - pf: convert to use sha512 for
  pf iss
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 9d5c83a0b84caab2fbc4be22a7008b280aaedc80
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=9d5c83a0b84caab2fbc4be22a7008b280aaedc80

commit 9d5c83a0b84caab2fbc4be22a7008b280aaedc80
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-02-11 16:37:16 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-02-19 10:41:09 +0000

    pf: convert to use sha512 for pf iss
    
    ok deraadt dlg
    
    Obtained from:  OpenBSD, tedu <tedu@openbsd.org>, 842fba9566
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 2a1ee73b3aef..0e816f1205c5 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -54,7 +54,6 @@
 #include <sys/kthread.h>
 #include <sys/limits.h>
 #include <sys/mbuf.h>
-#include <sys/md5.h>
 #include <sys/random.h>
 #include <sys/refcount.h>
 #include <sys/sdt.h>
@@ -63,6 +62,8 @@
 #include <sys/taskqueue.h>
 #include <sys/ucred.h>
 
+#include <crypto/sha2/sha512.h>
+
 #include <net/if.h>
 #include <net/if_var.h>
 #include <net/if_private.h>
@@ -176,7 +177,7 @@ VNET_DEFINE(u_int32_t,			 ticket_altqs_inactive);
 VNET_DEFINE(int,			 altqs_inactive_open);
 VNET_DEFINE(u_int32_t,			 ticket_pabuf);
 
-VNET_DEFINE(MD5_CTX,			 pf_tcp_secret_ctx);
+VNET_DEFINE(SHA512_CTX,			 pf_tcp_secret_ctx);
 #define	V_pf_tcp_secret_ctx		 VNET(pf_tcp_secret_ctx)
 VNET_DEFINE(u_char,			 pf_tcp_secret[16]);
 #define	V_pf_tcp_secret			 VNET(pf_tcp_secret)
@@ -5050,35 +5051,38 @@ pf_calc_mss(struct pf_addr *addr, sa_family_t af, int rtableid, u_int16_t offer)
 static u_int32_t
 pf_tcp_iss(struct pf_pdesc *pd)
 {
-	MD5_CTX ctx;
-	u_int32_t digest[4];
+	SHA512_CTX ctx;
+	union {
+		uint8_t bytes[SHA512_DIGEST_LENGTH];
+		uint32_t words[1];
+	} digest;
 
 	if (V_pf_tcp_secret_init == 0) {
 		arc4random_buf(&V_pf_tcp_secret, sizeof(V_pf_tcp_secret));
-		MD5Init(&V_pf_tcp_secret_ctx);
-		MD5Update(&V_pf_tcp_secret_ctx, V_pf_tcp_secret,
+		SHA512_Init(&V_pf_tcp_secret_ctx);
+		SHA512_Update(&V_pf_tcp_secret_ctx, V_pf_tcp_secret,
 		    sizeof(V_pf_tcp_secret));
 		V_pf_tcp_secret_init = 1;
 	}
 
 	ctx = V_pf_tcp_secret_ctx;
 
-	MD5Update(&ctx, (char *)&pd->hdr.tcp.th_sport, sizeof(u_short));
-	MD5Update(&ctx, (char *)&pd->hdr.tcp.th_dport, sizeof(u_short));
+	SHA512_Update(&ctx, (char *)&pd->hdr.tcp.th_sport, sizeof(u_short));
+	SHA512_Update(&ctx, (char *)&pd->hdr.tcp.th_dport, sizeof(u_short));
 	switch (pd->af) {
 	case AF_INET6:
-		MD5Update(&ctx, (char *)&pd->src->v6, sizeof(struct in6_addr));
-		MD5Update(&ctx, (char *)&pd->dst->v6, sizeof(struct in6_addr));
+		SHA512_Update(&ctx, (char *)&pd->src->v6, sizeof(struct in6_addr));
+		SHA512_Update(&ctx, (char *)&pd->dst->v6, sizeof(struct in6_addr));
 		break;
 	case AF_INET:
-		MD5Update(&ctx, (char *)&pd->src->v4, sizeof(struct in_addr));
-		MD5Update(&ctx, (char *)&pd->dst->v4, sizeof(struct in_addr));
+		SHA512_Update(&ctx, (char *)&pd->src->v4, sizeof(struct in_addr));
+		SHA512_Update(&ctx, (char *)&pd->dst->v4, sizeof(struct in_addr));
 		break;
 	}
-	MD5Final((u_char *)digest, &ctx);
+	SHA512_Final(digest.bytes, &ctx);
 	V_pf_tcp_iss_off += 4096;
 #define	ISN_RANDOM_INCREMENT (4096 - 1)
-	return (digest[0] + (arc4random() & ISN_RANDOM_INCREMENT) +
+	return (digest.words[0] + (arc4random() & ISN_RANDOM_INCREMENT) +
 	    V_pf_tcp_iss_off);
 #undef	ISN_RANDOM_INCREMENT
 }