diff options
| author | Ted Unangst <tedu@cvs.openbsd.org> | 2014-11-16 17:37:43 +0000 |
|---|---|---|
| committer | Ted Unangst <tedu@cvs.openbsd.org> | 2014-11-16 17:37:43 +0000 |
| commit | 8a93269e19baba44ca661f8656b81932b78044c3 (patch) | |
| tree | 66af6d33fa3df19b09d48494a1d1e3cfb4aeb01d /sys/net/pf.c | |
| parent | 386bae0df97a5bd0b655f46d05fa84ebd7cd2066 (diff) | |
convert to use sha512 for pf iss. ok deraadt dlg
Diffstat (limited to 'sys/net/pf.c')
| -rw-r--r-- | sys/net/pf.c | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 40d9a8e88e2..5ea4baf9b45 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.892 2014/11/16 11:58:14 dlg Exp $ */ +/* $OpenBSD: pf.c,v 1.893 2014/11/16 17:37:42 tedu Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -53,7 +53,7 @@ #include <sys/rwlock.h> #include <sys/syslog.h> -#include <crypto/md5.h> +#include <crypto/sha2.h> #include <net/if.h> #include <net/if_types.h> @@ -105,7 +105,7 @@ struct pf_queuehead *pf_queues_inactive; struct pf_status pf_status; -MD5_CTX pf_tcp_secret_ctx; +SHA2_CTX pf_tcp_secret_ctx; u_char pf_tcp_secret[16]; int pf_tcp_secret_init; int pf_tcp_iss_off; @@ -3031,38 +3031,41 @@ pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr) u_int32_t pf_tcp_iss(struct pf_pdesc *pd) { - MD5_CTX ctx; - u_int32_t digest[4]; + SHA2_CTX ctx; + union { + uint8_t bytes[SHA512_DIGEST_LENGTH]; + uint32_t words[1]; + } digest; if (pf_tcp_secret_init == 0) { arc4random_buf(pf_tcp_secret, sizeof(pf_tcp_secret)); - MD5Init(&pf_tcp_secret_ctx); - MD5Update(&pf_tcp_secret_ctx, pf_tcp_secret, + SHA512Init(&pf_tcp_secret_ctx); + SHA512Update(&pf_tcp_secret_ctx, pf_tcp_secret, sizeof(pf_tcp_secret)); pf_tcp_secret_init = 1; } ctx = pf_tcp_secret_ctx; - MD5Update(&ctx, (char *)&pd->rdomain, sizeof(pd->rdomain)); - MD5Update(&ctx, (char *)&pd->hdr.tcp->th_sport, sizeof(u_short)); - MD5Update(&ctx, (char *)&pd->hdr.tcp->th_dport, sizeof(u_short)); + SHA512Update(&ctx, (char *)&pd->rdomain, sizeof(pd->rdomain)); + SHA512Update(&ctx, (char *)&pd->hdr.tcp->th_sport, sizeof(u_short)); + SHA512Update(&ctx, (char *)&pd->hdr.tcp->th_dport, sizeof(u_short)); switch (pd->af) { #ifdef INET case AF_INET: - MD5Update(&ctx, (char *)&pd->src->v4, sizeof(struct in_addr)); - MD5Update(&ctx, (char *)&pd->dst->v4, sizeof(struct in_addr)); + SHA512Update(&ctx, (char *)&pd->src->v4, sizeof(struct in_addr)); + SHA512Update(&ctx, (char *)&pd->dst->v4, sizeof(struct in_addr)); break; #endif /* INET */ #ifdef INET6 case AF_INET6: - MD5Update(&ctx, (char *)&pd->src->v6, sizeof(struct in6_addr)); - MD5Update(&ctx, (char *)&pd->dst->v6, sizeof(struct in6_addr)); + SHA512Update(&ctx, (char *)&pd->src->v6, sizeof(struct in6_addr)); + SHA512Update(&ctx, (char *)&pd->dst->v6, sizeof(struct in6_addr)); break; #endif /* INET6 */ } - MD5Final((u_char *)digest, &ctx); + SHA512Final(digest.bytes, &ctx); pf_tcp_iss_off += 4096; - return (digest[0] + tcp_iss + pf_tcp_iss_off); + return (digest.words[0] + tcp_iss + pf_tcp_iss_off); } void |