Commit Graph

1192 Commits

Author SHA1 Message Date
Ed Maste
0657b2325d ssh: correct parse_cert_times case for hex "to" time
This appeared to be a copy-paste error from the "from" time case above.

Reported by:	Coverity Scan
CID:		1500407
Reviewed by:	markj
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D37252
2022-11-03 10:10:28 -04:00
Jung-uk Kim
cfc39718e9 OpenSSL: Merge OpenSSL 1.1.1s
Merge commit 'b6b67f23b82101d4c04c89f81d726b902ab77106'
2022-11-01 18:58:59 -04:00
Jung-uk Kim
b6b67f23b8 Import OpenSSL 1.1.1s 2022-11-01 18:43:36 -04:00
Ed Maste
38a52bd3b5 ssh: update to OpenSSH 9.1p1
Release notes are available at https://www.openssh.com/txt/release-9.1

9.1 contains fixes for three minor memory safety problems; these have
lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.

Some highlights copied from the release notes:

Potentially-incompatible changes
--------------------------------

 * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
   are now first-match-wins to match other directives. Previously
   if an environment variable was multiply specified the last set
   value would have been used. bz3438

 * ssh-keygen(8): ssh-keygen -A (generate all default host key types)
   will no longer generate DSA keys, as these are insecure and have
   not been used by default for some years.

New features
------------

 * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
   RSA key length. Keys below this length will be ignored for user
   authentication and for host authentication in sshd(8).

 * sftp-server(8): add a "users-groups-by-id@openssh.com" extension
   request that allows the client to obtain user/group names that
   correspond to a set of uids/gids.

 * sftp(1): use "users-groups-by-id@openssh.com" sftp-server
   extension (when available) to fill in user/group names for
   directory listings.

 * sftp-server(8): support the "home-directory" extension request
   defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
   a bit with the existing "expand-path@openssh.com", but some other
   clients support it.

 * ssh-keygen(1), sshd(8): allow certificate validity intervals,
   sshsig verification times and authorized_keys expiry-time options
   to accept dates in the UTC time zone in addition to the default
   of interpreting them in the system time zone. YYYYMMDD and
   YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
   with a 'Z' character.

   Also allow certificate validity intervals to be specified in raw
   seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
   is intended for use by regress tests and other tools that call
   ssh-keygen as part of a CA workflow. bz3468

 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
   "/usr/libexec/sftp-server -el debug3"

 * ssh-keygen(1): allow the existing -U (use agent) flag to work
   with "-Y sign" operations, where it will be interpreted to require
   that the private keys is hosted in an agent; bz3429

MFC after:	2 weeks
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-10-19 10:27:11 -04:00
Ed Maste
fca7ac55f8 ssh: remove pre- and post-merge update steps
We no longer use the pre- and post-merge scripts to strip/add RCS tags.
The tags have been removed from main, but persist on older branches.

While here renumber the steps in the update documentation using a more
conventional scheme.

Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D36904
2022-10-12 13:54:08 -04:00
Ed Maste
a1e39f96d2 nanobsd: remove unmodified copies of ssh config files
Nanobsd included copies of ssh_config and sshd_config.  The former is
identical to the one provided by the base system, and the latter is
identical except for PermitRootLogin, which is updated by nanobsd's
cust_allow_ssh_root anyhow.  Remove nanobsd's copies and use the
existing base system ones.

Reported by:	Jose Luis Duran <jlduran@gmail.com> in D34937
Reviewed by:	Jose Luis Duran <jlduran@gmail.com>, imp
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D36933
2022-10-11 12:53:57 -04:00
Ed Maste
963c7b084b ssh-keysign: fix double free in error path
From OpenSSH-portable commit 141535b904b6, OpenBSD commit 3d21aa127b1f.

MFC after:		3 days
2022-10-04 16:34:37 -04:00
Ed Maste
666605ad2d ssh-keygen: fix double free in error path
From OpenSSH-portable commit 5062ad48814b, OpenBSD commit 39f35e16ba87.

MFC after:	3 days
2022-10-04 16:33:11 -04:00
Ed Maste
5e5ebbee81 ssh-keyscan: Strictly enforce the maximum allowed SSH2 banner size
From OpenSSH-portable commit ff89b1bed807, OpenBSD commit 6ae664f9f4db.

MFC after:	3 days
2022-10-04 16:30:00 -04:00
Ed Maste
6f7bc8e7a3 ssh: describe deprecated options in general in update doc
Rename "HPN" to more general "Retired patches."  We handle two now-
removed patches the same way: to avoid breaking existing configurations
we accept, but ignore, the option.

Sponsored by:	The FreeBSD Foundation
2022-09-04 20:11:03 -04:00
Ed Maste
97be6fced7 openssh: Remove description of VersionAddendum in upgrade doc 2022-08-19 10:39:17 -04:00
Ed Maste
bffe60ead0 ssh: retire client VersionAddendum
FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f and later extended it to the client in
commit 9e2cbe04ff.

In 2012 upstream added support for server VersionAddendum, in commit
23528816dc10.  They do not support it for the client.

The argument for supporting this in the client is not nearly as strong
as for the server, so retire this option to reduce the scope of our
local patch set.  This also avoids some cases of conflicts in ssh_config
during update, as a user's configuration would typically follow the
commented-out default VersionAddendum value.

Reviewed by:	gordon, glebius
Relnotes:	yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32930
2022-08-19 10:38:42 -04:00
Jung-uk Kim
64cbf7cebc OpenSSL: Merge OpenSSL 1.1.1q
Merge commit 'f874e59ffcd8b5ecd018ad8311d78e866340f3e9'
2022-07-05 11:47:01 -04:00
Jung-uk Kim
f874e59ffc Import OpenSSL 1.1.1q 2022-07-05 11:27:51 -04:00
Jung-uk Kim
83eaf7ae0a OpenSSL: Merge OpenSSL 1.1.1p
Merge commit '54ae8e38f717f22963c2a87f48af6ecefc6b3e9b'
2022-06-21 13:34:41 -04:00
Jung-uk Kim
54ae8e38f7 Import OpenSSL 1.1.1p 2022-06-21 10:36:39 -04:00
Ed Maste
9f009e066f sshd_config: clarify password authentication options
Passwords may be accepted by both the PasswordAuthentication and
KbdInteractiveAuthentication authentication schemes.  Add a reference to
the latter in the description/comment for PasswordAuthentication, as it
otherwise may seem that "PasswordAuthentication no" implies passwords
will be disallowed.

This situation should be clarified with more extensive documentation on
the authentication schemes and configuration options, but that should be
done in coordination with upstream OpenSSH.  This is a minimal change
that will hopefully clarify the situation without requiring an extensive
local patch set.

PR:		263045
Reviewed by:	manu (earlier version)
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D35272
2022-06-08 16:20:46 -04:00
Ed Maste
0e12eb7b58 ssh: update sshd_config for prohibit-password option
The PermitRootLogin option "prohibit-password" was added as a synonym
for "without-password" in 2015.  Then in 2017 these were swapped:
"prohibit-password" became the canonical option and "without-password"
became a deprecated synonym (in OpenSSH commit 071325f458).

The UsePAM description in sshd_config still mentioned
"without-password."  Update it to match the new canonical option.

Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2022-05-12 11:16:09 -04:00
John Baldwin
913616b885 OpenSSL: KTLS: Enable KTLS for receiving as well in TLS 1.3
This removes a guard condition that prevents KTLS being enabled for
receiving in TLS 1.3.  Use the correct sequence number and BIO for
receive vs transmit offload.

Approved by:	jkim
Obtained from:	OpenSSL commit 7c78932b9a4330fb7c8db72b3fb37cbff1401f8b
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34976
2022-05-04 13:08:36 -07:00
John Baldwin
c0f977bfb6 OpenSSL: KTLS: Handle TLS 1.3 in ssl3_get_record.
- Don't unpad records, check the outer record type, or extract the
  inner record type from TLS 1.3 records handled by the kernel.  KTLS
  performs all of these steps and returns the inner record type in the
  TLS header.

- When checking the length of a received TLS 1.3 record don't allow
  for the extra byte for the nested record type when KTLS is used.

- Pass a pointer to the record type in the TLS header to the
  SSL3_RT_INNER_CONTENT_TYPE message callback.  For KTLS, the old
  pointer pointed to the last byte of payload rather than the record
  type.  For the non-KTLS case, the TLS header has been updated with
  the inner type before this callback is invoked.

Approved by:	jkim
Obtained from:	OpenSSL commit a5fb9605329fb939abb536c1604d44a511741624
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34975
2022-05-04 13:08:27 -07:00
John Baldwin
4f1f9c5502 OpenSSL: KTLS: Add using_ktls helper variable in ssl3_get_record().
When KTLS receive is enabled, pending data may still be present due to
read ahead.  This data must still be processed the same as records
received without KTLS.  To ease readability (especially in
consideration of additional checks which will be added for TLS 1.3),
add a helper variable 'using_ktls' that is true when the KTLS receive
path is being used to receive a record.

Approved by:	jkim
Obtained from:	OpenSSL commit 031132c297e54cbc20404a0bf8de6ed863196399
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34974
2022-05-04 13:08:17 -07:00
John Baldwin
019cff03b3 OpenSSL: KTLS: Check for unprocessed receive records in ktls_configure_crypto.
KTLS implementations currently assume that the start of the in-kernel
socket buffer is aligned with the start of a TLS record for the
receive side.  The socket option to enable KTLS specifies the TLS
sequence number of this initial record.

When read ahead is enabled, data can be pending in the SSL read buffer
after negotiating session keys.  This pending data must be examined to
ensurs that the kernel's socket buffer does not contain a partial TLS
record as well as to determine the correct sequence number of the
first TLS record to be processed by the kernel.

In preparation for enabling receive kernel offload for TLS 1.3, move
the existing logic to handle read ahead from t1_enc.c into ktls.c and
invoke it from ktls_configure_crypto().

Approved by:	jkim
Obtained from:	OpenSSL commit 85773128d0e80cd8dcc772a6931d385b8cf4acd1
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34973
2022-05-04 13:08:03 -07:00
John Baldwin
f6e5fcdc84 OpenSSL: Cleanup record length checks for KTLS
In some corner cases the check for packets
which exceed the allowed record length was missing
when KTLS is initially enabled, when some
unprocessed packets are still pending.

Approved by:	jkim
Obtained from:	OpenSSL commit 8fff986d52606e1a33f9404504535e2e2aee3e8b
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34972
2022-05-04 13:07:36 -07:00
Jung-uk Kim
34252e89a9 OpenSSL: Merge OpenSSL 1.1.1o
Merge commit 'cf0ffd7607ed8f39829c6951a65a55fa1eb3aafe'
2022-05-03 15:07:06 -04:00
Jung-uk Kim
cf0ffd7607 Import OpenSSL 1.1.1o 2022-05-03 11:01:12 -04:00
Ed Maste
6e24fe6128 ssh: use upstream SSH_OPENSSL_VERSION macro
With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636 we replaced
WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it
to OPENSSL_VERSION_STRING.

A few years later OpenSSH made an equivalent change (with a different
macro name), in commit 4d94b031ff88.  Switch to the macro name they
chose.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-04-23 20:07:57 -04:00
Ed Maste
835ee05f3c ssh: drop $FreeBSD$ from crypto/openssh
After we moved to git $FreeBSD$ is no longer expanded and serves no
purpose.  Remove them from OpenSSH to reduce diffs against upstream.

Sponsored by:	The FreeBSD Foundation
2022-04-22 19:12:23 -04:00
Ed Maste
1978059263 ssh: remove duplicate setting of MAIL env var
We already set it earlier in do_setup_env().

Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-04-19 10:30:52 -04:00
Ed Maste
613b4b7971 ssh: apply style(9) to version_addendum
Reported by:	allanjude (in review D29953)
Fixes:		462c32cb8d ("Upgrade OpenSSH to 6.1p1.")
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-04-18 18:13:42 -04:00
Ed Maste
eb45bc6829 ssh-agent: move -x description to correct spot in man page
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2022-04-17 17:43:20 -04:00
Ed Maste
e2cec5ba2c ssh: correct version number (9.0)
Reported by:	flo
Fixes:		87c1498d1a ("ssh: update to OpenSSH v9.0p1")
Sponsored by:	The FreeBSD Foundation
2022-04-15 12:10:35 -04:00
Ed Maste
9fce8d4140 ssh: apply post-release patch from V_9_0 branch
upstream: clear io_want/io_ready flags at start of poll() cycle;

avoids plausible spin during rekeying if channel io_want flags are reused
across cycles. ok markus@ deraadt@
2022-04-15 11:04:54 -04:00
Ed Maste
fb5aabcb99 scp: switch to using the SFTP protocol by default
From upstream release notes https://www.openssh.com/txt/release-9.0

This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.

In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-04-15 10:47:28 -04:00
Ed Maste
87c1498d1a ssh: update to OpenSSH v9.0p1
Release notes are available at https://www.openssh.com/txt/release-9.0

Some highlights:

 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
   exchange method by default ("sntrup761x25519-sha512@openssh.com").
   The NTRU algorithm is believed to resist attacks enabled by future
   quantum computers and is paired with the X25519 ECDH key exchange
   (the previous default) as a backstop against any weaknesses in
   NTRU Prime that may be discovered in the future. The combination
   ensures that the hybrid exchange offers at least as good security
   as the status quo.

 * sftp-server(8): support the "copy-data" extension to allow server-
   side copying of files/data, following the design in
   draft-ietf-secsh-filexfer-extensions-00. bz2948

 * sftp(1): add a "cp" command to allow the sftp client to perform
   server-side file copies.

This commit excludes the scp(1) change to use the SFTP protocol by
default; that change will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-04-15 10:41:08 -04:00
Ed Maste
58def461e2 ssh: update with post-release V_8_9 branch commits
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
2022-04-13 16:53:20 -04:00
Ed Maste
1323ec5712 ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

 * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
   restricting forwarding and use of keys added to ssh-agent(1)

 * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
   ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
   default KEXAlgorithms list (after the ECDH methods but before the
   prime-group DH ones). The next release of OpenSSH is likely to
   make this key exchange the default method.

 * sshd(8), portable OpenSSH only: this release removes in-built
   support for MD5-hashed passwords. If you require these on your
   system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-04-13 16:00:56 -04:00
Jung-uk Kim
5ac766ab8e OpenSSL: Merge OpenSSL 1.1.1n 2022-03-15 19:37:45 -04:00
Jung-uk Kim
d6d3d40098 Import OpenSSL 1.1.1n 2022-03-15 18:18:15 -04:00
Gordon Tetlow
fdc418f15e Fix a bug in BN_mod_sqrt() that can cause it to loop forever.
Obtained from:	OpenSSL Project
Security:	CVE-2022-0778
2022-03-15 09:48:59 -07:00
Ed Maste
cea0d3689e ssh: update sshd_config(5) for RSA/SHA-1 signature removal
OpenSSH 8.8p1 removed RSA/SHA-1 signatures by default, but failed to
update sshd_config(5).  It was updated upstream after the release in
b711bc01a7ec and da4035523406.

Fixes:		8c22023ca5 ("ssh: disable RSA/SHA-1 signatures")
Sponsored by:	The FreeBSD Foundation
2022-03-08 16:56:56 -05:00
Ed Maste
822d379b1f ssh: regen sk_config.h after 73104d5838 2022-03-05 20:00:04 -05:00
Ed Maste
73104d5838 ssh: generate SK config file using private cbor and fido2 libs
Specify -lprivatecbor and -lprivatefido2 in OpenSSH's configure.ac, and
pass -I paths to libcbor and libfido2's contrib src location.

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34440
2022-03-05 19:57:22 -05:00
Ed Maste
92ef98b8fa ssh: use standalone config file for security key support
An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled.  Prepare
for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header
(similar to the approach used for optional krb5 support) and optionally
including that, instead of defining the macro directly from CFLAGS.

Reviewed by:	kevans
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34407
2022-03-02 09:35:12 -05:00
Ed Maste
f1421a8972 ssh: correct configure option name
The option is security-key-builtin not security-key-internal.  There is
no change to the generated config.h because the option defaults off
anyway.

MFC after:	3 days
Fixes:		87152f3405 ("ssh: disble internal security key...")
Sponsored by:	The FreeBSD Foundation
2022-03-01 09:41:51 -05:00
Mark Johnston
9340d69e57 openssh: Add a note to check for deprecated and removed config options
Suggested by:	emaste
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-03-01 09:38:44 -05:00
Ed Maste
ab7d095969 ssh: add command to push tag to FREEBSD-upgrade instructions
Because it appears `git push --follow-tags` may push extra, undesired
tags document both techniques (pushing the specific vendor/openssh/X.YpZ
tag and pushing all with --follow-tags, using --dry-run first).

Discussed with:	imp, lwhsu
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33605
2022-02-23 13:47:28 -05:00
Ed Maste
2e6ec1e4fe ssh: remove 11.x from FREEBSD-upgrade instructions
11.x is no longer supported.
2022-02-23 13:36:27 -05:00
John Baldwin
aa72082549 OpenSSL: Fix the same BIO_FLAGS macro definition
Also add comment to the public header to avoid
making another conflict in future.

Reviewed by:	jkim
Obtained from:	OpenSSL commit 5d4975ecd88ac17d0749513a8fac9a7c7befd900
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34135
2022-02-01 10:38:49 -08:00
Ed Maste
e38610abca ssh: remove unused header
Fixes:		0746301c49 ("ssh: pass 0 to procctl(2) to operate...")
Sponsored by:	The FreeBSD Foundation
2022-01-31 17:15:21 -05:00
Ed Maste
0746301c49 ssh: pass 0 to procctl(2) to operate on self
As of f833ab9dd1 procctl(2) allows idtype P_PID with id = 0 as a
shortcut for the calling process ID.  The shortcut also bypasses the
p_cansee / p_candebug test (since the process is able to act on itself.)

At present if the security.bsd.unprivileged_proc_debug sysctl is 0 then
procctl(P_PID, getpid(), ... for a process to act on itself will fail,
but procctl(P_PID, 0, ... will succeed.  This should likely be addressed
with a kernel change.

In any case the id = 0 shortcut is a tiny optimization for a process to
act on itself and allows the self-procctl to succeed, so use it in ssh.

Reported by:	Shawn Webb
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33970
2022-01-20 19:54:49 -05:00