Commit Graph

1006 Commits

Author SHA1 Message Date
Dag-Erling Smørgrav
d93a896ef9 Upgrade to OpenSSH 7.5p1. 2017-08-04 12:57:24 +00:00
Xin LI
49426905b3 MFV r320905: Import upstream fix for CVE-2017-11103.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'.  Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.

Submitted by:	hrs
Obtained from:	Heimdal
Security:	FreeBSD-SA-17:05.heimdal
Security:	CVE-2017-11103
2017-07-12 07:19:06 +00:00
Jung-uk Kim
ed7112f094 Merge OpenSSL 1.0.2l. 2017-05-25 20:52:16 +00:00
Jung-uk Kim
12df5ad9af Import OpenSSL 1.0.2l. 2017-05-25 19:38:38 +00:00
Kurt Lidl
342b8b88ba Refine and update blacklist support in sshd
Adjust notification points slightly to catch all auth failures,
rather than just the ones caused by bad usernames.

Modify notification point for bad usernames to send new type of
BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.)
Add guards to allow library headers to expose the enum of action values.

Reviewed by:	des
Approved by:	des
Sponsored by:	The FreeBSD Foundation
2017-05-12 15:20:12 +00:00
Andrew Turner
e7fca4bb42 Fix linking with lld by marking OPENSSL_armcap_P as hidden.
Linking with lld fails as it contains a relative address, however the data
this address is for may be relocated from the shared object to the main
executable.

Fix this by adding the hidden attribute. This stops moving this value to
the main executable. It seems this is implicit upstream as it uses a
version script.

Approved by:	jkim
Sponsored by:	DARPA, AFRL
2017-04-07 12:41:57 +00:00
Dag-Erling Smørgrav
ca86bcf253 Upgrade to OpenSSH 7.4p1. 2017-03-06 01:37:05 +00:00
Dag-Erling Smørgrav
0999bc4881 Re-apply part of r311585 which was inadvertantly reverted in the upgrade
to 7.3p1.  The other part (which adds -DLIBWRAP to sshd's CFLAGS) is
still in place.

Reported by:	ngie
2017-03-03 14:25:55 +00:00
Dag-Erling Smørgrav
6d6e8a4a09 Forgot to bump the version addendum date. 2017-03-03 01:50:10 +00:00
Dag-Erling Smørgrav
076ad2f836 Upgrade to OpenSSH 7.3p1. 2017-03-02 00:11:32 +00:00
Warner Losh
fbbd9655e5 Renumber copyright clause 4
Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.

Submitted by:	Jan Schaumann <jschauma@stevens.edu>
Pull Request:	https://github.com/freebsd/freebsd/pull/96
2017-02-28 23:42:47 +00:00
Dag-Erling Smørgrav
4fcbf74fb1 Avoid picking up MIT Kerberos from ports (if installed). 2017-02-26 19:00:55 +00:00
Dag-Erling Smørgrav
8f7bfc76bd Fix amusingly harmless mis-merge. 2017-02-26 16:34:58 +00:00
Kurt Lidl
5057f65606 Only notify blacklistd for successful logins in auth.c
Reported by:	Rick Adams
Reviewed by:	des
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2017-02-19 20:35:39 +00:00
Jung-uk Kim
6cf8931a2f Merge OpenSSL 1.0.2k. 2017-01-26 19:10:29 +00:00
Jung-uk Kim
5315173646 Import OpenSSL 1.0.2k. 2017-01-26 18:32:12 +00:00
Xin LI
9ea45e75fa MFV r311913:
Fix multiple OpenSSH vulnerabilities.

Submitted by:	des
Approved by:	so
2017-01-11 05:49:39 +00:00
Enji Cooper
233932cc2a Conditionalize building libwrap support into sshd
Only build libwrap support into sshd if MK_TCP_WRAPPERS != no

This will unbreak the build if libwrap has been removed from the system

MFC after:	2 weeks
PR:		210141
Submitted by:	kpect@protonmail.com
Differential Revision:	D9049
2017-01-07 08:08:35 +00:00
Xin LI
56e6c4251c MFV r308196:
Fix OpenSSH remote Denial of Service vulnerability.

Security:	CVE-2016-8858
2016-11-02 06:49:25 +00:00
Jung-uk Kim
7518a9bd2b Build OpenSSL assembly sources for aarch64. Tested with ThunderX by andrew. 2016-10-26 20:02:22 +00:00
Jung-uk Kim
f1fe58d376 Merge OpenSSL 1.0.2j. 2016-09-26 14:22:17 +00:00
Jung-uk Kim
e656c34a18 Import OpenSSL 1.0.2j. 2016-09-26 14:13:11 +00:00
Jung-uk Kim
aeb5019c48 Merge OpenSSL 1.0.2i. 2016-09-22 13:27:44 +00:00
Jung-uk Kim
e1b483878d Import OpenSSL 1.0.2i. 2016-09-22 13:04:03 +00:00
Kurt Lidl
b2af61ec69 Add refactored blacklist support to sshd
Change the calls to of blacklist_init() and blacklist_notify to be
macros defined in the blacklist_client.h file.  This avoids
the need for #ifdef USE_BLACKLIST / #endif except in the
blacklist.c file.

Remove redundent initialization attempts from within
blacklist_notify - everything always goes through
blacklistd_init().

Added UseBlacklist option to sshd, which defaults to off.
To enable the functionality, use '-o UseBlacklist=yes' on
the command line, or uncomment in the sshd_config file.

Reviewed by:	des
Approved by:	des
MFC after:		1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D7051
2016-08-30 14:09:24 +00:00
Jung-uk Kim
43e4bca77d Build OpenSSL assembly sources for arm. Tested with Raspberry Pi 2 Model B.
MFC after:	1 week
2016-08-22 20:59:34 +00:00
Ed Maste
4620ba2e32 Remove duplicate symbol from libhx509 version-script.map
Upstream commit r21331 (7758a5d0) added semiprivate function
_hx509_request_to_pkcs10 twice. This change has been committed upstream
as 8ef0071d.
2016-08-22 18:50:57 +00:00
Dag-Erling Smørgrav
144a80bd9a Try to check whether each key file exists before adding it, and bail out
if we didn't find any of them.  This reduces log spam about key files for
deprecated algorithms, which we look for but don't generate.

PR:		208254
MFC after:	3 days
2016-08-08 10:46:18 +00:00
Dag-Erling Smørgrav
9ded33068e Remove DSA from default cipher list and disable SSH1.
Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
reasons which boil down to POLA.  Now is a good time to catch up.

MFC after:	3 days
Relnotes:	yes
2016-08-03 16:08:21 +00:00
Ed Maste
bb04182c90 Remove duplicate symbols from libroken version-script.map
Upstream commit r24759 (efed563) prefixed some symbols with rk_, but
introduced 6 duplicate symbols in the version script (because the
rk_-prefixed versions of the symbols were already present).
2016-07-21 18:12:39 +00:00
Glen Barber
faebc97a1c Revert r301551, which added blacklistd(8) to sshd(8).
This change has functional impact, and other concerns raised
by the OpenSSH maintainer.

Requested by:	des
PR:		210479 (related)
Approved by:	re (marius)
Sponsored by:	The FreeBSD Foundation
2016-06-24 23:22:42 +00:00
Kurt Lidl
c0cc364181 Add blacklist support to sshd
Reviewed by:	rpaulo
Approved by:	rpaulo (earlier version of changes)
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D5915
2016-06-07 16:18:09 +00:00
Andriy Gapon
056f620e09 openssl: change SHLIB_VERSION_NUMBER to reflect the reality
Some consumers actually use this definition.

We probably need some procedure to ensure that SHLIB_VERSION_NUMBER
is updated whenever we change the library version in
secure/lib/libssl/Makefile.
2016-06-03 14:09:38 +00:00
Conrad Meyer
f74fc68670 libkrb5: Fix potential double-free
If krb5_make_principal fails, tmp_creds.server may remain a pointer to freed
memory and then be double-freed.  After freeing it the first time, initialize
it to NULL, which causes subsequent krb5_free_principal calls to do the right
thing.

Reported by:	Coverity
CID:		1273430
Sponsored by:	EMC / Isilon Storage Division
2016-05-11 23:25:59 +00:00
Jung-uk Kim
b8721c1643 Merge OpenSSL 1.0.2h.
Relnotes:	yes
2016-05-03 18:50:10 +00:00
Jung-uk Kim
57f1256b1a Import OpenSSL 1.0.2h. 2016-05-03 18:00:27 +00:00
Dag-Erling Smørgrav
c3c6c935fc Re-add AES-CBC ciphers to the default cipher list on the server.
PR:		207679
2016-03-11 00:23:10 +00:00
Dag-Erling Smørgrav
acc1a9ef83 Upgrade to OpenSSH 7.2p2. 2016-03-11 00:15:29 +00:00
Jung-uk Kim
4c6a0400b9 Merge OpenSSL 1.0.2g.
Relnotes:	yes
2016-03-01 22:08:28 +00:00
Jung-uk Kim
9aeed18ad7 Import OpenSSL 1.0.2g. 2016-03-01 17:57:01 +00:00
Dag-Erling Smørgrav
b4245df0a8 Document our modified default value for PermitRootLogin. 2016-02-02 10:02:38 +00:00
Jung-uk Kim
8180e704ac Merge OpenSSL 1.0.2f.
Relnotes:	yes
2016-01-28 20:15:22 +00:00
Jung-uk Kim
c188d4cade Import OpenSSL 1.0.2f. 2016-01-28 18:41:59 +00:00
Dag-Erling Smørgrav
c4cd1fa410 Switch UseDNS back on 2016-01-27 13:40:44 +00:00
Dag-Erling Smørgrav
6362080245 r294563 was incomplete; re-add the client-side options as well. 2016-01-22 14:22:11 +00:00
Dag-Erling Smørgrav
6f3513465d Instead of removing the NoneEnabled option, mark it as unsupported.
(should have done this in r291198, but didn't think of it until now)
2016-01-22 13:13:46 +00:00
Dag-Erling Smørgrav
0591b689c2 Update the instructions and the list of major local modifications. 2016-01-21 12:42:31 +00:00
Dag-Erling Smørgrav
a067b78c9c Explain why we don't include VersionAddendum in the debug mode banner. 2016-01-21 12:41:02 +00:00
Dag-Erling Smørgrav
fc1ba28a5c Upgrade to OpenSSH 7.1p2. 2016-01-21 11:54:34 +00:00
Dag-Erling Smørgrav
acf8e75eb0 Enable DSA keys by default. They were disabled in OpenSSH 6.9p1.
Noticed by:	glebius
2016-01-21 11:10:14 +00:00