Commit Graph

1141 Commits

Author SHA1 Message Date
Ed Maste
0746301c49 ssh: pass 0 to procctl(2) to operate on self
As of f833ab9dd1 procctl(2) allows idtype P_PID with id = 0 as a
shortcut for the calling process ID.  The shortcut also bypasses the
p_cansee / p_candebug test (since the process is able to act on itself.)

At present if the security.bsd.unprivileged_proc_debug sysctl is 0 then
procctl(P_PID, getpid(), ... for a process to act on itself will fail,
but procctl(P_PID, 0, ... will succeed.  This should likely be addressed
with a kernel change.

In any case the id = 0 shortcut is a tiny optimization for a process to
act on itself and allows the self-procctl to succeed, so use it in ssh.

Reported by:	Shawn Webb
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33970
2022-01-20 19:54:49 -05:00
Gleb Smirnoff
ca573c9a17 sshd: update the libwrap patch to drop connections early
OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014
(f2719b7c in github.com/openssh/openssh-portable) and we
maintain the patch ourselves since 2016 (a0ee8cc636).

Over the years, the libwrap support has deteriotated and probably
that was reason for removal upstream.  Original idea of libwrap was
to drop illegitimate connection as soon as possible, but over the
years the code was pushed further down and down and ended in the
forked client connection handler.

The negative effects of late dropping is increasing attack surface
for hosts that are to be dropped anyway.  Apart from hypothetical
future vulnerabilities in connection handling, today a malicious
host listed in /etc/hosts.allow still can trigger sshd to enter
connection throttling mode, which is enabled by default (see
MaxStartups in sshd_config(5)), effectively casting DoS attack.
Note that on OpenBSD this attack isn't possible, since they enable
MaxStartups together with UseBlacklist.

A only negative effect from early drop, that I can imagine, is that
now main listener parses file in /etc, and if our root filesystems
goes bad, it would get stuck.  But unlikely you'd be able to login
in that case anyway.

Implementation details:

- For brevity we reuse the same struct request_info.  This isn't
  a documented feature of libwrap, but code review, viewing data
  in a debugger and real life testing shows that if we clear
  RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended.
- We set SO_LINGER on the socket to force immediate connection reset.
- We log message exactly as libwrap's refuse() would do.

Differential revision:	https://reviews.freebsd.org/D33044
2022-01-02 18:32:30 -08:00
Ed Maste
8c22023ca5 ssh: disable RSA/SHA-1 signatures
From OpenSSH 8.8p1's release notes:

---

Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

    Host old-host
        HostkeyAlgorithms +ssh-rsa
	PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

---

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2021-12-19 11:03:45 -05:00
Ed Maste
e9e8876a4d ssh: update to OpenSSH v8.8p1
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures.  It also has a few minor bug fixes.

The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2021-12-19 11:02:02 -05:00
Jung-uk Kim
b2bf0c7e5f OpenSSL: Merge OpenSSL 1.1.1m
Merge commit '56eae1b760adf10835560a9ee595549a1f10410f'
2021-12-14 16:03:52 -05:00
John Baldwin
27bb8830d5 SSL_sendfile: Replace ERR_raise_data with SYSerr.
ERR_raise_data is only present in OpenSSL 3.0 and later.

Reviewed by:	jkim
Obtained from:	CheriBSD
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D33363
2021-12-14 10:07:38 -08:00
Ed Maste
bdcfd222ce Remove FREEBSD-vendor files
These files were intended to track version and perhaps maintainership
information for contrib software.  However, they were never used beyond
bzip2, netcat, and OpenSSH, and generally haven't been kept up to date
recently (my OpenSSH 8.7p1 update notwithstanding).  Just remove them to
avoid having confusing or outdated information.

Suggested by:	des
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-12-06 16:36:44 -05:00
Piotr Kubaj
3a60869237 Add assembly optimized code for OpenSSL on powerpc, powerpc64 and powerpc64le
Summary:
1. 34ab13b7d8
needs to be merged for ELFv2 support on big-endian.
2. crypto/openssl/crypto/ppccap.c needs to be patched.
Same reason as in https://github.com/openssl/openssl/pull/17082.

Approved by:	jkim, jhibbits
MFC after:	1 month
Differential Revision: https://reviews.freebsd.org/D33076
2021-11-23 23:26:53 +01:00
Allan Jude
d9bb798725 openssl: Fix detection of ARMv7 and ARM64 CPU features
OpenSSL assumes the same value for AT_HWCAP=16 (Linux)
So it ends up calling elf_auxv_info() with AT_CANARY which
returns ENOENT, and all acceleration features are disabled.

With this, my ARM64 test machine runs the benchmark
`openssl speed -evp aes-256-gcm` nearly 20x faster
going from 100 MB/sec to 2000 MB/sec

It also improves sha256 from 300 MB/sec to 1800 MB/sec

This fix has been accepted but not yet merged upstream:
https://github.com/openssl/openssl/pull/17082

PR:		259937
Reviewed by:	manu, imp
MFC after:	immediate
Relnotes:	yes
Fixes:		88e852c0b5 ("OpenSSL: Merge OpenSSL 1.1.1j")
Sponsored by:	Ampere Computing LLC
Sponsored by:	Klara Inc.
Differential Revision:	https://reviews.freebsd.org/D33060
2021-11-22 18:10:43 +00:00
Ed Maste
438fd19dc3 ssh: mention nanobsd config files in upgrade instructions
Sponsored by:	The FreeBSD Foundation
2021-11-20 16:38:18 -05:00
Ed Maste
e9a994639b ssh: enable FIDO/U2F keys
Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

  This release adds support for FIDO/U2F hardware authenticators to
  OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
  authentication hardware that are widely used for website
  authentication.  In OpenSSH FIDO devices are supported by new public
  key types "ecdsa-sk" and "ed25519-sk", along with corresponding
  certificate types.

  ssh-keygen(1) may be used to generate a FIDO token-backed key, after
  which they may be used much like any other key type supported by
  OpenSSH, so long as the hardware token is attached when the keys are
  used. FIDO tokens also generally require the user explicitly
  authorise operations by touching or tapping them.

  Generating a FIDO key requires the token be attached, and will
  usually require the user tap the token to confirm the operation:

    $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
    Generating public/private ecdsa-sk key pair.
    You may need to touch your security key to authorize key generation.
    Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
    Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

  This will yield a public and private key-pair. The private key file
  should be useless to an attacker who does not have access to the
  physical token. After generation, this key may be used like any
  other supported key in OpenSSH and may be listed in authorized_keys,
  added to ssh-agent(1), etc. The only additional stipulation is that
  the FIDO token that the key belongs to must be attached when the key
  is used.

To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).

devd integration is not included in this change, and is under
investigation for the base system.  In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.

Reviewed by:	delphij, kevans
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32509
2021-11-04 13:01:44 -04:00
Ed Maste
87152f3405 ssh: disble internal security key support in generated config.h
We want to set ENABLE_SK_INTERNAL only when building with USB support.
We'll leave it off in config.h and enble it via our bespoke build's
Makefile.inc.

Sponsored by:	The FreeBSD Foundation
2021-11-01 15:45:37 -04:00
Ed Maste
172fa4aa75 OpenSSH: cherry-pick "need initgroups() before setresgid()"
From openssh-portable commits f3cbe43e28fe and bf944e3794ef.
2021-10-08 21:29:25 -04:00
Ed Maste
adb56e58e8 openssh: use global state for blacklist in grace_alarm_handler
Obtained from:	security/openssh-portable
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Sponsored by:	The FreeBSD Foundation
2021-09-16 14:10:11 -04:00
Ed Maste
0f9bafdfc3 openssh: pass ssh context to BLACKLIST_NOTIFY
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Sponsored by:	The FreeBSD Foundation
2021-09-14 13:44:39 -04:00
Ed Maste
1f290c707a openssh: regen config.h
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Reported by:	O. Hartmann
Sponsored by:	The FreeBSD Foundation
2021-09-09 20:16:14 -04:00
Ed Maste
b645ee1815 openssh: remove update notes about upstreamed changes
Two local changes were committed upstream and are present in OpenSSH
8.7p1.  Remove references from FREEBSD-upgrade now that we have updated
to that version.
2021-09-09 09:57:22 -04:00
Ed Maste
0e642632e6 openssh: remove unnecessary $FreeBSD$ tags
Diff reduction against upstream: remove $FreeBSD$ tags from files where
the tag itself is the only difference from upstream.
2021-09-07 21:52:06 -04:00
Ed Maste
19261079b7 openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985
2021-09-07 21:05:51 -04:00
Ed Maste
b0025f9b7f openssh: update default version addendum in man pages
Fixes:		2f513db72b ("Upgrade to OpenSSH 7.9p1.")
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2021-09-04 11:33:13 -04:00
Ed Maste
ba91e31f47 openssh: remove login class restrictions leftovers
MFC after:	2 weeks
Fixes:		27ceebbc24 ("openssh: simplify login class...")
Sponsored by:	The FreeBSD Foundation
2021-09-03 16:07:47 -04:00
Ed Maste
258f5f79bb openssh: restore local change to gssapi include logic
/usr/include/gssapi.h claims that it is deprecated, and gssapi/gssapi.h
should be used instead.  So, test HAVE_GSSAPI_GSSAPI_H first falling
back to HAVE_GSSAPI_H.

This will be submitted upstream.

Fixes:		6eac665c81 ("openssh: diff reduction against...")
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31810
2021-09-03 16:07:47 -04:00
Ed Maste
6eac665c81 openssh: diff reduction against upstream 7.9p1
Clean up whitespace and nonfunctional differences, and unused functions.
2021-09-02 15:10:44 -04:00
Ed Maste
c7b4c21ee4 openssh: regenerate freebsd-namespace.h
For some reason poly64 was omitted when this file was last generated
(perhaps it was inlined by the Clang version then in use).

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-02 09:45:14 -04:00
Ed Maste
b3e858f762 openssh: tag generated file with @generated
Tools like Phabricator use the @generated tag to identify files that
may be excluded from review by default.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-02 09:44:58 -04:00
Ed Maste
7b529268a5 openssh: regenerate config.h
Since config.h was last regenerated FreeBSD has added (a stub) libdl,
and has removed sys/dir.h.  Regenerate config.h to avoid spurious
additional changes when OpenSSH is next updated.

There should be no issue if this change is MFC'd, but I don't plan to do
so.  Although configure checks for libdl HAVE_LIBDL isn't even used, and
sys/dir.h was non-functional before being removed.  The state of these
two config.h settings should make no difference in the built OpenSSH.

Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:41 -04:00
Ed Maste
36cd1e5e8c openssh: disable libwrap (TCP wrappers) at configure time
We define LIBWRAP at build time in secure/usr.sbin/sshd/Makefile if
WITH_TCPWRAPPERS is in effect, so it should not be set in config.h.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:41 -04:00
Ed Maste
5e4dd21fd6 openssh: clarify krb5 use in freebsd-configure
freebsd-configure.sh runs configure twice, --with-kerberos5 and
--without-kerberos5, in order to build a config.h that defaults to
kerberos5 disabled, and a small config file that represents the
differences.

Rename config.h.orig to config.h.kerberos5 to clarify the intent of this
script.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:34 -04:00
Ed Maste
f3fd885074 openssh: update note about class-based login restrictions 2021-09-01 16:09:56 -04:00
Ed Maste
27ceebbc24 openssh: simplify login class restrictions
Login class-based restrictions were introduced in 5b400a39b8.  The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a9fc, bd393de91c, and
e8c56fba29.

During an attempt to upstream the work a much simpler approach was
suggested.  Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.

Submitted by:	Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from:	https://github.com/openssh/openssh-portable/pull/262
Reviewed by:	allanjude, kevans
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D31760
2021-09-01 15:53:09 -04:00
Jung-uk Kim
9a3ae0cdef Import OpenSSL 1.1.1l 2021-09-01 00:26:38 -04:00
Ed Maste
35a0342508 openssh: add information about a local change 2021-08-30 15:35:03 -04:00
Gordon Tetlow
aef815e787 Fix multiple OpenSSL vulnerabilities.
Approved by:	so
Security:	SA-21:16.openssl
Security:	CVE-2021-3711
Security:	CVE-2021-3712
2021-08-24 11:26:45 -07:00
John Baldwin
6372fd253e OpenSSL: Add support for Chacha20-Poly1305 to kernel TLS on FreeBSD.
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3.

NB: This commit has not yet been merged upstream as it is deemed a new
feature and did not make the feature freeze cutoff for OpenSSL 3.0.

Reviewed by:	jkim
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31443
2021-08-17 14:41:42 -07:00
John Baldwin
d6e78ecb0b OpenSSL: Refactor KTLS tests to better support TLS 1.3.
Most of this upstream commit touched tests not included in the
vendor import.  The one change merged in is to remove a constant
only present in an internal header to appease the older tests.

Reviewed by:	jkim
Obtained from:	OpenSSL (e1fdd5262e4a45ce3aaa631768e877ee7b6da21b)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31442
2021-08-17 14:41:37 -07:00
John Baldwin
a208223130 OpenSSL: Update KTLS documentation
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.

Reviewed by:	jkim
Obtained from:	OpenSSL (6878f4300213cfd7d4f01e26a8b97f70344da100)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31441
2021-08-17 14:41:31 -07:00
John Baldwin
62ca9fc1ad OpenSSL: Only enable KTLS if it is explicitly configured
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.

Instead we change KTLS so that it is disabled by default.

We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).

Reviewed by:	jkim
Obtained from:	OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31440
2021-08-17 14:41:24 -07:00
John Baldwin
63c6d3e283 OpenSSL: ktls: Initial support for ChaCha20-Poly1305
Linux kernel is going to support ChaCha20-Poly1305 in TLS offload.
Add support for this cipher.

Reviewed by:	jkim
Obtained from:	OpenSSL (3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31439
2021-08-17 14:41:19 -07:00
John Baldwin
334d228a20 OpenSSL: Correct the return value of BIO_get_ktls_*().
BIO_get_ktls_send() and BIO_get_ktls_recv() are documented as
returning either 0 or 1.  However, they were actually returning the
internal value of the associated BIO flag for the true case instead of
1.

Also trim redundant ternary operators.

Reviewed by:	jkim
Obtained from:	OpenSSL (f16e52b67c9261bdc7e1284a50502a802921ac6d)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31438
2021-08-17 14:41:12 -07:00
Guangyuan Yang
80ba60f643 kerberos.8: Replace dead link
Replace it with a tutorial hosted on kerberos.org and the classic
"dialogue" from Bill Bryant. The change has been reported and
merged upstream (https://github.com/heimdal/heimdal/commit/7f3445f1b7).

MFC after:	3 days
PR:		251854
Reported by:	ktullavik@gmail.com
Submitted by:	bjk (upstream github)
Reviewed by:	bcr
2021-05-16 01:37:09 -04:00
Ed Maste
d55bf492f8 Revert "Add workaround for a QoS-related bug in VMWare Workstation."
This reverts commit 77c2fe20df.

The VMware Workstation issue was fixed in 2019[1], and we'd rather not
carry unnecessary local changes in OpenSSH.

[1] https://communities.vmware.com/t5/VMware-Workstation-Pro/Regression-ssh-results-in-broken-pipe-upon-connecting-in-Vmware/m-p/486105/highlight/true#M25470

PR:		234426
Discussed with:	yuripv
Approved by:	des
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
2021-04-25 17:17:22 -04:00
Ed Maste
576b477ba4 openssh: add a note about pushing vendor updates
Sponsored by:	The FreeBSD Foundation
2021-04-23 15:36:42 -04:00
Jung-uk Kim
b6c1fdcdf5 OpenSSL: Merge OpenSSL 1.1.1k
Merge commit '94fa08a4bcdfbb3434b025d67d014af3b18e5380'
2021-03-25 11:45:19 -04:00
Jung-uk Kim
94fa08a4bc Import OpenSSL 1.1.1k. 2021-03-25 11:05:31 -04:00
Ed Maste
519496a598 openssh: document two changes that are now upstream
These patches can be removed once we update to 8.5p1 or later.
2021-02-22 14:03:28 -05:00
Oleksandr Tymoshenko
9b2f020c14 Handle partial data re-sending on ktls/sendfile on FreeBSD
Add a handler for EBUSY sendfile error in addition to
EAGAIN. With EBUSY returned the data still can be partially
sent and user code has to be notified about it, otherwise it
may try to send data multiple times.

PR:		251969
Reviewed by:	jkim
Obtained from:	OpenSSL (dfcfd17f2818cf520ce6381aed9ec3d2fc12170d)
MFC after:	1 week
Sponsored by:	Netflix (merging to FreeBSD)
Differential Revision:	https://reviews.freebsd.org/D28714
2021-02-17 14:51:55 -08:00
Jung-uk Kim
b840816061 OpenSSL: Remove obsolete include directory
This directory was deprecated since OpenSSL 1.1.1e.

https://github.com/openssl/openssl/pull/9681
2021-02-16 22:53:37 -05:00
Jung-uk Kim
88e852c0b5 OpenSSL: Merge OpenSSL 1.1.1j
Merge commit '4f55bd5321b72491d4eff396e4928e9ab0706735'
2021-02-16 17:00:27 -05:00
Jung-uk Kim
4f55bd5321 Import OpenSSL 1.1.1j. 2021-02-16 14:54:02 -05:00
Ed Maste
74c59ab790 openssh: port upgrade doc and script to git
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D28564
2021-02-14 16:41:11 -05:00