Commit Graph

1234 Commits

Author SHA1 Message Date
Allan Jude
d9bb798725 openssl: Fix detection of ARMv7 and ARM64 CPU features
OpenSSL assumes the same value for AT_HWCAP=16 (Linux)
So it ends up calling elf_auxv_info() with AT_CANARY which
returns ENOENT, and all acceleration features are disabled.

With this, my ARM64 test machine runs the benchmark
`openssl speed -evp aes-256-gcm` nearly 20x faster
going from 100 MB/sec to 2000 MB/sec

It also improves sha256 from 300 MB/sec to 1800 MB/sec

This fix has been accepted but not yet merged upstream:
https://github.com/openssl/openssl/pull/17082

PR:		259937
Reviewed by:	manu, imp
MFC after:	immediate
Relnotes:	yes
Fixes:		88e852c0b5 ("OpenSSL: Merge OpenSSL 1.1.1j")
Sponsored by:	Ampere Computing LLC
Sponsored by:	Klara Inc.
Differential Revision:	https://reviews.freebsd.org/D33060
2021-11-22 18:10:43 +00:00
Ed Maste
438fd19dc3 ssh: mention nanobsd config files in upgrade instructions
Sponsored by:	The FreeBSD Foundation
2021-11-20 16:38:18 -05:00
Ed Maste
e9a994639b ssh: enable FIDO/U2F keys
Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

  This release adds support for FIDO/U2F hardware authenticators to
  OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
  authentication hardware that are widely used for website
  authentication.  In OpenSSH FIDO devices are supported by new public
  key types "ecdsa-sk" and "ed25519-sk", along with corresponding
  certificate types.

  ssh-keygen(1) may be used to generate a FIDO token-backed key, after
  which they may be used much like any other key type supported by
  OpenSSH, so long as the hardware token is attached when the keys are
  used. FIDO tokens also generally require the user explicitly
  authorise operations by touching or tapping them.

  Generating a FIDO key requires the token be attached, and will
  usually require the user tap the token to confirm the operation:

    $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
    Generating public/private ecdsa-sk key pair.
    You may need to touch your security key to authorize key generation.
    Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
    Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

  This will yield a public and private key-pair. The private key file
  should be useless to an attacker who does not have access to the
  physical token. After generation, this key may be used like any
  other supported key in OpenSSH and may be listed in authorized_keys,
  added to ssh-agent(1), etc. The only additional stipulation is that
  the FIDO token that the key belongs to must be attached when the key
  is used.

To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).

devd integration is not included in this change, and is under
investigation for the base system.  In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.

Reviewed by:	delphij, kevans
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32509
2021-11-04 13:01:44 -04:00
Ed Maste
87152f3405 ssh: disble internal security key support in generated config.h
We want to set ENABLE_SK_INTERNAL only when building with USB support.
We'll leave it off in config.h and enble it via our bespoke build's
Makefile.inc.

Sponsored by:	The FreeBSD Foundation
2021-11-01 15:45:37 -04:00
Ed Maste
172fa4aa75 OpenSSH: cherry-pick "need initgroups() before setresgid()"
From openssh-portable commits f3cbe43e28fe and bf944e3794ef.
2021-10-08 21:29:25 -04:00
Ed Maste
adb56e58e8 openssh: use global state for blacklist in grace_alarm_handler
Obtained from:	security/openssh-portable
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Sponsored by:	The FreeBSD Foundation
2021-09-16 14:10:11 -04:00
Ed Maste
0f9bafdfc3 openssh: pass ssh context to BLACKLIST_NOTIFY
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Sponsored by:	The FreeBSD Foundation
2021-09-14 13:44:39 -04:00
Ed Maste
1f290c707a openssh: regen config.h
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Reported by:	O. Hartmann
Sponsored by:	The FreeBSD Foundation
2021-09-09 20:16:14 -04:00
Ed Maste
b645ee1815 openssh: remove update notes about upstreamed changes
Two local changes were committed upstream and are present in OpenSSH
8.7p1.  Remove references from FREEBSD-upgrade now that we have updated
to that version.
2021-09-09 09:57:22 -04:00
Ed Maste
0e642632e6 openssh: remove unnecessary $FreeBSD$ tags
Diff reduction against upstream: remove $FreeBSD$ tags from files where
the tag itself is the only difference from upstream.
2021-09-07 21:52:06 -04:00
Ed Maste
19261079b7 openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985
2021-09-07 21:05:51 -04:00
Ed Maste
b0025f9b7f openssh: update default version addendum in man pages
Fixes:		2f513db72b ("Upgrade to OpenSSH 7.9p1.")
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2021-09-04 11:33:13 -04:00
Ed Maste
ba91e31f47 openssh: remove login class restrictions leftovers
MFC after:	2 weeks
Fixes:		27ceebbc24 ("openssh: simplify login class...")
Sponsored by:	The FreeBSD Foundation
2021-09-03 16:07:47 -04:00
Ed Maste
258f5f79bb openssh: restore local change to gssapi include logic
/usr/include/gssapi.h claims that it is deprecated, and gssapi/gssapi.h
should be used instead.  So, test HAVE_GSSAPI_GSSAPI_H first falling
back to HAVE_GSSAPI_H.

This will be submitted upstream.

Fixes:		6eac665c81 ("openssh: diff reduction against...")
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31810
2021-09-03 16:07:47 -04:00
Ed Maste
6eac665c81 openssh: diff reduction against upstream 7.9p1
Clean up whitespace and nonfunctional differences, and unused functions.
2021-09-02 15:10:44 -04:00
Ed Maste
c7b4c21ee4 openssh: regenerate freebsd-namespace.h
For some reason poly64 was omitted when this file was last generated
(perhaps it was inlined by the Clang version then in use).

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-02 09:45:14 -04:00
Ed Maste
b3e858f762 openssh: tag generated file with @generated
Tools like Phabricator use the @generated tag to identify files that
may be excluded from review by default.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-02 09:44:58 -04:00
Ed Maste
7b529268a5 openssh: regenerate config.h
Since config.h was last regenerated FreeBSD has added (a stub) libdl,
and has removed sys/dir.h.  Regenerate config.h to avoid spurious
additional changes when OpenSSH is next updated.

There should be no issue if this change is MFC'd, but I don't plan to do
so.  Although configure checks for libdl HAVE_LIBDL isn't even used, and
sys/dir.h was non-functional before being removed.  The state of these
two config.h settings should make no difference in the built OpenSSH.

Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:41 -04:00
Ed Maste
36cd1e5e8c openssh: disable libwrap (TCP wrappers) at configure time
We define LIBWRAP at build time in secure/usr.sbin/sshd/Makefile if
WITH_TCPWRAPPERS is in effect, so it should not be set in config.h.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:41 -04:00
Ed Maste
5e4dd21fd6 openssh: clarify krb5 use in freebsd-configure
freebsd-configure.sh runs configure twice, --with-kerberos5 and
--without-kerberos5, in order to build a config.h that defaults to
kerberos5 disabled, and a small config file that represents the
differences.

Rename config.h.orig to config.h.kerberos5 to clarify the intent of this
script.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:34 -04:00
Ed Maste
f3fd885074 openssh: update note about class-based login restrictions 2021-09-01 16:09:56 -04:00
Ed Maste
27ceebbc24 openssh: simplify login class restrictions
Login class-based restrictions were introduced in 5b400a39b8.  The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a9fc, bd393de91c, and
e8c56fba29.

During an attempt to upstream the work a much simpler approach was
suggested.  Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.

Submitted by:	Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from:	https://github.com/openssh/openssh-portable/pull/262
Reviewed by:	allanjude, kevans
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D31760
2021-09-01 15:53:09 -04:00
Jung-uk Kim
9a3ae0cdef Import OpenSSL 1.1.1l 2021-09-01 00:26:38 -04:00
Jung-uk Kim
c1d1798abd Import OpenSSL 1.1.1l 2021-08-31 22:23:22 -04:00
Ed Maste
35a0342508 openssh: add information about a local change 2021-08-30 15:35:03 -04:00
Gordon Tetlow
aef815e787 Fix multiple OpenSSL vulnerabilities.
Approved by:	so
Security:	SA-21:16.openssl
Security:	CVE-2021-3711
Security:	CVE-2021-3712
2021-08-24 11:26:45 -07:00
John Baldwin
6372fd253e OpenSSL: Add support for Chacha20-Poly1305 to kernel TLS on FreeBSD.
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3.

NB: This commit has not yet been merged upstream as it is deemed a new
feature and did not make the feature freeze cutoff for OpenSSL 3.0.

Reviewed by:	jkim
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31443
2021-08-17 14:41:42 -07:00
John Baldwin
d6e78ecb0b OpenSSL: Refactor KTLS tests to better support TLS 1.3.
Most of this upstream commit touched tests not included in the
vendor import.  The one change merged in is to remove a constant
only present in an internal header to appease the older tests.

Reviewed by:	jkim
Obtained from:	OpenSSL (e1fdd5262e4a45ce3aaa631768e877ee7b6da21b)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31442
2021-08-17 14:41:37 -07:00
John Baldwin
a208223130 OpenSSL: Update KTLS documentation
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.

Reviewed by:	jkim
Obtained from:	OpenSSL (6878f4300213cfd7d4f01e26a8b97f70344da100)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31441
2021-08-17 14:41:31 -07:00
John Baldwin
62ca9fc1ad OpenSSL: Only enable KTLS if it is explicitly configured
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.

Instead we change KTLS so that it is disabled by default.

We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).

Reviewed by:	jkim
Obtained from:	OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31440
2021-08-17 14:41:24 -07:00
John Baldwin
63c6d3e283 OpenSSL: ktls: Initial support for ChaCha20-Poly1305
Linux kernel is going to support ChaCha20-Poly1305 in TLS offload.
Add support for this cipher.

Reviewed by:	jkim
Obtained from:	OpenSSL (3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31439
2021-08-17 14:41:19 -07:00
John Baldwin
334d228a20 OpenSSL: Correct the return value of BIO_get_ktls_*().
BIO_get_ktls_send() and BIO_get_ktls_recv() are documented as
returning either 0 or 1.  However, they were actually returning the
internal value of the associated BIO flag for the true case instead of
1.

Also trim redundant ternary operators.

Reviewed by:	jkim
Obtained from:	OpenSSL (f16e52b67c9261bdc7e1284a50502a802921ac6d)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31438
2021-08-17 14:41:12 -07:00
Guangyuan Yang
80ba60f643 kerberos.8: Replace dead link
Replace it with a tutorial hosted on kerberos.org and the classic
"dialogue" from Bill Bryant. The change has been reported and
merged upstream (https://github.com/heimdal/heimdal/commit/7f3445f1b7).

MFC after:	3 days
PR:		251854
Reported by:	ktullavik@gmail.com
Submitted by:	bjk (upstream github)
Reviewed by:	bcr
2021-05-16 01:37:09 -04:00
Ed Maste
d55bf492f8 Revert "Add workaround for a QoS-related bug in VMWare Workstation."
This reverts commit 77c2fe20df.

The VMware Workstation issue was fixed in 2019[1], and we'd rather not
carry unnecessary local changes in OpenSSH.

[1] https://communities.vmware.com/t5/VMware-Workstation-Pro/Regression-ssh-results-in-broken-pipe-upon-connecting-in-Vmware/m-p/486105/highlight/true#M25470

PR:		234426
Discussed with:	yuripv
Approved by:	des
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
2021-04-25 17:17:22 -04:00
Ed Maste
576b477ba4 openssh: add a note about pushing vendor updates
Sponsored by:	The FreeBSD Foundation
2021-04-23 15:36:42 -04:00
Jung-uk Kim
94fa08a4bc Import OpenSSL 1.1.1k. 2021-03-25 11:05:31 -04:00
Jung-uk Kim
b6c1fdcdf5 OpenSSL: Merge OpenSSL 1.1.1k
Merge commit '94fa08a4bcdfbb3434b025d67d014af3b18e5380'
2021-03-25 11:45:19 -04:00
Ed Maste
519496a598 openssh: document two changes that are now upstream
These patches can be removed once we update to 8.5p1 or later.
2021-02-22 14:03:28 -05:00
Oleksandr Tymoshenko
9b2f020c14 Handle partial data re-sending on ktls/sendfile on FreeBSD
Add a handler for EBUSY sendfile error in addition to
EAGAIN. With EBUSY returned the data still can be partially
sent and user code has to be notified about it, otherwise it
may try to send data multiple times.

PR:		251969
Reviewed by:	jkim
Obtained from:	OpenSSL (dfcfd17f2818cf520ce6381aed9ec3d2fc12170d)
MFC after:	1 week
Sponsored by:	Netflix (merging to FreeBSD)
Differential Revision:	https://reviews.freebsd.org/D28714
2021-02-17 14:51:55 -08:00
Jung-uk Kim
b840816061 OpenSSL: Remove obsolete include directory
This directory was deprecated since OpenSSL 1.1.1e.

https://github.com/openssl/openssl/pull/9681
2021-02-16 22:53:37 -05:00
Jung-uk Kim
88e852c0b5 OpenSSL: Merge OpenSSL 1.1.1j
Merge commit '4f55bd5321b72491d4eff396e4928e9ab0706735'
2021-02-16 17:00:27 -05:00
Jung-uk Kim
4f55bd5321 Import OpenSSL 1.1.1j. 2021-02-16 14:54:02 -05:00
Ed Maste
74c59ab790 openssh: port upgrade doc and script to git
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D28564
2021-02-14 16:41:11 -05:00
Ed Maste
a62dc346f6 ssh: remove ssh-hpn leftovers
This was introduced in 8998619212, and left behind when the hpn-ssh
patches were removed in 60c59fad88.  Although Being able to log
SO_RCVBUF in debug mode might have some small value on its own, it's
not worth carrying an extra diff against upstream.

Reviewed by:	kevans
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D28610
2021-02-12 10:11:06 -05:00
Ed Maste
9e14b918f9 ssh: remove unused variable
This was introduced in 03f6c5cd93, which added use of
sysctl net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED,
but it appears the rest of that change was lost in some subsequent
update.

The change should probably be restored, but until then there is no
reason to leave an unused variable around.

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2021-02-11 22:22:30 -05:00
Ed Maste
154adbbeb8 ssh: diff reduction against OpenBSD, remove unused includes
These appear to be leftovers from ca86bcf253 and f7167e0ea0

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2021-02-11 21:37:31 -05:00
John Baldwin
aa906e2a49 OpenSSL: Support for kernel TLS offload (KTLS)
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.

Note that TLS 1.3 only supports TX offload.

A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support.  It defaults to enabled on amd64 and disabled on all
other architectures.

Reviewed by:	jkim (earlier version)
Approved by:	secteam
Obtained from:	OpenSSL (patches from master)
MFC after:	1 week
Relnotes:	yes
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D28273
2021-01-28 10:24:13 -08:00
Jung-uk Kim
c3c73b4f0a Merge OpenSSL 1.1.1i. 2020-12-09 02:05:14 +00:00
Jung-uk Kim
970a464089 Import OpenSSL 1.1.1i. 2020-12-08 18:10:16 +00:00
Ed Maste
2c9ac5855b OpenSSL: address CVE-2020-1971
OpenSSL commit 3db2c9f3:
Complain if we are attempting to encode with an invalid ASN.1 template

OpenSSL commit 43a7033:
Check that multi-strings/CHOICE types don't use implicit tagging

OpenSSL commit f960d812:
Correctly compare EdiPartyName in GENERAL_NAME_cmp()

Obtained from:	OpenSSL 3db2c9f3, 43a7033, f960d812
Security:	CVE-2020-1971
2020-12-08 16:43:35 +00:00
Stefan Eßer
1f474190fc Replace literal uses of /usr/local in C sources with _PATH_LOCALBASE
Literal references to /usr/local exist in a large number of files in
the FreeBSD base system. Many are in contributed software, in configuration
files, or in the documentation, but 19 uses have been identified in C
source files or headers outside the contrib and sys/contrib directories.

This commit makes it possible to set _PATH_LOCALBASE in paths.h to use
a different prefix for locally installed software.

In order to avoid changes to openssh source files, LOCALBASE is passed to
the build via Makefiles under src/secure. While _PATH_LOCALBASE could have
been used here, there is precedent in the construction of the path used to
a xauth program which depends on the LOCALBASE value passed on the compiler
command line to select a non-default directory.

This could be changed in a later commit to make the openssh build
consistently use _PATH_LOCALBASE. It is considered out-of-scope for this
commit.

Reviewed by:	imp
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D26942
2020-10-27 11:29:11 +00:00
Jung-uk Kim
58f351825a Merge OpenSSL 1.1.1h. 2020-09-22 16:18:31 +00:00
Jung-uk Kim
92f02b3b0f Import OpenSSL 1.1.1h. 2020-09-22 14:27:08 +00:00
Jung-uk Kim
63c1bb5162 Fix Clang version detection.
We prepend "FreeBSD" to Clang version string.  This broke compiler test for
AVX instruction support.

Reported by:	jhb
2020-08-26 16:55:28 +00:00
Ed Maste
e426c74375 sshd: allow UseBlocklist alias for UseBlacklist
blacklistd has been renamed to blocklistd upstream, and a future
import into FreeBSD will follow that change.  Support the new name
as an alias in config files.

Reviewed by:	bz, delphij
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25865
2020-07-29 00:34:24 +00:00
Ed Maste
952d18a214 ssh: Remove AES-CBC ciphers from default server and client lists
A base system OpenSSH update in 2016 or so removed a number of ciphers
from the default lists offered by the server/client, due to known
weaknesses.  This caused POLA issues for some users and prompted
PR207679; the ciphers were restored to the default lists in r296634.

When upstream removed these ciphers from the default server list, they
moved them to the client-only default list.  They were subsequently
removed from the client default, in OpenSSH 7.9p1.

The change has persisted long enough.  Remove these extra ciphers from
both the server and client default lists, in advance of FreeBSD 13.

Reviewed by:	markm, rgrimes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25833
2020-07-28 00:24:12 +00:00
Ed Maste
ea64ebd08c openssh: refer to OpenSSL not SSLeay, part 2
This change was made upstream between 7.9p1 and 8.0p1.  We've made local
changes in the same places for handling the version_addendum; apply the
SSLeay_version to OpenSSL_version change in advance of importing 8.0p1.
This should have been part of r363225.

Obtained from:	OpenSSH-portable a65784c9f9c5
MFC with:	r363225
Sponsored by:	The FreeBSD Foundation
2020-07-15 18:49:00 +00:00
Ed Maste
6471c6bd75 openssh: refer to OpenSSL not SSLeay
This change was made upstream between 7.9p1 and 8.0p1.  We've made local
changes in the same places for handling the version_addendum; apply the
SSLeay_version to OpenSSL_version change in advance of importing 8.0p1.

Obtained from:	OpenSSH-portable a65784c9f9c5
Sponsored by:	The FreeBSD Foundation
2020-07-15 15:35:26 +00:00
Mateusz Piotrowski
f4b792fa67 Fix trailing-comma-related typos in the tree when the Xr macro is used
MFC after:	1 week
2020-06-27 11:13:45 +00:00
Xin LI
8d8b292321 Don't log normal login_getpwclass(3) result.
The logging was introduced in r314527 but doesn't appear to be useful
for regular operation, and as the result, for users with no class set
(very common) the administrator would see a message like this in their
auth.log:

  sshd[44251]: user root login class [preauth]

(note that the class was "" because that's what's typically configured
for most users; we would get 'default' if lc->lc_class is chosen)

Remove this log as it can be annoying as the lookup happen before
authentication and repeats, and our code is not acting upon lc_class
or pw_class directly anyways.

Reviewed by:	cem, imp
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D24997
2020-06-26 04:46:45 +00:00
Jung-uk Kim
cfac584b60 Merge OpenSSL 1.1.1g. 2020-04-21 19:38:32 +00:00
Jung-uk Kim
65aa3028e5 Import OpenSSL 1.1.1g. 2020-04-21 19:07:46 +00:00
Gordon Tetlow
c79d631acd Fix OpenSSL remote denial of service.
See https://www.openssl.org/news/secadv/20200421.txt for details.

Approved by:	so
Security:	CVE-2020-1967
2020-04-21 15:44:20 +00:00
Jung-uk Kim
11c7efe3a4 Merge OpenSSL 1.1.1f. 2020-03-31 15:47:55 +00:00
Jung-uk Kim
b6cfecdc04 Import OpenSSL 1.1.1f. 2020-03-31 15:25:23 +00:00
Kyle Evans
6d0d51a41c openssh: -fno-common fix from upstream f47d72ddad
This is currently staged in vendor/ as part of the 8.0p1 import, which isn't
quite ready to land. Given that this is a simple one-line fix, apply it now
as the fallout will be pretty minimal.

-fno-common will become the default in GCC10/LLVM11.

MFC after:	3 days
2020-03-29 19:14:27 +00:00
Jung-uk Kim
17f01e9963 Merge OpenSSL 1.1.1e. 2020-03-18 02:13:12 +00:00
Jung-uk Kim
aa144ced5d Import OpenSSL 1.1.1e. 2020-03-17 21:27:57 +00:00
Ed Maste
99b201c331 Add a note about deleted files in OpenSSH upgrade instructions 2020-02-25 22:15:25 +00:00
Ed Maste
23f6a81e49 Update version in openssh FREEBSD-vendor metadata
It appears that FREEBSD-vendor is an idea that never really took off
and we should probably just remove it, but until then we might as well
record the correct version.
2020-02-14 22:32:33 +00:00
Ed Maste
9fcda2f48d Update OpenSSH upgrade instructions to use https, not ftp
ftp://ftp.openbsd.org/ does not work.
2020-02-14 19:33:50 +00:00
Ed Maste
2f513db72b Upgrade to OpenSSH 7.9p1.
MFC after:	2 months
Sponsored by:	The FreeBSD Foundation
2020-02-14 19:06:59 +00:00
Ed Maste
e491358c94 sshd: add upgrade process note about TCP wrappers
We need to add user-facing deprecation notices for TCP wrappers; start
with a note in the upgrade process docmentation.

Sponsored by:	The FreeBSD Foundation
2020-02-14 18:59:50 +00:00
Ed Maste
4c3ccd967e openssh: add a note about libwrap in config.h
LIBWRAP is defined by the Makefile based on MK_TCP_WRAPPERS and should
not be defined in config.h.

PR:		210141
Sponsored by:	The FreeBSD Foundation
2020-02-14 17:05:35 +00:00
Ed Maste
e8c56fba29 sshd: make getpwclass wrapper MON_ISAUTH not MON_AUTH
In r339216 a privsep wrapper was added for login_getpwclass to address
PR 231172.  Unfortunately the change used the MON_AUTH flag in the
wrapper, and MON_AUTH includes MON_AUTHDECIDE which triggers an
auth_log() on each invocation.  getpwclass() does not participate in the
authentication decision, so should be MON_ISAUTH instead.

PR:		234793
Submitted by:	Henry Hu
Reviewed by:	Yuichiro NAITO
MFC after:	1 week
2019-11-20 16:30:37 +00:00
Jung-uk Kim
da327cd22e Merge OpenSSL 1.1.1d. 2019-09-10 21:08:17 +00:00
Jung-uk Kim
fbc3ad1ae1 Import OpenSSL 1.1.1d. 2019-09-10 17:40:53 +00:00
Dmitry Chagin
c5afec6e89 Complete LOCAL_PEERCRED support. Cache pid of the remote process in the
struct xucred. Do not bump XUCRED_VERSION as struct layout is not changed.

PR:		215202
Reviewed by:	tijl
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D20415
2019-05-30 14:24:26 +00:00
Jung-uk Kim
610a21fd82 Merge OpenSSL 1.1.1c. 2019-05-28 21:54:12 +00:00
Jung-uk Kim
375b8e6770 Import OpenSSL 1.1.1c. 2019-05-28 20:08:17 +00:00
Dag-Erling Smørgrav
77c2fe20df Add workaround for a QoS-related bug in VMWare Workstation.
Submitted by:	yuripv
Differential Revision:	https://reviews.freebsd.org/D18636
2019-03-27 15:17:29 +00:00
Ed Maste
0967215db7 Merge r345574 from vendor-crypto:
upstream: when checking that filenames sent by the server side

match what the client requested, be prepared to handle shell-style brace
alternations, e.g. "{foo,bar}".

"looks good to me" millert@ + in snaps for the last week courtesy
deraadt@

OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e

Discussed with: des
Obtained from:	OpenSSH-portable 3d896c157c722bc47adca51a58dca859225b5874
2019-03-27 14:35:38 +00:00
Jung-uk Kim
6935a639f0 Merge OpenSSL 1.1.1b. 2019-02-26 19:31:33 +00:00
Jung-uk Kim
851f7386fd Import OpenSSL 1.1.1b. 2019-02-26 18:06:51 +00:00
Ed Maste
afde517053 scp: validate filenames provided by server against wildcard in client
OpenSSH-portable commits:

check in scp client that filenames sent during remote->local directory
copies satisfy the wildcard specified by the user.

This checking provides some protection against a malicious server
sending unexpected filenames, but it comes at a risk of rejecting wanted
files due to differences between client and server wildcard expansion rules.

For this reason, this also adds a new -T flag to disable the check.

reported by Harry Sintonen
fix approach suggested by markus@;
has been in snaps for ~1wk courtesy deraadt@

OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda

Minor patch conflict (getopt) resolved.

Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

scp: add -T to usage();

OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899

Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8

PR:		234965
Approved by:	des
MFC after:	3 days
Obtained from:	OpenSSH-portable 391ffc4b9d, 2c21b75a7b
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D19076
2019-02-21 22:45:54 +00:00
Ed Maste
d366f891b1 scp: disallow empty or current directory
Obtained from:	OpenBSD scp.c 1.198
Security:	CVE-2018-20685
Sponsored by:	The FreeBSD Foundation
2019-01-15 15:35:14 +00:00
Cy Schubert
086566c1c1 Remove unused sqlite3 bundled with heimdal.
Reported by:	delphij@
2019-01-09 01:09:42 +00:00
Jung-uk Kim
49ea0a812a Do not complain when /dev/crypto does not exist.
Now the new devcrypto engine is enabled since r342009, many users started
seeing "Could not open /dev/crypto: No such file or directory".  Disable
the annoying error message as it is not very useful anyway.

Note the patch was submitted upstream.

https://github.com/openssl/openssl/pull/7896
2018-12-14 01:06:34 +00:00
Jung-uk Kim
c9cf7b5cb1 Merge OpenSSL 1.1.1a. 2018-11-20 21:10:04 +00:00
Jung-uk Kim
8c3f9abd70 Import OpenSSL 1.1.1a. 2018-11-20 18:59:41 +00:00
Glen Barber
f07f1918ad Update SHLIB_VERSION_NUMBER following the OpenSSL shared library
number bump.

Reported by:	jkim
Discussed with:	kib
MFC after:	immediate
Sponsored by:	The FreeBSD Foundation
2018-10-25 18:46:45 +00:00
Dag-Erling Smørgrav
b319ead8be Try harder to sanitize the environment before running configure.
Remove a workaround for older Unbound versions that used sbrk.

Approved by:	re (gjb)
2018-10-10 22:29:06 +00:00
Glen Barber
1da7787f71 Merge the remainder of the projects/openssl111 branch to head.
- Update OpenSSL to version 1.1.1.
- Update Kerberos/Heimdal API for OpenSSL 1.1.1 compatibility.
- Bump __FreeBSD_version.

Approved by:	re (kib)
Sponsored by:	The FreeBSD Foundation
2018-10-09 21:28:26 +00:00
Dag-Erling Smørgrav
bd393de91c Fix portability issues with the Capsicum patch committed in r339216:
- Wrap access to pw_change and pw_expire in the appropriate #ifdefs.
- Wrap calls to login_cap(3) API in appropriate #ifdefs.
- Add wrapper for transferring time_t, which is still only 32 bits wide
  on FreeBSD i386.
- Use a temporary variable to deserialize size_t.

Approved by:	re (gjb)
2018-10-09 19:27:42 +00:00
Ed Maste
4660a83eac Regenerate ssh_namespace.h for OpenSSL 1.1.1 update 2018-10-09 17:29:31 +00:00
Glen Barber
7c32835287 MFH r338661 through r339253.
Sponsored by:	The FreeBSD Foundation
2018-10-09 14:27:55 +00:00
Ed Maste
c0a542de36 openssh: regenerate ssh-namespace.h after r339213 and r339216
Reported by:	des
Approved by:	re (rgrimes)
2018-10-09 03:11:59 +00:00
Glen Barber
fc3f42d80f MFH r339206-r339212, r339215-r339239
Sponsored by:	The FreeBSD Foundation
2018-10-08 18:06:40 +00:00
Ed Maste
fc3c19a9fc sshd: address capsicum issues
* Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
  capability mode.
* Cache timezone data via caph_cache_tzdata() as we cannot access the
  timezone file.
* Reverse resolve hostname before entering capability mode.

PR:		231172
Submitted by:	naito.yuichiro@gmail.com
Reviewed by:	cem, des
Approved by:	re (rgrimes)
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D17128
2018-10-06 21:32:55 +00:00
Ed Maste
2a01feabb3 openssh: cherry-pick OpenSSL 1.1.1 compatibility
Compatibility with existing OpenSSL versions is maintained.

Upstream commits:
482d23bcac upstream: hold our collective noses and use the openssl-1.1.x
48f54b9d12 adapt -portable to OpenSSL 1.1x API
86e0a9f3d2 upstream: use only openssl-1.1.x API here too
a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest
cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl.

Trivial conflicts in sshkey.c and test_sshkey.c were resolved.

Connect libressl-api-compat.c to the build, and regenerate config.h

Reviewed by:	des
Approved by:	re (rgrimes)
MFC after:	2 seeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D17444
2018-10-06 14:38:34 +00:00
John Baldwin
e4456411a8 Update the existing heimdal implementation for OpenSSL 1.1.
Existing work is underway to import a newer version of heimdal, but
this patchset gets us to a fully working tree to enable more wide
spread testing of OpenSSL 1.1 for now.

I've also enabled WARNS=1 for kerberos (which is the reason for the
change in libroken).  Having -Werror enabled was useful during the
1.1 updates and we probably should have warnings enabled by default
for kerberos anyway.

This passes make tinderbox, and I have also done some very light
runtime testing on amd64.

Reviewed by:	bjk, jkim, emaste
Differential Revision:	https://reviews.freebsd.org/D17276
2018-10-05 16:35:24 +00:00
Ed Maste
4b6d416b32 openssh: connect libressl-api-compat.c and regen config.h
Differential Revision:	https://reviews.freebsd.org/D17390
2018-10-03 16:38:36 +00:00
Ed Maste
9e15a1058d openssh: add openbsd-compat/libressl-api-compat.c
Missed in migrating changeset from git to svn for r338811

Reported by:	jhb
2018-10-03 16:06:17 +00:00
Jung-uk Kim
9887b02239 Add a hack to build on ARMv4 and ARMv5. 2018-09-23 02:51:54 +00:00
Ed Maste
3e058dbd7b openssh: cherry-pick OpenSSL 1.1.1 compatibility
Upstream commits:
482d23bcac upstream: hold our collective noses and use the openssl-1.1.x
48f54b9d12 adapt -portable to OpenSSL 1.1x API
86e0a9f3d2 upstream: use only openssl-1.1.x API here too
a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest
cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl.

Trivial conflicts in sshkey.c and test_sshkey.c were resolved.

Sponsored by:	The FreeBSD Foundation
2018-09-19 21:18:44 +00:00
Ed Maste
c6de6086cf openssh: rename local macro to avoid OpenSSL 1.1.1 conflict
Local changes introduced an OPENSSH_VERSION macro, but this conflicts
with a macro of the same name introduced with OepnsSL 1.1.1

Reviewed by:	des
Approved by:	re (gjb)
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2018-09-19 20:52:47 +00:00
Ed Maste
5d5f8b31cb openssh: rename local macro to avoid OpenSSL 1.1.1 conflict
Local changes introduced an OPENSSH_VERSION macro, but this conflicts
with a macro of the same name introduced with OpenSSL 1.1.1.
2018-09-19 19:13:29 +00:00
Jung-uk Kim
548ad621b5 Add generated header file for openssl(1). 2018-09-19 00:32:48 +00:00
Jung-uk Kim
e78c4f2d77 Add generated header files for FreeBSD. 2018-09-19 00:08:27 +00:00
Jung-uk Kim
eabbf3ff4b Update SHLIB_VERSION_NUMBER to 9.
Prodded by:	avg
2018-09-14 14:40:09 +00:00
Jung-uk Kim
e71b70530d Update OpenSSL to 1.1.1.
Note it does not update build infrastructure.
2018-09-13 20:40:51 +00:00
Jung-uk Kim
a43ce912fc Import OpenSSL 1.1.1. 2018-09-13 19:18:07 +00:00
Dag-Erling Smørgrav
190cef3d52 Upgrade to OpenSSH 7.8p1.
Approved by:	re (kib@)
2018-09-10 16:20:12 +00:00
Cy Schubert
76f6651cf0 Avoid printing extraneous function names when searching man page
database (apropos, man -k). This commit Replaces .SS with .SH,
similar to the man page provided by original heimdal (as in port).

PR:		230573
Submitted by:	yuripv@yuripv.net
Approved by:	re (rgrimes@)
MFC after:	3 days
2018-08-29 06:04:54 +00:00
Xin LI
c1e80940f3 Update userland arc4random() with OpenBSD's Chacha20 based arc4random().
ObsoleteFiles.inc:

    Remove manual pages for arc4random_addrandom(3) and
    arc4random_stir(3).

  contrib/ntp/lib/isc/random.c:
  contrib/ntp/sntp/libevent/evutil_rand.c:

    Eliminate in-tree usage of arc4random_addrandom().

  crypto/heimdal/lib/roken/rand.c:
  crypto/openssh/config.h:

    Eliminate in-tree usage of arc4random_stir().

  include/stdlib.h:

    Remove arc4random_stir() and arc4random_addrandom() prototypes,
    provide temporary shims for transistion period.

  lib/libc/gen/Makefile.inc:

    Hook arc4random-compat.c to build, add hint for Chacha20 source for
    kernel, and remove arc4random_addrandom(3) and arc4random_stir(3)
    links.

  lib/libc/gen/arc4random.c:

    Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the
    sys/crypto/chacha20 implementation of keystream.

  lib/libc/gen/Symbol.map:

    Remove arc4random_stir and arc4random_addrandom interfaces.

  lib/libc/gen/arc4random.h:

    Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own.

  lib/libc/gen/arc4random.3:

    Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and
    r118247.

  lib/libc/gen/arc4random-compat.c:

    Compatibility shims for arc4random_stir and arc4random_addrandom
    functions to preserve ABI.  Log once when called but do nothing
    otherwise.

  lib/libc/gen/getentropy.c:
  lib/libc/include/libc_private.h:

    Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl).
    Remove from libc_private.h as a result.

  sys/crypto/chacha20/chacha.c:
  sys/crypto/chacha20/chacha.h:

    Make it possible to use the kernel implementation in libc.

PR:		182610
Reviewed by:	cem, markm
Obtained from:	OpenBSD
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D16760
2018-08-19 17:40:50 +00:00
Jung-uk Kim
dea77ea6fc Merge OpenSSL 1.0.2p. 2018-08-14 17:48:02 +00:00
Jung-uk Kim
43a67e02da Import OpenSSL 1.0.2p. 2018-08-14 16:18:14 +00:00
Dag-Erling Smørgrav
f2a2dfa729 Merge upstream patch to unbreak tunnel forwarding.
Reported by:	cy@
2018-05-16 14:04:39 +00:00
Dag-Erling Smørgrav
47dd1d1b61 Upgrade to OpenSSH 7.7p1. 2018-05-11 13:22:43 +00:00
Dag-Erling Smørgrav
4f52dfbb8d Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11.  For that
reason, we will not be able to merge 7.6p1 or newer back to 11.
2018-05-08 23:13:11 +00:00
Dag-Erling Smørgrav
b23ddc5855 Update the repository URLs. 2018-05-06 13:21:44 +00:00
Jung-uk Kim
dee36b4f92 Merge OpenSSL 1.0.2o. 2018-03-27 17:17:58 +00:00
Jung-uk Kim
02be298e50 Import OpenSSL 1.0.2o. 2018-03-27 17:03:01 +00:00
Jung-uk Kim
0c731de94c Add declaration of SSL_get_selected_srtp_profile() for OpenSSL.
Because there was an extra declaration in the vendor version, we locally
removed the second one in r238405 with 1.0.1c.  Later, upstream fixed it in
1.0.2d but they removed the first one.  Therefore, both were removed in our
version unfortunately.  Now we revert to the vendor one to re-add it.

MFC after:		3 days
Differential Revision:	https://reviews.freebsd.org/D10525
2018-01-25 23:38:05 +00:00
Jung-uk Kim
c4ad4dffb3 Merge OpenSSL 1.0.2n. 2017-12-07 18:02:57 +00:00
Jung-uk Kim
4f94f84d84 Import OpenSSL 1.0.2n. 2017-12-07 17:37:15 +00:00
Jung-uk Kim
47902a71f3 Merge OpenSSL 1.0.2m. 2017-11-02 18:04:29 +00:00
Jung-uk Kim
b6a9311a3e Import OpenSSL 1.0.2m. 2017-11-02 17:35:19 +00:00
Dag-Erling Smørgrav
d93a896ef9 Upgrade to OpenSSH 7.5p1. 2017-08-04 12:57:24 +00:00
Xin LI
49426905b3 MFV r320905: Import upstream fix for CVE-2017-11103.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'.  Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.

Submitted by:	hrs
Obtained from:	Heimdal
Security:	FreeBSD-SA-17:05.heimdal
Security:	CVE-2017-11103
2017-07-12 07:19:06 +00:00
Jung-uk Kim
ed7112f094 Merge OpenSSL 1.0.2l. 2017-05-25 20:52:16 +00:00
Jung-uk Kim
12df5ad9af Import OpenSSL 1.0.2l. 2017-05-25 19:38:38 +00:00
Kurt Lidl
342b8b88ba Refine and update blacklist support in sshd
Adjust notification points slightly to catch all auth failures,
rather than just the ones caused by bad usernames.

Modify notification point for bad usernames to send new type of
BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.)
Add guards to allow library headers to expose the enum of action values.

Reviewed by:	des
Approved by:	des
Sponsored by:	The FreeBSD Foundation
2017-05-12 15:20:12 +00:00
Andrew Turner
e7fca4bb42 Fix linking with lld by marking OPENSSL_armcap_P as hidden.
Linking with lld fails as it contains a relative address, however the data
this address is for may be relocated from the shared object to the main
executable.

Fix this by adding the hidden attribute. This stops moving this value to
the main executable. It seems this is implicit upstream as it uses a
version script.

Approved by:	jkim
Sponsored by:	DARPA, AFRL
2017-04-07 12:41:57 +00:00
Dag-Erling Smørgrav
ca86bcf253 Upgrade to OpenSSH 7.4p1. 2017-03-06 01:37:05 +00:00
Dag-Erling Smørgrav
0999bc4881 Re-apply part of r311585 which was inadvertantly reverted in the upgrade
to 7.3p1.  The other part (which adds -DLIBWRAP to sshd's CFLAGS) is
still in place.

Reported by:	ngie
2017-03-03 14:25:55 +00:00
Dag-Erling Smørgrav
6d6e8a4a09 Forgot to bump the version addendum date. 2017-03-03 01:50:10 +00:00
Dag-Erling Smørgrav
076ad2f836 Upgrade to OpenSSH 7.3p1. 2017-03-02 00:11:32 +00:00
Warner Losh
fbbd9655e5 Renumber copyright clause 4
Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.

Submitted by:	Jan Schaumann <jschauma@stevens.edu>
Pull Request:	https://github.com/freebsd/freebsd/pull/96
2017-02-28 23:42:47 +00:00
Dag-Erling Smørgrav
4fcbf74fb1 Avoid picking up MIT Kerberos from ports (if installed). 2017-02-26 19:00:55 +00:00
Dag-Erling Smørgrav
8f7bfc76bd Fix amusingly harmless mis-merge. 2017-02-26 16:34:58 +00:00
Kurt Lidl
5057f65606 Only notify blacklistd for successful logins in auth.c
Reported by:	Rick Adams
Reviewed by:	des
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2017-02-19 20:35:39 +00:00
Jung-uk Kim
6cf8931a2f Merge OpenSSL 1.0.2k. 2017-01-26 19:10:29 +00:00
Jung-uk Kim
5315173646 Import OpenSSL 1.0.2k. 2017-01-26 18:32:12 +00:00
Xin LI
9ea45e75fa MFV r311913:
Fix multiple OpenSSH vulnerabilities.

Submitted by:	des
Approved by:	so
2017-01-11 05:49:39 +00:00
Enji Cooper
233932cc2a Conditionalize building libwrap support into sshd
Only build libwrap support into sshd if MK_TCP_WRAPPERS != no

This will unbreak the build if libwrap has been removed from the system

MFC after:	2 weeks
PR:		210141
Submitted by:	kpect@protonmail.com
Differential Revision:	D9049
2017-01-07 08:08:35 +00:00
Xin LI
56e6c4251c MFV r308196:
Fix OpenSSH remote Denial of Service vulnerability.

Security:	CVE-2016-8858
2016-11-02 06:49:25 +00:00
Jung-uk Kim
7518a9bd2b Build OpenSSL assembly sources for aarch64. Tested with ThunderX by andrew. 2016-10-26 20:02:22 +00:00
Jung-uk Kim
f1fe58d376 Merge OpenSSL 1.0.2j. 2016-09-26 14:22:17 +00:00
Jung-uk Kim
e656c34a18 Import OpenSSL 1.0.2j. 2016-09-26 14:13:11 +00:00