Commit Graph

1153 Commits

Author SHA1 Message Date
Jung-uk Kim
5ac766ab8e OpenSSL: Merge OpenSSL 1.1.1n 2022-03-15 19:37:45 -04:00
Gordon Tetlow
fdc418f15e Fix a bug in BN_mod_sqrt() that can cause it to loop forever.
Obtained from:	OpenSSL Project
Security:	CVE-2022-0778
2022-03-15 09:48:59 -07:00
Ed Maste
cea0d3689e ssh: update sshd_config(5) for RSA/SHA-1 signature removal
OpenSSH 8.8p1 removed RSA/SHA-1 signatures by default, but failed to
update sshd_config(5).  It was updated upstream after the release in
b711bc01a7ec and da4035523406.

Fixes:		8c22023ca5 ("ssh: disable RSA/SHA-1 signatures")
Sponsored by:	The FreeBSD Foundation
2022-03-08 16:56:56 -05:00
Ed Maste
822d379b1f ssh: regen sk_config.h after 73104d5838 2022-03-05 20:00:04 -05:00
Ed Maste
73104d5838 ssh: generate SK config file using private cbor and fido2 libs
Specify -lprivatecbor and -lprivatefido2 in OpenSSH's configure.ac, and
pass -I paths to libcbor and libfido2's contrib src location.

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34440
2022-03-05 19:57:22 -05:00
Ed Maste
92ef98b8fa ssh: use standalone config file for security key support
An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled.  Prepare
for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header
(similar to the approach used for optional krb5 support) and optionally
including that, instead of defining the macro directly from CFLAGS.

Reviewed by:	kevans
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34407
2022-03-02 09:35:12 -05:00
Ed Maste
f1421a8972 ssh: correct configure option name
The option is security-key-builtin not security-key-internal.  There is
no change to the generated config.h because the option defaults off
anyway.

MFC after:	3 days
Fixes:		87152f3405 ("ssh: disble internal security key...")
Sponsored by:	The FreeBSD Foundation
2022-03-01 09:41:51 -05:00
Mark Johnston
9340d69e57 openssh: Add a note to check for deprecated and removed config options
Suggested by:	emaste
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-03-01 09:38:44 -05:00
Ed Maste
ab7d095969 ssh: add command to push tag to FREEBSD-upgrade instructions
Because it appears `git push --follow-tags` may push extra, undesired
tags document both techniques (pushing the specific vendor/openssh/X.YpZ
tag and pushing all with --follow-tags, using --dry-run first).

Discussed with:	imp, lwhsu
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33605
2022-02-23 13:47:28 -05:00
Ed Maste
2e6ec1e4fe ssh: remove 11.x from FREEBSD-upgrade instructions
11.x is no longer supported.
2022-02-23 13:36:27 -05:00
John Baldwin
aa72082549 OpenSSL: Fix the same BIO_FLAGS macro definition
Also add comment to the public header to avoid
making another conflict in future.

Reviewed by:	jkim
Obtained from:	OpenSSL commit 5d4975ecd88ac17d0749513a8fac9a7c7befd900
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34135
2022-02-01 10:38:49 -08:00
Ed Maste
e38610abca ssh: remove unused header
Fixes:		0746301c49 ("ssh: pass 0 to procctl(2) to operate...")
Sponsored by:	The FreeBSD Foundation
2022-01-31 17:15:21 -05:00
Ed Maste
0746301c49 ssh: pass 0 to procctl(2) to operate on self
As of f833ab9dd1 procctl(2) allows idtype P_PID with id = 0 as a
shortcut for the calling process ID.  The shortcut also bypasses the
p_cansee / p_candebug test (since the process is able to act on itself.)

At present if the security.bsd.unprivileged_proc_debug sysctl is 0 then
procctl(P_PID, getpid(), ... for a process to act on itself will fail,
but procctl(P_PID, 0, ... will succeed.  This should likely be addressed
with a kernel change.

In any case the id = 0 shortcut is a tiny optimization for a process to
act on itself and allows the self-procctl to succeed, so use it in ssh.

Reported by:	Shawn Webb
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33970
2022-01-20 19:54:49 -05:00
Gleb Smirnoff
ca573c9a17 sshd: update the libwrap patch to drop connections early
OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014
(f2719b7c in github.com/openssh/openssh-portable) and we
maintain the patch ourselves since 2016 (a0ee8cc636).

Over the years, the libwrap support has deteriotated and probably
that was reason for removal upstream.  Original idea of libwrap was
to drop illegitimate connection as soon as possible, but over the
years the code was pushed further down and down and ended in the
forked client connection handler.

The negative effects of late dropping is increasing attack surface
for hosts that are to be dropped anyway.  Apart from hypothetical
future vulnerabilities in connection handling, today a malicious
host listed in /etc/hosts.allow still can trigger sshd to enter
connection throttling mode, which is enabled by default (see
MaxStartups in sshd_config(5)), effectively casting DoS attack.
Note that on OpenBSD this attack isn't possible, since they enable
MaxStartups together with UseBlacklist.

A only negative effect from early drop, that I can imagine, is that
now main listener parses file in /etc, and if our root filesystems
goes bad, it would get stuck.  But unlikely you'd be able to login
in that case anyway.

Implementation details:

- For brevity we reuse the same struct request_info.  This isn't
  a documented feature of libwrap, but code review, viewing data
  in a debugger and real life testing shows that if we clear
  RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended.
- We set SO_LINGER on the socket to force immediate connection reset.
- We log message exactly as libwrap's refuse() would do.

Differential revision:	https://reviews.freebsd.org/D33044
2022-01-02 18:32:30 -08:00
Ed Maste
8c22023ca5 ssh: disable RSA/SHA-1 signatures
From OpenSSH 8.8p1's release notes:

---

Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

    Host old-host
        HostkeyAlgorithms +ssh-rsa
	PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

---

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2021-12-19 11:03:45 -05:00
Ed Maste
e9e8876a4d ssh: update to OpenSSH v8.8p1
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures.  It also has a few minor bug fixes.

The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2021-12-19 11:02:02 -05:00
Jung-uk Kim
b2bf0c7e5f OpenSSL: Merge OpenSSL 1.1.1m
Merge commit '56eae1b760adf10835560a9ee595549a1f10410f'
2021-12-14 16:03:52 -05:00
John Baldwin
27bb8830d5 SSL_sendfile: Replace ERR_raise_data with SYSerr.
ERR_raise_data is only present in OpenSSL 3.0 and later.

Reviewed by:	jkim
Obtained from:	CheriBSD
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D33363
2021-12-14 10:07:38 -08:00
Ed Maste
bdcfd222ce Remove FREEBSD-vendor files
These files were intended to track version and perhaps maintainership
information for contrib software.  However, they were never used beyond
bzip2, netcat, and OpenSSH, and generally haven't been kept up to date
recently (my OpenSSH 8.7p1 update notwithstanding).  Just remove them to
avoid having confusing or outdated information.

Suggested by:	des
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-12-06 16:36:44 -05:00
Piotr Kubaj
3a60869237 Add assembly optimized code for OpenSSL on powerpc, powerpc64 and powerpc64le
Summary:
1. 34ab13b7d8
needs to be merged for ELFv2 support on big-endian.
2. crypto/openssl/crypto/ppccap.c needs to be patched.
Same reason as in https://github.com/openssl/openssl/pull/17082.

Approved by:	jkim, jhibbits
MFC after:	1 month
Differential Revision: https://reviews.freebsd.org/D33076
2021-11-23 23:26:53 +01:00
Allan Jude
d9bb798725 openssl: Fix detection of ARMv7 and ARM64 CPU features
OpenSSL assumes the same value for AT_HWCAP=16 (Linux)
So it ends up calling elf_auxv_info() with AT_CANARY which
returns ENOENT, and all acceleration features are disabled.

With this, my ARM64 test machine runs the benchmark
`openssl speed -evp aes-256-gcm` nearly 20x faster
going from 100 MB/sec to 2000 MB/sec

It also improves sha256 from 300 MB/sec to 1800 MB/sec

This fix has been accepted but not yet merged upstream:
https://github.com/openssl/openssl/pull/17082

PR:		259937
Reviewed by:	manu, imp
MFC after:	immediate
Relnotes:	yes
Fixes:		88e852c0b5 ("OpenSSL: Merge OpenSSL 1.1.1j")
Sponsored by:	Ampere Computing LLC
Sponsored by:	Klara Inc.
Differential Revision:	https://reviews.freebsd.org/D33060
2021-11-22 18:10:43 +00:00
Ed Maste
438fd19dc3 ssh: mention nanobsd config files in upgrade instructions
Sponsored by:	The FreeBSD Foundation
2021-11-20 16:38:18 -05:00
Ed Maste
e9a994639b ssh: enable FIDO/U2F keys
Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

  This release adds support for FIDO/U2F hardware authenticators to
  OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
  authentication hardware that are widely used for website
  authentication.  In OpenSSH FIDO devices are supported by new public
  key types "ecdsa-sk" and "ed25519-sk", along with corresponding
  certificate types.

  ssh-keygen(1) may be used to generate a FIDO token-backed key, after
  which they may be used much like any other key type supported by
  OpenSSH, so long as the hardware token is attached when the keys are
  used. FIDO tokens also generally require the user explicitly
  authorise operations by touching or tapping them.

  Generating a FIDO key requires the token be attached, and will
  usually require the user tap the token to confirm the operation:

    $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
    Generating public/private ecdsa-sk key pair.
    You may need to touch your security key to authorize key generation.
    Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
    Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

  This will yield a public and private key-pair. The private key file
  should be useless to an attacker who does not have access to the
  physical token. After generation, this key may be used like any
  other supported key in OpenSSH and may be listed in authorized_keys,
  added to ssh-agent(1), etc. The only additional stipulation is that
  the FIDO token that the key belongs to must be attached when the key
  is used.

To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).

devd integration is not included in this change, and is under
investigation for the base system.  In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.

Reviewed by:	delphij, kevans
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32509
2021-11-04 13:01:44 -04:00
Ed Maste
87152f3405 ssh: disble internal security key support in generated config.h
We want to set ENABLE_SK_INTERNAL only when building with USB support.
We'll leave it off in config.h and enble it via our bespoke build's
Makefile.inc.

Sponsored by:	The FreeBSD Foundation
2021-11-01 15:45:37 -04:00
Ed Maste
172fa4aa75 OpenSSH: cherry-pick "need initgroups() before setresgid()"
From openssh-portable commits f3cbe43e28fe and bf944e3794ef.
2021-10-08 21:29:25 -04:00
Ed Maste
adb56e58e8 openssh: use global state for blacklist in grace_alarm_handler
Obtained from:	security/openssh-portable
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Sponsored by:	The FreeBSD Foundation
2021-09-16 14:10:11 -04:00
Ed Maste
0f9bafdfc3 openssh: pass ssh context to BLACKLIST_NOTIFY
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Sponsored by:	The FreeBSD Foundation
2021-09-14 13:44:39 -04:00
Ed Maste
1f290c707a openssh: regen config.h
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Reported by:	O. Hartmann
Sponsored by:	The FreeBSD Foundation
2021-09-09 20:16:14 -04:00
Ed Maste
b645ee1815 openssh: remove update notes about upstreamed changes
Two local changes were committed upstream and are present in OpenSSH
8.7p1.  Remove references from FREEBSD-upgrade now that we have updated
to that version.
2021-09-09 09:57:22 -04:00
Ed Maste
0e642632e6 openssh: remove unnecessary $FreeBSD$ tags
Diff reduction against upstream: remove $FreeBSD$ tags from files where
the tag itself is the only difference from upstream.
2021-09-07 21:52:06 -04:00
Ed Maste
19261079b7 openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985
2021-09-07 21:05:51 -04:00
Ed Maste
b0025f9b7f openssh: update default version addendum in man pages
Fixes:		2f513db72b ("Upgrade to OpenSSH 7.9p1.")
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2021-09-04 11:33:13 -04:00
Ed Maste
ba91e31f47 openssh: remove login class restrictions leftovers
MFC after:	2 weeks
Fixes:		27ceebbc24 ("openssh: simplify login class...")
Sponsored by:	The FreeBSD Foundation
2021-09-03 16:07:47 -04:00
Ed Maste
258f5f79bb openssh: restore local change to gssapi include logic
/usr/include/gssapi.h claims that it is deprecated, and gssapi/gssapi.h
should be used instead.  So, test HAVE_GSSAPI_GSSAPI_H first falling
back to HAVE_GSSAPI_H.

This will be submitted upstream.

Fixes:		6eac665c81 ("openssh: diff reduction against...")
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31810
2021-09-03 16:07:47 -04:00
Ed Maste
6eac665c81 openssh: diff reduction against upstream 7.9p1
Clean up whitespace and nonfunctional differences, and unused functions.
2021-09-02 15:10:44 -04:00
Ed Maste
c7b4c21ee4 openssh: regenerate freebsd-namespace.h
For some reason poly64 was omitted when this file was last generated
(perhaps it was inlined by the Clang version then in use).

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-02 09:45:14 -04:00
Ed Maste
b3e858f762 openssh: tag generated file with @generated
Tools like Phabricator use the @generated tag to identify files that
may be excluded from review by default.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-02 09:44:58 -04:00
Ed Maste
7b529268a5 openssh: regenerate config.h
Since config.h was last regenerated FreeBSD has added (a stub) libdl,
and has removed sys/dir.h.  Regenerate config.h to avoid spurious
additional changes when OpenSSH is next updated.

There should be no issue if this change is MFC'd, but I don't plan to do
so.  Although configure checks for libdl HAVE_LIBDL isn't even used, and
sys/dir.h was non-functional before being removed.  The state of these
two config.h settings should make no difference in the built OpenSSH.

Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:41 -04:00
Ed Maste
36cd1e5e8c openssh: disable libwrap (TCP wrappers) at configure time
We define LIBWRAP at build time in secure/usr.sbin/sshd/Makefile if
WITH_TCPWRAPPERS is in effect, so it should not be set in config.h.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:41 -04:00
Ed Maste
5e4dd21fd6 openssh: clarify krb5 use in freebsd-configure
freebsd-configure.sh runs configure twice, --with-kerberos5 and
--without-kerberos5, in order to build a config.h that defaults to
kerberos5 disabled, and a small config file that represents the
differences.

Rename config.h.orig to config.h.kerberos5 to clarify the intent of this
script.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:34 -04:00
Ed Maste
f3fd885074 openssh: update note about class-based login restrictions 2021-09-01 16:09:56 -04:00
Ed Maste
27ceebbc24 openssh: simplify login class restrictions
Login class-based restrictions were introduced in 5b400a39b8.  The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a9fc, bd393de91c, and
e8c56fba29.

During an attempt to upstream the work a much simpler approach was
suggested.  Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.

Submitted by:	Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from:	https://github.com/openssh/openssh-portable/pull/262
Reviewed by:	allanjude, kevans
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D31760
2021-09-01 15:53:09 -04:00
Jung-uk Kim
9a3ae0cdef Import OpenSSL 1.1.1l 2021-09-01 00:26:38 -04:00
Ed Maste
35a0342508 openssh: add information about a local change 2021-08-30 15:35:03 -04:00
Gordon Tetlow
aef815e787 Fix multiple OpenSSL vulnerabilities.
Approved by:	so
Security:	SA-21:16.openssl
Security:	CVE-2021-3711
Security:	CVE-2021-3712
2021-08-24 11:26:45 -07:00
John Baldwin
6372fd253e OpenSSL: Add support for Chacha20-Poly1305 to kernel TLS on FreeBSD.
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3.

NB: This commit has not yet been merged upstream as it is deemed a new
feature and did not make the feature freeze cutoff for OpenSSL 3.0.

Reviewed by:	jkim
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31443
2021-08-17 14:41:42 -07:00
John Baldwin
d6e78ecb0b OpenSSL: Refactor KTLS tests to better support TLS 1.3.
Most of this upstream commit touched tests not included in the
vendor import.  The one change merged in is to remove a constant
only present in an internal header to appease the older tests.

Reviewed by:	jkim
Obtained from:	OpenSSL (e1fdd5262e4a45ce3aaa631768e877ee7b6da21b)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31442
2021-08-17 14:41:37 -07:00
John Baldwin
a208223130 OpenSSL: Update KTLS documentation
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.

Reviewed by:	jkim
Obtained from:	OpenSSL (6878f4300213cfd7d4f01e26a8b97f70344da100)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31441
2021-08-17 14:41:31 -07:00
John Baldwin
62ca9fc1ad OpenSSL: Only enable KTLS if it is explicitly configured
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.

Instead we change KTLS so that it is disabled by default.

We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).

Reviewed by:	jkim
Obtained from:	OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31440
2021-08-17 14:41:24 -07:00
John Baldwin
63c6d3e283 OpenSSL: ktls: Initial support for ChaCha20-Poly1305
Linux kernel is going to support ChaCha20-Poly1305 in TLS offload.
Add support for this cipher.

Reviewed by:	jkim
Obtained from:	OpenSSL (3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31439
2021-08-17 14:41:19 -07:00