Commit Graph

1186 Commits

Author SHA1 Message Date
Ed Maste
963c7b084b ssh-keysign: fix double free in error path
From OpenSSH-portable commit 141535b904b6, OpenBSD commit 3d21aa127b1f.

MFC after:		3 days
2022-10-04 16:34:37 -04:00
Ed Maste
666605ad2d ssh-keygen: fix double free in error path
From OpenSSH-portable commit 5062ad48814b, OpenBSD commit 39f35e16ba87.

MFC after:	3 days
2022-10-04 16:33:11 -04:00
Ed Maste
5e5ebbee81 ssh-keyscan: Strictly enforce the maximum allowed SSH2 banner size
From OpenSSH-portable commit ff89b1bed807, OpenBSD commit 6ae664f9f4db.

MFC after:	3 days
2022-10-04 16:30:00 -04:00
Ed Maste
6f7bc8e7a3 ssh: describe deprecated options in general in update doc
Rename "HPN" to more general "Retired patches."  We handle two now-
removed patches the same way: to avoid breaking existing configurations
we accept, but ignore, the option.

Sponsored by:	The FreeBSD Foundation
2022-09-04 20:11:03 -04:00
Ed Maste
97be6fced7 openssh: Remove description of VersionAddendum in upgrade doc 2022-08-19 10:39:17 -04:00
Ed Maste
bffe60ead0 ssh: retire client VersionAddendum
FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f and later extended it to the client in
commit 9e2cbe04ff.

In 2012 upstream added support for server VersionAddendum, in commit
23528816dc10.  They do not support it for the client.

The argument for supporting this in the client is not nearly as strong
as for the server, so retire this option to reduce the scope of our
local patch set.  This also avoids some cases of conflicts in ssh_config
during update, as a user's configuration would typically follow the
commented-out default VersionAddendum value.

Reviewed by:	gordon, glebius
Relnotes:	yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32930
2022-08-19 10:38:42 -04:00
Jung-uk Kim
64cbf7cebc OpenSSL: Merge OpenSSL 1.1.1q
Merge commit 'f874e59ffcd8b5ecd018ad8311d78e866340f3e9'
2022-07-05 11:47:01 -04:00
Jung-uk Kim
f874e59ffc Import OpenSSL 1.1.1q 2022-07-05 11:27:51 -04:00
Jung-uk Kim
83eaf7ae0a OpenSSL: Merge OpenSSL 1.1.1p
Merge commit '54ae8e38f717f22963c2a87f48af6ecefc6b3e9b'
2022-06-21 13:34:41 -04:00
Jung-uk Kim
54ae8e38f7 Import OpenSSL 1.1.1p 2022-06-21 10:36:39 -04:00
Ed Maste
9f009e066f sshd_config: clarify password authentication options
Passwords may be accepted by both the PasswordAuthentication and
KbdInteractiveAuthentication authentication schemes.  Add a reference to
the latter in the description/comment for PasswordAuthentication, as it
otherwise may seem that "PasswordAuthentication no" implies passwords
will be disallowed.

This situation should be clarified with more extensive documentation on
the authentication schemes and configuration options, but that should be
done in coordination with upstream OpenSSH.  This is a minimal change
that will hopefully clarify the situation without requiring an extensive
local patch set.

PR:		263045
Reviewed by:	manu (earlier version)
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D35272
2022-06-08 16:20:46 -04:00
Ed Maste
0e12eb7b58 ssh: update sshd_config for prohibit-password option
The PermitRootLogin option "prohibit-password" was added as a synonym
for "without-password" in 2015.  Then in 2017 these were swapped:
"prohibit-password" became the canonical option and "without-password"
became a deprecated synonym (in OpenSSH commit 071325f458).

The UsePAM description in sshd_config still mentioned
"without-password."  Update it to match the new canonical option.

Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2022-05-12 11:16:09 -04:00
John Baldwin
913616b885 OpenSSL: KTLS: Enable KTLS for receiving as well in TLS 1.3
This removes a guard condition that prevents KTLS being enabled for
receiving in TLS 1.3.  Use the correct sequence number and BIO for
receive vs transmit offload.

Approved by:	jkim
Obtained from:	OpenSSL commit 7c78932b9a4330fb7c8db72b3fb37cbff1401f8b
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34976
2022-05-04 13:08:36 -07:00
John Baldwin
c0f977bfb6 OpenSSL: KTLS: Handle TLS 1.3 in ssl3_get_record.
- Don't unpad records, check the outer record type, or extract the
  inner record type from TLS 1.3 records handled by the kernel.  KTLS
  performs all of these steps and returns the inner record type in the
  TLS header.

- When checking the length of a received TLS 1.3 record don't allow
  for the extra byte for the nested record type when KTLS is used.

- Pass a pointer to the record type in the TLS header to the
  SSL3_RT_INNER_CONTENT_TYPE message callback.  For KTLS, the old
  pointer pointed to the last byte of payload rather than the record
  type.  For the non-KTLS case, the TLS header has been updated with
  the inner type before this callback is invoked.

Approved by:	jkim
Obtained from:	OpenSSL commit a5fb9605329fb939abb536c1604d44a511741624
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34975
2022-05-04 13:08:27 -07:00
John Baldwin
4f1f9c5502 OpenSSL: KTLS: Add using_ktls helper variable in ssl3_get_record().
When KTLS receive is enabled, pending data may still be present due to
read ahead.  This data must still be processed the same as records
received without KTLS.  To ease readability (especially in
consideration of additional checks which will be added for TLS 1.3),
add a helper variable 'using_ktls' that is true when the KTLS receive
path is being used to receive a record.

Approved by:	jkim
Obtained from:	OpenSSL commit 031132c297e54cbc20404a0bf8de6ed863196399
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34974
2022-05-04 13:08:17 -07:00
John Baldwin
019cff03b3 OpenSSL: KTLS: Check for unprocessed receive records in ktls_configure_crypto.
KTLS implementations currently assume that the start of the in-kernel
socket buffer is aligned with the start of a TLS record for the
receive side.  The socket option to enable KTLS specifies the TLS
sequence number of this initial record.

When read ahead is enabled, data can be pending in the SSL read buffer
after negotiating session keys.  This pending data must be examined to
ensurs that the kernel's socket buffer does not contain a partial TLS
record as well as to determine the correct sequence number of the
first TLS record to be processed by the kernel.

In preparation for enabling receive kernel offload for TLS 1.3, move
the existing logic to handle read ahead from t1_enc.c into ktls.c and
invoke it from ktls_configure_crypto().

Approved by:	jkim
Obtained from:	OpenSSL commit 85773128d0e80cd8dcc772a6931d385b8cf4acd1
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34973
2022-05-04 13:08:03 -07:00
John Baldwin
f6e5fcdc84 OpenSSL: Cleanup record length checks for KTLS
In some corner cases the check for packets
which exceed the allowed record length was missing
when KTLS is initially enabled, when some
unprocessed packets are still pending.

Approved by:	jkim
Obtained from:	OpenSSL commit 8fff986d52606e1a33f9404504535e2e2aee3e8b
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34972
2022-05-04 13:07:36 -07:00
Jung-uk Kim
34252e89a9 OpenSSL: Merge OpenSSL 1.1.1o
Merge commit 'cf0ffd7607ed8f39829c6951a65a55fa1eb3aafe'
2022-05-03 15:07:06 -04:00
Jung-uk Kim
cf0ffd7607 Import OpenSSL 1.1.1o 2022-05-03 11:01:12 -04:00
Ed Maste
6e24fe6128 ssh: use upstream SSH_OPENSSL_VERSION macro
With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636 we replaced
WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it
to OPENSSL_VERSION_STRING.

A few years later OpenSSH made an equivalent change (with a different
macro name), in commit 4d94b031ff88.  Switch to the macro name they
chose.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-04-23 20:07:57 -04:00
Ed Maste
835ee05f3c ssh: drop $FreeBSD$ from crypto/openssh
After we moved to git $FreeBSD$ is no longer expanded and serves no
purpose.  Remove them from OpenSSH to reduce diffs against upstream.

Sponsored by:	The FreeBSD Foundation
2022-04-22 19:12:23 -04:00
Ed Maste
1978059263 ssh: remove duplicate setting of MAIL env var
We already set it earlier in do_setup_env().

Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-04-19 10:30:52 -04:00
Ed Maste
613b4b7971 ssh: apply style(9) to version_addendum
Reported by:	allanjude (in review D29953)
Fixes:		462c32cb8d ("Upgrade OpenSSH to 6.1p1.")
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-04-18 18:13:42 -04:00
Ed Maste
eb45bc6829 ssh-agent: move -x description to correct spot in man page
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2022-04-17 17:43:20 -04:00
Ed Maste
e2cec5ba2c ssh: correct version number (9.0)
Reported by:	flo
Fixes:		87c1498d1a ("ssh: update to OpenSSH v9.0p1")
Sponsored by:	The FreeBSD Foundation
2022-04-15 12:10:35 -04:00
Ed Maste
9fce8d4140 ssh: apply post-release patch from V_9_0 branch
upstream: clear io_want/io_ready flags at start of poll() cycle;

avoids plausible spin during rekeying if channel io_want flags are reused
across cycles. ok markus@ deraadt@
2022-04-15 11:04:54 -04:00
Ed Maste
fb5aabcb99 scp: switch to using the SFTP protocol by default
From upstream release notes https://www.openssh.com/txt/release-9.0

This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.

In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-04-15 10:47:28 -04:00
Ed Maste
87c1498d1a ssh: update to OpenSSH v9.0p1
Release notes are available at https://www.openssh.com/txt/release-9.0

Some highlights:

 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
   exchange method by default ("sntrup761x25519-sha512@openssh.com").
   The NTRU algorithm is believed to resist attacks enabled by future
   quantum computers and is paired with the X25519 ECDH key exchange
   (the previous default) as a backstop against any weaknesses in
   NTRU Prime that may be discovered in the future. The combination
   ensures that the hybrid exchange offers at least as good security
   as the status quo.

 * sftp-server(8): support the "copy-data" extension to allow server-
   side copying of files/data, following the design in
   draft-ietf-secsh-filexfer-extensions-00. bz2948

 * sftp(1): add a "cp" command to allow the sftp client to perform
   server-side file copies.

This commit excludes the scp(1) change to use the SFTP protocol by
default; that change will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-04-15 10:41:08 -04:00
Ed Maste
58def461e2 ssh: update with post-release V_8_9 branch commits
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
2022-04-13 16:53:20 -04:00
Ed Maste
1323ec5712 ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

 * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
   restricting forwarding and use of keys added to ssh-agent(1)

 * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
   ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
   default KEXAlgorithms list (after the ECDH methods but before the
   prime-group DH ones). The next release of OpenSSH is likely to
   make this key exchange the default method.

 * sshd(8), portable OpenSSH only: this release removes in-built
   support for MD5-hashed passwords. If you require these on your
   system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-04-13 16:00:56 -04:00
Jung-uk Kim
5ac766ab8e OpenSSL: Merge OpenSSL 1.1.1n 2022-03-15 19:37:45 -04:00
Jung-uk Kim
d6d3d40098 Import OpenSSL 1.1.1n 2022-03-15 18:18:15 -04:00
Gordon Tetlow
fdc418f15e Fix a bug in BN_mod_sqrt() that can cause it to loop forever.
Obtained from:	OpenSSL Project
Security:	CVE-2022-0778
2022-03-15 09:48:59 -07:00
Ed Maste
cea0d3689e ssh: update sshd_config(5) for RSA/SHA-1 signature removal
OpenSSH 8.8p1 removed RSA/SHA-1 signatures by default, but failed to
update sshd_config(5).  It was updated upstream after the release in
b711bc01a7ec and da4035523406.

Fixes:		8c22023ca5 ("ssh: disable RSA/SHA-1 signatures")
Sponsored by:	The FreeBSD Foundation
2022-03-08 16:56:56 -05:00
Ed Maste
822d379b1f ssh: regen sk_config.h after 73104d5838 2022-03-05 20:00:04 -05:00
Ed Maste
73104d5838 ssh: generate SK config file using private cbor and fido2 libs
Specify -lprivatecbor and -lprivatefido2 in OpenSSH's configure.ac, and
pass -I paths to libcbor and libfido2's contrib src location.

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34440
2022-03-05 19:57:22 -05:00
Ed Maste
92ef98b8fa ssh: use standalone config file for security key support
An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled.  Prepare
for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header
(similar to the approach used for optional krb5 support) and optionally
including that, instead of defining the macro directly from CFLAGS.

Reviewed by:	kevans
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34407
2022-03-02 09:35:12 -05:00
Ed Maste
f1421a8972 ssh: correct configure option name
The option is security-key-builtin not security-key-internal.  There is
no change to the generated config.h because the option defaults off
anyway.

MFC after:	3 days
Fixes:		87152f3405 ("ssh: disble internal security key...")
Sponsored by:	The FreeBSD Foundation
2022-03-01 09:41:51 -05:00
Mark Johnston
9340d69e57 openssh: Add a note to check for deprecated and removed config options
Suggested by:	emaste
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-03-01 09:38:44 -05:00
Ed Maste
ab7d095969 ssh: add command to push tag to FREEBSD-upgrade instructions
Because it appears `git push --follow-tags` may push extra, undesired
tags document both techniques (pushing the specific vendor/openssh/X.YpZ
tag and pushing all with --follow-tags, using --dry-run first).

Discussed with:	imp, lwhsu
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33605
2022-02-23 13:47:28 -05:00
Ed Maste
2e6ec1e4fe ssh: remove 11.x from FREEBSD-upgrade instructions
11.x is no longer supported.
2022-02-23 13:36:27 -05:00
John Baldwin
aa72082549 OpenSSL: Fix the same BIO_FLAGS macro definition
Also add comment to the public header to avoid
making another conflict in future.

Reviewed by:	jkim
Obtained from:	OpenSSL commit 5d4975ecd88ac17d0749513a8fac9a7c7befd900
MFC after:	1 week
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34135
2022-02-01 10:38:49 -08:00
Ed Maste
e38610abca ssh: remove unused header
Fixes:		0746301c49 ("ssh: pass 0 to procctl(2) to operate...")
Sponsored by:	The FreeBSD Foundation
2022-01-31 17:15:21 -05:00
Ed Maste
0746301c49 ssh: pass 0 to procctl(2) to operate on self
As of f833ab9dd1 procctl(2) allows idtype P_PID with id = 0 as a
shortcut for the calling process ID.  The shortcut also bypasses the
p_cansee / p_candebug test (since the process is able to act on itself.)

At present if the security.bsd.unprivileged_proc_debug sysctl is 0 then
procctl(P_PID, getpid(), ... for a process to act on itself will fail,
but procctl(P_PID, 0, ... will succeed.  This should likely be addressed
with a kernel change.

In any case the id = 0 shortcut is a tiny optimization for a process to
act on itself and allows the self-procctl to succeed, so use it in ssh.

Reported by:	Shawn Webb
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33970
2022-01-20 19:54:49 -05:00
Gleb Smirnoff
ca573c9a17 sshd: update the libwrap patch to drop connections early
OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014
(f2719b7c in github.com/openssh/openssh-portable) and we
maintain the patch ourselves since 2016 (a0ee8cc636).

Over the years, the libwrap support has deteriotated and probably
that was reason for removal upstream.  Original idea of libwrap was
to drop illegitimate connection as soon as possible, but over the
years the code was pushed further down and down and ended in the
forked client connection handler.

The negative effects of late dropping is increasing attack surface
for hosts that are to be dropped anyway.  Apart from hypothetical
future vulnerabilities in connection handling, today a malicious
host listed in /etc/hosts.allow still can trigger sshd to enter
connection throttling mode, which is enabled by default (see
MaxStartups in sshd_config(5)), effectively casting DoS attack.
Note that on OpenBSD this attack isn't possible, since they enable
MaxStartups together with UseBlacklist.

A only negative effect from early drop, that I can imagine, is that
now main listener parses file in /etc, and if our root filesystems
goes bad, it would get stuck.  But unlikely you'd be able to login
in that case anyway.

Implementation details:

- For brevity we reuse the same struct request_info.  This isn't
  a documented feature of libwrap, but code review, viewing data
  in a debugger and real life testing shows that if we clear
  RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended.
- We set SO_LINGER on the socket to force immediate connection reset.
- We log message exactly as libwrap's refuse() would do.

Differential revision:	https://reviews.freebsd.org/D33044
2022-01-02 18:32:30 -08:00
Ed Maste
8c22023ca5 ssh: disable RSA/SHA-1 signatures
From OpenSSH 8.8p1's release notes:

---

Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

    Host old-host
        HostkeyAlgorithms +ssh-rsa
	PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

---

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2021-12-19 11:03:45 -05:00
Ed Maste
e9e8876a4d ssh: update to OpenSSH v8.8p1
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures.  It also has a few minor bug fixes.

The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2021-12-19 11:02:02 -05:00
Jung-uk Kim
b2bf0c7e5f OpenSSL: Merge OpenSSL 1.1.1m
Merge commit '56eae1b760adf10835560a9ee595549a1f10410f'
2021-12-14 16:03:52 -05:00
Jung-uk Kim
56eae1b760 Import OpenSSL 1.1.1m. 2021-12-14 13:30:54 -05:00
John Baldwin
27bb8830d5 SSL_sendfile: Replace ERR_raise_data with SYSerr.
ERR_raise_data is only present in OpenSSL 3.0 and later.

Reviewed by:	jkim
Obtained from:	CheriBSD
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D33363
2021-12-14 10:07:38 -08:00