Commit Graph

1129 Commits

Author SHA1 Message Date
Ed Maste
172fa4aa75 OpenSSH: cherry-pick "need initgroups() before setresgid()"
From openssh-portable commits f3cbe43e28fe and bf944e3794ef.
2021-10-08 21:29:25 -04:00
Ed Maste
adb56e58e8 openssh: use global state for blacklist in grace_alarm_handler
Obtained from:	security/openssh-portable
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Sponsored by:	The FreeBSD Foundation
2021-09-16 14:10:11 -04:00
Ed Maste
0f9bafdfc3 openssh: pass ssh context to BLACKLIST_NOTIFY
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Sponsored by:	The FreeBSD Foundation
2021-09-14 13:44:39 -04:00
Ed Maste
1f290c707a openssh: regen config.h
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Reported by:	O. Hartmann
Sponsored by:	The FreeBSD Foundation
2021-09-09 20:16:14 -04:00
Ed Maste
b645ee1815 openssh: remove update notes about upstreamed changes
Two local changes were committed upstream and are present in OpenSSH
8.7p1.  Remove references from FREEBSD-upgrade now that we have updated
to that version.
2021-09-09 09:57:22 -04:00
Ed Maste
0e642632e6 openssh: remove unnecessary $FreeBSD$ tags
Diff reduction against upstream: remove $FreeBSD$ tags from files where
the tag itself is the only difference from upstream.
2021-09-07 21:52:06 -04:00
Ed Maste
19261079b7 openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985
2021-09-07 21:05:51 -04:00
Ed Maste
b0025f9b7f openssh: update default version addendum in man pages
Fixes:		2f513db72b ("Upgrade to OpenSSH 7.9p1.")
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2021-09-04 11:33:13 -04:00
Ed Maste
ba91e31f47 openssh: remove login class restrictions leftovers
MFC after:	2 weeks
Fixes:		27ceebbc24 ("openssh: simplify login class...")
Sponsored by:	The FreeBSD Foundation
2021-09-03 16:07:47 -04:00
Ed Maste
258f5f79bb openssh: restore local change to gssapi include logic
/usr/include/gssapi.h claims that it is deprecated, and gssapi/gssapi.h
should be used instead.  So, test HAVE_GSSAPI_GSSAPI_H first falling
back to HAVE_GSSAPI_H.

This will be submitted upstream.

Fixes:		6eac665c81 ("openssh: diff reduction against...")
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31810
2021-09-03 16:07:47 -04:00
Ed Maste
6eac665c81 openssh: diff reduction against upstream 7.9p1
Clean up whitespace and nonfunctional differences, and unused functions.
2021-09-02 15:10:44 -04:00
Ed Maste
c7b4c21ee4 openssh: regenerate freebsd-namespace.h
For some reason poly64 was omitted when this file was last generated
(perhaps it was inlined by the Clang version then in use).

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-02 09:45:14 -04:00
Ed Maste
b3e858f762 openssh: tag generated file with @generated
Tools like Phabricator use the @generated tag to identify files that
may be excluded from review by default.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-02 09:44:58 -04:00
Ed Maste
7b529268a5 openssh: regenerate config.h
Since config.h was last regenerated FreeBSD has added (a stub) libdl,
and has removed sys/dir.h.  Regenerate config.h to avoid spurious
additional changes when OpenSSH is next updated.

There should be no issue if this change is MFC'd, but I don't plan to do
so.  Although configure checks for libdl HAVE_LIBDL isn't even used, and
sys/dir.h was non-functional before being removed.  The state of these
two config.h settings should make no difference in the built OpenSSH.

Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:41 -04:00
Ed Maste
36cd1e5e8c openssh: disable libwrap (TCP wrappers) at configure time
We define LIBWRAP at build time in secure/usr.sbin/sshd/Makefile if
WITH_TCPWRAPPERS is in effect, so it should not be set in config.h.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:41 -04:00
Ed Maste
5e4dd21fd6 openssh: clarify krb5 use in freebsd-configure
freebsd-configure.sh runs configure twice, --with-kerberos5 and
--without-kerberos5, in order to build a config.h that defaults to
kerberos5 disabled, and a small config file that represents the
differences.

Rename config.h.orig to config.h.kerberos5 to clarify the intent of this
script.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:34 -04:00
Ed Maste
f3fd885074 openssh: update note about class-based login restrictions 2021-09-01 16:09:56 -04:00
Ed Maste
27ceebbc24 openssh: simplify login class restrictions
Login class-based restrictions were introduced in 5b400a39b8.  The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a9fc, bd393de91c, and
e8c56fba29.

During an attempt to upstream the work a much simpler approach was
suggested.  Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.

Submitted by:	Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from:	https://github.com/openssh/openssh-portable/pull/262
Reviewed by:	allanjude, kevans
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D31760
2021-09-01 15:53:09 -04:00
Jung-uk Kim
9a3ae0cdef Import OpenSSL 1.1.1l 2021-09-01 00:26:38 -04:00
Ed Maste
35a0342508 openssh: add information about a local change 2021-08-30 15:35:03 -04:00
Gordon Tetlow
aef815e787 Fix multiple OpenSSL vulnerabilities.
Approved by:	so
Security:	SA-21:16.openssl
Security:	CVE-2021-3711
Security:	CVE-2021-3712
2021-08-24 11:26:45 -07:00
John Baldwin
6372fd253e OpenSSL: Add support for Chacha20-Poly1305 to kernel TLS on FreeBSD.
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3.

NB: This commit has not yet been merged upstream as it is deemed a new
feature and did not make the feature freeze cutoff for OpenSSL 3.0.

Reviewed by:	jkim
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31443
2021-08-17 14:41:42 -07:00
John Baldwin
d6e78ecb0b OpenSSL: Refactor KTLS tests to better support TLS 1.3.
Most of this upstream commit touched tests not included in the
vendor import.  The one change merged in is to remove a constant
only present in an internal header to appease the older tests.

Reviewed by:	jkim
Obtained from:	OpenSSL (e1fdd5262e4a45ce3aaa631768e877ee7b6da21b)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31442
2021-08-17 14:41:37 -07:00
John Baldwin
a208223130 OpenSSL: Update KTLS documentation
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.

Reviewed by:	jkim
Obtained from:	OpenSSL (6878f4300213cfd7d4f01e26a8b97f70344da100)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31441
2021-08-17 14:41:31 -07:00
John Baldwin
62ca9fc1ad OpenSSL: Only enable KTLS if it is explicitly configured
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.

Instead we change KTLS so that it is disabled by default.

We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).

Reviewed by:	jkim
Obtained from:	OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31440
2021-08-17 14:41:24 -07:00
John Baldwin
63c6d3e283 OpenSSL: ktls: Initial support for ChaCha20-Poly1305
Linux kernel is going to support ChaCha20-Poly1305 in TLS offload.
Add support for this cipher.

Reviewed by:	jkim
Obtained from:	OpenSSL (3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31439
2021-08-17 14:41:19 -07:00
John Baldwin
334d228a20 OpenSSL: Correct the return value of BIO_get_ktls_*().
BIO_get_ktls_send() and BIO_get_ktls_recv() are documented as
returning either 0 or 1.  However, they were actually returning the
internal value of the associated BIO flag for the true case instead of
1.

Also trim redundant ternary operators.

Reviewed by:	jkim
Obtained from:	OpenSSL (f16e52b67c9261bdc7e1284a50502a802921ac6d)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31438
2021-08-17 14:41:12 -07:00
Guangyuan Yang
80ba60f643 kerberos.8: Replace dead link
Replace it with a tutorial hosted on kerberos.org and the classic
"dialogue" from Bill Bryant. The change has been reported and
merged upstream (https://github.com/heimdal/heimdal/commit/7f3445f1b7).

MFC after:	3 days
PR:		251854
Reported by:	ktullavik@gmail.com
Submitted by:	bjk (upstream github)
Reviewed by:	bcr
2021-05-16 01:37:09 -04:00
Ed Maste
d55bf492f8 Revert "Add workaround for a QoS-related bug in VMWare Workstation."
This reverts commit 77c2fe20df.

The VMware Workstation issue was fixed in 2019[1], and we'd rather not
carry unnecessary local changes in OpenSSH.

[1] https://communities.vmware.com/t5/VMware-Workstation-Pro/Regression-ssh-results-in-broken-pipe-upon-connecting-in-Vmware/m-p/486105/highlight/true#M25470

PR:		234426
Discussed with:	yuripv
Approved by:	des
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
2021-04-25 17:17:22 -04:00
Ed Maste
576b477ba4 openssh: add a note about pushing vendor updates
Sponsored by:	The FreeBSD Foundation
2021-04-23 15:36:42 -04:00
Jung-uk Kim
b6c1fdcdf5 OpenSSL: Merge OpenSSL 1.1.1k
Merge commit '94fa08a4bcdfbb3434b025d67d014af3b18e5380'
2021-03-25 11:45:19 -04:00
Jung-uk Kim
94fa08a4bc Import OpenSSL 1.1.1k. 2021-03-25 11:05:31 -04:00
Ed Maste
519496a598 openssh: document two changes that are now upstream
These patches can be removed once we update to 8.5p1 or later.
2021-02-22 14:03:28 -05:00
Oleksandr Tymoshenko
9b2f020c14 Handle partial data re-sending on ktls/sendfile on FreeBSD
Add a handler for EBUSY sendfile error in addition to
EAGAIN. With EBUSY returned the data still can be partially
sent and user code has to be notified about it, otherwise it
may try to send data multiple times.

PR:		251969
Reviewed by:	jkim
Obtained from:	OpenSSL (dfcfd17f2818cf520ce6381aed9ec3d2fc12170d)
MFC after:	1 week
Sponsored by:	Netflix (merging to FreeBSD)
Differential Revision:	https://reviews.freebsd.org/D28714
2021-02-17 14:51:55 -08:00
Jung-uk Kim
b840816061 OpenSSL: Remove obsolete include directory
This directory was deprecated since OpenSSL 1.1.1e.

https://github.com/openssl/openssl/pull/9681
2021-02-16 22:53:37 -05:00
Jung-uk Kim
88e852c0b5 OpenSSL: Merge OpenSSL 1.1.1j
Merge commit '4f55bd5321b72491d4eff396e4928e9ab0706735'
2021-02-16 17:00:27 -05:00
Jung-uk Kim
4f55bd5321 Import OpenSSL 1.1.1j. 2021-02-16 14:54:02 -05:00
Ed Maste
74c59ab790 openssh: port upgrade doc and script to git
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D28564
2021-02-14 16:41:11 -05:00
Ed Maste
a62dc346f6 ssh: remove ssh-hpn leftovers
This was introduced in 8998619212, and left behind when the hpn-ssh
patches were removed in 60c59fad88.  Although Being able to log
SO_RCVBUF in debug mode might have some small value on its own, it's
not worth carrying an extra diff against upstream.

Reviewed by:	kevans
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D28610
2021-02-12 10:11:06 -05:00
Ed Maste
9e14b918f9 ssh: remove unused variable
This was introduced in 03f6c5cd93, which added use of
sysctl net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED,
but it appears the rest of that change was lost in some subsequent
update.

The change should probably be restored, but until then there is no
reason to leave an unused variable around.

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2021-02-11 22:22:30 -05:00
Ed Maste
154adbbeb8 ssh: diff reduction against OpenBSD, remove unused includes
These appear to be leftovers from ca86bcf253 and f7167e0ea0

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2021-02-11 21:37:31 -05:00
John Baldwin
aa906e2a49 OpenSSL: Support for kernel TLS offload (KTLS)
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.

Note that TLS 1.3 only supports TX offload.

A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support.  It defaults to enabled on amd64 and disabled on all
other architectures.

Reviewed by:	jkim (earlier version)
Approved by:	secteam
Obtained from:	OpenSSL (patches from master)
MFC after:	1 week
Relnotes:	yes
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D28273
2021-01-28 10:24:13 -08:00
Jung-uk Kim
c3c73b4f0a Merge OpenSSL 1.1.1i. 2020-12-09 02:05:14 +00:00
Jung-uk Kim
970a464089 Import OpenSSL 1.1.1i. 2020-12-08 18:10:16 +00:00
Ed Maste
2c9ac5855b OpenSSL: address CVE-2020-1971
OpenSSL commit 3db2c9f3:
Complain if we are attempting to encode with an invalid ASN.1 template

OpenSSL commit 43a7033:
Check that multi-strings/CHOICE types don't use implicit tagging

OpenSSL commit f960d812:
Correctly compare EdiPartyName in GENERAL_NAME_cmp()

Obtained from:	OpenSSL 3db2c9f3, 43a7033, f960d812
Security:	CVE-2020-1971
2020-12-08 16:43:35 +00:00
Stefan Eßer
1f474190fc Replace literal uses of /usr/local in C sources with _PATH_LOCALBASE
Literal references to /usr/local exist in a large number of files in
the FreeBSD base system. Many are in contributed software, in configuration
files, or in the documentation, but 19 uses have been identified in C
source files or headers outside the contrib and sys/contrib directories.

This commit makes it possible to set _PATH_LOCALBASE in paths.h to use
a different prefix for locally installed software.

In order to avoid changes to openssh source files, LOCALBASE is passed to
the build via Makefiles under src/secure. While _PATH_LOCALBASE could have
been used here, there is precedent in the construction of the path used to
a xauth program which depends on the LOCALBASE value passed on the compiler
command line to select a non-default directory.

This could be changed in a later commit to make the openssh build
consistently use _PATH_LOCALBASE. It is considered out-of-scope for this
commit.

Reviewed by:	imp
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D26942
2020-10-27 11:29:11 +00:00
Jung-uk Kim
58f351825a Merge OpenSSL 1.1.1h. 2020-09-22 16:18:31 +00:00
Jung-uk Kim
92f02b3b0f Import OpenSSL 1.1.1h. 2020-09-22 14:27:08 +00:00
Jung-uk Kim
63c1bb5162 Fix Clang version detection.
We prepend "FreeBSD" to Clang version string.  This broke compiler test for
AVX instruction support.

Reported by:	jhb
2020-08-26 16:55:28 +00:00
Ed Maste
e426c74375 sshd: allow UseBlocklist alias for UseBlacklist
blacklistd has been renamed to blocklistd upstream, and a future
import into FreeBSD will follow that change.  Support the new name
as an alias in config files.

Reviewed by:	bz, delphij
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25865
2020-07-29 00:34:24 +00:00