Commit Graph

1089 Commits

Author SHA1 Message Date
Ed Maste
154adbbeb8 ssh: diff reduction against OpenBSD, remove unused includes
These appear to be leftovers from ca86bcf253 and f7167e0ea0

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2021-02-11 21:37:31 -05:00
John Baldwin
aa906e2a49 OpenSSL: Support for kernel TLS offload (KTLS)
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.

Note that TLS 1.3 only supports TX offload.

A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support.  It defaults to enabled on amd64 and disabled on all
other architectures.

Reviewed by:	jkim (earlier version)
Approved by:	secteam
Obtained from:	OpenSSL (patches from master)
MFC after:	1 week
Relnotes:	yes
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D28273
2021-01-28 10:24:13 -08:00
Jung-uk Kim
c3c73b4f0a Merge OpenSSL 1.1.1i. 2020-12-09 02:05:14 +00:00
Jung-uk Kim
970a464089 Import OpenSSL 1.1.1i. 2020-12-08 18:10:16 +00:00
Ed Maste
2c9ac5855b OpenSSL: address CVE-2020-1971
OpenSSL commit 3db2c9f3:
Complain if we are attempting to encode with an invalid ASN.1 template

OpenSSL commit 43a7033:
Check that multi-strings/CHOICE types don't use implicit tagging

OpenSSL commit f960d812:
Correctly compare EdiPartyName in GENERAL_NAME_cmp()

Obtained from:	OpenSSL 3db2c9f3, 43a7033, f960d812
Security:	CVE-2020-1971
2020-12-08 16:43:35 +00:00
Stefan Eßer
1f474190fc Replace literal uses of /usr/local in C sources with _PATH_LOCALBASE
Literal references to /usr/local exist in a large number of files in
the FreeBSD base system. Many are in contributed software, in configuration
files, or in the documentation, but 19 uses have been identified in C
source files or headers outside the contrib and sys/contrib directories.

This commit makes it possible to set _PATH_LOCALBASE in paths.h to use
a different prefix for locally installed software.

In order to avoid changes to openssh source files, LOCALBASE is passed to
the build via Makefiles under src/secure. While _PATH_LOCALBASE could have
been used here, there is precedent in the construction of the path used to
a xauth program which depends on the LOCALBASE value passed on the compiler
command line to select a non-default directory.

This could be changed in a later commit to make the openssh build
consistently use _PATH_LOCALBASE. It is considered out-of-scope for this
commit.

Reviewed by:	imp
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D26942
2020-10-27 11:29:11 +00:00
Jung-uk Kim
58f351825a Merge OpenSSL 1.1.1h. 2020-09-22 16:18:31 +00:00
Jung-uk Kim
92f02b3b0f Import OpenSSL 1.1.1h. 2020-09-22 14:27:08 +00:00
Jung-uk Kim
63c1bb5162 Fix Clang version detection.
We prepend "FreeBSD" to Clang version string.  This broke compiler test for
AVX instruction support.

Reported by:	jhb
2020-08-26 16:55:28 +00:00
Ed Maste
e426c74375 sshd: allow UseBlocklist alias for UseBlacklist
blacklistd has been renamed to blocklistd upstream, and a future
import into FreeBSD will follow that change.  Support the new name
as an alias in config files.

Reviewed by:	bz, delphij
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25865
2020-07-29 00:34:24 +00:00
Ed Maste
952d18a214 ssh: Remove AES-CBC ciphers from default server and client lists
A base system OpenSSH update in 2016 or so removed a number of ciphers
from the default lists offered by the server/client, due to known
weaknesses.  This caused POLA issues for some users and prompted
PR207679; the ciphers were restored to the default lists in r296634.

When upstream removed these ciphers from the default server list, they
moved them to the client-only default list.  They were subsequently
removed from the client default, in OpenSSH 7.9p1.

The change has persisted long enough.  Remove these extra ciphers from
both the server and client default lists, in advance of FreeBSD 13.

Reviewed by:	markm, rgrimes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25833
2020-07-28 00:24:12 +00:00
Ed Maste
ea64ebd08c openssh: refer to OpenSSL not SSLeay, part 2
This change was made upstream between 7.9p1 and 8.0p1.  We've made local
changes in the same places for handling the version_addendum; apply the
SSLeay_version to OpenSSL_version change in advance of importing 8.0p1.
This should have been part of r363225.

Obtained from:	OpenSSH-portable a65784c9f9c5
MFC with:	r363225
Sponsored by:	The FreeBSD Foundation
2020-07-15 18:49:00 +00:00
Ed Maste
6471c6bd75 openssh: refer to OpenSSL not SSLeay
This change was made upstream between 7.9p1 and 8.0p1.  We've made local
changes in the same places for handling the version_addendum; apply the
SSLeay_version to OpenSSL_version change in advance of importing 8.0p1.

Obtained from:	OpenSSH-portable a65784c9f9c5
Sponsored by:	The FreeBSD Foundation
2020-07-15 15:35:26 +00:00
Mateusz Piotrowski
f4b792fa67 Fix trailing-comma-related typos in the tree when the Xr macro is used
MFC after:	1 week
2020-06-27 11:13:45 +00:00
Xin LI
8d8b292321 Don't log normal login_getpwclass(3) result.
The logging was introduced in r314527 but doesn't appear to be useful
for regular operation, and as the result, for users with no class set
(very common) the administrator would see a message like this in their
auth.log:

  sshd[44251]: user root login class [preauth]

(note that the class was "" because that's what's typically configured
for most users; we would get 'default' if lc->lc_class is chosen)

Remove this log as it can be annoying as the lookup happen before
authentication and repeats, and our code is not acting upon lc_class
or pw_class directly anyways.

Reviewed by:	cem, imp
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D24997
2020-06-26 04:46:45 +00:00
Jung-uk Kim
cfac584b60 Merge OpenSSL 1.1.1g. 2020-04-21 19:38:32 +00:00
Jung-uk Kim
65aa3028e5 Import OpenSSL 1.1.1g. 2020-04-21 19:07:46 +00:00
Gordon Tetlow
c79d631acd Fix OpenSSL remote denial of service.
See https://www.openssl.org/news/secadv/20200421.txt for details.

Approved by:	so
Security:	CVE-2020-1967
2020-04-21 15:44:20 +00:00
Jung-uk Kim
11c7efe3a4 Merge OpenSSL 1.1.1f. 2020-03-31 15:47:55 +00:00
Jung-uk Kim
b6cfecdc04 Import OpenSSL 1.1.1f. 2020-03-31 15:25:23 +00:00
Kyle Evans
6d0d51a41c openssh: -fno-common fix from upstream f47d72ddad
This is currently staged in vendor/ as part of the 8.0p1 import, which isn't
quite ready to land. Given that this is a simple one-line fix, apply it now
as the fallout will be pretty minimal.

-fno-common will become the default in GCC10/LLVM11.

MFC after:	3 days
2020-03-29 19:14:27 +00:00
Jung-uk Kim
17f01e9963 Merge OpenSSL 1.1.1e. 2020-03-18 02:13:12 +00:00
Jung-uk Kim
aa144ced5d Import OpenSSL 1.1.1e. 2020-03-17 21:27:57 +00:00
Ed Maste
99b201c331 Add a note about deleted files in OpenSSH upgrade instructions 2020-02-25 22:15:25 +00:00
Ed Maste
23f6a81e49 Update version in openssh FREEBSD-vendor metadata
It appears that FREEBSD-vendor is an idea that never really took off
and we should probably just remove it, but until then we might as well
record the correct version.
2020-02-14 22:32:33 +00:00
Ed Maste
9fcda2f48d Update OpenSSH upgrade instructions to use https, not ftp
ftp://ftp.openbsd.org/ does not work.
2020-02-14 19:33:50 +00:00
Ed Maste
2f513db72b Upgrade to OpenSSH 7.9p1.
MFC after:	2 months
Sponsored by:	The FreeBSD Foundation
2020-02-14 19:06:59 +00:00
Ed Maste
e491358c94 sshd: add upgrade process note about TCP wrappers
We need to add user-facing deprecation notices for TCP wrappers; start
with a note in the upgrade process docmentation.

Sponsored by:	The FreeBSD Foundation
2020-02-14 18:59:50 +00:00
Ed Maste
4c3ccd967e openssh: add a note about libwrap in config.h
LIBWRAP is defined by the Makefile based on MK_TCP_WRAPPERS and should
not be defined in config.h.

PR:		210141
Sponsored by:	The FreeBSD Foundation
2020-02-14 17:05:35 +00:00
Ed Maste
e8c56fba29 sshd: make getpwclass wrapper MON_ISAUTH not MON_AUTH
In r339216 a privsep wrapper was added for login_getpwclass to address
PR 231172.  Unfortunately the change used the MON_AUTH flag in the
wrapper, and MON_AUTH includes MON_AUTHDECIDE which triggers an
auth_log() on each invocation.  getpwclass() does not participate in the
authentication decision, so should be MON_ISAUTH instead.

PR:		234793
Submitted by:	Henry Hu
Reviewed by:	Yuichiro NAITO
MFC after:	1 week
2019-11-20 16:30:37 +00:00
Jung-uk Kim
da327cd22e Merge OpenSSL 1.1.1d. 2019-09-10 21:08:17 +00:00
Jung-uk Kim
fbc3ad1ae1 Import OpenSSL 1.1.1d. 2019-09-10 17:40:53 +00:00
Dmitry Chagin
c5afec6e89 Complete LOCAL_PEERCRED support. Cache pid of the remote process in the
struct xucred. Do not bump XUCRED_VERSION as struct layout is not changed.

PR:		215202
Reviewed by:	tijl
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D20415
2019-05-30 14:24:26 +00:00
Jung-uk Kim
610a21fd82 Merge OpenSSL 1.1.1c. 2019-05-28 21:54:12 +00:00
Jung-uk Kim
375b8e6770 Import OpenSSL 1.1.1c. 2019-05-28 20:08:17 +00:00
Dag-Erling Smørgrav
77c2fe20df Add workaround for a QoS-related bug in VMWare Workstation.
Submitted by:	yuripv
Differential Revision:	https://reviews.freebsd.org/D18636
2019-03-27 15:17:29 +00:00
Ed Maste
0967215db7 Merge r345574 from vendor-crypto:
upstream: when checking that filenames sent by the server side

match what the client requested, be prepared to handle shell-style brace
alternations, e.g. "{foo,bar}".

"looks good to me" millert@ + in snaps for the last week courtesy
deraadt@

OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e

Discussed with: des
Obtained from:	OpenSSH-portable 3d896c157c722bc47adca51a58dca859225b5874
2019-03-27 14:35:38 +00:00
Jung-uk Kim
6935a639f0 Merge OpenSSL 1.1.1b. 2019-02-26 19:31:33 +00:00
Jung-uk Kim
851f7386fd Import OpenSSL 1.1.1b. 2019-02-26 18:06:51 +00:00
Ed Maste
afde517053 scp: validate filenames provided by server against wildcard in client
OpenSSH-portable commits:

check in scp client that filenames sent during remote->local directory
copies satisfy the wildcard specified by the user.

This checking provides some protection against a malicious server
sending unexpected filenames, but it comes at a risk of rejecting wanted
files due to differences between client and server wildcard expansion rules.

For this reason, this also adds a new -T flag to disable the check.

reported by Harry Sintonen
fix approach suggested by markus@;
has been in snaps for ~1wk courtesy deraadt@

OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda

Minor patch conflict (getopt) resolved.

Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

scp: add -T to usage();

OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899

Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8

PR:		234965
Approved by:	des
MFC after:	3 days
Obtained from:	OpenSSH-portable 391ffc4b9d, 2c21b75a7b
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D19076
2019-02-21 22:45:54 +00:00
Ed Maste
d366f891b1 scp: disallow empty or current directory
Obtained from:	OpenBSD scp.c 1.198
Security:	CVE-2018-20685
Sponsored by:	The FreeBSD Foundation
2019-01-15 15:35:14 +00:00
Cy Schubert
086566c1c1 Remove unused sqlite3 bundled with heimdal.
Reported by:	delphij@
2019-01-09 01:09:42 +00:00
Jung-uk Kim
49ea0a812a Do not complain when /dev/crypto does not exist.
Now the new devcrypto engine is enabled since r342009, many users started
seeing "Could not open /dev/crypto: No such file or directory".  Disable
the annoying error message as it is not very useful anyway.

Note the patch was submitted upstream.

https://github.com/openssl/openssl/pull/7896
2018-12-14 01:06:34 +00:00
Jung-uk Kim
c9cf7b5cb1 Merge OpenSSL 1.1.1a. 2018-11-20 21:10:04 +00:00
Jung-uk Kim
8c3f9abd70 Import OpenSSL 1.1.1a. 2018-11-20 18:59:41 +00:00
Glen Barber
f07f1918ad Update SHLIB_VERSION_NUMBER following the OpenSSL shared library
number bump.

Reported by:	jkim
Discussed with:	kib
MFC after:	immediate
Sponsored by:	The FreeBSD Foundation
2018-10-25 18:46:45 +00:00
Dag-Erling Smørgrav
b319ead8be Try harder to sanitize the environment before running configure.
Remove a workaround for older Unbound versions that used sbrk.

Approved by:	re (gjb)
2018-10-10 22:29:06 +00:00
Glen Barber
1da7787f71 Merge the remainder of the projects/openssl111 branch to head.
- Update OpenSSL to version 1.1.1.
- Update Kerberos/Heimdal API for OpenSSL 1.1.1 compatibility.
- Bump __FreeBSD_version.

Approved by:	re (kib)
Sponsored by:	The FreeBSD Foundation
2018-10-09 21:28:26 +00:00
Dag-Erling Smørgrav
bd393de91c Fix portability issues with the Capsicum patch committed in r339216:
- Wrap access to pw_change and pw_expire in the appropriate #ifdefs.
- Wrap calls to login_cap(3) API in appropriate #ifdefs.
- Add wrapper for transferring time_t, which is still only 32 bits wide
  on FreeBSD i386.
- Use a temporary variable to deserialize size_t.

Approved by:	re (gjb)
2018-10-09 19:27:42 +00:00
Ed Maste
4660a83eac Regenerate ssh_namespace.h for OpenSSL 1.1.1 update 2018-10-09 17:29:31 +00:00