krb5_ret_preincipal() returns a non-zero return code when
a garbage principal is passed to it. Unfortunately ret_principal_ent()
does not check the return code, with garbage pointing to what would
have been the principal. This results in a segfault when free() is
called.
PR: 267944, 267972
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
In addition to garbage realm data, also handle garbage dbname, acl_file,
stash_file, and invalid bitmask garbage data.
PR: 267912
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
Fix a NULL dereference in _kadm5_s_init_context() when the client
sends a mangled realm message.
PR: 267912
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
Should the sender send a string without a terminating NUL, ensure that
the NUL terminates the string regardless.
And while at it only process the version string when bytes are returned.
PR: 267884
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D37471
Part of ed549cb0c5 zeroed out a data structure in the resulting code-file
when a TUTCTime type was freed. This part of the patch applies to Heimdal
7.1+ and not our Heimdal 1.5.2.
PR: 267827
Reported by: Peter Much <pmc@citylink.dinoex.sub.org>
Tested by: Peter Much <pmc@citylink.dinoex.sub.org>
Fixes: ed549cb0c5
MFC after: TBD with philip@
The following issues are patched:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
on the Common Vulnerability Scoring System (CVSS) v3, as we believe
it should be possible to get an RCE on a KDC, which means that
credentials can be compromised that can be used to impersonate
anyone in a realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE types
used in Heimdal, though not all cases will be exploitable. We have
not completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
only affect Heimdal 1.6 and up. It was first reported by Douglas
Bagnall, though it had been found independently by the Heimdal
maintainers via fuzzing a few weeks earlier.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in protocol-transition
- CVE-2019-14870: Apply forwardable policy in protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
Sponsored by: so (philip)
Obtained from: so (philip)
Tested by: philip, cy
MFC after: immediately
Old versions of FreeBSD do not support using id 0 to refer to the
current pid for procctl, so pass getpid() explicitly.
Although this is not required in current FreeBSD branches I am merging
it to reduce differences with upstream.
Obtained from: OpenSSH commit 0f7e1eba5525
This appeared to be a copy-paste error from the "from" time case above.
Reported by: Coverity Scan
CID: 1500407
Reviewed by: markj
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37252
Release notes are available at https://www.openssh.com/txt/release-9.1
9.1 contains fixes for three minor memory safety problems; these have
lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.
Some highlights copied from the release notes:
Potentially-incompatible changes
--------------------------------
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
are now first-match-wins to match other directives. Previously
if an environment variable was multiply specified the last set
value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types)
will no longer generate DSA keys, as these are insecure and have
not been used by default for some years.
New features
------------
* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
RSA key length. Keys below this length will be ignored for user
authentication and for host authentication in sshd(8).
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension
request that allows the client to obtain user/group names that
correspond to a set of uids/gids.
* sftp(1): use "users-groups-by-id@openssh.com" sftp-server
extension (when available) to fill in user/group names for
directory listings.
* sftp-server(8): support the "home-directory" extension request
defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
a bit with the existing "expand-path@openssh.com", but some other
clients support it.
* ssh-keygen(1), sshd(8): allow certificate validity intervals,
sshsig verification times and authorized_keys expiry-time options
to accept dates in the UTC time zone in addition to the default
of interpreting them in the system time zone. YYYYMMDD and
YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
with a 'Z' character.
Also allow certificate validity intervals to be specified in raw
seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
is intended for use by regress tests and other tools that call
ssh-keygen as part of a CA workflow. bz3468
* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
"/usr/libexec/sftp-server -el debug3"
* ssh-keygen(1): allow the existing -U (use agent) flag to work
with "-Y sign" operations, where it will be interpreted to require
that the private keys is hosted in an agent; bz3429
MFC after: 2 weeks
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
We no longer use the pre- and post-merge scripts to strip/add RCS tags.
The tags have been removed from main, but persist on older branches.
While here renumber the steps in the update documentation using a more
conventional scheme.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36904
Nanobsd included copies of ssh_config and sshd_config. The former is
identical to the one provided by the base system, and the latter is
identical except for PermitRootLogin, which is updated by nanobsd's
cust_allow_ssh_root anyhow. Remove nanobsd's copies and use the
existing base system ones.
Reported by: Jose Luis Duran <jlduran@gmail.com> in D34937
Reviewed by: Jose Luis Duran <jlduran@gmail.com>, imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36933
Rename "HPN" to more general "Retired patches." We handle two now-
removed patches the same way: to avoid breaking existing configurations
we accept, but ignore, the option.
Sponsored by: The FreeBSD Foundation
FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f and later extended it to the client in
commit 9e2cbe04ff.
In 2012 upstream added support for server VersionAddendum, in commit
23528816dc10. They do not support it for the client.
The argument for supporting this in the client is not nearly as strong
as for the server, so retire this option to reduce the scope of our
local patch set. This also avoids some cases of conflicts in ssh_config
during update, as a user's configuration would typically follow the
commented-out default VersionAddendum value.
Reviewed by: gordon, glebius
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32930
Passwords may be accepted by both the PasswordAuthentication and
KbdInteractiveAuthentication authentication schemes. Add a reference to
the latter in the description/comment for PasswordAuthentication, as it
otherwise may seem that "PasswordAuthentication no" implies passwords
will be disallowed.
This situation should be clarified with more extensive documentation on
the authentication schemes and configuration options, but that should be
done in coordination with upstream OpenSSH. This is a minimal change
that will hopefully clarify the situation without requiring an extensive
local patch set.
PR: 263045
Reviewed by: manu (earlier version)
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35272
The PermitRootLogin option "prohibit-password" was added as a synonym
for "without-password" in 2015. Then in 2017 these were swapped:
"prohibit-password" became the canonical option and "without-password"
became a deprecated synonym (in OpenSSH commit 071325f458).
The UsePAM description in sshd_config still mentioned
"without-password." Update it to match the new canonical option.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
This removes a guard condition that prevents KTLS being enabled for
receiving in TLS 1.3. Use the correct sequence number and BIO for
receive vs transmit offload.
Approved by: jkim
Obtained from: OpenSSL commit 7c78932b9a4330fb7c8db72b3fb37cbff1401f8b
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34976
- Don't unpad records, check the outer record type, or extract the
inner record type from TLS 1.3 records handled by the kernel. KTLS
performs all of these steps and returns the inner record type in the
TLS header.
- When checking the length of a received TLS 1.3 record don't allow
for the extra byte for the nested record type when KTLS is used.
- Pass a pointer to the record type in the TLS header to the
SSL3_RT_INNER_CONTENT_TYPE message callback. For KTLS, the old
pointer pointed to the last byte of payload rather than the record
type. For the non-KTLS case, the TLS header has been updated with
the inner type before this callback is invoked.
Approved by: jkim
Obtained from: OpenSSL commit a5fb9605329fb939abb536c1604d44a511741624
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34975
When KTLS receive is enabled, pending data may still be present due to
read ahead. This data must still be processed the same as records
received without KTLS. To ease readability (especially in
consideration of additional checks which will be added for TLS 1.3),
add a helper variable 'using_ktls' that is true when the KTLS receive
path is being used to receive a record.
Approved by: jkim
Obtained from: OpenSSL commit 031132c297e54cbc20404a0bf8de6ed863196399
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34974
KTLS implementations currently assume that the start of the in-kernel
socket buffer is aligned with the start of a TLS record for the
receive side. The socket option to enable KTLS specifies the TLS
sequence number of this initial record.
When read ahead is enabled, data can be pending in the SSL read buffer
after negotiating session keys. This pending data must be examined to
ensurs that the kernel's socket buffer does not contain a partial TLS
record as well as to determine the correct sequence number of the
first TLS record to be processed by the kernel.
In preparation for enabling receive kernel offload for TLS 1.3, move
the existing logic to handle read ahead from t1_enc.c into ktls.c and
invoke it from ktls_configure_crypto().
Approved by: jkim
Obtained from: OpenSSL commit 85773128d0e80cd8dcc772a6931d385b8cf4acd1
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34973
In some corner cases the check for packets
which exceed the allowed record length was missing
when KTLS is initially enabled, when some
unprocessed packets are still pending.
Approved by: jkim
Obtained from: OpenSSL commit 8fff986d52606e1a33f9404504535e2e2aee3e8b
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34972
With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636 we replaced
WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it
to OPENSSL_VERSION_STRING.
A few years later OpenSSH made an equivalent change (with a different
macro name), in commit 4d94b031ff88. Switch to the macro name they
chose.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
After we moved to git $FreeBSD$ is no longer expanded and serves no
purpose. Remove them from OpenSSH to reduce diffs against upstream.
Sponsored by: The FreeBSD Foundation
We already set it earlier in do_setup_env().
Fixes: 19261079b7 ("openssh: update to OpenSSH v8.7p1")
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
upstream: clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are reused
across cycles. ok markus@ deraadt@
From upstream release notes https://www.openssh.com/txt/release-9.0
This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.
In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Release notes are available at https://www.openssh.com/txt/release-9.0
Some highlights:
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
exchange method by default ("sntrup761x25519-sha512@openssh.com").
The NTRU algorithm is believed to resist attacks enabled by future
quantum computers and is paired with the X25519 ECDH key exchange
(the previous default) as a backstop against any weaknesses in
NTRU Prime that may be discovered in the future. The combination
ensures that the hybrid exchange offers at least as good security
as the status quo.
* sftp-server(8): support the "copy-data" extension to allow server-
side copying of files/data, following the design in
draft-ietf-secsh-filexfer-extensions-00. bz2948
* sftp(1): add a "cp" command to allow the sftp client to perform
server-side file copies.
This commit excludes the scp(1) change to use the SFTP protocol by
default; that change will immediately follow.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.
* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.
Future deprecation notice
=========================
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
OpenSSH 8.8p1 removed RSA/SHA-1 signatures by default, but failed to
update sshd_config(5). It was updated upstream after the release in
b711bc01a7ec and da4035523406.
Fixes: 8c22023ca5 ("ssh: disable RSA/SHA-1 signatures")
Sponsored by: The FreeBSD Foundation
Specify -lprivatecbor and -lprivatefido2 in OpenSSH's configure.ac, and
pass -I paths to libcbor and libfido2's contrib src location.
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34440
An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled. Prepare
for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header
(similar to the approach used for optional krb5 support) and optionally
including that, instead of defining the macro directly from CFLAGS.
Reviewed by: kevans
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34407
The option is security-key-builtin not security-key-internal. There is
no change to the generated config.h because the option defaults off
anyway.
MFC after: 3 days
Fixes: 87152f3405 ("ssh: disble internal security key...")
Sponsored by: The FreeBSD Foundation
Because it appears `git push --follow-tags` may push extra, undesired
tags document both techniques (pushing the specific vendor/openssh/X.YpZ
tag and pushing all with --follow-tags, using --dry-run first).
Discussed with: imp, lwhsu
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33605
Also add comment to the public header to avoid
making another conflict in future.
Reviewed by: jkim
Obtained from: OpenSSL commit 5d4975ecd88ac17d0749513a8fac9a7c7befd900
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34135
As of f833ab9dd1 procctl(2) allows idtype P_PID with id = 0 as a
shortcut for the calling process ID. The shortcut also bypasses the
p_cansee / p_candebug test (since the process is able to act on itself.)
At present if the security.bsd.unprivileged_proc_debug sysctl is 0 then
procctl(P_PID, getpid(), ... for a process to act on itself will fail,
but procctl(P_PID, 0, ... will succeed. This should likely be addressed
with a kernel change.
In any case the id = 0 shortcut is a tiny optimization for a process to
act on itself and allows the self-procctl to succeed, so use it in ssh.
Reported by: Shawn Webb
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33970
OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014
(f2719b7c in github.com/openssh/openssh-portable) and we
maintain the patch ourselves since 2016 (a0ee8cc636).
Over the years, the libwrap support has deteriotated and probably
that was reason for removal upstream. Original idea of libwrap was
to drop illegitimate connection as soon as possible, but over the
years the code was pushed further down and down and ended in the
forked client connection handler.
The negative effects of late dropping is increasing attack surface
for hosts that are to be dropped anyway. Apart from hypothetical
future vulnerabilities in connection handling, today a malicious
host listed in /etc/hosts.allow still can trigger sshd to enter
connection throttling mode, which is enabled by default (see
MaxStartups in sshd_config(5)), effectively casting DoS attack.
Note that on OpenBSD this attack isn't possible, since they enable
MaxStartups together with UseBlacklist.
A only negative effect from early drop, that I can imagine, is that
now main listener parses file in /etc, and if our root filesystems
goes bad, it would get stuck. But unlikely you'd be able to login
in that case anyway.
Implementation details:
- For brevity we reuse the same struct request_info. This isn't
a documented feature of libwrap, but code review, viewing data
in a debugger and real life testing shows that if we clear
RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended.
- We set SO_LINGER on the socket to force immediate connection reset.
- We log message exactly as libwrap's refuse() would do.
Differential revision: https://reviews.freebsd.org/D33044
From OpenSSH 8.8p1's release notes:
---
Potentially-incompatible changes
================================
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
---
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes.
The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
These files were intended to track version and perhaps maintainership
information for contrib software. However, they were never used beyond
bzip2, netcat, and OpenSSH, and generally haven't been kept up to date
recently (my OpenSSH 8.7p1 update notwithstanding). Just remove them to
avoid having confusing or outdated information.
Suggested by: des
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
OpenSSL assumes the same value for AT_HWCAP=16 (Linux)
So it ends up calling elf_auxv_info() with AT_CANARY which
returns ENOENT, and all acceleration features are disabled.
With this, my ARM64 test machine runs the benchmark
`openssl speed -evp aes-256-gcm` nearly 20x faster
going from 100 MB/sec to 2000 MB/sec
It also improves sha256 from 300 MB/sec to 1800 MB/sec
This fix has been accepted but not yet merged upstream:
https://github.com/openssl/openssl/pull/17082
PR: 259937
Reviewed by: manu, imp
MFC after: immediate
Relnotes: yes
Fixes: 88e852c0b5 ("OpenSSL: Merge OpenSSL 1.1.1j")
Sponsored by: Ampere Computing LLC
Sponsored by: Klara Inc.
Differential Revision: https://reviews.freebsd.org/D33060
Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):
This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication. In OpenSSH FIDO devices are supported by new public
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
certificate types.
ssh-keygen(1) may be used to generate a FIDO token-backed key, after
which they may be used much like any other key type supported by
OpenSSH, so long as the hardware token is attached when the keys are
used. FIDO tokens also generally require the user explicitly
authorise operations by touching or tapping them.
Generating a FIDO key requires the token be attached, and will
usually require the user tap the token to confirm the operation:
$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your security key to authorize key generation.
Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub
This will yield a public and private key-pair. The private key file
should be useless to an attacker who does not have access to the
physical token. After generation, this key may be used like any
other supported key in OpenSSH and may be listed in authorized_keys,
added to ssh-agent(1), etc. The only additional stipulation is that
the FIDO token that the key belongs to must be attached when the key
is used.
To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).
devd integration is not included in this change, and is under
investigation for the base system. In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.
Reviewed by: delphij, kevans
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32509
We want to set ENABLE_SK_INTERNAL only when building with USB support.
We'll leave it off in config.h and enble it via our bespoke build's
Makefile.inc.
Sponsored by: The FreeBSD Foundation
Two local changes were committed upstream and are present in OpenSSH
8.7p1. Remove references from FREEBSD-upgrade now that we have updated
to that version.
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.
Additional integration work is needed to support FIDO/U2F in the base
system.
Deprecation Notice
------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.
Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
/usr/include/gssapi.h claims that it is deprecated, and gssapi/gssapi.h
should be used instead. So, test HAVE_GSSAPI_GSSAPI_H first falling
back to HAVE_GSSAPI_H.
This will be submitted upstream.
Fixes: 6eac665c81 ("openssh: diff reduction against...")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31810
For some reason poly64 was omitted when this file was last generated
(perhaps it was inlined by the Clang version then in use).
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Tools like Phabricator use the @generated tag to identify files that
may be excluded from review by default.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Since config.h was last regenerated FreeBSD has added (a stub) libdl,
and has removed sys/dir.h. Regenerate config.h to avoid spurious
additional changes when OpenSSH is next updated.
There should be no issue if this change is MFC'd, but I don't plan to do
so. Although configure checks for libdl HAVE_LIBDL isn't even used, and
sys/dir.h was non-functional before being removed. The state of these
two config.h settings should make no difference in the built OpenSSH.
Sponsored by: The FreeBSD Foundation
We define LIBWRAP at build time in secure/usr.sbin/sshd/Makefile if
WITH_TCPWRAPPERS is in effect, so it should not be set in config.h.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
freebsd-configure.sh runs configure twice, --with-kerberos5 and
--without-kerberos5, in order to build a config.h that defaults to
kerberos5 disabled, and a small config file that represents the
differences.
Rename config.h.orig to config.h.kerberos5 to clarify the intent of this
script.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Login class-based restrictions were introduced in 5b400a39b8. The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a9fc, bd393de91c, and
e8c56fba29.
During an attempt to upstream the work a much simpler approach was
suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.
Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from: https://github.com/openssh/openssh-portable/pull/262
Reviewed by: allanjude, kevans
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31760
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3.
NB: This commit has not yet been merged upstream as it is deemed a new
feature and did not make the feature freeze cutoff for OpenSSL 3.0.
Reviewed by: jkim
MFC after: 5 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31443
Most of this upstream commit touched tests not included in the
vendor import. The one change merged in is to remove a constant
only present in an internal header to appease the older tests.
Reviewed by: jkim
Obtained from: OpenSSL (e1fdd5262e4a45ce3aaa631768e877ee7b6da21b)
MFC after: 5 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31442
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.
Reviewed by: jkim
Obtained from: OpenSSL (6878f4300213cfd7d4f01e26a8b97f70344da100)
MFC after: 5 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31441
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.
Instead we change KTLS so that it is disabled by default.
We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).
Reviewed by: jkim
Obtained from: OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
MFC after: 5 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31440
Linux kernel is going to support ChaCha20-Poly1305 in TLS offload.
Add support for this cipher.
Reviewed by: jkim
Obtained from: OpenSSL (3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f)
MFC after: 5 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31439
BIO_get_ktls_send() and BIO_get_ktls_recv() are documented as
returning either 0 or 1. However, they were actually returning the
internal value of the associated BIO flag for the true case instead of
1.
Also trim redundant ternary operators.
Reviewed by: jkim
Obtained from: OpenSSL (f16e52b67c9261bdc7e1284a50502a802921ac6d)
MFC after: 5 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31438
Replace it with a tutorial hosted on kerberos.org and the classic
"dialogue" from Bill Bryant. The change has been reported and
merged upstream (https://github.com/heimdal/heimdal/commit/7f3445f1b7).
MFC after: 3 days
PR: 251854
Reported by: ktullavik@gmail.com
Submitted by: bjk (upstream github)
Reviewed by: bcr
Add a handler for EBUSY sendfile error in addition to
EAGAIN. With EBUSY returned the data still can be partially
sent and user code has to be notified about it, otherwise it
may try to send data multiple times.
PR: 251969
Reviewed by: jkim
Obtained from: OpenSSL (dfcfd17f2818cf520ce6381aed9ec3d2fc12170d)
MFC after: 1 week
Sponsored by: Netflix (merging to FreeBSD)
Differential Revision: https://reviews.freebsd.org/D28714
This was introduced in 8998619212, and left behind when the hpn-ssh
patches were removed in 60c59fad88. Although Being able to log
SO_RCVBUF in debug mode might have some small value on its own, it's
not worth carrying an extra diff against upstream.
Reviewed by: kevans
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D28610
This was introduced in 03f6c5cd93, which added use of
sysctl net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED,
but it appears the rest of that change was lost in some subsequent
update.
The change should probably be restored, but until then there is no
reason to leave an unused variable around.
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.
Note that TLS 1.3 only supports TX offload.
A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support. It defaults to enabled on amd64 and disabled on all
other architectures.
Reviewed by: jkim (earlier version)
Approved by: secteam
Obtained from: OpenSSL (patches from master)
MFC after: 1 week
Relnotes: yes
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D28273
OpenSSL commit 3db2c9f3:
Complain if we are attempting to encode with an invalid ASN.1 template
OpenSSL commit 43a7033:
Check that multi-strings/CHOICE types don't use implicit tagging
OpenSSL commit f960d812:
Correctly compare EdiPartyName in GENERAL_NAME_cmp()
Obtained from: OpenSSL 3db2c9f3, 43a7033, f960d812
Security: CVE-2020-1971
Literal references to /usr/local exist in a large number of files in
the FreeBSD base system. Many are in contributed software, in configuration
files, or in the documentation, but 19 uses have been identified in C
source files or headers outside the contrib and sys/contrib directories.
This commit makes it possible to set _PATH_LOCALBASE in paths.h to use
a different prefix for locally installed software.
In order to avoid changes to openssh source files, LOCALBASE is passed to
the build via Makefiles under src/secure. While _PATH_LOCALBASE could have
been used here, there is precedent in the construction of the path used to
a xauth program which depends on the LOCALBASE value passed on the compiler
command line to select a non-default directory.
This could be changed in a later commit to make the openssh build
consistently use _PATH_LOCALBASE. It is considered out-of-scope for this
commit.
Reviewed by: imp
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D26942
blacklistd has been renamed to blocklistd upstream, and a future
import into FreeBSD will follow that change. Support the new name
as an alias in config files.
Reviewed by: bz, delphij
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D25865
A base system OpenSSH update in 2016 or so removed a number of ciphers
from the default lists offered by the server/client, due to known
weaknesses. This caused POLA issues for some users and prompted
PR207679; the ciphers were restored to the default lists in r296634.
When upstream removed these ciphers from the default server list, they
moved them to the client-only default list. They were subsequently
removed from the client default, in OpenSSH 7.9p1.
The change has persisted long enough. Remove these extra ciphers from
both the server and client default lists, in advance of FreeBSD 13.
Reviewed by: markm, rgrimes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D25833
This change was made upstream between 7.9p1 and 8.0p1. We've made local
changes in the same places for handling the version_addendum; apply the
SSLeay_version to OpenSSL_version change in advance of importing 8.0p1.
This should have been part of r363225.
Obtained from: OpenSSH-portable a65784c9f9c5
MFC with: r363225
Sponsored by: The FreeBSD Foundation
This change was made upstream between 7.9p1 and 8.0p1. We've made local
changes in the same places for handling the version_addendum; apply the
SSLeay_version to OpenSSL_version change in advance of importing 8.0p1.
Obtained from: OpenSSH-portable a65784c9f9c5
Sponsored by: The FreeBSD Foundation
The logging was introduced in r314527 but doesn't appear to be useful
for regular operation, and as the result, for users with no class set
(very common) the administrator would see a message like this in their
auth.log:
sshd[44251]: user root login class [preauth]
(note that the class was "" because that's what's typically configured
for most users; we would get 'default' if lc->lc_class is chosen)
Remove this log as it can be annoying as the lookup happen before
authentication and repeats, and our code is not acting upon lc_class
or pw_class directly anyways.
Reviewed by: cem, imp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D24997
This is currently staged in vendor/ as part of the 8.0p1 import, which isn't
quite ready to land. Given that this is a simple one-line fix, apply it now
as the fallout will be pretty minimal.
-fno-common will become the default in GCC10/LLVM11.
MFC after: 3 days
It appears that FREEBSD-vendor is an idea that never really took off
and we should probably just remove it, but until then we might as well
record the correct version.
We need to add user-facing deprecation notices for TCP wrappers; start
with a note in the upgrade process docmentation.
Sponsored by: The FreeBSD Foundation
In r339216 a privsep wrapper was added for login_getpwclass to address
PR 231172. Unfortunately the change used the MON_AUTH flag in the
wrapper, and MON_AUTH includes MON_AUTHDECIDE which triggers an
auth_log() on each invocation. getpwclass() does not participate in the
authentication decision, so should be MON_ISAUTH instead.
PR: 234793
Submitted by: Henry Hu
Reviewed by: Yuichiro NAITO
MFC after: 1 week
struct xucred. Do not bump XUCRED_VERSION as struct layout is not changed.
PR: 215202
Reviewed by: tijl
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D20415
