Summary:
Release notes can be found at
https://www.openssl.org/news/openssl-3.0-notes.html .
Obtained from: https://www.openssl.org/source/openssl-3.0.10.tar.gz
Test Plan:
```
$ git status
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.
nothing to commit, working tree clean
$ (cd ..; fetch https://www.openssl.org/source/openssl-${OSSLVER}.tar.gzhttps://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.10.tar.gz 14 MB 15 MBps 01s
openssl-3.0.10.tar.gz.asc 833 B 11 MBps 00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.10
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/khorben/.gnupg/pubring.kbx
--------------------------------
pub rsa4096 2011-03-01 [SCA]
DC34EE5DB2417BCC151E5100E5F8F8212F77A498
uid [ unknown] Willem Toorop <willem@nlnetlabs.nl>
sub rsa4096 2011-03-01 [E]
pub rsa4096 2014-10-04 [SC] [expires: 2024-01-30]
EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
uid [ unknown] OpenSSL security team <openssl-security@openssl.org>
uid [ unknown] OpenSSL OMC <openssl-omc@openssl.org>
uid [ unknown] OpenSSL Security <openssl-security@openssl.org>
sub rsa4096 2014-10-04 [E] [expires: 2024-01-30]
$ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue Aug 1 15:47:28 2023 CEST
gpg: using RSA key EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
gpg: Good signature from "OpenSSL security team <openssl-security@openssl.org>" [unknown]
gpg: aka "OpenSSL OMC <openssl-omc@openssl.org>" [unknown]
gpg: aka "OpenSSL Security <openssl-security@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5
$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
[...]
$ diff -arq ../openssl-${OSSLVER} .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.
nothing to commit, working tree clean
```
Subscribers: imp
Differential Revision: https://reviews.freebsd.org/D41293
Older versions of FreeBSD included the HPN patch set and provided
client-side VersionAddendum. Both of these changes have been retired
but we've retained the option parsing for backwards compatibility to
avoid breaking upgrades. Add comment references to the relevant
commits.
Sponsored by: The FreeBSD Foundation
This is a compromise between POLA and practical reasoning. We don't
want to block the main server loop in an attempt to resolve. But we
need to keep the format of the logged message as is, for sake of
sshguard and other scripts. So let's print just the IP address twice,
this is what libwrap's refuse() would do if it failed to resolve.
Reviewed by: philip
PR: 269456
Differential revision: https://reviews.freebsd.org/D40069
This part of ca573c9a17 proved to be unnecessary. As the removed
comment says, we set them merely for logging syntax errors, as we log
refusals ourselves. However, inside the libwrap the parser logs any
syntax errors with tcpd_warn() which has hardcoded LOG_WARNING inside.
Reviewed by: philip, emaste
Differential revision: https://reviews.freebsd.org/D40068
From the release notes:
Changes since OpenSSH 9.3
=========================
This release fixes a security bug.
Security
========
Fix CVE-2023-38408 - a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).
Potentially-incompatible changes
--------------------------------
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.
CVE: CVE-2023-38408
Sponsored by: The FreeBSD Foundation
OpenSSL 3 supports a modular architecture, allowing different providers
to bring specific implementations of cryptographical algorithms. One
such provider, "fips", ships with OpenSSL 3 directly, and groups
algorithms that can be FIPS 140-2 validated.
The import of OpenSSL 3.0.9 was building this provider incorrectly,
missing symbols required for proper operation.
In addition, without the change in OpenSSL's crypto/bn/bn_const.c, the
FIPS module fails loading: `Undefined symbol "ossl_bignum_modp_1536_p"`.
This change is consistent with crypto/bn/bn_dh.c though.
Sponsored by: The FreeBSD Foundation
Pull Request: https://github.com/freebsd/freebsd-src/pull/787
They break the !amd64 builds due to an underspecified include path and
will be re-applied once that's fixed.
Reported by: Ronald Klop <ronald-lists@klop.ws>
OpenSSL 3 supports a modular architecture, allowing different providers
to bring specific implementations of cryptographical algorithms. One
such provider, "fips", ships with OpenSSL 3 directly, and groups
algorithms that can be FIPS 140-2 validated.
The import of OpenSSL 3.0.9 was building this provider incorrectly,
missing symbols required for proper operation.
In addition, without the change in OpenSSL's crypto/bn/bn_const.c, the
FIPS module fails loading: `Undefined symbol "ossl_bignum_modp_1536_p"`.
This change is consistent with crypto/bn/bn_dh.c though.
Sponsored by: The FreeBSD Foundation
Pull Request: https://github.com/freebsd/freebsd-src/pull/787
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.
Most of the base system has already been updated for a seamless switch
to OpenSSL 3.0. For many components we've added
`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
which avoids deprecation warnings from OpenSSL 3.0. Changes have also
been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
1.1.1. The process of updating to contemporary APIs can continue after
this merge.
Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow this
commit. Fixes are in progress in the upstream projects and will be
incorporated when those are next updated.
There are some performance regressions in benchmarks (certain tests in
`openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy).
Investigation will continue for these.
Netflix's testing showed no functional regression and a rather small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.
Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
Netflix and everyone who tested prior to commit or contributed to this
update in other ways.
PR: 271615
PR: 271656 [exp-run]
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Summary:
Release notes can be found at
https://www.openssl.org/news/openssl-3.0-notes.html .
Obtained from: https://www.openssl.org/source/openssl-3.0.9.tar.gz
Test Plan:
```
$ git status
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.
nothing to commit, working tree clean
$ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gzhttp://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.9.tar.gz 14 MB 74 MBps 01s
openssl-3.0.9.tar.gz.asc 833 B 10 MBps 00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.9
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/khorben/.gnupg/pubring.kbx
--------------------------------
pub rsa4096 2021-07-16 [SC] [expires: 2031-07-14]
A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C
uid [ unknown] Tomáš Mráz <tm@t8m.info>
uid [ unknown] Tomáš Mráz <tomas@arleto.cz>
uid [ unknown] Tomáš Mráz <tomas@openssl.org>
sub rsa4096 2021-07-16 [S] [expires: 2027-07-15]
sub rsa4096 2021-07-16 [E] [expires: 2031-07-14]
$ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue May 30 14:32:24 2023 CEST
gpg: using RSA key DC7032662AF885E2F47F243F527466A21CA79E6D
gpg: Good signature from "Tomáš Mráz <tm@t8m.info>" [unknown]
gpg: aka "Tomáš Mráz <tomas@arleto.cz>" [unknown]
gpg: aka "Tomáš Mráz <tomas@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C
Subkey fingerprint: DC70 3266 2AF8 85E2 F47F 243F 5274 66A2 1CA7 9E6D
$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
[...]
$ diff -arq ../openssl-${OSSLVER} .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.
nothing to commit, working tree clean
```
We changed the CheckHostIP default to "no" years ago. Upstream has now
made the same change, so do not list it as a local change any longer.
I did not just remove the "Modified client-side defaults" section to
avoid having to renumber everything, and we may add a new local change
in the future.
Sponsored by: The FreeBSD Foundation
As Coverity reports:
Overwriting tmp in tmp = make_absolute_pwd_glob(tmp, remote_path)
leaks the storage that tmp points to.
Consume the first arg in make_absolute_pwd_glob, and add xstrdup() to
the one case which did not assign to the same variable that was passed
in. With this change make_absolute() and make_absolute_pwd_glob() have
the same semantics with respect to freeing the input string.
This change was reported to OpenSSH in
https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-November/040497.html
but was not acted on. It appears that OpenBSD subsequently received a
Coverity report for the same issue (their Coverity ID 405196) but fixed
only the specific instance reported by Coverity.
This change reverts OpenBSD's sftp.c 1.228 / OpenSSH-portable
commit 36c6c3eff5e4.
Reported by: Coverity Scan
CID: 1500409
Reviewed by: markj
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37253
"adrl" is a pseudo-instruction used to calculate an address relative
to PC. It's not recognized by clang resulting in a compilation error.
I've stumbled upon it when trying to integrate the bsaes-armv7 assmebly
logic into FreeBSD kernel, which uses clang as it's default compiler.
Note that this affect the build only if BSAES_ASM_EXTENDED_KEY is
defined, which is not the default option in OpenSSL.
The solution here is to replace it with an add instruction.
This mimics what has already been done in !BSAES_ASM_EXTENDED_KEY logic.
Because of that I've marked this as trivial CLA.
No objections from: jkim
Obtained from: OpenSSL commit 27093ba73372935fe4ef91d0a45ce6ea90a1ac8e
Differential Revision: https://reviews.freebsd.org/D39091
This release fixes a number of security bugs and has minor new
features and bug fixes. Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in OpenSSH
8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This problem
was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the system's
standard library lacks this function and portable OpenSSH was not
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
problem was found by the Coverity static analyzer.
Sponsored by: The FreeBSD Foundation
Make it clear that the 'freebsd-configure.sh' and 'freebsd-namespace.sh'
scripts are run from the crypto/openssh directory.
Sponsored by: The FreeBSD Foundation
Fixes: bf2e2524a2 ("ssh: canonicize the host name before...")
Fixes: 3e74849a1e ("ssh: canonicize the host name before...")
Reviewed by: rew
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38441
Summary:
Release notes can be found at
https://www.openssl.org/news/openssl-3.0-notes.html .
Obtained from: https://www.openssl.org/source/openssl-3.0.8.tar.gz
Differential Revision: https://reviews.freebsd.org/D38835
Test Plan:
```
$ git status
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gzhttp://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.8.tar.gz 14 MB 4507 kBps 04s
openssl-3.0.8.tar.gz.asc 833 B 10 MBps 00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.8
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/ngie/.gnupg/pubring.kbx
-----------------------------
pub rsa4096 2014-10-04 [SC]
7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
uid [ unknown] Richard Levitte <richard@levitte.org>
uid [ unknown] Richard Levitte <levitte@lp.se>
uid [ unknown] Richard Levitte <levitte@openssl.org>
sub rsa4096 2014-10-04 [E]
$ gpg --verify openssl-${OSSLVER}.tar.gz.asc openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue Feb 7 05:43:55 2023 PST
gpg: using RSA key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
gpg: Good signature from "Richard Levitte <richard@levitte.org>" [unknown]
gpg: aka "Richard Levitte <levitte@lp.se>" [unknown]
gpg: aka "Richard Levitte <levitte@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C
$ (cd vendor.checkout/; git status; find . -type f -or -type l | cut -c 3- | sort > ../old)
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
$ cat .git
gitdir: /home/ngie/git/freebsd-src/.git/worktrees/vendor.checkout
$ diff -arq ../openssl-3.0.8 .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$
```
Reviewers: emaste, jkim
Subscribers: imp, andrew, dab
Differential Revision: https://reviews.freebsd.org/D38835
Revert to upstream's default. Using VerifyHostKeyDNS may depend on a
trusted nameserver and network path.
This reverts commit 83c6a5242c.
Reported by: David Leadbeater, G-Research
Reviewed by: gordon
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38648
When the client sends kadmind a create principal (kadm_create) request
kadm_s_create_principal() returns an error before zeroing out ent (an
hdb entry structure wrapper -- hdb_entry_ex), resulting in a NULL
reference.
Fix obtained from upstream commit 35ea4955a.
PR: 268059
Reported by: Robert Morris <rtm@lcs.mit.edu>
Obtained from: Heimdal commit 35ea4955a
MFC after: 3 days
We introduced hostname canonicalization in 2002, while upstream OpenSSH
added similar support in 2014.
It would be good to review our handling of CNAMEs in hostname
canonicalization.
Sponsored by: The FreeBSD Foundation
Administrators can enable it if required.
Reviewed by: bz, kevans
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37411
Release notes are available at https://www.openssh.com/txt/release-9.2
OpenSSH 9.2 contains fixes for two security problems and a memory safety
problem. The memory safety problem is not believed to be exploitable.
These fixes have already been committed to OpenSSH 9.1 in FreeBSD.
Some other notable items from the release notes:
* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime.
* sshd(8): add support for channel inactivity timeouts via a new
sshd_config(5) ChannelTimeout directive. This allows channels that
have not seen traffic in a configurable interval to be
automatically closed. Different timeouts may be applied to session,
X11, agent and TCP forwarding channels.
* sshd(8): add a sshd_config UnusedConnectionTimeout option to
terminate client connections that have no open channels for a
length of time. This complements the ChannelTimeout option above.
* sshd(8): add a -V (version) option to sshd like the ssh client has.
* scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
allow control over some SFTP protocol parameters: the copy buffer
length and the number of in-flight requests, both of which are used
during upload/download. Previously these could be controlled in
sftp(1) only. This makes them available in both SFTP protocol
clients using the same option character sequence.
* ssh-keyscan(1): allow scanning of complete CIDR address ranges,
e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
it will be expanded to all possible addresses in the range
including the all-0s and all-1s addresses. bz#976
* ssh(1): support dynamic remote port forwarding in escape
command-line's -R processing. bz#3499
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
never write a name with bad characters to a known_hosts file.
replace recently-added valid_domain() check for hostnames going to
known_hosts with a more relaxed check for bad characters.
Obtained from: OpenSSH-portable commit 445363433ba2
Obtained from: OpenSSH-portable commit 3cae9f92a318
Sponsored by: The FreeBSD Foundation
its first argument unless it was one of the special keywords "any" or
"none".
Obtained from: OpenSSH-portable commit b3daa8dc5823
Sponsored by: The FreeBSD Foundation
ssh_config and ssh_config.5 no longer contain the VersionAddendum,
so remove instructions to update these files.
Fixes: bffe60ead0 ("ssh: retire client VersionAddendum")
Sponsored By: The FreeBSD Foundation
We documented "[Use]PrivilegeSeparation defaults to sandbox" as one of
our modifications to ssh's server-side defaults, but this is not (any
longer) a difference from upstream.
Sponsored by: The FreeBSD Foundation
kadm5_c_get_principal() should check the return code from
kadm5_ret_principal_ent(). As it doesn't it assumes success when
there is none and can lead to potential vulnerability. Fix this.
Reported by: rtm@csail.mit.edu
MFC after: 3 days
Zero length client requests result in a bus fault when attempting to
free malloc()ed pointers within the requests softc. Return an error
when the request is zero length.
This properly fixes PR/268062 without regressions.
PR: 268062
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
Zero length client requests result in a bus fault when attempting to
free malloc()ed pointers within the requests softc. Return an error
when the request is zero length.
PR: 268062
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
A malformed principal will cause kadmind to segfault. The PR
addresses only when chpass is requested but delete is also affected.
Fix both.
PR: 268002
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
krb5_ret_preincipal() returns a non-zero return code when
a garbage principal is passed to it. Unfortunately ret_principal_ent()
does not check the return code, with garbage pointing to what would
have been the principal. This results in a segfault when free() is
called.
PR: 267944, 267972
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
In addition to garbage realm data, also handle garbage dbname, acl_file,
stash_file, and invalid bitmask garbage data.
PR: 267912
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
Fix a NULL dereference in _kadm5_s_init_context() when the client
sends a mangled realm message.
PR: 267912
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
Should the sender send a string without a terminating NUL, ensure that
the NUL terminates the string regardless.
And while at it only process the version string when bytes are returned.
PR: 267884
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D37471
Part of ed549cb0c5 zeroed out a data structure in the resulting code-file
when a TUTCTime type was freed. This part of the patch applies to Heimdal
7.1+ and not our Heimdal 1.5.2.
PR: 267827
Reported by: Peter Much <pmc@citylink.dinoex.sub.org>
Tested by: Peter Much <pmc@citylink.dinoex.sub.org>
Fixes: ed549cb0c5
MFC after: TBD with philip@
The following issues are patched:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
on the Common Vulnerability Scoring System (CVSS) v3, as we believe
it should be possible to get an RCE on a KDC, which means that
credentials can be compromised that can be used to impersonate
anyone in a realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE types
used in Heimdal, though not all cases will be exploitable. We have
not completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
only affect Heimdal 1.6 and up. It was first reported by Douglas
Bagnall, though it had been found independently by the Heimdal
maintainers via fuzzing a few weeks earlier.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in protocol-transition
- CVE-2019-14870: Apply forwardable policy in protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
Sponsored by: so (philip)
Obtained from: so (philip)
Tested by: philip, cy
MFC after: immediately
Old versions of FreeBSD do not support using id 0 to refer to the
current pid for procctl, so pass getpid() explicitly.
Although this is not required in current FreeBSD branches I am merging
it to reduce differences with upstream.
Obtained from: OpenSSH commit 0f7e1eba5525
This appeared to be a copy-paste error from the "from" time case above.
Reported by: Coverity Scan
CID: 1500407
Reviewed by: markj
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37252
Release notes are available at https://www.openssh.com/txt/release-9.1
9.1 contains fixes for three minor memory safety problems; these have
lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.
Some highlights copied from the release notes:
Potentially-incompatible changes
--------------------------------
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
are now first-match-wins to match other directives. Previously
if an environment variable was multiply specified the last set
value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types)
will no longer generate DSA keys, as these are insecure and have
not been used by default for some years.
New features
------------
* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
RSA key length. Keys below this length will be ignored for user
authentication and for host authentication in sshd(8).
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension
request that allows the client to obtain user/group names that
correspond to a set of uids/gids.
* sftp(1): use "users-groups-by-id@openssh.com" sftp-server
extension (when available) to fill in user/group names for
directory listings.
* sftp-server(8): support the "home-directory" extension request
defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
a bit with the existing "expand-path@openssh.com", but some other
clients support it.
* ssh-keygen(1), sshd(8): allow certificate validity intervals,
sshsig verification times and authorized_keys expiry-time options
to accept dates in the UTC time zone in addition to the default
of interpreting them in the system time zone. YYYYMMDD and
YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
with a 'Z' character.
Also allow certificate validity intervals to be specified in raw
seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
is intended for use by regress tests and other tools that call
ssh-keygen as part of a CA workflow. bz3468
* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
"/usr/libexec/sftp-server -el debug3"
* ssh-keygen(1): allow the existing -U (use agent) flag to work
with "-Y sign" operations, where it will be interpreted to require
that the private keys is hosted in an agent; bz3429
MFC after: 2 weeks
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
We no longer use the pre- and post-merge scripts to strip/add RCS tags.
The tags have been removed from main, but persist on older branches.
While here renumber the steps in the update documentation using a more
conventional scheme.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36904
Nanobsd included copies of ssh_config and sshd_config. The former is
identical to the one provided by the base system, and the latter is
identical except for PermitRootLogin, which is updated by nanobsd's
cust_allow_ssh_root anyhow. Remove nanobsd's copies and use the
existing base system ones.
Reported by: Jose Luis Duran <jlduran@gmail.com> in D34937
Reviewed by: Jose Luis Duran <jlduran@gmail.com>, imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36933
Rename "HPN" to more general "Retired patches." We handle two now-
removed patches the same way: to avoid breaking existing configurations
we accept, but ignore, the option.
Sponsored by: The FreeBSD Foundation
FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f and later extended it to the client in
commit 9e2cbe04ff.
In 2012 upstream added support for server VersionAddendum, in commit
23528816dc10. They do not support it for the client.
The argument for supporting this in the client is not nearly as strong
as for the server, so retire this option to reduce the scope of our
local patch set. This also avoids some cases of conflicts in ssh_config
during update, as a user's configuration would typically follow the
commented-out default VersionAddendum value.
Reviewed by: gordon, glebius
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32930
Passwords may be accepted by both the PasswordAuthentication and
KbdInteractiveAuthentication authentication schemes. Add a reference to
the latter in the description/comment for PasswordAuthentication, as it
otherwise may seem that "PasswordAuthentication no" implies passwords
will be disallowed.
This situation should be clarified with more extensive documentation on
the authentication schemes and configuration options, but that should be
done in coordination with upstream OpenSSH. This is a minimal change
that will hopefully clarify the situation without requiring an extensive
local patch set.
PR: 263045
Reviewed by: manu (earlier version)
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35272
The PermitRootLogin option "prohibit-password" was added as a synonym
for "without-password" in 2015. Then in 2017 these were swapped:
"prohibit-password" became the canonical option and "without-password"
became a deprecated synonym (in OpenSSH commit 071325f458).
The UsePAM description in sshd_config still mentioned
"without-password." Update it to match the new canonical option.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
This removes a guard condition that prevents KTLS being enabled for
receiving in TLS 1.3. Use the correct sequence number and BIO for
receive vs transmit offload.
Approved by: jkim
Obtained from: OpenSSL commit 7c78932b9a4330fb7c8db72b3fb37cbff1401f8b
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34976
- Don't unpad records, check the outer record type, or extract the
inner record type from TLS 1.3 records handled by the kernel. KTLS
performs all of these steps and returns the inner record type in the
TLS header.
- When checking the length of a received TLS 1.3 record don't allow
for the extra byte for the nested record type when KTLS is used.
- Pass a pointer to the record type in the TLS header to the
SSL3_RT_INNER_CONTENT_TYPE message callback. For KTLS, the old
pointer pointed to the last byte of payload rather than the record
type. For the non-KTLS case, the TLS header has been updated with
the inner type before this callback is invoked.
Approved by: jkim
Obtained from: OpenSSL commit a5fb9605329fb939abb536c1604d44a511741624
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34975
When KTLS receive is enabled, pending data may still be present due to
read ahead. This data must still be processed the same as records
received without KTLS. To ease readability (especially in
consideration of additional checks which will be added for TLS 1.3),
add a helper variable 'using_ktls' that is true when the KTLS receive
path is being used to receive a record.
Approved by: jkim
Obtained from: OpenSSL commit 031132c297e54cbc20404a0bf8de6ed863196399
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34974
KTLS implementations currently assume that the start of the in-kernel
socket buffer is aligned with the start of a TLS record for the
receive side. The socket option to enable KTLS specifies the TLS
sequence number of this initial record.
When read ahead is enabled, data can be pending in the SSL read buffer
after negotiating session keys. This pending data must be examined to
ensurs that the kernel's socket buffer does not contain a partial TLS
record as well as to determine the correct sequence number of the
first TLS record to be processed by the kernel.
In preparation for enabling receive kernel offload for TLS 1.3, move
the existing logic to handle read ahead from t1_enc.c into ktls.c and
invoke it from ktls_configure_crypto().
Approved by: jkim
Obtained from: OpenSSL commit 85773128d0e80cd8dcc772a6931d385b8cf4acd1
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34973
In some corner cases the check for packets
which exceed the allowed record length was missing
when KTLS is initially enabled, when some
unprocessed packets are still pending.
Approved by: jkim
Obtained from: OpenSSL commit 8fff986d52606e1a33f9404504535e2e2aee3e8b
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34972
With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636 we replaced
WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it
to OPENSSL_VERSION_STRING.
A few years later OpenSSH made an equivalent change (with a different
macro name), in commit 4d94b031ff88. Switch to the macro name they
chose.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
After we moved to git $FreeBSD$ is no longer expanded and serves no
purpose. Remove them from OpenSSH to reduce diffs against upstream.
Sponsored by: The FreeBSD Foundation
We already set it earlier in do_setup_env().
Fixes: 19261079b7 ("openssh: update to OpenSSH v8.7p1")
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
upstream: clear io_want/io_ready flags at start of poll() cycle;
avoids plausible spin during rekeying if channel io_want flags are reused
across cycles. ok markus@ deraadt@
From upstream release notes https://www.openssh.com/txt/release-9.0
This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.
In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Release notes are available at https://www.openssh.com/txt/release-9.0
Some highlights:
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
exchange method by default ("sntrup761x25519-sha512@openssh.com").
The NTRU algorithm is believed to resist attacks enabled by future
quantum computers and is paired with the X25519 ECDH key exchange
(the previous default) as a backstop against any weaknesses in
NTRU Prime that may be discovered in the future. The combination
ensures that the hybrid exchange offers at least as good security
as the status quo.
* sftp-server(8): support the "copy-data" extension to allow server-
side copying of files/data, following the design in
draft-ietf-secsh-filexfer-extensions-00. bz2948
* sftp(1): add a "cp" command to allow the sftp client to perform
server-side file copies.
This commit excludes the scp(1) change to use the SFTP protocol by
default; that change will immediately follow.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.
* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.
Future deprecation notice
=========================
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
OpenSSH 8.8p1 removed RSA/SHA-1 signatures by default, but failed to
update sshd_config(5). It was updated upstream after the release in
b711bc01a7ec and da4035523406.
Fixes: 8c22023ca5 ("ssh: disable RSA/SHA-1 signatures")
Sponsored by: The FreeBSD Foundation
