aboutsummaryrefslogtreecommitdiff
path: root/crypto
Commit message (Collapse)AuthorAgeFilesLines
...
| * | Import OpenSSL 1.1.1j.vendor/openssl/1.1.1jJung-uk Kim2021-02-16111-52/+186
| | |
* | | openssh: port upgrade doc and script to gitEd Maste2021-02-142-18/+22
| | | | | | | | | | | | | | | Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28564
* | | ssh: remove ssh-hpn leftoversEd Maste2021-02-121-6/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This was introduced in 8998619212f3a, and left behind when the hpn-ssh patches were removed in 60c59fad8806. Although Being able to log SO_RCVBUF in debug mode might have some small value on its own, it's not worth carrying an extra diff against upstream. Reviewed by: kevans MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28610
* | | ssh: remove unused variableEd Maste2021-02-121-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This was introduced in 03f6c5cd93ec, which added use of sysctl net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED, but it appears the rest of that change was lost in some subsequent update. The change should probably be restored, but until then there is no reason to leave an unused variable around. MFC after: 3 days Sponsored by: The FreeBSD Foundation
* | | ssh: diff reduction against OpenBSD, remove unused includesEd Maste2021-02-122-2/+0
| | | | | | | | | | | | | | | | | | | | | These appear to be leftovers from ca86bcf2531c7 and f7167e0ea0bf5 MFC after: 3 days Sponsored by: The FreeBSD Foundation
* | | OpenSSL: Support for kernel TLS offload (KTLS)John Baldwin2021-01-2834-86/+1428
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This merges upstream patches from OpenSSL's master branch to add KTLS infrastructure for TLS 1.0-1.3 including both RX and TX offload and SSL_sendfile support on both Linux and FreeBSD. Note that TLS 1.3 only supports TX offload. A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with KTLS support. It defaults to enabled on amd64 and disabled on all other architectures. Reviewed by: jkim (earlier version) Approved by: secteam Obtained from: OpenSSL (patches from master) MFC after: 1 week Relnotes: yes Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D28273
* | | Merge OpenSSL 1.1.1i.Jung-uk Kim2020-12-0935-119/+186
|\| | | | | | | | | | | Notes: svn path=/head/; revision=368472
| * | Import OpenSSL 1.1.1i.vendor/openssl/1.1.1iJung-uk Kim2020-12-0819-73/+183
| | | | | | | | | | | | | | | Notes: svn path=/vendor-crypto/openssl/dist/; revision=368456 svn path=/vendor-crypto/openssl/1.1.1i/; revision=368457; tag=vendor/openssl/1.1.1i
* | | OpenSSL: address CVE-2020-1971Ed Maste2020-12-086-10/+89
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL commit 3db2c9f3: Complain if we are attempting to encode with an invalid ASN.1 template OpenSSL commit 43a7033: Check that multi-strings/CHOICE types don't use implicit tagging OpenSSL commit f960d812: Correctly compare EdiPartyName in GENERAL_NAME_cmp() Obtained from: OpenSSL 3db2c9f3, 43a7033, f960d812 Security: CVE-2020-1971 Notes: svn path=/head/; revision=368447
* | | Replace literal uses of /usr/local in C sources with _PATH_LOCALBASEStefan Eßer2020-10-271-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Literal references to /usr/local exist in a large number of files in the FreeBSD base system. Many are in contributed software, in configuration files, or in the documentation, but 19 uses have been identified in C source files or headers outside the contrib and sys/contrib directories. This commit makes it possible to set _PATH_LOCALBASE in paths.h to use a different prefix for locally installed software. In order to avoid changes to openssh source files, LOCALBASE is passed to the build via Makefiles under src/secure. While _PATH_LOCALBASE could have been used here, there is precedent in the construction of the path used to a xauth program which depends on the LOCALBASE value passed on the compiler command line to select a non-default directory. This could be changed in a later commit to make the openssh build consistently use _PATH_LOCALBASE. It is considered out-of-scope for this commit. Reviewed by: imp MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D26942 Notes: svn path=/head/; revision=367075
* | | Merge OpenSSL 1.1.1h.Jung-uk Kim2020-09-22250-3915/+2134
|\| | | | | | | | | | | Notes: svn path=/head/; revision=366004
| * | Import OpenSSL 1.1.1h.vendor/openssl/1.1.1hJung-uk Kim2020-09-2286-3246/+1210
| | | | | | | | | | | | | | | Notes: svn path=/vendor-crypto/openssl/dist/; revision=365997 svn path=/vendor-crypto/openssl/1.1.1h/; revision=365998; tag=vendor/openssl/1.1.1h
* | | Fix Clang version detection.Jung-uk Kim2020-08-2622-22/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We prepend "FreeBSD" to Clang version string. This broke compiler test for AVX instruction support. Reported by: jhb Notes: svn path=/head/; revision=364822
* | | sshd: allow UseBlocklist alias for UseBlacklistEd Maste2020-07-292-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | blacklistd has been renamed to blocklistd upstream, and a future import into FreeBSD will follow that change. Support the new name as an alias in config files. Reviewed by: bz, delphij MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D25865 Notes: svn path=/head/; revision=363657
* | | ssh: Remove AES-CBC ciphers from default server and client listsEd Maste2020-07-283-12/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A base system OpenSSH update in 2016 or so removed a number of ciphers from the default lists offered by the server/client, due to known weaknesses. This caused POLA issues for some users and prompted PR207679; the ciphers were restored to the default lists in r296634. When upstream removed these ciphers from the default server list, they moved them to the client-only default list. They were subsequently removed from the client default, in OpenSSH 7.9p1. The change has persisted long enough. Remove these extra ciphers from both the server and client default lists, in advance of FreeBSD 13. Reviewed by: markm, rgrimes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D25833 Notes: svn path=/head/; revision=363627
* | | openssh: refer to OpenSSL not SSLeay, part 2Ed Maste2020-07-152-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. This should have been part of r363225. Obtained from: OpenSSH-portable a65784c9f9c5 MFC with: r363225 Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=363235
* | | openssh: refer to OpenSSL not SSLeayEd Maste2020-07-152-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. Obtained from: OpenSSH-portable a65784c9f9c5 Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=363225
* | | Fix trailing-comma-related typos in the tree when the Xr macro is usedMateusz Piotrowski2020-06-271-1/+1
| | | | | | | | | | | | | | | | | | | | | MFC after: 1 week Notes: svn path=/head/; revision=362676
* | | Don't log normal login_getpwclass(3) result.Xin LI2020-06-261-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The logging was introduced in r314527 but doesn't appear to be useful for regular operation, and as the result, for users with no class set (very common) the administrator would see a message like this in their auth.log: sshd[44251]: user root login class [preauth] (note that the class was "" because that's what's typically configured for most users; we would get 'default' if lc->lc_class is chosen) Remove this log as it can be annoying as the lookup happen before authentication and repeats, and our code is not acting upon lc_class or pw_class directly anyways. Reviewed by: cem, imp MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D24997 Notes: svn path=/head/; revision=362642
* | | Merge OpenSSL 1.1.1g.Jung-uk Kim2020-04-2138-614/+1739
|\| | | | | | | | | | | Notes: svn path=/head/; revision=360175
| * | Import OpenSSL 1.1.1g.vendor/openssl/1.1.1gJung-uk Kim2020-04-2113-192/+1240
| | | | | | | | | | | | | | | Notes: svn path=/vendor-crypto/openssl/dist/; revision=360173 svn path=/vendor-crypto/openssl/1.1.1g/; revision=360174; tag=vendor/openssl/1.1.1g
* | | Fix OpenSSL remote denial of service.Gordon Tetlow2020-04-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | See https://www.openssl.org/news/secadv/20200421.txt for details. Approved by: so Security: CVE-2020-1967 Notes: svn path=/head/; revision=360146
* | | Merge OpenSSL 1.1.1f.Jung-uk Kim2020-03-3126-242/+267
|\| | | | | | | | | | | Notes: svn path=/head/; revision=359486
| * | Import OpenSSL 1.1.1f.vendor/openssl/1.1.1fJung-uk Kim2020-03-3114-217/+192
| | | | | | | | | | | | | | | Notes: svn path=/vendor-crypto/openssl/dist/; revision=359482 svn path=/vendor-crypto/openssl/1.1.1f/; revision=359483; tag=vendor/openssl/1.1.1f
* | | openssh: -fno-common fix from upstream f47d72ddadKyle Evans2020-03-291-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is currently staged in vendor/ as part of the 8.0p1 import, which isn't quite ready to land. Given that this is a simple one-line fix, apply it now as the fallout will be pretty minimal. -fno-common will become the default in GCC10/LLVM11. MFC after: 3 days Notes: svn path=/head/; revision=359424
* | | Merge OpenSSL 1.1.1e.Jung-uk Kim2020-03-18901-2971/+6878
|\| | | | | | | | | | | Notes: svn path=/head/; revision=359060
| * | Import OpenSSL 1.1.1e.vendor/openssl/1.1.1eJung-uk Kim2020-03-17730-3949/+2328
| | | | | | | | | | | | | | | Notes: svn path=/vendor-crypto/openssl/dist/; revision=359051 svn path=/vendor-crypto/openssl/1.1.1e/; revision=359052; tag=vendor/openssl/1.1.1e
* | | Add a note about deleted files in OpenSSH upgrade instructionsEd Maste2020-02-251-0/+5
| | | | | | | | | | | | Notes: svn path=/head/; revision=358323
* | | Update version in openssh FREEBSD-vendor metadataEd Maste2020-02-141-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | It appears that FREEBSD-vendor is an idea that never really took off and we should probably just remove it, but until then we might as well record the correct version. Notes: svn path=/head/; revision=357939
* | | Update OpenSSH upgrade instructions to use https, not ftpEd Maste2020-02-141-1/+1
| | | | | | | | | | | | | | | | | | | | | ftp://ftp.openbsd.org/ does not work. Notes: svn path=/head/; revision=357932
* | | Upgrade to OpenSSH 7.9p1.Ed Maste2020-02-1481-1756/+2557
|\ \ \ | | |/ | |/| | | | | | | | | | | | | | | | MFC after: 2 months Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=357926
* | | sshd: add upgrade process note about TCP wrappersEd Maste2020-02-141-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to add user-facing deprecation notices for TCP wrappers; start with a note in the upgrade process docmentation. Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=357925
* | | openssh: add a note about libwrap in config.hEd Maste2020-02-141-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | LIBWRAP is defined by the Makefile based on MK_TCP_WRAPPERS and should not be defined in config.h. PR: 210141 Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=357922
* | | sshd: make getpwclass wrapper MON_ISAUTH not MON_AUTHEd Maste2019-11-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In r339216 a privsep wrapper was added for login_getpwclass to address PR 231172. Unfortunately the change used the MON_AUTH flag in the wrapper, and MON_AUTH includes MON_AUTHDECIDE which triggers an auth_log() on each invocation. getpwclass() does not participate in the authentication decision, so should be MON_ISAUTH instead. PR: 234793 Submitted by: Henry Hu Reviewed by: Yuichiro NAITO MFC after: 1 week Notes: svn path=/head/; revision=354897
* | | Merge OpenSSL 1.1.1d.Jung-uk Kim2019-09-10269-10545/+2999
|\ \ \ | | |/ | |/| | | | Notes: svn path=/head/; revision=352191
| * | Import OpenSSL 1.1.1d.vendor/openssl/1.1.1dJung-uk Kim2019-09-10100-9867/+1673
| | | | | | | | | | | | | | | Notes: svn path=/vendor-crypto/openssl/dist/; revision=352163 svn path=/vendor-crypto/openssl/1.1.1d/; revision=352164; tag=vendor/openssl/1.1.1d
* | | Complete LOCAL_PEERCRED support. Cache pid of the remote process in theDmitry Chagin2019-05-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | struct xucred. Do not bump XUCRED_VERSION as struct layout is not changed. PR: 215202 Reviewed by: tijl MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D20415 Notes: svn path=/head/; revision=348419
* | | Merge OpenSSL 1.1.1c.Jung-uk Kim2019-05-28168-2108/+3528
|\| | | | | | | | | | | Notes: svn path=/head/; revision=348340
| * | Import OpenSSL 1.1.1c.vendor/openssl/1.1.1cJung-uk Kim2019-05-2872-754/+1882
| | | | | | | | | | | | | | | Notes: svn path=/vendor-crypto/openssl/dist/; revision=348333 svn path=/vendor-crypto/openssl/1.1.1c/; revision=348334; tag=vendor/openssl/1.1.1c
* | | Add workaround for a QoS-related bug in VMWare Workstation.Dag-Erling Smørgrav2019-03-271-0/+22
| | | | | | | | | | | | | | | | | | | | | | | | Submitted by: yuripv Differential Revision: https://reviews.freebsd.org/D18636 Notes: svn path=/head/; revision=345579
* | | Merge r345574 from vendor-crypto:Ed Maste2019-03-271-12/+270
|\ \ \ | | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | upstream: when checking that filenames sent by the server side match what the client requested, be prepared to handle shell-style brace alternations, e.g. "{foo,bar}". "looks good to me" millert@ + in snaps for the last week courtesy deraadt@ OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e Discussed with: des Obtained from: OpenSSH-portable 3d896c157c722bc47adca51a58dca859225b5874 Notes: svn path=/head/; revision=345576
* | | Merge OpenSSL 1.1.1b.Jung-uk Kim2019-02-26301-3540/+5472
|\ \ \ | | |/ | |/| | | | Notes: svn path=/head/; revision=344602
| * | Import OpenSSL 1.1.1b.vendor/openssl/1.1.1bJung-uk Kim2019-02-26100-2915/+4309
| | | | | | | | | | | | | | | Notes: svn path=/vendor-crypto/openssl/dist/; revision=344595 svn path=/vendor-crypto/openssl/1.1.1b/; revision=344596; tag=vendor/openssl/1.1.1b
* | | scp: validate filenames provided by server against wildcard in clientEd Maste2019-02-212-11/+42
|\ \ \ | | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSH-portable commits: check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@ OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda Minor patch conflict (getopt) resolved. Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc scp: add -T to usage(); OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899 Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8 PR: 234965 Approved by: des MFC after: 3 days Obtained from: OpenSSH-portable 391ffc4b9d, 2c21b75a7b Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D19076 Notes: svn path=/head/; revision=344449
* | | scp: disallow empty or current directoryEd Maste2019-01-151-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Obtained from: OpenBSD scp.c 1.198 Security: CVE-2018-20685 Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=343043
* | | Remove unused sqlite3 bundled with heimdal.Cy Schubert2019-01-096-139196/+0
| | | | | | | | | | | | | | | | | | | | | Reported by: delphij@ Notes: svn path=/head/; revision=342871
* | | Do not complain when /dev/crypto does not exist.Jung-uk Kim2018-12-141-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now the new devcrypto engine is enabled since r342009, many users started seeing "Could not open /dev/crypto: No such file or directory". Disable the annoying error message as it is not very useful anyway. Note the patch was submitted upstream. https://github.com/openssl/openssl/pull/7896 Notes: svn path=/head/; revision=342057
* | | Merge OpenSSL 1.1.1a.Jung-uk Kim2018-11-20145-1026/+2062
|\ \ \ | | |/ | |/| | | | Notes: svn path=/head/; revision=340703
| * | Import OpenSSL 1.1.1a.vendor/openssl/1.1.1aJung-uk Kim2018-11-2052-392/+734
| | | | | | | | | | | | | | | Notes: svn path=/vendor-crypto/openssl/dist/; revision=340690 svn path=/vendor-crypto/openssl/1.1.1a/; revision=340691; tag=vendor/openssl/1.1.1a
* | | Update SHLIB_VERSION_NUMBER following the OpenSSL shared libraryGlen Barber2018-10-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | number bump. Reported by: jkim Discussed with: kib MFC after: immediate Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=339741
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-04 10:22:05 +0000