| Commit message (Collapse) | Author | Age | Files | Lines |
This change fills out the requirements for doing vendor updates,
documents the new vendor update process, and guides whoever needs to do
the next version update a bit better than the documentation did prior to
this change so everyone can pitch in with version updates a bit better.
Convert the document to Markdown while here to make it easier to
render/print out the directions in a structured format.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D53190
|
When iterating over known addresses for the requested target host name,
skip those that are not supported by the running kernel.
MFC after: 1 week
PR: 195231
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D53588
|
This doesn't actually do anything useful, since getifaddrs() will only
return supported addresses. The root cause of the issue described in
the PR lies earlier in the connection timeline, around the start of the
ssh_create_socket() function.
This reverts commit e5ff8e7977434b150a66bb3e472c6d0e0f644cfa.
PR: 195231
|
When selecting an address to bind to, skip IPv4 addresses if the kernel
does not support the inet feature, and IPv6 addresses if the kernel does
not support the inet6 feature.
PR: 195231
MFC after: 1 week
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D53561
|
Apply openssh-portable commit 8b6c1f402feb by deraadt@openbsd.org
Obtained from: openssh-portable
PR: 288773
Reported by: wosch
Sponsored by: The FreeBSD Foundation
|
The .pc files generated in the root directory are used as part of the
build; they should never be installed. Use the versions from the
exporters subdirectory--which should be installed--as the .pc files
which are distributed with FreeBSD. This avoids the need for "fixing up"
these files after the fact (see `crypto/openssl/BSDmakefile` for more
details as part of this change).
Garbage collect `secure/lib/libcrypto/Makefile.version`, et al,
as they're orphaned files. They were technically unused prior to this
change as the vendor process properly embeds the version numbers in
various files, but this commit formalizes the removal.
This correction/clarification on the .pc files will be made in an
upcoming release of OpenSSL [1].
References:
1. https://github.com/openssl/openssl/issues/28803
Suggested by: Richard Levitte (OpenSSL project)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53043
|
These files contain build host paths and other configuration details
that can be regenerated via the standard vendor import process. Don't
clutter up the FreeBSD tree with these files.
Add the paths to .gitignore to prevent them from accidentally being
added in a future update.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53044
|
BLOCKLIST_NOTIFY() is called within a signal handler for the alarm after
the grace period has expired that may only take async-signal safe
actions.
Reviewed by: emaste
Fixes: e02003bce726 ("openssh: blocklist: Use NetBSD probes")
MFC after: 1 day
Differential Revision: https://reviews.freebsd.org/D53109
|
Follow up upstream rename from blacklist to blocklist.
- Old names and rc scripts are still valid, but emitting an ugly warning
- Old firewall rules and anchor names should work, but emitting an ugly
warning
- Old MK_BLACKLIST* knobs are wired to the new ones
Although care has been taken not to break current configurations, this
is a large patch containing mostly duplicated code. If issues arise, it
will be swiftly reverted.
Reviewed by: ivy (pkgbase)
Approved by: emaste (mentor)
MFC after: 2 days
Relnotes: yes
|
Fixes the ports that prefer static linking:
https://reviews.freebsd.org/D49277
Reviewed by: ivy, dch, cy
Sponsored by: SkunkWerks, GmbH
Differential Revision: https://reviews.freebsd.org/D52910
|
MFC with: 046c625e9382
Fixes: 046c625e9382 ("crypto/openssl: update to 3.5.4")
Reported by: Herbert J. Skuhra <herbert@gojira.at>
|
Commit 5000d023a446 added a new flag to the dump option.
This patch documents this new flag.
This is a content change.
MFC after: 3 days
Fixes: 5000d023a446 ("heimdal-kadmin: Add support for the -f dump option")
|
The "-f" dump option allows a dump of the Heimdal
KDC in a format that the MIT kdb5_util command can
load into a MIT KDC's database.
This makes transitioning from the Heimdal KDC to
the current MIT one feasible without having to
re-create the KDC database from scratch.
glebius@ did the initial work, cherry picking these
commits from the Heimdal sources on github and then doing
extensive merge conflict resolution and other fixes so
that it would build.
Heimdal commit fca5399 authored by Nico Williams:
Initial commit for second approach for multiple kvno. NOT TESTED!
Heimdal commit 57f1545 authored by Nico Williams:
Add support for writing to KDB and dumping HDB to MIT KDB dump format
Before this change Heimdal could read KDBs. Now it can write to
them too.
Heimdal can now also dump HDBs (including KDBs) in MIT format,
which can then be imported with kdb5_util load.
This is intended to help in migrations from MIT to Heimdal by
allowing migrations from Heimdal to MIT so that it is possible
to rollback from Heimdal to MIT should there be any issues. The
idea is to allow a) running Heimdal kdc/kadmind with a KDB, or
b) running Heimdal with an HDB converted from a KDB and then
rollback by dumping the HDB and loading a KDB.
Note that not all TL data types are supported, only two: last
password change and modify-by. This is the minimum necessary.
PKINIT users may need to add support for KRB5_TL_USER_CERTIFICATE,
and for databases with K/M history we may need to add KRB5_TL_MKVNO
support.
This resulted in a Heimdal kadmin that would dump
the KDC database in MIT format. However, there
were issues when this dump was loaded into the
current MIT KDC in FreeBSD current/15.0.
The changes I did to make the dump more useful are listed below:
When "-f MIT" is used for "kadmin -l dump" it writes
the dump out in MIT format. This dump format is understood
by the MIT kdb5_util command. The patch modifies the above
so that the MIT KDC's master key keytab file can be provided
as the argument to "-f" so that the principals are re-encrypted in
it. This allows any principal with at least one strong encryption
type key to work without needing a change_password.
The strong encryption types supported by the Heimdal KDC are:
aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96
The issues my changes address are:
- If there are weak encryption keys in a principal's entry,
MIT's kadmin.local will report that the principal's entry
is incomplete or corrupted.
- The keys are encrypted in Heimdal's master key. The
"-d" option can be used on the "kadmin -l dump" to
de-encrypt them, but the passwords will not work on the
current MIT KDC.
To try and deal with the above issues, this patch modified the above to:
- Does not dump the weak keys.
- Re-encrypts the strong keys in MIT's master key if the argument
to "-f" is actually a filename which holds the MIT KDC's
master key keytab and not "MIT".
- For principals that only have weak keys, it generates
a fake strong key. This key will not work on the MIT
KDC, but the principal entry will work once a
change_password is done to it.
- It always generates a "modified_by" entry, faking one if
not already present in the Heimdal KDC database.
This was necessary, since the MIT kadmin will
report that the principal entry is "incomplete or
corrupted" without one.
It also fixed a problem where "get principal" no longer
worked after the initial patch was applied.
A man page update will be done as a separate commit.
I believe this commit is acceptable since the Heimdal
sources are now essentially deprecated in favor of the
MIT sources and that this new "-f" patch simplifies
the transition to the MIT KDC.
Discussed with: glebius, cy
MFC after: 3 days
|
This change includes all necessary changes required to update to OpenSSL
3.5.4.
More information about the 3.5.4 release can be found in the relevant
release notes (see 8e12a5c4eb3507846b5 for more details).
Merge commit '8e12a5c4eb3507846b507d0afe87d115af41df40'
|
This change adds OpenSSL 3.5.4 from upstream [1].
The 3.5.4 artifact has been verified via PGP key [2] and by SHA256 checksum [3].
This is a security release, but also contains several bugfixes.
More information about the release (from a high level) can be found in
the release notes [4].
1. https://github.com/openssl/openssl/releases/download/openssl-3.5.4/openssl-3.5.4.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.4/openssl-3.5.4.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.4/openssl-3.5.4.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.4/NEWS.md
|
Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230)
Timing side-channel in SM2 algorithm on 64 bit ARM (CVE-2025-9231)
Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232)
Obtained from: OpenSSL
Approved by: so
Security: FreeBSD-SA-25:08.openssl
Security: CVE-2025-9230
Security: CVE-2025-9231
Security: CVE-2025-9232
|
Use NetBSD probe locations for consistency. We have submitted all
improved or missing probes, keeping them synchronized with NetBSD (our
blocklist upstream) should simplify upgrades and maintenance, as the
locations of these probes are a moving target, depending on upstream
OpenSSH changes.
Additionally, use BLACKLIST_AUTH_FAIL exclusively for now. At the time
of this commit BLACKLIST_BAD_USER is a no-op. However, it will change
in a future upgrade.
Also, enhance blacklist notification messages for better debugging by
making them more descriptive.
Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52749
|
This change updates the build artifacts to match the 3.5.3 release. Much
of the change involves updating version numbers and release dates to
match the release version's metadata.
MFC after: 1 week
MFC with: 88b8b7f0c4e9948667a2279e78e975a784049cba
|
This change updates the sources for crypto/openssl. The subsequent
commit will update the build artifacts to match the 3.5.3 release.
More details about the update can be found in the related vendor branch
commits.
MFC after: 1 week
Merge commit 'aed904c48f330dc76da942a8ee2d6eef9d11f572'
|
This change adds OpenSSL 3.5.3 from upstream [1].
The 3.5.3 artifact has been verified via PGP key [2] and by SHA256 checksum [3].
This is a minor release with a single major bugfix to multithreading
support with `OSSL_STORE_CTX`.
More information about the release (from a high level) can be found in
the release notes [4].
1. https://github.com/openssl/openssl/releases/download/openssl-3.5.3/openssl-3.5.3.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.3/openssl-3.5.3.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.3/openssl-3.5.3.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.3/NEWS.md
|
Sources obtained from [1] and verified via the organization's PGP key [2].
1. https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz.asc
|
Tests contains a file that contains spaces in it. This causes the
freebsd-update build scripts some issues. As we don't need the tests
directory let's simply remove it.
MFC after: 3 days or as determined by re@
MFC to: stable/15
|
Prior to this change, CC was not being passed through to Configure,
which was resulting in failures when Configure was running compiler
checks.
Pass through CC via `WRK_ENV` to Configure so the compiler is defined
properly as part of the initial build.
MFC after: 1 month
Fixes: d18058b7b850 ("crypto/openssl: apply polish to new vendor import process")
Differential Revision: https://reviews.freebsd.org/D52595
|
This change does the following 2 things:
- Makes the build more repeatable by isolating the environment. This
prevents bmake from leaking variables into gmake and makes the overall
process a bit more robust.
- Add debug printouts to make the process more straightforward to the
reader and whoever is doing the current vendor import.
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D52420
|
FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f88 and later extended it to the client in
commit 9e2cbe04ff4f.
In 2012 upstream added support for server VersionAddendum, in commit
23528816dc10. They did not add client support.
We removed the client support in commit bffe60ead024 ("ssh: retire
client VersionAddendum").
As of the 10.0p2 release upstream has added client-side VersionAddendum.
Make note of this in FREEBSD-upgrade's patches section.
Sponsored by: The FreeBSD Foundation
|
Full release notes are available at
https://www.openssh.com/txt/release-10.0
Selected highlights from the release notes:
Potentially-incompatible changes
- This release removes support for the weak DSA signature algorithm.
[This change was previously merged to FreeBSD main.]
- This release has the version number 10.0 and announces itself as
"SSH-2.0-OpenSSH_10.0". Software that naively matches versions using
patterns like "OpenSSH_1*" may be confused by this.
- sshd(8): this release removes the code responsible for the user
authentication phase of the protocol from the per-connection
sshd-session binary to a new sshd-auth binary.
Security
- sshd(8): fix the DisableForwarding directive, which was failing to
disable X11 forwarding and agent forwarding as documented.
[This change was previously merged to FreeBSD main.]
New features
- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now
used by default for key agreement.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51630
|
Reviewed by: des
Differential revision: https://reviews.freebsd.org/D52100
Merge commit 'e5fe63eaf1d35ebbeac17eeed04cf873fbb9b3da' into main
|
Requested by des in D52100.
|
This change adds a custom BSD makefile containing multiple high-level PHONY
targets, similar to targets provided by the ports framework.
The Makefile does the following:
- Reruns Configure with a deterministic set of arguments to ensure that
all appropriate features have been enabled/disabled in OpenSSL.
- Preens the pkgconfig files to remove duplicate paths in their
`CFLAGS` and `includedir` variables.
- Rebuilds all ASM files to ensure that the content contained is fresh.
- Rebuilds all manpages to ensure that the content contained in the
manpages is fresh.
Some additional work needs to be done to make the manpage regeneration
"operation" reproducible (the date the manpages were generated is
embedded in the files).
All dynamic configuration previously captured in
`include/openssl/configuration.h` and `include/crypto/bn_conf.h` has been
moved to `freebsd/include/dynamic_freebsd_configuration.h` and
`freebsd/include/crypto/bn_conf.h`, respectively. This helps
ensure that future updates don't wipe out FreeBSD customizations to
these files, which tune behavior on a per-target architecture basis, e.g.,
ARM vs x86, 32-bit vs 64-bit, etc.
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D51663
|
According to https://krbdev.mit.edu/rt/Ticket/Display.html?id=9181,
the function verify_mic_v3() in src/lib/gssapi/krb5/verify_mic.c
calls kg_verify_checksum_v3() as it returns an OM_uint32 status
but kg_verify_checksum_v3() returns a krb5_boolean which has
the opposite interpretation:
- OM_uint32 0 is GSS_S_COMPLETE so no error
- krb5_boolean 0 is false so failure
This patch will be in MIT KRB5 1.22.1.
Obtained from: Greg Hudson <rt@krbdev.mit.edu> on krbdev.mit.edu ML.
Reviewed by: ivy, ngie
Differential review: https://reviews.freebsd.org/D51990
|
This reverts commit 239e8c98636a7578cc67a6f9d54d14c71b095e36.
Fixes: 9da2fe96ff ("kern: fix setgroups(2) and getgroups(2) [...]")
|
Merge commit 'd82a140dad3a571d66abb2da24acbba90191f168'
|
Current and traditional FreeBSD behavior means that getegid() here is
the first element in the prior setgroups() call, if any, so we may
inadvertently wipe out our rgid with the unprivileged gid. This is
rendered somewhat harmless by the fact that we're losing the privileged
gid -- we'll still regain it as the egid in restore_uid() later by way
of restoring saved_egroups, rather than by intentionally restoring it
from getgid().
This will be promptly reverted if we can get setgroups(2)/getgroups(2)
changed in FreeBSD 15.0, but it seemed wise to get this technically
correct for previous branches.
Reviewed by: jlduran
Differential Revision: https://reviews.freebsd.org/D51753
|
Migrate to OpenSSL 3.5 in advance of FreeBSD 15.0. OpenSSL 3.0 will be
EOL after 2026-09-07.
Approved by: philip (mentor)
Sponsored by: Alpha-Omega Beach Cleaning Project
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D51613
|
Approved by: philip (mentor)
Sponsored by: Alpha-Omega Beach Cleaning Project
Sponsored by: The FreeBSD Foundation
|
This change adds OpenSSL 3.5.1 from upstream [1].
The 3.5.1 artifact has been verified via PGP key [2] and by SHA256 checksum [3].
More information about the release (from a high level) can be found in
the release notes [4].
1. https://github.com/openssl/openssl/releases/download/openssl-3.5.1/openssl-3.5.1.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.1/openssl-3.5.1.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.1/openssl-3.5.1.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.1/NEWS.md
Reviewed by: ngie, philip
Approved by: philip (mentor)
Sponsored by: The FreeBSD Foundation
|
This change completes the import of OpenSSL 3.5.0 from upstream.
The source archive has been verified via PGP and SHA256:
1. https://github.com/openssl/openssl/releases/download/openssl-3.5.0/openssl-3.5.0.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.0/openssl-3.5.0.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.0/openssl-3.5.0.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.0/NEWS.md
Reviewed by: ngie, philip
Approved by: philip (mentor)
Sponsored by: The FreeBSD Foundation
|
This change adds OpenSSL 3.5.0 from upstream [1].
The 3.5.0 artifact has been verified via PGP key [2] and by SHA256 checksum [3].
More information about the release (from a high level) can be found in
the release notes [4].
1. https://github.com/openssl/openssl/releases/download/openssl-3.5.0/openssl-3.5.0.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.0/openssl-3.5.0.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.0/openssl-3.5.0.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.0/NEWS.md
|
This stub isn't actually used on modern versions of OpenSSL for which
OpenSSH uses EVP_CIPHER_CTX_get_updated_iv instead via a wrapper macro.
However, the wrapper macro conflicted with the existing namespace
macro triggering an error on GCC:
    In file included from crypto/openssh/sshd-session.c:65:
    crypto/openssh/openbsd-compat/openssl-compat.h:71:11: error: "EVP_CIPHER_CTX_get_iv" redefined [-Werror]
       71 | # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv
          | ^~~~~~~~~~~~~~~~~~~~~
    In file included from <command-line>:
    crypto/openssh/ssh_namespace.h:12:9: note: this is the location of the previous definition
       12 | #define EVP_CIPHER_CTX_get_iv Fssh_EVP_CIPHER_CTX_get_iv
          | ^~~~~~~~~~~~~~~~~~~~~
The error was masked on clang due to MIT krb5 adding a blanket
-Wno-macro-redefined. Building sshd-session without Kerberos support
was sufficient to trigger a warning from clang.
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D51810
|
This was previously included due to nested includes in Heimdal's
headers. Without this, the build fails with an error due to redefining
AT_FDCWD.
clang:
    In file included from crypto/openssh/sshd-session.c:46:
    /usr/obj/.../tmp/usr/include/fcntl.h:232:9: error: 'AT_FDCWD' macro redefined [-Werror,-Wmacro-redefined]
      232 | #define AT_FDCWD -100
          | ^
    crypto/openssh/openbsd-compat/bsd-misc.h:69:10: note: previous definition is here
       69 | # define AT_FDCWD (-2)
          | ^
GCC (can't be disabled):
    In file included from crypto/openssh/sshd-session.c:46:
    sys/sys/fcntl.h:232:9: error: "AT_FDCWD" redefined [-Werror]
      232 | #define AT_FDCWD -100
          | ^~~~~~~~
    In file included from crypto/openssh/openbsd-compat/openbsd-compat.h:218,
    from crypto/openssh/includes.h:173,
    from crypto/openssh/sshd-session.c:30:
    openssh/openbsd-compat/bsd-misc.h:69:10: note: this is the location of the previous definition
       69 | # define AT_FDCWD (-2)
          | ^~~~~~~~
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D51809
|
This conflicts with ALIGN() from <sys/param.h>. Rather than trying
to excise <sys/param.h> from all of krb5, rename the macro.
Reviewed by: des (previous version), cy
Differential Revision: https://reviews.freebsd.org/D51574
|
Upstream had a poor description for KbdInteractiveAuthentication prior
to the 10.0p2 release. We use KbdInteractiveAuthentication for PAM
authentication, and we replaced the poor description with a note about
use by PAM.
In 10.0p2 the upstream description has been fixed. Incorporate that
text now as it is an improvement and avoids a conflict in the upcoming
10.0p2 import.
Reviewed by: jhb
Sponsored by: The FreeBSD Foundation
|
libedit breaks the bootstrap on MacOS and Linux.
Activate libedit only for the regular build, not for the bootstrap
tools.
While here, fix the definition of the dependency chain between
libkrb5ss and libedit (and libtinfow) via src.libnames.mk.
Remove a local patch to find the readline compatible header and
find them via proper CFLAGS.
|
Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.
Add MIT KRB5 LIBS and INCLUDES to the openssh build.
Sponsored by: The FreeBSD Foundation
Reviewed by: markj
Differential revision: https://reviews.freebsd.org/D50782
|
These patches fix the MIT KRB5 on FreeBSD. Some are obtained from
ports/security/krb5-121.
Sponsored by: The FreeBSD Foundation
|
Import MIT KRB5 1.21.3, which will gracefully replace KTH Heimdal.
The tarball used in this import is the same tarball used in
ports/krb5-121.
The Makefiles to add MIT KRB5 to the build will be added later.
Obtained from: http://web.mit.edu/kerberos/dist/
Sponsored by: The FreeBSD Foundation
Add 'crypto/krb5/' from commit '8f7d3ef26dec89a92ec0665de84a5936310a5574'
git-subtree-dir: crypto/krb5
git-subtree-mainline: bf6873c5786e333d679a7838d28812febf479a8a
git-subtree-split: 8f7d3ef26dec89a92ec0665de84a5936310a5574
|
Also remove some dead assignments.
Obtained from: openssl (e78c8b791c0e03e750ef7196bc7bfee8e5bd00a0)
MFC after: 2 weeks
Requested by: Phillip Sabatino
Sponsored by: Dell, Inc.
|
The net result of this change is the removal of a few comments from
config.h; it has no direct user-facing impact as DSA was already
disabled as of commit 0b707d5fe8b6 ("ssh: Disable support for DSA
keys").
Reviewed by: jlduran, philip
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D49739
|
DSA is deprecated and upstream OpenSSH is in the process of removing it.
From OpenSSH-portable 10.0, cherry-pick the configure change so that we
can independently decide what to merge to stable branches.
This change has no direct user-facing impact, as the upstream configure
script is not used in the FreeBSD build process. It is worth noting as
part of OpenSSH's full removal of DSA support.
Reviewed by: jlduran, philip
Relnotes: Yes
Obtained from: OpenSSH-portable 6c9872faa1c2
Sponsored by: The FreeBSD Foundation
|
This option was documented as disabling X11 and agent forwarding but it
failed to do so. Spotted by Tim Rice.
Obtained from: OpenBSD d31ec64016fc
Sponsored by: The FreeBSD Foundation
|