aboutsummaryrefslogtreecommitdiff
path: root/secure/usr.bin
Commit message (Collapse)AuthorAgeFilesLines
* crypto/openssl: update generated files to match 3.5.4 artifactsEnji Cooper2025-10-0761-61/+61
| | | | | | MFC with: 046c625e9382 Fixes: 046c625e9382 ("crypto/openssl: update to 3.5.4") Reported by: Herbert J. Skuhra <herbert@gojira.at>
* crypto/openssl: update build artifacts for the 3.5.3 releaseEnji Cooper2025-09-2261-71/+70
| | | | | | | | | This change updates the build artifacts to match the 3.5.3 release. Much of the change involves updating version numbers and release dates to match the release version's metadata. MFC after: 1 week MFC with: 88b8b7f0c4e9948667a2279e78e975a784049cba
* Remove MK_GSSAPILexi Winter2025-08-201-1/+1
| | | | | | | | | | | | | | | For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of Kerberos and is always built if MK_KERBEROS is enabled. Backport this behaviour to Heimdal so it works the same way. While here, change Heimdal's libcom_err and compile_et to be selected by MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos and third-party users might need it even if Kerberos support is disabled in the base system. This means MK_KERBEROS_SUPPORT installs the same files with both MIT and Heimdal. Reviewed by: cy Differential Revision: https://reviews.freebsd.org/D51859
* openssl: Import version 3.5.1Pierre Pronchery2025-08-0763-9192/+6356
| | | | | | | | | | Migrate to OpenSSL 3.5 in advance of FreeBSD 15.0. OpenSSL 3.0 will be EOL after 2026-09-07. Approved by: philip (mentor) Sponsored by: Alpha-Omega Beach Cleaning Project Sponsored by: The FreeBSD Foundation Differential revision: https://reviews.freebsd.org/D51613
* gssapi,krb5: Replace libgssapi with the MIT versionCy Schubert2025-08-071-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | lib/libgssapi is based on Heimdal. As on Linux systems, the MIT libgssapi_krb5 replaces it. With both gssapi libraries and header files installed results in broken buildworld (gssd) and ports that will not build without modifications to support the MIT gssapi in an alternate location. 73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps using MIT KRB5 gssapi functions and structures will fail to build without this patch. This patch includes a temporary patch to usr.sbin/gssd to allow it to build with this patch. rmacklem@ has a patch for this and for kgssapi that uses this patch to resolve kgssapi issues for NFS with Kerberos. This patch is an updated version of D51661 to allow it to build following additional patchs to the tree. This should have been implmented with 7e35117eb07f. Fixes: 7e35117eb07f, 73ed0c7992fd Differential Revision: https://reviews.freebsd.org/D51661
* secure: Add ssh-sk-client to all consumers of libsshJohn Baldwin2025-04-222-2/+2
| | | | | | | These all failed to link with ld.bfd used by GCC due to Fssh_sshsk_sign being an unresolved symbol. Fixes: 65d8491719bb ("secure: Adapt Makefile to ssh-sk-client everywhere")
* secure: Adapt Makefile to ssh-sk-client everywhereJose Luis Duran2025-04-175-6/+5
| | | | | | | | | Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere") adapted the Makefiles to ssh-sk-client. Do the same here. Reviewed by: emaste Approved by: emaste (mentor) Differential Revision: https://reviews.freebsd.org/D49795
* secure: Rearrange Makefile SRCS to match upstream Makefile.inJose Luis Duran2025-04-173-4/+3
| | | | | | | | | | | SRCS entries are kept in the same order and with the same line breaks as upstream, to make comparison easier. No functional change intended. Reviewed by: emaste Approved by: emaste (mentor) Differential Revision: https://reviews.freebsd.org/D49793
* ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mkEd Maste2025-02-207-44/+2
| | | | | | | | | | | Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS handling there. Reviewed by: kevans Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31896
* ssh: tidy include handlingEd Maste2025-02-201-2/+0
| | | | | | | | | | | Centralize optional krb5_config.h handling in ssh.mk. Do not add headers (that are committed to the src tree) to SRCS as there is no need. Reviewed by: imp, jlduran, kevans (all earlier) MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34409
* ssh: Move XAUTH_PATH setting to ssh.mkEd Maste2025-02-101-4/+0
| | | | | | | | | | | | | | XAUTH_PATH is normally set (in the upstream build infrastructure) in config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE is set, and over time have sometimes also defined it in config.h. Leave it unset in config.h and move the CFLAGS logic to to ssh.mk so that it will be set when building all ssh libraries and programs but still be set by LOCALBASE. Reviewed by: jlduran Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48907
* manuals: Remove trailing spacesGraham Percival2024-11-041-1/+1
| | | | | | | | | | This does not change the rendered ascii at all. Signed-off-by: Graham Percival <gperciva@tarsnap.com> Reviewed by: mhorne, Alexander Ziaee <concussious.bugzilla@runbox.com> MFC after: 3 days Sponsored by: Tarsnap Backup Inc. Pull Request: https://github.com/freebsd/freebsd-src/pull/1473
* Remove residual blank line at start of MakefileWarner Losh2024-07-1511-11/+0
| | | | | | | This is a residual of the $FreeBSD$ removal. MFC After: 3 days (though I'll just run the command on the branches) Sponsored by: Netflix
* ssh: Update to OpenSSH 9.6p1Ed Maste2024-01-051-1/+1
| | | | | | | | | | | | | | | | From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation
* secure: Remove ancient SCCS tags.Warner Losh2023-11-2760-120/+0
| | | | | | | | Remove ancient SCCS tags from the tree, automated scripting, with two minor fixup to keep things compiling. All the common forms in the tree were removed with a perl script. Sponsored by: Netflix
* OpenSSL: update to 3.0.11Pierre Pronchery2023-10-0960-197/+206
| | | | | | | | | | OpenSSL 3.0.11 addresses: POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) Relnotes: Yes Pull request: https://github.com/freebsd/freebsd-src/pull/852 Sponsored by: The FreeBSD Foundation
* Remove $FreeBSD$: one-line sh patternWarner Losh2023-08-1622-22/+0
| | | | Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
* OpenSSL: update to 3.0.10Pierre Pronchery2023-08-1060-87/+102
| | | | | | | | | | | | | OpenSSL 3.0.10 addresses: - CVE-2023-3817 - CVE-2023-3446 - CVE-2023-2975 (Note that the vendor branch commit incorrectly referenced 3.0.9.) Relnotes: Yes Pull request: https://github.com/freebsd/freebsd-src/pull/808 Sponsored by: The FreeBSD Foundation
* Merge OpenSSL 3.0.9Pierre Pronchery2023-06-2366-6451/+12456
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the version we were previously using) will be EOL as of 2023-09-11. Most of the base system has already been updated for a seamless switch to OpenSSL 3.0. For many components we've added `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version, which avoids deprecation warnings from OpenSSL 3.0. Changes have also been made to avoid OpenSSL APIs that were already deprecated in OpenSSL 1.1.1. The process of updating to contemporary APIs can continue after this merge. Additional changes are still required for libarchive and Kerberos- related libraries or tools; workarounds will immediately follow this commit. Fixes are in progress in the upstream projects and will be incorporated when those are next updated. There are some performance regressions in benchmarks (certain tests in `openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy). Investigation will continue for these. Netflix's testing showed no functional regression and a rather small, albeit statistically significant, increase in CPU consumption with OpenSSL 3.0. Thanks to ngie@ and des@ for updating base system components, to antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to Netflix and everyone who tested prior to commit or contributed to this update in other ways. PR: 271615 PR: 271656 [exp-run] Relnotes: Yes Sponsored by: The FreeBSD Foundation
* OpenSSL: Regen manual pages for OpenSSL 1.1.1uJung-uk Kim2023-05-3049-49/+49
|
* Update/fix Makefile.depend for userlandSimon J. Gerraty2023-04-198-32/+1
|
* OpenSSL: Regen manual pages for OpenSSL 1.1.1tJung-uk Kim2023-02-0749-49/+49
|
* OpenSSL: Regen manual pages for OpenSSL 1.1.1sJung-uk Kim2022-11-0149-59/+63
|
* ssh: update to OpenSSH 9.1p1Ed Maste2022-10-191-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
* OpenSSL: Regen manual pages for OpenSSL 1.1.1qJung-uk Kim2022-07-0549-49/+49
|
* OpenSSL: Regen manual pages for OpenSSL 1.1.1pJung-uk Kim2022-06-2149-98/+98
|
* OpenSSL: Merge OpenSSL 1.1.1oJung-uk Kim2022-05-0349-49/+49
|
* OpenSSL: Merge OpenSSL 1.1.1nJung-uk Kim2022-03-1549-50/+53
|
* OpenSSL: Merge OpenSSL 1.1.1mJung-uk Kim2021-12-1449-52/+61
|
* ssh: move common Makefile boilerplate to a new ssh.mkEd Maste2021-11-037-15/+7
| | | | | | | | | | This moves SSHDIR and ssh_namespace.h handling to a common location, and will simplify future work such as adding U2F support (D32509). Reviewed by: kevans MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32808
* openssh: update to OpenSSH v8.7p1Ed Maste2021-09-083-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
* OpenSSL: Regen manual pages for 1.1.1lJung-uk Kim2021-09-0149-102/+102
|
* pkgbase: Put openssl in its own packageEmmanuel Vadot2021-05-131-0/+1
| | | | | | | | This is useful for upgrade and also to make tiny jail so they won't depend on FreeBSD-utilities (where openssl was packaged before). MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D30081
* Revert "Add workaround for a QoS-related bug in VMWare Workstation."Ed Maste2021-04-251-3/+0
| | | | | | | | | | | | | | | This reverts commit 77c2fe20df6a9a7c1a353e1a4ab2ba80fefab881. The VMware Workstation issue was fixed in 2019[1], and we'd rather not carry unnecessary local changes in OpenSSH. [1] https://communities.vmware.com/t5/VMware-Workstation-Pro/Regression-ssh-results-in-broken-pipe-upon-connecting-in-Vmware/m-p/486105/highlight/true#M25470 PR: 234426 Discussed with: yuripv Approved by: des MFC after: 2 weeks Sponsored by: The FreeBSD Foundation
* OpenSSL: Regen manual pages for 1.1.1kJung-uk Kim2021-03-2549-49/+49
|
* OpenSSL: Regen manual pages for OpenSSL 1.1.1j.Jung-uk Kim2021-02-1650-106/+106
|
* OpenSSL: Regenerate manual pages.Jung-uk Kim2021-01-2849-51/+51
| | | | MFC after: 1 week
* Merge OpenSSL 1.1.1i.Jung-uk Kim2020-12-0947-98/+102
| | | | Notes: svn path=/head/; revision=368472
* Replace literal uses of /usr/local in C sources with _PATH_LOCALBASEStefan Eßer2020-10-271-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | Literal references to /usr/local exist in a large number of files in the FreeBSD base system. Many are in contributed software, in configuration files, or in the documentation, but 19 uses have been identified in C source files or headers outside the contrib and sys/contrib directories. This commit makes it possible to set _PATH_LOCALBASE in paths.h to use a different prefix for locally installed software. In order to avoid changes to openssh source files, LOCALBASE is passed to the build via Makefiles under src/secure. While _PATH_LOCALBASE could have been used here, there is precedent in the construction of the path used to a xauth program which depends on the LOCALBASE value passed on the compiler command line to select a non-default directory. This could be changed in a later commit to make the openssh build consistently use _PATH_LOCALBASE. It is considered out-of-scope for this commit. Reviewed by: imp MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D26942 Notes: svn path=/head/; revision=367075
* Merge OpenSSL 1.1.1h.Jung-uk Kim2020-09-2249-195/+197
| | | | Notes: svn path=/head/; revision=366004
* Merge OpenSSL 1.1.1g.Jung-uk Kim2020-04-2149-51/+51
| | | | Notes: svn path=/head/; revision=360175
* Merge OpenSSL 1.1.1f.Jung-uk Kim2020-03-3149-49/+49
| | | | Notes: svn path=/head/; revision=359486
* Merge OpenSSL 1.1.1e.Jung-uk Kim2020-03-1849-121/+167
| | | | Notes: svn path=/head/; revision=359060
* Update Makefile.depend filesSimon J. Gerraty2019-12-111-2/+2
| | | | | | | | | | | | | Update a bunch of Makefile.depend files as a result of adding Makefile.depend.options files Reviewed by: bdrewery MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D22494 Notes: svn path=/head/; revision=355617
* Add Makefile.depend.optionsSimon J. Gerraty2019-12-111-0/+6
| | | | | | | | | | | | | | | | | | | | Leaf directories that have dependencies impacted by options need a Makefile.depend.options file to avoid churn in Makefile.depend DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc can be set in local.dirdeps-options.mk which can add to those set in Makefile.depend.options See share/mk/dirdeps-options.mk Reviewed by: bdrewery MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D22469 Notes: svn path=/head/; revision=355616
* Merge OpenSSL 1.1.1d.Jung-uk Kim2019-09-1049-110/+111
| | | | Notes: svn path=/head/; revision=352191
* Merge OpenSSL 1.1.1c.Jung-uk Kim2019-05-2849-69/+69
| | | | Notes: svn path=/head/; revision=348340
* Add workaround for a QoS-related bug in VMWare Workstation.Dag-Erling Smørgrav2019-03-271-0/+3
| | | | | | | | Submitted by: yuripv Differential Revision: https://reviews.freebsd.org/D18636 Notes: svn path=/head/; revision=345579
* Merge OpenSSL 1.1.1b.Jung-uk Kim2019-02-2649-678/+898
| | | | Notes: svn path=/head/; revision=344602
* Merge OpenSSL 1.1.1a.Jung-uk Kim2018-11-2049-106/+167
| | | | Notes: svn path=/head/; revision=340703
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-15 22:52:31 +0000