| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
1. https://github.com/openssl/openssl/commit/34ab13b7d8e3e723adb60be8142e38b7c9cd382a
needs to be merged for ELFv2 support on big-endian.
2. crypto/openssl/crypto/ppccap.c needs to be patched.
Same reason as in https://github.com/openssl/openssl/pull/17082.
Approved by: jkim, jhibbits
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33076
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):
This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication. In OpenSSH FIDO devices are supported by new public
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
certificate types.
ssh-keygen(1) may be used to generate a FIDO token-backed key, after
which they may be used much like any other key type supported by
OpenSSH, so long as the hardware token is attached when the keys are
used. FIDO tokens also generally require the user explicitly
authorise operations by touching or tapping them.
Generating a FIDO key requires the token be attached, and will
usually require the user tap the token to confirm the operation:
$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your security key to authorize key generation.
Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub
This will yield a public and private key-pair. The private key file
should be useless to an attacker who does not have access to the
physical token. After generation, this key may be used like any
other supported key in OpenSSH and may be listed in authorized_keys,
added to ssh-agent(1), etc. The only additional stipulation is that
the FIDO token that the key belongs to must be attached when the key
is used.
To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).
devd integration is not included in this change, and is under
investigation for the base system. In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.
Reviewed by: delphij, kevans
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32509
|
|
|
|
|
|
|
|
|
|
| |
This moves SSHDIR and ssh_namespace.h handling to a common location,
and will simplify future work such as adding U2F support (D32509).
Reviewed by: kevans
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32808
|
|
|
|
|
|
|
| |
SRCS entries are kept in the same order and with the same line breaks
as upstream, to make comparison easier.
Reported by: des
|
|
|
|
|
|
|
|
|
|
|
|
| |
Link against the ssh-sk-helper client rather than the sk internal
implementation.
PR: 258384
Tested by: madpilot
Fixes: f448c3ed4ae1 ("openssh: Add new source files to libssl")
Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32529
|
|
|
|
|
|
|
|
|
| |
Add some new OpenSSH v8.7p1 source files to the ones being used to
build libssl to avoid missing symbols.
PR: 258384
Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1")
Approved by: kevans (src)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.
Additional integration work is needed to support FIDO/U2F in the base
system.
Deprecation Notice
------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.
Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
|
|
|
|
|
| |
- Four (4) added
- Two (2) removed
|
|
|
|
| |
No functional change expected.
|
| |
|
|
|
|
|
|
|
| |
Old certctl commands still work for compatability, but are deprecated.
Approved by: secteam (gordon)
Differential Revision: https://reviews.freebsd.org/D30807
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This code was originally written for non-reentrant crypt(3).
In 5f521d7ba72, a thread-safe crypt_r(3) was introduced. However,
it looks like the DES implementation is still not re-entrant;
routines like setup_salt() or des_setkey() still use global
variables.
Instead of something drastic, eg removing DES support altogether,
just mark those variables as thread-local. This adds about 30kB
of data per thread.
Given that this only applies to DES, I think the impact is minimal.
Reviewed By: markj
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D30674
|
|
|
|
|
|
|
|
|
|
| |
While here, trim a spurious local: I missed when added SSL_sendfile.
PR: 255277
Reported by: yuri
Reviewed by: jkim
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30483
|
|
|
|
|
|
|
|
| |
This is useful for upgrade and also to make tiny jail so they won't
depend on FreeBSD-utilities (where openssl was packaged before).
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D30081
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 77c2fe20df6a9a7c1a353e1a4ab2ba80fefab881.
The VMware Workstation issue was fixed in 2019[1], and we'd rather not
carry unnecessary local changes in OpenSSH.
[1] https://communities.vmware.com/t5/VMware-Workstation-Pro/Regression-ssh-results-in-broken-pipe-upon-connecting-in-Vmware/m-p/486105/highlight/true#M25470
PR: 234426
Discussed with: yuripv
Approved by: des
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
|
|
|
|
|
|
|
| |
This adds a specific note that these are explicitly trusted for
server auth.
MFC after: 3 days
|
|
|
|
|
|
| |
- Fifteen (15) removed
MFC after: 3 days
|
|
|
|
|
|
|
|
|
|
|
|
| |
Our current processor was identified as trusting cert not explicitly
marked for SERVER_AUTH, as well as certs that were tagged with
DISTRUST_AFTER.
Update the script to handle both scenarios. This patch was originally
authored by mandree@ for ports, and it was subsequently ported to base
caroot.
MFC after: 3 days
|
|
|
|
|
|
|
| |
- Three (3) added
- Two (2) removed
MFC after: 3 days
|
| |
|
|
|
|
|
|
| |
This is regen for 9b2f020c14af71a2606012143432dd717c7cf90e.
MFC after: 1 week
|
|
|
|
|
|
| |
This directory was deprecated since OpenSSL 1.1.1e.
https://github.com/openssl/openssl/pull/9681
|
| |
|
|
|
|
| |
MFC after: 1 week
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.
Note that TLS 1.3 only supports TX offload.
A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support. It defaults to enabled on amd64 and disabled on all
other architectures.
Reviewed by: jkim (earlier version)
Approved by: secteam
Obtained from: OpenSSL (patches from master)
MFC after: 1 week
Relnotes: yes
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D28273
|
|
|
|
|
|
|
|
| |
This debatably could have waited until the next update would have taken
place, but it's easier to see what changes if we get it out of the way
now.
MFC after: 3 days
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
- One (1) added
- Ten (10) removed
MFC after: 3 days
Notes:
svn path=/head/; revision=368555
|
|
|
|
| |
Notes:
svn path=/head/; revision=368472
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Literal references to /usr/local exist in a large number of files in
the FreeBSD base system. Many are in contributed software, in configuration
files, or in the documentation, but 19 uses have been identified in C
source files or headers outside the contrib and sys/contrib directories.
This commit makes it possible to set _PATH_LOCALBASE in paths.h to use
a different prefix for locally installed software.
In order to avoid changes to openssh source files, LOCALBASE is passed to
the build via Makefiles under src/secure. While _PATH_LOCALBASE could have
been used here, there is precedent in the construction of the path used to
a xauth program which depends on the LOCALBASE value passed on the compiler
command line to select a non-default directory.
This could be changed in a later commit to make the openssh build
consistently use _PATH_LOCALBASE. It is considered out-of-scope for this
commit.
Reviewed by: imp
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D26942
Notes:
svn path=/head/; revision=367075
|
|
|
|
|
|
|
| |
Sponsored by: Netflix
Notes:
svn path=/head/; revision=366898
|
|
|
|
| |
Notes:
svn path=/head/; revision=366004
|
|
|
|
|
|
|
|
|
|
|
| |
Count:
- Two (2) removed
- Three (3) added
MFC after: 3 days
Notes:
svn path=/head/; revision=365896
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current default is provided in various Makefile.inc in some top-level
directories and covers a good portion of the tree, but doesn't cover parts
of the build a little deeper (e.g. libcasper).
Provide a default in src.sys.mk and set WARNS to it in bsd.sys.mk if that
variable is defined. This lets us relatively cleanly provide a default WARNS
no matter where you're building in the src tree without breaking things
outside of the tree.
Crunchgen has been updated as a bootstrap tool to work on this change
because it needs r365605 at a minimum to succeed. The cleanup necessary to
successfully walk over this change on WITHOUT_CLEAN builds has been added.
There is a supplemental project to this to list all of the warnings that are
encountered when the environment has WARNS=6 NO_WERROR=yes:
https://warns.kevans.dev -- this project will hopefully eventually go away
in favor of CI doing a much better job than it.
Reviewed by: emaste, brooks, ngie (all earlier version)
Reviewed by: emaste, arichardson (depend-cleanup.sh change)
Differential Revision: https://reviews.freebsd.org/D26455
Notes:
svn path=/head/; revision=365887
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The proper procedure was not followed in r364943; all of these that were
deleted should have instead been moved over to the blacklist so that certctl
can DTRT.
Users must still `certctl rehash` after this, but this should generally be
done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note
that freebsd-update doesn't come into play for this particular update, as
these have not yet made it into a release.
Future work (after svn -> git) will likely change the script that updatecert
invokes to facilitate the process, rather than trusting that kevans or
whomever updates in the future will remember.
Reported by: Helge Oldach <freebsd oldach net>
MFC after: 3 days
Notes:
svn path=/head/; revision=365248
|
|
|
|
|
|
|
|
|
|
|
| |
Stats:
- Seven (7) removed
- Four (4) added
MFC after: 3 days
Notes:
svn path=/head/; revision=364943
|
|
|
|
| |
Notes:
svn path=/head/; revision=364823
|
|
|
|
|
|
|
|
|
|
|
|
| |
This solves an issue on stable/12 that causes certs to not get installed.
ls is apparently not in PATH during installworld, so TRUSTED_CERTS ends up
blank and nothing gets installed. We don't really require anything
ls-specific, though, so let's just simplify it.
MFC after: 3 days
Notes:
svn path=/head/; revision=364600
|
|
|
|
|
|
|
|
|
|
|
| |
In practice this isn't used in OpenSSL outside of some sparc-specific
code.
Reviewed by: delphij
Differential Revision: https://reviews.freebsd.org/D26058
Notes:
svn path=/head/; revision=364218
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it
should not have shipped in FreeBSD 11 (2016) or 12 (2018). No one should use
it, and if they must, they can use some implementation outside of base.
There are three symbols removed with OPENSSL_NO_SSL3_METHOD:
SSLv3_client_method
SSLv3_method
SSLv3_server_method
These symbols exist to request an explicit SSLv3 connection to a server.
There is no good reason for an application to link or invoke these symbols
instead of TLS_method(), et al (née SSLv23_method, et al). Applications
that do so have broken cryptography.
Define these symbols for some pedantic definition of ABI stability, but
remove the functionality again (r361392) after r362620.
Reviewed by: gordon, jhb (earlier-but-equivalent version both)
Discussed with: bjk, kib
Differential Revision: https://reviews.freebsd.org/D25493
Notes:
svn path=/head/; revision=362818
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This define caused a couple of symbols to disappear. To keep ABI
compatibility, we are going to keep the symbols exposed, but leave SSLv3 as
not in the default config (this is what OPENSSL_NO_SSL3 achieves). The
ramifications of this is an application can still use SSLv3 if it
specifically calls the SSLv3_method family of APIs.
Reported by: kib, others
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D25451
Notes:
svn path=/head/; revision=362620
|
|
|
|
|
|
|
|
|
|
| |
/usr/lib32 and let 32-bit libcrypto search that location instead of
/usr/lib/engines.
Reviewed by: jkim
Notes:
svn path=/head/; revision=361700
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the default configuration in OpenSSL 1.1.1 already. This moves
to align with that default.
Reported by: jmg
Approved by: jkim, cem, emaste, philip
Differential Revision: https://reviews.freebsd.org/D24945
Notes:
svn path=/head/; revision=361392
|
|
|
|
| |
Notes:
svn path=/head/; revision=360175
|
|
|
|
| |
Notes:
svn path=/head/; revision=359486
|
|
|
|
| |
Notes:
svn path=/head/; revision=359061
|
|
|
|
| |
Notes:
svn path=/head/; revision=359060
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original intention for caroot was to be packaged separately, perhaps so
that users can have a more/less conservative upgrade policy for this
separated from the rest of base.
secure/caroot/Makefile doesn't have anything interesting to package, but its
subdirectories might. Move the PACKAGE= to Makefile.inc so both blacklisted
and trusted get packaged consistently into the correct one rather than the
default -utilities. Also tag the directories for package=caroot, as they
could also be empty; blacklisted is empty by default, but trusted is not.
Add a post-install script to do certctl rehash, along with a note should we
eventually come up with a way to detect that files have been added or
removed that requires a rehash.
-caroot gets a dependency on -utilities, as that's where we provide certctl
at the moment. We can perhaps reconsider this and put certctl into this
package in the future, but there are some bits within -utilities that
unconditionally invoke certctl so let's hold off for now.
Reviewed by: manu (earlier version, before -utilities dep added)
Differential Revision: https://reviews.freebsd.org/D23352
Notes:
svn path=/head/; revision=357264
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This kind of automagica got picked up in trusted/ prior to the initial
commit, but never got applied over in blacklisted. Ideally no one will be
using blacklisted/ to store arbitrary certs that they don't intend to
blacklist, so we should just install anything that's in here rather than
force consumer to first copy cert into place and then modify the file
listing in the Makefile.
Wise man once say: "it is better to restrict too much, than not enough.
sometimes."
Notes:
svn path=/head/; revision=357193
|
|
|
|
|
|
|
|
|
|
| |
This directory stages certdata into .OBJDIR and processes it, but does not
actually build a prog-shaped object; bsd.obj.mk provides the minimal support
that we actually need, an .OBJDIR and descent into subdirs. This is
admittedly the nittiest of nits.
Notes:
svn path=/head/; revision=357084
|
|
|
|
|
|
|
|
|
|
| |
Note config.5 and crypto.7 are not installed because we have conflicts.
Requested by: phk
MFC after: 1 month
Notes:
svn path=/head/; revision=356963
|