aboutsummaryrefslogtreecommitdiff
path: root/secure
Commit message (Collapse)AuthorAgeFilesLines
* OpenSSL: Regen manual pages for OpenSSL 1.1.1pJung-uk Kim4 days536-1075/+1087
|
* OpenSSL: Merge OpenSSL 1.1.1oJung-uk Kim2022-05-03535-537/+547
|
* ssh: update to OpenSSH v8.9p1Ed Maste2022-04-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
* OpenSSL: Merge OpenSSL 1.1.1nJung-uk Kim2022-03-15536-567/+664
|
* ssh: use standalone config file for security key supportEd Maste2022-03-021-1/+2
| | | | | | | | | | | | | An upcoming OpenSSH update has multiple config.h settings that change depending on whether builtin security key support is enabled. Prepare for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header (similar to the approach used for optional krb5 support) and optionally including that, instead of defining the macro directly from CFLAGS. Reviewed by: kevans MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34407
* OpenSSL: Merge OpenSSL 1.1.1mJung-uk Kim2021-12-14536-616/+650
|
* Add assembly optimized code for OpenSSL on powerpc, powerpc64 and powerpc64lePiotr Kubaj2021-11-233-2/+272
| | | | | | | | | | | | Summary: 1. https://github.com/openssl/openssl/commit/34ab13b7d8e3e723adb60be8142e38b7c9cd382a needs to be merged for ELFv2 support on big-endian. 2. crypto/openssl/crypto/ppccap.c needs to be patched. Same reason as in https://github.com/openssl/openssl/pull/17082. Approved by: jkim, jhibbits MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D33076
* ssh: enable FIDO/U2F keysEd Maste2021-11-043-1/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Description of FIDO/U2F support (from OpenSSH 8.2 release notes, https://www.openssh.com/txt/release-8.2): This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types. ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them. Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation: $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used. To enable FIDO/U2F support, this change regenerates ssh_namespace.h, adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building WITHOUT_USB). devd integration is not included in this change, and is under investigation for the base system. In the interim the security/u2f-devd port can be installed to provide appropriate devd rules. Reviewed by: delphij, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32509
* ssh: move common Makefile boilerplate to a new ssh.mkEd Maste2021-11-0314-32/+18
| | | | | | | | | | This moves SSHDIR and ssh_namespace.h handling to a common location, and will simplify future work such as adding U2F support (D32509). Reviewed by: kevans MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32808
* libssh: Rearrange Makefile SRCS to match upstream Makefile.inEd Maste2021-10-201-4/+7
| | | | | | | SRCS entries are kept in the same order and with the same line breaks as upstream, to make comparison easier. Reported by: des
* libssh: correct libssh src file listEd Maste2021-10-181-1/+1
| | | | | | | | | | | | Link against the ssh-sk-helper client rather than the sk internal implementation. PR: 258384 Tested by: madpilot Fixes: f448c3ed4ae1 ("openssh: Add new source files to libssl") Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32529
* openssh: Add new source files to libsslGuido Falsi2021-09-091-1/+2
| | | | | | | | | Add some new OpenSSH v8.7p1 source files to the ones being used to build libssl to avoid missing symbols. PR: 258384 Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Approved by: kevans (src)
* openssh: update to OpenSSH v8.7p1Ed Maste2021-09-085-13/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
* caroot: update root storeKyle Evans2021-09-046-0/+481
| | | | | - Four (4) added - Two (2) removed
* OpenSSL: Reduce diff with the upstreamJung-uk Kim2021-09-011-0/+5
| | | | No functional change expected.
* OpenSSL: Regen manual pages for 1.1.1lJung-uk Kim2021-09-01536-1121/+1135
|
* secure/caroot, certctl: Rename secure/caroot/blacklistedCeri Davies2021-06-1840-12/+12
| | | | | | | Old certctl commands still work for compatability, but are deprecated. Approved by: secteam (gordon) Differential Revision: https://reviews.freebsd.org/D30807
* crypt_r(3): fix reentrancy problems with DESEdward Tomasz Napierala2021-06-151-29/+29
| | | | | | | | | | | | | | | | | | | This code was originally written for non-reentrant crypt(3). In 5f521d7ba72, a thread-safe crypt_r(3) was introduced. However, it looks like the DES implementation is still not re-entrant; routines like setup_salt() or des_setkey() still use global variables. Instead of something drastic, eg removing DES support altogether, just mark those variables as thread-local. This adds about 30kB of data per thread. Given that this only applies to DES, I think the impact is minimal. Reviewed By: markj Sponsored by: NetApp, Inc. Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D30674
* libcrypto: Add symbol versions for symbols added since 1.1.1d.John Baldwin2021-05-282-2/+16
| | | | | | | | | | While here, trim a spurious local: I missed when added SSL_sendfile. PR: 255277 Reported by: yuri Reviewed by: jkim MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D30483
* pkgbase: Put openssl in its own packageEmmanuel Vadot2021-05-133-1/+3
| | | | | | | | This is useful for upgrade and also to make tiny jail so they won't depend on FreeBSD-utilities (where openssl was packaged before). MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D30081
* Revert "Add workaround for a QoS-related bug in VMWare Workstation."Ed Maste2021-04-251-3/+0
| | | | | | | | | | | | | | | This reverts commit 77c2fe20df6a9a7c1a353e1a4ab2ba80fefab881. The VMware Workstation issue was fixed in 2019[1], and we'd rather not carry unnecessary local changes in OpenSSH. [1] https://communities.vmware.com/t5/VMware-Workstation-Pro/Regression-ssh-results-in-broken-pipe-upon-connecting-in-Vmware/m-p/486105/highlight/true#M25470 PR: 234426 Discussed with: yuripv Approved by: des MFC after: 2 weeks Sponsored by: The FreeBSD Foundation
* caroot: reroll the remaining certsKyle Evans2021-04-13125-0/+250
| | | | | | | This adds a specific note that these are explicitly trusted for server auth. MFC after: 3 days
* caroot: remove certs distrusted for server authKyle Evans2021-04-1315-0/+0
| | | | | | - Fifteen (15) removed MFC after: 3 days
* caroot: update CA bundle processorKyle Evans2021-04-131-12/+43
| | | | | | | | | | | | Our current processor was identified as trusting cert not explicitly marked for SERVER_AUTH, as well as certs that were tagged with DISTRUST_AFTER. Update the script to handle both scenarios. This patch was originally authored by mandree@ for ports, and it was subsequently ported to base caroot. MFC after: 3 days
* caroot: routine cert updateKyle Evans2021-04-135-0/+263
| | | | | | | - Three (3) added - Two (2) removed MFC after: 3 days
* OpenSSL: Regen manual pages for 1.1.1kJung-uk Kim2021-03-25535-536/+536
|
* OpenSSL: Regen manual page for the previous commitJung-uk Kim2021-02-171-2/+3
| | | | | | This is regen for 9b2f020c14af71a2606012143432dd717c7cf90e. MFC after: 1 week
* OpenSSL: Remove obsolete include directoryJung-uk Kim2021-02-171-1/+0
| | | | | | This directory was deprecated since OpenSSL 1.1.1e. https://github.com/openssl/openssl/pull/9681
* OpenSSL: Regen manual pages for OpenSSL 1.1.1j.Jung-uk Kim2021-02-16539-1167/+642
|
* OpenSSL: Regenerate manual pages.Jung-uk Kim2021-01-28537-644/+1269
| | | | MFC after: 1 week
* OpenSSL: Support for kernel TLS offload (KTLS)John Baldwin2021-01-284-5/+28
| | | | | | | | | | | | | | | | | | | | This merges upstream patches from OpenSSL's master branch to add KTLS infrastructure for TLS 1.0-1.3 including both RX and TX offload and SSL_sendfile support on both Linux and FreeBSD. Note that TLS 1.3 only supports TX offload. A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with KTLS support. It defaults to enabled on amd64 and disabled on all other architectures. Reviewed by: jkim (earlier version) Approved by: secteam Obtained from: OpenSSL (patches from master) MFC after: 1 week Relnotes: yes Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D28273
* caroot: drop $FreeBSD$ expansion from root bundleKyle Evans2020-12-28139-139/+139
| | | | | | | | This debatably could have waited until the next update would have taken place, but it's easier to see what changes if we get it out of the way now. MFC after: 3 days
* caroot: update bundleKyle Evans2020-12-1111-0/+134
| | | | | | | | | | | Summary: - One (1) added - Ten (10) removed MFC after: 3 days Notes: svn path=/head/; revision=368555
* Merge OpenSSL 1.1.1i.Jung-uk Kim2020-12-09434-875/+877
| | | | Notes: svn path=/head/; revision=368472
* Replace literal uses of /usr/local in C sources with _PATH_LOCALBASEStefan Eßer2020-10-272-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | Literal references to /usr/local exist in a large number of files in the FreeBSD base system. Many are in contributed software, in configuration files, or in the documentation, but 19 uses have been identified in C source files or headers outside the contrib and sys/contrib directories. This commit makes it possible to set _PATH_LOCALBASE in paths.h to use a different prefix for locally installed software. In order to avoid changes to openssh source files, LOCALBASE is passed to the build via Makefiles under src/secure. While _PATH_LOCALBASE could have been used here, there is precedent in the construction of the path used to a xauth program which depends on the LOCALBASE value passed on the compiler command line to select a non-default directory. This could be changed in a later commit to make the openssh build consistently use _PATH_LOCALBASE. It is considered out-of-scope for this commit. Reviewed by: imp MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D26942 Notes: svn path=/head/; revision=367075
* Move generated OpenSSL assembly routines into the kernel sources.John Baldwin2020-10-2083-204615/+2
| | | | | | | Sponsored by: Netflix Notes: svn path=/head/; revision=366898
* Merge OpenSSL 1.1.1h.Jung-uk Kim2020-09-22537-1617/+1745
| | | | Notes: svn path=/head/; revision=366004
* caroot: update base storeKyle Evans2020-09-195-0/+265
| | | | | | | | | | | Count: - Two (2) removed - Three (3) added MFC after: 3 days Notes: svn path=/head/; revision=365896
* build: provide a default WARNS for all in-tree buildsKyle Evans2020-09-181-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | The current default is provided in various Makefile.inc in some top-level directories and covers a good portion of the tree, but doesn't cover parts of the build a little deeper (e.g. libcasper). Provide a default in src.sys.mk and set WARNS to it in bsd.sys.mk if that variable is defined. This lets us relatively cleanly provide a default WARNS no matter where you're building in the src tree without breaking things outside of the tree. Crunchgen has been updated as a bootstrap tool to work on this change because it needs r365605 at a minimum to succeed. The cleanup necessary to successfully walk over this change on WITHOUT_CLEAN builds has been added. There is a supplemental project to this to list all of the warnings that are encountered when the environment has WARNS=6 NO_WERROR=yes: https://warns.kevans.dev -- this project will hopefully eventually go away in favor of CI doing a much better job than it. Reviewed by: emaste, brooks, ngie (all earlier version) Reviewed by: emaste, arichardson (depend-cleanup.sh change) Differential Revision: https://reviews.freebsd.org/D26455 Notes: svn path=/head/; revision=365887
* caroot: properly remove old distrusted rootsKyle Evans2020-09-027-0/+698
| | | | | | | | | | | | | | | | | | | | | The proper procedure was not followed in r364943; all of these that were deleted should have instead been moved over to the blacklist so that certctl can DTRT. Users must still `certctl rehash` after this, but this should generally be done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note that freebsd-update doesn't come into play for this particular update, as these have not yet made it into a release. Future work (after svn -> git) will likely change the script that updatecert invokes to facilitate the process, rather than trusting that kevans or whomever updates in the future will remember. Reported by: Helge Oldach <freebsd oldach net> MFC after: 3 days Notes: svn path=/head/; revision=365248
* carrot: update bundleKyle Evans2020-08-2911-698/+401
| | | | | | | | | | | Stats: - Seven (7) removed - Four (4) added MFC after: 3 days Notes: svn path=/head/; revision=364943
* Regen X86 assembly files after r364822.Jung-uk Kim2020-08-2622-86/+44039
| | | | Notes: svn path=/head/; revision=364823
* caroot: switch to using echo+shell glob to enumerate certsKyle Evans2020-08-232-2/+2
| | | | | | | | | | | | This solves an issue on stable/12 that causes certs to not get installed. ls is apparently not in PATH during installworld, so TRUSTED_CERTS ends up blank and nothing gets installed. We don't really require anything ls-specific, though, so let's just simplify it. MFC after: 3 days Notes: svn path=/head/; revision=364600
* Fix a typo in the cpp macro defined for PIC.John Baldwin2020-08-131-1/+1
| | | | | | | | | | | In practice this isn't used in OpenSSL outside of some sparc-specific code. Reviewed by: delphij Differential Revision: https://reviews.freebsd.org/D26058 Notes: svn path=/head/; revision=364218
* Replace OPENSSL_NO_SSL3_METHODs with dummiesConrad Meyer2020-07-013-0/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it should not have shipped in FreeBSD 11 (2016) or 12 (2018). No one should use it, and if they must, they can use some implementation outside of base. There are three symbols removed with OPENSSL_NO_SSL3_METHOD: SSLv3_client_method SSLv3_method SSLv3_server_method These symbols exist to request an explicit SSLv3 connection to a server. There is no good reason for an application to link or invoke these symbols instead of TLS_method(), et al (née SSLv23_method, et al). Applications that do so have broken cryptography. Define these symbols for some pedantic definition of ABI stability, but remove the functionality again (r361392) after r362620. Reviewed by: gordon, jhb (earlier-but-equivalent version both) Discussed with: bjk, kib Differential Revision: https://reviews.freebsd.org/D25493 Notes: svn path=/head/; revision=362818
* Revert OPENSSL_NO_SSL3_METHOD to keep ABI compatibility.Gordon Tetlow2020-06-251-3/+0
| | | | | | | | | | | | | | | This define caused a couple of symbols to disappear. To keep ABI compatibility, we are going to keep the symbols exposed, but leave SSLv3 as not in the default config (this is what OPENSSL_NO_SSL3 achieves). The ramifications of this is an application can still use SSLv3 if it specifically calls the SSLv3_method family of APIs. Reported by: kib, others Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D25451 Notes: svn path=/head/; revision=362620
* Install 32-bit libcrypto engines in /usr/lib32/engines instead ofTijl Coosemans2020-06-012-2/+2
| | | | | | | | | | /usr/lib32 and let 32-bit libcrypto search that location instead of /usr/lib/engines. Reviewed by: jkim Notes: svn path=/head/; revision=361700
* Remove support for SSLv3 from the OpenSSL build.Gordon Tetlow2020-05-221-0/+6
| | | | | | | | | | | | This is the default configuration in OpenSSL 1.1.1 already. This moves to align with that default. Reported by: jmg Approved by: jkim, cem, emaste, philip Differential Revision: https://reviews.freebsd.org/D24945 Notes: svn path=/head/; revision=361392
* Merge OpenSSL 1.1.1g.Jung-uk Kim2020-04-21536-541/+753
| | | | Notes: svn path=/head/; revision=360175
* Merge OpenSSL 1.1.1f.Jung-uk Kim2020-03-31534-540/+565
| | | | Notes: svn path=/head/; revision=359486