This option was documented as disabling X11 and agent forwarding but it
failed to do so. Spotted by Tim Rice.
Obtained from: OpenBSD d31ec64016fc
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 3620d70511dc8bf45752028dac0af6f157ec6146)
Our class-based login restrictions patch was merged upstream in commit
c276672fc0e9 ("Class-imposed login restrictions").
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 79979aa44d1b7fd5d04fd574ba8702f76c81c80c)
In version 9.8, the server was split into a listener binary, sshd(8),
and a per-session binary "sshd-session".
Our blacklistd changes also have to be moved from sshd.c to
sshd-session.c.
Reviewed by: emaste
Approved by: emaste (mentor)
Fixes: 0fdf8fae8b56 ("openssh: Update to 9.8p1")
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D49116
(cherry picked from commit 61d8af38bf1c5328c27ccfcd8a3b73e9e8604d16)
This release exists primarily to fix two security bugs. The fixes have
been independently imported into FreeBSD. This import serves to update
the ssh and sshd version number.
A few minor bug fixes are also included; see the upstream release notes
for full details of the 9.9p2 release
(https://www.openssh.com/releasenotes.html).
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 0ae642c7dd0c2cfd965a22bf73876cd26cceadd2)
Approved by: re (accelerated MFC)
Highlights from the release notes are reproduced below. Bug fixes and
improvements that were previously merged into FreeBSD have been elided.
See the upstream release notes for full details of the 9.9p1 release
(https://www.openssh.com/releasenotes.html).
---
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.
Potentially-incompatible changes
--------------------------------
* ssh(1): remove support for pre-authentication compression.
* ssh(1), sshd(8): processing of the arguments to the "Match"
configuration directive now follows more shell-like rules for
quoted strings, including allowing nested quotes and \-escaped
characters.
New features
------------
* ssh(1), sshd(8): add support for a new hybrid post-quantum key
exchange based on the FIPS 203 Module-Lattice Key Enapsulation
mechanism (ML-KEM) combined with X25519 ECDH as described by
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This algorithm "mlkem768x25519-sha256" is available by default.
* ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
included in core dump files for most of their lifespans. This is
in addition to pre-existing controls in ssh-agent(1) and sshd(8)
that prevented coredumps. This feature is supported on OpenBSD,
Linux and FreeBSD.
* All: convert key handling to use the libcrypto EVP_PKEY API, with
the exception of DSA.
Bugfixes
--------
* sshd(8): do not apply authorized_keys options when signature
verification fails. Prevents more restrictive key options being
incorrectly applied to subsequent keys in authorized_keys. bz3733
* ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
prompts. Helps the user know what's going on when ssh-keygen is
invoked via other tools. Requested in GHPR503
* ssh(1), ssh-add(1): make parsing user@host consistently look for
the last '@' in the string rather than the first. This makes it
possible to more consistently use usernames that contain '@'
characters.
* ssh(1), sshd(8): be more strict in parsing key type names. Only
allow short names (e.g "rsa") in user-interface code and require
full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725
* ssh-keygen(1): clarify that ed25519 is the default key type
generated and clarify that rsa-sha2-512 is the default signature
scheme when RSA is in use. GHPR505
---
Reviewed by: jlduran (build infrastructure)
Reviewed by: cy (build infrastructure)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48947
(cherry picked from commit 3d9fd9fcb432750f3716b28f6ccb0104cd9d351a)
Approved by: re (accelerated MFC)
Highlights from the release notes are reproduced below. Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes for full details
(https://www.openssh.com/releasenotes.html).
---
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.
Potentially-incompatible changes
--------------------------------
* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users, or
servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.
* sshd(8): the server has been split into a listener binary, sshd(8),
and a per-session binary "sshd-session". This allows for a much
smaller listener binary, as it no longer needs to support the SSH
protocol. As part of this work, support for disabling privilege
separation (which previously required code changes to disable) and
disabling re-execution of sshd(8) has been removed. Further
separation of sshd-session into additional, minimal binaries is
planned for the future.
* sshd(8): several log messages have changed. In particular, some
log messages will be tagged with as originating from a process
named "sshd-session" rather than "sshd".
* ssh-keyscan(1): this tool previously emitted comment lines
containing the hostname and SSH protocol banner to standard error.
This release now emits them to standard output, but adds a new
"-q" flag to silence them altogether.
* sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
as the PAM service name. A new "PAMServiceName" sshd_config(5)
directive allows selecting the service name at runtime. This
defaults to "sshd". bz2101
New features
------------
* sshd(8): sshd(8) will now penalise client addresses that, for various
reasons, do not successfully complete authentication. This feature is
controlled by a new sshd_config(5) PerSourcePenalties option and is
on by default.
* ssh(8): allow the HostkeyAlgorithms directive to disable the
implicit fallback from certificate host key to plain host keys.
Portability
-----------
* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
unconditionally. The previous behaviour was to expose it only when
particular authentication methods were in use.
* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
environment variable to enable SSH_ASKPASS, similarly to the X11
DISPLAY environment variable. GHPR479
---
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48914
(cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e)
(cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3)
(cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb)
(cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395)
Approved by: re (accelerated MFC)
In 2000 (commit a95c122521) we changed the CheckHostIP default to
"no". We added text to ssh_config(5) documenting FreeBSD's default.
In 2021 OpenSSH made the same change, released with OpenSSH 8.5p1.
When we imported the update the added text remained, resulting in:
If the option is set to no (the default), the check will not be
executed. The default is no.
Remove the now-redundant text.
Fixes: 206be79acb ("Vendor import of OpenSSH 8.5p1")
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 06016adaccca1958cdde4edf845f5b972be7ffc0)
XAUTH_PATH is normally set (in the upstream build infrastructure) in
config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE
is set, and over time have sometimes also defined it in config.h.
Leave it unset in config.h and move the CFLAGS logic to to ssh.mk so
that it will be set when building all ssh libraries and programs but
still be set by LOCALBASE.
Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48907
(cherry picked from commit a63701848fe5462c4e8bbff0131bb42979e603ec)
Obtained from: OpenSSH 38df39ecf278
Security: CVE-2025-26465
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
Obtained from: OpenSSH 5e07dee272c3
Security: CVE-2025-26466
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 8a16d0831e70530b2fbd682e748bd051de35f192)
OpenSSH-portable had a configure bug that prevented it from detecting
OpenSSL ED25519 support, fixed in 8d0e46c1ddb5 ("Fix OpenSSL ED25519
support detection"). This will come in with the OpenSSH 9.8p1 update,
but fix the error in config.h now.
Reported by: jlduran
Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48942
(cherry picked from commit 975c6f3337039d14ecf87d674af72ac5ab0fee02)
This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])
Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html
Co-authored-by: gordon
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46602
Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'
(cherry picked from commit a7148ab39c03abd4d1a84997c70bf96f15dd2a09)
Update config/build info for OpenSSL 3.0.15
This is a companion commit to the OpenSSL 3.0.15 update.
`opensslv.h` was regenerated via the following process:
```
cd crypto/openssl
./config
git reset --hard
gmake include/openssl/opensslv.h
```
`Makefile.inc` has been updated to match.
MFC after: 1 week
MFC with: a7148ab39c03abd4d1a84997c70bf96f15dd2a09
Differential Revision: https://reviews.freebsd.org/D46603
(cherry picked from commit cc717b574d7faa2e0b2de1a985076286cef74187)
sys/crypto/openssl: update powerpc* ASM
This change updates the crypto powerpc* ASM via the prescribed process
documented in `crypto/openssl/FREEBSD-upgrade`.
This change syncs the ASM with 3.0.15's generated ASM.
MFC after: 1 week
MFC with: a7148ab39c03abd4d1a84997c70bf96f15dd2a09
MFC with: cc717b574d7faa2e0b2de1a985076286cef74187
Differential Revision: https://reviews.freebsd.org/D46604
(cherry picked from commit 77864b545b0aaa91bc78b1156c477825007a6233)
The incorrectly typed data is read only, used in a compare operation, so
neither remote code execution, nor memory content disclosure were possible.
However, applications performing certificate name checks were vulnerable to
denial of service.
The GENERAL_TYPE data type is a union, and we must take care to access the
correct member, based on `gen->type`, not all the member fields have the same
structure, and a segfault is possible if the wrong member field is read.
The code in question was lightly refactored with the intent to make it more
obviously correct.
Security: CVE-2024-6119
Obtained from: OpenSSL Project
(cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1)
Under certain circumstances it may call log(3), which is not async-
signal-safe.
For now just remove the blacklist integration from this path, which
means that blacklistd will not detect and firewall hosts that establish
a connection but do nothing further.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46203
(cherry picked from commit 2739a6845031e69be7c03461a9335d8bbb9f59bd)
(cherry picked from commit 3d3bae9b95388169d396adc8007585699c5a23e0)
Approved by: so
This fixes a clang 19 warning:
crypto/heimdal/lib/krb5/deprecated.c:75:17: error: comparison of different enumeration types ('krb5_keytype' (aka 'enum ENCTYPE') and 'enum krb5_keytype_old') [-Werror,-Wenum-compare]
75 | if (keytype != KEYTYPE_DES || context->etypes_des == NULL)
| ~~~~~~~ ^ ~~~~~~~~~~~
In https://github.com/heimdal/heimdal/commit/3bebbe5323 this was solved
by adding a cast. That commit is rather large, so I'm only applying the
one-liner here.
MFC after: 3 days
(cherry picked from commit 6f25b46721a18cf4f036d041e7e5d275800a00b3)
Autoconf 2.72 uses '' rather tha `' in comments in config.h, from
autoconf commit 64df9b4523fe ("Autoconf now quotes 'like this' instead
of `like this'").
Switch quoting style now to minimize diffs on the next OpenSSH update
and config.h regen.
Reviewed by: gordon, philip
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45840
(cherry picked from commit 94416c6939f431b29286a71bb2797e749df9645c)
Cherry-pick fix:
upstream: when sending ObscureKeystrokeTiming chaff packets, we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
Obtained from: openssh-portable 146c420d29d0
Reviewed by: gordon
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45823
(cherry picked from commit b81424adf7181d816c10b1345aaa3305ab0ec304)
Add missing AARCH64_VALID_CALL_TARGET to armv8_rng_probe(). Also add
these to the functions defined by gen_random(), and note that this Perl
sub prints the assembler out directly, not going via the $code xlate
mechanism (and therefore coming before the include of arm_arch.h). So
fix this too.
In KeccakF1600_int, AARCH64_SIGN_LINK_REGISTER functions as
AARCH64_VALID_CALL_TARGET on BTI-only builds, so it needs to come before
the 'adr' line.
Change-Id: If241efe71591c88253a3e36647ced00300c3c1a3
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17653)
Obtained from: OpenSSL 3a23f01268ec
(cherry picked from commit 41777819236110907dd4cff98ef70dfd0629f744)
This change adds optional support for
- Armv8.3-A Pointer Authentication (PAuth) and
- Armv8.5-A Branch Target Identification (BTI)
features to the perl scripts.
Both features can be enabled with additional compiler flags.
Unless any of these are enabled explicitly there is no code change at
all.
The extensions are briefly described below. Please read the appropriate
chapters of the Arm Architecture Reference Manual for the complete
specification.
Scope
-----
This change only affects generated assembly code.
Armv8.3-A Pointer Authentication
--------------------------------
Pointer Authentication extension supports the authentication of the
contents of registers before they are used for indirect branching
or load.
PAuth provides a probabilistic method to detect corruption of register
values. PAuth signing instructions generate a Pointer Authentication
Code (PAC) based on the value of a register, a seed and a key.
The generated PAC is inserted into the original value in the register.
A PAuth authentication instruction recomputes the PAC, and if it matches
the PAC in the register, restores its original value. In case of a
mismatch, an architecturally unmapped address is generated instead.
With PAuth, mitigation against ROP (Return-oriented Programming) attacks
can be implemented. This is achieved by signing the contents of the
link-register (LR) before it is pushed to stack. Once LR is popped,
it is authenticated. This way a stack corruption which overwrites the
LR on the stack is detectable.
The PAuth extension adds several new instructions, some of which are not
recognized by older hardware. To support a single codebase for both pre
Armv8.3-A targets and newer ones, only NOP-space instructions are added
by this patch. These instructions are treated as NOPs on hardware
which does not support Armv8.3-A. Furthermore, this patch only considers
cases where LR is saved to the stack and then restored before branching
to its content. There are cases in the code where LR is pushed to stack
but it is not used later. We do not address these cases as they are not
affected by PAuth.
There are two keys available to sign an instruction address: A and B.
PACIASP and PACIBSP only differ in the used keys: A and B, respectively.
The keys are typically managed by the operating system.
To enable generating code for PAuth compile with
-mbranch-protection=<mode>:
- standard or pac-ret: add PACIASP and AUTIASP, also enables BTI
(read below)
- pac-ret+b-key: add PACIBSP and AUTIBSP
Armv8.5-A Branch Target Identification
--------------------------------------
Branch Target Identification features some new instructions which
protect the execution of instructions on guarded pages which are not
intended branch targets.
If Armv8.5-A is supported by the hardware, execution of an instruction
changes the value of PSTATE.BTYPE field. If an indirect branch
lands on a guarded page the target instruction must be one of the
BTI <jc> flavors, or in case of a direct call or jump it can be any
other instruction. If the target instruction is not compatible with the
value of PSTATE.BTYPE a Branch Target Exception is generated.
In short, indirect jumps are compatible with BTI <j> and <jc> while
indirect calls are compatible with BTI <c> and <jc>. Please refer to the
specification for the details.
Armv8.3-A PACIASP and PACIBSP are implicit branch target
identification instructions which are equivalent with BTI c or BTI jc
depending on system register configuration.
BTI is used to mitigate JOP (Jump-oriented Programming) attacks by
limiting the set of instructions which can be jumped to.
BTI requires active linker support to mark the pages with BTI-enabled
code as guarded. For ELF64 files BTI compatibility is recorded in the
.note.gnu.property section. For a shared object or static binary it is
required that all linked units support BTI. This means that even a
single assembly file without the required note section turns-off BTI
for the whole binary or shared object.
The new BTI instructions are treated as NOPs on hardware which does
not support Armv8.5-A or on pages which are not guarded.
To insert this new and optional instruction compile with
-mbranch-protection=standard (also enables PAuth) or +bti.
When targeting a guarded page from a non-guarded page, weaker
compatibility restrictions apply to maintain compatibility between
legacy and new code. For detailed rules please refer to the Arm ARM.
Compiler support
----------------
Compiler support requires understanding '-mbranch-protection=<mode>'
and emitting the appropriate feature macros (__ARM_FEATURE_BTI_DEFAULT
and __ARM_FEATURE_PAC_DEFAULT). The current state is the following:
-------------------------------------------------------
| Compiler | -mbranch-protection | Feature macros |
+----------+---------------------+--------------------+
| clang | 9.0.0 | 11.0.0 |
+----------+---------------------+--------------------+
| gcc | 9 | expected in 10.1+ |
-------------------------------------------------------
Available Platforms
------------------
Arm Fast Model and QEMU support both extensions.
https://developer.arm.com/tools-and-software/simulation-models/fast-modelshttps://www.qemu.org/
Implementation Notes
--------------------
This change adds BTI landing pads even to assembly functions which are
likely to be directly called only. In these cases, landing pads might
be superfluous depending on what code the linker generates.
Code size and performance impact for these cases would be negligible.
Interaction with C code
-----------------------
Pointer Authentication is a per-frame protection while Branch Target
Identification can be turned on and off only for all code pages of a
whole shared object or static binary. Because of these properties if
C/C++ code is compiled without any of the above features but assembly
files support any of them unconditionally there is no incompatibility
between the two.
Useful Links
------------
To fully understand the details of both PAuth and BTI it is advised to
read the related chapters of the Arm Architecture Reference Manual
(Arm ARM):
https://developer.arm.com/documentation/ddi0487/latest/
Additional materials:
"Providing protection for complex software"
https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software
Arm Compiler Reference Guide Version 6.14: -mbranch-protection
https://developer.arm.com/documentation/101754/0614/armclang-Reference/armclang-Command-line-Options/-mbranch-protection?lang=en
Arm C Language Extensions (ACLE)
https://developer.arm.com/docs/101028/latest
Addional Notes
--------------
This patch is a copy of the work done by Tamas Petz in boringssl. It
contains the changes from the following commits:
aarch64: support BTI and pointer authentication in assembly
Change-Id: I4335f92e2ccc8e209c7d68a0a79f1acdf3aeb791
URL: https://boringssl-review.googlesource.com/c/boringssl/+/42084
aarch64: Improve conditional compilation
Change-Id: I14902a64e5f403c2b6a117bc9f5fb1a4f4611ebf
URL: https://boringssl-review.googlesource.com/c/boringssl/+/43524
aarch64: Fix name of gnu property note section
Change-Id: I6c432d1c852129e9c273f6469a8b60e3983671ec
URL: https://boringssl-review.googlesource.com/c/boringssl/+/44024
Change-Id: I2d95ebc5e4aeb5610d3b226f9754ee80cf74a9af
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16674)
Reviewed by: emaste, Pierre Pronchery <pierre@freebsdfoundation.org>
Obtained from: OpenSSL 19e277dd19f2
Differential Revision: https://reviews.freebsd.org/D41940
(cherry picked from commit 1bd9ca8b7548e5f573ae8186f3519f4bedff3a92)
Reported by: Qualys Threat Research Unit (TRU)
Approved by: so
Security: FreeBSD-SA-24:04.openssh
Security: CVE-2024-6387
(cherry picked from commit 2abea9df01655633aabbb9bf3204c90722001202)
This is a companion commit to the OpenSSL 3.0.14 update.
MFC after: 3 days
MFC with: 44096ebd22ddd0081a357011714eff8963614b65
(cherry picked from commit 303596eac3f5a7fed63f1084028d811919d37eaf)
This release resolves 3 upstream found CVEs:
- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
MFC after: 3 days
Merge commit '1070e7dca8223387baf5155524b28f62bfe7da3c'
(cherry picked from commit 44096ebd22ddd0081a357011714eff8963614b65)
Import upstream 6747e1628:
asn1: Use unsigned bitfields for named bitsets
Signed 1-bit bitfields are undefined in C.
This should fix the following warnings, which for unknown reasons are
errors in CI:
/usr/src/crypto/heimdal/lib/hx509/ca.c:1020:22: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1020 | ku.digitalSignature = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1021:21: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1021 | ku.keyEncipherment = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1028:17: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1028 | ku.keyCertSign = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1029:13: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1029 | ku.cRLSign = 1;
| ^ ~
PR: 276960
Fixes: 1b7487592987
MFC after: 1 week
(cherry picked from commit 219b6e442308d5353b2af5f0771ce9b887b70754)
Import upstream 19d378f44:
ASN.1 INTEGERs will now compile to C int64_t or uint64_t, depending
on whether the constraint ranges include numbers that cannot be
represented in 32-bit ints and whether they include negative
numbers.
Template backend support included. check-template is now built with
--template, so we know we're testing it.
Tests included.
Also adjusts the generated files:
* asn1parse.c, asn1parse.h (not strictly necessary, but nice to have)
* der-protos.h, which needs a bunch of new prototypes. I copied these
from a der-protos.h generated by the upstream build system, which
uses a perl script for this.
* adjust printf format strings for int64_t. Upstream uses %lld for this,
but that is not portable, and leads to lots of -Werror warnings.
This should fix target-dependent differences between headers generated
by asn1_compile. For example, when cross compiling world from amd64 to
i386, the generated cms_asn1.h header has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..-1),
iv OCTET STRING,
}
while a native build on i386 has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..2147483647),
iv OCTET STRING,
}
These are _both_ wrong, since the source file, cms.asn1, has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..4294967295),
iv OCTET STRING -- exactly 8 octets
}
PR: 276960
Reviewed by: cy, emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D44814
Differential Revision: https://reviews.freebsd.org/D44815
(cherry picked from commit 1b7487592987c91020063a311a14dc15b6e58075)
This release contains mostly bugfixes.
It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year and remove
support entirely in 2025.
Full release notes at https://www.openssh.com/txt/release-9.7
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit a91a246563dffa876a52f53a98de4af9fa364c52)
A flawed logical condition allows a malicious actor to remotely
trigger a NULL pointer dereference using a crafted negTokenInit
token.
Upstream notes:
Reported to Heimdal by Michał Kępień <michal@isc.org>.
From the report:
Acknowledgement
---------------
This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
TKEY Query Heap-based Buffer Overflow Remote Code Execution
Vulnerability, which was reported to ISC by Trend Micro's Zero Day
Security: CVE-2022-3116
Obtained from: upstream 7a19658c1
(cherry picked from commit fc773115fa2dbb6c01377f2ed47dabf79a4e361a)
Import upstream 38c797e1a.
Upstream notes:
RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
excahnge when anonymous PKINIT is used. Failure to do so can
permit an active attacker to become a man-in-the-middle.
Reported by: emaste
Obtained from: upstream 38c797e1a
Security: CVE-2019-12098
(cherry picked from commit 60616b445eb5b01597092fef5b14549f95000130)
Upstream's explanation of the problem:
S4U2Self is an extension to Kerberos used in Active Directory to allow
a service to request a kerberos ticket to itself from the Kerberos Key
Distribution Center (KDC) for a non-Kerberos authenticated user
(principal in Kerboros parlance). This is useful to allow internal
code paths to be standardized around Kerberos.
S4U2Proxy (constrained-delegation) is an extension of this mechanism
allowing this impersonation to a second service over the network. It
allows a privileged server that obtained a S4U2Self ticket to itself
to then assert the identity of that principal to a second service and
present itself as that principal to get services from the second
service.
There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
KDC checks the checksum that is placed on the S4U2Self packet by the
server to protect the requested principal against modification, it
does not confirm that the checksum algorithm that protects the user
name (principal) in the request is keyed. This allows a
man-in-the-middle attacker who can intercept the request to the KDC to
modify the packet by replacing the user name (principal) in the
request with any desired user name (principal) that exists in the KDC
and replace the checksum protecting that name with a CRC32 checksum
(which requires no prior knowledge to compute).
This would allow a S4U2Self ticket requested on behalf of user name
(principal) user@EXAMPLE.COM to any service to be changed to a
S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
the modified user name (principal).
Reported by: emaste
Security: CVE-2018-16860
Obtained from: Upstream c6257cc2c
(cherry picked from commit 24339377490f9e362d040712b534d2963decd2d7)
Apply upstream b1e699103. This fixes a bug introduced by upstream
f469fc6 which may in some cases enable bypass of capath policy.
Upstream writes in their commit log:
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
Reported by: emaste
Security: CVE-2017-6594
Obtained from: upstream b1e699103
(cherry picked from commit f8041e3628bd70cf5562a9c13eb3d6af8463e720)
* Fixed PKCS12 Decoding crashes ([CVE-2024-0727])
* Fixed Excessive time spent checking invalid RSA public keys
([CVE-2023-6237])
* Fixed POLY1305 MAC implementation corrupting vector registers on
PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129])
* Fix excessive time spent in DH check / generation with large Q
parameter value ([CVE-2023-5678])
Release notes can be found at
https://www.openssl.org/news/openssl-3.0-notes.html.
Approved by: emaste
Merge commit '9dd13e84fa8eca8f3462bd55485aa3da8c37f54a'
(cherry picked from commit e0c4386e7e71d93b0edc0c8fa156263fc4a8b0b6)
Weak crypto is provided by the openssl legacy provider which is
not load by default. Load the legacy providers as needed.
When the legacy provider is loaded into the default context the default
provider will no longer be automatically loaded. Without the default
provider the various kerberos applicaions and functions will abort().
This is the second attempt at this patch. Instead of linking
secure/lib/libcrypto at build time we now link it at runtime, avoiding
buildworld failures under Linux and MacOS. This is because
TARGET_ENDIANNESS is undefined at pre-build time.
PR: 272835
Tested by: netchild
Joerg Pulz <Joerg.Pulz@frm2.tum.de> (previous version)
(cherry picked from commit 476d63e091c2e663b51d18acf6acb282e1f22bbc)
From the release notes,
> This release contains a number of security fixes, some small features
> and bugfixes.
The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol. The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.
Full release notes at https://www.openssh.com/txt/release-9.6
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d)
Cherry-picked from OpenSSH commit 7ef3787c84b6:
This makes ssh(1) refuse user or host names provided on the
commandline that contain most shell metacharacters.
Some programs that invoke ssh(1) using untrusted data do not filter
metacharacters in arguments they supply. This could create
interactions with user-specified ProxyCommand and other directives
that allow shell injection attacks to occur.
It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
but getting this stuff right can be tricky, so this should prevent
most obvious ways of creating risky situations. It however is not
and cannot be perfect: ssh(1) has no practical way of interpreting
what shell quoting rules are in use and how they interact with the
user's specified ProxyCommand.
To allow configurations that use strange user or hostnames to
continue to work, this strictness is applied only to names coming
from the commandline. Names specified using User or Hostname
directives in ssh_config(5) are not affected.
feedback/ok millert@ markus@ dtucker@ deraadt@
OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.
Full details of the extension are in the PROTOCOL file.
OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
Approved by: so (implicit)
Obtained from: https://anongit.mindrot.org/openssh.git/patch/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
Security: CVE-2023-48795
(cherry picked from commit 92f58c69a14c0afe910145f177c0e8aeaf9c7da4)
OpenSSL 3.0.12 addresses:
* Fix incorrect key and IV resizing issues when calling
EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2()
with OSSL_PARAM parameters that alter the key or IV length
([CVE-2023-5363]).
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit ad991e4c142ebabad7aef488ad97b189ecabb270)
(cherry picked from commit 575878a533823aa3e5bab715928d9cdffbc4dcbc)
This removes a guard condition that prevents KTLS being enabled for
receiving in TLS 1.3. Use the correct sequence number and BIO for
receive vs transmit offload.
Obtained from: OpenSSL commit 7c78932b9a4330fb7c8db72b3fb37cbff1401f8b
(cherry picked from commit 6ed16d17333c5b1895aff35ddc1d46834f53a9eb)
- Don't unpad records, check the outer record type, or extract the
inner record type from TLS 1.3 records handled by the kernel. KTLS
performs all of these steps and returns the inner record type in the
TLS header.
- When checking the length of a received TLS 1.3 record don't allow
for the extra byte for the nested record type when KTLS is used.
- Pass a pointer to the record type in the TLS header to the
SSL3_RT_INNER_CONTENT_TYPE message callback. For KTLS, the old
pointer pointed to the last byte of payload rather than the record
type. For the non-KTLS case, the TLS header has been updated with
the inner type before this callback is invoked.
Obtained from: OpenSSL commit a5fb9605329fb939abb536c1604d44a511741624)
(cherry picked from commit c085ca5245797ae17fc69353bbdf7584acb2feaa)
When KTLS receive is enabled, pending data may still be present due to
read ahead. This data must still be processed the same as records
received without KTLS. To ease readability (especially in
consideration of additional checks which will be added for TLS 1.3),
add a helper variable 'using_ktls' that is true when the KTLS receive
path is being used to receive a record.
Obtained from: OpenSSL commit 031132c297e54cbc20404a0bf8de6ed863196399
(cherry picked from commit 0fc28f22d5b6a75d8a0449262a05cefe1040f982)
KTLS implementations currently assume that the start of the in-kernel
socket buffer is aligned with the start of a TLS record for the
receive side. The socket option to enable KTLS specifies the TLS
sequence number of this initial record.
When read ahead is enabled, data can be pending in the SSL read buffer
after negotiating session keys. This pending data must be examined to
ensurs that the kernel's socket buffer does not contain a partial TLS
record as well as to determine the correct sequence number of the
first TLS record to be processed by the kernel.
In preparation for enabling receive kernel offload for TLS 1.3, move
the existing logic to handle read ahead from t1_enc.c into ktls.c and
invoke it from ktls_configure_crypto().
Obtained from: OpenSSL commit 85773128d0e80cd8dcc772a6931d385b8cf4acd1
(cherry picked from commit eee55a22b20214ca41cd6b1bbea79b863c8c11ac)
