Our class-based login restrictions patch was merged upstream in commit
c276672fc0e9 ("Class-imposed login restrictions").
Sponsored by: The FreeBSD Foundation
This release exists primarily to fix two security bugs. The fixes have
been independently imported into FreeBSD. This import serves to update
the ssh and sshd version number.
A few minor bug fixes are also included; see the upstream release notes
for full details of the 9.9p2 release
(https://www.openssh.com/releasenotes.html).
Sponsored by: The FreeBSD Foundation
We use the source mdoc man pages (i.e., ssh-sk-helper.8) not the
rendered ones included in the OpenSSH releases.
Fixes: 0fdf8fae8b ("openssh: Update to 9.8p1")
Sponsored by: The FreeBSD Foundation
Highlights from the release notes are reproduced below. Bug fixes and
improvements that were previously merged into FreeBSD have been elided.
See the upstream release notes for full details of the 9.9p1 release
(https://www.openssh.com/releasenotes.html).
---
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.
Potentially-incompatible changes
--------------------------------
* ssh(1): remove support for pre-authentication compression.
* ssh(1), sshd(8): processing of the arguments to the "Match"
configuration directive now follows more shell-like rules for
quoted strings, including allowing nested quotes and \-escaped
characters.
New features
------------
* ssh(1), sshd(8): add support for a new hybrid post-quantum key
exchange based on the FIPS 203 Module-Lattice Key Enapsulation
mechanism (ML-KEM) combined with X25519 ECDH as described by
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This algorithm "mlkem768x25519-sha256" is available by default.
* ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
included in core dump files for most of their lifespans. This is
in addition to pre-existing controls in ssh-agent(1) and sshd(8)
that prevented coredumps. This feature is supported on OpenBSD,
Linux and FreeBSD.
* All: convert key handling to use the libcrypto EVP_PKEY API, with
the exception of DSA.
Bugfixes
--------
* sshd(8): do not apply authorized_keys options when signature
verification fails. Prevents more restrictive key options being
incorrectly applied to subsequent keys in authorized_keys. bz3733
* ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
prompts. Helps the user know what's going on when ssh-keygen is
invoked via other tools. Requested in GHPR503
* ssh(1), ssh-add(1): make parsing user@host consistently look for
the last '@' in the string rather than the first. This makes it
possible to more consistently use usernames that contain '@'
characters.
* ssh(1), sshd(8): be more strict in parsing key type names. Only
allow short names (e.g "rsa") in user-interface code and require
full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725
* ssh-keygen(1): clarify that ed25519 is the default key type
generated and clarify that rsa-sha2-512 is the default signature
scheme when RSA is in use. GHPR505
---
Reviewed by: jlduran (build infrastructure)
Reviewed by: cy (build infrastructure)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48947
Highlights from the release notes are reproduced below. Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes for full details
(https://www.openssh.com/releasenotes.html).
---
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.
Potentially-incompatible changes
--------------------------------
* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users, or
servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.
* sshd(8): the server has been split into a listener binary, sshd(8),
and a per-session binary "sshd-session". This allows for a much
smaller listener binary, as it no longer needs to support the SSH
protocol. As part of this work, support for disabling privilege
separation (which previously required code changes to disable) and
disabling re-execution of sshd(8) has been removed. Further
separation of sshd-session into additional, minimal binaries is
planned for the future.
* sshd(8): several log messages have changed. In particular, some
log messages will be tagged with as originating from a process
named "sshd-session" rather than "sshd".
* ssh-keyscan(1): this tool previously emitted comment lines
containing the hostname and SSH protocol banner to standard error.
This release now emits them to standard output, but adds a new
"-q" flag to silence them altogether.
* sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
as the PAM service name. A new "PAMServiceName" sshd_config(5)
directive allows selecting the service name at runtime. This
defaults to "sshd". bz2101
New features
------------
* sshd(8): sshd(8) will now penalise client addresses that, for various
reasons, do not successfully complete authentication. This feature is
controlled by a new sshd_config(5) PerSourcePenalties option and is
on by default.
* ssh(8): allow the HostkeyAlgorithms directive to disable the
implicit fallback from certificate host key to plain host keys.
Portability
-----------
* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
unconditionally. The previous behaviour was to expose it only when
particular authentication methods were in use.
* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
environment variable to enable SSH_ASKPASS, similarly to the X11
DISPLAY environment variable. GHPR479
---
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48914
In 2000 (commit a95c122521) we changed the CheckHostIP default to
"no". We added text to ssh_config(5) documenting FreeBSD's default.
In 2021 OpenSSH made the same change, released with OpenSSH 8.5p1.
When we imported the update the added text remained, resulting in:
If the option is set to no (the default), the check will not be
executed. The default is no.
Remove the now-redundant text.
Fixes: 206be79acb ("Vendor import of OpenSSH 8.5p1")
Sponsored by: The FreeBSD Foundation
OpenSSH-portable had a configure bug that prevented it from detecting
OpenSSL ED25519 support, fixed in 8d0e46c1ddb5 ("Fix OpenSSL ED25519
support detection"). This will come in with the OpenSSH 9.8p1 update,
but fix the error in config.h now.
Reported by: jlduran
Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48942
This is the upstream default -- from the 9.8p1 release notes:
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025. This release disables DSA by default at compile time.
DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.
OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs, mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.
This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA
in OpenSSH to be justified and hope that removing it from OpenSSH
can accelerate its wider deprecation in supporting cryptography
libraries.
This release, and its deactivation of DSA by default at compile-time,
marks the second step in our timeline to finally deprecate DSA. The
final step of removing DSA support entirely is planned for the first
OpenSSH release of 2025.
---
The config.h comment /* DSA keys explicitly enabled */ is somewhat
confusing, but this is what upstream's ./configure generates.
Reviewed by: jlduran
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48910
XAUTH_PATH is normally set (in the upstream build infrastructure) in
config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE
is set, and over time have sometimes also defined it in config.h.
Leave it unset in config.h and move the CFLAGS logic to to ssh.mk so
that it will be set when building all ssh libraries and programs but
still be set by LOCALBASE.
Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48907
This is a companion commit to the OpenSSL 3.0.15 update.
`opensslv.h` was regenerated via the following process:
```
cd crypto/openssl
./config
git reset --hard
gmake include/openssl/opensslv.h
```
`Makefile.inc` has been updated to match.
MFC after: 1 week
MFC with: a7148ab39c
Differential Revision: https://reviews.freebsd.org/D46603
This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])
Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html
Co-authored-by: gordon
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46602
Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'
This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])
Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html
The incorrectly typed data is read only, used in a compare operation, so
neither remote code execution, nor memory content disclosure were possible.
However, applications performing certificate name checks were vulnerable to
denial of service.
The GENERAL_TYPE data type is a union, and we must take care to access the
correct member, based on `gen->type`, not all the member fields have the same
structure, and a segfault is possible if the wrong member field is read.
The code in question was lightly refactored with the intent to make it more
obviously correct.
CVE-2024-6119
(cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1)
Under certain circumstances it may call log(3), which is not async-
signal-safe.
For now just remove the blacklist integration from this path, which
means that blacklistd will not detect and firewall hosts that establish
a connection but do nothing further.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46203
This fixes a clang 19 warning:
crypto/heimdal/lib/krb5/deprecated.c:75:17: error: comparison of different enumeration types ('krb5_keytype' (aka 'enum ENCTYPE') and 'enum krb5_keytype_old') [-Werror,-Wenum-compare]
75 | if (keytype != KEYTYPE_DES || context->etypes_des == NULL)
| ~~~~~~~ ^ ~~~~~~~~~~~
In https://github.com/heimdal/heimdal/commit/3bebbe5323 this was solved
by adding a cast. That commit is rather large, so I'm only applying the
one-liner here.
MFC after: 3 days
GCC 14 (but not earlier versions) warns about a missing prototype
for getrandom(). Include <sys/random.h> explicitly to bring in the
prototype rather than depending on a nested include. While here,
stop defining sysctl_random() since it is no longer used.
Reviewed by: brooks
Fixes: 838b6caaba openssl: use getrandom(2) instead of probing for getentropy(2)
Differential Revision: https://reviews.freebsd.org/D45995
The probing for getentropy(2) relies on re-declaring getentropy(2)
as weak and checking the address, but this is incompatible with
the _FORTIFY_SOURCE symbol renaming scheme. It's always present on
all supported FreeBSD versions now so we could cut it down to
unconditional use, but there's another segment for getrandom(2)
already that's cleaner to just add us to.
We should upstream this.
Reviewed by: kib (earlier version), markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45976
Cherry-pick fix:
upstream: when sending ObscureKeystrokeTiming chaff packets, we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
Obtained from: openssh-portable 146c420d29d0
Reviewed by: gordon
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45823
Autoconf 2.72 uses '' rather tha `' in comments in config.h, from
autoconf commit 64df9b4523fe ("Autoconf now quotes 'like this' instead
of `like this'").
Switch quoting style now to minimize diffs on the next OpenSSH update
and config.h regen.
Reviewed by: gordon, philip
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45840
This release resolves 3 upstream found CVEs:
- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
MFC after: 3 days
Merge commit '1070e7dca8223387baf5155524b28f62bfe7da3c'
This release resolves 3 upstream found CVEs:
- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
FreeBSD also defines {make|swap|get|set}context for backward
compatibility, despite also exposing POSIX_VERSION 200809L in FreeBSD
15-current.
FreeBSD has defined these interfaces since FreeBSD 4.7, released over 20
years ago, so no further nuance in FreeBSD version number is necessary.
Pull Request: https://github.com/openssl/openssl/pull/23885
Sponsored by: Netflix
This change is still under review and should not have been merged
directly to main (yet).
This is a case and point for using `push.default` to nothing instead of
matching or simple.
This reverts commit 42ce242e35.
This change introduces a static copy of the fips and legacy linker version maps
generated by the OpenSSL 3.0.13 build process.
This unbreaks the fips and legacy providers by not exposing unnecessary
symbols from the fips/legacy provider shared objects shared with other
providers (base, default) and libcrypto.
More discussion:
Prior to this change, loading the fips provider indirectly from a
FreeBSD 14.0-CURRENT and 15.0-CURRENT host would result in a
process-wide deadlock when invoking select OpenSSL APIs
(CONF_modules_load* in this particular example).
Speaking with the upstream maintainers [1], it became obvious that
the FreeBSD base system was incorrectly building/linking the fips
provider, resulting in a symbol collision at runtime, and thus a
process-wide deadlock in specific circumstances. The fips provider
would deadlock when trying to acquire a write lock on internal
structures which should have only been available to the base and
default providers, as certain preprocessor ifdefs only allow specific
internal calls to be made with the base and default providers.
1. https://github.com/openssl/openssl/issues/24202
Differential Revision: https://reviews.freebsd.org/D44892
Import upstream 6747e1628:
asn1: Use unsigned bitfields for named bitsets
Signed 1-bit bitfields are undefined in C.
This should fix the following warnings, which for unknown reasons are
errors in CI:
/usr/src/crypto/heimdal/lib/hx509/ca.c:1020:22: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1020 | ku.digitalSignature = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1021:21: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1021 | ku.keyEncipherment = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1028:17: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1028 | ku.keyCertSign = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1029:13: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1029 | ku.cRLSign = 1;
| ^ ~
PR: 276960
Fixes: 1b74875929
MFC after: 1 week
Import upstream 19d378f44:
ASN.1 INTEGERs will now compile to C int64_t or uint64_t, depending
on whether the constraint ranges include numbers that cannot be
represented in 32-bit ints and whether they include negative
numbers.
Template backend support included. check-template is now built with
--template, so we know we're testing it.
Tests included.
Also adjusts the generated files:
* asn1parse.c, asn1parse.h (not strictly necessary, but nice to have)
* der-protos.h, which needs a bunch of new prototypes. I copied these
from a der-protos.h generated by the upstream build system, which
uses a perl script for this.
* adjust printf format strings for int64_t. Upstream uses %lld for this,
but that is not portable, and leads to lots of -Werror warnings.
This should fix target-dependent differences between headers generated
by asn1_compile. For example, when cross compiling world from amd64 to
i386, the generated cms_asn1.h header has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..-1),
iv OCTET STRING,
}
while a native build on i386 has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..2147483647),
iv OCTET STRING,
}
These are _both_ wrong, since the source file, cms.asn1, has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..4294967295),
iv OCTET STRING -- exactly 8 octets
}
PR: 276960
Reviewed by: cy, emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D44814
Differential Revision: https://reviews.freebsd.org/D44815
Support for a client VersionAddendum was removed in bffe60ead0, but
the option was retained (as oDeprecated) as a transition aid.
Sufficient time has passed that it can be removed.
Sponsored by: The FreeBSD Foundation
This release contains mostly bugfixes.
It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year and remove
support entirely in 2025.
Full release notes at https://www.openssh.com/txt/release-9.7
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
For one reason or another these symbols aren't present so don't try to
make them available for linkage.
In the case of libroken these seem to be compatability bits we don't
need a thus don't compile. For others it seems to rot upstream, but
I've not investigated deeply.
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D44246
This symbol table entry came in with the 1.5 import (commit
7c450da7b4), but the only other mention is a commented out entry in
lib/wind/libwind-exports.def.
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D44245
A flawed logical condition allows a malicious actor to remotely
trigger a NULL pointer dereference using a crafted negTokenInit
token.
Upstream notes:
Reported to Heimdal by Michał Kępień <michal@isc.org>.
From the report:
Acknowledgement
---------------
This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
TKEY Query Heap-based Buffer Overflow Remote Code Execution
Vulnerability, which was reported to ISC by Trend Micro's Zero Day
Security: CVE-2022-3116
Obtained from: upstream 7a19658c1
MFC after: 1 week
Import upstream 38c797e1a.
Upstream notes:
RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
excahnge when anonymous PKINIT is used. Failure to do so can
permit an active attacker to become a man-in-the-middle.
Reported by: emaste
Obtained from: upstream 38c797e1a
Security: CVE-2019-12098
MFC after: 1 week
Apply upstream 22749e918 to fix a buffer overflow.
Upstream notes:
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen
This is similar to samba CVE-2022-3437.
Reported by: emaste
Security: CVE-2022-41916
Obtained from: upstream 22749e918
MFC after: 1 week
Upstream's explanation of the problem:
S4U2Self is an extension to Kerberos used in Active Directory to allow
a service to request a kerberos ticket to itself from the Kerberos Key
Distribution Center (KDC) for a non-Kerberos authenticated user
(principal in Kerboros parlance). This is useful to allow internal
code paths to be standardized around Kerberos.
S4U2Proxy (constrained-delegation) is an extension of this mechanism
allowing this impersonation to a second service over the network. It
allows a privileged server that obtained a S4U2Self ticket to itself
to then assert the identity of that principal to a second service and
present itself as that principal to get services from the second
service.
There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
KDC checks the checksum that is placed on the S4U2Self packet by the
server to protect the requested principal against modification, it
does not confirm that the checksum algorithm that protects the user
name (principal) in the request is keyed. This allows a
man-in-the-middle attacker who can intercept the request to the KDC to
modify the packet by replacing the user name (principal) in the
request with any desired user name (principal) that exists in the KDC
and replace the checksum protecting that name with a CRC32 checksum
(which requires no prior knowledge to compute).
This would allow a S4U2Self ticket requested on behalf of user name
(principal) user@EXAMPLE.COM to any service to be changed to a
S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
the modified user name (principal).
Reported by: emaste
Security: CVE-2018-16860
Obtained from: Upstream c6257cc2c
MFC after: 1 week
Apply upstream b1e699103. This fixes a bug introduced by upstream
f469fc6 which may in some cases enable bypass of capath policy.
Upstream writes in their commit log:
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
Reported by: emaste
Security: CVE-2017-6594
Obtained from: upstream b1e699103
MFC after: 1 week
