These files were intended to track version and perhaps maintainership
information for contrib software. However, they were never used beyond
bzip2, netcat, and OpenSSH, and generally haven't been kept up to date
recently (my OpenSSH 8.7p1 update notwithstanding). Just remove them to
avoid having confusing or outdated information.
Suggested by: des
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit bdcfd222ce)
OpenSSL assumes the same value for AT_HWCAP=16 (Linux)
So it ends up calling elf_auxv_info() with AT_CANARY which
returns ENOENT, and all acceleration features are disabled.
With this, my ARM64 test machine runs the benchmark
`openssl speed -evp aes-256-gcm` nearly 20x faster
going from 100 MB/sec to 2000 MB/sec
It also improves sha256 from 300 MB/sec to 1800 MB/sec
This fix has been accepted but not yet merged upstream:
https://github.com/openssl/openssl/pull/17082
PR: 259937
Reviewed by: manu, imp
MFC after: immediate
Relnotes: yes
Fixes: 88e852c0b5 ("OpenSSL: Merge OpenSSL 1.1.1j")
Sponsored by: Ampere Computing LLC
Sponsored by: Klara Inc.
Differential Revision: https://reviews.freebsd.org/D33060
(cherry picked from commit d9bb798725)
Diff reduction against upstream: remove $FreeBSD$ tags from files where
the tag itself is the only difference from upstream.
(cherry picked from commit 0e642632e6)
/usr/include/gssapi.h claims that it is deprecated, and gssapi/gssapi.h
should be used instead. So, test HAVE_GSSAPI_GSSAPI_H first falling
back to HAVE_GSSAPI_H.
This will be submitted upstream.
Fixes: 6eac665c81 ("openssh: diff reduction against...")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31810
(cherry picked from commit 258f5f79bb)
From openssh-portable commits f3cbe43e28fe and bf944e3794ef, backported
to OpenSSH 7.9p1 on stable/13.
Reviewed by: delphij
Security: CVE-2021-41617
Differential Revision: https://reviews.freebsd.org/D32460
(cherry picked from commit 172fa4aa75)
Login class-based restrictions were introduced in 5b400a39b8. The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a9fc, bd393de91c, and
e8c56fba29.
During an attempt to upstream the work a much simpler approach was
suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.
Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from: https://github.com/openssh/openssh-portable/pull/262
Reviewed by: allanjude, kevans
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31760
(cherry picked from commit 27ceebbc24)
For some reason poly64 was omitted when this file was last generated
(perhaps it was inlined by the Clang version then in use).
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit c7b4c21ee4)
We define LIBWRAP at build time in secure/usr.sbin/sshd/Makefile if
WITH_TCPWRAPPERS is in effect, so it should not be set in config.h.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 36cd1e5e8c)
freebsd-configure.sh runs configure twice, --with-kerberos5 and
--without-kerberos5, in order to build a config.h that defaults to
kerberos5 disabled, and a small config file that represents the
differences.
Rename config.h.orig to config.h.kerberos5 to clarify the intent of this
script.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 5e4dd21fd6)
Tools like Phabricator use the @generated tag to identify files that
may be excluded from review by default.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit b3e858f762)
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3.
NB: This commit has not yet been merged upstream as it is deemed a new
feature and did not make the feature freeze cutoff for OpenSSL 3.0.
Reviewed by: jkim
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31443
(cherry picked from commit 6372fd253e)
Most of this upstream commit touched tests not included in the
vendor import. The one change merged in is to remove a constant
only present in an internal header to appease the older tests.
Reviewed by: jkim
Obtained from: OpenSSL (e1fdd5262e4a45ce3aaa631768e877ee7b6da21b)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31442
(cherry picked from commit d6e78ecb0b)
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.
Reviewed by: jkim
Obtained from: OpenSSL (6878f4300213cfd7d4f01e26a8b97f70344da100)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31441
(cherry picked from commit a208223130)
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.
Instead we change KTLS so that it is disabled by default.
We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).
Reviewed by: jkim
Obtained from: OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31440
(cherry picked from commit 62ca9fc1ad)
Linux kernel is going to support ChaCha20-Poly1305 in TLS offload.
Add support for this cipher.
Reviewed by: jkim
Obtained from: OpenSSL (3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31439
(cherry picked from commit 63c6d3e283)
BIO_get_ktls_send() and BIO_get_ktls_recv() are documented as
returning either 0 or 1. However, they were actually returning the
internal value of the associated BIO flag for the true case instead of
1.
Also trim redundant ternary operators.
Reviewed by: jkim
Obtained from: OpenSSL (f16e52b67c9261bdc7e1284a50502a802921ac6d)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31438
(cherry picked from commit 334d228a20)
Replace it with a tutorial hosted on kerberos.org and the classic
"dialogue" from Bill Bryant. The change has been reported and
merged upstream (https://github.com/heimdal/heimdal/commit/7f3445f1b7).
PR: 251854
Reported by: ktullavik@gmail.com
Submitted by: bjk (upstream github)
Reviewed by: bcr
(cherry picked from commit 80ba60f643)
Add a handler for EBUSY sendfile error in addition to
EAGAIN. With EBUSY returned the data still can be partially
sent and user code has to be notified about it, otherwise it
may try to send data multiple times.
PR: 251969
Obtained from: OpenSSL (dfcfd17f2818cf520ce6381aed9ec3d2fc12170d)
Sponsored by: Netflix (merging to FreeBSD)
(cherry picked from commit 9b2f020c14)
This was introduced in 03f6c5cd93, which added use of
sysctl net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED,
but it appears the rest of that change was lost in some subsequent
update.
The change should probably be restored, but until then there is no
reason to leave an unused variable around.
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 9e14b918f9)
This was introduced in 8998619212, and left behind when the hpn-ssh
patches were removed in 60c59fad88. Although Being able to log
SO_RCVBUF in debug mode might have some small value on its own, it's
not worth carrying an extra diff against upstream.
Reviewed by: kevans
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D28610
(cherry picked from commit a62dc346f6)
These appear to be leftovers from ca86bcf253 and f7167e0ea0
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 154adbbeb8)
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.
Note that TLS 1.3 only supports TX offload.
A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support. It defaults to enabled on amd64 and disabled on all
other architectures.
Sponsored by: Netflix
(cherry picked from commit aa906e2a49)
OpenSSL commit 3db2c9f3:
Complain if we are attempting to encode with an invalid ASN.1 template
OpenSSL commit 43a7033:
Check that multi-strings/CHOICE types don't use implicit tagging
OpenSSL commit f960d812:
Correctly compare EdiPartyName in GENERAL_NAME_cmp()
Obtained from: OpenSSL 3db2c9f3, 43a7033, f960d812
Security: CVE-2020-1971
Literal references to /usr/local exist in a large number of files in
the FreeBSD base system. Many are in contributed software, in configuration
files, or in the documentation, but 19 uses have been identified in C
source files or headers outside the contrib and sys/contrib directories.
This commit makes it possible to set _PATH_LOCALBASE in paths.h to use
a different prefix for locally installed software.
In order to avoid changes to openssh source files, LOCALBASE is passed to
the build via Makefiles under src/secure. While _PATH_LOCALBASE could have
been used here, there is precedent in the construction of the path used to
a xauth program which depends on the LOCALBASE value passed on the compiler
command line to select a non-default directory.
This could be changed in a later commit to make the openssh build
consistently use _PATH_LOCALBASE. It is considered out-of-scope for this
commit.
Reviewed by: imp
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D26942
blacklistd has been renamed to blocklistd upstream, and a future
import into FreeBSD will follow that change. Support the new name
as an alias in config files.
Reviewed by: bz, delphij
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D25865
A base system OpenSSH update in 2016 or so removed a number of ciphers
from the default lists offered by the server/client, due to known
weaknesses. This caused POLA issues for some users and prompted
PR207679; the ciphers were restored to the default lists in r296634.
When upstream removed these ciphers from the default server list, they
moved them to the client-only default list. They were subsequently
removed from the client default, in OpenSSH 7.9p1.
The change has persisted long enough. Remove these extra ciphers from
both the server and client default lists, in advance of FreeBSD 13.
Reviewed by: markm, rgrimes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D25833
This change was made upstream between 7.9p1 and 8.0p1. We've made local
changes in the same places for handling the version_addendum; apply the
SSLeay_version to OpenSSL_version change in advance of importing 8.0p1.
This should have been part of r363225.
Obtained from: OpenSSH-portable a65784c9f9c5
MFC with: r363225
Sponsored by: The FreeBSD Foundation
This change was made upstream between 7.9p1 and 8.0p1. We've made local
changes in the same places for handling the version_addendum; apply the
SSLeay_version to OpenSSL_version change in advance of importing 8.0p1.
Obtained from: OpenSSH-portable a65784c9f9c5
Sponsored by: The FreeBSD Foundation
The logging was introduced in r314527 but doesn't appear to be useful
for regular operation, and as the result, for users with no class set
(very common) the administrator would see a message like this in their
auth.log:
sshd[44251]: user root login class [preauth]
(note that the class was "" because that's what's typically configured
for most users; we would get 'default' if lc->lc_class is chosen)
Remove this log as it can be annoying as the lookup happen before
authentication and repeats, and our code is not acting upon lc_class
or pw_class directly anyways.
Reviewed by: cem, imp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D24997
