Commit Graph

3084 Commits

Author SHA1 Message Date
christos 1023804e38 * TROUSERS_0_3_14
- Changes to support OpenSSL 1.1.0
- Removed some warnings for proper builds
- Changes to allow building on OS X
- Fixed memory leaks
- Fixed failure to recognize connections from localhost over IPv6
- Fixed for an exploitable local denial of service in tcsd

* TROUSERS_0_3_13
- Changed exported functions which had a name too common, to avoid collision
- Assessed daemon security using manual techniques and coverit
- Fixed major security bugs and memory leaks
- Added debug support to run tcsd with a different user/group
- Daemon now properly closes sockets before shutting down

* TROUSERS_0_3_12
- Added new network code for RPC, which supports IPv6
- Users of client applications can configure the hostname of the tcsd server
they want to connect through the TSS_TCSD_HOSTNAME env var (only works if
application didn't set a hostname in the context)
- Added disable_ipv4 and disable_ipv6 config options for server

* TROUSERS_0_3_11
- Fix build process for distros
- License was changed from GPL to BSD
- Many bugfixes
- updated man pages
2019-01-07 14:57:23 +00:00
christos ba1213d69a regen 2019-01-06 22:22:02 +00:00
christos 6210d3c848 PR/53838: Scole Mail: OPENSSL_rdtsc() is reading a time counter
for randomness, and the powerpc code uses mftbu and mftb for access.
The 601 is different than other powerpcs. It doesn't have a time
base register (TBR), but a real time clock (RTC) so it needs to
use different calls like mfrtcu/mfrtcl instead.
2019-01-06 22:20:50 +00:00
christos a391bfdb6d add new file (Robert Swindells) 2018-12-09 21:39:48 +00:00
christos deb6f0161a Add engines infrastructure, not hooked to the build:
1. sets needs to be fixed
2. need to decide if I am going to add engine.so.MAJOR or use engine.so
   like OpenSSL wants
3. padlock is MD (x86) needs asm to be added, and conditionally built
2018-12-08 23:24:01 +00:00
christos bf8eace1c0 Merge conflicts 2018-12-08 22:35:42 +00:00
christos f4f044c4b1 Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
*) Timing vulnerability in DSA signature generation

     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
     timing side channel attack. An attacker could use variations in the signing
     algorithm to recover the private key.

     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
     (CVE-2018-0734)
     [Paul Dale]

  *) Timing vulnerability in ECDSA signature generation

     The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
     timing side channel attack. An attacker could use variations in the signing
     algorithm to recover the private key.

     This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
     (CVE-2018-0735)
     [Paul Dale]

  *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
     the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
     are retained for backwards compatibility.
     [Antoine Salon]

  *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
     if its length exceeds 4096 bytes. The limit has been raised to a buffer size
     of two gigabytes and the error handling improved.

     This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
     categorized as a normal bug, not a security issue, because the DRBG reseeds
     automatically and is fully functional even without additional randomness
     provided by the application.
2018-12-08 22:33:03 +00:00
christos 0ef48146df Put back devcrypto (what was called cryptodev) engine support. 2018-12-08 17:07:27 +00:00
maya 5e0e9ff149 Don't expose a getauxval symbol.
The code already knows how to handle it, but it assumes anyone who uses
GCC or clang might resolve the getauxval function to something eventually.

The only time we will expose getauxval is if a package tries to substitute
getauxval too, and then code will start having mysterious failures.

getauxval is purely a linux function (as far as I can see), so limit it to
that.

PR pkg/53387, PR port-arm/53386
2018-11-20 07:30:17 +00:00
ozaki-r 16fc099a65 Use Cm instead of Li or Ar for fixed command strings 2018-11-19 04:54:37 +00:00
mlelstv 3118701f5e Fix some error handling, json support, keyring handling. 2018-11-13 14:52:30 +00:00
martin f6fb28f512 Ooops - fix editor accident in previous 2018-10-15 12:45:52 +00:00
martin ad88e5ac0b Define OPENSSL_NO_EC_NISTP_64_GCC_128 for sparc64, the code does
not work there (or maybe any big endian machine).
Fixes PR bin/53670.
2018-10-15 12:27:58 +00:00
maxv f1c81f6829 Remove dead files that have never been built, and likely can't build since
they are not correct C files.
2018-10-14 08:36:09 +00:00
maxv 0fe8cb7566 Clean up setkey: remove dead wood, KNF, localify, and slightly improve. 2018-10-14 08:27:39 +00:00
maxv 7666e47285 Fix SF#24: incorrect authentication algorithms, copy-pasto. 2018-10-13 15:38:28 +00:00
maxv 2be45af163 Fix ticket SF#91: pass the correct size for tbuf. 2018-10-13 15:17:45 +00:00
maxv 05d534bebd Reduce the diff against the latest release. Also remove netbsd-import.sh,
since we are upstream now.
2018-10-13 15:08:51 +00:00
christos f84d9921ff Add the EC_GFp_nistp*_method's 2018-10-10 14:57:31 +00:00
martin c822cfe197 On 32bit platforms set OPENSSL_NO_EC_NISTP_64_GCC_128 again, the non
standard __uint128_t is required for the code, but only provided by gcc
on 64bit archs.
2018-10-10 06:16:55 +00:00
christos 34a6ee4275 enable OPENSSL_NO_EC_NISTP_64_GCC_128, requested by wiz 2018-10-10 01:29:25 +00:00
christos be750853ee elide a warning that triggers on arm/clang 2018-10-08 18:01:23 +00:00
christos 006807b168 Skip man pages that conflict (but have different case with libc: {hmac,md5}.3
and libdes: des_random_key.3)
2018-10-08 16:31:35 +00:00
christos 5f39f5717b disable another clang warning 2018-10-06 15:31:09 +00:00
christos 52b4b66650 From Thomas Reim:
Current racoon code cannot detect duplicate last fragments as it uses
the fragment flag instead of the fragment number.

The code does not consider that the IKE payload fragments might not be
received in the correct order. In this case, packet complete detection
will again fail and VPN clients abandoned from VPN service.
Nevertheless, clients still can add fragments to the fragment queue and
fill it up to the possible 255 fragments. Only duplicates are detected,
but not the fragments with a number greater than the last fragment
number.

The last fragment number is kept in the Phase 1 handler
after fragment queue deletion, which may lead to error notifications
after succesful reassembly of the IKE phase 1 message.

In general, the 2017's CVE fix added laconic and difficult to understand
failure notifications, which do not much help for analysis, why a VPN
client was blocked by racoon server.

This patch fixes the code and aligns it to Microsoft/Cisco IKE
fragmentation specification. It provides error logging which is in line
with above specification and adds some debug info to the logs to better
support analysis VPN client blackballing.

XXX: pullup-8
2018-10-05 20:12:37 +00:00
joerg 04f39e5059 Add missing format string annotation. 2018-10-04 13:38:41 +00:00
christos 1eb7c866e6 Don't treat mostly connection closed events as filtering events.
There a a failed to negotiate instance too, but I don't want to generate
more diff.
2018-10-02 22:44:07 +00:00
christos 6ed279ad58 Undo previous change. It made filtering a lot more aggressive. 2018-10-02 22:40:28 +00:00
christos 451f4db714 PR/53646: Thomas Reim: Incorrect detection of the packet complete code in
fragment list check.

While the fix in https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

	- if (i > last_frag) /* It is complete */
	+ if (i >= last_frag) /* It is complete */

has the correct behavior, it violates the test for successful
completion of the invariant of the loop:

    for (i = 1; i <= last_frag; i++) {
	if (!check_fragment_index())
	    break;
    }
    if (i > last_frag)
	return ok;

It is better to move the check for NULL in the loop earlier, so that
the final iteration is done and the test is kept the same. It makes
the code easier to understand and preserves the original intent.

XXX: pullup-8
2018-10-02 18:49:24 +00:00
christos 277582e5d7 Use hex string syntax to prevent overflow warnings for character constants
>= 128.
2018-10-02 13:53:51 +00:00
christos 949cd49583 Annotate format functions and fix format errors. 2018-09-30 19:23:13 +00:00
martin 7cf9d82c2e Newer gcc seems to use __ARM_ARCH_ISA_THUMB to tell use we have thumb
instructions available
2018-09-30 09:46:41 +00:00
martin cde2e090ac Regen 2018-09-29 19:45:18 +00:00
martin 2cc7a20425 Upstream does not support armv4 any more - but it is trivial to add
add regen time. Make the "regen" target here do it.
2018-09-29 19:44:57 +00:00
christos 5c87189615 be less aggressive about blocking connections from disconnected sessions. 2018-09-29 15:10:44 +00:00
christos 52fef4034c fix build 2018-09-28 17:28:01 +00:00
christos 9c90d67021 Remove debugging accidentally left in! Noticed by Tobias Ulmer 2018-09-27 18:18:53 +00:00
christos 285c5abcb8 use the standard code instead of ours 2018-09-25 14:17:49 +00:00
christos 0d38e0d044 no need for our copy of memequal 2018-09-25 14:16:33 +00:00
christos d6dadc43cc put back sparccap.c; too hard to iron out the bn_mont stuff. 2018-09-24 20:36:51 +00:00
christos 777e7b79f5 sparcv9cap is a c file. 2018-09-24 20:15:38 +00:00
christos 72ff73fc7e use sparcv9cap.S 2018-09-24 19:50:51 +00:00
christos ed78d1de0f Don't include the libc CRYPTO_memcmp file (it has a different prototype
now) and it is provided by openssl in C, or use the assembly versions.
2018-09-24 11:03:39 +00:00
christos d06d8258da don't override the sha man page provided by libc. 2018-09-24 11:02:12 +00:00
christos 9f80cc1672 sparc has memcmp and cpuid 2018-09-24 00:45:12 +00:00
christos 9d109c93ae we provide memcmp and rdtsc 2018-09-23 21:44:01 +00:00
christos d99d513f3c Kill stack protector warnings.
XXX: need to understand why gcc complains; it is not obvious to me.
2018-09-23 21:43:00 +00:00
christos 600c077f8b oops forgot to commit (add libcryptotest) 2018-09-23 15:08:41 +00:00
christos e0ea3921ea merge conflicts 2018-09-23 13:32:54 +00:00
christos 13d40330b8 OpenSSL CHANGES
_______________

 This is a high-level summary of the most important changes.
 For a full list of changes, see the git commit log; for example,
 https://github.com/openssl/openssl/commits/ and pick the appropriate
 release branch.

 Changes between 1.1.0i and 1.1.1 [11 Sep 2018]

  *) Add a new ClientHello callback. Provides a callback interface that gives
     the application the ability to adjust the nascent SSL object at the
     earliest stage of ClientHello processing, immediately after extensions have
     been collected but before they have been processed. In particular, this
     callback can adjust the supported TLS versions in response to the contents
     of the ClientHello
     [Benjamin Kaduk]

  *) Add SM2 base algorithm support.
     [Jack Lloyd]

  *) s390x assembly pack: add (improved) hardware-support for the following
     cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
     aes-cfb/cfb8, aes-ecb.
     [Patrick Steuer]

  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.
     [Richard Levitte]

  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
     step for prime curves. The new implementation is based on formulae from
     differential addition-and-doubling in homogeneous projective coordinates
     from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
     against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
     and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
     to work in projective coordinates.
     [Billy Bob Brumley, Nicola Tuveri]

  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
     [Kurt Roeckx]

  *) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
     moving between systems, and to avoid confusion when a Windows build is
     done with mingw vs with MSVC.  For POSIX installs, there's still a
     symlink or copy named 'tsget' to avoid that confusion as well.
     [Richard Levitte]

  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
     step for binary curves. The new implementation is based on formulae from
     differential addition-and-doubling in mixed Lopez-Dahab projective
     coordinates, modified to independently blind the operands.
     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]

  *) Add a scaffold to optionally enhance the Montgomery ladder implementation
     for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
     EC_METHODs to implement their own specialized "ladder step", to take
     advantage of more favorable coordinate systems or more efficient
     differential addition-and-doubling algorithms.
     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]

  *) Modified the random device based seed sources to keep the relevant
     file descriptors open rather than reopening them on each access.
     This allows such sources to operate in a chroot() jail without
     the associated device nodes being available. This behaviour can be
     controlled using RAND_keep_random_devices_open().
     [Paul Dale]

  *) Numerous side-channel attack mitigations have been applied. This may have
     performance impacts for some algorithms for the benefit of improved
     security. Specific changes are noted in this change log by their respective
     authors.
     [Matt Caswell]

  *) AIX shared library support overhaul. Switch to AIX "natural" way of
     handling shared libraries, which means collecting shared objects of
     different versions and bitnesses in one common archive. This allows to
     mitigate conflict between 1.0 and 1.1 side-by-side installations. It
     doesn't affect the way 3rd party applications are linked, only how
     multi-version installation is managed.
     [Andy Polyakov]

  *) Make ec_group_do_inverse_ord() more robust and available to other
     EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
     mitigations are applied to the fallback BN_mod_inverse().
     When using this function rather than BN_mod_inverse() directly, new
     EC cryptosystem implementations are then safer-by-default.
     [Billy Bob Brumley]

  *) Add coordinate blinding for EC_POINT and implement projective
     coordinate blinding for generic prime curves as a countermeasure to
     chosen point SCA attacks.
     [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) Enforce checking in the pkeyutl command line app to ensure that the input
     length does not exceed the maximum supported digest length when performing
     a sign, verify or verifyrecover operation.
     [Matt Caswell]

  *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
     I/O in combination with something like select() or poll() will hang. This
     can be turned off again using SSL_CTX_clear_mode().
     Many applications do not properly handle non-application data records, and
     TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
     around the problems in those applications, but can also break some.
     It's recommended to read the manpages about SSL_read(), SSL_write(),
     SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
     SSL_CTX_set_read_ahead() again.
     [Kurt Roeckx]

  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

  *) Apply blinding to binary field modular inversion and remove patent
     pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
     [Billy Bob Brumley]

  *) Deprecate ec2_mult.c and unify scalar multiplication code paths for
     binary and prime elliptic curves.
     [Billy Bob Brumley]

  *) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
     constant time fixed point multiplication.
     [Billy Bob Brumley]

  *) Revise elliptic curve scalar multiplication with timing attack
     defenses: ec_wNAF_mul redirects to a constant time implementation
     when computing fixed point and variable point multiplication (which
     in OpenSSL are mostly used with secret scalars in keygen, sign,
     ECDH derive operations).
     [Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
      Sohaib ul Hassan]

  *) Updated CONTRIBUTING
     [Rich Salz]

  *) Updated DRBG / RAND to request nonce and additional low entropy
     randomness from the system.
     [Matthias St. Pierre]

  *) Updated 'openssl rehash' to use OpenSSL consistent default.
     [Richard Levitte]

  *) Moved the load of the ssl_conf module to libcrypto, which helps
     loading engines that libssl uses before libssl is initialised.
     [Matt Caswell]

  *) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
     [Matt Caswell]

  *) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
     [Ingo Schwarze, Rich Salz]

  *) Added output of accepting IP address and port for 'openssl s_server'
     [Richard Levitte]

  *) Added a new API for TLSv1.3 ciphersuites:
        SSL_CTX_set_ciphersuites()
        SSL_set_ciphersuites()
     [Matt Caswell]

  *) Memory allocation failures consistenly add an error to the error
     stack.
     [Rich Salz]

  *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
     in libcrypto when run as setuid/setgid.
     [Bernd Edlinger]

  *) Load any config file by default when libssl is used.
     [Matt Caswell]

  *) Added new public header file <openssl/rand_drbg.h> and documentation
     for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
     [Matthias St. Pierre]

  *) QNX support removed (cannot find contributors to get their approval
     for the license change).
     [Rich Salz]

  *) TLSv1.3 replay protection for early data has been implemented. See the
     SSL_read_early_data() man page for further details.
     [Matt Caswell]

  *) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
     configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
     below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
     In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
     would otherwise inadvertently disable all TLSv1.3 ciphersuites the
     configuration has been separated out. See the ciphers man page or the
     SSL_CTX_set_ciphersuites() man page for more information.
     [Matt Caswell]

  *) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
     in responder mode now supports the new "-multi" option, which
     spawns the specified number of child processes to handle OCSP
     requests.  The "-timeout" option now also limits the OCSP
     responder's patience to wait to receive the full client request
     on a newly accepted connection. Child processes are respawned
     as needed, and the CA index file is automatically reloaded
     when changed.  This makes it possible to run the "ocsp" responder
     as a long-running service, making the OpenSSL CA somewhat more
     feature-complete.  In this mode, most diagnostic messages logged
     after entering the event loop are logged via syslog(3) rather than
     written to stderr.
     [Viktor Dukhovni]

  *) Added support for X448 and Ed448. Heavily based on original work by
     Mike Hamburg.
     [Matt Caswell]

  *) Extend OSSL_STORE with capabilities to search and to narrow the set of
     objects loaded.  This adds the functions OSSL_STORE_expect() and
     OSSL_STORE_find() as well as needed tools to construct searches and
     get the search data out of them.
     [Richard Levitte]

  *) Support for TLSv1.3 added. Note that users upgrading from an earlier
     version of OpenSSL should review their configuration settings to ensure
     that they are still appropriate for TLSv1.3. For further information see:
     https://wiki.openssl.org/index.php/TLS1.3
     [Matt Caswell]

  *) Grand redesign of the OpenSSL random generator

     The default RAND method now utilizes an AES-CTR DRBG according to
     NIST standard SP 800-90Ar1. The new random generator is essentially
     a port of the default random generator from the OpenSSL FIPS 2.0
     object module. It is a hybrid deterministic random bit generator
     using an AES-CTR bit stream and which seeds and reseeds itself
     automatically using trusted system entropy sources.

     Some of its new features are:
      o Support for multiple DRBG instances with seed chaining.
      o The default RAND method makes use of a DRBG.
      o There is a public and private DRBG instance.
      o The DRBG instances are fork-safe.
      o Keep all global DRBG instances on the secure heap if it is enabled.
      o The public and private DRBG instance are per thread for lock free
        operation
     [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]

  *) Changed Configure so it only says what it does and doesn't dump
     so much data.  Instead, ./configdata.pm should be used as a script
     to display all sorts of configuration data.
     [Richard Levitte]

  *) Added processing of "make variables" to Configure.
     [Richard Levitte]

  *) Added SHA512/224 and SHA512/256 algorithm support.
     [Paul Dale]

  *) The last traces of Netware support, first removed in 1.1.0, have
     now been removed.
     [Rich Salz]

  *) Get rid of Makefile.shared, and in the process, make the processing
     of certain files (rc.obj, or the .def/.map/.opt files produced from
     the ordinal files) more visible and hopefully easier to trace and
     debug (or make silent).
     [Richard Levitte]

  *) Make it possible to have environment variable assignments as
     arguments to config / Configure.
     [Richard Levitte]

  *) Add multi-prime RSA (RFC 8017) support.
     [Paul Yang]

  *) Add SM3 implemented according to GB/T 32905-2016
     [ Jack Lloyd <jack.lloyd@ribose.com>,
       Ronald Tse <ronald.tse@ribose.com>,
       Erick Borsboom <erick.borsboom@ribose.com> ]

  *) Add 'Maximum Fragment Length' TLS extension negotiation and support
     as documented in RFC6066.
     Based on a patch from Tomasz Moń
     [Filipe Raimundo da Silva]

  *) Add SM4 implemented according to GB/T 32907-2016.
     [ Jack Lloyd <jack.lloyd@ribose.com>,
       Ronald Tse <ronald.tse@ribose.com>,
       Erick Borsboom <erick.borsboom@ribose.com> ]

  *) Reimplement -newreq-nodes and ERR_error_string_n; the
     original author does not agree with the license change.
     [Rich Salz]

  *) Add ARIA AEAD TLS support.
     [Jon Spillett]

  *) Some macro definitions to support VS6 have been removed.  Visual
     Studio 6 has not worked since 1.1.0
     [Rich Salz]

  *) Add ERR_clear_last_mark(), to allow callers to clear the last mark
     without clearing the errors.
     [Richard Levitte]

  *) Add "atfork" functions.  If building on a system that without
     pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
     requirements.  The RAND facility now uses/requires this.
     [Rich Salz]

  *) Add SHA3.
     [Andy Polyakov]

  *) The UI API becomes a permanent and integral part of libcrypto, i.e.
     not possible to disable entirely.  However, it's still possible to
     disable the console reading UI method, UI_OpenSSL() (use UI_null()
     as a fallback).

     To disable, configure with 'no-ui-console'.  'no-ui' is still
     possible to use as an alias.  Check at compile time with the
     macro OPENSSL_NO_UI_CONSOLE.  The macro OPENSSL_NO_UI is still
     possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
     [Richard Levitte]

  *) Add a STORE module, which implements a uniform and URI based reader of
     stores that can contain keys, certificates, CRLs and numerous other
     objects.  The main API is loosely based on a few stdio functions,
     and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
     OSSL_STORE_error and OSSL_STORE_close.
     The implementation uses backends called "loaders" to implement arbitrary
     URI schemes.  There is one built in "loader" for the 'file' scheme.
     [Richard Levitte]

  *) Add devcrypto engine.  This has been implemented against cryptodev-linux,
     then adjusted to work on FreeBSD 8.4 as well.
     Enable by configuring with 'enable-devcryptoeng'.  This is done by default
     on BSD implementations, as cryptodev.h is assumed to exist on all of them.
     [Richard Levitte]

  *) Module names can prefixed with OSSL_ or OPENSSL_.  This affects
     util/mkerr.pl, which is adapted to allow those prefixes, leading to
     error code calls like this:

         OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);

     With this change, we claim the namespaces OSSL and OPENSSL in a manner
     that can be encoded in C.  For the foreseeable future, this will only
     affect new modules.
     [Richard Levitte and Tim Hudson]

  *) Removed BSD cryptodev engine.
     [Rich Salz]

  *) Add a build target 'build_all_generated', to build all generated files
     and only that.  This can be used to prepare everything that requires
     things like perl for a system that lacks perl and then move everything
     to that system and do the rest of the build there.
     [Richard Levitte]

  *) In the UI interface, make it possible to duplicate the user data.  This
     can be used by engines that need to retain the data for a longer time
     than just the call where this user data is passed.
     [Richard Levitte]

  *) Ignore the '-named_curve auto' value for compatibility of applications
     with OpenSSL 1.0.2.
     [Tomas Mraz <tmraz@fedoraproject.org>]

  *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
     bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
     alerts across multiple records (some of which could be empty). In practice
     it make no sense to send an empty alert record, or to fragment one. TLSv1.3
     prohibts this altogether and other libraries (BoringSSL, NSS) do not
     support this at all. Supporting it adds significant complexity to the
     record layer, and its removal is unlikely to cause inter-operability
     issues.
     [Matt Caswell]

  *) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
     with Z.  These are meant to replace LONG and ZLONG and to be size safe.
     The use of LONG and ZLONG is discouraged and scheduled for deprecation
     in OpenSSL 1.2.0.
     [Richard Levitte]

  *) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
     'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
     [Richard Levitte, Andy Polyakov]

  *) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
     does for RSA, etc.
     [Richard Levitte]

  *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
     platform rather than 'mingw'.
     [Richard Levitte]

  *) The functions X509_STORE_add_cert and X509_STORE_add_crl return
     success if they are asked to add an object which already exists
     in the store. This change cascades to other functions which load
     certificates and CRLs.
     [Paul Dale]

  *) x86_64 assembly pack: annotate code with DWARF CFI directives to
     facilitate stack unwinding even from assembly subroutines.
     [Andy Polyakov]

  *) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
     Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
     [Richard Levitte]

  *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
     VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
     which is the minimum version we support.
     [Richard Levitte]

  *) Certificate time validation (X509_cmp_time) enforces stricter
     compliance with RFC 5280. Fractional seconds and timezone offsets
     are no longer allowed.
     [Emilia Käsper]

  *) Add support for ARIA
     [Paul Dale]

  *) s_client will now send the Server Name Indication (SNI) extension by
     default unless the new "-noservername" option is used. The server name is
     based on the host provided to the "-connect" option unless overridden by
     using "-servername".
     [Matt Caswell]

  *) Add support for SipHash
     [Todd Short]

  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
     prevent issues where no progress is being made and the peer continually
     sends unrecognised record types, using up resources processing them.
     [Matt Caswell]

  *) 'openssl passwd' can now produce SHA256 and SHA512 based output,
     using the algorithm defined in
     https://www.akkadia.org/drepper/SHA-crypt.txt
     [Richard Levitte]

  *) Heartbeat support has been removed; the ABI is changed for now.
     [Richard Levitte, Rich Salz]

  *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
     [Emilia Käsper]

  *) The RSA "null" method, which was partially supported to avoid patent
     issues, has been replaced to always returns NULL.
     [Rich Salz]
2018-09-23 13:17:27 +00:00
maxv c1cd5851ce Remove dead references to netinet6/ipsec.h. 2018-09-06 09:54:36 +00:00
maxv 6890048b2b sync with reality 2018-09-06 09:38:05 +00:00
christos 85196978fc fix memory leaks: https://github.com/NetBSD/src/issues/6 2018-08-28 09:10:28 +00:00
tnn 6aea9f691d annotate pthread_exit as __dead (to appease clang) 2018-08-27 17:47:48 +00:00
christos 55a4608bfb merge conflicts 2018-08-26 07:46:36 +00:00
christos 78a9456a0a Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh-keygen(1): write OpenSSH format private keys by default
   instead of using OpenSSL's PEM format. The OpenSSH format,
   supported in OpenSSH releases since 2014 and described in the
   PROTOCOL.key file in the source distribution, offers substantially
   better protection against offline password guessing and supports
   key comments in private keys. If necessary, it is possible to write
   old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments
   when generating or updating a key.

 * sshd(8): remove internal support for S/Key multiple factor
   authentication. S/Key may still be used via PAM or BSD auth.

 * ssh(1): remove vestigal support for running ssh(1) as setuid. This
   used to be required for hostbased authentication and the (long
   gone) rhosts-style authentication, but has not been necessary for
   a long time. Attempting to execute ssh as a setuid binary, or with
   uid != effective uid will now yield a fatal error at runtime.

 * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar
   HostbasedAcceptedKeyTypes options have changed. These now specify
   signature algorithms that are accepted for their respective
   authentication mechanism, where previously they specified accepted
   key types. This distinction matters when using the RSA/SHA2
   signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their
   certificate counterparts. Configurations that override these
   options but omit these algorithm names may cause unexpected
   authentication failures (no action is required for configurations
   that accept the default for these options).

 * sshd(8): the precedence of session environment variables has
   changed. ~/.ssh/environment and environment="..." options in
   authorized_keys files can no longer override SSH_* variables set
   implicitly by sshd.

 * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed.
   They will now use DSCP AF21 for interactive traffic and CS1 for
   bulk.  For a detailed rationale, please see the commit message:
   https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 07:39:56 +00:00
kre 6016e29be1 Revert previous and do it the way it is supposed to be done.
Thanks to the heads up from rjs@
2018-08-18 23:35:18 +00:00
kre 8df699ecee Allow the symbols in the newly added conf_ssl.c to be exposed as globals. 2018-08-18 17:37:25 +00:00
rjs b338538cf3 Add conf_ssl.c to build. 2018-08-18 16:40:02 +00:00
christos 2500041cec merge conflicts 2018-08-18 08:59:03 +00:00
christos 132cc1c4ae Changes between 1.1.0h and 1.1.0i [14 Aug 2018]
*) Client DoS due to large DH parameter

     During key agreement in a TLS handshake using a DH(E) based ciphersuite a
     malicious server can send a very large prime value to the client. This will
     cause the client to spend an unreasonably long period of time generating a
     key for this prime resulting in a hang until the client has finished. This
     could be exploited in a Denial Of Service attack.

     This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
     (CVE-2018-0732)
     [Guido Vranken]

  *) Cache timing vulnerability in RSA Key Generation

     The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
     a cache timing side channel attack. An attacker with sufficient access to
     mount cache timing attacks during the RSA key generation process could
     recover the private key.

     This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
     Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
     (CVE-2018-0737)
     [Billy Brumley]

  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.
     [Richard Levitte]

  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
     [Kurt Roeckx]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

  *) Certificate time validation (X509_cmp_time) enforces stricter
     compliance with RFC 5280. Fractional seconds and timezone offsets
     are no longer allowed.
     [Emilia Käsper]

  *) Fixed a text canonicalisation bug in CMS

     Where a CMS detached signature is used with text content the text goes
     through a canonicalisation process first prior to signing or verifying a
     signature. This process strips trailing space at the end of lines, converts
     line terminators to CRLF and removes additional trailing line terminators
     at the end of a file. A bug in the canonicalisation process meant that
     some characters, such as form-feed, were incorrectly treated as whitespace
     and removed. This is contrary to the specification (RFC5485). This fix
     could mean that detached text data signed with an earlier version of
     OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
     signed with a fixed OpenSSL may fail to verify with an earlier version of
     OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
     and use the "-binary" flag (for the "cms" command line application) or set
     the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
     [Matt Caswell]
2018-08-18 08:30:43 +00:00
christos 0fdeed761f add another exit 254 to avoid blacklistd notification 2018-08-13 09:55:20 +00:00
christos fd2346d686 avoid redefinition 2018-08-13 09:54:19 +00:00
christos efb7d8e3ed sprinke const 2018-08-13 09:53:51 +00:00
christos d06e49026c change some 255's to 254's to avoid being too aggressive blacklisting. 2018-08-09 08:32:41 +00:00
christos a6c76c426a Add missing functions for racoon2 to compile under netbsd-8
From Chuck Zmudzinski
XXX: pullup-8 (to openssl not openssl.old)
2018-08-08 19:19:36 +00:00
kre 08d8416c00 Add a "gcc is stupid" comment to the previous change, as even
the most cursory analysis shows that the var ("eg") is not (cannot
be) used unitialialised, just gcc is too dumb to work it out.

In this case, the code could be rewritten easily enough to
appease even gcc, but that would cause unnecessary code churn,
and some minor duplication, so just put up with the nonsense init...
2018-08-03 12:49:41 +00:00
kamil 33878bd4a3 Appease GCC in the openssh code when built with UBSan
Initialize eg to NULL in sshkey_ecdsa_key_to_nid().
The compiler warns that it might be uninitialized.
2018-08-03 04:32:12 +00:00
christos e4d58523d5 remove -DGHASH_ASM_X86; it is already defined. 2018-08-01 13:46:58 +00:00
christos ff9b27fb63 Add missing defines:
https://github.com/openssl/openssl/pull/6828
When ghash-x86.S is generated with -DOPENSSL_IA32_SSE2 we need to compile
gcm128.c with the same flags.
Reported by manu@
2018-08-01 11:39:53 +00:00
kamil f57bc4a2fe Avoid undefined behavior in netpgpverify/sha2.c
Do not change the signedness bit with a left shift operation.
Cast to unsigned integer to prevent this.

sha2.c:79:16, left shift of 154 by 24 places cannot be represented in type 'int'

Detected with micro-UBSan in the user mode.
2018-07-26 00:31:13 +00:00
kamil 518ec213b0 Avoid undefined behavior in netpgpverify
Do not change the signedness bit with a left shift operation.
Cast to unsigned integer to prevent this.

pgpsum.c:187:18, left shift of 130 by 24 places cannot be represented in type 'int'

Detected with micro-UBSan in the user mode.
2018-07-26 00:26:45 +00:00
wiz 21ab6dd43b Fix Dd argument. 2018-07-18 16:42:49 +00:00
joerg 2b1a674ab1 Drop special case for clang/aarch64. 2018-07-17 18:56:24 +00:00
christos 44192cc494 limit the aarch64 hack to clang. 2018-07-16 00:47:54 +00:00
christos 3426f2b9a5 select assembler based on ACTIVE_CC 2018-07-16 00:08:12 +00:00
martin f9113cc07d Provide an explicit dependency on heimbase 2018-07-12 11:13:50 +00:00
sevan 0266197a3e Amend whitelisted filesystem paths ssh-agent will look for PKCS11 related
libraries so that things work out of the box with pkgsrc without having to
explicitly whitelist things.

ok christos
2018-07-10 22:12:08 +00:00
martin d9126d9021 Explicit heimbase dependency (similar to other recent MKREPRO fixes) 2018-07-10 13:17:36 +00:00
martin 7afa4d19cf Explicit libheimbase dependency, similar to Christos' change to
libheimntlm/Makefile, hopefully fixing another MKREPRO fallout.
XXX pullup 8
2018-07-06 08:54:30 +00:00
martin ed5800cebe Add explicit path to libwind - patch from Christos, may fix some MKREPRO
fallout. XXX pullup 8
2018-07-06 08:31:43 +00:00
christos 9c2395c2ef Since now we are called from cleanup_exit() make sure that we have a state
to work with. Found by ASAN.
2018-06-24 15:36:31 +00:00
kamil 911756fc6b Do not reference buffer after the code scope {}
rk_getpwuid_r() returns a pointer pwd->pw_dir to a buffer pwbuf[].

It's not safe to store another a copy of pwd->pw_dir in outter scope and
use it out of the scope where there exists pwbuf[].

This fixes a problem reported by ASan under MKSANITIZER.
2018-06-16 18:51:36 +00:00
riastradh 74179ba271 Disable loading XMSS keys by default too.
Nobody should be using XMSS host keys without an explicit decision,
because they're qualitatively different from all other types of host
keys in that they require keeping state.

This also eliminates a harmless but confusing warning that began
after we stopped generating XMSS keys by default.
2018-06-07 15:26:09 +00:00
maxv 9cc33dc2c2 drop __P, suggested by sevan 2018-05-28 20:45:38 +00:00
maxv 02ed4ce0ae drop __P, suggested by sevan 2018-05-28 20:34:45 +00:00
maxv d5ded68d11 fix -Wold-style-definition 2018-05-28 19:52:18 +00:00
maxv a8c2f61e83 Remove ipsec_bindump, there is no prototype, so the function can't be used. 2018-05-28 19:39:21 +00:00
maxv ff1d84b094 fix -Wdiscarded-qualifiers 2018-05-28 19:36:42 +00:00
maxv abcef802a2 fix -Wunused and -Wold-style-definition 2018-05-28 19:22:40 +00:00
christos e1b6c9c92d remove DES_random_key.3 since it is in libdes. 2018-05-24 19:03:47 +00:00
christos 649a6add8b Increase strictness of blacklistd patches to include timeouts, operating
system errors, and pam failures.
2018-05-23 16:04:13 +00:00
christos 2ded5b1a5c rename {MD5,HMAC} to openssl_{MD5,HMAC}. Also add man pages for openssl_MD2
and openssl_MD4 to avoid conflicts with case-preserving but case-insensitive
filesystems and the corresponding libc lower case man pages.
2018-05-23 01:58:40 +00:00
maxv df9d65850f Add a note about FreeBSD. 2018-05-20 09:14:18 +00:00
maxv dc0ca504c7 Update, after ten years. Importantly, add a "History" section, to explain
what's going on.

We have now become "upstream", and most of the ipsec-tools development is
done in NetBSD's CVS. However, many distributions still take their
tarballs from SourceForge (which is defunct, and not maintained).
2018-05-20 08:55:25 +00:00
maxv 4eb599a9b3 Style. 2018-05-20 06:15:45 +00:00
maxv 79383b8281 Remove dead code, and style. 2018-05-19 20:40:40 +00:00
maxv e2ff693411 Remove unused 'error' variables, it's obvious they should have no use. 2018-05-19 20:21:23 +00:00
maxv 165b31ce96 Use strict prototypes, when they don't introduce more warnings than they fix.
Also localify a few functions.
2018-05-19 20:14:56 +00:00
maxv abe88a07be Remove unused labels, functions, and function prototypes. 2018-05-19 19:47:47 +00:00