Commit Graph

3175 Commits

Author SHA1 Message Date
bouyer
b611e603fe Fix ldap: ldap_sasl_bind_s() doens't like a NULL struct berval *, pass
a pointer to a zero'd struct instead.
While there use LDAP_SASL_SIMPLE instead of NULL for mechanism,
and check return of ldap_set_option().
2020-11-25 16:41:39 +00:00
christos
1f569f5e9e Reduce previous 2020-11-25 14:15:41 +00:00
kardel
d2c7ed0706 Fix address advancing for i386 and other 32-bit platforms.
Makes racoon grok IPv6 addresses again on these platforms.
2020-11-25 10:57:11 +00:00
rin
a8c74629f6 Support aarch64eb in */config.guess.
Cherry-picked from upstream:
https://git.savannah.gnu.org/gitweb/?p=config.git;a=commit;h=1c4398015583eb77bc043234f5734be055e64bea

Everything except external/apache2/llvm/dist/llvm/cmake/config.guess
is patched, which is under vendor tag and cannot be modified. I expect
that this file is not actually used as we use hand-crafted version of
configure script instead of cmake for building LLVM.

Note that external/apache2/llvm/autoconf/autoconf/config.guess has
already been committed on Oct. 20, but commit message disappeared as
cvs aborted due to "permission denied" when trying to modify the file
mentioned above. Sorry for confusing you.

Also note that GMP uses its own config.guess Patch for
external/lgpl3/gmp/dist/config.guess is provided by ryo@. Thanks!
2020-11-17 10:35:10 +00:00
christos
ddcfec6c59 eliminate direct use of _res for threaded programs. 2020-11-12 19:43:18 +00:00
wiz
64c690aaaf Sync with netpgpverify-20201101 from pkgsrc (the master for this).
No effective change except for version bump.
2020-11-01 11:29:17 +00:00
rin
9df0660400 Define OPENSSL_NO_EC_NISTP_64_GCC_128 also for aarch64eb.
Fix ssh-keygen(1) on aarch64eb. Also, all tests in tests/crypto pass
with this change.

As martin pointed out when this macro was defined for sparc64,

http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/external/bsd/openssl/include/openssl/opensslconf.h#rev1.5

this code seems broken on LP64BE architectures.

At the moment, mips64eb is not affected since only N32 is supported as
userland. Also, we do not support powerpc64 (eb) yet. But we may need to
take care of them in future.
2020-10-19 12:46:04 +00:00
jhigh
8ab16d0aaa absorb issuer fingerprint (RFC4880bis 5.2.3.28) in libverify.c 2020-10-17 23:08:57 +00:00
jhigh
ce6d35b1c7 allow netpgp to absorb gpg2 subpkt 33 for list/enc/decrypt rsa keys 2020-10-14 05:19:41 +00:00
jakllsch
690eb549db openssl: Define OPENSSL_NO_EC_NISTP_64_GCC_128 for Alpha too
The ecp_nistp521.c code depends on doing unaligned 64-bit accesses,
which the NetBSD/alpha kernel doesn't like to trap and emulate.

fixes PR lib/55701
2020-10-08 16:00:09 +00:00
christos
527b700deb revert previous octal conversion code (broken and not worth it). 2020-10-05 14:34:03 +00:00
simonb
05d9ab5269 Whitespace nit. 2020-10-05 11:29:36 +00:00
christos
68ed46e98d Add BN_oct2bn(3) for factor(6) 2020-10-04 19:32:48 +00:00
mrg
f93ccc75a2 build the 32 bit aesfx-sparcv9.S for sparc64 32 bit comapt libs.
now libcrypto works -m32.
2020-09-15 09:22:32 +00:00
tsutsui
f3129b73c8 Restore a local change for PR/54740 lost during openssl 1.1.1e merge.
syslogd(8) complains "Could not open /dev/crypto: Device not configured"
again when pseudo-device crypto(4) is not configured in a kernel.
 http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c#rev1.5
 http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c#rev1.7

Should be pullued up to netbsd-9.
2020-09-12 09:37:01 +00:00
mrg
302ad48f11 move $VERSION from Makefile.inc into the single Makefile that uses it.
this should do two nice things:
- eliminate "nbsed" missing messages in builds
- slightly speed up the build by removing a few dozen exec sed calls
2020-07-23 07:53:35 +00:00
riastradh
52c1c2aa09 Expand on importance of not using fpu for crypto if there's no fpu. 2020-07-19 15:33:08 +00:00
rin
be3287e65b PR port-powerpc/55425
Update comment; FPU emulation seems to work just fine now. However,
FPU-optimized code should still be avoided for better performance,
if FPU is not present.
2020-07-15 08:14:41 +00:00
rin
9552a516cb Part of PR port-powerpc/55425
openssl fails on FPU emulation for powerpc

When machdep.fpu_present sysctl variable can be retrieved, and
its value is zero, avoid using FPU arithmetic.

FPU is absent and emulated by kernel in that case, and calculation
results are not correct in bit-to-bit precision.

This behavior should be useful even if we could fix FPU emulation;
it is much faster to skip FPU arithmetic in general, rather than
relying upon emulation by kernel via illegal instruction handler.
2020-07-07 01:47:47 +00:00
christos
d17d6789f7 remove unneeded ifdefs 2020-06-22 22:43:56 +00:00
christos
104994135b Always compile in v8 support. 2020-06-22 19:56:36 +00:00
christos
76972ec9cb reduce diff with upstream. we always compile with v8 assembly and
detect at runtime.
2020-06-22 19:55:43 +00:00
christos
f372d530aa use the C version of keccak 2020-06-22 16:34:57 +00:00
christos
9365305b9e regen 2020-06-22 16:26:52 +00:00
christos
20a155e502 Regen and disable keccak asm 2020-06-22 16:26:29 +00:00
christos
388ed38b51 Revert the conditional use of vsx on keccak. Upstream wants to disable it
instead (dot-asm:
So that both assembly modules export SHA3_absorb_vsx... Either way,
it makes lesser sense to deploy vector keccak1600p8-ppc.pl, because
benefits are not that clear. It's only nominally faster than scalar
module on POWER8 but significantly slower on POWER9. Because POWER9
is better equipped to handle non-vector code. On related note,
there is version optimized for little-endian, as well as 32-bit
version. [And since MIPS was mentioned, there is even MIPS module...]
2020-06-22 16:25:08 +00:00
christos
f67c3d4d13 Revert to the upstream version 2020-06-21 22:17:35 +00:00
christos
89e0a7cfa4 Revert to the upstream version, there are no more warnings 2020-06-21 22:16:53 +00:00
christos
2247b70a62 regen 2020-06-21 22:16:16 +00:00
christos
839917e6b8 Re-enable the v9 testing and assembly 2020-06-21 22:16:08 +00:00
christos
6d97491368 fix pasto (noted by Viktor Duchovny) 2020-06-17 03:22:06 +00:00
christos
2f0bfbf344 Rename blacklist -> blocklist 2020-06-15 01:57:29 +00:00
christos
481219a259 fix wrong size addition (Andrew Cagney)
XXX: This file is nearly identical with /usr/src/sys/netipsec/key_debug.c
and should be merged.
2020-06-05 15:19:08 +00:00
christos
91395abedd delete previous and fix bug instead. 2020-05-29 12:15:30 +00:00
christos
bdbda1b005 Fix printf format error. 2020-05-29 12:14:49 +00:00
kamil
27054a0c3f Specify -Wno-format-nonlitera for scp.c (OpenSSH)
Fixes build with Clang/LLVM.
2020-05-29 10:01:23 +00:00
christos
8db691be90 Merge conflicts 2020-05-28 17:05:49 +00:00
christos
c7b0de4713 OpenSSH 8.3 was released on 2020-05-27. It is available from the
mirrors listed at https://www.openssh.com/.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The ssh-ed25519 signature algorithm. It has been supported in
   OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

A future release of OpenSSH will enable UpdateHostKeys by default
to allow the client to automatically migrate to better algorithms.
Users may consider enabling this option manually. Vendors of devices
that implement the SSH protocol should ensure that they support the
new signature algorithms for RSA keys.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

Security
========

 * scp(1): when receiving files, scp(1) could be become desynchronised
   if a utimes(2) system call failed. This could allow file contents
   to be interpreted as file metadata and thereby permit an adversary
   to craft a file system that, when copied with scp(1) in a
   configuration that caused utimes(2) to fail (e.g. under a SELinux
   policy or syscall sandbox), transferred different file names and
   contents to the actual file system layout.

   Exploitation of this is not likely as utimes(2) does not fail under
   normal circumstances. Successful exploitation is not silent - the
   output of scp(1) would show transfer errors followed by the actual
   file(s) that were received.

   Finally, filenames returned from the peer are (since openssh-8.0)
   matched against the user's requested destination, thereby
   disallowing a successful exploit from writing files outside the
   user's selected target glob (or directory, in the case of a
   recursive transfer). This ensures that this attack can achieve no
   more than a hostile peer is already able to achieve within the scp
   protocol.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * sftp(1): reject an argument of "-1" in the same way as ssh(1) and
   scp(1) do instead of accepting and silently ignoring it.

Changes since OpenSSH 8.2
=========================

The focus of this release is bug fixing.

New Features
------------

 * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
   rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
   to allow .shosts files but not .rhosts.

 * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
   sshd_config, not just before any Match blocks; bz3148

 * ssh(1): add %TOKEN percent expansion for the LocalFoward and
   RemoteForward keywords when used for Unix domain socket forwarding.
   bz#3014

 * all: allow loading public keys from the unencrypted envelope of a
   private key file if no corresponding public key file is present.

 * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
   possible instead of the (slower) portable C implementation included
   in OpenSSH.

 * ssh-keygen(1): add ability to dump the contents of a binary key
   revocation list via "ssh-keygen -lQf /path" bz#3132

Bugfixes
--------

 * ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
   a PKCS11Provider; bz#3141

 * ssh-keygen(1): avoid NULL dereference when trying to convert an
   invalid RFC4716 private key.

 * scp(1): when performing remote-to-remote copies using "scp -3",
   start the second ssh(1) channel with BatchMode=yes enabled to
   avoid confusing and non-deterministic ordering of prompts.

 * ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
   perform hashing of the message to be signed in the middleware layer
   rather than in OpenSSH code. This permits the use of security key
   middlewares that perform the hashing implicitly, such as Windows
   Hello.

 * ssh(1): fix incorrect error message for "too many known hosts
   files." bz#3149

 * ssh(1): make failures when establishing "Tunnel" forwarding
   terminate the connection when ExitOnForwardFailure is enabled;
   bz#3116

 * ssh-keygen(1): fix printing of fingerprints on private keys and add
   a regression test for same.

 * sshd(8): document order of checking AuthorizedKeysFile (first) and
   AuthorizedKeysCommand (subsequently, if the file doesn't match);
   bz#3134

 * sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are
   not considered for HostbasedAuthentication when the target user is
   root; bz#3148

 * ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
   key parsing (oss-fuzz #20074).

 * ssh(1), sshd(8): more consistency between sets of %TOKENS are
   accepted in various configuration options.

 * ssh(1), ssh-keygen(1): improve error messages for some common
   PKCS#11 C_Login failure cases; bz#3130

 * ssh(1), sshd(8): make error messages for problems during SSH banner
   exchange consistent with other SSH transport-layer error messages
   and ensure they include the relevant IP addresses bz#3129

 * various: fix a number of spelling errors in comments and debug/error
   messages

 * ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys
   from a token, don't prompt for a PIN until the token has told us
   that it needs one. Avoids double-prompting on devices that
   implement on-device authentication.

 * sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
   should be an extension, not a critical option.

 * ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message
   when trying to use a FIDO key function and SecurityKeyProvider is
   empty.

 * ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within
   the values allowed by the wire format (u32). Prevents integer
   wraparound of the timeout values. bz#3119

 * ssh(1): detect and prevent trivial configuration loops when using
    ProxyJump. bz#3057.

Portability
-----------

 * Detect systems where signals flagged with SA_RESTART will interrupt
   select(2). POSIX permits implementations to choose whether
   select(2) will return when interrupted with a SA_RESTART-flagged
   signal, but OpenSSH requires interrupting behaviour.

 * Several compilation fixes for HP/UX and AIX.

 * On platforms that do not support setting process-wide routing
   domains (all excepting OpenBSD at present), fail to accept a
   configuration attempts to set one at process start time rather than
   fatally erroring at run time. bz#3126

 * Improve detection of egrep (used in regression tests) on platforms
   that offer a poor default one (e.g. Solaris).

 * A number of shell portability fixes for the regression tests.

 * Fix theoretical infinite loop in the glob(3) replacement
   implementation.

 * Fix seccomp sandbox compilation problems for some Linux
   configurations bz#3085

 * Improved detection of libfido2 and some compilation fixes for some
   configurations when --with-security-key-builtin is selected.
2020-05-28 17:02:58 +00:00
msaitoh
8012ca3f0e Remove extra semicolon. 2020-05-14 08:34:17 +00:00
christos
cb15ac971c - in script mode always output errors to stderr prefixed by the program name.
- in command mode always output errors to stdout not prefixed " " "
- perror(3) -> warn(3)
2020-05-12 16:17:58 +00:00
christos
b11fb1d040 Keep track of the filename to print in error messages.
Change quoting of error string from [] to `'.
2020-05-12 14:29:06 +00:00
christos
95c1f4af32 prefix errors with the program name and use stderr. 2020-05-10 19:54:49 +00:00
nia
866a00cd61 Define OPENSSL_CPUID_OBJ in general CPPFLAGS instead of CRYPTOCPPFLAGS
This is used in various parts of the distribution, defining it here
avoids future problems with CPU-specific features not being detected.
2020-05-09 13:16:41 +00:00
nia
bd2e44e0b4 Ensure that -DOPENSSL_CPUID_OBJ is passed when compiling AES EVP bits
This way CPUs that support AES-NI actually get detected properly ;_;

(... just one part of the puzzle)
2020-05-09 12:20:50 +00:00
agc
472564b29d Bring over changes from source of truth in pkgsrc - bump version to 20200503
Update netpgpverify and libnetpgpverify to version 20200503

	ensure all exported functions use a unique prfix, so that they don't
	conflict with symbols (both data and text) in libcrypto. this works for
	statically linked binaries and libraries, rather then the version map which
	only works for dynalically-linked.
2020-05-04 00:18:34 +00:00
christos
6fc1bc48bc Add a linker map to hide all the symbols the this library accidentally
exported. In particular the following symbols:

DSA_SIG_free
DSA_SIG_new
DSA_do_sign
DSA_do_verify
DSA_free
DSA_new
DSA_size
RSA_check_key
RSA_free
RSA_generate_key
RSA_new
RSA_private_decrypt
RSA_private_encrypt
RSA_public_decrypt
RSA_public_encrypt

conflict with libcrypto and break pkg_add which links against both
libraries.
2020-05-03 21:46:37 +00:00
nia
951b888a45 Fix the detection of KERN_ARND by OpenSSL.
Firstly, include the correct headers. Then, make sure that requests
never exceed 256 bytes.

Disable a hack for old FreeBSD versions, just in case it actually gets
used.

This should mean that OpenSSL doesn't ever fall back to reading from
/dev/urandom.

XXX pullup, XXX upstream.
2020-04-30 10:59:02 +00:00
christos
cd7cff00f7 merge conflicts 2020-04-24 19:37:09 +00:00
christos
a7640a27fb Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
*) Fixed segmentation fault in SSL_check_chain()
     Server or client applications that call the SSL_check_chain() function
     during or after a TLS 1.3 handshake may crash due to a NULL pointer
     dereference as a result of incorrect handling of the
     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
     or unrecognised signature algorithm is received from the peer. This could
     be exploited by a malicious peer in a Denial of Service attack.
     (CVE-2020-1967)
     [Benjamin Kaduk]

  *) Added AES consttime code for no-asm configurations
     an optional constant time support for AES was added
     when building openssl for no-asm.
     Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
     Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
     At this time this feature is by default disabled.
     It will be enabled by default in 3.0.
     [Bernd Edlinger]
2020-04-24 19:34:15 +00:00
jhigh
3fba244ae4 added blowfish symmetric cipher per RFC4880 9.2 2020-04-18 19:27:48 +00:00