Commit Graph

3143 Commits

Author SHA1 Message Date
christos 481219a259 fix wrong size addition (Andrew Cagney)
XXX: This file is nearly identical with /usr/src/sys/netipsec/key_debug.c
and should be merged.
2020-06-05 15:19:08 +00:00
christos 91395abedd delete previous and fix bug instead. 2020-05-29 12:15:30 +00:00
christos bdbda1b005 Fix printf format error. 2020-05-29 12:14:49 +00:00
kamil 27054a0c3f Specify -Wno-format-nonlitera for scp.c (OpenSSH)
Fixes build with Clang/LLVM.
2020-05-29 10:01:23 +00:00
christos 8db691be90 Merge conflicts 2020-05-28 17:05:49 +00:00
christos c7b0de4713 OpenSSH 8.3 was released on 2020-05-27. It is available from the
mirrors listed at https://www.openssh.com/.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The ssh-ed25519 signature algorithm. It has been supported in
   OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

A future release of OpenSSH will enable UpdateHostKeys by default
to allow the client to automatically migrate to better algorithms.
Users may consider enabling this option manually. Vendors of devices
that implement the SSH protocol should ensure that they support the
new signature algorithms for RSA keys.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

Security
========

 * scp(1): when receiving files, scp(1) could be become desynchronised
   if a utimes(2) system call failed. This could allow file contents
   to be interpreted as file metadata and thereby permit an adversary
   to craft a file system that, when copied with scp(1) in a
   configuration that caused utimes(2) to fail (e.g. under a SELinux
   policy or syscall sandbox), transferred different file names and
   contents to the actual file system layout.

   Exploitation of this is not likely as utimes(2) does not fail under
   normal circumstances. Successful exploitation is not silent - the
   output of scp(1) would show transfer errors followed by the actual
   file(s) that were received.

   Finally, filenames returned from the peer are (since openssh-8.0)
   matched against the user's requested destination, thereby
   disallowing a successful exploit from writing files outside the
   user's selected target glob (or directory, in the case of a
   recursive transfer). This ensures that this attack can achieve no
   more than a hostile peer is already able to achieve within the scp
   protocol.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * sftp(1): reject an argument of "-1" in the same way as ssh(1) and
   scp(1) do instead of accepting and silently ignoring it.

Changes since OpenSSH 8.2
=========================

The focus of this release is bug fixing.

New Features
------------

 * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
   rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
   to allow .shosts files but not .rhosts.

 * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
   sshd_config, not just before any Match blocks; bz3148

 * ssh(1): add %TOKEN percent expansion for the LocalFoward and
   RemoteForward keywords when used for Unix domain socket forwarding.
   bz#3014

 * all: allow loading public keys from the unencrypted envelope of a
   private key file if no corresponding public key file is present.

 * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
   possible instead of the (slower) portable C implementation included
   in OpenSSH.

 * ssh-keygen(1): add ability to dump the contents of a binary key
   revocation list via "ssh-keygen -lQf /path" bz#3132

Bugfixes
--------

 * ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
   a PKCS11Provider; bz#3141

 * ssh-keygen(1): avoid NULL dereference when trying to convert an
   invalid RFC4716 private key.

 * scp(1): when performing remote-to-remote copies using "scp -3",
   start the second ssh(1) channel with BatchMode=yes enabled to
   avoid confusing and non-deterministic ordering of prompts.

 * ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
   perform hashing of the message to be signed in the middleware layer
   rather than in OpenSSH code. This permits the use of security key
   middlewares that perform the hashing implicitly, such as Windows
   Hello.

 * ssh(1): fix incorrect error message for "too many known hosts
   files." bz#3149

 * ssh(1): make failures when establishing "Tunnel" forwarding
   terminate the connection when ExitOnForwardFailure is enabled;
   bz#3116

 * ssh-keygen(1): fix printing of fingerprints on private keys and add
   a regression test for same.

 * sshd(8): document order of checking AuthorizedKeysFile (first) and
   AuthorizedKeysCommand (subsequently, if the file doesn't match);
   bz#3134

 * sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are
   not considered for HostbasedAuthentication when the target user is
   root; bz#3148

 * ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
   key parsing (oss-fuzz #20074).

 * ssh(1), sshd(8): more consistency between sets of %TOKENS are
   accepted in various configuration options.

 * ssh(1), ssh-keygen(1): improve error messages for some common
   PKCS#11 C_Login failure cases; bz#3130

 * ssh(1), sshd(8): make error messages for problems during SSH banner
   exchange consistent with other SSH transport-layer error messages
   and ensure they include the relevant IP addresses bz#3129

 * various: fix a number of spelling errors in comments and debug/error
   messages

 * ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys
   from a token, don't prompt for a PIN until the token has told us
   that it needs one. Avoids double-prompting on devices that
   implement on-device authentication.

 * sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
   should be an extension, not a critical option.

 * ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message
   when trying to use a FIDO key function and SecurityKeyProvider is
   empty.

 * ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within
   the values allowed by the wire format (u32). Prevents integer
   wraparound of the timeout values. bz#3119

 * ssh(1): detect and prevent trivial configuration loops when using
    ProxyJump. bz#3057.

Portability
-----------

 * Detect systems where signals flagged with SA_RESTART will interrupt
   select(2). POSIX permits implementations to choose whether
   select(2) will return when interrupted with a SA_RESTART-flagged
   signal, but OpenSSH requires interrupting behaviour.

 * Several compilation fixes for HP/UX and AIX.

 * On platforms that do not support setting process-wide routing
   domains (all excepting OpenBSD at present), fail to accept a
   configuration attempts to set one at process start time rather than
   fatally erroring at run time. bz#3126

 * Improve detection of egrep (used in regression tests) on platforms
   that offer a poor default one (e.g. Solaris).

 * A number of shell portability fixes for the regression tests.

 * Fix theoretical infinite loop in the glob(3) replacement
   implementation.

 * Fix seccomp sandbox compilation problems for some Linux
   configurations bz#3085

 * Improved detection of libfido2 and some compilation fixes for some
   configurations when --with-security-key-builtin is selected.
2020-05-28 17:02:58 +00:00
msaitoh 8012ca3f0e Remove extra semicolon. 2020-05-14 08:34:17 +00:00
christos cb15ac971c - in script mode always output errors to stderr prefixed by the program name.
- in command mode always output errors to stdout not prefixed " " "
- perror(3) -> warn(3)
2020-05-12 16:17:58 +00:00
christos b11fb1d040 Keep track of the filename to print in error messages.
Change quoting of error string from [] to `'.
2020-05-12 14:29:06 +00:00
christos 95c1f4af32 prefix errors with the program name and use stderr. 2020-05-10 19:54:49 +00:00
nia 866a00cd61 Define OPENSSL_CPUID_OBJ in general CPPFLAGS instead of CRYPTOCPPFLAGS
This is used in various parts of the distribution, defining it here
avoids future problems with CPU-specific features not being detected.
2020-05-09 13:16:41 +00:00
nia bd2e44e0b4 Ensure that -DOPENSSL_CPUID_OBJ is passed when compiling AES EVP bits
This way CPUs that support AES-NI actually get detected properly ;_;

(... just one part of the puzzle)
2020-05-09 12:20:50 +00:00
agc 472564b29d Bring over changes from source of truth in pkgsrc - bump version to 20200503
Update netpgpverify and libnetpgpverify to version 20200503

	ensure all exported functions use a unique prfix, so that they don't
	conflict with symbols (both data and text) in libcrypto. this works for
	statically linked binaries and libraries, rather then the version map which
	only works for dynalically-linked.
2020-05-04 00:18:34 +00:00
christos 6fc1bc48bc Add a linker map to hide all the symbols the this library accidentally
exported. In particular the following symbols:

DSA_SIG_free
DSA_SIG_new
DSA_do_sign
DSA_do_verify
DSA_free
DSA_new
DSA_size
RSA_check_key
RSA_free
RSA_generate_key
RSA_new
RSA_private_decrypt
RSA_private_encrypt
RSA_public_decrypt
RSA_public_encrypt

conflict with libcrypto and break pkg_add which links against both
libraries.
2020-05-03 21:46:37 +00:00
nia 951b888a45 Fix the detection of KERN_ARND by OpenSSL.
Firstly, include the correct headers. Then, make sure that requests
never exceed 256 bytes.

Disable a hack for old FreeBSD versions, just in case it actually gets
used.

This should mean that OpenSSL doesn't ever fall back to reading from
/dev/urandom.

XXX pullup, XXX upstream.
2020-04-30 10:59:02 +00:00
christos cd7cff00f7 merge conflicts 2020-04-24 19:37:09 +00:00
christos a7640a27fb Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
*) Fixed segmentation fault in SSL_check_chain()
     Server or client applications that call the SSL_check_chain() function
     during or after a TLS 1.3 handshake may crash due to a NULL pointer
     dereference as a result of incorrect handling of the
     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
     or unrecognised signature algorithm is received from the peer. This could
     be exploited by a malicious peer in a Denial of Service attack.
     (CVE-2020-1967)
     [Benjamin Kaduk]

  *) Added AES consttime code for no-asm configurations
     an optional constant time support for AES was added
     when building openssl for no-asm.
     Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
     Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
     At this time this feature is by default disabled.
     It will be enabled by default in 3.0.
     [Bernd Edlinger]
2020-04-24 19:34:15 +00:00
jhigh 3fba244ae4 added blowfish symmetric cipher per RFC4880 9.2 2020-04-18 19:27:48 +00:00
christos 92970ed163 Switch sha3 to the assembly version (fix the build) 2020-04-15 21:29:28 +00:00
christos 1712f82d5c We can only use the SHA3 assembly routines if we have VSX 2020-04-11 22:41:06 +00:00
christos 84a88c1152 merge conflicts 2020-04-05 21:53:44 +00:00
christos cbd0443d58 Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
*) Revert the change of EOF detection while reading in libssl to avoid
     regressions in applications depending on the current way of reporting
     the EOF. As the existing method is not fully accurate the change to
     reporting the EOF via SSL_ERROR_SSL is kept on the current development
     branch and will be present in the 3.0 release.
     [Tomas Mraz]

  *) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
     when primes for RSA keys are computed.
     Since we previously always generated primes == 2 (mod 3) for RSA keys,
     the 2-prime and 3-prime RSA modules were easy to distinguish, since
     N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
     2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
     This avoids possible fingerprinting of newly generated RSA modules.
     [Bernd Edlinger]
2020-04-05 21:50:44 +00:00
christos abd445f9f1 restore previous unsigned change. 2020-03-29 14:58:22 +00:00
joerg b328a94938 Fix format string usage. 2020-03-23 22:21:34 +00:00
christos 7826a661ac reduce diff with upstream 2020-03-22 20:13:15 +00:00
christos 59ca9d0b73 reduce diff with upstream. 2020-03-22 20:09:17 +00:00
christos 2eb1e87a4e eliminate diff with upstream. 2020-03-22 20:07:05 +00:00
christos c0b5e3e6b8 put back removed code 2020-03-22 20:05:29 +00:00
christos 3f4f058346 add back missing goto; 2020-03-22 20:01:48 +00:00
christos 314235bf3d always use fdin 2020-03-22 19:56:07 +00:00
christos 8c273a821d cryptlib header moved 2020-03-22 17:35:29 +00:00
christos 3f8590da2c Add more casts. 2020-03-22 02:30:15 +00:00
christos a6fb1bf611 remove defines now defined in crypto/dso_conf.h 2020-03-22 00:54:03 +00:00
christos 52629741cc merge conflicts 2020-03-22 00:53:02 +00:00
christos 7d0047200d Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
*) Properly detect EOF while reading in libssl. Previously if we hit an EOF
     while reading in libssl then we would report an error back to the
     application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
     an error to the stack (which means we instead return SSL_ERROR_SSL) and
     therefore give a hint as to what went wrong.
     [Matt Caswell]

  *) Check that ed25519 and ed448 are allowed by the security level. Previously
     signature algorithms not using an MD were not being checked that they were
     allowed by the security level.
     [Kurt Roeckx]

  *) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
     was not quite right. The behaviour was not consistent between resumption
     and normal handshakes, and also not quite consistent with historical
     behaviour. The behaviour in various scenarios has been clarified and
     it has been updated to make it match historical behaviour as closely as
     possible.
     [Matt Caswell]

  *) [VMS only] The header files that the VMS compilers include automatically,
     __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
     the C++ compiler doesn't understand.  This is a shortcoming in the
     compiler, but can be worked around with __cplusplus guards.

     C++ applications that use OpenSSL libraries must be compiled using the
     qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
     functions.  Otherwise, only functions with symbols of less than 31
     characters can be used, as the linker will not be able to successfully
     resolve symbols with longer names.
     [Richard Levitte]

  *) Corrected the documentation of the return values from the EVP_DigestSign*
     set of functions.  The documentation mentioned negative values for some
     errors, but this was never the case, so the mention of negative values
     was removed.

     Code that followed the documentation and thereby check with something
     like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
     [Richard Levitte]

  *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
     used in exponentiation with 512-bit moduli. No EC algorithms are
     affected. Analysis suggests that attacks against 2-prime RSA1024,
     3-prime RSA1536, and DSA1024 as a result of this defect would be very
     difficult to perform and are not believed likely. Attacks against DH512
     are considered just feasible. However, for an attack the target would
     have to re-use the DH512 private key, which is not recommended anyway.
     Also applications directly using the low level API BN_mod_exp may be
     affected if they use BN_FLG_CONSTTIME.
     (CVE-2019-1551)
     [Andy Polyakov]

  *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
     The presence of this system service is determined at run-time.
     [Richard Levitte]

  *) Added newline escaping functionality to a filename when using openssl dgst.
     This output format is to replicate the output format found in the '*sum'
     checksum programs. This aims to preserve backward compatibility.
     [Matt Eaton, Richard Levitte, and Paul Dale]

  *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
     the first value.
     [Jon Spillett]
2020-03-22 00:49:02 +00:00
jhigh a91379283f cleanly fail initialization on empty keyring 2020-03-21 01:07:21 +00:00
christos f2a5b71abf Add a libm dependency 2020-03-04 17:30:40 +00:00
christos baa64ea854 Enable ssh-sk-helper 2020-03-03 00:43:20 +00:00
christos 30f9a377b9 Enable compression 2020-03-02 15:23:17 +00:00
christos a2362fee00 Redo the sshsk_sign() stuff properly, but putting the helper in libssh.so 2020-03-01 20:59:52 +00:00
christos 01bcaf9378 fix a sign-compare issue (for the pam module) 2020-03-01 14:51:06 +00:00
kim b7528a1009 Sync with OpenSSH 8.2p1 sample configs
- Add GSSAPIAuthentication and related options
- Add KerberosAuthentication and related options
- Bring in the lengthy but useful comment block about
  the side-effect of UsePAM with regards to PermitRootLogin.
2020-03-01 08:21:38 +00:00
mgorny 445aa34b1d Workaround build failure due to -Werror=format-nonliteral
Reviewed by kamil.
2020-02-29 20:44:15 +00:00
thorpej 3f10cc736d earmv5 / earmv5eb is a valid MACHINE_ARCH, so match it when
setting __ARM_MAX_ARCH__.
2020-02-29 17:14:40 +00:00
tnn 5b19b2d2d5 annotate xvasprintf w/ format string attribute 2020-02-29 14:03:17 +00:00
kim 648e402b3e Remove unreferenced SSH_RELEASE 2020-02-28 17:50:29 +00:00
kim cbed902728 Fix duplicate entries in the keywords list. 2020-02-28 17:27:34 +00:00
kim 18db4c45f2 Cleanup
- Match the case of the UsePAM keyword used in the manual page and code,
  to aid case-sensitive grep etc.
- Remove references to obsole UseLogin and UsePrivilegeSeparation keywords.
- Whitespace police
2020-02-28 10:59:58 +00:00
kim cbc2c8ca59 Move NetBSD.org-specific entry above the match-all entry
The first matching entry that sets an option "wins." Therefore more
specific matches should be provided before the "Host *" entry that
matches everything. This way options set in the more specific entry will
not be accidentally made ineffective by the match-all entry.
2020-02-28 10:41:48 +00:00
christos 8ae8526a32 fix date 2020-02-27 00:27:44 +00:00