Commit Graph

1322 Commits

Author SHA1 Message Date
Li-Wen Hsu
dab59af3bc
Canonicalize the name of the FreeBSD Foundation
Reviewed by:	emaste
Sponsored by:	The FreeBSD Foundation
2024-10-24 05:03:07 +08:00
Gordon Tetlow
cab90be6a5
openssl: Remove the specific version numbers from the instructions. 2024-09-08 09:45:31 -07:00
Enji Cooper
cc717b574d Update config/build info for OpenSSL 3.0.15
This is a companion commit to the OpenSSL 3.0.15 update.

`opensslv.h` was regenerated via the following process:

```
cd crypto/openssl
./config
git reset --hard
gmake include/openssl/opensslv.h
```

`Makefile.inc` has been updated to match.

MFC after:	1 week
MFC with:	a7148ab39c
Differential Revision:	https://reviews.freebsd.org/D46603
2024-09-07 21:34:18 -07:00
Enji Cooper
a7148ab39c openssl: Import OpenSSL 3.0.15.
This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

Co-authored-by:	gordon
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D46602

Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'
2024-09-07 21:31:22 -07:00
Gordon Tetlow
4086a0635d
openssl: Update upgrade instructions.
Update download locations.
Remove references to FREEBSD-Xlist.
Remove reference to the fips module that has been removed.
2024-09-07 23:45:05 +00:00
Gordon Tetlow
108164cf95
openssl: Import OpenSSL 3.0.15.
This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html
2024-09-03 20:56:17 -07:00
Gordon Tetlow
fbd465f263
openssl: Bring over fix for CVE-2024-6119 from vendor/openssl-3.0.
Merge commit 'e60dbfd00b009d424dfc5446d132872c93dd0aed'
2024-09-03 09:49:23 -07:00
Viktor Dukhovni
e60dbfd00b
Avoid type errors in EAI-related name check logic.
The incorrectly typed data is read only, used in a compare operation, so
neither remote code execution, nor memory content disclosure were possible.
However, applications performing certificate name checks were vulnerable to
denial of service.

The GENERAL_TYPE data type is a union, and we must take care to access the
correct member, based on `gen->type`, not all the member fields have the same
structure, and a segfault is possible if the wrong member field is read.

The code in question was lightly refactored with the intent to make it more
obviously correct.

CVE-2024-6119

(cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1)
2024-09-01 15:50:31 -07:00
Ed Maste
3d3bae9b95 sshd: bump VersionAddendum for 2739a68450
Reported by: markj
Fixes: 2739a68450 ("sshd: remove blacklist call from grace_alarm_...")
Sponsored by: The FreeBSD Foundation
2024-08-06 15:23:33 -04:00
Ed Maste
2739a68450 sshd: remove blacklist call from grace_alarm_timer
Under certain circumstances it may call log(3), which is not async-
signal-safe.

For now just remove the blacklist integration from this path, which
means that blacklistd will not detect and firewall hosts that establish
a connection but do nothing further.

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46203
2024-08-06 15:14:00 -04:00
Dimitry Andric
6f25b46721 Fix enum warning in heimdal
This fixes a clang 19 warning:

crypto/heimdal/lib/krb5/deprecated.c:75:17: error: comparison of different enumeration types ('krb5_keytype' (aka 'enum ENCTYPE') and 'enum krb5_keytype_old') [-Werror,-Wenum-compare]
   75 |     if (keytype != KEYTYPE_DES || context->etypes_des == NULL)
      |         ~~~~~~~ ^  ~~~~~~~~~~~

In https://github.com/heimdal/heimdal/commit/3bebbe5323 this was solved
by adding a cast. That commit is rather large, so I'm only applying the
one-liner here.

MFC after:	3 days
2024-07-30 21:24:17 +02:00
John Baldwin
0244e0a177 openssl: Add <sys/random.h> include for getrandom()
GCC 14 (but not earlier versions) warns about a missing prototype
for getrandom().  Include <sys/random.h> explicitly to bring in the
prototype rather than depending on a nested include.  While here,
stop defining sysctl_random() since it is no longer used.

Reviewed by:	brooks
Fixes:		838b6caaba openssl: use getrandom(2) instead of probing for getentropy(2)
Differential Revision:	https://reviews.freebsd.org/D45995
2024-07-29 16:38:49 -04:00
Kyle Evans
838b6caaba openssl: use getrandom(2) instead of probing for getentropy(2)
The probing for getentropy(2) relies on re-declaring getentropy(2)
as weak and checking the address, but this is incompatible with
the _FORTIFY_SOURCE symbol renaming scheme.  It's always present on
all supported FreeBSD versions now so we could cut it down to
unconditional use, but there's another segment for getrandom(2)
already that's cleaner to just add us to.

We should upstream this.

Reviewed by:	kib (earlier version), markj
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D45976
2024-07-16 00:12:27 -05:00
Warner Losh
e9ac41698b Remove residual blank line at start of Makefile
This is a residual of the $FreeBSD$ removal.

MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix
2024-07-15 16:43:39 -06:00
Ed Maste
b81424adf7 OpenSSH: correct logic error in ObscureKeystrokeTiming
Cherry-pick fix:
upstream: when sending ObscureKeystrokeTiming chaff packets, we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@

OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136

Obtained from:	openssh-portable 146c420d29d0
Reviewed by:	gordon
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45823
2024-07-05 09:16:40 -04:00
Ed Maste
94416c6939 openssh: use '' instead of `' in config.h
Autoconf 2.72 uses '' rather tha `' in comments in config.h, from
autoconf commit 64df9b4523fe ("Autoconf now quotes 'like this' instead
of `like this'").

Switch quoting style now to minimize diffs on the next OpenSSH update
and config.h regen.

Reviewed by:	gordon, philip
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45840
2024-07-03 14:22:50 -04:00
Philip Paeps
2abea9df01 openssh: Fix pre-authentication remote code execution in sshd.
Reported by:	Qualys Threat Research Unit (TRU)
Approved by:	so
Security:	FreeBSD-SA-24:04.openssh
Security:	CVE-2024-6387
2024-07-01 16:20:01 +08:00
Enji Cooper
303596eac3 Update config/build info for OpenSSL
This is a companion commit to the OpenSSL 3.0.14 update.

MFC after:      3 days
MFC with:       44096ebd22
2024-06-26 16:51:25 -07:00
Enji Cooper
44096ebd22 Update to OpenSSL 3.0.14
This release resolves 3 upstream found CVEs:
- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)

MFC after:	3 days
Merge commit '1070e7dca8223387baf5155524b28f62bfe7da3c'
2024-06-26 16:50:13 -07:00
Enji Cooper
1070e7dca8 Import OpenSSL 3.0.14
This release resolves 3 upstream found CVEs:
- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
2024-06-20 16:24:17 -07:00
Warner Losh
a8fe2d331b posix_async: FreeBSD also defines {make|swap|get|set}context
FreeBSD also defines {make|swap|get|set}context for backward
compatibility, despite also exposing POSIX_VERSION 200809L in FreeBSD
15-current.

FreeBSD has defined these interfaces since FreeBSD 4.7, released over 20
years ago, so no further nuance in FreeBSD version number is necessary.

Pull Request:		https://github.com/openssl/openssl/pull/23885
Sponsored by:		Netflix
2024-05-31 10:53:39 -06:00
Cy Schubert
a0d7d68a2d heimdal: Fix compiling hdb ldap as a module
Fix build when WITH_OPENLDAP defined.

PR:		278430
Obtained from:	Upstream c1c7da7f79
2024-04-23 22:54:20 -07:00
Enji Cooper
572948d00d Revert "OpenSSL: use the upstream provided version.map files for the fips/legacy providers"
This change is still under review and should not have been merged
directly to main (yet).

This is a case and point for using `push.default` to nothing instead of
matching or simple.

This reverts commit 42ce242e35.
2024-04-21 09:58:31 -07:00
Enji Cooper
42ce242e35 OpenSSL: use the upstream provided version.map files for the fips/legacy providers
This change introduces a static copy of the fips and legacy linker version maps
generated by the OpenSSL 3.0.13 build process.

This unbreaks the fips and legacy providers by not exposing unnecessary
symbols from the fips/legacy provider shared objects shared with other
providers (base, default) and libcrypto.

More discussion:

Prior to this change, loading the fips provider indirectly from a
FreeBSD 14.0-CURRENT and 15.0-CURRENT host would result in a
process-wide deadlock when invoking select OpenSSL APIs
(CONF_modules_load* in this particular example).

Speaking with the upstream maintainers [1], it became obvious that
the FreeBSD base system was incorrectly building/linking the fips
provider, resulting in a symbol collision at runtime, and thus a
process-wide deadlock in specific circumstances. The fips provider
would deadlock when trying to acquire a write lock on internal
structures which should have only been available to the base and
default providers, as certain preprocessor ifdefs only allow specific
internal calls to be made with the base and default providers.

1. https://github.com/openssl/openssl/issues/24202

Differential Revision:	https://reviews.freebsd.org/D44892
2024-04-21 09:35:19 -07:00
Dimitry Andric
219b6e4423 heimdal: asn1: Use unsigned bitfields for named bitsets
Import upstream 6747e1628:

  asn1: Use unsigned bitfields for named bitsets

  Signed 1-bit bitfields are undefined in C.

This should fix the following warnings, which for unknown reasons are
errors in CI:

  /usr/src/crypto/heimdal/lib/hx509/ca.c:1020:22: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
   1020 |         ku.digitalSignature = 1;
        |                             ^ ~
  /usr/src/crypto/heimdal/lib/hx509/ca.c:1021:21: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
   1021 |         ku.keyEncipherment = 1;
        |                            ^ ~
  /usr/src/crypto/heimdal/lib/hx509/ca.c:1028:17: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
   1028 |         ku.keyCertSign = 1;
        |                        ^ ~
  /usr/src/crypto/heimdal/lib/hx509/ca.c:1029:13: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
   1029 |         ku.cRLSign = 1;
        |                    ^ ~

PR:		276960
Fixes:		1b74875929
MFC after:	1 week
2024-04-17 19:49:30 +02:00
Dimitry Andric
1b74875929 heimdal: Add 64-bit integer support to ASN.1 compiler
Import upstream 19d378f44:

  ASN.1 INTEGERs will now compile to C int64_t or uint64_t, depending
  on whether the constraint ranges include numbers that cannot be
  represented in 32-bit ints and whether they include negative
  numbers.

  Template backend support included.  check-template is now built with
  --template, so we know we're testing it.

  Tests included.

Also adjusts the generated files:
* asn1parse.c, asn1parse.h (not strictly necessary, but nice to have)
* der-protos.h, which needs a bunch of new prototypes. I copied these
  from a der-protos.h generated by the upstream build system, which
  uses a perl script for this.
* adjust printf format strings for int64_t. Upstream uses %lld for this,
  but that is not portable, and leads to lots of -Werror warnings.

This should fix target-dependent differences between headers generated
by asn1_compile. For example, when cross compiling world from amd64 to
i386, the generated cms_asn1.h header has:

  CMSRC2CBCParameter ::= SEQUENCE {
    rc2ParameterVersion   INTEGER (0..-1),
    iv                    OCTET STRING,
  }

while a native build on i386 has:

  CMSRC2CBCParameter ::= SEQUENCE {
    rc2ParameterVersion   INTEGER (0..2147483647),
    iv                    OCTET STRING,
  }

These are _both_ wrong, since the source file, cms.asn1, has:

  CMSRC2CBCParameter ::= SEQUENCE {
          rc2ParameterVersion   INTEGER (0..4294967295),
          iv                    OCTET STRING -- exactly 8 octets
  }

PR:		276960
Reviewed by:	cy, emaste
MFC after:	1 week
Differential Revision: https://reviews.freebsd.org/D44814
Differential Revision: https://reviews.freebsd.org/D44815
2024-04-17 18:12:43 +02:00
Ed Maste
e600fc7295 ssh: remove deprecated client VersionAddendum
Support for a client VersionAddendum was removed in bffe60ead0, but
the option was retained (as oDeprecated) as a transition aid.
Sufficient time has passed that it can be removed.

Sponsored by:	The FreeBSD Foundation
2024-03-18 10:20:18 -04:00
Ed Maste
a91a246563 ssh: Update to OpenSSH 9.7p1
This release contains mostly bugfixes.

It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year and remove
support entirely in 2025.

Full release notes at https://www.openssh.com/txt/release-9.7

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2024-03-18 10:00:57 -04:00
Brooks Davis
cec2adb0d3 heimdal: don't try to expose nonexistant symbols
For one reason or another these symbols aren't present so don't try to
make them available for linkage.

In the case of libroken these seem to be compatability bits we don't
need a thus don't compile.  For others it seems to rot upstream, but
I've not investigated deeply.

Reviewed by:	cy
Differential Revision:	https://reviews.freebsd.org/D44246
2024-03-07 00:55:11 +00:00
Brooks Davis
de4386d174 heimdal: don't export nonexistant _wind_ucs2read
This symbol table entry came in with the 1.5 import (commit
7c450da7b4), but the only other mention is a commented out entry in
lib/wind/libwind-exports.def.

Reviewed by:	cy
Differential Revision:	https://reviews.freebsd.org/D44245
2024-03-07 00:54:55 +00:00
Cy Schubert
5130b35ef5 Revert "heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()"
This was already applied by ed549cb0c5.

Repored by:	Gunther Nikl <gnikl@justmail.de>

This reverts commit 9286d46a79.
2024-02-16 09:31:13 -08:00
Cy Schubert
fc773115fa heimdal: Fix NULL deref
A flawed logical condition allows a malicious actor to remotely
trigger a NULL pointer dereference using a crafted negTokenInit
token.

Upstream notes:

    Reported to Heimdal by Michał Kępień <michal@isc.org>.

    From the report:

    Acknowledgement
    ---------------

    This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
    TKEY Query Heap-based Buffer Overflow Remote Code Execution
    Vulnerability, which was reported to ISC by Trend Micro's Zero Day

Security:	CVE-2022-3116
Obtained from:	upstream 7a19658c1
MFC after:	1 week
2024-02-15 13:27:55 -08:00
Cy Schubert
60616b445e heimdal: always confirm PA-PKINIT-KX for anon PKINIT
Import upstream 38c797e1a.

Upstream notes:

    RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
    excahnge when anonymous PKINIT is used.  Failure to do so can
    permit an active attacker to become a man-in-the-middle.

Reported by:	emaste
Obtained from:	upstream 38c797e1a
Security:	CVE-2019-12098
MFC after:	1 week
2024-02-15 13:27:55 -08:00
Cy Schubert
9286d46a79 heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()
Apply upstream 22749e918 to fix a buffer overflow.

Upstream notes:

    If len_len is equal to total_len - 1 (i.e. the input consists only of a
    0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
    used as the 'len' parameter to der_get_length(), will overflow to
    SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
    whatever data follows in memory. Add a check to ensure that doesn't
    happen

This is similar to samba CVE-2022-3437.

Reported by:	emaste
Security:	CVE-2022-41916
Obtained from:	upstream 22749e918
MFC after:	1 week
2024-02-15 13:27:55 -08:00
Cy Schubert
2433937749 Heimdal: CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum
Upstream's explanation of the problem:

    S4U2Self is an extension to Kerberos used in Active Directory to allow
    a service to request a kerberos ticket to itself from the Kerberos Key
    Distribution Center (KDC) for a non-Kerberos authenticated user
    (principal in Kerboros parlance). This is useful to allow internal
    code paths to be standardized around Kerberos.

    S4U2Proxy (constrained-delegation) is an extension of this mechanism
    allowing this impersonation to a second service over the network. It
    allows a privileged server that obtained a S4U2Self ticket to itself
    to then assert the identity of that principal to a second service and
    present itself as that principal to get services from the second
    service.

    There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
    KDC checks the checksum that is placed on the S4U2Self packet by the
    server to protect the requested principal against modification, it
    does not confirm that the checksum algorithm that protects the user
    name (principal) in the request is keyed.  This allows a
    man-in-the-middle attacker who can intercept the request to the KDC to
    modify the packet by replacing the user name (principal) in the
    request with any desired user name (principal) that exists in the KDC
    and replace the checksum protecting that name with a CRC32 checksum
    (which requires no prior knowledge to compute).

    This would allow a S4U2Self ticket requested on behalf of user name
    (principal) user@EXAMPLE.COM to any service to be changed to a
    S4U2Self ticket with a user name (principal) of
    Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
    the modified user name (principal).

Reported by:	emaste
Security:	CVE-2018-16860
Obtained from:	Upstream c6257cc2c
MFC after:	1 week
2024-02-15 13:27:54 -08:00
Cy Schubert
f8041e3628 Heimdal: Fix transit path validation CVE-2017-6594
Apply upstream b1e699103. This fixes a bug introduced by upstream
f469fc6 which may in some cases enable bypass of capath policy.

Upstream writes in their commit log:

    Note, this may break sites that rely on the bug.  With the bug some
    incomplete [capaths] worked, that should not have.  These may now break
    authentication in some cross-realm configurations.

Reported by:	emaste
Security:	CVE-2017-6594
Obtained from:	upstream b1e699103
MFC after:	1 week
2024-02-15 13:27:54 -08:00
Cy Schubert
da63ac1b07 OpenSSL: Update date string
Reported by:	"Herbert J. Skuhra" <herbert@gojira.at>
Fixes:		74fe298c82
MFC after:	3 days
2024-02-05 12:09:08 -08:00
Cy Schubert
74fe298c82 OpenSSL: Update version strings
Reported by:	"Herbert J. Skuhra" <herbert@gojira.at>
Fixes:		9eb4e0b42d
MFC after:	3 days
2024-02-02 16:34:36 -08:00
Cy Schubert
e0c4386e7e OpenSSL: Vendor import of OpenSSL 3.0.13
* Fixed PKCS12 Decoding crashes ([CVE-2024-0727])
 * Fixed Excessive time spent checking invalid RSA public keys
   ([CVE-2023-6237])
 * Fixed POLY1305 MAC implementation corrupting vector registers on
   PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129])
 * Fix excessive time spent in DH check / generation with large Q
   parameter value ([CVE-2023-5678])

Release notes can be found at
            https://www.openssl.org/news/openssl-3.0-notes.html.

Approved by:	emaste
MFC after:	3 days

Merge commit '9dd13e84fa8eca8f3462bd55485aa3da8c37f54a'
2024-02-02 13:21:36 -08:00
Cy Schubert
9dd13e84fa OpenSSL: Vendor import of OpenSSL 3.0.13
* Fixed PKCS12 Decoding crashes ([CVE-2024-0727])
* Fixed Excessive time spent checking invalid RSA public keys
  ([CVE-2023-6237])
* Fixed POLY1305 MAC implementation corrupting vector registers on
  PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129])
* Fix excessive time spent in DH check / generation with large Q
  parameter value ([CVE-2023-5678])

Release notes can be found at
	https://www.openssl.org/news/openssl-3.0-notes.html.
2024-02-02 01:48:38 -08:00
Cy Schubert
476d63e091 kerberos: Fix numerous segfaults when using weak crypto
Weak crypto is provided by the openssl legacy provider which is
not load by default. Load the legacy providers as needed.

When the legacy provider is loaded into the default context the default
provider will no longer be automatically loaded. Without the default
provider the various kerberos applicaions and functions will abort().

This is the second attempt at this patch. Instead of linking
secure/lib/libcrypto at build time we now link it at runtime, avoiding
buildworld failures under Linux and MacOS. This is because
TARGET_ENDIANNESS is undefined at pre-build time.

PR:		272835
MFC after:	3 days
X-MFC:		only to stable/14
Tested by:	netchild
		Joerg Pulz <Joerg.Pulz@frm2.tum.de> (previous version)
2024-01-17 23:46:57 -08:00
Cy Schubert
3091cdb11f Revert "kerberos: Fix numerous segfaults when using weak crypto"
This revision breaks Linux and MacOS cross builds because
TARGET_ENDIANNESS is not define during bootstrapping on these
platforms.

I think the correct approach would be to separate the new
fbsd_ossl_provider_load() and unload functions into their own
library (instead of libroken). This avoids the less desirable
option of including bsd.cpu.mk in secure/lib/Makefile.common,
which does build but could complicate future work.

Reported by:	jrtc27

This reverts commit cb350ba7bf.
2024-01-11 23:42:33 -08:00
Cy Schubert
cb350ba7bf kerberos: Fix numerous segfaults when using weak crypto
Weak crypto is provided by the openssl legacy provider which is
not load by default. Load the legacy providers as needed.

When the legacy provider is loaded into the default context the default
provider will no longer be automatically loaded. Without the default
provider the various kerberos applicaions and functions will abort().

PR:			272835
MFC after:		3 days
Differential Revision:	https://reviews.freebsd.org/D43009
Tested by:		netchild, Joerg Pulz <Joerg.Pulz@frm2.tum.de>
2024-01-11 05:26:42 -08:00
Ed Maste
069ac18495 ssh: Update to OpenSSH 9.6p1
From the release notes,

> This release contains a number of security fixes, some small features
> and bugfixes.

The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol.  The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.

Full release notes at https://www.openssh.com/txt/release-9.6

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2024-01-04 22:16:30 -05:00
Jens Schweikhardt
53d908d6eb Correct three typos in manuals. 2024-01-04 21:35:25 +01:00
Cy Schubert
fc55c20355 heimdal: Fix man page and documentation typos
Reported by:	Jens Schweikhardt <schweikh@schweikhardt.net>
MFC:		1 week
2024-01-04 10:35:59 -08:00
Gordon Tetlow
92f58c69a1
Implement "strict key exchange" in ssh and sshd.
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.

Full details of the extension are in the PROTOCOL file.

OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14

Approved by:	so (implicit)
Obtained from:	https://anongit.mindrot.org/openssh.git/patch/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
Security:	CVE-2023-48795
2023-12-18 08:22:22 -08:00
Ed Maste
ad991e4c14 OpenSSL: update to 3.0.12
OpenSSL 3.0.12 addresses:

 * Fix incorrect key and IV resizing issues when calling
   EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2()
   with OSSL_PARAM parameters that alter the key or IV length
   ([CVE-2023-5363]).

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2023-10-24 14:55:56 -04:00
Ed Maste
825caf7e12 OpenSSL: Vendor import of OpenSSL 3.0.12
* Fix incorrect key and IV resizing issues when calling
   EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2()
   with OSSL_PARAM parameters that alter the key or IV length
   ([CVE-2023-5363]).

Sponsored by:	The FreeBSD Foundation
2023-10-24 13:48:36 -04:00
Daiki Ueno
6ed16d1733 KTLS: Enable KTLS for receiving as well in TLS 1.3
This removes a guard condition that prevents KTLS being enabled for
receiving in TLS 1.3.  Use the correct sequence number and BIO for
receive vs transmit offload.

Obtained from:	OpenSSL commit 7c78932b9a4330fb7c8db72b3fb37cbff1401f8b
2023-10-19 11:34:58 -07:00