path: root/crypto
Commit message | Author | Age | Files | Lines
* Fix OpenSSL NULL pointer de-reference. [releng/11.4] (Gordon Tetlow, 2020-12-14, 5 files, -6/+85 lines)
| Approved by: so
| Security: FreeBSD-SA-20:33.openssl
| Security: CVE-2020-1971
| Notes: svn path=/releng/11.4/; revision=368643
* MFC r333552,333558-333568,333573,338568-338569,339275,339278,339294,340037, (Cy Schubert, 2020-01-04, 1 file, -12/+11 lines)
| r349720,356228:
| r333552 (des): Upgrade Unbound to 1.6.0. More to follow.
| r333558 (des): Upgrade Unbound to 1.6.1. More to follow.
| r333559 (des): Upgrade Unbound to 1.6.2. More to follow.
| r333560 (des): Upgrade Unbound to 1.6.3. More to follow.
| r333561 (des): Upgrade Unbound to 1.6.4. More to follow.
| r333562 (des): Upgrade Unbound to 1.6.5. More to follow.
| r333563 (des): Upgrade Unbound to 1.6.6. More to follow.
| r333564 (des): Upgrade Unbound to 1.6.7. More to follow.
| r333565 (des): No reason to keep this around.
| r333566 (des): Upgrade Unbound to 1.6.8. More to follow.
| r333567 (des): Upgrade Unbound to 1.7.0. More to follow.
| r333568 (des): Upgrade Unbound to 1.7.1.
| r333573 (des): Rename all Unbound binaries and man pages from unbound* to local-unbound*.
|   PR: 222902
| r338568 (des): Upgrade Unbound to 1.7.2. More to follow.
| r338569 (des): Upgrade Unbound to 1.7.3. More to follow.
| r339275 (des): Upgrade Unbound to 1.8.0. More to follow.
| r339278 (des): Upgrade to 1.8.1.
| r339294 (des): Try harder to sanitize the environment before running configure. Remove a workaround for older Unbound versions that used sbrk.
| r340037 (des): Merge upstream r4932: turn so-reuseport option off by default.
| r349720 (des): Upgrade Unbound to 1.9.2.
| MFC r356228 (cy): MFV r356143: Update unbound 1.9.2 --> 1.9.6.
| Security: CVE-2017-15105 (fixed by 1.6.7)
|           CVE-2019-18934 (fixed by 1.9.5)
| Notes: svn path=/stable/11/; revision=356345
* Merge OpenSSL 1.0.2u. (Jung-uk Kim, 2020-01-02, 11 files, -210/+267 lines)
| Notes: svn path=/stable/11/; revision=356290
* sftp: disallow creation (of empty files) in read-only mode (Ed Maste, 2019-12-13, 1 file, -2/+2 lines)
| Direct commit to stable/11; already fixed in newer OpenSSH in 12 and later.
| PR: 233801
| Reported by: Dani
| Obtained from: OpenBSD 1.111
| Security: CVE-2017-15906
| Notes: svn path=/stable/11/; revision=355731
* Merge OpenSSL 1.0.2t. (Jung-uk Kim, 2019-09-10, 33 files, -167/+708 lines)
| Notes: svn path=/stable/11/; revision=352193
* Merge OpenSSL 1.0.2s. (Jung-uk Kim, 2019-05-29, 26 files, -157/+281 lines)
| Approved by: re (kib)
| Notes: svn path=/stable/11/; revision=348343
* Merge OpenSSL 1.0.2r. (Jung-uk Kim, 2019-02-26, 34 files, -178/+525 lines)
| Notes: svn path=/stable/11/; revision=344604
* MFC r343043: scp: disallow empty or current directory (Ed Maste, 2019-01-16, 1 file, -1/+2 lines)
| Obtained from: OpenBSD scp.c 1.198
| Security: CVE-2018-20685
| Sponsored by: The FreeBSD Foundation
| Notes: svn path=/stable/11/; revision=343097
* Merge OpenSSL 1.0.2q. (Jung-uk Kim, 2018-11-20, 56 files, -201/+922 lines)
| Notes: svn path=/stable/11/; revision=340704
* MFC r338810: openssh: rename local macro to avoid OpenSSL 1.1.1 conflict (Ed Maste, 2018-10-10, 3 files, -7/+7 lines)
| Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OpenSSL 1.1.1
| Sponsored by: The FreeBSD Foundation
| Notes: svn path=/stable/11/; revision=339285
* Avoid printing extraneous function names when searching man page (Cy Schubert, 2018-09-05, 1 file, -3/+2 lines)
| database (apropos, man -k). This commit replaces .SS with .SH, similar to the man page provided by original heimdal (as in port).
| PR: 230573
| Submitted by: yuripv@yuripv.net
| Notes: svn path=/stable/11/; revision=338464
* MFC: r337791 (Jung-uk Kim, 2018-08-17, 123 files, -946/+1519 lines)
| Merge OpenSSL 1.0.2p.
| Notes: svn path=/stable/11/; revision=337982
* MFC: r331627 (Jung-uk Kim, 2018-03-27, 156 files, -809/+951 lines)
| Merge OpenSSL 1.0.2o.
| Notes: svn path=/stable/11/; revision=331638
* MFC: r328419 (Jung-uk Kim, 2018-01-29, 1 file, -0/+1 lines)
| Add declaration of SSL_get_selected_srtp_profile() for OpenSSL.
| Differential Revision: https://reviews.freebsd.org/D10525
| Notes: svn path=/stable/11/; revision=328556
* MFC: r326662 (Jung-uk Kim, 2017-12-07, 37 files, -82/+278 lines)
| Merge OpenSSL 1.0.2n.
| Notes: svn path=/stable/11/; revision=326663
* MFC: r325328 (Jung-uk Kim, 2017-11-02, 133 files, -348/+1576 lines)
| Merge OpenSSL 1.0.2m.
| Notes: svn path=/stable/11/; revision=325337
* MFC: r318899 (Jung-uk Kim, 2017-11-02, 126 files, -742/+1415 lines)
| Merge OpenSSL 1.0.2l.
| Notes: svn path=/stable/11/; revision=325335
* MFC: r316607 (andrew) (Jung-uk Kim, 2017-11-02, 1 file, -0/+1 lines)
| Fix linking with lld by marking OPENSSL_armcap_P as hidden.
| Linking with lld fails as it contains a relative address, however the data this address is for may be relocated from the shared object to the main executable.
| Fix this by adding the hidden attribute. This stops moving this value to the main executable. It seems this is implicit upstream as it uses a version script.
| Notes: svn path=/stable/11/; revision=325334
* MFC: r307976 (Jung-uk Kim, 2017-11-02, 3 files, -3/+2 lines)
| Build OpenSSL assembly sources for aarch64.
| Notes: svn path=/stable/11/; revision=325333
* MFH (r322052): Upgrade OpenSSH to 7.5p1. (Dag-Erling Smørgrav, 2017-09-02, 73 files, -3033/+2313 lines)
| Notes: svn path=/stable/11/; revision=323136
* MFH (r314306,r314720): Upgrade OpenSSH to 7.4p1. (Dag-Erling Smørgrav, 2017-09-02, 196 files, -6750/+5993 lines)
| Notes: svn path=/stable/11/; revision=323134
* MFH (r314527,r314576,r314601,r317998): Upgrade OpenSSH to 7.3p1. (Dag-Erling Smørgrav, 2017-09-02, 155 files, -3241/+5942 lines)
| Notes: svn path=/stable/11/; revision=323129
* Apply upstream fix: (Xin LI, 2017-08-10, 1 file, -0/+5 lines)
| Skip passwords longer than 1k in length so clients can't easily DoS sshd by sending very long passwords, causing it to spend CPU hashing them. feedback djm@, ok markus@.
| Brought to our attention by tomas.kuthan at oracle.com, shilei-c at 360.cn and coredump at autistici.org
| Security: CVE-2016-6515
| Security: FreeBSD-SA-17:06.openssh
| Notes: svn path=/stable/11/; revision=322341
* MFC r320906: MFV r320905: Import upstream fix for CVE-2017-11103. (Xin LI, 2017-07-12, 1 file, -2/+2 lines)
| In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks.
| Submitted by: hrs
| Obtained from: Heimdal
| Security: FreeBSD-SA-17:05.heimdal
| Security: CVE-2017-11103
| Notes: svn path=/stable/11/; revision=320907
* MFC r318242: Refine and update blacklist support in sshd (Kurt Lidl, 2017-05-17, 8 files, -16/+23 lines)
| Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames.
| Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.)
| Add guards to allow library headers to expose the enum of action values.
| Reviewed by: des
| Relnotes: yes
| Sponsored by: The FreeBSD Foundation
| Notes: svn path=/stable/11/; revision=318402
* MFC r304624: Remove duplicate symbol from libhx509 version-script.map (Ed Maste, 2017-04-03, 1 file, -1/+0 lines)
| Upstream commit r21331 (7758a5d0) added semiprivate function _hx509_request_to_pkcs10 twice. This change has been committed upstream as 8ef0071d.
| Sponsored by: The FreeBSD Foundation
| Notes: svn path=/stable/11/; revision=316465
* MFC r303156: Remove duplicate symbols from libroken version-script.map (Ed Maste, 2017-04-03, 1 file, -6/+0 lines)
| Upstream commit r24759 (efed563) prefixed some symbols with rk_, but introduced 6 duplicate symbols in the version script (because the rk_-prefixed versions of the symbols were already present).
| Sponsored by: The FreeBSD Foundation
| Notes: svn path=/stable/11/; revision=316463
* MFC r313965: (Kurt Lidl, 2017-02-22, 1 file, -2/+2 lines)
| Only notify blacklistd for successful logins in auth.c
| Before this change, every pass through auth.c resulted in a call to blacklist_notify().
| In a normal remote login, there would be a failed login flagged for the printing of the "xxx login:" prompt, before the remote user could enter a password.
| If the user successfully entered a good password, then a good login would be flagged, and everything would be OK.
| If the user entered an incorrect password, there would be another failed login flagged in auth1.c (or auth2.c) for the actual bad password attempt. Finally, when sshd got around to issuing the second "xxx login:" prompt, there would be yet another failed login notice sent to blacklistd.
| So, if there was a 3 bad logins limit set (the default), the system would actually block the address after the first bad password attempt.
| Reported by: Rick Adams
| Reviewed by: des
| Sponsored by: The FreeBSD Foundation
| Notes: svn path=/stable/11/; revision=314072
* MFC r311585: (Enji Cooper, 2017-02-04, 1 file, -1/+1 lines)
| Conditionalize building libwrap support into sshd
| Only build libwrap support into sshd if MK_TCP_WRAPPERS != no
| This will unbreak the build if libwrap has been removed from the system
| PR: 210141
| Notes: svn path=/stable/11/; revision=313243
* MFC: r312825 (Jung-uk Kim, 2017-01-26, 100 files, -634/+836 lines)
| Merge OpenSSL 1.0.2k.
| Notes: svn path=/stable/11/; revision=312826
* MFC r311914: MFV r311913: (Xin LI, 2017-01-11, 8 files, -15/+55 lines)
| Fix multiple OpenSSH vulnerabilities.
| Submitted by: des
| Approved by: so
| Notes: svn path=/stable/11/; revision=311915
* MFC r308197: MFV r308196: (Xin LI, 2016-11-02, 1 file, -0/+1 lines)
| Fix OpenSSH remote Denial of Service vulnerability.
| Security: CVE-2016-8858
| Notes: svn path=/stable/11/; revision=308198
* MFC: r306342 (Jung-uk Kim, 2016-09-26, 8 files, -8/+26 lines)
| Merge OpenSSL 1.0.2j.
| Notes: svn path=/stable/11/; revision=306343
* MFC: r306193 (Jung-uk Kim, 2016-09-22, 222 files, -1347/+3936 lines)
| Merge OpenSSL 1.0.2u.
| Notes: svn path=/stable/11/; revision=306195
* MFC r305065: Add refactored blacklist support to sshd (Kurt Lidl, 2016-09-06, 12 files, -1/+195 lines)
| Change the calls to blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file.
| Remove redundant initialization attempts from within blacklist_notify - everything always goes through blacklistd_init().
| Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file.
| Approved by: des
| Sponsored by: The FreeBSD Foundation
| Notes: svn path=/stable/11/; revision=305476
* MFC: r304636 (Jung-uk Kim, 2016-08-31, 2 files, -3/+3 lines)
| Build OpenSSL assembly sources for arm.
| Notes: svn path=/stable/11/; revision=305152
* MFH (r303832): check whether each key file exists before adding it (Dag-Erling Smørgrav, 2016-08-11, 1 file, -10/+15 lines)
| PR: 208254
| Approved by: re (kib)
| Notes: svn path=/stable/11/; revision=303952
* MFH (r303716, r303719): drop SSH1 support, disable DSA by default (Dag-Erling Smørgrav, 2016-08-05, 7 files, -40/+19 lines)
| PR: 208254
| Approved by: re (gjb)
| Relnotes: yes
| Notes: svn path=/stable/11/; revision=303770
* Revert r301551, which added blacklistd(8) to sshd(8). (Glen Barber, 2016-06-24, 8 files, -145/+0 lines)
| This change has functional impact, and other concerns raised by the OpenSSH maintainer.
| Requested by: des
| PR: 210479 (related)
| Approved by: re (marius)
| Sponsored by: The FreeBSD Foundation
| Notes: svn path=/head/; revision=302182
* Add blacklist support to sshd (Kurt Lidl, 2016-06-07, 8 files, -0/+145 lines)
| Reviewed by: rpaulo
| Approved by: rpaulo (earlier version of changes)
| Relnotes: YES
| Sponsored by: The FreeBSD Foundation
| Differential Revision: https://reviews.freebsd.org/D5915
| Notes: svn path=/head/; revision=301551
* openssl: change SHLIB_VERSION_NUMBER to reflect the reality (Andriy Gapon, 2016-06-03, 1 file, -1/+1 lines)
| Some consumers actually use this definition.
| We probably need some procedure to ensure that SHLIB_VERSION_NUMBER is updated whenever we change the library version in secure/lib/libssl/Makefile.
| Notes: svn path=/head/; revision=301271
* libkrb5: Fix potential double-free (Conrad Meyer, 2016-05-11, 1 file, -0/+1 lines)
| If krb5_make_principal fails, tmp_creds.server may remain a pointer to freed memory and then be double-freed. After freeing it the first time, initialize it to NULL, which causes subsequent krb5_free_principal calls to do the right thing.
| Reported by: Coverity
| CID: 1273430
| Sponsored by: EMC / Isilon Storage Division
| Notes: svn path=/head/; revision=299495
* Merge OpenSSL 1.0.2h. (Jung-uk Kim, 2016-05-03, 67 files, -263/+1117 lines)
|\
| | Relnotes: yes
| | Notes: svn path=/head/; revision=298998
| * Import OpenSSL 1.0.2h. [vendor/openssl/1.0.2h] (Jung-uk Kim, 2016-05-03, 38 files, -122/+334 lines)
| | Notes: svn path=/vendor-crypto/openssl/dist/; revision=298991
| |        svn path=/vendor-crypto/openssl/1.0.2h/; revision=298992; tag=vendor/openssl/1.0.2h
* | Re-add AES-CBC ciphers to the default cipher list on the server. (Dag-Erling Smørgrav, 2016-03-11, 3 files, -4/+12 lines)
| | PR: 207679
| | Notes: svn path=/head/; revision=296634
* | Upgrade to OpenSSH 7.2p2. (Dag-Erling Smørgrav, 2016-03-11, 140 files, -3291/+5765 lines)
|\ \
| | | Notes: svn path=/head/; revision=296633
* \ \ Merge OpenSSL 1.0.2g. (Jung-uk Kim, 2016-03-01, 83 files, -1318/+2668 lines)
|\ \ \
| | |/
| |/|
| | | Relnotes: yes
| | | Notes: svn path=/head/; revision=296279
| * | Import OpenSSL 1.0.2g. [vendor/openssl/1.0.2g] (Jung-uk Kim, 2016-03-01, 40 files, -1046/+1741 lines)
| | | Notes: svn path=/vendor-crypto/openssl/dist/; revision=296273
| | |        svn path=/vendor-crypto/openssl/1.0.2g/; revision=296274; tag=vendor/openssl/1.0.2g
* | | Document our modified default value for PermitRootLogin. (Dag-Erling Smørgrav, 2016-02-02, 2 files, -2/+2 lines)
| | | Notes: svn path=/head/; revision=295139
* | | Merge OpenSSL 1.0.2f. (Jung-uk Kim, 2016-01-28, 136 files, -443/+844 lines)
|\| |
| | | Relnotes: yes
| | | Notes: svn path=/head/; revision=295009