path: root/crypto
Commit message | Author | Age | Files | Lines
* Fix OpenSSL multiple vulnerabilities. [13:03]
  [ref releng/9.0; Xin LI, 2013-04-02, 102 files, -623/+2334]
  Fix BIND remote denial of service. [13:04]
  Security: CVE-2013-0166, CVE-2013-0169
  Security: FreeBSD-SA-13:03.openssl
  Security: CVE-2013-2266
  Security: FreeBSD-SA-13:04.bind
  Approved by: so
  Notes: svn path=/releng/9.0/; revision=249029
* Update the previous openssl fix. [12:01]
  [Bjoern A. Zeeb, 2012-05-30, 2 files, -9/+8]
  Fix a bug in crypt(3) ignoring characters of a passphrase. [12:02]
  Security: FreeBSD-SA-12:01.openssl (revised)
  Security: FreeBSD-SA-12:02.crypt
  Approved by: so (bz, simon)
  Notes: svn path=/releng/9.0/; revision=236304
* Fix multiple OpenSSL vulnerabilities.
  [Bjoern A. Zeeb, 2012-05-03, 11 files, -39/+162]
  Security: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109
  Security: CVE-2012-0884, CVE-2012-2110
  Security: FreeBSD-SA-12:01.openssl
  Approved by: so (bz,simon)
  Notes: svn path=/releng/9.0/; revision=234954
* Fix a problem whereby a corrupt DNS record can cause named to crash. [11:06]
  [Colin Percival, 2011-12-23, 1 file, -0/+3]
  Add an API for alerting internal libc routines to the presence of
  "unsafe" paths post-chroot, and use it in ftpd. [11:07]
  Fix a buffer overflow in telnetd. [11:08]
  Make pam_ssh ignore unpassphrased keys unless the "nullok" option is
  specified. [11:09]
  Add sanity checking of service names in pam_start. [11:10]
  Approved by: so (cperciva)
  Approved by: re (bz)
  Security: FreeBSD-SA-11:06.bind
  Security: FreeBSD-SA-11:07.chroot
  Security: FreeBSD-SA-11:08.telnetd
  Security: FreeBSD-SA-11:09.pam_ssh
  Security: FreeBSD-SA-11:10.pam
  Notes: svn path=/releng/9.0/; revision=228843
* MFH r225852: regenerate after hpn patch
  [Dag-Erling Smørgrav, 2011-10-04, 1 file, -1/+4]
  Approved by: re (kib)
  Notes: svn path=/stable/9/; revision=225983
* Remove the svn:keywords property and restore the historical $FreeBSD$ tag.
  [Dag-Erling Smørgrav, 2011-09-16, 1 file, -1/+1]
  Approved by: re (kib)
  MFC after: 3 weeks
  Notes: svn path=/head/; revision=225614
* Fix SSL memory handling for (EC)DH cipher suites, in particular for
  multi-threaded use of ECDH.
  [Xin LI, 2011-09-08, 2 files, -7/+21]
  Security: CVE-2011-3210
  Reviewed by: stas
  Obtained from: OpenSSL CVS
  Approved by: re (kib)
  Notes: svn path=/head/; revision=225446
* Fix two more $FreeBSD$ keywords.
  [Brooks Davis, 2011-08-03, 2 files, -2/+2]
  Reported by: pluknet
  Approved by: re (implicit)
  Notes: svn path=/head/; revision=224642
* Add support for dynamically adjusted buffers to allow the full use of
  the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or
  trans-continental links).
  [Brooks Davis, 2011-08-03, 31 files, -43/+747]
  Bandwidth-delay products up to 64MB are supported.
  Also add support (not compiled by default) for the None cypher. The
  None cypher can only be enabled on non-interactive sessions (those
  without a pty where -T was not used) and must be enabled in both
  the client and server configuration files and on the client command
  line. Additionally, the None cypher will only be activated after
  authentication is complete. To enable the None cypher you must add
  -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in
  /etc/make.conf.
  This code is a style(9) compliant version of these features extracted
  from the patches published at:
  http://www.psc.edu/networking/projects/hpn-ssh/
  Merging this patch has been a collaboration between me and Bjoern.
  Reviewed by: bz
  Approved by: re (kib), des (maintainer)
  Notes: svn path=/head/; revision=224638
* Fix clang warning (why is there nowhere yyparse() is declared?).
  [Ben Laurie, 2011-05-18, 1 file, -0/+1]
  Approved by: philip (mentor)
  Notes: svn path=/head/; revision=222081
* Merge two upstream patches from vendor branch. No functional changes.
  [Dag-Erling Smørgrav, 2011-05-05, 2 files, -2/+3]
  Notes: svn path=/head/; revision=221487
* | Upgrade to OpenSSH 5.8p2.
    [Dag-Erling Smørgrav, 2011-05-04, 126 files, -4246/+5749]
    Notes: svn path=/head/; revision=221420
* | Fix Incorrectly formatted ClientHello SSL/TLS handshake messages could
    cause OpenSSL to parse past the end of the message.
    [Simon L. B. Nielsen, 2011-02-12, 1 file, -1/+7]
    Note: Applications are only affected if they act as a server and call
    SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
    Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".
    Security: http://www.openssl.org/news/secadv_20110208.txt
    Security: CVE-2011-0014
    Obtained from: OpenSSL CVS
    Notes: svn path=/head/; revision=218625
* | Merge OpenSSL 0.9.8q into head.
    [Simon L. B. Nielsen, 2010-12-03, 17 files, -30/+146]
    Security: CVE-2010-4180
    Security: http://www.openssl.org/news/secadv_20101202.txt
    MFC after: 3 days
    Notes: svn path=/head/; revision=216166
| * | Import OpenSSL 0.9.8q.
      [ref vendor/openssl/0.9.8q; Simon L. B. Nielsen, 2010-12-02, 7 files, -10/+44]
      Notes:
        svn path=/vendor-crypto/openssl/dist/; revision=216135
        svn path=/vendor-crypto/openssl/0.9.8q/; revision=216136; tag=vendor/openssl/0.9.8q
* | | Merge OpenSSL 0.9.8p into head.
      [Simon L. B. Nielsen, 2010-11-22, 127 files, -535/+876]
      Security: CVE-2010-3864
      Security: http://www.openssl.org/news/secadv_20101116.txt
      Notes: svn path=/head/; revision=215697
| * | Import OpenSSL 0.9.8p.
      [ref vendor/openssl/0.9.8p; Simon L. B. Nielsen, 2010-11-21, 50 files, -187/+276]
      Notes:
        svn path=/vendor-crypto/openssl/dist/; revision=215643
        svn path=/vendor-crypto/openssl/0.9.8p/; revision=215644; tag=vendor/openssl/0.9.8p
* | | Fix double-free in OpenSSL's SSL ECDH code.
      [Simon L. B. Nielsen, 2010-11-14, 1 file, -0/+1]
      It has yet to be determined if this warrants a FreeBSD Security
      Advisory, but we might as well get it fixed in the normal branches.
      Obtained from: OpenSSL CVS
      Security: CVE-2010-2939
      X-MFC after: Not long...
      Notes: svn path=/head/; revision=215288
* | | Upgrade to OpenSSH 5.6p1.
      [Dag-Erling Smørgrav, 2010-11-11, 68 files, -979/+3236]
      Notes: svn path=/head/; revision=215116
* | | Forgot to svn rm this when I imported 5.4p1.
      [Dag-Erling Smørgrav, 2010-11-10, 1 file, -25/+0]
      Notes: svn path=/head/; revision=215083
* | | Remove copyright strings printed at login time via login(1) or sshd(8).
      [Ed Maste, 2010-09-28, 1 file, -18/+0]
      It is not clear to what this copyright should apply, and this is in line
      with what other operating systems do.
      For ssh specifically, printing of the copyright string is not in the
      upstream version so this reduces our FreeBSD-local diffs.
      Approved by: core, des (ssh)
      Notes: svn path=/head/; revision=213250
* | | Bring in OpenSSL checkin 19821:
      [Rui Paulo, 2010-09-21, 2 files, -6/+13]
      Make inline assembler clang-friendly [from HEAD].
        openssl/crypto/md32_common.h 1.45.2.1 -> 1.45.2.2
        openssl/crypto/rc5/rc5_locl.h 1.8 -> 1.8.8.1
      Approved by: simon
      Notes: svn path=/head/; revision=212961
* | | More commas
      [Dag-Erling Smørgrav, 2010-06-01, 2 files, -2/+2]
      Notes: svn path=/head/; revision=208724
* | | Missing commas
      [Dag-Erling Smørgrav, 2010-06-01, 11 files, -11/+11]
      Notes: svn path=/head/; revision=208709
* | | Fix .Dd line: FreeBSD's mdoc code doesn't understand OpenBSD's $Mdocdate$.
      [Colin Percival, 2010-05-28, 1 file, -1/+1]
      MFC after: 3 days
      Notes: svn path=/head/; revision=208606
* | | Upgrade to OpenSSH 5.5p1.
      [Dag-Erling Smørgrav, 2010-04-28, 25 files, -88/+254]
      Notes: svn path=/head/; revision=207319
* | | Enhance r199804 by marking the daemonised child as immune to OOM instead
      of short-living parent.
      [Konstantin Belousov, 2010-04-08, 1 file, -4/+4]
      Only mark the master process that accepts connections, do not protect
      connection handlers spawned from inetd.
      Submitted by: Mykola Dzham <i levsha me>
      Reviewed by: attilio
      MFC after: 1 week
      Notes: svn path=/head/; revision=206397
* | | Merge OpenSSL 0.9.8n into head.
      [Simon L. B. Nielsen, 2010-04-01, 28 files, -37/+115]
      This fixes CVE-2010-0740 which only affected -CURRENT (OpenSSL 0.9.8m)
      but not -STABLE branches.
      I have not yet been able to find out if CVE-2010-0433 impacts FreeBSD.
      This will be investigated further.
      Security: CVE-2010-0433, CVE-2010-0740
      Security: http://www.openssl.org/news/secadv_20100324.txt
      Notes: svn path=/head/; revision=206046
| * | Import OpenSSL 0.9.8n.
      [ref vendor/openssl/0.9.8n; Simon L. B. Nielsen, 2010-04-01, 14 files, -23/+51]
      Notes:
        svn path=/vendor-crypto/openssl/dist/; revision=206035
        svn path=/vendor-crypto/openssl/0.9.8n/; revision=206037; tag=vendor/openssl/0.9.8n
* | | Readd $FreeBSD$ to the OpenSSL config file as that's useful for
      mergemaster.
      [Simon L. B. Nielsen, 2010-03-13, 1 file, -0/+1]
      Suggested by: dougb
      Notes: svn path=/head/; revision=205137
* | | Merge OpenSSL 0.9.8m into head.
      [Simon L. B. Nielsen, 2010-03-13, 238 files, -19819/+4290]
      This also "reverts" some FreeBSD local changes so we should now
      be back to using entirely stock OpenSSL. The local changes were
      simple $FreeBSD$ lines additions, which were required in the CVS
      days, and the patch for FreeBSD-SA-09:15.ssl which has been
      superseded with OpenSSL 0.9.8m's RFC5746 'TLS renegotiation
      extension' support.
      MFC after: 3 weeks
      Notes: svn path=/head/; revision=205128
| * | Import OpenSSL 0.9.8m.
      [ref vendor/openssl/0.9.8m; Simon L. B. Nielsen, 2010-02-28, 113 files, -16066/+1266]
      Notes:
        svn path=/vendor-crypto/openssl/dist/; revision=204477
        svn path=/vendor-crypto/openssl/0.9.8m/; revision=204478; tag=vendor/openssl/0.9.8m
* | | Upgrade to OpenSSH 5.4p1.
      [Dag-Erling Smørgrav, 2010-03-09, 124 files, -3006/+10880]
      MFC after: 1 month
      Notes: svn path=/head/; revision=204917
* | | Add a missing $FreeBSD$ string.
      [Ed Schouten, 2010-01-13, 1 file, -0/+1]
      I was requested to add this string to any file that was modified by my
      commit, which I forgot to do so.
      Requested by: des
      Notes: svn path=/head/; revision=202231
* | | Make OpenSSH work with utmpx.
      [Ed Schouten, 2010-01-13, 4 files, -27/+56]
      - Partially revert r184122 (sshd.c). Our ut_host is now big enough to
        fit proper hostnames.
      - Change config.h to match reality.
      - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows
        the utmpx code to work. This makes no sense to me. I've already
        mentioned this upstream.
      - Add our own platform-specific handling of lastlog. The version I will
        send to the OpenSSH folks will use proper autoconf generated
        definitions instead of `#if 1'.
      Notes: svn path=/head/; revision=202213
* | | The size of credential messages is limited by CMGROUP_MAX rather than
      NGROUPS.
      [Brooks Davis, 2010-01-03, 1 file, -1/+1]
      MFC after: 1 week
      Notes: svn path=/head/; revision=201444
* | | Disable SSL renegotiation in order to protect against a serious
      protocol flaw. [09:15]
      [Colin Percival, 2009-12-03, 3 files, -5/+12]
      Correctly handle failures from unsetenv resulting from a corrupt
      environment in rtld-elf. [09:16]
      Fix permissions in freebsd-update in order to prevent leakage of
      sensitive files. [09:17]
      Approved by: so (cperciva)
      Security: FreeBSD-SA-09:15.ssl
      Security: FreeBSD-SA-09:16.rtld
      Security: FreeBSD-SA-09:17.freebsd-udpate
      Notes: svn path=/head/; revision=200054
* | | Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap
      environments.
      [Attilio Rao, 2009-11-25, 1 file, -0/+5]
      Please note that this can't be done while such processes run in jails.
      Note: in future it would be interesting to find a way to do that
      selectively for any desired process (chosen by user himself), probably
      via a ptrace interface or whatever.
      Obtained from: Sandvine Incorporated
      Reviewed by: emaste, arch@
      Sponsored by: Sandvine Incorporated
      MFC: 1 month
      Notes: svn path=/head/; revision=199804
* | | Fix globbing
      [Dag-Erling Smørgrav, 2009-11-10, 1 file, -0/+2]
      Noticed by: delphij, David Cornejo <dave@dogwood.com>
      Forgotten by: des
      Notes: svn path=/head/; revision=199131
* | | Remove dupe.
      [Dag-Erling Smørgrav, 2009-10-11, 1 file, -1/+0]
      Notes: svn path=/head/; revision=197957
* | | Add more symbols that need to be masked:
      [Dag-Erling Smørgrav, 2009-10-05, 1 file, -1/+19]
      - initialized and uninitialized data
      - symbols from roaming_dummy.c which end up in pam_ssh
      Update the command line used to generate the #defines.
      Notes: svn path=/head/; revision=197785
* | | Upgrade to OpenSSH 5.3p1.
      [Dag-Erling Smørgrav, 2009-10-01, 73 files, -1077/+1931]
      Notes: svn path=/head/; revision=197679
* | | Merge DTLS fixes from vendor-crypto/openssl/dist:
      [Simon L. B. Nielsen, 2009-08-23, 4 files, -17/+47]
      - Fix memory consumption bug with "future epoch" DTLS records.
      - Fix fragment handling memory leak.
      - Do not access freed data structure.
      - Fix DTLS fragment bug - out-of-sequence message handling which could
        result in NULL pointer dereference in
        dtls1_process_out_of_seq_message().
      Note that this will not get FreeBSD Security Advisory as DTLS is
      experimental in OpenSSL.
      MFC after: 1 week
      Security: CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1387
      Notes: svn path=/head/; revision=196474
| * | Import DTLS fix from upstream OpenSSL 0.9.8 branch:
      [Simon L. B. Nielsen, 2009-08-23, 2 files, -0/+15]
      Fix memory consumption bug with "future epoch" DTLS records.
      Note that this will not get FreeBSD Security Advisory as DTLS is
      experimental in OpenSSL.
      Security: CVE-2009-1377
      Obtained from: OpenSSL CVS http://cvs.openssl.org/chngview?cn=18187
      Notes: svn path=/vendor-crypto/openssl/dist/; revision=196461
* | | Update and remove CVS-specific items
      [Dag-Erling Smørgrav, 2009-08-13, 1 file, -3/+1]
      Approved by: re (kib)
      Notes: svn path=/head/; revision=196164
* | | Remove symlinks in OpenSSL's testing framework. These are not required
      for normal build, and doesn't export well to CVS. If they are needed
      later a script will be added to recreate the symlinks when needed at
      build time.
      [Simon L. B. Nielsen, 2009-08-12, 43 files, -43/+0]
      Approved by: re (rwatson)
      Notes: svn path=/head/; revision=196133
* | | Use the closefrom(2) system call.
      [John Baldwin, 2009-06-16, 2 files, -2/+1]
      Reviewed by: des
      Notes: svn path=/head/; revision=194297
* | | Merge OpenSSL 0.9.8k into head.
      [Simon L. B. Nielsen, 2009-06-14, 795 files, -14045/+76865]
      Approved by: re
      Notes: svn path=/head/; revision=194206
| * | Import OpenSSL 0.9.8k.
      [ref vendor/openssl/0.9.8k; Simon L. B. Nielsen, 2009-06-07, 361 files, -3926/+24367]
      Notes:
        svn path=/vendor-crypto/openssl/dist/; revision=193645
        svn path=/vendor-crypto/openssl/0.9.8k/; revision=193646; tag=vendor/openssl/0.9.8k
| * | Vendor import of OpenSSL 0.9.8i.
      [ref vendor/openssl/0.9.8i; Simon L. B. Nielsen, 2008-09-21, 212 files, -6663/+19478]
      Notes:
        svn path=/vendor-crypto/openssl/dist/; revision=183234
        svn path=/vendor-crypto/openssl/0.9.8i/; revision=193572; tag=vendor/openssl/0.9.8i