1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-04 09:09:56 +00:00
Commit Graph

1302 Commits

Author SHA1 Message Date
Warner Losh
a8fe2d331b posix_async: FreeBSD also defines {make|swap|get|set}context
FreeBSD also defines {make|swap|get|set}context for backward
compatibility, despite also exposing POSIX_VERSION 200809L in FreeBSD
15-current.

FreeBSD has defined these interfaces since FreeBSD 4.7, released over 20
years ago, so no further nuance in FreeBSD version number is necessary.

Pull Request:		https://github.com/openssl/openssl/pull/23885
Sponsored by:		Netflix
2024-05-31 10:53:39 -06:00
Cy Schubert
a0d7d68a2d heimdal: Fix compiling hdb ldap as a module
Fix build when WITH_OPENLDAP defined.

PR:		278430
Obtained from:	Upstream c1c7da7f79
2024-04-23 22:54:20 -07:00
Enji Cooper
572948d00d Revert "OpenSSL: use the upstream provided version.map files for the fips/legacy providers"
This change is still under review and should not have been merged
directly to main (yet).

This is a case and point for using `push.default` to nothing instead of
matching or simple.

This reverts commit 42ce242e35.
2024-04-21 09:58:31 -07:00
Enji Cooper
42ce242e35 OpenSSL: use the upstream provided version.map files for the fips/legacy providers
This change introduces a static copy of the fips and legacy linker version maps
generated by the OpenSSL 3.0.13 build process.

This unbreaks the fips and legacy providers by not exposing unnecessary
symbols from the fips/legacy provider shared objects shared with other
providers (base, default) and libcrypto.

More discussion:

Prior to this change, loading the fips provider indirectly from a
FreeBSD 14.0-CURRENT and 15.0-CURRENT host would result in a
process-wide deadlock when invoking select OpenSSL APIs
(CONF_modules_load* in this particular example).

Speaking with the upstream maintainers [1], it became obvious that
the FreeBSD base system was incorrectly building/linking the fips
provider, resulting in a symbol collision at runtime, and thus a
process-wide deadlock in specific circumstances. The fips provider
would deadlock when trying to acquire a write lock on internal
structures which should have only been available to the base and
default providers, as certain preprocessor ifdefs only allow specific
internal calls to be made with the base and default providers.

1. https://github.com/openssl/openssl/issues/24202

Differential Revision:	https://reviews.freebsd.org/D44892
2024-04-21 09:35:19 -07:00
Dimitry Andric
219b6e4423 heimdal: asn1: Use unsigned bitfields for named bitsets
Import upstream 6747e1628:

  asn1: Use unsigned bitfields for named bitsets

  Signed 1-bit bitfields are undefined in C.

This should fix the following warnings, which for unknown reasons are
errors in CI:

  /usr/src/crypto/heimdal/lib/hx509/ca.c:1020:22: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
   1020 |         ku.digitalSignature = 1;
        |                             ^ ~
  /usr/src/crypto/heimdal/lib/hx509/ca.c:1021:21: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
   1021 |         ku.keyEncipherment = 1;
        |                            ^ ~
  /usr/src/crypto/heimdal/lib/hx509/ca.c:1028:17: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
   1028 |         ku.keyCertSign = 1;
        |                        ^ ~
  /usr/src/crypto/heimdal/lib/hx509/ca.c:1029:13: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
   1029 |         ku.cRLSign = 1;
        |                    ^ ~

PR:		276960
Fixes:		1b74875929
MFC after:	1 week
2024-04-17 19:49:30 +02:00
Dimitry Andric
1b74875929 heimdal: Add 64-bit integer support to ASN.1 compiler
Import upstream 19d378f44:

  ASN.1 INTEGERs will now compile to C int64_t or uint64_t, depending
  on whether the constraint ranges include numbers that cannot be
  represented in 32-bit ints and whether they include negative
  numbers.

  Template backend support included.  check-template is now built with
  --template, so we know we're testing it.

  Tests included.

Also adjusts the generated files:
* asn1parse.c, asn1parse.h (not strictly necessary, but nice to have)
* der-protos.h, which needs a bunch of new prototypes. I copied these
  from a der-protos.h generated by the upstream build system, which
  uses a perl script for this.
* adjust printf format strings for int64_t. Upstream uses %lld for this,
  but that is not portable, and leads to lots of -Werror warnings.

This should fix target-dependent differences between headers generated
by asn1_compile. For example, when cross compiling world from amd64 to
i386, the generated cms_asn1.h header has:

  CMSRC2CBCParameter ::= SEQUENCE {
    rc2ParameterVersion   INTEGER (0..-1),
    iv                    OCTET STRING,
  }

while a native build on i386 has:

  CMSRC2CBCParameter ::= SEQUENCE {
    rc2ParameterVersion   INTEGER (0..2147483647),
    iv                    OCTET STRING,
  }

These are _both_ wrong, since the source file, cms.asn1, has:

  CMSRC2CBCParameter ::= SEQUENCE {
          rc2ParameterVersion   INTEGER (0..4294967295),
          iv                    OCTET STRING -- exactly 8 octets
  }

PR:		276960
Reviewed by:	cy, emaste
MFC after:	1 week
Differential Revision: https://reviews.freebsd.org/D44814
Differential Revision: https://reviews.freebsd.org/D44815
2024-04-17 18:12:43 +02:00
Ed Maste
e600fc7295 ssh: remove deprecated client VersionAddendum
Support for a client VersionAddendum was removed in bffe60ead0, but
the option was retained (as oDeprecated) as a transition aid.
Sufficient time has passed that it can be removed.

Sponsored by:	The FreeBSD Foundation
2024-03-18 10:20:18 -04:00
Ed Maste
a91a246563 ssh: Update to OpenSSH 9.7p1
This release contains mostly bugfixes.

It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year and remove
support entirely in 2025.

Full release notes at https://www.openssh.com/txt/release-9.7

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2024-03-18 10:00:57 -04:00
Brooks Davis
cec2adb0d3 heimdal: don't try to expose nonexistant symbols
For one reason or another these symbols aren't present so don't try to
make them available for linkage.

In the case of libroken these seem to be compatability bits we don't
need a thus don't compile.  For others it seems to rot upstream, but
I've not investigated deeply.

Reviewed by:	cy
Differential Revision:	https://reviews.freebsd.org/D44246
2024-03-07 00:55:11 +00:00
Brooks Davis
de4386d174 heimdal: don't export nonexistant _wind_ucs2read
This symbol table entry came in with the 1.5 import (commit
7c450da7b4), but the only other mention is a commented out entry in
lib/wind/libwind-exports.def.

Reviewed by:	cy
Differential Revision:	https://reviews.freebsd.org/D44245
2024-03-07 00:54:55 +00:00
Cy Schubert
5130b35ef5 Revert "heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()"
This was already applied by ed549cb0c5.

Repored by:	Gunther Nikl <gnikl@justmail.de>

This reverts commit 9286d46a79.
2024-02-16 09:31:13 -08:00
Cy Schubert
fc773115fa heimdal: Fix NULL deref
A flawed logical condition allows a malicious actor to remotely
trigger a NULL pointer dereference using a crafted negTokenInit
token.

Upstream notes:

    Reported to Heimdal by Michał Kępień <michal@isc.org>.

    From the report:

    Acknowledgement
    ---------------

    This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
    TKEY Query Heap-based Buffer Overflow Remote Code Execution
    Vulnerability, which was reported to ISC by Trend Micro's Zero Day

Security:	CVE-2022-3116
Obtained from:	upstream 7a19658c1
MFC after:	1 week
2024-02-15 13:27:55 -08:00
Cy Schubert
60616b445e heimdal: always confirm PA-PKINIT-KX for anon PKINIT
Import upstream 38c797e1a.

Upstream notes:

    RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
    excahnge when anonymous PKINIT is used.  Failure to do so can
    permit an active attacker to become a man-in-the-middle.

Reported by:	emaste
Obtained from:	upstream 38c797e1a
Security:	CVE-2019-12098
MFC after:	1 week
2024-02-15 13:27:55 -08:00
Cy Schubert
9286d46a79 heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()
Apply upstream 22749e918 to fix a buffer overflow.

Upstream notes:

    If len_len is equal to total_len - 1 (i.e. the input consists only of a
    0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
    used as the 'len' parameter to der_get_length(), will overflow to
    SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
    whatever data follows in memory. Add a check to ensure that doesn't
    happen

This is similar to samba CVE-2022-3437.

Reported by:	emaste
Security:	CVE-2022-41916
Obtained from:	upstream 22749e918
MFC after:	1 week
2024-02-15 13:27:55 -08:00
Cy Schubert
2433937749 Heimdal: CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum
Upstream's explanation of the problem:

    S4U2Self is an extension to Kerberos used in Active Directory to allow
    a service to request a kerberos ticket to itself from the Kerberos Key
    Distribution Center (KDC) for a non-Kerberos authenticated user
    (principal in Kerboros parlance). This is useful to allow internal
    code paths to be standardized around Kerberos.

    S4U2Proxy (constrained-delegation) is an extension of this mechanism
    allowing this impersonation to a second service over the network. It
    allows a privileged server that obtained a S4U2Self ticket to itself
    to then assert the identity of that principal to a second service and
    present itself as that principal to get services from the second
    service.

    There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
    KDC checks the checksum that is placed on the S4U2Self packet by the
    server to protect the requested principal against modification, it
    does not confirm that the checksum algorithm that protects the user
    name (principal) in the request is keyed.  This allows a
    man-in-the-middle attacker who can intercept the request to the KDC to
    modify the packet by replacing the user name (principal) in the
    request with any desired user name (principal) that exists in the KDC
    and replace the checksum protecting that name with a CRC32 checksum
    (which requires no prior knowledge to compute).

    This would allow a S4U2Self ticket requested on behalf of user name
    (principal) user@EXAMPLE.COM to any service to be changed to a
    S4U2Self ticket with a user name (principal) of
    Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
    the modified user name (principal).

Reported by:	emaste
Security:	CVE-2018-16860
Obtained from:	Upstream c6257cc2c
MFC after:	1 week
2024-02-15 13:27:54 -08:00
Cy Schubert
f8041e3628 Heimdal: Fix transit path validation CVE-2017-6594
Apply upstream b1e699103. This fixes a bug introduced by upstream
f469fc6 which may in some cases enable bypass of capath policy.

Upstream writes in their commit log:

    Note, this may break sites that rely on the bug.  With the bug some
    incomplete [capaths] worked, that should not have.  These may now break
    authentication in some cross-realm configurations.

Reported by:	emaste
Security:	CVE-2017-6594
Obtained from:	upstream b1e699103
MFC after:	1 week
2024-02-15 13:27:54 -08:00
Cy Schubert
da63ac1b07 OpenSSL: Update date string
Reported by:	"Herbert J. Skuhra" <herbert@gojira.at>
Fixes:		74fe298c82
MFC after:	3 days
2024-02-05 12:09:08 -08:00
Cy Schubert
74fe298c82 OpenSSL: Update version strings
Reported by:	"Herbert J. Skuhra" <herbert@gojira.at>
Fixes:		9eb4e0b42d
MFC after:	3 days
2024-02-02 16:34:36 -08:00
Cy Schubert
e0c4386e7e OpenSSL: Vendor import of OpenSSL 3.0.13
* Fixed PKCS12 Decoding crashes ([CVE-2024-0727])
 * Fixed Excessive time spent checking invalid RSA public keys
   ([CVE-2023-6237])
 * Fixed POLY1305 MAC implementation corrupting vector registers on
   PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129])
 * Fix excessive time spent in DH check / generation with large Q
   parameter value ([CVE-2023-5678])

Release notes can be found at
            https://www.openssl.org/news/openssl-3.0-notes.html.

Approved by:	emaste
MFC after:	3 days

Merge commit '9dd13e84fa8eca8f3462bd55485aa3da8c37f54a'
2024-02-02 13:21:36 -08:00
Cy Schubert
9dd13e84fa OpenSSL: Vendor import of OpenSSL 3.0.13
* Fixed PKCS12 Decoding crashes ([CVE-2024-0727])
* Fixed Excessive time spent checking invalid RSA public keys
  ([CVE-2023-6237])
* Fixed POLY1305 MAC implementation corrupting vector registers on
  PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129])
* Fix excessive time spent in DH check / generation with large Q
  parameter value ([CVE-2023-5678])

Release notes can be found at
	https://www.openssl.org/news/openssl-3.0-notes.html.
2024-02-02 01:48:38 -08:00
Cy Schubert
476d63e091 kerberos: Fix numerous segfaults when using weak crypto
Weak crypto is provided by the openssl legacy provider which is
not load by default. Load the legacy providers as needed.

When the legacy provider is loaded into the default context the default
provider will no longer be automatically loaded. Without the default
provider the various kerberos applicaions and functions will abort().

This is the second attempt at this patch. Instead of linking
secure/lib/libcrypto at build time we now link it at runtime, avoiding
buildworld failures under Linux and MacOS. This is because
TARGET_ENDIANNESS is undefined at pre-build time.

PR:		272835
MFC after:	3 days
X-MFC:		only to stable/14
Tested by:	netchild
		Joerg Pulz <Joerg.Pulz@frm2.tum.de> (previous version)
2024-01-17 23:46:57 -08:00
Cy Schubert
3091cdb11f Revert "kerberos: Fix numerous segfaults when using weak crypto"
This revision breaks Linux and MacOS cross builds because
TARGET_ENDIANNESS is not define during bootstrapping on these
platforms.

I think the correct approach would be to separate the new
fbsd_ossl_provider_load() and unload functions into their own
library (instead of libroken). This avoids the less desirable
option of including bsd.cpu.mk in secure/lib/Makefile.common,
which does build but could complicate future work.

Reported by:	jrtc27

This reverts commit cb350ba7bf.
2024-01-11 23:42:33 -08:00
Cy Schubert
cb350ba7bf kerberos: Fix numerous segfaults when using weak crypto
Weak crypto is provided by the openssl legacy provider which is
not load by default. Load the legacy providers as needed.

When the legacy provider is loaded into the default context the default
provider will no longer be automatically loaded. Without the default
provider the various kerberos applicaions and functions will abort().

PR:			272835
MFC after:		3 days
Differential Revision:	https://reviews.freebsd.org/D43009
Tested by:		netchild, Joerg Pulz <Joerg.Pulz@frm2.tum.de>
2024-01-11 05:26:42 -08:00
Ed Maste
069ac18495 ssh: Update to OpenSSH 9.6p1
From the release notes,

> This release contains a number of security fixes, some small features
> and bugfixes.

The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol.  The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.

Full release notes at https://www.openssh.com/txt/release-9.6

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2024-01-04 22:16:30 -05:00
Jens Schweikhardt
53d908d6eb Correct three typos in manuals. 2024-01-04 21:35:25 +01:00
Cy Schubert
fc55c20355 heimdal: Fix man page and documentation typos
Reported by:	Jens Schweikhardt <schweikh@schweikhardt.net>
MFC:		1 week
2024-01-04 10:35:59 -08:00
Gordon Tetlow
92f58c69a1
Implement "strict key exchange" in ssh and sshd.
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.

Full details of the extension are in the PROTOCOL file.

OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14

Approved by:	so (implicit)
Obtained from:	https://anongit.mindrot.org/openssh.git/patch/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
Security:	CVE-2023-48795
2023-12-18 08:22:22 -08:00
Ed Maste
ad991e4c14 OpenSSL: update to 3.0.12
OpenSSL 3.0.12 addresses:

 * Fix incorrect key and IV resizing issues when calling
   EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2()
   with OSSL_PARAM parameters that alter the key or IV length
   ([CVE-2023-5363]).

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2023-10-24 14:55:56 -04:00
Ed Maste
825caf7e12 OpenSSL: Vendor import of OpenSSL 3.0.12
* Fix incorrect key and IV resizing issues when calling
   EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2()
   with OSSL_PARAM parameters that alter the key or IV length
   ([CVE-2023-5363]).

Sponsored by:	The FreeBSD Foundation
2023-10-24 13:48:36 -04:00
Daiki Ueno
6ed16d1733 KTLS: Enable KTLS for receiving as well in TLS 1.3
This removes a guard condition that prevents KTLS being enabled for
receiving in TLS 1.3.  Use the correct sequence number and BIO for
receive vs transmit offload.

Obtained from:	OpenSSL commit 7c78932b9a4330fb7c8db72b3fb37cbff1401f8b
2023-10-19 11:34:58 -07:00
Daiki Ueno
c085ca5245 KTLS: Handle TLS 1.3 in ssl3_get_record.
- Don't unpad records, check the outer record type, or extract the
  inner record type from TLS 1.3 records handled by the kernel.  KTLS
  performs all of these steps and returns the inner record type in the
  TLS header.

- When checking the length of a received TLS 1.3 record don't allow
  for the extra byte for the nested record type when KTLS is used.

- Pass a pointer to the record type in the TLS header to the
  SSL3_RT_INNER_CONTENT_TYPE message callback.  For KTLS, the old
  pointer pointed to the last byte of payload rather than the record
  type.  For the non-KTLS case, the TLS header has been updated with
  the inner type before this callback is invoked.

Obtained from:	OpenSSL commit a5fb9605329fb939abb536c1604d44a511741624)
2023-10-19 11:34:58 -07:00
John Baldwin
0fc28f22d5 KTLS: Add using_ktls helper variable in ssl3_get_record().
When KTLS receive is enabled, pending data may still be present due to
read ahead.  This data must still be processed the same as records
received without KTLS.  To ease readability (especially in
consideration of additional checks which will be added for TLS 1.3),
add a helper variable 'using_ktls' that is true when the KTLS receive
path is being used to receive a record.

Obtained from:	OpenSSL commit 031132c297e54cbc20404a0bf8de6ed863196399
2023-10-19 11:34:58 -07:00
John Baldwin
eee55a22b2 KTLS: Check for unprocessed receive records in ktls_configure_crypto.
KTLS implementations currently assume that the start of the in-kernel
socket buffer is aligned with the start of a TLS record for the
receive side.  The socket option to enable KTLS specifies the TLS
sequence number of this initial record.

When read ahead is enabled, data can be pending in the SSL read buffer
after negotiating session keys.  This pending data must be examined to
ensurs that the kernel's socket buffer does not contain a partial TLS
record as well as to determine the correct sequence number of the
first TLS record to be processed by the kernel.

In preparation for enabling receive kernel offload for TLS 1.3, move
the existing logic to handle read ahead from t1_enc.c into ktls.c and
invoke it from ktls_configure_crypto().

Obtained from:	OpenSSL commit 85773128d0e80cd8dcc772a6931d385b8cf4acd1
2023-10-19 11:34:58 -07:00
John Baldwin
3de4f78d46 Add support for Chacha20-Poly1305 to kernel TLS on FreeBSD.
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3.

Obtained from:	OpenSSL commit 77f3936928068bee9d7e0c6939709ac179cb1059
2023-10-19 11:34:58 -07:00
Pierre Pronchery
6f1af0d7d2 OpenSSL: update to 3.0.11
OpenSSL 3.0.11 addresses:

    POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)

Relnotes:	Yes
Pull request:	https://github.com/freebsd/freebsd-src/pull/852
Sponsored by:	The FreeBSD Foundation
2023-10-09 15:00:26 -04:00
Ed Maste
edf8578117 ssh: Update to OpenSSH 9.5p1
Excerpts from the release notes:

Potentially incompatible changes
--------------------------------

 * ssh-keygen(1): generate Ed25519 keys by default.
   [NOTE: This change was already merged into FreeBSD.]

 * sshd(8): the Subsystem directive now accurately preserves quoting of
   subsystem commands and arguments.

New features
------------

 * ssh(1): add keystroke timing obfuscation to the client.

 * ssh(1), sshd(8): Introduce a transport-level ping facility.

 * sshd(8): allow override of Sybsystem directives in sshd Match blocks.

Full release notes at https://www.openssh.com/txt/release-9.5

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2023-10-09 13:28:17 -04:00
Tom Cosgrove
4177781923 aarch64: fix branch target indications in arm64cpuid.pl and keccak1600
Add missing AARCH64_VALID_CALL_TARGET to armv8_rng_probe(). Also add
these to the functions defined by gen_random(), and note that this Perl
sub prints the assembler out directly, not going via the $code xlate
mechanism (and therefore coming before the include of arm_arch.h). So
fix this too.

In KeccakF1600_int, AARCH64_SIGN_LINK_REGISTER functions as
AARCH64_VALID_CALL_TARGET on BTI-only builds, so it needs to come before
the 'adr' line.

Change-Id: If241efe71591c88253a3e36647ced00300c3c1a3

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17653)

Obtained from:	OpenSSL 3a23f01268ec
2023-10-02 17:12:49 +01:00
Russ Butler
1bd9ca8b75 aarch64: support BTI and pointer authentication in assembly
This change adds optional support for
- Armv8.3-A Pointer Authentication (PAuth) and
- Armv8.5-A Branch Target Identification (BTI)
features to the perl scripts.

Both features can be enabled with additional compiler flags.
Unless any of these are enabled explicitly there is no code change at
all.

The extensions are briefly described below. Please read the appropriate
chapters of the Arm Architecture Reference Manual for the complete
specification.

Scope
-----

This change only affects generated assembly code.

Armv8.3-A Pointer Authentication
--------------------------------

Pointer Authentication extension supports the authentication of the
contents of registers before they are used for indirect branching
or load.

PAuth provides a probabilistic method to detect corruption of register
values. PAuth signing instructions generate a Pointer Authentication
Code (PAC) based on the value of a register, a seed and a key.
The generated PAC is inserted into the original value in the register.
A PAuth authentication instruction recomputes the PAC, and if it matches
the PAC in the register, restores its original value. In case of a
mismatch, an architecturally unmapped address is generated instead.

With PAuth, mitigation against ROP (Return-oriented Programming) attacks
can be implemented. This is achieved by signing the contents of the
link-register (LR) before it is pushed to stack. Once LR is popped,
it is authenticated. This way a stack corruption which overwrites the
LR on the stack is detectable.

The PAuth extension adds several new instructions, some of which are not
recognized by older hardware. To support a single codebase for both pre
Armv8.3-A targets and newer ones, only NOP-space instructions are added
by this patch. These instructions are treated as NOPs on hardware
which does not support Armv8.3-A. Furthermore, this patch only considers
cases where LR is saved to the stack and then restored before branching
to its content. There are cases in the code where LR is pushed to stack
but it is not used later. We do not address these cases as they are not
affected by PAuth.

There are two keys available to sign an instruction address: A and B.
PACIASP and PACIBSP only differ in the used keys: A and B, respectively.
The keys are typically managed by the operating system.

To enable generating code for PAuth compile with
-mbranch-protection=<mode>:

- standard or pac-ret: add PACIASP and AUTIASP, also enables BTI
  (read below)
- pac-ret+b-key: add PACIBSP and AUTIBSP

Armv8.5-A Branch Target Identification
--------------------------------------

Branch Target Identification features some new instructions which
protect the execution of instructions on guarded pages which are not
intended branch targets.

If Armv8.5-A is supported by the hardware, execution of an instruction
changes the value of PSTATE.BTYPE field. If an indirect branch
lands on a guarded page the target instruction must be one of the
BTI <jc> flavors, or in case of a direct call or jump it can be any
other instruction. If the target instruction is not compatible with the
value of PSTATE.BTYPE a Branch Target Exception is generated.

In short, indirect jumps are compatible with BTI <j> and <jc> while
indirect calls are compatible with BTI <c> and <jc>. Please refer to the
specification for the details.

Armv8.3-A PACIASP and PACIBSP are implicit branch target
identification instructions which are equivalent with BTI c or BTI jc
depending on system register configuration.

BTI is used to mitigate JOP (Jump-oriented Programming) attacks by
limiting the set of instructions which can be jumped to.

BTI requires active linker support to mark the pages with BTI-enabled
code as guarded. For ELF64 files BTI compatibility is recorded in the
.note.gnu.property section. For a shared object or static binary it is
required that all linked units support BTI. This means that even a
single assembly file without the required note section turns-off BTI
for the whole binary or shared object.

The new BTI instructions are treated as NOPs on hardware which does
not support Armv8.5-A or on pages which are not guarded.

To insert this new and optional instruction compile with
-mbranch-protection=standard (also enables PAuth) or +bti.

When targeting a guarded page from a non-guarded page, weaker
compatibility restrictions apply to maintain compatibility between
legacy and new code. For detailed rules please refer to the Arm ARM.

Compiler support
----------------

Compiler support requires understanding '-mbranch-protection=<mode>'
and emitting the appropriate feature macros (__ARM_FEATURE_BTI_DEFAULT
and __ARM_FEATURE_PAC_DEFAULT). The current state is the following:

-------------------------------------------------------
| Compiler | -mbranch-protection | Feature macros     |
+----------+---------------------+--------------------+
| clang    | 9.0.0               | 11.0.0             |
+----------+---------------------+--------------------+
| gcc      | 9                   | expected in 10.1+  |
-------------------------------------------------------

Available Platforms
------------------

Arm Fast Model and QEMU support both extensions.

https://developer.arm.com/tools-and-software/simulation-models/fast-models
https://www.qemu.org/

Implementation Notes
--------------------

This change adds BTI landing pads even to assembly functions which are
likely to be directly called only. In these cases, landing pads might
be superfluous depending on what code the linker generates.
Code size and performance impact for these cases would be negligible.

Interaction with C code
-----------------------

Pointer Authentication is a per-frame protection while Branch Target
Identification can be turned on and off only for all code pages of a
whole shared object or static binary. Because of these properties if
C/C++ code is compiled without any of the above features but assembly
files support any of them unconditionally there is no incompatibility
between the two.

Useful Links
------------

To fully understand the details of both PAuth and BTI it is advised to
read the related chapters of the Arm Architecture Reference Manual
(Arm ARM):
https://developer.arm.com/documentation/ddi0487/latest/

Additional materials:

"Providing protection for complex software"
https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software

Arm Compiler Reference Guide Version 6.14: -mbranch-protection
https://developer.arm.com/documentation/101754/0614/armclang-Reference/armclang-Command-line-Options/-mbranch-protection?lang=en

Arm C Language Extensions (ACLE)
https://developer.arm.com/docs/101028/latest

Addional Notes
--------------

This patch is a copy of the work done by Tamas Petz in boringssl. It
contains the changes from the following commits:

aarch64: support BTI and pointer authentication in assembly
    Change-Id: I4335f92e2ccc8e209c7d68a0a79f1acdf3aeb791
    URL: https://boringssl-review.googlesource.com/c/boringssl/+/42084
aarch64: Improve conditional compilation
    Change-Id: I14902a64e5f403c2b6a117bc9f5fb1a4f4611ebf
    URL: https://boringssl-review.googlesource.com/c/boringssl/+/43524
aarch64: Fix name of gnu property note section
    Change-Id: I6c432d1c852129e9c273f6469a8b60e3983671ec
    URL: https://boringssl-review.googlesource.com/c/boringssl/+/44024

Change-Id: I2d95ebc5e4aeb5610d3b226f9754ee80cf74a9af

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16674)

Reviewed by:	emaste, Pierre Pronchery <pierre@freebsdfoundation.org>
Obtained from:	OpenSSL 19e277dd19f2
Differential Revision:	https://reviews.freebsd.org/D41940
2023-10-02 17:12:49 +01:00
Pierre Pronchery
6a770c0498 openssl: document the update process
This is directly inspired from the equivalent document for OpenSSH.

Sponsored by: The FreeBSD Foundation
2023-09-25 11:43:58 -04:00
Pierre Pronchery
315108b816 openssl: Vendor import of OpenSSL 3.0.11
Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11:

* Fix POLY1305 MAC implementation corrupting XMM registers on Windows
  ([CVE-2023-4807])

Release notes can otherwise be found at
https://www.openssl.org/news/openssl-3.0-notes.html.

Obtained from:	https://www.openssl.org/source/openssl-3.0.11.tar.gz
Sponsored by:	The FreeBSD Foundation

Test Plan:
```
$ git status
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.

nothing to commit, working tree clean
$ OSSLVER=3.0.11
$ XLIST=FREEBSD-Xlist
$ (cd ..; fetch https://www.openssl.org/source/openssl-${OSSLVER}.tar.gz https://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.11.tar.gz                                   14 MB   17 MBps    01s
openssl-3.0.11.tar.gz.asc                              833  B 8301 kBps    00s
$ gpg --list-keys
/home/khorben/.gnupg/pubring.kbx
--------------------------------
pub   rsa4096 2011-03-01 [SCA]
  DC34EE5DB2417BCC151E5100E5F8F8212F77A498
uid           [ unknown] Willem Toorop <willem@nlnetlabs.nl>
sub   rsa4096 2011-03-01 [E]

pub   rsa4096 2014-10-04 [SC] [expires: 2024-01-30]
  EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
uid           [ unknown] OpenSSL security team <openssl-security@openssl.org>
uid           [ unknown] OpenSSL OMC <openssl-omc@openssl.org>
uid           [ unknown] OpenSSL Security <openssl-security@openssl.org>
sub   rsa4096 2014-10-04 [E] [expires: 2024-01-30]

$ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue Sep 19 15:02:51 2023 CEST
gpg:                using RSA key EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
gpg: Good signature from "OpenSSL security team <openssl-security@openssl.org>" [unknown]
gpg:                 aka "OpenSSL OMC <openssl-omc@openssl.org>" [unknown]
gpg:                 aka "OpenSSL Security <openssl-security@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EFC0 A467 D613 CB83 C7ED  6D30 D894 E2CE 8B3D 79F5
$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -av ../openssl-${OSSLVER}/* .
[...]
$ diff -arq ../openssl-${OSSLVER}  .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
Only in .: appveyor.yml
$ git status FREEBSD*
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.

nothing to commit, working tree clean
```
2023-09-22 11:55:26 -04:00
Ed Maste
c9315099f6 ssh-keygen: Generate Ed25519 keys when invoked without arguments
Ed25519 keys are convenient because they're much smaller, and the next
OpenSSH release (9.5) will switch to them by default.  Apply the change
to FreeBSD main now, to help identify issues as early as possible.

Reviewed by:	kevans, karels, des
Relnotes:	Yes
Obtained from:	OpenBSD 9de458a24986
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41773
2023-09-07 13:34:21 -04:00
Tom Cosgrove
eba6abafc1 OpenSSL: Fix handling of the "0:" label in arm-xlate.pl
When $label == "0", $label is not truthy, so `if ($label)` thinks there isn't
a label. Correct this by looking at the result of the s/// command.

Verified that there are no changes in the .S files created during a normal
build, and that the "0:" labels appear in the translation given in the error
report (and they are the only difference in the before and after output).

Obtained from:	OpenSSL commit 9607f5ccf285ac9988a86f95c5ad9f92b556a843

Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D41587
2023-08-29 14:38:11 -07:00
Warner Losh
e8f2e3b6dd Two more $FreeBSD$ stragglers 2023-08-25 15:14:19 -06:00
Ed Maste
1b91d634a5 ssh: fix OpenSSH 9.4 regression with multiplexed sessions
Upstream commit message:
upstream: fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
multiplexed sessions to ignore SIGINT under some circumstances.
Reported by / feedback naddy@, ok dtucker@

OpenBSD-Commit-ID: 4d5c6c894664f50149153fd4764f21f43e7d7e5a

Fixes: 535af610a4 ("ssh: Update to OpenSSH 9.4p1")
Obtained from:	OpenSSH 803e22eabd3b
Sponsored by:	The FreeBSD Foundation
2023-08-20 15:20:49 -04:00
Ed Maste
14e78a3656 ssh: Remove note about memory leak now resolved upstream
OpenSSH 9.4p1 (updated in commit 535af610a4) includes the memory leak
fix that we originally applied in 69c72a57af ("sftp: avoid leaking
path arg in calls to make_absolute_pwd_glob.").

Sponsored by:	The FreeBSD Foundation
2023-08-15 11:56:08 -04:00
Ed Maste
33a23ef287 ssh: correct VersionAddendum date
Reported by:	Herbert J. Skuhra <herbert@gojira.at>
Fixes:		535af610a4 ("ssh: Update to OpenSSH 9.4p1")
Sponsored by:	The FreeBSD Foundation
2023-08-15 09:30:31 -04:00
Ed Maste
535af610a4 ssh: Update to OpenSSH 9.4p1
Excerpts from the release notes:

 * ssh-agent(1): PKCS#11 modules must now be specified by their full
   paths. Previously dlopen(3) could search for them in system
   library directories.

 * ssh(1): allow forwarding Unix Domain sockets via ssh -W.

 * ssh(1): add support for configuration tags to ssh(1).
   This adds a ssh_config(5) "Tag" directive and corresponding
   "Match tag" predicate that may be used to select blocks of
   configuration similar to the pf.conf(5) keywords of the same
   name.

 * ssh(1): add a "match localnetwork" predicate. This allows matching
   on the addresses of available network interfaces and may be used to
   vary the effective client configuration based on network location.

 * ssh-agent(1): improve isolation between loaded PKCS#11 modules
   by running separate ssh-pkcs11-helpers for each loaded provider.

 * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
   modules being loaded by checking that the requested module
   contains the required symbol before loading it.

 * ssh(1): don't incorrectly disable hostname canonicalization when
   CanonicalizeHostname=yes and ProxyJump was expicitly set to
   "none". bz3567

Full release notes at https://www.openssh.com/txt/release-9.4

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2023-08-10 23:10:18 -04:00
Jung-uk Kim
6b405053c9 OpenSSL: clean up botched merges in OpenSSL 3.0.9 import
No functional change intended.
2023-08-10 22:36:15 -04:00
Jung-uk Kim
fb055b01eb OpenSSL: regen opensslv.h for OpenSSL 3.0.10 2023-08-10 20:17:23 -04:00
Pierre Pronchery
aa79573457 OpenSSL: update to 3.0.10
OpenSSL 3.0.10 addresses:
- CVE-2023-3817
- CVE-2023-3446
- CVE-2023-2975

(Note that the vendor branch commit incorrectly referenced 3.0.9.)

Relnotes:	Yes
Pull request:	https://github.com/freebsd/freebsd-src/pull/808
Sponsored by:	The FreeBSD Foundation
2023-08-10 12:07:32 -04:00