summaryrefslogtreecommitdiffstats
path: root/secure
Commit message (Collapse)AuthorAgeFilesLines
* MFS (r296781):des2016-03-1412-42/+7
| | | | | | | | | | MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug) MFH (r296634): re-add aes-cbc to server-side default cipher list MFH (r296651, r296657): fix gcc build of pam_ssh PR: 207679 Security: CVE-2016-3115 Approved by: re (marius)
* Re-enable SSLv2 support to restore ABI.jkim2016-03-046-36/+0
| | | | | | | | | | | | | | | | | | | | Excerpt from CHANGES: Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of: SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl, SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client and server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available. Approved by: re (marius, gjb), so (delphij)
* Merge OpenSSL 1.0.1s. This is a security update.delphij2016-03-02347-603/+1181
| | | | | Relnotes: yes Approved by: re (so@ implicit)
* MFH (r265214, r294333, r294407, r294467): misc prop fixesdes2016-02-072-14/+17
| | | | | | | | | | | | | | | | MFH (r285975, r287143): register mergeinfo for security fixes MFH (r294497, r294498, r295139): internal documentation MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap MFH (r294332): upgrade to openssh 6.8p1 MFH (r294367): update pam_ssh for api changes MFH (r294909): switch usedns back on MFH (r294336): upgrade to openssh 6.9p1 MFH (r294495): re-enable dsa keys MFH (r294464): upgrade to openssh 7.0p1 MFH (r294496): upgrade to openssh 7.1p2 Approved by: re (gjb) Relnotes: yes
* Merge OpenSSL 1.0.1r.jkim2016-01-28340-704/+897
| | | | Relnotes: yes
* MFH (r291198, r291260, r291261, r291375, r294325, r294335, r294563)des2016-01-243-12/+0
| | | | Remove the HPN and None cipher patches.
* MFC r291941:bdrewery2016-01-0712-34/+17
| | | | Replace unneeded manual dependency on header by adding it to SRCS.
* MFC r289393:bdrewery2015-12-044-1/+9
| | | | Add more SUBDIR_PARALLEL.
* MFC r289360,r289361,r289378,r289430,r289605,r289676:bdrewery2015-12-041-2/+2
| | | | | | | | | | | | | | | | | | | r289360: Add temporary workaround for .MAKE being applied to _worldtmp, since r251750. r289361: Consider top-level targets to be .PHONY as bmake won't build them otherwise if a file with the same name is found in the directory. r289378: Mark sub-make targets as .MAKE and .PHONY to handle -n and always-build properly. r289430: Remove .MAKE from targets that do more than just run sub-makes, such as calling rm or mtree. r289605: Add missing .PHONY for parallel subdir target. r289676: Add some missing '+', .MAKE, and .PHONY modifiers.
* Merge OpenSSL 1.0.1q.jkim2015-12-03340-739/+749
|
* MFC r290178:ngie2015-11-091-1/+2
| | | | | | | | | Fix GOST engine cipher linkage by adding e_gost_err.c to SRCS so it picks up undefined symbols, like "ERR_load_GOST_strings" PR: 184805 Submitted by: Ivan IvanZhdanov <ivan.zhdanov@gmail.com> Sponsored by: EMC / Isilon Storage Division
* MFC: r290121jkim2015-11-021-2/+10
| | | | Define endianness for non-x86 platforms.
* MFC r287981:bdrewery2015-10-031-8/+0
| | | | Replace afterinstall: hack from r111083 with 'make delete-old' functionality.
* MFC: r285329jkim2015-07-09338-344/+357
| | | | | | | Merge OpenSSL 1.0.1p. Approved by: re (gjb) Relnotes: yes
* MFC: r284329jkim2015-06-12338-339/+339
| | | | | | | | | Merge OpenSSL 1.0.1o. Note it is instantly merged because it restores ABI compatibility broken by the previous OpenSSL 1.0.1n. Relnotes: yes
* MFC: r284283jkim2015-06-11338-759/+807
| | | | Merge OpenSSL 1.0.1n.
* MFC: r280297jkim2015-03-20345-715/+1438
| | | | | | Merge OpenSSL 1.0.1m. Relnotes: yes
* Fix multiple OpenSSL vulnerabilities.delphij2015-03-191-1/+9
| | | | | | | | | | Security: FreeBSD-SA-15:06.openssl Security: CVE-2015-0209 Security: CVE-2015-0286 Security: CVE-2015-0287 Security: CVE-2015-0288 Security: CVE-2015-0289 Security: CVE-2015-0293
* MFC: r277274jkim2015-01-231-3/+3
| | | | Update buildinf.h to make SSLeay_version(3) little bit more useful.
* MFC: r277270jkim2015-01-23335-336/+336
| | | | | | Merge OpenSSL 1.0.1l. Relnotes: yes
* MFC: r276861, r276863jkim2015-01-09335-4325/+7347
| | | | Merge OpenSSL 1.0.1k.
* MFC r264400,r265836:ngie2014-12-311-1/+1
| | | | | | | | | | | | | | r264400: NO_MAN= has been deprecated in favor of MAN= for some time, go ahead and finish the job. ncurses is now the only Makefile in the tree that uses it since it wasn't a simple mechanical change, and will be addressed in a future commit. r265836: Remove last two NO_MAN= in the tree. In both of these cases, MAN= is what is needed.
* MFC: r273144, r273146jkim2014-10-15337-437/+672
| | | | | | Merge OpenSSL 1.0.1j. Relnotes: yes
* MFC: r269682jkim2014-08-07335-444/+1107
| | | | Merge OpenSSL 1.0.1i.
* MFC: r267256jkim2014-06-09333-352/+400
| | | | | | Merge OpenSSL 1.0.1h. Approved by: so (delphij)
* MFC r265995:delphij2014-05-281-1/+1
| | | | | | Switch using the new $2b$ format by default, when bcrypt is used. Relnotes: default Blowfish crypt(3) format have been changed to $2b$.
* MFC r265003:kib2014-05-041-0/+10
| | | | Fix order of libthr and libc in the global dso list for sshd.
* MFC r264741: Add placeholder Kyuafiles for various top-level hierarchies.jmmv2014-04-2810-1/+71
| | | | This is "make tinderbox" clean.
* MFH (r263712): upgrade openssh to 6.6p1des2014-04-122-5/+5
| | | | MFH (r264308): restore p level in debugging output
* MFC: r261037, r264278jkim2014-04-10336-917/+838
| | | | Merge OpenSSL 1.0.1f and 1.0.1g.
* MFC r262501:delphij2014-03-271-33/+52
| | | | | | | | | | | | | | | | | | Refresh our implementation of OpenBSD's Blowfish password format. Notable changes: - Support of $2b$ password format to address a problem where very long passwords (more than 256 characters, when an integer overflow would happen and cause the length to wrap at 256). - Updated pseudo code in comments to reflect the reality. - Removed our local shortcut of processing magic string and rely on the centralized and tigntened validation. - Diff reduction from upstream. For now we are still generating the older $2a$ format of password but we will migrate to the new format once the format is formally finalized.
* MFH (r261320): upgrade openssh to 6.5p1des2014-02-272-6/+10
| | | | MFH (r261340): enable sandboxing by default
* Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of ades2013-09-233-4/+12
| | | | | | | | | repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius)
* Replace claims that DES is a strong cryptosystem with a warning statingdes2013-09-211-28/+7
| | | | | | that it should no longer be considered secure. Approved by: re (gjb)
* Clean up the OpenSSH build. It is now possible to build most componentsdes2013-09-1012-46/+190
| | | | | | | | | | as static binaries, if desired. The one exception is sshd, which runs into trouble due to libpam.a's includion of pam_ssh. Make OpenSSH use LDNS if available. This allows it to verify signed SSHFP records. Approved by: re (blanket)
* Make libldns and libssh private.des2013-09-0812-0/+12
| | | | Approved by: re (blanket)
* Remove references to MK_IDEA.ed2013-04-273-21/+1
| | | | | | As of r249959, we want to build with IDEA support enabled unconditionally. As this change removed the MK_IDEA flag, update these Makefiles accordingly.
* Upgrade to OpenSSH 6.2p1. The most important new features are supportdes2013-03-221-4/+4
| | | | for a key revocation list and more fine-grained authentication control.
* Retire the mislabeled ENABLE_SUID_SSH knob.des2013-03-221-3/+1
|
* Merge OpenSSL 1.0.1e.jkim2013-02-13336-731/+736
| | | | Approved by: secteam (simon), benl (silence)
* Add a src.conf(5) option to allow users to compile in the "NONE cipher",bz2013-01-173-0/+12
| | | | | | | | | which, only after authentication, disables crypto, and only for sessions without a terminal. Submitted by: Jeremy Chadwick (freebsd jdc.parodius.com) PR: bin/163095 MFC after: 10 days
* Fix typo; s/ouput/outputkevlo2012-11-071-1/+1
|
* Upgrade OpenSSH to 6.1p1.des2012-09-031-2/+0
|
* Sort ASM definitions by crypto module for slightly easier maintenance.jkim2012-07-121-2/+4
| | | | Specifically, GHASH_ASM belongs to crypto/modes.
* Merge OpenSSL 1.0.1c.jkim2012-07-12394-13827/+67060
| | | | Approved by: benl (maintainer)
* Regen ca(1) for r237658. This re-applies r227458, i.e., add a missing "be".jkim2012-06-271-1/+1
|
* Merge OpenSSL 0.9.8x.jkim2012-06-27278-561/+567
| | | | | | Reviewed by: stas Approved by: benl (maintainer) MFC after: 3 days
* Update the previous openssl fix. [12:01]bz2012-05-301-1/+1
| | | | | | | | Fix a bug in crypt(3) ignoring characters of a passphrase. [12:02] Security: FreeBSD-SA-12:01.openssl (revised) Security: FreeBSD-SA-12:02.crypt Approved by: so (bz, simon)
* Restore the ability to use a non-standard LOCALBASE to sshdeadler2012-03-242-0/+8
| | | | | | | | | Add the ability to use a non-standard LOCALBASE to ssh Submitted by: jhb Reviewed by: des Approved by: cperciva MFC after: 0 days (with r233136)
* X11BASE is not used any more and has been killed by the x11 team.eadler2012-03-192-26/+0
| | | | | | Reviewed by: ??? Approved by: ??? MFC after: 3 days
OpenPOWER on IntegriCloud