HardenedBSD/src c643ce1 — kerberos5/lib/libroken fbsd_ossl_provider_load.c Makefile, sbin/route route.c
Merge branch 'freebsd/14-stable/main' into hardened/14-stable/master
HardenedBSD/src 17e941a — kerberos5/lib/libroken fbsd_ossl_provider_load.c
kerberos5: Mitigate the possibility of using an old libcrypto By using the full library name (libcrypto.so.30) we avoid the exposure of using an old, possibly vulnerable, library. Reported by: jrtc27 Fixes: 476d63e091c2 (cherry picked from commit 0990136ed1753ac7837206f9c5f4b83ccff6c405)
| Delta | File | |
|---|---|---|
| +2 | -1 | kerberos5/lib/libroken/fbsd_ossl_provider_load.c |
| +2 | -1 | 1 files |
HardenedBSD/src c7db2e1 — crypto/heimdal/lib/krb5 salt.c context.c, kerberos5/include fbsd_ossl_provider.h crypto-headers.h
kerberos: Fix numerous segfaults when using weak crypto
Weak crypto is provided by the openssl legacy provider which is
not load by default. Load the legacy providers as needed.
When the legacy provider is loaded into the default context the default
provider will no longer be automatically loaded. Without the default
provider the various kerberos applicaions and functions will abort().
This is the second attempt at this patch. Instead of linking
secure/lib/libcrypto at build time we now link it at runtime, avoiding
buildworld failures under Linux and MacOS. This is because
TARGET_ENDIANNESS is undefined at pre-build time.
PR: 272835
Tested by: netchild
Joerg Pulz <Joerg.Pulz at frm2.tum.de> (previous version)
(cherry picked from commit 476d63e091c2e663b51d18acf6acb282e1f22bbc)
HardenedBSD/src fc8bb52 — contrib/kyua .cirrus.yml, contrib/kyua/utils/process executor_pid_test.cpp executor.cpp
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
| Delta | File | |
|---|---|---|
| +208 | -0 | contrib/kyua/utils/process/executor_pid_test.cpp |
| +42 | -16 | contrib/kyua/utils/process/executor.cpp |
| +25 | -0 | contrib/kyua/.cirrus.yml |
| +14 | -5 | sys/fs/msdosfs/msdosfs_vnops.c |
| +14 | -4 | sys/fs/msdosfs/msdosfs_vfsops.c |
| +15 | -1 | usr.bin/cksum/cksum.1 |
| +318 | -26 | 25 files not shown |
| +363 | -45 | 31 files |
HardenedBSD/src 22947db — contrib/kyua .cirrus.yml, contrib/kyua/utils/process executor_pid_test.cpp executor.cpp
Merge branch 'freebsd/current/main' into hardened/current/master
| Delta | File | |
|---|---|---|
| +208 | -0 | contrib/kyua/utils/process/executor_pid_test.cpp |
| +42 | -16 | contrib/kyua/utils/process/executor.cpp |
| +25 | -0 | contrib/kyua/.cirrus.yml |
| +14 | -5 | sys/fs/msdosfs/msdosfs_vnops.c |
| +14 | -4 | sys/fs/msdosfs/msdosfs_vfsops.c |
| +15 | -1 | usr.bin/cksum/cksum.1 |
| +318 | -26 | 25 files not shown |
| +363 | -45 | 31 files |
HardenedBSD/src 0990136 — kerberos5/lib/libroken fbsd_ossl_provider_load.c
kerberos5: Mitigate the possibility of using an old libcrypto By using the full library name (libcrypto.so.30) we avoid the exposure of using an old, possibly vulnerable, library. Reported by: jrtc27 MFC after: 3 days X-MFC with: 476d63e091c2 Fixes: 476d63e091c2
| Delta | File | |
|---|---|---|
| +2 | -1 | kerberos5/lib/libroken/fbsd_ossl_provider_load.c |
| +2 | -1 | 1 files |
HardenedBSD/src 629b26a — crypto/heimdal/lib/kadm5 create_s.c, crypto/heimdal/lib/krb5 salt.c
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
HardenedBSD/src cef3756 — crypto/heimdal/lib/kadm5 create_s.c, crypto/heimdal/lib/krb5 salt.c context.c
Merge branch 'freebsd/current/main' into hardened/current/master
HardenedBSD/src 476d63e — crypto/heimdal/lib/kadm5 create_s.c, crypto/heimdal/lib/krb5 salt.c context.c
kerberos: Fix numerous segfaults when using weak crypto
Weak crypto is provided by the openssl legacy provider which is
not load by default. Load the legacy providers as needed.
When the legacy provider is loaded into the default context the default
provider will no longer be automatically loaded. Without the default
provider the various kerberos applicaions and functions will abort().
This is the second attempt at this patch. Instead of linking
secure/lib/libcrypto at build time we now link it at runtime, avoiding
buildworld failures under Linux and MacOS. This is because
TARGET_ENDIANNESS is undefined at pre-build time.
PR: 272835
MFC after: 3 days
X-MFC: only to stable/14
Tested by: netchild
Joerg Pulz <Joerg.Pulz at frm2.tum.de> (previous version)
HardenedBSD/src ede5e81 — . Makefile.inc1, kerberos5/lib/libroken fbsd_ossl_provider_load.c Makefile
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
| Delta | File | |
|---|---|---|
| +111 | -0 | tests/sys/kern/shutdown_dgram.c |
| +33 | -41 | share/man/man4/xen.4 |
| +0 | -41 | kerberos5/lib/libroken/fbsd_ossl_provider_load.c |
| +3 | -8 | kerberos5/lib/libroken/Makefile |
| +0 | -9 | sys/netinet/ip_divert.c |
| +3 | -4 | Makefile.inc1 |
| +150 | -103 | 12 files not shown |
| +154 | -133 | 18 files |
HardenedBSD/src fec0d8e — . Makefile.inc1, kerberos5/lib/libroken fbsd_ossl_provider_load.c Makefile
Merge branch 'freebsd/current/main' into hardened/current/master
| Delta | File | |
|---|---|---|
| +111 | -0 | tests/sys/kern/shutdown_dgram.c |
| +33 | -41 | share/man/man4/xen.4 |
| +0 | -41 | kerberos5/lib/libroken/fbsd_ossl_provider_load.c |
| +3 | -8 | kerberos5/lib/libroken/Makefile |
| +0 | -9 | sys/netinet/ip_divert.c |
| +3 | -4 | Makefile.inc1 |
| +150 | -103 | 12 files not shown |
| +154 | -133 | 18 files |
HardenedBSD/src 3091cdb — . Makefile.inc1, crypto/heimdal/lib/kadm5 create_s.c
Revert "kerberos: Fix numerous segfaults when using weak crypto" This revision breaks Linux and MacOS cross builds because TARGET_ENDIANNESS is not define during bootstrapping on these platforms. I think the correct approach would be to separate the new fbsd_ossl_provider_load() and unload functions into their own library (instead of libroken). This avoids the less desirable option of including bsd.cpu.mk in secure/lib/Makefile.common, which does build but could complicate future work. Reported by: jrtc27 This reverts commit cb350ba7bf7ca7c4cb97ed2c20ab45af60382cfb.
HardenedBSD/src d6f9747 — kerberos5/lib/libroken fbsd_ossl_provider_load.c, lib/libc/sys Symbol.map
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
| Delta | File | |
|---|---|---|
| +41 | -0 | kerberos5/lib/libroken/fbsd_ossl_provider_load.c |
| +13 | -24 | sys/kern/vfs_subr.c |
| +27 | -0 | sys/vm/vnode_pager.c |
| +6 | -21 | sys/fs/nfsclient/nfs_clvnops.c |
| +15 | -5 | usr.bin/top/machine.c |
| +11 | -8 | lib/libc/sys/Symbol.map |
| +113 | -58 | 26 files not shown |
| +196 | -145 | 32 files |
HardenedBSD/src 125974c — kerberos5/lib/libroken fbsd_ossl_provider_load.c, lib/libc/sys Symbol.map
Merge branch 'freebsd/current/main' into hardened/current/master
| Delta | File | |
|---|---|---|
| +41 | -0 | kerberos5/lib/libroken/fbsd_ossl_provider_load.c |
| +13 | -24 | sys/kern/vfs_subr.c |
| +27 | -0 | sys/vm/vnode_pager.c |
| +6 | -21 | sys/fs/nfsclient/nfs_clvnops.c |
| +15 | -5 | usr.bin/top/machine.c |
| +11 | -8 | lib/libc/sys/Symbol.map |
| +113 | -58 | 26 files not shown |
| +196 | -145 | 32 files |
HardenedBSD/src cb350ba — . Makefile.inc1, crypto/heimdal/lib/krb5 salt.c context.c
kerberos: Fix numerous segfaults when using weak crypto Weak crypto is provided by the openssl legacy provider which is not load by default. Load the legacy providers as needed. When the legacy provider is loaded into the default context the default provider will no longer be automatically loaded. Without the default provider the various kerberos applicaions and functions will abort(). PR: 272835 MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D43009 Tested by: netchild, Joerg Pulz <Joerg.Pulz at frm2.tum.de>