FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F13.1.0 2022-04-18T16:37:53Z 2022-04-18T16:37:53Z Mark Johnston markj@FreeBSD.org 2022-03-07T13:42:57Z urn:sha1:6edd55f882b32bf5e74c9892920c0e40ba697d1f Use it instead of the existing ctf.h from OpenSolaris. This makes it easier to use CTF in the core kernel, and to extend the CTF format to support wider type IDs. The imported ctf.h is modified to depend only on _types.h, and also to provide macros which use the "parent" bit of a type ID to refer to types in a parent CTF container. No functional change intended. Approved by: re (gjb) Reviewed by: Domagoj Stolfa, emaste Sponsored by: The FreeBSD Foundation (cherry picked from commit 2d5d2a986ce1a93b8567dbdf3f80bc2b545d6998) (cherry picked from commit 3681c4f065f1028ff84b654cfbfb238f2723b78c) 2022-03-17T12:26:10Z Hans Petter Selasky hselasky@FreeBSD.org 2022-03-13T14:17:06Z urn:sha1:1e126edff1611abf495f64aba852c66232218dda When there are multiple devices sharing the same USB vendor and product ID, the wrong device may be selected. Fix this by also matching the bus and device address, ugen<X>.<Y> . Sponsored by: NVIDIA Networking Approved by: re (gjb) (cherry picked from commit 16346e1401b8b369e251bc70781349fb9b813cef) (cherry picked from commit 90afe1886f5250dc32134b5851adf6cffa4a46d4) 2022-02-20T12:29:44Z John Baldwin jhb@FreeBSD.org 2022-02-10T17:57:49Z urn:sha1:b2127b6f1ae2b92eba1892e6f5257e3f6795fed5 Install headers from LLVM's libunwind in place of the headers from libcxxrt and allow C applications to use the library. As part of this, remove include/unwind.h and switch libthr over to using the installed unwind.h. Reviewed by: dim, emaste MFC after: 10 days Differential Revision: https://reviews.freebsd.org/D34065 (cherry picked from commit c00d345665366a89aaba7244d6f078dc756f4c53) 2022-02-10T18:09:57Z Ed Maste emaste@FreeBSD.org 2021-12-19T16:02:02Z urn:sha1:8464ad72e0874fb70c5eb96fe14225c18d06fb3a OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation (cherry picked from commit e9e8876a4d6afc1ad5315faaa191b25121a813d7) (cherry picked from commit 2ffb13149c8e46cb7d7e891b237255615906dc60) 2022-02-10T00:03:21Z Ed Maste emaste@FreeBSD.org 2021-10-07T03:31:17Z urn:sha1:a613d68fff9af03730e1c18438f85d80649547e4 Description of FIDO/U2F support (from OpenSSH 8.2 release notes, https://www.openssh.com/txt/release-8.2): This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types. ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them. Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation: $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used. To enable FIDO/U2F support, this change regenerates ssh_namespace.h, adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building WITHOUT_USB). devd integration is not included in this change, and is under investigation for the base system. In the interim the security/u2f-devd port can be installed to provide appropriate devd rules. Reviewed by: delphij, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32509 (cherry picked from commit e9a994639b2af232f994ba2ad23ca45a17718d2b) 2022-02-09T21:24:54Z Ed Maste emaste@FreeBSD.org 2021-10-07T01:52:05Z urn:sha1:c437ff145cbe5a6173f49472fe5f1ae4c686f121 From https://github.com/Yubico/libfido2: libfido2 provides library functionality and command-line tools to communicate with a FIDO device over USB, and to verify attestation and assertion signatures. libfido2 supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols. libfido2 will be used by ssh to support FIDO/U2F keys. It is currently intended only for use by ssh, and so is installed as a PRIVATELIB and is placed in the ssh pkgbase package. This is currently disabled for the 32-bit library build as libfido2 is not compatible with the COMPAT_32BIT hack in usb_ioctl.h. Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32448 (cherry picked from commit 7b1e19ad78c6a3f84f81cb1a16a39500f0337062) (cherry picked from commit 93942379cced89ad4ac653f262ac8277a8550853) 2022-02-09T21:24:32Z Ed Maste emaste@FreeBSD.org 2021-10-07T00:42:40Z urn:sha1:e610bb4a8527a4964bcd70b7ea2b1986d5bbc5d9 From https://github.com/PJK/libcbor: libcbor is a C library for parsing and generating CBOR, the general- purpose schema-less binary data format. libcbor will be used by ssh to support FIDO/U2F keys. It is currently intended only for use by ssh, and so is installed as a PRIVATELIB and is placed in the ssh pkgbase package. cbor_export.h and configuration.h were generated by the upstream CMake build. We could create them with bmake rules instead (as NetBSD has done) but this is a fine start. This is currently disabled for the 32-bit library build as libfido2 is not compatible with the COMPAT_32BIT hack in usb_ioctl.h, and there is no need for libcbor without libfido2. Reviewed by: kevans MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32347 (cherry picked from commit 2e85df652caef859c532b7e1e8a178c75f1a4a92) 2022-02-09T17:39:51Z Ed Maste emaste@FreeBSD.org 2021-10-09T00:15:43Z urn:sha1:bbe50accc9ee80dd6b2636d8648c9748a3bfb30c Reviewed by: kevans Fixes: 5551c573554e ("Rework PRIVATELIB") Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32384 (cherry picked from commit 032448cd2c52161aa03fd4ee5bf243d78d61b53e) 2022-02-09T17:39:51Z Ed Maste emaste@FreeBSD.org 2021-12-01T21:49:16Z urn:sha1:b5ed0dcc83088088a652efd0cf909c334ed2c4b3 In fact MK_CXX does not control whether /usr/bin/c++ is built -- it is installed as a link to Clang (which is always a C/C++ compiler), and it already exists in OptionalObsoleteFiles under MK_TOOLCHAIN. Sponsored by: The FreeBSD Foundation (cherry picked from commit c3f345ae3c0fac0684f83cff72ae23da18468777) 2022-02-09T17:39:50Z Ed Maste emaste@FreeBSD.org 2021-12-01T21:38:10Z urn:sha1:77a3ace8fec6b9624129b28b012b1e60bbc950d8 /usr/bin/CC is installed by usr.bin/clang/clang/Makefile, as with /usr/bin/cc, /usr/bin/cpp, etc., and is not controlled by MK_CXX. Move it to the same section as those tools. (It may be that these should all be under MK_TOOLCHAIN == no || MK_CLANG_IS_CC == no, but that seems like unnecessary complexity.) Sponsored by: The FreeBSD Foundation (cherry picked from commit f7ea22e2115329b7a4f2c6620e59e644f509a4ca)