813f89879d
Changes:

2019.78 - 27 March 2019

- Fix dbclient regression in 2019.77. After exiting the terminal would be left in a bad state. Reported by Ryan Woodsmall

2019.77 - 23 March 2019

- Fix server -R option with ECDSA - only advertise one key size which will be accepted. Reported by Peter Krefting, 2018.76 regression.
- Fix server regression in 2018.76 where multiple client -R forwards were all forwarded to the first destination. Reported by Iddo Samet.
- Make failure delay more consistent to avoid revealing valid usernames, set server password limit of 100 characters. Problem reported by usd responsible disclosure team
- Change handling of failed authentication to avoid disclosing valid usernames, CVE-2018-15599.
- Fix dbclient to reliably return the exit code from the remote server. Reported by W. Mike Petullo
- Fix export of 521-bit ECDSA keys, from Christian Hohnstädt
- Add -o Port=xxx option to work with sshfs, from xcko
- Merged fuzzing code, see FUZZER-NOTES.md
- Add a DROPBEAR_SVR_MULTIUSER=0 compile option to run on single-user Linux kernels (CONFIG_MULTIUSER disabled). From Patrick Stewart
- Increase allowed username to 100 characters, reported by W. Mike Petullo
- Update config.sub and config.guess, should now work with RISC-V
- Cygwin compile fix from karel-m
- Don't require GNU sed (accidentally in 2018.76), reported by Samuel Hsu
- Fix for IRIX and writev(), reported by Kazuo Kuroi
- Other fixes and cleanups from François Perrad, Andre McCurdy, Konstantin Demin, Michael Jones, Pawel Rapkiewicz

2018.76 - 27 February 2018

> > > Configuration/compatibility changes

IMPORTANT
Custom configuration is now specified in localoptions.h rather than options.h
Available options and defaults can be seen in default_options.h
To migrate your configuration, compare your customised options.h against the upstream options.h from your relevant version. Any customised options should be put in localoptions.h in the build directory.

- "configure --enable-static" should now be used instead of "make STATIC=1" This will avoid 'hardened build' flags that conflict with static binaries
- Set 'hardened build' flags by default if supported by the compiler. These can be disabled with configure --disable-harden if needed.
    -Wl,-pie
    -Wl,-z,now -Wl,-z,relro
    -fstack-protector-strong
    -D_FORTIFY_SOURCE=2
    # spectre v2 mitigation
    -mfunction-return=thunk
    -mindirect-branch=thunk
  Spectre patch from Loganaden Velvindron
- "dropbear -r" option for hostkeys no longer attempts to load the default hostkey paths as well. If desired these can be specified manually. Patch from CamVan Nguyen
- group1-sha1 key exchange is disabled in the server by default since the fixed 1024-bit group may be susceptible to attacks
- twofish ciphers are now disabled in the default configuration
- Default generated ECDSA key size is now 256 (rather than 521) for better interoperability
- Minimum RSA key length has been increased to 1024 bits

> > > Other features and fixes

- Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant
- Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket. See dbclient manpage for a socat example. Patch from Harald Becker
- Add "-c forced_command" option. Patch from Jeremy Kerr
- Restricted group -G option added with patch from stellarpower
- Support server-chosen TCP forwarding ports, patch from houseofkodai
- Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port] Patch from houseofkodai
- Makefile will now rebuild object files when header files are modified
- Add group14-256 and group16 key exchange options
- curve25519-sha256 also supported without @libssh.org suffix
- Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1 This fixes building with some recent versions of clang
- Set PAM_RHOST which is needed by modules such as pam_abl
- Improvements to DSS and RSA public key validation, found by OSS-Fuzz.
- Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz
- Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz
- Numerous code cleanups and small issues fixed by Francois Perrad
- Test for pkt_sched.h rather than SO_PRIORITY which was problematic with some musl platforms. Reported by Oliver Schneider and Andrew Bainbridge
- Fix some platform portability problems, from Ben Gardner
- Add EXEEXT filename suffix for building dropbearmulti, from William Foster
- Support --enable-<option> properly for configure, from Stefan Hauser
- configure have_openpty result can be cached, from Eric Bénard
- handle platforms that return close() < -1 on failure, from Marco Wenzel
- Build and configuration cleanups from Michael Witten
- Fix libtomcrypt/libtommath linking order, from Andre McCurdy
- Fix old Linux platforms that have SYS_clock_gettime but not CLOCK_MONOTONIC
- Update curve25519-donna implementation to current version
61 lines
1.7 KiB
Makefile
# $NetBSD: Makefile,v 1.36 2019/06/10 13:44:35 nia Exp $

DISTNAME= dropbear-2019.78
CATEGORIES= security
MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/
EXTRACT_SUFX= .tar.bz2

MAINTAINER= snj@NetBSD.org
HOMEPAGE= https://matt.ucc.asn.au/dropbear/dropbear.html
COMMENT= Small SSH2 server and client, aimed at embedded market
LICENSE= modified-bsd

GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q} --disable-bundled-libtom
USE_TOOLS+= gmake

PKG_OPTIONS_VAR= PKG_OPTIONS.dropbear
PKG_SUPPORTED_OPTIONS= pam

.include "../../mk/bsd.prefs.mk"
.include "../../mk/bsd.options.mk"

.if !empty(PKG_OPTIONS:Mpam)
. include "../../mk/pam.buildlink3.mk"
CONFIGURE_ARGS+= --enable-pam
SUBST_CLASSES+= pam
SUBST_MESSAGE.pam= Enabling PAM in options.h
SUBST_STAGE.pam= pre-configure
SUBST_FILES.pam= options.h
SUBST_SED.pam= -e "s/ENABLE_SVR_PASSWORD_AUTH/ENABLE_SVR_PAM_AUTH/"
.endif

OWN_DIRS+= ${PKG_SYSCONFDIR}/dropbear

SUBST_CLASSES+= config
SUBST_MESSAGE.config= Fixing path to config directory.
SUBST_STAGE.config= post-build
SUBST_FILES.config= dropbear.8 dropbearkey.1
SUBST_SED.config= -e "s,/etc/dropbear/,"${PKG_SYSCONFDIR:Q}"/dropbear/,g"

# used by dbscp
CPPFLAGS+= -DDROPBEAR_PATH_SSH_PROGRAM="\"${PREFIX}/bin/dbclient\""

.include "../../x11/xauth/builtin.mk"

CPPFLAGS+= -DXAUTH_COMMAND="\"${XAUTHBASE}/bin/xauth\""

CFLAGS.NetBSD+= -DHAVE_NETINET_IN_SYSTM_H
LDFLAGS.SunOS+= -lsocket -lnsl

INSTALLATION_DIRS= share/doc/dropbear ${PKGMANDIR}/man1 ${PKGMANDIR}/man8

BUILD_TARGET= all scp

post-install:
	${INSTALL_PROGRAM} ${WRKSRC}/scp ${DESTDIR}/${PREFIX}/bin/dbscp

.include "../../devel/zlib/buildlink3.mk"
.include "../../math/ltm/buildlink3.mk"
.include "../../security/libtomcrypt/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"