freebsd/ports
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ports/security/dropbear/Makefile
Piotr Kubaj 84ed9d88c7 security/dropbear: update to 2025.89 
Changelog:
- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
  server. Other programs on a system may authenticate unix sockets via
  SO_PEERCRED, which would be root user for Dropbear forwarded connections,
  allowing root privilege escalation.
  Reported by Turistu, and thanks for advice on the fix.
  This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.

  It is fixed by dropping privileges of the dropbear process after
  authentication. Unix stream sockets are now disallowed when a
  forced command is used, either with authorized_key restrictions or
  "dropbear -c command".

  In previous affected releases running with "dropbear -j" (will also disable
  TCP fowarding) or building with localoptions.h/distrooptions.h
  "#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.

- Security: Include scp fix for CVE-2019-6111. This allowed
  a malicious server to overwrite arbitrary local files.
  The missing fix was reported by Ashish Kunwar.

- Server dropping privileges post-auth is enabled by default. This requires
  setresgid() support, so some platforms such as netbsd or macos will have to
  disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
  not available if DROPBEAR_SVR_DROP_PRIVS is disabled.

  Remote server TCP socket forwarding will now use OS privileged port
  restrictions rather than having a fixed "allow >=1024 for non-root" rule.

  A future release may implement privilege dropping for netbsd/macos.

- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
  to a crash at startup with bad_bufptr().
  Reported by Dani Schmitt and Sebastian Priebe.

- Don't limit channel window to 500MB. That is could cause stuck connections
  if peers advise a large window and don't send an increment within 500MB.
  Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
  Reported by Rob Hague.

- Ignore -g -s when passwords arent enabled. Patch from Norbert Lange.
  Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.

- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.

- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
  150-350ms or possibly negative (zero). Reported by pickaxprograms.

- Fix building without public key options. Thanks to Konstantin Demin

- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin

- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger

- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
2025-12-22 08:05:51 +01:00

177 lines
5.9 KiB
Makefile
Raw Permalink Blame History

PORTNAME= dropbear
PORTVERSION= 2025.89
CATEGORIES= security
MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/
MAINTAINER= pkubaj@FreeBSD.org
COMMENT= SSH 2 server, designed to be usable in small memory environments
WWW= https://matt.ucc.asn.au/dropbear/dropbear.html
LICENSE= MIT
LICENSE_FILE= ${WRKSRC}/LICENSE
USES= cpe gmake tar:bzip2
CPE_VENDOR= dropbear_ssh_project
CPE_PRODUCT= dropbear_ssh
GNU_CONFIGURE= yes
USE_RC_SUBR= ${PORTNAME}
ALL_TARGET= all scp
OPTIONS_DEFINE= SMALL_CODE PORTS_LIBTOM STATIC X11FWD
OPTIONS_DEFAULT= AES128 AES256 CURVE25519 ECDSA ED25519 GCM \
GROUP14_SHA256 GROUP16 PORTS_LIBTOM RSA SHA2_256 \
MLKEM768 SNTRUP761
OPTIONS_MULTI= ENC KEY KEX MAC MODE
OPTIONS_MULTI_ENC= 3DES AES128 AES256 CHACHA20POLY1305
OPTIONS_MULTI_KEY= DSS ECDSA ED25519 RSA
OPTIONS_MULTI_KEX= CURVE25519 ECDH GROUP1 GROUP14_SHA1 GROUP14_SHA256 \
GROUP16 MLKEM768 SNTRUP761
OPTIONS_MULTI_MAC= MD5 RSA_SHA1 SHA1 SHA1_96 SHA2_256 SHA2_512
OPTIONS_MULTI_MODE= CBC CTR GCM
3DES_DESC= Enable 3DES-based encryption
AES128_DESC= Enable AES128-based encryption
AES256_DESC= Enable AES256-based encryption
CBC_DESC= Use CBC mode for ciphers (less secure)
CHACHA20POLY1305_DESC= Enable chacha20poly1305-based encryption
CTR_DESC= Use CTR mode for ciphers
CURVE25519_DESC= Enable Curve25519
DSS_DESC= Enable DSS (insecure)
ECDH_DESC= Enable ECDH (insecure)
ECDSA_DESC= Enable ECDSA public key support
ED25519_DESC= Enable ED25519 public key support
GCM_DESC= Enable GCM mode for ciphers (more secure)
GROUP14_SHA1_DESC= Enable Group14 Diffie-Helman with SHA1 (insecure)
GROUP14_SHA256_DESC= Enable Group14 Diffie-Helman with SHA256
GROUP16_DESC= Enable Group16 Diffie-Hellman
GROUP1_DESC= Enable Group1 Diffie-Hellman (insecure)
MD5_DESC= Enable MD5 MAC (broken)
MLKEM768_DESC= Enable mlkem768 key exchange algorithm (recommended)
SNTRUP761_DESC= Enable sntrup761 key exchange algorithm (recommended)
PORTS_LIBTOM_DESC= Use libtomcrypt/libtommath in ports tree
RSA_DESC= Enable RSA public key support
RSA_SHA1_DESC= Enable RSA SHA1 MAC (insecure)
SHA1_96_DESC= Enable SHA1_96 MAC (less secure)
SHA1_DESC= Enable SHA1 MAC (less secure)
SHA2_256_DESC= Enable SHA2_256 MAC
SHA2_512_DESC= Enable SHA2_512 MAC
SMALL_CODE_DESC= Make binary smaller in exchange for 50% performance hit
X11FWD_DESC= Enable X11 forwarding
3DES_IMPLIES= CTR
CBC_IMPLIES= CTR
PORTS_LIBTOM_USES= localbase:ldflags
PORTS_LIBTOM_CONFIGURE_ON= --disable-bundled-libtom
PORTS_LIBTOM_CONFIGURE_OFF= --enable-bundled-libtom
STATIC_CONFIGURE_ENABLE= static
.include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MPORTS_LIBTOM} && ${PORT_OPTIONS:MSTATIC}
BUILD_DEPENDS= ${LOCALBASE}/lib/libtomcrypt.a:security/libtomcrypt \
${LOCALBASE}/lib/libtommath.a:math/libtommath
.endif
.if ${PORT_OPTIONS:MPORTS_LIBTOM} && !${PORT_OPTIONS:MSTATIC}
LIB_DEPENDS= libtomcrypt.so:security/libtomcrypt \
libtommath.so:math/libtommath
.endif
post-patch:
@${REINPLACE_CMD} -e "s,_PRIV_FILENAME \"/etc/,_PRIV_FILENAME \"${PREFIX}/etc/,g; \
s,/usr/bin/X11/,${LOCALBASE}/,g" ${WRKSRC}/src/default_options.h
post-patch-SMALL_CODE-off:
@${ECHO} "#define DROPBEAR_SMALL_CODE 0" >> ${WRKSRC}/localoptions.h
post-patch-3DES-on:
@${ECHO} "#define DROPBEAR_3DES 1" >> ${WRKSRC}/localoptions.h
post-patch-AES128-off:
@${ECHO} "#define DROPBEAR_AES128 0" >> ${WRKSRC}/localoptions.h
post-patch-AES256-off:
@${ECHO} "#define DROPBEAR_AES256 0" >> ${WRKSRC}/localoptions.h
post-patch-CHACHA20POLY1305-off:
@${ECHO} "#define DROPBEAR_CHACHA20POLY1305 0" >> ${WRKSRC}/localoptions.h
post-patch-CBC-on:
@${ECHO} "#define DROPBEAR_ENABLE_CBC_MODE 1" >> ${WRKSRC}/localoptions.h
post-patch-CTR-off:
@${ECHO} "#define DROPBEAR_ENABLE_CTR_MODE 0" >> ${WRKSRC}/localoptions.h
post-patch-GCM-on:
@${ECHO} "#define DROPBEAR_ENABLE_GCM_MODE 1" >> ${WRKSRC}/localoptions.h
post-patch-CURVE25519-off:
@${ECHO} "#define DROPBEAR_CURVE25519 0" >> ${WRKSRC}/localoptions.h
post-patch-DSS-on:
@${ECHO} "#define DROPBEAR_DSS 1" >> ${WRKSRC}/localoptions.h
post-patch-ECDH-off:
@${ECHO} "#define DROPBEAR_ECDH 0" >> ${WRKSRC}/localoptions.h
post-patch-GROUP1-off:
@${ECHO} "#define DROPBEAR_DH_GROUP1 0" >> ${WRKSRC}/localoptions.h
post-patch-GROUP14_SHA1-off:
@${ECHO} "#define DROPBEAR_DH_GROUP14_SHA1 0" >> ${WRKSRC}/localoptions.h
post-patch-GROUP14_SHA256-off:
@${ECHO} "#define DROPBEAR_DH_GROUP14_SHA256 0" >> ${WRKSRC}/localoptions.h
post-patch-GROUP16-on:
@${ECHO} "#define DROPBEAR_DH_GROUP16 1" >> ${WRKSRC}/localoptions.h
post-patch-RSA-off:
@${ECHO} "#define DROPBEAR_RSA 0" >> ${WRKSRC}/localoptions.h
post-patch-RSA_SHA1-off:
@${ECHO} "#define DROPBEAR_RSA_SHA1 0" >> ${WRKSRC}/localoptions.h
post-patch-ECDSA-off:
@${ECHO} "#define DROPBEAR_ECDSA 0" >> ${WRKSRC}/localoptions.h
post-patch-ED25519-off:
@${ECHO} "#define DROPBEAR_E25519 0" >> ${WRKSRC}/localoptions.h
post-patch-MD5-on:
@${ECHO} "#define DROPBEAR_MD5_HMAC 1" >> ${WRKSRC}/localoptions.h
post-patch-MLKEM768-off:
@${ECHO} "#define DROPBEAR_MLKEM768 0" >> ${WRKSRC}/localoptions.h
post-patch-SHA1-off:
@${ECHO} "#define DROPBEAR_SHA1_HMAC 0" >> ${WRKSRC}/localoptions.h
post-patch-SHA1_96-off:
@${ECHO} "#define DROPBEAR_SHA1_96_HMAC 0" >> ${WRKSRC}/localoptions.h
post-patch-SHA2_256-off:
@${ECHO} "#define DROPBEAR_SHA2_256_HMAC 0" >> ${WRKSRC}/localoptions.h
post-patch-SHA2_512-on:
@${ECHO} "#define DROPBEAR_SHA2_512_HMAC 1" >> ${WRKSRC}/localoptions.h
post-patch-SNTRUP761-off:
@${ECHO} "#define DROPBEAR_SNTRUP761 0" >> ${WRKSRC}/localoptions.h
post-patch-X11FWD-on:
@${ECHO} "#define DROPBEAR_X11FWD 1" >> ${WRKSRC}/localoptions.h
post-install:
@${MKDIR} ${STAGEDIR}${PREFIX}/etc/dropbear
${INSTALL_PROGRAM} ${WRKSRC}/scp ${STAGEDIR}${PREFIX}/bin/dbscp
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/dropbearconvert
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/dropbearkey
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/dbclient
${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/dropbear
.include <bsd.port.mk>
Reference in New Issue View Git Blame Copy Permalink