freebsd/ports
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ports/security/dropbear/Makefile
Piotr Kubaj 1d4b5836a9 security/dropbear: update to 2025.88 
Changelog:
- Security: Don't allow dbclient hostname arguments to be interpreted
  by the shell.

  dbclient hostname arguments with a comma (for multihop) would be
  passed to the shell which could result in running arbitrary shell
  commands locally. That could be a security issue in situations
  where dbclient is passed untrusted hostname arguments.

  Now the multihop command is executed directly, no shell is involved.
  Thanks to Marcin Nowak for the report, tracked as CVE-2025-47203

- Fix compatibility for htole64 and htole32, regression in 2025.87
  Patch from Peter Fichtner to work with old GCC versions, and
  patch from Matt Robinson to check different header files.

- Fix building on older compilers or libc that don't support
  static_assert(). Regression in 2025.87

- Support ~R in the client to force a key re-exchange.

- Improve strict KEX handling. Dropbear previously would allow other
  packets at the end of key exchange prior to receiving the remote
  peer's NEWKEYS message, which should be forbidden by strict KEX.
  Reported by Fabian Bäumer.
2025-05-08 10:02:00 +02:00

177 lines
5.9 KiB
Makefile
Raw Blame History

PORTNAME= dropbear
PORTVERSION= 2025.88
CATEGORIES= security
MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/
MAINTAINER= pkubaj@FreeBSD.org
COMMENT= SSH 2 server, designed to be usable in small memory environments
WWW= https://matt.ucc.asn.au/dropbear/dropbear.html
LICENSE= MIT
LICENSE_FILE= ${WRKSRC}/LICENSE
USES= cpe gmake tar:bzip2
CPE_VENDOR= dropbear_ssh_project
CPE_PRODUCT= dropbear_ssh
GNU_CONFIGURE= yes
USE_RC_SUBR= ${PORTNAME}
ALL_TARGET= all scp
OPTIONS_DEFINE= SMALL_CODE PORTS_LIBTOM STATIC X11FWD
OPTIONS_DEFAULT= AES128 AES256 CURVE25519 ECDSA ED25519 GCM \
GROUP14_SHA256 GROUP16 PORTS_LIBTOM RSA SHA2_256 \
MLKEM768 SNTRUP761
OPTIONS_MULTI= ENC KEY KEX MAC MODE
OPTIONS_MULTI_ENC= 3DES AES128 AES256 CHACHA20POLY1305
OPTIONS_MULTI_KEY= DSS ECDSA ED25519 RSA
OPTIONS_MULTI_KEX= CURVE25519 ECDH GROUP1 GROUP14_SHA1 GROUP14_SHA256 \
GROUP16 MLKEM768 SNTRUP761
OPTIONS_MULTI_MAC= MD5 RSA_SHA1 SHA1 SHA1_96 SHA2_256 SHA2_512
OPTIONS_MULTI_MODE= CBC CTR GCM
3DES_DESC= Enable 3DES-based encryption
AES128_DESC= Enable AES128-based encryption
AES256_DESC= Enable AES256-based encryption
CBC_DESC= Use CBC mode for ciphers (less secure)
CHACHA20POLY1305_DESC= Enable chacha20poly1305-based encryption
CTR_DESC= Use CTR mode for ciphers
CURVE25519_DESC= Enable Curve25519
DSS_DESC= Enable DSS (insecure)
ECDH_DESC= Enable ECDH (insecure)
ECDSA_DESC= Enable ECDSA public key support
ED25519_DESC= Enable ED25519 public key support
GCM_DESC= Enable GCM mode for ciphers (more secure)
GROUP14_SHA1_DESC= Enable Group14 Diffie-Helman with SHA1 (insecure)
GROUP14_SHA256_DESC= Enable Group14 Diffie-Helman with SHA256
GROUP16_DESC= Enable Group16 Diffie-Hellman
GROUP1_DESC= Enable Group1 Diffie-Hellman (insecure)
MD5_DESC= Enable MD5 MAC (broken)
MLKEM768_DESC= Enable mlkem768 key exchange algorithm (recommended)
SNTRUP761_DESC= Enable sntrup761 key exchange algorithm (recommended)
PORTS_LIBTOM_DESC= Use libtomcrypt/libtommath in ports tree
RSA_DESC= Enable RSA public key support
RSA_SHA1_DESC= Enable RSA SHA1 MAC (insecure)
SHA1_96_DESC= Enable SHA1_96 MAC (less secure)
SHA1_DESC= Enable SHA1 MAC (less secure)
SHA2_256_DESC= Enable SHA2_256 MAC
SHA2_512_DESC= Enable SHA2_512 MAC
SMALL_CODE_DESC= Make binary smaller in exchange for 50% performance hit
X11FWD_DESC= Enable X11 forwarding
3DES_IMPLIES= CTR
CBC_IMPLIES= CTR
PORTS_LIBTOM_USES= localbase:ldflags
PORTS_LIBTOM_CONFIGURE_ON= --disable-bundled-libtom
PORTS_LIBTOM_CONFIGURE_OFF= --enable-bundled-libtom
STATIC_CONFIGURE_ENABLE= static
.include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MPORTS_LIBTOM} && ${PORT_OPTIONS:MSTATIC}
BUILD_DEPENDS= ${LOCALBASE}/lib/libtomcrypt.a:security/libtomcrypt \
${LOCALBASE}/lib/libtommath.a:math/libtommath
.endif
.if ${PORT_OPTIONS:MPORTS_LIBTOM} && !${PORT_OPTIONS:MSTATIC}
LIB_DEPENDS= libtomcrypt.so:security/libtomcrypt \
libtommath.so:math/libtommath
.endif
post-patch:
@${REINPLACE_CMD} -e "s,_PRIV_FILENAME \"/etc/,_PRIV_FILENAME \"${PREFIX}/etc/,g; \
s,/usr/bin/X11/,${LOCALBASE}/,g" ${WRKSRC}/src/default_options.h
post-patch-SMALL_CODE-off:
@${ECHO} "#define DROPBEAR_SMALL_CODE 0" >> ${WRKSRC}/localoptions.h
post-patch-3DES-on:
@${ECHO} "#define DROPBEAR_3DES 1" >> ${WRKSRC}/localoptions.h
post-patch-AES128-off:
@${ECHO} "#define DROPBEAR_AES128 0" >> ${WRKSRC}/localoptions.h
post-patch-AES256-off:
@${ECHO} "#define DROPBEAR_AES256 0" >> ${WRKSRC}/localoptions.h
post-patch-CHACHA20POLY1305-off:
@${ECHO} "#define DROPBEAR_CHACHA20POLY1305 0" >> ${WRKSRC}/localoptions.h
post-patch-CBC-on:
@${ECHO} "#define DROPBEAR_ENABLE_CBC_MODE 1" >> ${WRKSRC}/localoptions.h
post-patch-CTR-off:
@${ECHO} "#define DROPBEAR_ENABLE_CTR_MODE 0" >> ${WRKSRC}/localoptions.h
post-patch-GCM-on:
@${ECHO} "#define DROPBEAR_ENABLE_GCM_MODE 1" >> ${WRKSRC}/localoptions.h
post-patch-CURVE25519-off:
@${ECHO} "#define DROPBEAR_CURVE25519 0" >> ${WRKSRC}/localoptions.h
post-patch-DSS-on:
@${ECHO} "#define DROPBEAR_DSS 1" >> ${WRKSRC}/localoptions.h
post-patch-ECDH-off:
@${ECHO} "#define DROPBEAR_ECDH 0" >> ${WRKSRC}/localoptions.h
post-patch-GROUP1-off:
@${ECHO} "#define DROPBEAR_DH_GROUP1 0" >> ${WRKSRC}/localoptions.h
post-patch-GROUP14_SHA1-off:
@${ECHO} "#define DROPBEAR_DH_GROUP14_SHA1 0" >> ${WRKSRC}/localoptions.h
post-patch-GROUP14_SHA256-off:
@${ECHO} "#define DROPBEAR_DH_GROUP14_SHA256 0" >> ${WRKSRC}/localoptions.h
post-patch-GROUP16-on:
@${ECHO} "#define DROPBEAR_DH_GROUP16 1" >> ${WRKSRC}/localoptions.h
post-patch-RSA-off:
@${ECHO} "#define DROPBEAR_RSA 0" >> ${WRKSRC}/localoptions.h
post-patch-RSA_SHA1-off:
@${ECHO} "#define DROPBEAR_RSA_SHA1 0" >> ${WRKSRC}/localoptions.h
post-patch-ECDSA-off:
@${ECHO} "#define DROPBEAR_ECDSA 0" >> ${WRKSRC}/localoptions.h
post-patch-ED25519-off:
@${ECHO} "#define DROPBEAR_E25519 0" >> ${WRKSRC}/localoptions.h
post-patch-MD5-on:
@${ECHO} "#define DROPBEAR_MD5_HMAC 1" >> ${WRKSRC}/localoptions.h
post-patch-MLKEM768-off:
@${ECHO} "#define DROPBEAR_MLKEM768 0" >> ${WRKSRC}/localoptions.h
post-patch-SHA1-off:
@${ECHO} "#define DROPBEAR_SHA1_HMAC 0" >> ${WRKSRC}/localoptions.h
post-patch-SHA1_96-off:
@${ECHO} "#define DROPBEAR_SHA1_96_HMAC 0" >> ${WRKSRC}/localoptions.h
post-patch-SHA2_256-off:
@${ECHO} "#define DROPBEAR_SHA2_256_HMAC 0" >> ${WRKSRC}/localoptions.h
post-patch-SHA2_512-on:
@${ECHO} "#define DROPBEAR_SHA2_512_HMAC 1" >> ${WRKSRC}/localoptions.h
post-patch-SNTRUP761-off:
@${ECHO} "#define DROPBEAR_SNTRUP761 0" >> ${WRKSRC}/localoptions.h
post-patch-X11FWD-on:
@${ECHO} "#define DROPBEAR_X11FWD 1" >> ${WRKSRC}/localoptions.h
post-install:
@${MKDIR} ${STAGEDIR}${PREFIX}/etc/dropbear
${INSTALL_PROGRAM} ${WRKSRC}/scp ${STAGEDIR}${PREFIX}/bin/dbscp
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/dropbearconvert
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/dropbearkey
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/dbclient
${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/dropbear
.include <bsd.port.mk>
Reference in New Issue View Git Blame Copy Permalink