Skip to content

Commit

Permalink
security/dropbear: update to 2022.83
Browse files Browse the repository at this point in the history
Features and Changes:
  Note >> for compatibility/configuration changes

- >> Disable DROPBEAR_DSS by default
  It is only 1024 bit and uses sha1, most distros disable it by default already.

- Added DROPBEAR_RSA_SHA1 option to allow disabling sha1 rsa signatures.
  >> RSA with sha1 will be disabled in a future release (rsa keys will continue
  to work OK, with sha256 signatures used instead).

- Add option for requiring both password and pubkey (-t)
  Patch from Jackkal

- Add 'no-touch-required' and 'verify-required' options for sk keys
  Patch from Egor Duda

  - >> DROPBEAR_SK_KEYS config option now replaces separate DROPBEAR_SK_ECDSA
  and DROPBEAR_SK_ED25519 options.

- Add 'permitopen' option for authorized_keys to restrict forwarded ports
  Patch from Tuomas Haikarainen

- >> Added LTM_CFLAGS configure argument to set flags for building
  bundled libtommath. This also restores the previous arguments used
  in 2020.81 (-O3 -funroll-loops). That gives a big speedup for RSA
  key generation, which regressed in 2022.82.
  There is a tradeoff with code size, so -Os can be used if required.
  mkj/dropbear#174
  Reported by David Bernard

- Add '-z' flag to disable setting QoS traffic class. This may be necessary
  to work with broken networks or network drivers, exposed after changes to use
  AF21 in 2022.82
  mkj/dropbear#193
  Reported by yuhongwei380, patch from Petr Štetiar

- Allow overriding user shells with COMPAT_USER_SHELLS
  Based on a patch from Matt Robinson

- Improve permission error message
  Patch from k-kurematsu

- >> Remove HMAC_MD5 entirely

Regression fixes from 2022.82:

- Fix X11 build

- Fix build warning

- Fix compilation when disabling pubkey authentication
  Patch from MaxMougg

- Fix MAX_UNAUTH_CLIENTS regression
  Reported by ptpt52

- Avoid using slower prime testing in bundled libtomcrypt when DSS is disabled
  mkj/dropbear#174
  Suggested by Steffen Jaeckel

- Fix Dropbear plugin support
  mkj/dropbear#194
  Reported by Struan Bartlett

Other fixes:

- Fix long standing incorrect compression size check. Dropbear
  (client or server) would erroneously exit with
  "bad packet, oversized decompressed"
  when receiving a compressed packet of exactly the maximum size.

- Fix missing setsid() removed in 2020.79
  mkj/dropbear#180
  Reported and debugged by m5jt and David Bernard

- Try keyboard-interactive auth before password, in dbclient.
  This was unintentionally changed back in 2013
  mkj/dropbear#190
  Patch from Michele Giacomoli

- Drain the terminal when reading the fingerprint confirmation response
  mkj/dropbear#191
  Patch from Michele Giacomoli

- Fix utx wtmp variable typo. This has been wrong for a long time but
  only recently became a problem when wtmp was detected.
  mkj/dropbear#189
  Patch from Michele Giacomoli

- Improve configure test for hardening options.
  Fixes building on AIX
  mkj/dropbear#158

- Fix debian/dropbear.init newline
  From wulei-student

Infrastructure:

- Test off-by-default compile options
- Set -Wundef to catch typos in #if statements
  • Loading branch information
pkubaj committed Nov 15, 2022
1 parent 00ef172 commit 1711222
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 6 deletions.
14 changes: 11 additions & 3 deletions security/dropbear/Makefile
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
PORTNAME= dropbear
PORTVERSION= 2022.82
PORTVERSION= 2022.83
CATEGORIES= security
MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/

Expand All @@ -23,10 +23,10 @@ OPTIONS_DEFAULT= AES128 AES256 CURVE25519 ECDSA ED25519 GCM \
GROUP14_SHA256 GROUP16 RSA SHA2_256
OPTIONS_MULTI= ENC KEY KEX MAC MODE
OPTIONS_MULTI_ENC= 3DES AES128 AES256 CHACHA20POLY1305
OPTIONS_MULTI_KEY= ECDSA ED25519 RSA
OPTIONS_MULTI_KEY= DSS ECDSA ED25519 RSA
OPTIONS_MULTI_KEX= CURVE25519 ECDH GROUP1 GROUP14_SHA1 GROUP14_SHA256 \
GROUP16
OPTIONS_MULTI_MAC= MD5 SHA1 SHA1_96 SHA2_256 SHA2_512
OPTIONS_MULTI_MAC= MD5 RSA_SHA1 SHA1 SHA1_96 SHA2_256 SHA2_512
OPTIONS_MULTI_MODE= CBC CTR GCM

3DES_DESC= Enable 3DES-based encryption
Expand All @@ -36,6 +36,7 @@ CBC_DESC= Use CBC mode for ciphers (less secure)
CHACHA20POLY1305_DESC= Enable chacha20poly1305-based encryption
CTR_DESC= Use CTR mode for ciphers
CURVE25519_DESC= Enable Curve25519
DSS_DESC= Enable DSS (insecure)
ECDH_DESC= Enable ECDH (insecure)
ECDSA_DESC= Enable ECDSA public key support
ED25519_DESC= Enable ED25519 public key support
Expand All @@ -46,6 +47,7 @@ GROUP16_DESC= Enable Group16 Diffie-Hellman
GROUP1_DESC= Enable Group1 Diffie-Hellman (insecure)
MD5_DESC= Enable MD5 MAC (broken)
RSA_DESC= Enable RSA public key support
RSA_SHA1_DESC= Enable RSA SHA1 MAC (insecure)
SHA1_96_DESC= Enable SHA1_96 MAC (less secure)
SHA1_DESC= Enable SHA1 MAC (less secure)
SHA2_256_DESC= Enable SHA2_256 MAC
Expand Down Expand Up @@ -89,6 +91,9 @@ post-patch-GCM-on:
post-patch-CURVE25519-off:
@${ECHO} "#define DROPBEAR_CURVE25519 0" >> ${WRKSRC}/localoptions.h

post-patch-DSS-on:
@${ECHO} "#define DROPBEAR_DSS 1" >> ${WRKSRC}/localoptions.h

post-patch-ECDH-off:
@${ECHO} "#define DROPBEAR_ECDH 0" >> ${WRKSRC}/localoptions.h

Expand All @@ -107,6 +112,9 @@ post-patch-GROUP16-on:
post-patch-RSA-off:
@${ECHO} "#define DROPBEAR_RSA 0" >> ${WRKSRC}/localoptions.h

post-patch-RSA_SHA1-off:
@${ECHO} "#define DROPBEAR_RSA_SHA1 0" >> ${WRKSRC}/localoptions.h

post-patch-ECDSA-off:
@${ECHO} "#define DROPBEAR_ECDSA 0" >> ${WRKSRC}/localoptions.h

Expand Down
6 changes: 3 additions & 3 deletions security/dropbear/distinfo
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
TIMESTAMP = 1649278626
SHA256 (dropbear-2022.82.tar.bz2) = 3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1
SIZE (dropbear-2022.82.tar.bz2) = 2309514
TIMESTAMP = 1668547002
SHA256 (dropbear-2022.83.tar.bz2) = bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b
SIZE (dropbear-2022.83.tar.bz2) = 2322904

0 comments on commit 1711222

Please sign in to comment.