Date: Tue, 15 Nov 2022 21:53:04 GMT
Message-Id: <202211152153.2AFLr4G9085365@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Piotr Kubaj
Subject: git: 17112226551b - main - security/dropbear: update to 2022.83
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: pkubaj
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 17112226551be3350d06a66040413a26f252cb30

The branch main has been updated by pkubaj:

URL: https://cgit.FreeBSD.org/ports/commit/?id=17112226551be3350d06a66040413a26f252cb30

commit 17112226551be3350d06a66040413a26f252cb30
Author:     Piotr Kubaj
AuthorDate: 2022-11-15 21:32:03 +0000
Commit:     Piotr Kubaj
CommitDate: 2022-11-15 21:52:51 +0000

    security/dropbear: update to 2022.83

    Features and Changes:
      Note >> for compatibility/configuration changes

    - >> Disable DROPBEAR_DSS by default
      It is only 1024 bit and uses sha1, most distros disable it by default already.

    - Added DROPBEAR_RSA_SHA1 option to allow disabling sha1 rsa signatures.
      >> RSA with sha1 will be disabled in a future release (rsa keys will continue
      to work OK, with sha256 signatures used instead).

    - Add option for requiring both password and pubkey (-t)
      Patch from Jackkal

    - Add 'no-touch-required' and 'verify-required' options for sk keys
      Patch from Egor Duda

    - >> DROPBEAR_SK_KEYS config option now replaces separate DROPBEAR_SK_ECDSA
      and DROPBEAR_SK_ED25519 options.

    - Add 'permitopen' option for authorized_keys to restrict forwarded ports
      Patch from Tuomas Haikarainen

    - >> Added LTM_CFLAGS configure argument to set flags for building
      bundled libtommath. This also restores the previous arguments used
      in 2020.81 (-O3 -funroll-loops). That gives a big speedup for RSA
      key generation, which regressed in 2022.82.
      There is a tradeoff with code size, so -Os can be used if required.
      https://github.com/mkj/dropbear/issues/174
      Reported by David Bernard

    - Add '-z' flag to disable setting QoS traffic class. This may be necessary
      to work with broken networks or network drivers, exposed after changes to use
      AF21 in 2022.82
      https://github.com/mkj/dropbear/issues/193
      Reported by yuhongwei380, patch from Petr Štetiar

    - Allow overriding user shells with COMPAT_USER_SHELLS
      Based on a patch from Matt Robinson

    - Improve permission error message
      Patch from k-kurematsu

    - >> Remove HMAC_MD5 entirely

    Regression fixes from 2022.82:

    - Fix X11 build

    - Fix build warning

    - Fix compilation when disabling pubkey authentication
      Patch from MaxMougg

    - Fix MAX_UNAUTH_CLIENTS regression
      Reported by ptpt52

    - Avoid using slower prime testing in bundled libtomcrypt when DSS is disabled
      https://github.com/mkj/dropbear/issues/174
      Suggested by Steffen Jaeckel

    - Fix Dropbear plugin support
      https://github.com/mkj/dropbear/issues/194
      Reported by Struan Bartlett

    Other fixes:

    - Fix long standing incorrect compression size check. Dropbear
      (client or server) would erroneously exit with
      "bad packet, oversized decompressed"
      when receiving a compressed packet of exactly the maximum size.

    - Fix missing setsid() removed in 2020.79
      https://github.com/mkj/dropbear/issues/180
      Reported and debugged by m5jt and David Bernard

    - Try keyboard-interactive auth before password, in dbclient.
      This was unintentionally changed back in 2013
      https://github.com/mkj/dropbear/pull/190
      Patch from Michele Giacomoli

    - Drain the terminal when reading the fingerprint confirmation response
      https://github.com/mkj/dropbear/pull/191
      Patch from Michele Giacomoli

    - Fix utx wtmp variable typo. This has been wrong for a long time but
      only recently became a problem when wtmp was detected.
https://github.com/mkj/dropbear/pull/189 Patch from Michele Giacomoli - Improve configure test for hardening options. Fixes building on AIX https://github.com/mkj/dropbear/issues/158 - Fix debian/dropbear.init newline From wulei-student Infrastructure: - Test off-by-default compile options - Set -Wundef to catch typos in #if statements --- security/dropbear/Makefile | 14 +++++++++++--- security/dropbear/distinfo | 6 +++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/security/dropbear/Makefile b/security/dropbear/Makefile index 7afc1bf72496..b4d920a1c25f 100644 --- a/security/dropbear/Makefile +++ b/security/dropbear/Makefile @@ -1,5 +1,5 @@ PORTNAME= dropbear -PORTVERSION= 2022.82 +PORTVERSION= 2022.83 CATEGORIES= security MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/ @@ -23,10 +23,10 @@ OPTIONS_DEFAULT= AES128 AES256 CURVE25519 ECDSA ED25519 GCM \ GROUP14_SHA256 GROUP16 RSA SHA2_256 OPTIONS_MULTI= ENC KEY KEX MAC MODE OPTIONS_MULTI_ENC= 3DES AES128 AES256 CHACHA20POLY1305 -OPTIONS_MULTI_KEY= ECDSA ED25519 RSA +OPTIONS_MULTI_KEY= DSS ECDSA ED25519 RSA OPTIONS_MULTI_KEX= CURVE25519 ECDH GROUP1 GROUP14_SHA1 GROUP14_SHA256 \ GROUP16 -OPTIONS_MULTI_MAC= MD5 SHA1 SHA1_96 SHA2_256 SHA2_512 +OPTIONS_MULTI_MAC= MD5 RSA_SHA1 SHA1 SHA1_96 SHA2_256 SHA2_512 OPTIONS_MULTI_MODE= CBC CTR GCM 3DES_DESC= Enable 3DES-based encryption @@ -36,6 +36,7 @@ CBC_DESC= Use CBC mode for ciphers (less secure) CHACHA20POLY1305_DESC= Enable chacha20poly1305-based encryption CTR_DESC= Use CTR mode for ciphers CURVE25519_DESC= Enable Curve25519 +DSS_DESC= Enable DSS (insecure) ECDH_DESC= Enable ECDH (insecure) ECDSA_DESC= Enable ECDSA public key support ED25519_DESC= Enable ED25519 public key support 
@@ -46,6 +47,7 @@ GROUP16_DESC= Enable Group16 Diffie-Hellman GROUP1_DESC= Enable Group1 Diffie-Hellman (insecure) MD5_DESC= Enable MD5 MAC (broken) RSA_DESC= Enable RSA public key support +RSA_SHA1_DESC= Enable RSA SHA1 MAC (insecure) SHA1_96_DESC= Enable SHA1_96 MAC (less secure) SHA1_DESC= Enable SHA1 MAC (less secure) SHA2_256_DESC= Enable SHA2_256 MAC @@ -89,6 +91,9 @@ post-patch-GCM-on: post-patch-CURVE25519-off: @${ECHO} "#define DROPBEAR_CURVE25519 0" >> ${WRKSRC}/localoptions.h +post-patch-DSS-on: + @${ECHO} "#define DROPBEAR_DSS 1" >> ${WRKSRC}/localoptions.h + post-patch-ECDH-off: @${ECHO} "#define DROPBEAR_ECDH 0" >> ${WRKSRC}/localoptions.h @@ -107,6 +112,9 @@ post-patch-GROUP16-on: post-patch-RSA-off: @${ECHO} "#define DROPBEAR_RSA 0" >> ${WRKSRC}/localoptions.h +post-patch-RSA_SHA1-off: + @${ECHO} "#define DROPBEAR_RSA_SHA1 0" >> ${WRKSRC}/localoptions.h + post-patch-ECDSA-off: @${ECHO} "#define DROPBEAR_ECDSA 0" >> ${WRKSRC}/localoptions.h diff --git a/security/dropbear/distinfo b/security/dropbear/distinfo index 2eb40d600511..74bcc7f48d49 100644 --- a/security/dropbear/distinfo +++ b/security/dropbear/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1649278626 -SHA256 (dropbear-2022.82.tar.bz2) = 3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1 -SIZE (dropbear-2022.82.tar.bz2) = 2309514 +TIMESTAMP = 1668547002 +SHA256 (dropbear-2022.83.tar.bz2) = bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b +SIZE (dropbear-2022.83.tar.bz2) = 2322904
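
Review bot: In the security/dropbear/Makefile hunk at @@ -23,10 +23,10 @@, RSA_SHA1 is added to OPTIONS_MULTI_MAC, but per the commit message DROPBEAR_RSA_SHA1 controls SHA-1 RSA signatures, not a MAC. A MULTI group needs at least one member selected, so a configuration with only RSA_SHA1 chosen in the MAC group would pass the options check while enabling no MAC algorithm at all. Suggest taking it out of the MAC group and making it a standalone option (OPTIONS_DEFINE). The same line still carries MD5 although the release notes state ">> Remove HMAC_MD5 entirely", so the MD5 option and its MD5_DESC look stale and should be removed with this update.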
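
Review bot: RSA_SHA1_DESC in the security/dropbear/Makefile hunk at @@ -46,6 +47,7 @@ reads "Enable RSA SHA1 MAC (insecure)", which mislabels the option: the commit message describes DROPBEAR_RSA_SHA1 as the switch for "sha1 rsa signatures". Suggest wording such as "Enable RSA signatures with SHA1 (insecure)" so that someone choosing options understands that this affects RSA key signatures rather than packet integrity.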
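
Review bot: The post-patch-RSA_SHA1-off target added in the security/dropbear/Makefile hunk at @@ -107,6 +112,9 @@ fires in the default build, because RSA_SHA1 is not in the OPTIONS_DEFAULT list visible at @@ -23,10 +23,10 @@. The default package therefore writes "#define DROPBEAR_RSA_SHA1 0" now, while the release notes only announce that RSA with sha1 "will be disabled in a future release". If getting ahead of upstream is intended, say so in the commit message, since peers that can only do SHA-1 RSA signatures will stop working with RSA keys after the upgrade; otherwise add RSA_SHA1 to OPTIONS_DEFAULT to keep the upstream default.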