mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2025-01-13 07:34:50 +00:00
Code Issues Releases Activity
c7e5dc97d7
freebsd-ports/security/openssh-portable/Makefile
Bryan Drewery 3849667982 security/openssh-portable: Update to 8.8p1 
Changelog:	https://www.openssh.com/txt/release-8.8
Security:	CVE-2021-41617
2021-10-12 11:06:52 -07:00

242 lines
7.7 KiB
Makefile
Raw Blame History

# Created by: dwcjr@inethouston.net
PORTNAME= openssh
DISTVERSION= 8.8p1
PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security
MASTER_SITES= OPENBSD/OpenSSH/portable
PKGNAMESUFFIX?= -portable
MAINTAINER= bdrewery@FreeBSD.org
COMMENT= The portable version of OpenBSD's OpenSSH
LICENSE= OPENSSH
LICENSE_NAME= OpenSSH Licenses
LICENSE_FILE= ${WRKSRC}/LICENCE
LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-*
USES= alias autoreconf compiler:c11 cpe localbase ncurses \
pkgconfig ssl
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --prefix=${PREFIX} \
--with-ssl-engine \
--with-mantype=man \
--with-Werror
ETCOLD= ${PREFIX}/etc
CPE_VENDOR= openbsd
FLAVORS= default hpn gssapi
default_CONFLICTS_INSTALL= openssh-portable-hpn openssh-portable-gssapi \
openssh-portable-x509
hpn_CONFLICTS_INSTALL= openssh-portable openssh-portable-gssapi \
openssh-portable-x509
hpn_PKGNAMESUFFIX= -portable-hpn
gssapi_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \
openssh-portable-x509
gssapi_PKGNAMESUFFIX= -portable-gssapi
OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
HPN KERB_GSSAPI \
LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD
OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
.if ${FLAVOR:U} == hpn
OPTIONS_DEFAULT+= HPN NONECIPHER
.endif
.if ${FLAVOR:U} == gssapi
OPTIONS_DEFAULT+= KERB_GSSAPI MIT
.endif
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= tcp_wrappers support
BSM_DESC= OpenBSM Auditing
KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI)
HPN_DESC= HPN-SSH patch
LDNS_DESC= SSHFP/LDNS support
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
MIT_DESC= MIT Kerberos (security/krb5)
NONECIPHER_DESC= NONE Cipher support
XMSS_DESC= XMSS key support (experimental)
FIDO_U2F_DESC= FIDO/U2F support (security/libfido2)
BLACKLISTD_DESC= FreeBSD blacklistd(8) support
OPTIONS_SUB= yes
TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
LDNS_CONFIGURE_WITH= ldns=${LOCALBASE}
LDNS_LIB_DEPENDS= libldns.so:dns/ldns
LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns
HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5
HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal
PAM_CONFIGURE_WITH= pam
TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
LIBEDIT_CONFIGURE_WITH= libedit
LIBEDIT_USES= libedit
BSM_CONFIGURE_ON= --with-audit=bsm
FIDO_U2F_LIB_DEPENDS= libfido2.so:security/libfido2
FIDO_U2F_CONFIGURE_ON= --with-security-key-builtin
FIDO_U2F_CONFIGURE_OFF= --disable-security-key
# Until https://reviews.freebsd.org/D27289 is committed
FIDO_U2F_EXTRA_PATCHES= ${FILESDIR}/extra-patch-libfido2-configure.ac
BLACKLISTD_EXTRA_PATCHES= ${FILESDIR}/extra-patch-blacklistd
ETCDIR?= ${PREFIX}/etc/ssh
.include <bsd.port.pre.mk>
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
# Must add this patch before HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
# Needed glue for applying HPN patch without conflict
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
. endif
# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
# pull from.
GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-2
# - Debian does not use a versioned filename so we trick fetch to make one for
# us with the ?<anything>=/ trick.
PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
# Bump this when updating the patch location
GSSAPI_UPDATE_DATE= 20200607
PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-sshconnect2.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c
.endif
.if ${PORT_OPTIONS:MBLACKLISTD}
CONFIGURE_LIBS+= -lblacklist
.endif
# https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
#BROKEN= HPN: Not yet updated for ${DISTVERSION} yet.
PORTDOCS+= HPN-README
HPN_VERSION= 14v15
HPN_DISTVERSION= 7.7p1
#PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
#PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2
.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}
# Apply compatibility patch
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat
.endif
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
# Keep this last
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
.endif
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base
.endif
.if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
. if ${PORT_OPTIONS:MHEIMDAL_BASE}
CONFIGURE_LIBS+= -lgssapi_krb5
CONFIGURE_ARGS+= --with-kerberos5=/usr
. else
CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE}
. endif
. if ${OPENSSLBASE} == "/usr"
CONFIGURE_ARGS+= --without-rpath
LDFLAGS= # empty
. endif
.else
. if ${PORT_OPTIONS:MKERB_GSSAPI}
IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
. endif
.endif
.if ${OPENSSLBASE} != "/usr"
CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
.endif
EMPTYDIR= /var/empty
USE_RC_SUBR= openssh
# After all
CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR}
.if !empty(CONFIGURE_LIBS)
CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}'
.endif
CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth
RC_SCRIPT_NAME= openssh
VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME}
CFLAGS+= ${CFLAGS_${CHOSEN_COMPILER_TYPE}}
CFLAGS_gcc= -Wno-stringop-truncation -Wno-stringop-overflow
SSH_ASKPASS_PATH?= ${LOCALBASE}/bin/ssh-askpass
post-patch:
@${REINPLACE_CMD} \
-e 's|install: \(.*\) host-key check-config|install: \1|g' \
${WRKSRC}/Makefile.in
@${REINPLACE_CMD} \
-e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \
${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac
@${REINPLACE_CMD} \
-e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
${WRKSRC}/sshd_config
@${REINPLACE_CMD} \
-e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \
${WRKSRC}/sshd_config.5
@${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \
${WRKSRC}/version.h
post-configure-XMSS-on:
@${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h
post-configure-BLACKLISTD-on:
@${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h
post-install:
${MV} ${STAGEDIR}${ETCDIR}/moduli \
${STAGEDIR}${ETCDIR}/moduli.sample
${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
${STAGEDIR}${ETCDIR}/ssh_config.sample
${MV} ${STAGEDIR}${ETCDIR}/sshd_config \
${STAGEDIR}${ETCDIR}/sshd_config.sample
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
${MKDIR} ${STAGEDIR}${DOCSDIR}
${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
.endif
test: build
cd ${WRKSRC} && ${SETENV} -i \
OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \
TEST_SHELL=${SH} \
SUDO="${SUDO}" \
LOGNAME="${LOGNAME}" \
HOME="${HOME}" \
TEST_SSH_TRACE=yes \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
.include <bsd.port.post.mk>
Reference in New Issue View Git Blame Copy Permalink