diff --git a/graphics/pecl-imagick/Makefile b/graphics/pecl-imagick/Makefile index c0021457cba7..4c30d266e11a 100644 --- a/graphics/pecl-imagick/Makefile +++ b/graphics/pecl-imagick/Makefile @@ -1,18 +1,18 @@ PORTNAME= imagick PORTVERSION= 3.7.0 PORTREVISION= 2 CATEGORIES= graphics MAINTAINER= 000.fbsd@quip.cz COMMENT?= PHP wrapper to the ImageMagick/GraphicsMagick library WWW= https://pecl.php.net/package/imagick LICENSE= PHP301 -USES= cpe php:pecl localbase magick +USES= cpe php:pecl localbase magick:nox11 CPE_VENDOR= php CONFIGURE_ARGS= --with-imagick=${LOCALBASE} .include diff --git a/lang/python311/Makefile b/lang/python311/Makefile index e7deddcbf3e3..886b2f26b338 100644 --- a/lang/python311/Makefile +++ b/lang/python311/Makefile @@ -1,155 +1,155 @@ PORTNAME= python DISTVERSION= ${PYTHON_DISTVERSION} CATEGORIES= lang python MASTER_SITES= PYTHON/ftp/python/${DISTVERSION:C/[a-z].*//} PKGNAMESUFFIX= ${PYTHON_SUFFIX} DISTNAME= Python-${DISTVERSION} DIST_SUBDIR= python MAINTAINER= python@FreeBSD.org COMMENT= Interpreted object-oriented programming language WWW= https://www.python.org/ LICENSE= PSFL LIB_DEPENDS= libffi.so:devel/libffi USES= compiler:c11 cpe ncurses pathfix pkgconfig \ python:${PYTHON_DISTVERSION:R},env readline shebangfix ssl tar:xz PATHFIX_MAKEFILEIN= Makefile.pre.in USE_LDCONFIG= yes GNU_CONFIGURE= yes python_CMD= ${PREFIX}/bin/python${PYTHON_DISTVERSION:R} SHEBANG_FILES= Lib/*.py Lib/*/*.py Lib/*/*/*.py Lib/*/*/*/*.py SHEBANG_FILES+= Lib/test/ziptestdata/exe_with_z64 \ Lib/test/ziptestdata/exe_with_zip \ Lib/test/ziptestdata/header.sh DISABLED_EXTENSIONS= _sqlite3 _tkinter _gdbm CONFIGURE_ARGS+= --enable-shared --without-ensurepip \ --with-system-ffi CONFIGURE_ENV+= OPT="" # Null out OPT to respect user CFLAGS and remove optimizations INSTALL_TARGET= altinstall # Don't want cloberring of unprefixed files TEST_TARGET= buildbottest TEST_ARGS= TESTOPTS=-j${MAKE_JOBS_NUMBER} MAKE_ARGS+= INSTALL_SHARED="${INSTALL_LIB}" # Strip shared library SUB_FILES= pkg-message SUB_LIST= PYTHON_SUFFIX=${PYTHON_SUFFIX} PLIST_SUB= ABI=${ABIFLAGS} \ DISTVERSION=${DISTVERSION} \ OSMAJOR=${OSVERSION:C/([0-9]*)[0-9]{5}/\1/} # For plat-freebsd* in pkg-plist. https://bugs.python.org/issue19554 OPTIONS_DEFINE= DEBUG IPV6 LIBMPDEC LTO NLS PYMALLOC OPTIONS_DEFAULT= LIBMPDEC LTO PYMALLOC OPTIONS_EXCLUDE_riscv64= LTO OPTIONS_RADIO= HASH OPTIONS_RADIO_HASH= FNV SIPHASH OPTIONS_SUB= yes LIBMPDEC_DESC= Use libmpdec from ports instead of bundled version NLS_DESC= Enable gettext support for the locale module PYMALLOC_DESC= Enable specialized mallocs HASH_DESC= Hash Algorithm (PEP-456) FNV_DESC= Modified Fowler-Noll-Vo Algorithm SIPHASH_DESC= SipHash24 Algorithm FNV_CONFIGURE_ON= --with-hash-algorithm=fnv SIPHASH_CONFIGURE_ON= --with-hash-algorithm=siphash24 DEBUG_CONFIGURE_WITH= pydebug IPV6_CONFIGURE_ENABLE= ipv6 LIBMPDEC_CONFIGURE_ON= --with-system-libmpdec LIBMPDEC_LIB_DEPENDS= libmpdec.so:math/mpdecimal LTO_CONFIGURE_ON= --with-lto=thin # Use CPPFLAGS over CFLAGS due to -I ordering, causing elementtree and pyexpat # to break in Python 2.7, or preprocessor complaints in Python >= 3.3 # Upstream Issue: https://bugs.python.org/issue6299 NLS_USES= gettext NLS_CPPFLAGS= -I${LOCALBASE}/include NLS_LIBS= -L${LOCALBASE}/lib -lintl NLS_CONFIGURE_ENV_OFF= ac_cv_lib_intl_textdomain=no ac_cv_header_libintl_h=no PYMALLOC_CONFIGURE_WITH= pymalloc .include "${.CURDIR}/Makefile.version" .include .if ${PORT_OPTIONS:MDEBUG} ABIFLAGS:= d${ABIFLAGS} .endif .if !empty(ABIFLAGS) PLIST_FILES+= bin/python${PYTHON_VER}${ABIFLAGS} \ bin/python${PYTHON_VER}${ABIFLAGS}-config \ libdata/pkgconfig/python-${PYTHON_VER}${ABIFLAGS}.pc \ libdata/pkgconfig/python-${PYTHON_VER}${ABIFLAGS}-embed.pc .endif .if ${ARCH} == sparc64 CFLAGS+= -DPYTHON_DEFAULT_RECURSION_LIMIT=900 .endif # See https://bugs.freebsd.org/115940 and https://bugs.freebsd.org/193650 .if !exists(/usr/bin/ypcat) || defined(WITHOUT_NIS) PLIST_SUB+= NO_NIS="@comment " DISABLED_EXTENSIONS+= nis .else PLIST_SUB+= NO_NIS="" .endif -.if ${SSL_DEFAULT:Mlibressl*} +#.if ${SSL_DEFAULT:Mlibressl*} EXTRA_PATCHES+= ${PATCHDIR}/libressl CONFIGURE_ENV+= ac_cv_working_openssl_hashlib=yes -.endif +#.endif post-patch: # disable the detection of includes and library from e2fsprogs-libuuid, # which introduces hidden dependency and breaks build @${REINPLACE_CMD} -e 's|uuid/uuid.h|ignore_&|' ${WRKSRC}/configure # disable detection of multiarch as it breaks with clang >= 13, which adds a # major.minor version number in -print-multiarch output, confusing Python @${REINPLACE_CMD} -e 's|^\( *MULTIARCH=\).*--print-multiarch.*|\1|' ${WRKSRC}/configure # Apply DISABLED_EXTENSIONS @${ECHO_CMD} '*disabled*' > ${WRKSRC}/Modules/Setup.local . for _module in ${DISABLED_EXTENSIONS} @${ECHO_CMD} ${_module} >> ${WRKSRC}/Modules/Setup.local . endfor post-install: .if ! ${PORT_OPTIONS:MDEBUG} ${RM} ${STAGEDIR}${PREFIX}/lib/libpython3.so # Upstream Issue: https://bugs.python.org/issue17975 .endif ${LN} -sf libpython${PYTHON_VER}${ABIFLAGS}.so.1.0 ${STAGEDIR}${PREFIX}/lib/libpython${PYTHON_VER}${ABIFLAGS}.so.1 # This code block exists for the qemu-user enabled cross build environment. # When using this environment in poudriere, CC is not set to the default # of /usr/bin/cc and a cross-compile toolchain is used. We need to hand # edit this so that the run time configuration for python matches what the # FreeBSD base system provides. sbruno 02Aug2017 .if ${CC} == /nxb-bin/usr/bin/cc @${REINPLACE_CMD} -e 's=/nxb-bin==' \ ${STAGEDIR}${PREFIX}/lib/python${PYTHON_VER}/_sysconfigdata_${ABIFLAGS}_freebsd${OSREL:R}_.py @cd ${WRKSRC} && ${SETENV} LD_LIBRARY_PATH=${WRKSRC} \ ./python -E -m compileall -d ${PREFIX}/lib/python${PYTHON_VER} \ ${STAGEDIR}${PREFIX}/lib/python${PYTHON_VER}/_sysconfigdata_${ABIFLAGS}_freebsd${OSREL:R}_.py @cd ${WRKSRC} && ${SETENV} LD_LIBRARY_PATH=${WRKSRC} \ ./python -E -O -m compileall -d ${PREFIX}/lib/python${PYTHON_VER} \ ${STAGEDIR}${PREFIX}/lib/python${PYTHON_VER}/_sysconfigdata_${ABIFLAGS}_freebsd${OSREL:R}_.py @${REINPLACE_CMD} -e 's=/nxb-bin==' \ ${STAGEDIR}${PREFIX}/lib/python${PYTHON_VER}/config-${PYTHON_VER}${ABIFLAGS}/Makefile .endif for i in ${STAGEDIR}${PREFIX}/lib/python${PYTHON_VER}/lib-dynload/*.so; do \ ${STRIP_CMD} $$i; done # Strip shared extensions ${INSTALL_DATA} ${WRKSRC}/Tools/gdb/libpython.py \ ${STAGEDIR}${PREFIX}/lib/libpython${PYTHON_VER}${ABIFLAGS}.so.1.0-gdb.py .include diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 70d027db63a2..351a41d6e976 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -1,241 +1,247 @@ PORTNAME= openssh DISTVERSION= 9.3p2 PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable PKGNAMESUFFIX?= -portable MAINTAINER= bdrewery@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH WWW= https://www.openssh.com/portable.html LICENSE= OPENSSH LICENSE_NAME= OpenSSH Licenses LICENSE_FILE= ${WRKSRC}/LICENCE LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel USES= alias autoreconf compiler:c11 cpe localbase ncurses \ pkgconfig ssl GNU_CONFIGURE= yes CONFIGURE_ARGS= --prefix=${PREFIX} \ --with-ssl-engine \ --with-mantype=man \ --with-Werror ETCOLD= ${PREFIX}/etc CPE_VENDOR= openbsd FLAVORS= default hpn gssapi default_CONFLICTS_INSTALL= openssh-portable-hpn openssh-portable-gssapi \ openssh-portable-x509 hpn_CONFLICTS_INSTALL= openssh-portable openssh-portable-gssapi \ openssh-portable-x509 hpn_PKGNAMESUFFIX= -portable-hpn gssapi_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \ openssh-portable-x509 gssapi_PKGNAMESUFFIX= -portable-gssapi OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \ HPN KERB_GSSAPI \ - LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD + LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD BADUSER OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F .if ${FLAVOR:U} == hpn OPTIONS_DEFAULT+= HPN NONECIPHER .endif .if ${FLAVOR:U} == gssapi OPTIONS_DEFAULT+= KERB_GSSAPI MIT .endif OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support BSM_DESC= OpenBSM Auditing KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= HPN-SSH patch LDNS_DESC= SSHFP/LDNS support HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) NONECIPHER_DESC= NONE Cipher support XMSS_DESC= XMSS key support (experimental) FIDO_U2F_DESC= FIDO/U2F support (security/libfido2) BLACKLISTD_DESC= FreeBSD blacklistd(8) support +BADUSER_DESC= Treat "Invalid user" as blacklistd AUTH_FAIL OPTIONS_SUB= yes PAM_EXTRA_PATCHES= ${FILESDIR}/extra-patch-pam-sshd_config TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} LDNS_LIB_DEPENDS= libldns.so:dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal PAM_CONFIGURE_WITH= pam TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers LIBEDIT_CONFIGURE_WITH= libedit LIBEDIT_USES= libedit BSM_CONFIGURE_ON= --with-audit=bsm FIDO_U2F_LIB_DEPENDS= libfido2.so:security/libfido2 FIDO_U2F_CONFIGURE_ON= --with-security-key-builtin FIDO_U2F_CONFIGURE_OFF= --disable-security-key BLACKLISTD_EXTRA_PATCHES= ${FILESDIR}/extra-patch-blacklistd +BADUSER_IMPLIES= BLACKLISTD ETCDIR?= ${PREFIX}/etc/ssh .include PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi #BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . endif # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to # pull from. GSSAPI_DEBIAN_VERSION= 9.4p1 GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1 # - Debian does not use a versioned filename so we trick fetch to make one for # us with the ?=/ trick. PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex # Bump this when updating the patch location GSSAPI_DISTVERSION= 9.4p1 PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-auth2-gss.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c .endif .if ${PORT_OPTIONS:MBLACKLISTD} CONFIGURE_LIBS+= -lblacklist .endif # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} #BROKEN= HPN: Not yet updated for ${DISTVERSION} yet. PORTDOCS+= HPN-README HPN_VERSION= 14v15 HPN_DISTVERSION= 7.7p1 #PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn #PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 .elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER} # Apply compatibility patch EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat .endif CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog # Keep this last EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently .endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so) IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base .endif .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE} . if ${PORT_OPTIONS:MHEIMDAL_BASE} CONFIGURE_LIBS+= -lgssapi_krb5 CONFIGURE_ARGS+= --with-kerberos5=/usr . else CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE} . endif . if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= # empty . endif .else . if ${PORT_OPTIONS:MKERB_GSSAPI} IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE . endif .endif .if ${OPENSSLBASE} != "/usr" CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .endif EMPTYDIR= /var/empty USE_RC_SUBR= openssh # After all CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR} .if !empty(CONFIGURE_LIBS) CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}' .endif CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth RC_SCRIPT_NAME= openssh VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} CFLAGS+= ${CFLAGS_${CHOSEN_COMPILER_TYPE}} CFLAGS_gcc= -Wno-stringop-truncation -Wno-stringop-overflow SSH_ASKPASS_PATH?= ${LOCALBASE}/bin/ssh-askpass post-patch: @${REINPLACE_CMD} \ -e 's|install: \(.*\) host-key check-config|install: \1|g' \ ${WRKSRC}/Makefile.in @${REINPLACE_CMD} \ -e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \ ${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac @${REINPLACE_CMD} \ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config @${REINPLACE_CMD} \ -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config.5 @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ ${WRKSRC}/version.h +post-patch-BADUSER-on: + @${REINPLACE_CMD} \ + -e 's|BLACKLIST_BAD_USER|BLACKLIST_AUTH_FAIL|' ${WRKSRC}/auth.c + post-configure-XMSS-on: @${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h post-configure-BLACKLISTD-on: @${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h post-install: ${MV} ${STAGEDIR}${ETCDIR}/moduli \ ${STAGEDIR}${ETCDIR}/moduli.sample ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ ${STAGEDIR}${ETCDIR}/ssh_config.sample ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ ${STAGEDIR}${ETCDIR}/sshd_config.sample .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} ${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} .endif test: build cd ${WRKSRC} && ${SETENV} -i \ OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \ TEST_SHELL=${SH} \ SUDO="${SUDO}" \ LOGNAME="${LOGNAME}" \ HOME="${HOME}" \ TEST_SSH_TRACE=yes \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests .include diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd index 7bb88b2961fe..127bfe8bcb3a 100644 --- a/security/openssh-portable/files/extra-patch-blacklistd +++ b/security/openssh-portable/files/extra-patch-blacklistd @@ -1,428 +1,428 @@ --- blacklist.c.orig 2021-04-28 13:37:52.679784000 -0700 +++ blacklist.c 2021-04-28 13:56:45.677805000 -0700 @@ -0,0 +1,92 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * Copyright (c) 2016 The FreeBSD Foundation, Inc. + * All rights reserved. + * + * Portions of this software were developed by Kurt Lidl + * under sponsorship from the FreeBSD Foundation. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#include +#include +#include +#include +#include +#include +#include + +#include "ssh.h" +#include "packet.h" +#include "log.h" +#include "misc.h" +#include +#include "blacklist_client.h" + +static struct blacklist *blstate = NULL; + +/* internal definition from bl.h */ +struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list)); + +/* impedence match vsyslog() to sshd's internal logging levels */ +void +im_log(int priority, const char *message, va_list args) +{ + LogLevel imlevel; + + switch (priority) { + case LOG_ERR: + imlevel = SYSLOG_LEVEL_ERROR; + break; + case LOG_DEBUG: + imlevel = SYSLOG_LEVEL_DEBUG1; + break; + case LOG_INFO: + imlevel = SYSLOG_LEVEL_INFO; + break; + default: + imlevel = SYSLOG_LEVEL_DEBUG2; + } + do_log2(imlevel, message, args); +} + +void +blacklist_init(void) +{ + + blstate = bl_create(false, NULL, im_log); +} + +void +blacklist_notify(int action, struct ssh *ssh, const char *msg) +{ + + if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh)) + (void)blacklist_r(blstate, action, + ssh_packet_get_connection_in(ssh), msg); +} --- blacklist_client.h.orig 2020-11-16 16:45:22.823087000 -0800 +++ blacklist_client.h 2020-11-16 16:45:09.761962000 -0800 @@ -0,0 +1,61 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * Copyright (c) 2016 The FreeBSD Foundation, Inc. + * All rights reserved. + * + * Portions of this software were developed by Kurt Lidl + * under sponsorship from the FreeBSD Foundation. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef BLACKLIST_CLIENT_H +#define BLACKLIST_CLIENT_H + +#ifndef BLACKLIST_API_ENUM +enum { + BLACKLIST_AUTH_OK = 0, + BLACKLIST_AUTH_FAIL, + BLACKLIST_ABUSIVE_BEHAVIOR, + BLACKLIST_BAD_USER +}; +#endif + +#ifdef USE_BLACKLIST +void blacklist_init(void); +void blacklist_notify(int, struct ssh *, const char *); + +#define BLACKLIST_INIT() blacklist_init() +#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg) + +#else + +#define BLACKLIST_INIT() +#define BLACKLIST_NOTIFY(x, ssh, msg) + +#endif + + +#endif /* BLACKLIST_CLIENT_H */ --- servconf.c.orig 2021-04-15 20:55:25.000000000 -0700 +++ servconf.c 2021-04-28 13:36:19.591999000 -0700 @@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options) options->max_sessions = -1; options->banner = NULL; options->use_dns = -1; + options->use_blacklist = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; options->num_authkeys_files = 0; @@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options) options->max_sessions = DEFAULT_SESSIONS_MAX; if (options->use_dns == -1) options->use_dns = 0; + if (options->use_blacklist == -1) + options->use_blacklist = 0; if (options->client_alive_interval == -1) options->client_alive_interval = 0; if (options->client_alive_count_max == -1) @@ -506,6 +509,7 @@ typedef enum { sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, sBanner, sUseDNS, sHostbasedAuthentication, + sUseBlacklist, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms, sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, @@ -642,6 +646,8 @@ static struct { { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, + { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL }, + { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL } /* alias */, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL }, @@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option intptr = &options->use_dns; goto parse_flag; + case sUseBlacklist: + intptr = &options->use_blacklist; + goto parse_flag; + case sLogFacility: log_facility_ptr = &options->log_facility; arg = strdelim(&cp); @@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); dump_cfg_fmtint(sUseDNS, o->use_dns); + dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); --- servconf.h.orig 2020-11-16 15:51:00.752090000 -0800 +++ servconf.h 2020-11-16 15:51:02.962173000 -0800 @@ -179,6 +179,7 @@ typedef struct { int max_sessions; char *banner; /* SSH-2 banner message */ int use_dns; + int use_blacklist; int client_alive_interval; /* * poke the client this often to * see if it's still there --- auth-pam.c.orig 2020-11-16 15:52:45.816578000 -0800 +++ auth-pam.c 2020-11-16 15:54:19.796583000 -0800 @@ -105,6 +105,7 @@ extern char *__progname; #include "ssh-gss.h" #endif #include "monitor_wrap.h" +#include "blacklist_client.h" extern ServerOptions options; extern struct sshbuf *loginmsg; @@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info, sshbuf_free(buffer); return (0); } + /* XXX: ssh context unavailable here, unclear if this is even needed. + BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, + the_active_state, sshpam_authctxt->user); + */ error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, sshpam_rhost); --- auth.c.orig 2020-11-16 15:52:45.824171000 -0800 +++ auth.c 2020-11-16 15:57:51.091969000 -0800 @@ -76,6 +76,7 @@ #include "ssherr.h" #include "compat.h" #include "channels.h" +#include "blacklist_client.h" /* import */ extern ServerOptions options; @@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti authmsg = "Postponed"; else if (partial) authmsg = "Partial"; - else + else { authmsg = authenticated ? "Accepted" : "Failed"; + if (authenticated) + BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh"); + } if ((extra = format_method_key(authctxt)) == NULL) { if (authctxt->auth_method_info != NULL) @@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user) aix_restoreauthdb(); #endif if (pw == NULL) { + BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user); logit("Invalid user %.100s from %.100s port %d", user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); #ifdef CUSTOM_FAILED_LOGIN --- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800 +++ auth2.c 2020-11-16 17:12:04.852943000 -0800 @@ -58,6 +58,7 @@ #endif #include "monitor_wrap.h" #include "digest.h" +#include "blacklist_client.h" /* import */ extern ServerOptions options; @@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct } else { /* Invalid user, fake password information */ authctxt->pw = fakepw(); + BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh"); #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(ssh, SSH_INVALID_USER)); #endif @@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co } else { /* Allow initial try of "none" auth without failure penalty */ if (!partial && !authctxt->server_caused_failure && - (authctxt->attempt > 1 || strcmp(method, "none") != 0)) + (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { authctxt->failures++; + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); + } if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES)); --- packet.c.orig 2020-11-16 15:52:45.839070000 -0800 +++ packet.c 2020-11-16 15:56:09.285418000 -0800 @@ -96,6 +96,7 @@ #include "packet.h" #include "ssherr.h" #include "sshbuf.h" +#include "blacklist_client.h" #ifdef PACKET_DEBUG #define DBG(x) x @@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, case SSH_ERR_NO_KEX_ALG_MATCH: case SSH_ERR_NO_HOSTKEY_ALG_MATCH: if (ssh && ssh->kex && ssh->kex->failed_choice) { + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); ssh_packet_clear_keys(ssh); errno = oerrno; logdie("Unable to negotiate with %s: %s. " --- sshd.c.orig 2021-08-19 21:03:49.000000000 -0700 +++ sshd.c 2021-09-10 10:37:17.926747000 -0700 @@ -123,6 +123,7 @@ #include "version.h" #include "ssherr.h" #include "sk-api.h" +#include "blacklist_client.h" #include "srclimit.h" #include "dh.h" @@ -366,6 +367,8 @@ grace_alarm_handler(int sig) kill(0, SIGTERM); } + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, the_active_state, "ssh"); + /* Log error and exit. */ if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0) cleanup_exit(255); /* don't log in privsep child */ @@ -2225,6 +2228,9 @@ main(int ac, char **av) if ((loginmsg = sshbuf_new()) == NULL) fatal_f("sshbuf_new failed"); auth_debug_reset(); + + if (options.use_blacklist) + BLACKLIST_INIT(); if (use_privsep) { if (privsep_preauth(ssh) == 1) --- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700 +++ Makefile.in 2022-10-09 10:50:06.401377000 -0700 @@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ @UNSUPPORTED_ALGORITHMS@ +LIBSSH_OBJS+= blacklist.o + all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) $(LIBSSH_OBJS): Makefile.in config.h --- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800 +++ sshd_config 2020-11-16 16:57:42.183846000 -0800 @@ -94,6 +94,7 @@ #PrintLastLog yes #TCPKeepAlive yes #PermitUserEnvironment no +#UseBlacklist no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 ---- sshd_config.5.orig 2020-11-16 16:57:58.533307000 -0800 -+++ sshd_config.5 2020-11-16 17:00:02.635070000 -0800 -@@ -1703,6 +1703,20 @@ for authentication using - .Cm TrustedUserCAKeys . - For more details on certificates, see the CERTIFICATES section in - .Xr ssh-keygen 1 . +--- sshd_config.5.orig 2023-03-15 22:28:19.000000000 +0100 ++++ sshd_config.5 2023-06-18 12:46:57.234767000 +0200 +@@ -1855,6 +1855,20 @@ + is to never expire connections for having no open channels. + This option may be useful in conjunction with + .Cm ChannelTimeout . +.It Cm UseBlacklist +Specifies whether +.Xr sshd 8 +attempts to send authentication success and failure messages +to the +.Xr blacklistd 8 +daemon. +The default is +.Cm no . +For forward compatibility with an upcoming +.Xr blacklistd +rename, the +.Cm UseBlocklist +alias can be used instead. .It Cm UseDNS Specifies whether .Xr sshd 8 --- monitor.c.orig 2020-11-16 17:24:03.457283000 -0800 +++ monitor.c 2020-11-16 17:25:57.642510000 -0800 @@ -96,6 +96,7 @@ #include "match.h" #include "ssherr.h" #include "sk-api.h" +#include "blacklist_client.h" #ifdef GSSAPI static Gssctxt *gsscontext = NULL; @@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { auth_log(ssh, authenticated, partial, auth_method, auth_submethod); - if (!partial && !authenticated) + if (!partial && !authenticated) { authctxt->failures++; + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, + ssh, "ssh"); + } if (authenticated || partial) { auth2_update_session_info(authctxt, auth_method, auth_submethod); @@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct } else { /* Log failed attempt */ auth_log(ssh, 0, 0, auth_method, NULL); + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); free(cuser); free(chost); } diff --git a/www/vaultwarden-web_vault/Makefile b/www/vaultwarden-web_vault/Makefile index 70728c592c5c..bcde4a5095c1 100644 --- a/www/vaultwarden-web_vault/Makefile +++ b/www/vaultwarden-web_vault/Makefile @@ -1,29 +1,29 @@ PORTNAME= vaultwarden -PORTVERSION= 2023.7.1 +PORTVERSION= 2023.8.2 DISTVERSIONPREFIX= v CATEGORIES= www security MASTER_SITES= https://github.com/dani-garcia/bw_web_builds/releases/download/${DISTVERSIONPREFIX}${DISTVERSION}/ PKGNAMESUFFIX= _web-vault DISTNAME= bw_web_${DISTVERSIONPREFIX}${DISTVERSION} MAINTAINER= mr@FreeBSD.org COMMENT= Vaultwarden WebUI WWW= https://github.com/dani-garcia/bw_web_builds LICENSE= GPLv3 WRKSRC= ${WRKDIR}/web-vault NO_ARCH= yes NO_BUILD= yes SUB_LIST= WWWGRP=${WWWGRP} \ WWWOWN=${WWWOWN} do-install: @${MKDIR} ${STAGEDIR}${WWWDIR}/web-vault (cd ${WRKSRC} && ${COPYTREE_SHARE} . ${STAGEDIR}/${WWWDIR}/web-vault) (cd ${WRKSRC}; ${FIND} . -not -type d) | ${SORT} | \ ${SED} -e 's,^\.,${WWWDIR_REL}/web-vault,' >> ${TMPPLIST} .include diff --git a/www/vaultwarden-web_vault/distinfo b/www/vaultwarden-web_vault/distinfo index 553f2b0f1a4d..c414f6dad8d1 100644 --- a/www/vaultwarden-web_vault/distinfo +++ b/www/vaultwarden-web_vault/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1693656296 -SHA256 (bw_web_v2023.7.1.tar.gz) = 0d7ea02eb13cc7b29c875af7ecc787c0a4990c22df13a024f0589e6faa3703d4 -SIZE (bw_web_v2023.7.1.tar.gz) = 10744083 +TIMESTAMP = 1696592157 +SHA256 (bw_web_v2023.8.2.tar.gz) = 99c403b98074e2df4b2c0f55e5e04191912db1f4bf90e5145b5b58889853e9c7 +SIZE (bw_web_v2023.8.2.tar.gz) = 10887487