4d3fc8b057
This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
71 lines
1.9 KiB
Makefile
71 lines
1.9 KiB
Makefile
# $FreeBSD$
|
|
|
|
.include <src.opts.mk>
|
|
.include "${SRCTOP}/secure/ssh.mk"
|
|
|
|
LIB= ssh
|
|
PRIVATELIB= true
|
|
SHLIB_MAJOR= 5
|
|
SRCS= ssh_api.c ssherr.c \
|
|
sshbuf.c sshkey.c sshbuf-getput-basic.c \
|
|
sshbuf-misc.c sshbuf-getput-crypto.c krl.c bitmap.c
|
|
SRCS+= authfd.c authfile.c \
|
|
canohost.c channels.c cipher.c cipher-aes.c cipher-aesctr.c \
|
|
cleanup.c \
|
|
compat.c fatal.c hostfile.c \
|
|
log.c match.c moduli.c nchan.c packet.c \
|
|
readpass.c ttymodes.c xmalloc.c addr.c addrmatch.c \
|
|
atomicio.c dispatch.c mac.c misc.c utf8.c \
|
|
monitor_fdpass.c rijndael.c ssh-dss.c ssh-ecdsa.c ssh-ecdsa-sk.c \
|
|
ssh-ed25519-sk.c ssh-rsa.c dh.c \
|
|
msg.c progressmeter.c dns.c entropy.c umac.c umac128.c \
|
|
ssh-pkcs11.c smult_curve25519_ref.c \
|
|
poly1305.c chacha.c cipher-chachapoly.c cipher-chachapoly-libcrypto.c \
|
|
ssh-ed25519.c digest-openssl.c digest-libc.c \
|
|
hmac.c ed25519.c hash.c \
|
|
kex.c kexdh.c kexgex.c kexecdh.c kexc25519.c \
|
|
kexgexc.c kexgexs.c \
|
|
kexsntrup761x25519.c sntrup761.c kexgen.c \
|
|
sftp-realpath.c platform-pledge.c platform-tracing.c platform-misc.c \
|
|
sshbuf-io.c
|
|
SRCS+= ssh-sk-client.c
|
|
|
|
PACKAGE= ssh
|
|
|
|
# gss-genr.c should be in $SRCS but causes linking problems, so it is
|
|
# compiled directly into sshd instead.
|
|
|
|
# Portability layer
|
|
SRCS+= bcrypt_pbkdf.c blowfish.c bsd-misc.c bsd-signal.c explicit_bzero.c \
|
|
fmt_scaled.c freezero.c glob.c \
|
|
libressl-api-compat.c \
|
|
mktemp.c \
|
|
openssl-compat.c port-net.c \
|
|
recallocarray.c strtonum.c timingsafe_bcmp.c vis.c xcrypt.c
|
|
|
|
.if ${MK_LDNS} == "no"
|
|
SRCS+= getrrsetbyname.c
|
|
.else
|
|
LDNSDIR= ${SRCTOP}/contrib/ldns
|
|
CFLAGS+= -DHAVE_LDNS=1 -I${LDNSDIR}
|
|
SRCS+= getrrsetbyname-ldns.c
|
|
LIBADD+= ldns
|
|
.endif
|
|
|
|
.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
|
|
CFLAGS+= -include krb5_config.h
|
|
SRCS+= krb5_config.h
|
|
.endif
|
|
|
|
.if defined(LOCALBASE)
|
|
CFLAGS+= -D_PATH_SSH_ASKPASS_DEFAULT='"${LOCALBASE}/bin/ssh-askpass"'
|
|
.endif
|
|
|
|
NO_LINT=
|
|
|
|
LIBADD+= crypto crypt z
|
|
|
|
.include <bsd.lib.mk>
|
|
|
|
.PATH: ${SSHDIR} ${SSHDIR}/openbsd-compat
|