security/dropbear: update to 2022.83

Features and Changes:
  Note >> for compatibility/configuration changes

- >> Disable DROPBEAR_DSS by default
  It is only 1024 bit and uses sha1, most distros disable it by default already.

- Added DROPBEAR_RSA_SHA1 option to allow disabling sha1 rsa signatures.
  >> RSA with sha1 will be disabled in a future release (rsa keys will continue
  to work OK, with sha256 signatures used instead).

- Add option for requiring both password and pubkey (-t)
  Patch from Jackkal

- Add 'no-touch-required' and 'verify-required' options for sk keys
  Patch from Egor Duda

  - >> DROPBEAR_SK_KEYS config option now replaces separate DROPBEAR_SK_ECDSA
  and DROPBEAR_SK_ED25519 options.

- Add 'permitopen' option for authorized_keys to restrict forwarded ports
  Patch from Tuomas Haikarainen

- >> Added LTM_CFLAGS configure argument to set flags for building
  bundled libtommath. This also restores the previous arguments used
  in 2020.81 (-O3 -funroll-loops). That gives a big speedup for RSA
  key generation, which regressed in 2022.82.
  There is a tradeoff with code size, so -Os can be used if required.
  https://github.com/mkj/dropbear/issues/174
  Reported by David Bernard

- Add '-z' flag to disable setting QoS traffic class. This may be necessary
  to work with broken networks or network drivers, exposed after changes to use
  AF21 in 2022.82
  https://github.com/mkj/dropbear/issues/193
  Reported by yuhongwei380, patch from Petr Štetiar

- Allow overriding user shells with COMPAT_USER_SHELLS
  Based on a patch from Matt Robinson

- Improve permission error message
  Patch from k-kurematsu

- >> Remove HMAC_MD5 entirely

Regression fixes from 2022.82:

- Fix X11 build

- Fix build warning

- Fix compilation when disabling pubkey authentication
  Patch from MaxMougg

- Fix MAX_UNAUTH_CLIENTS regression
  Reported by ptpt52

- Avoid using slower prime testing in bundled libtomcrypt when DSS is disabled
  https://github.com/mkj/dropbear/issues/174
  Suggested by Steffen Jaeckel

- Fix Dropbear plugin support
  https://github.com/mkj/dropbear/issues/194
  Reported by Struan Bartlett

Other fixes:

- Fix long standing incorrect compression size check. Dropbear
  (client or server) would erroneously exit with
  "bad packet, oversized decompressed"
  when receiving a compressed packet of exactly the maximum size.

- Fix missing setsid() removed in 2020.79
  https://github.com/mkj/dropbear/issues/180
  Reported and debugged by m5jt and David Bernard

- Try keyboard-interactive auth before password, in dbclient.
  This was unintentionally changed back in 2013
  https://github.com/mkj/dropbear/pull/190
  Patch from Michele Giacomoli

- Drain the terminal when reading the fingerprint confirmation response
  https://github.com/mkj/dropbear/pull/191
  Patch from Michele Giacomoli

- Fix utx wtmp variable typo. This has been wrong for a long time but
  only recently became a problem when wtmp was detected.
  https://github.com/mkj/dropbear/pull/189
  Patch from Michele Giacomoli

- Improve configure test for hardening options.
  Fixes building on AIX
  https://github.com/mkj/dropbear/issues/158

- Fix debian/dropbear.init newline
  From wulei-student

Infrastructure:

- Test off-by-default compile options
- Set -Wundef to catch typos in #if statements

2 files changed, 14 insertions, 6 deletions

diff --git a/security/dropbear/Makefile b/security/dropbear/Makefile
index 7afc1bf72496..b4d920a1c25f 100644
--- a/security/dropbear/Makefile
+++ b/security/dropbear/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	dropbear
-PORTVERSION=	2022.82
+PORTVERSION=	2022.83
 CATEGORIES=	security
 MASTER_SITES=	https://matt.ucc.asn.au/dropbear/releases/
 
@@ -23,10 +23,10 @@ OPTIONS_DEFAULT=	AES128 AES256 CURVE25519 ECDSA ED25519 GCM \
 			GROUP14_SHA256 GROUP16 RSA SHA2_256
 OPTIONS_MULTI=		ENC KEY KEX MAC MODE
 OPTIONS_MULTI_ENC=	3DES AES128 AES256 CHACHA20POLY1305
-OPTIONS_MULTI_KEY=	ECDSA ED25519 RSA
+OPTIONS_MULTI_KEY=	DSS ECDSA ED25519 RSA
 OPTIONS_MULTI_KEX=	CURVE25519 ECDH GROUP1 GROUP14_SHA1 GROUP14_SHA256 \
 			GROUP16
-OPTIONS_MULTI_MAC=	MD5 SHA1 SHA1_96 SHA2_256 SHA2_512
+OPTIONS_MULTI_MAC=	MD5 RSA_SHA1 SHA1 SHA1_96 SHA2_256 SHA2_512
 OPTIONS_MULTI_MODE=	CBC CTR GCM
 
 3DES_DESC=		Enable 3DES-based encryption
@@ -36,6 +36,7 @@ CBC_DESC=		Use CBC mode for ciphers (less secure)
 CHACHA20POLY1305_DESC=	Enable chacha20poly1305-based encryption
 CTR_DESC=		Use CTR mode for ciphers
 CURVE25519_DESC=	Enable Curve25519
+DSS_DESC=		Enable DSS (insecure)
 ECDH_DESC=		Enable ECDH (insecure)
 ECDSA_DESC=		Enable ECDSA public key support
 ED25519_DESC=		Enable ED25519 public key support
@@ -46,6 +47,7 @@ GROUP16_DESC=		Enable Group16 Diffie-Hellman
 GROUP1_DESC=		Enable Group1 Diffie-Hellman (insecure)
 MD5_DESC=		Enable MD5 MAC (broken)
 RSA_DESC=		Enable RSA public key support
+RSA_SHA1_DESC=		Enable RSA SHA1 MAC (insecure)
 SHA1_96_DESC=		Enable SHA1_96 MAC (less secure)
 SHA1_DESC=		Enable SHA1 MAC (less secure)
 SHA2_256_DESC=		Enable SHA2_256 MAC
@@ -89,6 +91,9 @@ post-patch-GCM-on:
 post-patch-CURVE25519-off:
 	@${ECHO} "#define DROPBEAR_CURVE25519 0" >> ${WRKSRC}/localoptions.h
 
+post-patch-DSS-on:
+	@${ECHO} "#define DROPBEAR_DSS 1" >> ${WRKSRC}/localoptions.h
+
 post-patch-ECDH-off:
 	@${ECHO} "#define DROPBEAR_ECDH 0" >> ${WRKSRC}/localoptions.h
 
@@ -107,6 +112,9 @@ post-patch-GROUP16-on:
 post-patch-RSA-off:
 	@${ECHO} "#define DROPBEAR_RSA 0" >> ${WRKSRC}/localoptions.h
 
+post-patch-RSA_SHA1-off:
+	@${ECHO} "#define DROPBEAR_RSA_SHA1 0" >> ${WRKSRC}/localoptions.h
+
 post-patch-ECDSA-off:
 	@${ECHO} "#define DROPBEAR_ECDSA 0" >> ${WRKSRC}/localoptions.h
 
diff --git a/security/dropbear/distinfo b/security/dropbear/distinfo
index 2eb40d600511..74bcc7f48d49 100644
--- a/security/dropbear/distinfo
+++ b/security/dropbear/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1649278626
-SHA256 (dropbear-2022.82.tar.bz2) = 3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1
-SIZE (dropbear-2022.82.tar.bz2) = 2309514
+TIMESTAMP = 1668547002
+SHA256 (dropbear-2022.83.tar.bz2) = bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b
+SIZE (dropbear-2022.83.tar.bz2) = 2322904