view debian/rules @ 1715:3974f087d9c0

Disallow leading lines before the ident for server (#102) Per RFC4253 4.2 clients must be able to process other lines of data before the version string, server behavior is not defined neither with MUST/SHOULD nor with MAY. If server process up to 50 lines too - it may cause too long hanging session with invalid/evil client that consume host resources and potentially may lead to DDoS on poor embedded boxes. Let's require first line from client to be version string and fail early if it's not - matches both RFC and real OpenSSH behavior.
author Vladislav Grishenko <themiron@users.noreply.github.com>
date Mon, 15 Jun 2020 18:22:18 +0500
parents 7b68e581985f
children
line wrap: on
line source

#!/usr/bin/make -f

export DEB_BUILD_MAINT_OPTIONS = hardening=+all
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

#export DH_OPTIONS
DEB_HOST_GNU_TYPE ?=$(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
DEB_BUILD_GNU_TYPE ?=$(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)

STRIP =strip
ifneq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
  STRIP =: nostrip
endif

CONFFLAGS =
CC =gcc
ifneq (,$(findstring diet,$(DEB_BUILD_OPTIONS)))
  CONFFLAGS =--disable-zlib
  CC =diet -v -Os gcc -nostdinc
endif

DIR =$(shell pwd)/debian/dropbear

patch: deb-checkdir patch-stamp
patch-stamp:
	for i in `ls -1 debian/diff/*.diff || :`; do \
	  patch -p1 <$$i || exit 1; \
	done
	touch patch-stamp

config.status: patch-stamp configure
	CC='$(CC)' \
	CFLAGS='$(CFLAGS)'' -DSFTPSERVER_PATH="\"/usr/lib/sftp-server\""' \
	  ./configure --host='$(DEB_HOST_GNU_TYPE)' \
	    --build='$(DEB_BUILD_GNU_TYPE)' --prefix=/usr \
	    --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
	    $(CONFFLAGS)

build: deb-checkdir build-stamp
build-stamp: config.status
	$(MAKE) CC='$(CC)' LD='$(CC)'
	touch build-stamp

clean: deb-checkdir deb-checkuid
	test ! -r Makefile || $(MAKE) distclean
	rm -f libtomcrypt/Makefile libtommath/Makefile
	test ! -e patch-stamp || \
	  for i in `ls -1r debian/diff/*.diff || :`; do \
	    patch -p1 -R <$$i; \
	  done
	rm -f patch-stamp build-stamp config.log config.status
	rm -rf '$(DIR)'
	rm -f debian/files debian/substvars debian/copyright changelog

install: deb-checkdir deb-checkuid build-stamp
	rm -rf '$(DIR)'
	install -d -m0755 '$(DIR)'/etc/dropbear
	# programs
	install -d -m0755 '$(DIR)'/usr/sbin
	install -m0755 dropbear '$(DIR)'/usr/sbin/dropbear
	install -d -m0755 '$(DIR)'/usr/bin
	install -m0755 dbclient '$(DIR)'/usr/bin/dbclient
	install -m0755 dropbearkey '$(DIR)'/usr/bin/dropbearkey
	install -d -m0755 '$(DIR)'/usr/lib/dropbear
	install -m0755 dropbearconvert \
	  '$(DIR)'/usr/lib/dropbear/dropbearconvert
	$(STRIP) -R .comment -R .note '$(DIR)'/usr/sbin/* \
	  '$(DIR)'/usr/bin/* '$(DIR)'/usr/lib/dropbear/*
	# init and run scripts
	install -d -m0755 '$(DIR)'/etc/init.d
	install -m0755 debian/dropbear.init '$(DIR)'/etc/init.d/dropbear
	install -m0755 debian/service/run '$(DIR)'/etc/dropbear/run
	install -d -m0755 '$(DIR)'/etc/dropbear/log
	install -m0755 debian/service/log '$(DIR)'/etc/dropbear/log/run
	ln -s /var/log/dropbear '$(DIR)'/etc/dropbear/log/main
	# man pages
	install -d -m0755 '$(DIR)'/usr/share/man/man8
	install -d -m0755 '$(DIR)'/usr/share/man/man1
	install -m644 dropbear.8 '$(DIR)'/usr/share/man/man8/
	for i in dbclient.1 dropbearkey.1 dropbearconvert.1; do \
	  install -m644 $$i '$(DIR)'/usr/share/man/man1/ || exit 1; \
	done
	gzip -9 '$(DIR)'/usr/share/man/man8/*.8
	gzip -9 '$(DIR)'/usr/share/man/man1/*.1
	# copyright, changelog
	cat debian/copyright.in LICENSE >debian/copyright
	test -r changelog || ln -s CHANGES changelog

binary-indep:

binary-arch: install dropbear.deb
	test '$(CC)' != 'gcc' || \
	  dpkg-shlibdeps '$(DIR)'/usr/sbin/* '$(DIR)'/usr/bin/* \
	    '$(DIR)'/usr/lib/dropbear/*
	dpkg-gencontrol -isp -pdropbear -P'$(DIR)'
	dpkg -b '$(DIR)' ..

binary: binary-arch binary-indep

.PHONY: patch build clean install binary-indep binary-arch binary

include debian/implicit