summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core/dropbear
Commit message (Collapse)AuthorAgeFilesLines
* dropbear: remove localoptions.h in source searchingAndrej Valek2018-09-202-52/+0
| | | | | | | - localoptions.h is automatically searched in build directory Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: Fix CVE-2018-15599Mingli Yu2018-09-063-6/+254
| | | | | | | | | | | Wait to fail invalid usernames to fix CVE-2018-15599 Rework 0006-dropbear-configuration-file.patch to fix fuzz warnings Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear.inc: add dependency on virtual/crypt to fix build with glibc-2.28Martin Jansa2018-08-141-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | configure tests crypt() existence with: dnl We test for crypt() specially. On Linux (and others?) it resides in libcrypt dnl but we don't want link all binaries to -lcrypt, just dropbear server. dnl OS X doesn't need -lcrypt AC_CHECK_FUNC(crypt, found_crypt_func=here) AC_CHECK_LIB(crypt, crypt, [ CRYPTLIB="-lcrypt" found_crypt_func=here ]) AC_SUBST(CRYPTLIB) if test "t$found_crypt_func" = there; then AC_DEFINE(HAVE_CRYPT, 1, [crypt() function]) fi but that silently fails with glibc-2.28 and a bit later do_compile fails with; http://errors.yoctoproject.org/Errors/Details/185895/ ../dropbear-2018.76/sysoptions.h:237:3: error: #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'." #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'." ^~~~~ Add dependency on virtual/crypt so that do_configure detects it correctly. Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: add default config file to disable root loginJackie Huang2018-07-072-0/+5
| | | | | | | | | | root login is disabled by default for openssh and we can enable it through IMAGE_FEATURES 'debug-tweaks' or 'allow-empty-password', so change to the same default behavior for dropbear. Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: drop obsolete patch 0004-fix-2kb-keys.patchAndre McCurdy2018-06-072-20/+0
| | | | | | | | | | | | | | | | | | | The origins of the patch date back to early 2005 (prior to the start of git history in oe-core) to fix a hardcoded limit on the maximum size of remote host keys: http://familiar.handhelds.narkive.com/b1VGg2bI/problem-w-dropbear-ssh The hardcoded limit was fixed upstream in dropbear 0.47: https://github.com/mkj/dropbear/commit/736f370dce614b717193f45d084e9e009de723ce The patch has therefore been obsolete since then. It went unnoticed until now as the patch has continued to apply - it modifies a value which is not used. Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: drop run time detection of read-only rootfsAndre McCurdy2018-06-041-18/+8
| | | | | | | | | | | | | | Previously, when dropbear was started via its init script, relocation of DROPBEAR_RSAKEY_DIR to support read-only rootfs was handled at run time from within the init script. Update the init script to take advantage of the read-only rootfs config setup by read_only_rootfs_hook() and therefore be consistent with startup under systemd (where relocation of DROPBEAR_RSAKEY_DIR is handled by the read_only_rootfs_hook() at build time). Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: update to 2018.76Andrej Valek2018-05-049-265/+92
| | | | | | | | | | - update dropbear to version 2018.76 - refresh and drop obsolete patches - add option to use localoptions.h header file - do not use harden stuff, which leads to QA warning Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: refresh patchesRoss Burton2018-03-071-10/+7
| | | | | | | | | | | | | | | | The patch tool will apply patches by default with "fuzz", which is where if the hunk context isn't present but what is there is close enough, it will force the patch in. Whilst this is useful when there's just whitespace changes, when applied to source it is possible for a patch applied with fuzz to produce broken code which still compiles (see #10450). This is obviously bad. We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For that to be realistic the existing patches with fuzz need to be rebased and reviewed. Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: reduce local pending patchesDengke Du2017-07-172-11/+13
| | | | | Signed-off-by: Dengke Du <dengke.du@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: upgrade 2016.74 -> 2017.75Dengke Du2017-06-033-50/+5
| | | | | | | | | Drop patch support-out-of-tree-builds.patch: Because the upstream has already contain it. Signed-off-by: Dengke Du <dengke.du@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: drop support for DSA host keys in dropbear init scriptAndre McCurdy2017-03-101-30/+6
| | | | | | | | | | | Bring the dropbear init script into sync with the systemd service file (dropbearkey.service supports RSA host keys only) and with recent versions of openssh which deprecate DSA host keys. https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* recipes: Make use of the new bb.utils.filter() functionPeter Kjellerstedt2017-03-011-3/+3
| | | | | Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: deterministic selection of system -vs- bundled libtom libsAndre McCurdy2016-09-191-0/+4
| | | | | | | | | | | | Dropbear will use system versions of libtommath and libtomcrypt if available. To make builds deterministic, add a PACKAGECONFIG option to choose system libs or force use of the bundled versions. Note that currently there are no libtommath or libtomcrypt recipes in oe-core, so default to using the bundled versions. Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: fix -ltomcrypt -ltommath order when using system libtom libsAndre McCurdy2016-09-192-0/+49
| | | | | | | | | | | | | To prevent build failures when using system libtom libraries and linking with --as-needed, LIBTOM_LIBS should be in the order -ltomcrypt -ltommath, not the other way around, ie libs should be prepended to LIBTOM_LIBS as they are found, not appended. Note that LIBTOM_LIBS is not used when linking with the bundled libtom libs. Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear/init: Allow extra arguments for key generationMike Looijmans2016-08-171-2/+2
| | | | | | | | | | | | | | | | | | This patch adds DROPBEAR_RSAKEY_ARGS and DROPBEAR_DSSKEY_ARGS optional parameters to /etc/default/dropbear. The contents are simply passed to the 'dropbearkey' program when generating a host key. The default keysize for RSA is currently 2048 bits. It takes a CortexA9 running at 700MHz between 4 and 10 seconds to calculate a keypair. The board boots Linux in about a second, but you have to wait for several seconds because of the keypair generation. This patch allows one to put the line DROPBEAR_RSAKEY_ARGS="-s 1024" into /etc/default/dropbear, and have a host key generated in about 0.2 seconds on the same CPU. This is particulary useful for read-only rootfs systems which generate a key on each boot. Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl> Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: upgrade to 2016.74Maxin B. John2016-08-012-7/+7
| | | | | | | 2016.73 -> 2016.74 Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* meta: update patch metadataRoss Burton2016-07-081-1/+1
| | | | | | Enforce the correct tag names across all of oe-core for consistency. Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: Remove incorrect SFTPSERVER_PATH from CFLAGSDominic Sacré2016-05-301-1/+0
| | | | | | | | | | | | Openssh now installs the sftp-server binary as /usr/libexec/sftp-server, whereas the dropbear recipe assumes a different path. Dropbear uses the correct path by default, so it's no longer necessary to override SFTPSERVER_PATH via CFLAGS. This fixes SFTP access to systems using dropbear as the SSH server. Signed-off-by: Dominic Sacré <dominic.sacre@gmx.de> Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: Upgrade 2015.71 -> 2016.73Jussi Kukkonen2016-05-253-5/+50
| | | | | | | Backport a patch to fix out-of-tree build. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear.inc: drop legacy CFLAGS and LD tweaksAndre McCurdy2015-12-121-3/+0
| | | | | | | | | The CFLAGS and LD tweaks in dropbear.inc date back to 2005/2006 and whatever issue they worked around back then seems to have been fixed in the latest versions of dropbear. Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: update 2015.70 -> 2015.71Andre McCurdy2015-12-122-5/+5
| | | | | | | | | | | | | | | | | | | 2015.71 - 3 December 2015 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 - Fix crash on exit when -p address:port is used, broke in 2015.68 - Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev - Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert, broke in 2015.70 - Fix server race condition that could cause sessions to hang on exit, https://github.com/robotframework/SSHLibrary/issues/128 Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: Upgrade 2015.68 -> 2015.70Jussi Kukkonen2015-12-123-13/+22
| | | | | | | Tweak a pam patch to make it apply on current source. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: fix key generation when systemd is in use and rootfs is readonlyAlexander Kanavin2015-10-012-3/+9
| | | | | Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: update to 2015.68Alexander Kanavin2015-08-313-5/+5
| | | | | | | | | LICENSE checksum has changed because the copyright year was changed from 2014 to 2015 in it: https://github.com/mkj/dropbear/commit/19e1afbd1ca6d306166ce74bcd6c6889f8d196f3 Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: 2014.66 -> 2015.67Robert Yang2015-06-112-4/+4
| | | | Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
* dropbear: upgrade to 2014.66Paul Eggleton2015-01-074-6/+6
| | | | | | | | | * Upgrade to upstream 2014.66; incorporates several minor bugfix releases. * LIC_FILES_CHKSUM changed because the copyright year changed; there was no change to the license text itself. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
* dropbear: add pam modules dependenciesWenzong Fan2014-09-161-0/+7
| | | | | | | | | | | | | | | If pam distro feature enabled, dropbear will need below pam rpms to work: * libpam-runtime * pam-plugin-deny * pam-plugin-permit * pam-plugin-unix Just add the runtime dependencies explicitly. Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
* dropbear: add missing patch headerPaul Eggleton2014-05-151-1/+3
| | | | | | | | * Add a brief subject mentioning what the patch is for * Add Upstream-Status Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* dropbear: avoid pipe with sedMatthieu Crapet2014-05-081-14/+14
| | | | | | | | | | | | Replace: cat <file> | sed -e xxx By: sed -e xxx <file> + fix indentation Signed-off-by: Matthieu Crapet <Matthieu.Crapet@ingenico.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* Globally replace 'base_contains' calls with 'bb.utils.contains'Otavio Salvador2014-04-251-4/+4
| | | | | | | | | The base_contains is kept as a compatibility method and we ought to not use it in OE-Core so we can remove it from base metadata in future. Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: upgrade to 2014.63Paul Eggleton2014-02-284-69/+4
| | | | | | | | Drop 0002-static_build_fix.patch since an equivalent fix has been merged upstream. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: add systemd unit filesChen Qi2014-01-284-1/+45
| | | | | | | | | | This patch mainly comes from meta-systemd with a few modifications. The purpose is to get rid of the LSB init scripts in systemd images. [YOCTO #4420] Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* dropbear: Refresh pam patch so it applies against recent versionRichard Purdie2014-01-141-10/+7
| | | | | | | Patch application failed on the autobuilder for pam, this refresh of the patch should resolve the build failure. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: upgrade to 2013.62Paul Eggleton2014-01-1410-6/+6
| | | | | | | | | | LIC_FILES_CHKSUM has changed with the introduction of a BSD-3-Clause algorithm (curve25519-donna); this has prompted a re-evaluation of the LICENSE value which should now reflect the licenses declared in the upstream documentation. Thanks to Beth Flanagan for helping with this. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* classes/recipes: More optimal DISTRO_FEATURES referencesRichard Purdie2013-12-051-8/+4
| | | | | | | Using the contains function results in more optimal sstate checksums resulting in better cache reuse as we as more consistent code. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: set SUMMARY instead of DESCRIPTIONPaul Eggleton2013-12-031-1/+1
| | | | | | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: update to 2013.60 versionMaxin B. John2013-10-2610-23/+13
| | | | | | | | update to latest version 2013.60 Update 0006-dropbear-configuration-file.patch for 2013.60 Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* dropbear: pass SFTPSERVER_PATH explicitlyRoy Li2013-09-261-0/+1
| | | | | | | | | | The default value of SFTPSERVER_PATH is "/usr/libexec/sftp-server" defined in dropbear-2013.58/option.h, but after commit 406bd38b423[bitbake.conf: change libexecdir to ${libdir}/${BPN}], sftp-server is provided by openssh package, and is installed into ${libdir}/openssh, so we pass it explicitly. Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: a fix for hang in dropbearkey, built for x32Nitin A Kamble2013-05-242-1/+142
| | | | | | | | | | | | | | | | | | This commit fixes runtime hang of 'dropbearkey' utility, built for a x32 target abi system. The hang was observed while generating ssh keys, with this command: dropbearkey -t dss -f private The issue is fixed by changing the code, where 'long' in x86_64 mode is assumed as 64bit quantity. With the x32 abi, the processor is in x86_64 mode, but the 'long' is a 32bit quantity. Hence the fix uses 'long long' instead of 'long' to define/access 64bit data variables. Fixes bug: [YOCTO #4496] Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* dropbear: update to 2013.58Eric Bénard2013-04-2911-164/+109
| | | | | | | | | - patches updated - nopw-option.patch dropped as the option is integrated since 2013.56 - compile tested for ARMv5 target Signed-off-by: Eric Bénard <eric@eukrea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* dropbear: update patch upstream statusPaul Eggleton2013-03-091-1/+1
| | | | | | | Blank password option patch has now been accepted upstream. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: use pidfile for daemon start/stop/restartRoman I Khimov2013-02-151-4/+5
| | | | | | | | Old init script killed all dropbear processes when doing stop/restart including open SSH sessions which is very annoying. Signed-off-by: Roman I Khimov <khimov@altell.ru> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: fix RPROVIDESMartin Jansa2013-02-041-1/+2
| | | | | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: Deal with truncated host keys by removing themHolger Hans Peter Freyther2013-01-202-1/+7
| | | | | | | | | | Dropbear does not start when the host key is empty and it is possible that a device is switched off before the host key is generated. This is possible because the dropbearkey code doesn't create a temporary file first. Detect truncated keys and then remove them which will lead to the re-generation. This way the dropbear process will always start. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: allow configuring blank password option at runtimePaul Eggleton2013-01-183-23/+108
| | | | | | | | | | | Instead of using IMAGE_FEATURES to control something within a recipe, allow this to be set at runtime, avoiding the need to rebuild dropbear when we want to change this option. First half of the fix for [YOCTO #2578]. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
* dropbear: use new update-alternativesMark Hatle2012-05-302-7/+8
| | | | Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* dropbear: fix include dependent PR generationSteffen Sledz2012-05-252-1/+3
| | | | Signed-off-by: Steffen Sledz <sledz@dresearch-fe.de>
* dropbear: Allow tasks to be safely re-executedRichard Purdie2012-04-161-10/+1
| | | | | | | | | | Re-running the debug_patch task would cause the build to fail. This patch moves the extra patch handling directly into SRC_URI and removes the need for the separate task, allowing safe re-execution of each task. [YOCTO #2194] Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dropbear: upgrade to 2012.55Shane Wang2012-03-213-6/+6
| | | | Signed-off-by: Shane Wang <shane.wang@intel.com>
* dropbear: fix CRYPTLIB patchSaul Wold2012-01-032-20/+49
| | | | Signed-off-by: Saul Wold <sgw@linux.intel.com>