diff options
Diffstat (limited to 'meta/recipes-core/dropbear')
13 files changed, 140 insertions, 335 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch index dc9d5782e8..c74f09e484 100644 --- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch +++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch @@ -2,22 +2,22 @@ Subject: [PATCH 1/6] urandom-xauth-changes-to-options.h Upstream-Status: Inappropriate [configuration] --- - options.h | 2 +- + src/default_options.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/options.h b/options.h -index 7d06322..71a21c2 100644 ---- a/options.h -+++ b/options.h -@@ -247,7 +247,7 @@ much traffic. */ +diff --git a/src/default_options.h b/src/default_options.h +index 6e970bb..ccc8b47 100644 +--- a/src/default_options.h ++++ b/src/default_options.h +@@ -311,7 +311,7 @@ group1 in Dropbear server too */ + /* The command to invoke for xauth when using X11 forwarding. * "-q" for quiet */ - #ifndef XAUTH_COMMAND -#define XAUTH_COMMAND "/usr/bin/xauth -q" +#define XAUTH_COMMAND "xauth -q" - #endif - /* if you want to enable running an sftp server (such as the one included with + + /* If you want to enable running an sftp server (such as the one included with -- -1.7.11.7 +2.34.1 diff --git a/meta/recipes-core/dropbear/dropbear/0003-configure.patch b/meta/recipes-core/dropbear/dropbear/0003-configure.patch deleted file mode 100644 index 8469a50eff..0000000000 --- a/meta/recipes-core/dropbear/dropbear/0003-configure.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 58dd24a80ca0f400d0761afd9ce2b7f684fc9125 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Eric=20B=C3=A9nard?= <eric@eukrea.com> -Date: Thu, 25 Apr 2013 00:27:25 +0200 -Subject: [PATCH] configure: add a variable to allow openpty check to be cached - -Upstream-Status: Submitted [ https://github.com/mkj/dropbear/pull/48 ] - -Signed-off-by: Dengke Du <dengke.du@windriver.com> ---- - configure.ac | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 893b904..245408d 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -177,15 +177,20 @@ AC_ARG_ENABLE(openpty, - AC_MSG_NOTICE(Not using openpty) - else - AC_MSG_NOTICE(Using openpty if available) -- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)]) -+ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes]) - fi - ], - [ - AC_MSG_NOTICE(Using openpty if available) -- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY)]) -+ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes]) - ] - ) -- -+ -+if test "x$dropbear_cv_func_have_openpty" = "xyes"; then -+ AC_DEFINE(HAVE_OPENPTY,,Have openpty() function) -+ no_ptc_check=yes -+ no_ptmx_check=yes -+fi - - AC_ARG_ENABLE(syslog, - [ --disable-syslog Don't include syslog support], --- -2.8.1 - diff --git a/meta/recipes-core/dropbear/dropbear/0004-fix-2kb-keys.patch b/meta/recipes-core/dropbear/dropbear/0004-fix-2kb-keys.patch deleted file mode 100644 index 7539d2034f..0000000000 --- a/meta/recipes-core/dropbear/dropbear/0004-fix-2kb-keys.patch +++ /dev/null @@ -1,22 +0,0 @@ -Subject: [PATCH 4/6] fix 2kb keys - -Upstream-Status: Inappropriate [configuration] ---- - kex.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kex.h b/kex.h -index 72430e9..375c677 100644 ---- a/kex.h -+++ b/kex.h -@@ -67,6 +67,6 @@ struct KEXState { - }; - - --#define MAX_KEXHASHBUF 2000 -+#define MAX_KEXHASHBUF 3000 - - #endif /* _KEX_H_ */ --- -1.7.11.7 - diff --git a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch index 539cb12e91..fe667ddc25 100644 --- a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch +++ b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch @@ -3,7 +3,7 @@ From: Jussi Kukkonen <jussi.kukkonen@intel.com> Date: Wed, 2 Dec 2015 11:36:02 +0200 Subject: Enable pam -We need modify file option.h besides enabling pam in +We need modify file default_options.h besides enabling pam in configure if we want dropbear to support pam. Upstream-Status: Pending @@ -11,26 +11,31 @@ Upstream-Status: Pending Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com> Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> --- - options.h | 4 ++-- + src/default_options.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/options.h b/options.h -index 94261f6..90bfe2f 100644 ---- a/options.h -+++ b/options.h -@@ -208,10 +208,10 @@ If you test it please contact the Dropbear author */ +diff --git a/src/default_options.h b/src/default_options.h +index 0e3d027..349338c 100644 +--- a/src/default_options.h ++++ b/src/default_options.h +@@ -210,7 +210,7 @@ group1 in Dropbear server too */ - /* This requires crypt() */ - #ifdef HAVE_CRYPT --#define ENABLE_SVR_PASSWORD_AUTH -+/*#define ENABLE_SVR_PASSWORD_AUTH*/ - #endif - /* PAM requires ./configure --enable-pam */ --/*#define ENABLE_SVR_PAM_AUTH */ -+#define ENABLE_SVR_PAM_AUTH - #define ENABLE_SVR_PUBKEY_AUTH + /* Authentication Types - at least one required. + RFC Draft requires pubkey auth, and recommends password */ +-#define DROPBEAR_SVR_PASSWORD_AUTH 1 ++#define DROPBEAR_SVR_PASSWORD_AUTH 0 - /* Whether to take public key options in + /* Note: PAM auth is quite simple and only works for PAM modules which just do + * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). +@@ -218,7 +218,7 @@ group1 in Dropbear server too */ + * but there's an interface via a PAM module. It won't work for more complex + * PAM challenge/response. + * You can't enable both PASSWORD and PAM. */ +-#define DROPBEAR_SVR_PAM_AUTH 0 ++#define DROPBEAR_SVR_PAM_AUTH 1 + + /* ~/.ssh/authorized_keys authentication. + * You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */ -- -2.1.4 +2.25.1 diff --git a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch index fa4c8d0a67..f54f634a4e 100644 --- a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch +++ b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch @@ -1,4 +1,7 @@ -Subject: [PATCH 6/6] dropbear configuration file +From e3a5db1b6d3f6382a15b2266458c26c645a10f18 Mon Sep 17 00:00:00 2001 +From: Mingli Yu <Mingli.Yu@windriver.com> +Date: Thu, 6 Sep 2018 15:54:00 +0800 +Subject: [PATCH] dropbear configuration file dropbear: Change the path ("/etc/pam.d/sshd" as default) to find a pam configuration file \ to "/etc/pam.d/dropbear for dropbear when enabling pam supporting" @@ -7,12 +10,17 @@ Upstream-Status: Inappropriate [configuration] Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com> +Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> --- -diff -Naur dropbear-2013.60-orig/svr-authpam.c dropbear-2013.60/svr-authpam.c ---- dropbear-2013.60-orig/svr-authpam.c 2013-10-16 16:34:53.000000000 +0200 -+++ dropbear-2013.60/svr-authpam.c 2013-10-21 17:04:04.969416055 +0200 -@@ -211,7 +211,7 @@ - userData.passwd = password; + src/svr-authpam.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/srec/svr-authpam.c b/src/svr-authpam.c +index d201bc9..165ec5c 100644 +--- a/src/svr-authpam.c ++++ b/src/svr-authpam.c +@@ -223,7 +223,7 @@ void svr_auth_pam(int valid_user) { + } /* Init pam */ - if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) { @@ -20,3 +28,6 @@ diff -Naur dropbear-2013.60-orig/svr-authpam.c dropbear-2013.60/svr-authpam.c dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", rc, pam_strerror(pamHandlep, rc)); goto cleanup; +-- +2.7.4 + diff --git a/meta/recipes-core/dropbear/dropbear/0007-dropbear-fix-for-x32-abi.patch b/meta/recipes-core/dropbear/dropbear/0007-dropbear-fix-for-x32-abi.patch deleted file mode 100644 index 60b302b5cd..0000000000 --- a/meta/recipes-core/dropbear/dropbear/0007-dropbear-fix-for-x32-abi.patch +++ /dev/null @@ -1,140 +0,0 @@ -Upstream-Status: Pending - -The dropbearkey utility built in x32 abi format, when generating ssh -keys, was getting lost in the infinite loop. - -This patch fixes the issue by fixing types of variables and -parameters of functions used in the code, which were getting -undesired size, when compiled with the x32 abi toolchain. - -2013/05/23 -Received this fix from H J Lu. - -Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com> - -# HG changeset patch -# User H.J. Lu <hjl.tools@gmail.com> -# Date 1369344079 25200 -# Node ID a10a1c46b857cc8a3923c3bb6d1504aa25b6052f -# Parent e76614145aea67f66e4a4257685c771efba21aa1 -Typdef mp_digit to unsigned long long for MP_64BIT - -When GCC is used with MP_64BIT, we should typedef mp_digit to unsigned -long long instead of unsigned long since for x32, unsigned long is -32-bit and unsigned long long is 64-bit and it is safe to use unsigned -long long for 64-bit integer with GCC. - -diff -r e76614145aea -r a10a1c46b857 libtommath/tommath.h ---- a/libtommath/tommath.h Thu Apr 18 22:57:47 2013 +0800 -+++ b/libtommath/tommath.h Thu May 23 14:21:19 2013 -0700 -@@ -73,7 +73,7 @@ - typedef signed long long long64; - #endif - -- typedef unsigned long mp_digit; -+ typedef unsigned long long mp_digit; - typedef unsigned long mp_word __attribute__ ((mode(TI))); - - #define DIGIT_BIT 60 -# HG changeset patch -# User H.J. Lu <hjl.tools@gmail.com> -# Date 1369344241 25200 -# Node ID c7555a4cb7ded3a88409ba85f4027baa7af5f536 -# Parent a10a1c46b857cc8a3923c3bb6d1504aa25b6052f -Cast to mp_digit when updating *rho - -There is - -int -mp_montgomery_setup (mp_int * n, mp_digit * rho) - -We should cast to mp_digit instead of unsigned long when updating -*rho since mp_digit may be unsigned long long and unsigned long long -may be different from unsigned long, like in x32. - -diff -r a10a1c46b857 -r c7555a4cb7de libtommath/bn_mp_montgomery_setup.c ---- a/libtommath/bn_mp_montgomery_setup.c Thu May 23 14:21:19 2013 -0700 -+++ b/libtommath/bn_mp_montgomery_setup.c Thu May 23 14:24:01 2013 -0700 -@@ -48,7 +48,7 @@ - #endif - - /* rho = -1/m mod b */ -- *rho = (unsigned long)(((mp_word)1 << ((mp_word) DIGIT_BIT)) - x) & MP_MASK; -+ *rho = (mp_digit)(((mp_word)1 << ((mp_word) DIGIT_BIT)) - x) & MP_MASK; - - return MP_OKAY; - } -# HG changeset patch -# User H.J. Lu <hjl.tools@gmail.com> -# Date 1369344541 25200 -# Node ID 7c656e7071a6412688b2f30a529a9afac6c7bf5a -# Parent c7555a4cb7ded3a88409ba85f4027baa7af5f536 -Define LTC_FAST_TYPE to unsigned long long for __x86_64__ - -We should define LTC_FAST_TYPE to unsigned long long instead of unsigned -long if __x86_64__ to support x32 where unsigned long long is 64-bit -and unsigned long is 32-bit. - -diff -r c7555a4cb7de -r 7c656e7071a6 libtomcrypt/src/headers/tomcrypt_cfg.h ---- a/libtomcrypt/src/headers/tomcrypt_cfg.h Thu May 23 14:24:01 2013 -0700 -+++ b/libtomcrypt/src/headers/tomcrypt_cfg.h Thu May 23 14:29:01 2013 -0700 -@@ -74,7 +74,7 @@ - #define ENDIAN_LITTLE - #define ENDIAN_64BITWORD - #define LTC_FAST -- #define LTC_FAST_TYPE unsigned long -+ #define LTC_FAST_TYPE unsigned long long - #endif - - /* detect PPC32 */ -# HG changeset patch -# User H.J. Lu <hjl.tools@gmail.com> -# Date 1369344730 25200 -# Node ID a7d4690158fae4ede2c4e5b56233e83730bf38ee -# Parent 7c656e7071a6412688b2f30a529a9afac6c7bf5a -Use unsigned long long aas unsigned 64-bit integer for x86-64 GCC - -We should use unsigned long long instead of unsigned long as unsigned -64-bit integer for x86-64 GCC to support x32 where unsigned long is -32-bit. - -diff -r 7c656e7071a6 -r a7d4690158fa libtomcrypt/src/headers/tomcrypt_macros.h ---- a/libtomcrypt/src/headers/tomcrypt_macros.h Thu May 23 14:29:01 2013 -0700 -+++ b/libtomcrypt/src/headers/tomcrypt_macros.h Thu May 23 14:32:10 2013 -0700 -@@ -343,7 +343,7 @@ - /* 64-bit Rotates */ - #if !defined(__STRICT_ANSI__) && defined(__GNUC__) && defined(__x86_64__) && !defined(LTC_NO_ASM) - --static inline unsigned long ROL64(unsigned long word, int i) -+static inline unsigned long long ROL64(unsigned long long word, int i) - { - asm("rolq %%cl,%0" - :"=r" (word) -@@ -351,7 +351,7 @@ - return word; - } - --static inline unsigned long ROR64(unsigned long word, int i) -+static inline unsigned long long ROR64(unsigned long long word, int i) - { - asm("rorq %%cl,%0" - :"=r" (word) -@@ -361,7 +361,7 @@ - - #ifndef LTC_NO_ROLC - --static inline unsigned long ROL64c(unsigned long word, const int i) -+static inline unsigned long long ROL64c(unsigned long long word, const int i) - { - asm("rolq %2,%0" - :"=r" (word) -@@ -369,7 +369,7 @@ - return word; - } - --static inline unsigned long ROR64c(unsigned long word, const int i) -+static inline unsigned long long ROR64c(unsigned long long word, const int i) - { - asm("rorq %2,%0" - :"=r" (word) - diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch new file mode 100644 index 0000000000..f998caa255 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch @@ -0,0 +1,31 @@ +From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001 +From: Joseph Reynolds <joseph.reynolds1@ibm.com> +Date: Thu, 20 Jun 2019 16:29:15 -0500 +Subject: [PATCH] dropbear: new feature: disable-weak-ciphers + +This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers +in the dropbear ssh server and client since they're considered weak ciphers +and we want to support the stong algorithms. + +Upstream-Status: Inappropriate [configuration] +Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com> +--- + src/default_options.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/default_options.h b/src/default_options.h +index d417588..bc5200f 100644 +--- a/src/default_options.h ++++ b/src/default_options.h +@@ -180,7 +180,7 @@ IMPORTANT: Some options will require "make clean" after changes */ + * Small systems should generally include either curve25519 or ecdh for performance. + * curve25519 is less widely supported but is faster + */ +-#define DROPBEAR_DH_GROUP14_SHA1 1 ++#define DROPBEAR_DH_GROUP14_SHA1 0 + #define DROPBEAR_DH_GROUP14_SHA256 1 + #define DROPBEAR_DH_GROUP16 0 + #define DROPBEAR_CURVE25519 1 +-- +2.25.1 + diff --git a/meta/recipes-core/dropbear/dropbear/dropbear.default b/meta/recipes-core/dropbear/dropbear/dropbear.default new file mode 100644 index 0000000000..522453a86c --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/dropbear.default @@ -0,0 +1,2 @@ +# Disallow root logins by default +DROPBEAR_EXTRA_ARGS="-w" diff --git a/meta/recipes-core/dropbear/dropbear/dropbearkey.service b/meta/recipes-core/dropbear/dropbear/dropbearkey.service index c49053d57c..71a12a6110 100644 --- a/meta/recipes-core/dropbear/dropbear/dropbearkey.service +++ b/meta/recipes-core/dropbear/dropbear/dropbearkey.service @@ -11,3 +11,4 @@ Type=oneshot ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR} ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key RemainAfterExit=yes +Nice=10 diff --git a/meta/recipes-core/dropbear/dropbear/fix-libtomcrypt-libtommath-ordering.patch b/meta/recipes-core/dropbear/dropbear/fix-libtomcrypt-libtommath-ordering.patch deleted file mode 100644 index 2b05e1893d..0000000000 --- a/meta/recipes-core/dropbear/dropbear/fix-libtomcrypt-libtommath-ordering.patch +++ /dev/null @@ -1,49 +0,0 @@ -From f37fa9a41f248fa41dd74a41c66cb41a291c03d2 Mon Sep 17 00:00:00 2001 -From: Andre McCurdy <armccurdy@gmail.com> -Date: Fri, 16 Sep 2016 12:18:23 -0700 -Subject: [PATCH] fix libtomcrypt/libtommath ordering - -To prevent build failures when using system libtom libraries and -linking with --as-needed, LIBTOM_LIBS should be in the order --ltomcrypt -ltommath, not the other way around, ie libs should be -prepended to LIBTOM_LIBS as they are found, not appended. - -Note that LIBTOM_LIBS is not used when linking with the bundled -libtom libs. - -Upstream-Status: Backport [ https://github.com/mkj/dropbear/commit/f9e6bc2aecab0f4b5b529e07a92cc63c8a66cd4b ] - -Signed-off-by: Andre McCurdy <armccurdy@gmail.com> -Signed-off-by: Dengke Du <dengke.du@windriver.com> ---- - configure.ac | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 245408d..d624853 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -393,16 +393,16 @@ AC_ARG_ENABLE(bundled-libtom, - AC_MSG_NOTICE(Forcing bundled libtom*) - else - BUNDLED_LIBTOM=0 -- AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="$LIBTOM_LIBS -ltommath", -+ AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="-ltommath $LIBTOM_LIBS", - [AC_MSG_ERROR([Missing system libtommath and --disable-bundled-libtom was specified])] ) -- AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt", -+ AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="-ltomcrypt $LIBTOM_LIBS", - [AC_MSG_ERROR([Missing system libtomcrypt and --disable-bundled-libtom was specified])] ) - fi - ], - [ - BUNDLED_LIBTOM=0 -- AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="$LIBTOM_LIBS -ltommath", BUNDLED_LIBTOM=1) -- AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt", BUNDLED_LIBTOM=1) -+ AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="-ltommath $LIBTOM_LIBS", BUNDLED_LIBTOM=1) -+ AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="-ltomcrypt $LIBTOM_LIBS", BUNDLED_LIBTOM=1) - ] - ) - --- -2.8.1 - diff --git a/meta/recipes-core/dropbear/dropbear/init b/meta/recipes-core/dropbear/dropbear/init index f6e1c462fa..ffab7a2362 100755 --- a/meta/recipes-core/dropbear/dropbear/init +++ b/meta/recipes-core/dropbear/dropbear/init @@ -17,8 +17,11 @@ NAME=dropbear DESC="Dropbear SSH server" PIDFILE=/var/run/dropbear.pid +# These values may be replaced by those from /etc/default/dropbear +DROPBEAR_RSAKEY_DIR="/etc/dropbear" DROPBEAR_PORT=22 DROPBEAR_EXTRA_ARGS= +DROPBEAR_RSAKEY_ARGS= NO_START=0 set -e @@ -28,32 +31,19 @@ test "$NO_START" = "0" || exit 0 test -x "$DAEMON" || exit 0 test ! -h /var/service/dropbear || exit 0 -readonly_rootfs=0 -for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' </proc/mounts`; do - case $flag in - ro) - readonly_rootfs=1 - ;; - esac -done - -if [ $readonly_rootfs = "1" ]; then - mkdir -p /var/lib/dropbear - DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key" -else - DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key" -fi - test -z "$DROPBEAR_BANNER" || \ DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER" test -n "$DROPBEAR_RSAKEY" || \ - DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT + DROPBEAR_RSAKEY="${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key" gen_keys() { if [ -f "$DROPBEAR_RSAKEY" -a ! -s "$DROPBEAR_RSAKEY" ]; then rm $DROPBEAR_RSAKEY || true fi - test -f $DROPBEAR_RSAKEY || dropbearkey -t rsa -f $DROPBEAR_RSAKEY $DROPBEAR_RSAKEY_ARGS + if [ ! -f "$DROPBEAR_RSAKEY" ]; then + mkdir -p ${DROPBEAR_RSAKEY%/*} + dropbearkey -t rsa -f $DROPBEAR_RSAKEY $DROPBEAR_RSAKEY_ARGS + fi } case "$1" in diff --git a/meta/recipes-core/dropbear/dropbear_2017.75.bb b/meta/recipes-core/dropbear/dropbear_2017.75.bb deleted file mode 100644 index cfb0d199b3..0000000000 --- a/meta/recipes-core/dropbear/dropbear_2017.75.bb +++ /dev/null @@ -1,5 +0,0 @@ -require dropbear.inc - -SRC_URI[md5sum] = "e57e9b9d25705dcb073ba15c416424fd" -SRC_URI[sha256sum] = "6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c" - diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear_2024.84.bb index b6b436c584..69c7b04c55 100644 --- a/meta/recipes-core/dropbear/dropbear.inc +++ b/meta/recipes-core/dropbear/dropbear_2024.84.bb @@ -1,28 +1,29 @@ SUMMARY = "A lightweight SSH and SCP implementation" HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html" +DESCRIPTION = "Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for "embedded"-type Linux (or other Unix) systems, such as wireless routers." SECTION = "console/network" # some files are from other projects and have others license terms: # public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY LICENSE = "MIT & BSD-3-Clause & BSD-2-Clause & PD" -LIC_FILES_CHKSUM = "file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01" +LIC_FILES_CHKSUM = "file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f" -DEPENDS = "zlib" -RPROVIDES_${PN} = "ssh sshd" - -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" +DEPENDS = "zlib virtual/crypt" +RPROVIDES:${PN} = "ssh sshd" +RCONFLICTS:${PN} = "openssh-sshd openssh" SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ file://0001-urandom-xauth-changes-to-options.h.patch \ - file://0003-configure.patch \ - file://0004-fix-2kb-keys.patch \ - file://0007-dropbear-fix-for-x32-abi.patch \ - file://fix-libtomcrypt-libtommath-ordering.patch \ file://init \ file://dropbearkey.service \ file://dropbear@.service \ file://dropbear.socket \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} " + file://dropbear.default \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ + " + +SRC_URI[sha256sum] = "16e22b66b333d6b7e504c43679d04ed6ca30f2838db40a21f935c850dfc01009" PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ file://0006-dropbear-configuration-file.patch \ @@ -33,24 +34,38 @@ PAM_PLUGINS = "libpam-runtime \ pam-plugin-permit \ pam-plugin-unix \ " -RDEPENDS_${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_PLUGINS}', '', d)}" - inherit autotools update-rc.d systemd +CVE_PRODUCT = "dropbear_ssh" + INITSCRIPT_NAME = "dropbear" INITSCRIPT_PARAMS = "defaults 10" -SYSTEMD_SERVICE_${PN} = "dropbear.socket" +SYSTEMD_SERVICE:${PN} = "dropbear.socket" SBINCOMMANDS = "dropbear dropbearkey dropbearconvert" BINCOMMANDS = "dbclient ssh scp" EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' -PACKAGECONFIG ?= "" +PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" +PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}" PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt" +PACKAGECONFIG[disable-weak-ciphers] = "" +PACKAGECONFIG[enable-x11-forwarding] = "" + +# This option appends to CFLAGS and LDFLAGS from OE +# This is causing [textrel] QA warning +EXTRA_OECONF += "--disable-harden" + +# musl does not implement wtmp/logwtmp APIs +EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog" -EXTRA_OECONF += "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}" +do_configure:append() { + echo "/* Dropbear features */" > ${B}/localoptions.h + if ${@bb.utils.contains('PACKAGECONFIG', 'enable-x11-forwarding', 'true', 'false', d)}; then + echo "#define DROPBEAR_X11FWD 1" >> ${B}/localoptions.h + fi +} do_install() { install -d ${D}${sysconfdir} \ @@ -61,9 +76,16 @@ do_install() { ${D}${sbindir} \ ${D}${localstatedir} + install -m 0644 ${WORKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear + install -m 0755 dropbearmulti ${D}${sbindir}/ - ln -s ${sbindir}/dropbearmulti ${D}${bindir}/dbclient + for i in ${BINCOMMANDS} + do + # ssh and scp symlinks are created by update-alternatives + if [ $i = ssh ] || [ $i = scp ]; then continue; fi + ln -s ${sbindir}/dropbearmulti ${D}${bindir}/$i + done for i in ${SBINCOMMANDS} do ln -s ./dropbearmulti ${D}${sbindir}/$i @@ -80,24 +102,24 @@ do_install() { fi # deal with systemd unit files - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/dropbearkey.service ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/dropbear@.service ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/dropbear.socket ${D}${systemd_unitdir}/system + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/dropbearkey.service ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/dropbear@.service ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/dropbear.socket ${D}${systemd_system_unitdir} sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ -e 's,@BINDIR@,${bindir},g' \ -e 's,@SBINDIR@,${sbindir},g' \ - ${D}${systemd_unitdir}/system/dropbear.socket ${D}${systemd_unitdir}/system/*.service + ${D}${systemd_system_unitdir}/dropbear.socket ${D}${systemd_system_unitdir}/*.service } inherit update-alternatives ALTERNATIVE_PRIORITY = "20" -ALTERNATIVE_${PN} = "scp ssh" +ALTERNATIVE:${PN} = "${@bb.utils.filter('BINCOMMANDS', 'scp ssh', d)}" ALTERNATIVE_TARGET = "${sbindir}/dropbearmulti" -pkg_postrm_append_${PN} () { +pkg_postrm:${PN} () { if [ -f "${sysconfdir}/dropbear/dropbear_rsa_host_key" ]; then rm ${sysconfdir}/dropbear/dropbear_rsa_host_key fi @@ -105,3 +127,5 @@ pkg_postrm_append_${PN} () { rm ${sysconfdir}/dropbear/dropbear_dss_host_key fi } + +CONFFILES:${PN} = "${sysconfdir}/default/dropbear" |