diff options
Diffstat (limited to 'meta/recipes-core/dropbear')
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch | 22 | ||||
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch | 26 | ||||
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch | 17 | ||||
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear/CVE-2018-15599.patch | 236 | ||||
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch | 28 | ||||
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear/dropbearkey.service | 1 | ||||
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear_2018.76.bb | 5 | ||||
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear_2024.85.bb (renamed from meta/recipes-core/dropbear/dropbear.inc) | 68 |
8 files changed, 102 insertions, 301 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch index 684641dcbd..9c1dd3f606 100644 --- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch +++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch @@ -1,15 +1,18 @@ -Subject: [PATCH 1/6] urandom-xauth-changes-to-options.h +From cdc6a4a57a86d8116a92a5d905993e65cf723556 Mon Sep 17 00:00:00 2001 +From: Richard Purdie <richard@openedhand.com> +Date: Wed, 31 Aug 2005 10:45:47 +0000 +Subject: [PATCH] urandom-xauth-changes-to-options.h Upstream-Status: Inappropriate [configuration] --- - default_options.h | 2 +- + src/default_options.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/default_options.h b/default_options.h -index 3b75eb8..1fd8082 100644 ---- a/default_options.h -+++ b/default_options.h -@@ -243,7 +243,7 @@ Homedir is prepended unless path begins with / */ +diff --git a/src/default_options.h b/src/default_options.h +index 6e970bb..ccc8b47 100644 +--- a/src/default_options.h ++++ b/src/default_options.h +@@ -311,7 +311,7 @@ group1 in Dropbear server too */ /* The command to invoke for xauth when using X11 forwarding. * "-q" for quiet */ @@ -17,7 +20,4 @@ index 3b75eb8..1fd8082 100644 +#define XAUTH_COMMAND "xauth -q" - /* if you want to enable running an sftp server (such as the one included with --- -1.7.11.7 - + /* If you want to enable running an sftp server (such as the one included with diff --git a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch index 857681520c..6743f506e9 100644 --- a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch +++ b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch @@ -1,7 +1,7 @@ -From b8cece92ba19aa77ac013ea161bfe4c7147747c9 Mon Sep 17 00:00:00 2001 +From 253ca01f0fc50dbaeb2ff8bcece0c34256eba94f Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen <jussi.kukkonen@intel.com> Date: Wed, 2 Dec 2015 11:36:02 +0200 -Subject: Enable pam +Subject: [PATCH] Enable pam We need modify file default_options.h besides enabling pam in configure if we want dropbear to support pam. @@ -11,14 +11,14 @@ Upstream-Status: Pending Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com> Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> --- - default_options.h | 4 ++-- + src/default_options.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/default_options.h b/default_options.h -index 3b75eb8..8617cd0 100644 ---- a/default_options.h -+++ b/default_options.h -@@ -179,7 +179,7 @@ group1 in Dropbear server too */ +diff --git a/src/default_options.h b/src/default_options.h +index ccc8b47..12768d1 100644 +--- a/src/default_options.h ++++ b/src/default_options.h +@@ -228,7 +228,7 @@ group1 in Dropbear server too */ /* Authentication Types - at least one required. RFC Draft requires pubkey auth, and recommends password */ @@ -27,16 +27,12 @@ index 3b75eb8..8617cd0 100644 /* Note: PAM auth is quite simple and only works for PAM modules which just do * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). -@@ -187,7 +187,7 @@ group1 in Dropbear server too */ +@@ -236,7 +236,7 @@ group1 in Dropbear server too */ * but there's an interface via a PAM module. It won't work for more complex * PAM challenge/response. * You can't enable both PASSWORD and PAM. */ -#define DROPBEAR_SVR_PAM_AUTH 0 +#define DROPBEAR_SVR_PAM_AUTH 1 - /* ~/.ssh/authorized_keys authentication */ - #define DROPBEAR_SVR_PUBKEY_AUTH 1 - --- -2.1.4 - + /* ~/.ssh/authorized_keys authentication. + * You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */ diff --git a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch index deed78ffb9..44861088cc 100644 --- a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch +++ b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch @@ -1,4 +1,4 @@ -From e3a5db1b6d3f6382a15b2266458c26c645a10f18 Mon Sep 17 00:00:00 2001 +From 16b147f97f0938cddb55ec1c90bc919c13f26fc0 Mon Sep 17 00:00:00 2001 From: Mingli Yu <Mingli.Yu@windriver.com> Date: Thu, 6 Sep 2018 15:54:00 +0800 Subject: [PATCH] dropbear configuration file @@ -12,14 +12,14 @@ Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com> Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> --- - svr-authpam.c | 2 +- + src/svr-authpam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/svr-authpam.c b/svr-authpam.c -index d201bc9..165ec5c 100644 ---- a/svr-authpam.c -+++ b/svr-authpam.c -@@ -223,7 +223,7 @@ void svr_auth_pam(int valid_user) { +diff --git a/src/svr-authpam.c b/src/svr-authpam.c +index ec14632..026102f 100644 +--- a/src/svr-authpam.c ++++ b/src/svr-authpam.c +@@ -224,7 +224,7 @@ void svr_auth_pam(int valid_user) { } /* Init pam */ @@ -28,6 +28,3 @@ index d201bc9..165ec5c 100644 dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", rc, pam_strerror(pamHandlep, rc)); goto cleanup; --- -2.7.4 - diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2018-15599.patch b/meta/recipes-core/dropbear/dropbear/CVE-2018-15599.patch deleted file mode 100644 index 912545c957..0000000000 --- a/meta/recipes-core/dropbear/dropbear/CVE-2018-15599.patch +++ /dev/null @@ -1,236 +0,0 @@ -From 256e2abb8150f9fea33cd026597dbe70f0379296 Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Thu, 23 Aug 2018 23:43:12 +0800 -Subject: [PATCH] Wait to fail invalid usernames - -Wait to fail invalid usernames - -Upstream-Status: Backport [https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00] -CVE: CVE-2018-15599 -Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> ---- - auth.h | 6 +++--- - svr-auth.c | 19 +++++-------------- - svr-authpam.c | 26 ++++++++++++++++++++++---- - svr-authpasswd.c | 27 ++++++++++++++------------- - svr-authpubkey.c | 11 ++++++++++- - 5 files changed, 54 insertions(+), 35 deletions(-) - -diff --git a/auth.h b/auth.h -index da498f5..98f5468 100644 ---- a/auth.h -+++ b/auth.h -@@ -37,9 +37,9 @@ void recv_msg_userauth_request(void); - void send_msg_userauth_failure(int partial, int incrfail); - void send_msg_userauth_success(void); - void send_msg_userauth_banner(const buffer *msg); --void svr_auth_password(void); --void svr_auth_pubkey(void); --void svr_auth_pam(void); -+void svr_auth_password(int valid_user); -+void svr_auth_pubkey(int valid_user); -+void svr_auth_pam(int valid_user); - - #if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT - int svr_pubkey_allows_agentfwd(void); -diff --git a/svr-auth.c b/svr-auth.c -index 64d97aa..1f364ca 100644 ---- a/svr-auth.c -+++ b/svr-auth.c -@@ -149,10 +149,8 @@ void recv_msg_userauth_request() { - if (methodlen == AUTH_METHOD_PASSWORD_LEN && - strncmp(methodname, AUTH_METHOD_PASSWORD, - AUTH_METHOD_PASSWORD_LEN) == 0) { -- if (valid_user) { -- svr_auth_password(); -- goto out; -- } -+ svr_auth_password(valid_user); -+ goto out; - } - } - #endif -@@ -164,10 +162,8 @@ void recv_msg_userauth_request() { - if (methodlen == AUTH_METHOD_PASSWORD_LEN && - strncmp(methodname, AUTH_METHOD_PASSWORD, - AUTH_METHOD_PASSWORD_LEN) == 0) { -- if (valid_user) { -- svr_auth_pam(); -- goto out; -- } -+ svr_auth_pam(valid_user); -+ goto out; - } - } - #endif -@@ -177,12 +173,7 @@ void recv_msg_userauth_request() { - if (methodlen == AUTH_METHOD_PUBKEY_LEN && - strncmp(methodname, AUTH_METHOD_PUBKEY, - AUTH_METHOD_PUBKEY_LEN) == 0) { -- if (valid_user) { -- svr_auth_pubkey(); -- } else { -- /* pubkey has no failure delay */ -- send_msg_userauth_failure(0, 0); -- } -+ svr_auth_pubkey(valid_user); - goto out; - } - #endif -diff --git a/svr-authpam.c b/svr-authpam.c -index 05e4f3e..d201bc9 100644 ---- a/svr-authpam.c -+++ b/svr-authpam.c -@@ -178,13 +178,14 @@ pamConvFunc(int num_msg, - * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it - * gets very messy trying to send the interactive challenges, and read the - * interactive responses, over the network. */ --void svr_auth_pam() { -+void svr_auth_pam(int valid_user) { - - struct UserDataS userData = {NULL, NULL}; - struct pam_conv pamConv = { - pamConvFunc, - &userData /* submitted to pamvConvFunc as appdata_ptr */ - }; -+ const char* printable_user = NULL; - - pam_handle_t* pamHandlep = NULL; - -@@ -204,12 +205,23 @@ void svr_auth_pam() { - - password = buf_getstring(ses.payload, &passwordlen); - -+ /* We run the PAM conversation regardless of whether the username is valid -+ in case the conversation function has an inherent delay. -+ Use ses.authstate.username rather than ses.authstate.pw_name. -+ After PAM succeeds we then check the valid_user flag too */ -+ - /* used to pass data to the PAM conversation function - don't bother with - * strdup() etc since these are touched only by our own conversation - * function (above) which takes care of it */ -- userData.user = ses.authstate.pw_name; -+ userData.user = ses.authstate.username; - userData.passwd = password; - -+ if (ses.authstate.pw_name) { -+ printable_user = ses.authstate.pw_name; -+ } else { -+ printable_user = "<invalid username>"; -+ } -+ - /* Init pam */ - if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) { - dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", -@@ -242,7 +254,7 @@ void svr_auth_pam() { - rc, pam_strerror(pamHandlep, rc)); - dropbear_log(LOG_WARNING, - "Bad PAM password attempt for '%s' from %s", -- ses.authstate.pw_name, -+ printable_user, - svr_ses.addrstring); - send_msg_userauth_failure(0, 1); - goto cleanup; -@@ -253,12 +265,18 @@ void svr_auth_pam() { - rc, pam_strerror(pamHandlep, rc)); - dropbear_log(LOG_WARNING, - "Bad PAM password attempt for '%s' from %s", -- ses.authstate.pw_name, -+ printable_user, - svr_ses.addrstring); - send_msg_userauth_failure(0, 1); - goto cleanup; - } - -+ if (!valid_user) { -+ /* PAM auth succeeded but the username isn't allowed in for another reason -+ (checkusername() failed) */ -+ send_msg_userauth_failure(0, 1); -+ } -+ - /* successful authentication */ - dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s", - ses.authstate.pw_name, -diff --git a/svr-authpasswd.c b/svr-authpasswd.c -index bdee2aa..69c7d8a 100644 ---- a/svr-authpasswd.c -+++ b/svr-authpasswd.c -@@ -48,22 +48,14 @@ static int constant_time_strcmp(const char* a, const char* b) { - - /* Process a password auth request, sending success or failure messages as - * appropriate */ --void svr_auth_password() { -+void svr_auth_password(int valid_user) { - - char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ - char * testcrypt = NULL; /* crypt generated from the user's password sent */ -- char * password; -+ char * password = NULL; - unsigned int passwordlen; -- - unsigned int changepw; - -- passwdcrypt = ses.authstate.pw_passwd; -- --#ifdef DEBUG_HACKCRYPT -- /* debugging crypt for non-root testing with shadows */ -- passwdcrypt = DEBUG_HACKCRYPT; --#endif -- - /* check if client wants to change password */ - changepw = buf_getbool(ses.payload); - if (changepw) { -@@ -73,12 +65,21 @@ void svr_auth_password() { - } - - password = buf_getstring(ses.payload, &passwordlen); -- -- /* the first bytes of passwdcrypt are the salt */ -- testcrypt = crypt(password, passwdcrypt); -+ if (valid_user) { -+ /* the first bytes of passwdcrypt are the salt */ -+ passwdcrypt = ses.authstate.pw_passwd; -+ testcrypt = crypt(password, passwdcrypt); -+ } - m_burn(password, passwordlen); - m_free(password); - -+ /* After we have got the payload contents we can exit if the username -+ is invalid. Invalid users have already been logged. */ -+ if (!valid_user) { -+ send_msg_userauth_failure(0, 1); -+ return; -+ } -+ - if (testcrypt == NULL) { - /* crypt() with an invalid salt like "!!" */ - dropbear_log(LOG_WARNING, "User account '%s' is locked", -diff --git a/svr-authpubkey.c b/svr-authpubkey.c -index aa6087c..ff481c8 100644 ---- a/svr-authpubkey.c -+++ b/svr-authpubkey.c -@@ -79,7 +79,7 @@ static int checkfileperm(char * filename); - - /* process a pubkey auth request, sending success or failure message as - * appropriate */ --void svr_auth_pubkey() { -+void svr_auth_pubkey(int valid_user) { - - unsigned char testkey; /* whether we're just checking if a key is usable */ - char* algo = NULL; /* pubkey algo */ -@@ -102,6 +102,15 @@ void svr_auth_pubkey() { - keybloblen = buf_getint(ses.payload); - keyblob = buf_getptr(ses.payload, keybloblen); - -+ if (!valid_user) { -+ /* Return failure once we have read the contents of the packet -+ required to validate a public key. -+ Avoids blind user enumeration though it isn't possible to prevent -+ testing for user existence if the public key is known */ -+ send_msg_userauth_failure(0, 0); -+ goto out; -+ } -+ - /* check if the key is valid */ - if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) { - send_msg_userauth_failure(0, 0); diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch new file mode 100644 index 0000000000..a20781d31d --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch @@ -0,0 +1,28 @@ +From c8a0c8e87b772576f3a431c3b4cacaf5aa001dcc Mon Sep 17 00:00:00 2001 +From: Joseph Reynolds <joseph.reynolds1@ibm.com> +Date: Thu, 20 Jun 2019 16:29:15 -0500 +Subject: [PATCH] dropbear: new feature: disable-weak-ciphers + +This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers +in the dropbear ssh server and client since they're considered weak ciphers +and we want to support the stong algorithms. + +Upstream-Status: Inappropriate [configuration] +Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com> +--- + src/default_options.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/default_options.h b/src/default_options.h +index 12768d1..2b07497 100644 +--- a/src/default_options.h ++++ b/src/default_options.h +@@ -197,7 +197,7 @@ IMPORTANT: Some options will require "make clean" after changes */ + * Small systems should generally include either curve25519 or ecdh for performance. + * curve25519 is less widely supported but is faster + */ +-#define DROPBEAR_DH_GROUP14_SHA1 1 ++#define DROPBEAR_DH_GROUP14_SHA1 0 + #define DROPBEAR_DH_GROUP14_SHA256 1 + #define DROPBEAR_DH_GROUP16 0 + #define DROPBEAR_CURVE25519 1 diff --git a/meta/recipes-core/dropbear/dropbear/dropbearkey.service b/meta/recipes-core/dropbear/dropbear/dropbearkey.service index c49053d57c..71a12a6110 100644 --- a/meta/recipes-core/dropbear/dropbear/dropbearkey.service +++ b/meta/recipes-core/dropbear/dropbear/dropbearkey.service @@ -11,3 +11,4 @@ Type=oneshot ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR} ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key RemainAfterExit=yes +Nice=10 diff --git a/meta/recipes-core/dropbear/dropbear_2018.76.bb b/meta/recipes-core/dropbear/dropbear_2018.76.bb deleted file mode 100644 index 36a58d5cef..0000000000 --- a/meta/recipes-core/dropbear/dropbear_2018.76.bb +++ /dev/null @@ -1,5 +0,0 @@ -require dropbear.inc - -SRC_URI[md5sum] = "c3912f7fcdcc57c99937e4a79480d2c2" -SRC_URI[sha256sum] = "f2fb9167eca8cf93456a5fc1d4faf709902a3ab70dd44e352f3acbc3ffdaea65" - diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear_2024.85.bb index d92a2f3991..54001414d0 100644 --- a/meta/recipes-core/dropbear/dropbear.inc +++ b/meta/recipes-core/dropbear/dropbear_2024.85.bb @@ -1,26 +1,29 @@ SUMMARY = "A lightweight SSH and SCP implementation" HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html" +DESCRIPTION = "Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for "embedded"-type Linux (or other Unix) systems, such as wireless routers." SECTION = "console/network" # some files are from other projects and have others license terms: # public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY LICENSE = "MIT & BSD-3-Clause & BSD-2-Clause & PD" -LIC_FILES_CHKSUM = "file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01" +LIC_FILES_CHKSUM = "file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f" DEPENDS = "zlib virtual/crypt" -RPROVIDES_${PN} = "ssh sshd" - -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" +RPROVIDES:${PN} = "ssh sshd" +RCONFLICTS:${PN} = "openssh-sshd openssh" SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ - file://CVE-2018-15599.patch \ file://0001-urandom-xauth-changes-to-options.h.patch \ file://init \ file://dropbearkey.service \ file://dropbear@.service \ file://dropbear.socket \ file://dropbear.default \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} " + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ + " + +SRC_URI[sha256sum] = "86b036c433a69d89ce51ebae335d65c47738ccf90d13e5eb0fea832e556da502" PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ file://0006-dropbear-configuration-file.patch \ @@ -31,29 +34,39 @@ PAM_PLUGINS = "libpam-runtime \ pam-plugin-permit \ pam-plugin-unix \ " -RDEPENDS_${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_PLUGINS}', '', d)}" - inherit autotools update-rc.d systemd +CVE_PRODUCT = "dropbear_ssh" + INITSCRIPT_NAME = "dropbear" INITSCRIPT_PARAMS = "defaults 10" -SYSTEMD_SERVICE_${PN} = "dropbear.socket" +SYSTEMD_SERVICE:${PN} = "dropbear.socket" SBINCOMMANDS = "dropbear dropbearkey dropbearconvert" BINCOMMANDS = "dbclient ssh scp" EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' -PACKAGECONFIG ?= "" +PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" +PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}" PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt" - -EXTRA_OECONF += "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}" +PACKAGECONFIG[disable-weak-ciphers] = "" +PACKAGECONFIG[enable-x11-forwarding] = "" # This option appends to CFLAGS and LDFLAGS from OE # This is causing [textrel] QA warning EXTRA_OECONF += "--disable-harden" +# musl does not implement wtmp/logwtmp APIs +EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog" + +do_configure:append() { + echo "/* Dropbear features */" > ${B}/localoptions.h + if ${@bb.utils.contains('PACKAGECONFIG', 'enable-x11-forwarding', 'true', 'false', d)}; then + echo "#define DROPBEAR_X11FWD 1" >> ${B}/localoptions.h + fi +} + do_install() { install -d ${D}${sysconfdir} \ ${D}${sysconfdir}/init.d \ @@ -63,11 +76,16 @@ do_install() { ${D}${sbindir} \ ${D}${localstatedir} - install -m 0644 ${WORKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear + install -m 0644 ${UNPACKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear install -m 0755 dropbearmulti ${D}${sbindir}/ - ln -s ${sbindir}/dropbearmulti ${D}${bindir}/dbclient + for i in ${BINCOMMANDS} + do + # ssh and scp symlinks are created by update-alternatives + if [ $i = ssh ] || [ $i = scp ]; then continue; fi + ln -s ${sbindir}/dropbearmulti ${D}${bindir}/$i + done for i in ${SBINCOMMANDS} do ln -s ./dropbearmulti ${D}${sbindir}/$i @@ -76,32 +94,32 @@ do_install() { -e 's,/usr/sbin,${sbindir},g' \ -e 's,/var,${localstatedir},g' \ -e 's,/usr/bin,${bindir},g' \ - -e 's,/usr,${prefix},g' ${WORKDIR}/init > ${D}${sysconfdir}/init.d/dropbear + -e 's,/usr,${prefix},g' ${UNPACKDIR}/init > ${D}${sysconfdir}/init.d/dropbear chmod 755 ${D}${sysconfdir}/init.d/dropbear if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then install -d ${D}${sysconfdir}/pam.d - install -m 0644 ${WORKDIR}/dropbear ${D}${sysconfdir}/pam.d/ + install -m 0644 ${UNPACKDIR}/dropbear ${D}${sysconfdir}/pam.d/ fi # deal with systemd unit files - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/dropbearkey.service ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/dropbear@.service ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/dropbear.socket ${D}${systemd_unitdir}/system + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${UNPACKDIR}/dropbearkey.service ${D}${systemd_system_unitdir} + install -m 0644 ${UNPACKDIR}/dropbear@.service ${D}${systemd_system_unitdir} + install -m 0644 ${UNPACKDIR}/dropbear.socket ${D}${systemd_system_unitdir} sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ -e 's,@BINDIR@,${bindir},g' \ -e 's,@SBINDIR@,${sbindir},g' \ - ${D}${systemd_unitdir}/system/dropbear.socket ${D}${systemd_unitdir}/system/*.service + ${D}${systemd_system_unitdir}/dropbear.socket ${D}${systemd_system_unitdir}/*.service } inherit update-alternatives ALTERNATIVE_PRIORITY = "20" -ALTERNATIVE_${PN} = "scp ssh" +ALTERNATIVE:${PN} = "${@bb.utils.filter('BINCOMMANDS', 'scp ssh', d)}" ALTERNATIVE_TARGET = "${sbindir}/dropbearmulti" -pkg_postrm_append_${PN} () { +pkg_postrm:${PN} () { if [ -f "${sysconfdir}/dropbear/dropbear_rsa_host_key" ]; then rm ${sysconfdir}/dropbear/dropbear_rsa_host_key fi @@ -109,3 +127,5 @@ pkg_postrm_append_${PN} () { rm ${sysconfdir}/dropbear/dropbear_dss_host_key fi } + +CONFFILES:${PN} = "${sysconfdir}/default/dropbear" |