summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core/dropbear
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-core/dropbear')
-rw-r--r--meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch74
-rw-r--r--meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch20
-rw-r--r--meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch21
-rw-r--r--meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch17
-rw-r--r--meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch144
-rw-r--r--meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch31
-rw-r--r--meta/recipes-core/dropbear/dropbear/dropbearkey.service2
-rw-r--r--meta/recipes-core/dropbear/dropbear_2025.88.bb (renamed from meta/recipes-core/dropbear/dropbear_2022.83.bb)27
8 files changed, 115 insertions, 221 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
new file mode 100644
index 0000000000..967b66322f
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
@@ -0,0 +1,74 @@
1From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001
2From: Konstantin Demin <rockdrilla@gmail.com>
3Date: Fri, 9 May 2025 22:39:35 +0300
4Subject: [PATCH] Fix proxycmd without netcat
5
6fixes e5a0ef27c2 "Execute multihop commands directly, no shell"
7
8Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
9
10Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/5cc0127000db5f7567b54d0495fb91a8e452fe09]
11Signed-off-by: Peter Marko <peter.marko@siemens.com>
12---
13 src/cli-main.c | 12 +++++++++++-
14 1 file changed, 11 insertions(+), 1 deletion(-)
15
16diff --git a/src/cli-main.c b/src/cli-main.c
17index 2fafa88..0a052a3 100644
18--- a/src/cli-main.c
19+++ b/src/cli-main.c
20@@ -77,7 +77,11 @@ int main(int argc, char ** argv) {
21 }
22
23 #if DROPBEAR_CLI_PROXYCMD
24- if (cli_opts.proxycmd || cli_opts.proxyexec) {
25+ if (cli_opts.proxycmd
26+#if DROPBEAR_CLI_MULTIHOP
27+ || cli_opts.proxyexec
28+#endif
29+ ) {
30 cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
31 if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
32 signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
33@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) {
34 dropbear_exit("Failed to run '%s'\n", cmd);
35 }
36
37+#if DROPBEAR_CLI_MULTIHOP
38 static void exec_proxy_cmd(const void *unused) {
39 (void)unused;
40 run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd);
41 dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]);
42 }
43+#endif
44
45 static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
46 char * cmd_arg = NULL;
47@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
48 cmd_arg = m_malloc(shell_cmdlen);
49 snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
50 exec_fn = shell_proxy_cmd;
51+#if DROPBEAR_CLI_MULTIHOP
52 } else {
53 /* No shell */
54 exec_fn = exec_proxy_cmd;
55+#endif
56 }
57
58 ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
59@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
60 cleanup:
61 m_free(cli_opts.proxycmd);
62 m_free(cmd_arg);
63+#if DROPBEAR_CLI_MULTIHOP
64 if (cli_opts.proxyexec) {
65 char **a = NULL;
66 for (a = cli_opts.proxyexec; *a; a++) {
67@@ -166,6 +175,7 @@ cleanup:
68 }
69 m_free(cli_opts.proxyexec);
70 }
71+#endif
72 }
73
74 static void kill_proxy_sighandler(int UNUSED(signo)) {
diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
index 99adcfd770..0687e5dab1 100644
--- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
+++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
@@ -1,15 +1,18 @@
1Subject: [PATCH 1/6] urandom-xauth-changes-to-options.h 1From cdc6a4a57a86d8116a92a5d905993e65cf723556 Mon Sep 17 00:00:00 2001
2From: Richard Purdie <richard@openedhand.com>
3Date: Wed, 31 Aug 2005 10:45:47 +0000
4Subject: [PATCH] urandom-xauth-changes-to-options.h
2 5
3Upstream-Status: Inappropriate [configuration] 6Upstream-Status: Inappropriate [configuration]
4--- 7---
5 default_options.h | 2 +- 8 src/default_options.h | 2 +-
6 1 file changed, 1 insertion(+), 1 deletion(-) 9 1 file changed, 1 insertion(+), 1 deletion(-)
7 10
8diff --git a/default_options.h b/default_options.h 11diff --git a/src/default_options.h b/src/default_options.h
9index 349338c..5ffac25 100644 12index 6e970bb..ccc8b47 100644
10--- a/default_options.h 13--- a/src/default_options.h
11+++ b/default_options.h 14+++ b/src/default_options.h
12@@ -289,7 +289,7 @@ group1 in Dropbear server too */ 15@@ -317,7 +317,7 @@ group1 in Dropbear server too */
13 16
14 /* The command to invoke for xauth when using X11 forwarding. 17 /* The command to invoke for xauth when using X11 forwarding.
15 * "-q" for quiet */ 18 * "-q" for quiet */
@@ -18,6 +21,3 @@ index 349338c..5ffac25 100644
18 21
19 22
20 /* If you want to enable running an sftp server (such as the one included with 23 /* If you want to enable running an sftp server (such as the one included with
21--
222.25.1
23
diff --git a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch
index 32c3ea5f08..6743f506e9 100644
--- a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch
+++ b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch
@@ -1,7 +1,7 @@
1From b8cece92ba19aa77ac013ea161bfe4c7147747c9 Mon Sep 17 00:00:00 2001 1From 253ca01f0fc50dbaeb2ff8bcece0c34256eba94f Mon Sep 17 00:00:00 2001
2From: Jussi Kukkonen <jussi.kukkonen@intel.com> 2From: Jussi Kukkonen <jussi.kukkonen@intel.com>
3Date: Wed, 2 Dec 2015 11:36:02 +0200 3Date: Wed, 2 Dec 2015 11:36:02 +0200
4Subject: Enable pam 4Subject: [PATCH] Enable pam
5 5
6We need modify file default_options.h besides enabling pam in 6We need modify file default_options.h besides enabling pam in
7configure if we want dropbear to support pam. 7configure if we want dropbear to support pam.
@@ -11,14 +11,14 @@ Upstream-Status: Pending
11Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com> 11Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
12Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> 12Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
13--- 13---
14 default_options.h | 4 ++-- 14 src/default_options.h | 4 ++--
15 1 file changed, 2 insertions(+), 2 deletions(-) 15 1 file changed, 2 insertions(+), 2 deletions(-)
16 16
17diff --git a/default_options.h b/default_options.h 17diff --git a/src/default_options.h b/src/default_options.h
18index 0e3d027..349338c 100644 18index ccc8b47..12768d1 100644
19--- a/default_options.h 19--- a/src/default_options.h
20+++ b/default_options.h 20+++ b/src/default_options.h
21@@ -210,7 +210,7 @@ group1 in Dropbear server too */ 21@@ -228,7 +228,7 @@ group1 in Dropbear server too */
22 22
23 /* Authentication Types - at least one required. 23 /* Authentication Types - at least one required.
24 RFC Draft requires pubkey auth, and recommends password */ 24 RFC Draft requires pubkey auth, and recommends password */
@@ -27,7 +27,7 @@ index 0e3d027..349338c 100644
27 27
28 /* Note: PAM auth is quite simple and only works for PAM modules which just do 28 /* Note: PAM auth is quite simple and only works for PAM modules which just do
29 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). 29 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
30@@ -218,7 +218,7 @@ group1 in Dropbear server too */ 30@@ -236,7 +236,7 @@ group1 in Dropbear server too */
31 * but there's an interface via a PAM module. It won't work for more complex 31 * but there's an interface via a PAM module. It won't work for more complex
32 * PAM challenge/response. 32 * PAM challenge/response.
33 * You can't enable both PASSWORD and PAM. */ 33 * You can't enable both PASSWORD and PAM. */
@@ -36,6 +36,3 @@ index 0e3d027..349338c 100644
36 36
37 /* ~/.ssh/authorized_keys authentication. 37 /* ~/.ssh/authorized_keys authentication.
38 * You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */ 38 * You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */
39--
402.25.1
41
diff --git a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch
index deed78ffb9..44861088cc 100644
--- a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch
+++ b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch
@@ -1,4 +1,4 @@
1From e3a5db1b6d3f6382a15b2266458c26c645a10f18 Mon Sep 17 00:00:00 2001 1From 16b147f97f0938cddb55ec1c90bc919c13f26fc0 Mon Sep 17 00:00:00 2001
2From: Mingli Yu <Mingli.Yu@windriver.com> 2From: Mingli Yu <Mingli.Yu@windriver.com>
3Date: Thu, 6 Sep 2018 15:54:00 +0800 3Date: Thu, 6 Sep 2018 15:54:00 +0800
4Subject: [PATCH] dropbear configuration file 4Subject: [PATCH] dropbear configuration file
@@ -12,14 +12,14 @@ Signed-off-by: Maxin B. John <maxin.john@enea.com>
12Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com> 12Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
13Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> 13Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
14--- 14---
15 svr-authpam.c | 2 +- 15 src/svr-authpam.c | 2 +-
16 1 file changed, 1 insertion(+), 1 deletion(-) 16 1 file changed, 1 insertion(+), 1 deletion(-)
17 17
18diff --git a/svr-authpam.c b/svr-authpam.c 18diff --git a/src/svr-authpam.c b/src/svr-authpam.c
19index d201bc9..165ec5c 100644 19index ec14632..026102f 100644
20--- a/svr-authpam.c 20--- a/src/svr-authpam.c
21+++ b/svr-authpam.c 21+++ b/src/svr-authpam.c
22@@ -223,7 +223,7 @@ void svr_auth_pam(int valid_user) { 22@@ -224,7 +224,7 @@ void svr_auth_pam(int valid_user) {
23 } 23 }
24 24
25 /* Init pam */ 25 /* Init pam */
@@ -28,6 +28,3 @@ index d201bc9..165ec5c 100644
28 dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", 28 dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s",
29 rc, pam_strerror(pamHandlep, rc)); 29 rc, pam_strerror(pamHandlep, rc));
30 goto cleanup; 30 goto cleanup;
31--
322.7.4
33
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
deleted file mode 100644
index ec50d69816..0000000000
--- a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
+++ /dev/null
@@ -1,144 +0,0 @@
1From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001
2From: czurnieden <czurnieden@gmx.de>
3Date: Fri, 8 Sep 2023 10:07:32 +0000
4Subject: [PATCH] Fix possible integer overflow
5
6CVE: CVE-2023-36328
7
8Upstream-Status: Backport [https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9]
9
10Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
11---
12 libtommath/bn_mp_2expt.c | 4 ++++
13 libtommath/bn_mp_grow.c | 4 ++++
14 libtommath/bn_mp_init_size.c | 5 +++++
15 libtommath/bn_mp_mul_2d.c | 4 ++++
16 libtommath/bn_s_mp_mul_digs.c | 4 ++++
17 libtommath/bn_s_mp_mul_digs_fast.c | 4 ++++
18 libtommath/bn_s_mp_mul_high_digs.c | 4 ++++
19 libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++
20 8 files changed, 33 insertions(+)
21
22diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c
23index 0ae3df1..ca6fbc3 100644
24--- a/libtommath/bn_mp_2expt.c
25+++ b/libtommath/bn_mp_2expt.c
26@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b)
27 {
28 mp_err err;
29
30+ if (b < 0) {
31+ return MP_VAL;
32+ }
33+
34 /* zero a as per default */
35 mp_zero(a);
36
37diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c
38index 9e904c5..2b16826 100644
39--- a/libtommath/bn_mp_grow.c
40+++ b/libtommath/bn_mp_grow.c
41@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size)
42 int i;
43 mp_digit *tmp;
44
45+ if (size < 0) {
46+ return MP_VAL;
47+ }
48+
49 /* if the alloc size is smaller alloc more ram */
50 if (a->alloc < size) {
51 /* reallocate the array a->dp
52diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c
53index d622687..5fefa96 100644
54--- a/libtommath/bn_mp_init_size.c
55+++ b/libtommath/bn_mp_init_size.c
56@@ -6,6 +6,11 @@
57 /* init an mp_init for a given size */
58 mp_err mp_init_size(mp_int *a, int size)
59 {
60+
61+ if (size < 0) {
62+ return MP_VAL;
63+ }
64+
65 size = MP_MAX(MP_MIN_PREC, size);
66
67 /* alloc mem */
68diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c
69index 87354de..2744163 100644
70--- a/libtommath/bn_mp_mul_2d.c
71+++ b/libtommath/bn_mp_mul_2d.c
72@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c)
73 mp_digit d;
74 mp_err err;
75
76+ if (b < 0) {
77+ return MP_VAL;
78+ }
79+
80 /* copy */
81 if (a != c) {
82 if ((err = mp_copy(a, c)) != MP_OKAY) {
83diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c
84index 64509d4..2d2f5b0 100644
85--- a/libtommath/bn_s_mp_mul_digs.c
86+++ b/libtommath/bn_s_mp_mul_digs.c
87@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs)
88 mp_word r;
89 mp_digit tmpx, *tmpt, *tmpy;
90
91+ if (digs < 0) {
92+ return MP_VAL;
93+ }
94+
95 /* can we use the fast multiplier? */
96 if ((digs < MP_WARRAY) &&
97 (MP_MIN(a->used, b->used) < MP_MAXFAST)) {
98diff --git a/libtommath/bn_s_mp_mul_digs_fast.c b/libtommath/bn_s_mp_mul_digs_fast.c
99index b2a287b..d6dd3cc 100644
100--- a/libtommath/bn_s_mp_mul_digs_fast.c
101+++ b/libtommath/bn_s_mp_mul_digs_fast.c
102@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int digs)
103 mp_digit W[MP_WARRAY];
104 mp_word _W;
105
106+ if (digs < 0) {
107+ return MP_VAL;
108+ }
109+
110 /* grow the destination as required */
111 if (c->alloc < digs) {
112 if ((err = mp_grow(c, digs)) != MP_OKAY) {
113diff --git a/libtommath/bn_s_mp_mul_high_digs.c b/libtommath/bn_s_mp_mul_high_digs.c
114index 2bb2a50..c9dd355 100644
115--- a/libtommath/bn_s_mp_mul_high_digs.c
116+++ b/libtommath/bn_s_mp_mul_high_digs.c
117@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs)
118 mp_word r;
119 mp_digit tmpx, *tmpt, *tmpy;
120
121+ if (digs < 0) {
122+ return MP_VAL;
123+ }
124+
125 /* can we use the fast multiplier? */
126 if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)
127 && ((a->used + b->used + 1) < MP_WARRAY)
128diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c b/libtommath/bn_s_mp_mul_high_digs_fast.c
129index a2c4fb6..afe3e4b 100644
130--- a/libtommath/bn_s_mp_mul_high_digs_fast.c
131+++ b/libtommath/bn_s_mp_mul_high_digs_fast.c
132@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int
133 mp_digit W[MP_WARRAY];
134 mp_word _W;
135
136+ if (digs < 0) {
137+ return MP_VAL;
138+ }
139+
140 /* grow the destination as required */
141 pa = a->used + b->used;
142 if (c->alloc < pa) {
143--
1442.35.5
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
deleted file mode 100644
index 5c60868ed8..0000000000
--- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
+++ /dev/null
@@ -1,31 +0,0 @@
1From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001
2From: Joseph Reynolds <joseph.reynolds1@ibm.com>
3Date: Thu, 20 Jun 2019 16:29:15 -0500
4Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
5
6This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
7in the dropbear ssh server and client since they're considered weak ciphers
8and we want to support the stong algorithms.
9
10Upstream-Status: Inappropriate [configuration]
11Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
12---
13 default_options.h | 2 +-
14 1 file changed, 1 insertion(+), 1 deletion(-)
15
16diff --git a/default_options.h b/default_options.h
17index d417588..bc5200f 100644
18--- a/default_options.h
19+++ b/default_options.h
20@@ -180,7 +180,7 @@ IMPORTANT: Some options will require "make clean" after changes */
21 * Small systems should generally include either curve25519 or ecdh for performance.
22 * curve25519 is less widely supported but is faster
23 */
24-#define DROPBEAR_DH_GROUP14_SHA1 1
25+#define DROPBEAR_DH_GROUP14_SHA1 0
26 #define DROPBEAR_DH_GROUP14_SHA256 1
27 #define DROPBEAR_DH_GROUP16 0
28 #define DROPBEAR_CURVE25519 1
29--
302.25.1
31
diff --git a/meta/recipes-core/dropbear/dropbear/dropbearkey.service b/meta/recipes-core/dropbear/dropbear/dropbearkey.service
index 71a12a6110..501e47124f 100644
--- a/meta/recipes-core/dropbear/dropbear/dropbearkey.service
+++ b/meta/recipes-core/dropbear/dropbear/dropbearkey.service
@@ -9,6 +9,6 @@ Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear"
9EnvironmentFile=-/etc/default/dropbear 9EnvironmentFile=-/etc/default/dropbear
10Type=oneshot 10Type=oneshot
11ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR} 11ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR}
12ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key 12ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key $DROPBEAR_RSAKEY_ARGS
13RemainAfterExit=yes 13RemainAfterExit=yes
14Nice=10 14Nice=10
diff --git a/meta/recipes-core/dropbear/dropbear_2022.83.bb b/meta/recipes-core/dropbear/dropbear_2025.88.bb
index 528eff1a10..72a886d907 100644
--- a/meta/recipes-core/dropbear/dropbear_2022.83.bb
+++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb
@@ -19,12 +19,12 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
19 file://dropbear@.service \ 19 file://dropbear@.service \
20 file://dropbear.socket \ 20 file://dropbear.socket \
21 file://dropbear.default \ 21 file://dropbear.default \
22 file://0001-Fix-proxycmd-without-netcat.patch \
22 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ 23 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
23 ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
24 file://CVE-2023-36328.patch \
25 " 24 "
26 25
27SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b" 26SRC_URI[sha256sum] = "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4"
27MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/"
28 28
29PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ 29PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
30 file://0006-dropbear-configuration-file.patch \ 30 file://0006-dropbear-configuration-file.patch \
@@ -48,11 +48,10 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
48BINCOMMANDS = "dbclient ssh scp" 48BINCOMMANDS = "dbclient ssh scp"
49EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' 49EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
50 50
51PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" 51PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam x11', d)}"
52PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}" 52PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}"
53PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt" 53PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
54PACKAGECONFIG[disable-weak-ciphers] = "" 54PACKAGECONFIG[x11] = ",,,,xauth"
55PACKAGECONFIG[enable-x11-forwarding] = ""
56 55
57# This option appends to CFLAGS and LDFLAGS from OE 56# This option appends to CFLAGS and LDFLAGS from OE
58# This is causing [textrel] QA warning 57# This is causing [textrel] QA warning
@@ -63,7 +62,7 @@ EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
63 62
64do_configure:append() { 63do_configure:append() {
65 echo "/* Dropbear features */" > ${B}/localoptions.h 64 echo "/* Dropbear features */" > ${B}/localoptions.h
66 if ${@bb.utils.contains('PACKAGECONFIG', 'enable-x11-forwarding', 'true', 'false', d)}; then 65 if ${@bb.utils.contains('PACKAGECONFIG', 'x11', 'true', 'false', d)}; then
67 echo "#define DROPBEAR_X11FWD 1" >> ${B}/localoptions.h 66 echo "#define DROPBEAR_X11FWD 1" >> ${B}/localoptions.h
68 fi 67 fi
69} 68}
@@ -77,7 +76,7 @@ do_install() {
77 ${D}${sbindir} \ 76 ${D}${sbindir} \
78 ${D}${localstatedir} 77 ${D}${localstatedir}
79 78
80 install -m 0644 ${WORKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear 79 install -m 0644 ${UNPACKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear
81 80
82 install -m 0755 dropbearmulti ${D}${sbindir}/ 81 install -m 0755 dropbearmulti ${D}${sbindir}/
83 82
@@ -95,18 +94,18 @@ do_install() {
95 -e 's,/usr/sbin,${sbindir},g' \ 94 -e 's,/usr/sbin,${sbindir},g' \
96 -e 's,/var,${localstatedir},g' \ 95 -e 's,/var,${localstatedir},g' \
97 -e 's,/usr/bin,${bindir},g' \ 96 -e 's,/usr/bin,${bindir},g' \
98 -e 's,/usr,${prefix},g' ${WORKDIR}/init > ${D}${sysconfdir}/init.d/dropbear 97 -e 's,/usr,${prefix},g' ${UNPACKDIR}/init > ${D}${sysconfdir}/init.d/dropbear
99 chmod 755 ${D}${sysconfdir}/init.d/dropbear 98 chmod 755 ${D}${sysconfdir}/init.d/dropbear
100 if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then 99 if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
101 install -d ${D}${sysconfdir}/pam.d 100 install -d ${D}${sysconfdir}/pam.d
102 install -m 0644 ${WORKDIR}/dropbear ${D}${sysconfdir}/pam.d/ 101 install -m 0644 ${UNPACKDIR}/dropbear ${D}${sysconfdir}/pam.d/
103 fi 102 fi
104 103
105 # deal with systemd unit files 104 # deal with systemd unit files
106 install -d ${D}${systemd_system_unitdir} 105 install -d ${D}${systemd_system_unitdir}
107 install -m 0644 ${WORKDIR}/dropbearkey.service ${D}${systemd_system_unitdir} 106 install -m 0644 ${UNPACKDIR}/dropbearkey.service ${D}${systemd_system_unitdir}
108 install -m 0644 ${WORKDIR}/dropbear@.service ${D}${systemd_system_unitdir} 107 install -m 0644 ${UNPACKDIR}/dropbear@.service ${D}${systemd_system_unitdir}
109 install -m 0644 ${WORKDIR}/dropbear.socket ${D}${systemd_system_unitdir} 108 install -m 0644 ${UNPACKDIR}/dropbear.socket ${D}${systemd_system_unitdir}
110 sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ 109 sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
111 -e 's,@BINDIR@,${bindir},g' \ 110 -e 's,@BINDIR@,${bindir},g' \
112 -e 's,@SBINDIR@,${sbindir},g' \ 111 -e 's,@SBINDIR@,${sbindir},g' \
@@ -130,3 +129,5 @@ pkg_postrm:${PN} () {
130} 129}
131 130
132CONFFILES:${PN} = "${sysconfdir}/default/dropbear" 131CONFFILES:${PN} = "${sysconfdir}/default/dropbear"
132
133FILES:${PN} += "${systemd_system_unitdir}/dropbearkey.service"