diff options
Diffstat (limited to 'meta/recipes-core/dropbear')
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch | 74 | ||||
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch | 20 | ||||
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch | 21 | ||||
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch | 17 | ||||
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch | 144 | ||||
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch | 31 | ||||
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/dropbearkey.service | 2 | ||||
-rw-r--r-- | meta/recipes-core/dropbear/dropbear_2025.88.bb (renamed from meta/recipes-core/dropbear/dropbear_2022.83.bb) | 27 |
8 files changed, 115 insertions, 221 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch new file mode 100644 index 0000000000..967b66322f --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch | |||
@@ -0,0 +1,74 @@ | |||
1 | From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001 | ||
2 | From: Konstantin Demin <rockdrilla@gmail.com> | ||
3 | Date: Fri, 9 May 2025 22:39:35 +0300 | ||
4 | Subject: [PATCH] Fix proxycmd without netcat | ||
5 | |||
6 | fixes e5a0ef27c2 "Execute multihop commands directly, no shell" | ||
7 | |||
8 | Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/5cc0127000db5f7567b54d0495fb91a8e452fe09] | ||
11 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
12 | --- | ||
13 | src/cli-main.c | 12 +++++++++++- | ||
14 | 1 file changed, 11 insertions(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/src/cli-main.c b/src/cli-main.c | ||
17 | index 2fafa88..0a052a3 100644 | ||
18 | --- a/src/cli-main.c | ||
19 | +++ b/src/cli-main.c | ||
20 | @@ -77,7 +77,11 @@ int main(int argc, char ** argv) { | ||
21 | } | ||
22 | |||
23 | #if DROPBEAR_CLI_PROXYCMD | ||
24 | - if (cli_opts.proxycmd || cli_opts.proxyexec) { | ||
25 | + if (cli_opts.proxycmd | ||
26 | +#if DROPBEAR_CLI_MULTIHOP | ||
27 | + || cli_opts.proxyexec | ||
28 | +#endif | ||
29 | + ) { | ||
30 | cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid); | ||
31 | if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR || | ||
32 | signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR || | ||
33 | @@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) { | ||
34 | dropbear_exit("Failed to run '%s'\n", cmd); | ||
35 | } | ||
36 | |||
37 | +#if DROPBEAR_CLI_MULTIHOP | ||
38 | static void exec_proxy_cmd(const void *unused) { | ||
39 | (void)unused; | ||
40 | run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd); | ||
41 | dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]); | ||
42 | } | ||
43 | +#endif | ||
44 | |||
45 | static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { | ||
46 | char * cmd_arg = NULL; | ||
47 | @@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { | ||
48 | cmd_arg = m_malloc(shell_cmdlen); | ||
49 | snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd); | ||
50 | exec_fn = shell_proxy_cmd; | ||
51 | +#if DROPBEAR_CLI_MULTIHOP | ||
52 | } else { | ||
53 | /* No shell */ | ||
54 | exec_fn = exec_proxy_cmd; | ||
55 | +#endif | ||
56 | } | ||
57 | |||
58 | ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out); | ||
59 | @@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { | ||
60 | cleanup: | ||
61 | m_free(cli_opts.proxycmd); | ||
62 | m_free(cmd_arg); | ||
63 | +#if DROPBEAR_CLI_MULTIHOP | ||
64 | if (cli_opts.proxyexec) { | ||
65 | char **a = NULL; | ||
66 | for (a = cli_opts.proxyexec; *a; a++) { | ||
67 | @@ -166,6 +175,7 @@ cleanup: | ||
68 | } | ||
69 | m_free(cli_opts.proxyexec); | ||
70 | } | ||
71 | +#endif | ||
72 | } | ||
73 | |||
74 | static void kill_proxy_sighandler(int UNUSED(signo)) { | ||
diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch index 99adcfd770..0687e5dab1 100644 --- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch +++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch | |||
@@ -1,15 +1,18 @@ | |||
1 | Subject: [PATCH 1/6] urandom-xauth-changes-to-options.h | 1 | From cdc6a4a57a86d8116a92a5d905993e65cf723556 Mon Sep 17 00:00:00 2001 |
2 | From: Richard Purdie <richard@openedhand.com> | ||
3 | Date: Wed, 31 Aug 2005 10:45:47 +0000 | ||
4 | Subject: [PATCH] urandom-xauth-changes-to-options.h | ||
2 | 5 | ||
3 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Inappropriate [configuration] |
4 | --- | 7 | --- |
5 | default_options.h | 2 +- | 8 | src/default_options.h | 2 +- |
6 | 1 file changed, 1 insertion(+), 1 deletion(-) | 9 | 1 file changed, 1 insertion(+), 1 deletion(-) |
7 | 10 | ||
8 | diff --git a/default_options.h b/default_options.h | 11 | diff --git a/src/default_options.h b/src/default_options.h |
9 | index 349338c..5ffac25 100644 | 12 | index 6e970bb..ccc8b47 100644 |
10 | --- a/default_options.h | 13 | --- a/src/default_options.h |
11 | +++ b/default_options.h | 14 | +++ b/src/default_options.h |
12 | @@ -289,7 +289,7 @@ group1 in Dropbear server too */ | 15 | @@ -317,7 +317,7 @@ group1 in Dropbear server too */ |
13 | 16 | ||
14 | /* The command to invoke for xauth when using X11 forwarding. | 17 | /* The command to invoke for xauth when using X11 forwarding. |
15 | * "-q" for quiet */ | 18 | * "-q" for quiet */ |
@@ -18,6 +21,3 @@ index 349338c..5ffac25 100644 | |||
18 | 21 | ||
19 | 22 | ||
20 | /* If you want to enable running an sftp server (such as the one included with | 23 | /* If you want to enable running an sftp server (such as the one included with |
21 | -- | ||
22 | 2.25.1 | ||
23 | |||
diff --git a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch index 32c3ea5f08..6743f506e9 100644 --- a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch +++ b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From b8cece92ba19aa77ac013ea161bfe4c7147747c9 Mon Sep 17 00:00:00 2001 | 1 | From 253ca01f0fc50dbaeb2ff8bcece0c34256eba94f Mon Sep 17 00:00:00 2001 |
2 | From: Jussi Kukkonen <jussi.kukkonen@intel.com> | 2 | From: Jussi Kukkonen <jussi.kukkonen@intel.com> |
3 | Date: Wed, 2 Dec 2015 11:36:02 +0200 | 3 | Date: Wed, 2 Dec 2015 11:36:02 +0200 |
4 | Subject: Enable pam | 4 | Subject: [PATCH] Enable pam |
5 | 5 | ||
6 | We need modify file default_options.h besides enabling pam in | 6 | We need modify file default_options.h besides enabling pam in |
7 | configure if we want dropbear to support pam. | 7 | configure if we want dropbear to support pam. |
@@ -11,14 +11,14 @@ Upstream-Status: Pending | |||
11 | Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com> | 11 | Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com> |
12 | Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> | 12 | Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> |
13 | --- | 13 | --- |
14 | default_options.h | 4 ++-- | 14 | src/default_options.h | 4 ++-- |
15 | 1 file changed, 2 insertions(+), 2 deletions(-) | 15 | 1 file changed, 2 insertions(+), 2 deletions(-) |
16 | 16 | ||
17 | diff --git a/default_options.h b/default_options.h | 17 | diff --git a/src/default_options.h b/src/default_options.h |
18 | index 0e3d027..349338c 100644 | 18 | index ccc8b47..12768d1 100644 |
19 | --- a/default_options.h | 19 | --- a/src/default_options.h |
20 | +++ b/default_options.h | 20 | +++ b/src/default_options.h |
21 | @@ -210,7 +210,7 @@ group1 in Dropbear server too */ | 21 | @@ -228,7 +228,7 @@ group1 in Dropbear server too */ |
22 | 22 | ||
23 | /* Authentication Types - at least one required. | 23 | /* Authentication Types - at least one required. |
24 | RFC Draft requires pubkey auth, and recommends password */ | 24 | RFC Draft requires pubkey auth, and recommends password */ |
@@ -27,7 +27,7 @@ index 0e3d027..349338c 100644 | |||
27 | 27 | ||
28 | /* Note: PAM auth is quite simple and only works for PAM modules which just do | 28 | /* Note: PAM auth is quite simple and only works for PAM modules which just do |
29 | * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). | 29 | * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). |
30 | @@ -218,7 +218,7 @@ group1 in Dropbear server too */ | 30 | @@ -236,7 +236,7 @@ group1 in Dropbear server too */ |
31 | * but there's an interface via a PAM module. It won't work for more complex | 31 | * but there's an interface via a PAM module. It won't work for more complex |
32 | * PAM challenge/response. | 32 | * PAM challenge/response. |
33 | * You can't enable both PASSWORD and PAM. */ | 33 | * You can't enable both PASSWORD and PAM. */ |
@@ -36,6 +36,3 @@ index 0e3d027..349338c 100644 | |||
36 | 36 | ||
37 | /* ~/.ssh/authorized_keys authentication. | 37 | /* ~/.ssh/authorized_keys authentication. |
38 | * You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */ | 38 | * You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */ |
39 | -- | ||
40 | 2.25.1 | ||
41 | |||
diff --git a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch index deed78ffb9..44861088cc 100644 --- a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch +++ b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e3a5db1b6d3f6382a15b2266458c26c645a10f18 Mon Sep 17 00:00:00 2001 | 1 | From 16b147f97f0938cddb55ec1c90bc919c13f26fc0 Mon Sep 17 00:00:00 2001 |
2 | From: Mingli Yu <Mingli.Yu@windriver.com> | 2 | From: Mingli Yu <Mingli.Yu@windriver.com> |
3 | Date: Thu, 6 Sep 2018 15:54:00 +0800 | 3 | Date: Thu, 6 Sep 2018 15:54:00 +0800 |
4 | Subject: [PATCH] dropbear configuration file | 4 | Subject: [PATCH] dropbear configuration file |
@@ -12,14 +12,14 @@ Signed-off-by: Maxin B. John <maxin.john@enea.com> | |||
12 | Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com> | 12 | Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com> |
13 | Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> | 13 | Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> |
14 | --- | 14 | --- |
15 | svr-authpam.c | 2 +- | 15 | src/svr-authpam.c | 2 +- |
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | 16 | 1 file changed, 1 insertion(+), 1 deletion(-) |
17 | 17 | ||
18 | diff --git a/svr-authpam.c b/svr-authpam.c | 18 | diff --git a/src/svr-authpam.c b/src/svr-authpam.c |
19 | index d201bc9..165ec5c 100644 | 19 | index ec14632..026102f 100644 |
20 | --- a/svr-authpam.c | 20 | --- a/src/svr-authpam.c |
21 | +++ b/svr-authpam.c | 21 | +++ b/src/svr-authpam.c |
22 | @@ -223,7 +223,7 @@ void svr_auth_pam(int valid_user) { | 22 | @@ -224,7 +224,7 @@ void svr_auth_pam(int valid_user) { |
23 | } | 23 | } |
24 | 24 | ||
25 | /* Init pam */ | 25 | /* Init pam */ |
@@ -28,6 +28,3 @@ index d201bc9..165ec5c 100644 | |||
28 | dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", | 28 | dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", |
29 | rc, pam_strerror(pamHandlep, rc)); | 29 | rc, pam_strerror(pamHandlep, rc)); |
30 | goto cleanup; | 30 | goto cleanup; |
31 | -- | ||
32 | 2.7.4 | ||
33 | |||
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch deleted file mode 100644 index ec50d69816..0000000000 --- a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch +++ /dev/null | |||
@@ -1,144 +0,0 @@ | |||
1 | From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001 | ||
2 | From: czurnieden <czurnieden@gmx.de> | ||
3 | Date: Fri, 8 Sep 2023 10:07:32 +0000 | ||
4 | Subject: [PATCH] Fix possible integer overflow | ||
5 | |||
6 | CVE: CVE-2023-36328 | ||
7 | |||
8 | Upstream-Status: Backport [https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9] | ||
9 | |||
10 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
11 | --- | ||
12 | libtommath/bn_mp_2expt.c | 4 ++++ | ||
13 | libtommath/bn_mp_grow.c | 4 ++++ | ||
14 | libtommath/bn_mp_init_size.c | 5 +++++ | ||
15 | libtommath/bn_mp_mul_2d.c | 4 ++++ | ||
16 | libtommath/bn_s_mp_mul_digs.c | 4 ++++ | ||
17 | libtommath/bn_s_mp_mul_digs_fast.c | 4 ++++ | ||
18 | libtommath/bn_s_mp_mul_high_digs.c | 4 ++++ | ||
19 | libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++ | ||
20 | 8 files changed, 33 insertions(+) | ||
21 | |||
22 | diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c | ||
23 | index 0ae3df1..ca6fbc3 100644 | ||
24 | --- a/libtommath/bn_mp_2expt.c | ||
25 | +++ b/libtommath/bn_mp_2expt.c | ||
26 | @@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b) | ||
27 | { | ||
28 | mp_err err; | ||
29 | |||
30 | + if (b < 0) { | ||
31 | + return MP_VAL; | ||
32 | + } | ||
33 | + | ||
34 | /* zero a as per default */ | ||
35 | mp_zero(a); | ||
36 | |||
37 | diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c | ||
38 | index 9e904c5..2b16826 100644 | ||
39 | --- a/libtommath/bn_mp_grow.c | ||
40 | +++ b/libtommath/bn_mp_grow.c | ||
41 | @@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size) | ||
42 | int i; | ||
43 | mp_digit *tmp; | ||
44 | |||
45 | + if (size < 0) { | ||
46 | + return MP_VAL; | ||
47 | + } | ||
48 | + | ||
49 | /* if the alloc size is smaller alloc more ram */ | ||
50 | if (a->alloc < size) { | ||
51 | /* reallocate the array a->dp | ||
52 | diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c | ||
53 | index d622687..5fefa96 100644 | ||
54 | --- a/libtommath/bn_mp_init_size.c | ||
55 | +++ b/libtommath/bn_mp_init_size.c | ||
56 | @@ -6,6 +6,11 @@ | ||
57 | /* init an mp_init for a given size */ | ||
58 | mp_err mp_init_size(mp_int *a, int size) | ||
59 | { | ||
60 | + | ||
61 | + if (size < 0) { | ||
62 | + return MP_VAL; | ||
63 | + } | ||
64 | + | ||
65 | size = MP_MAX(MP_MIN_PREC, size); | ||
66 | |||
67 | /* alloc mem */ | ||
68 | diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c | ||
69 | index 87354de..2744163 100644 | ||
70 | --- a/libtommath/bn_mp_mul_2d.c | ||
71 | +++ b/libtommath/bn_mp_mul_2d.c | ||
72 | @@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c) | ||
73 | mp_digit d; | ||
74 | mp_err err; | ||
75 | |||
76 | + if (b < 0) { | ||
77 | + return MP_VAL; | ||
78 | + } | ||
79 | + | ||
80 | /* copy */ | ||
81 | if (a != c) { | ||
82 | if ((err = mp_copy(a, c)) != MP_OKAY) { | ||
83 | diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c | ||
84 | index 64509d4..2d2f5b0 100644 | ||
85 | --- a/libtommath/bn_s_mp_mul_digs.c | ||
86 | +++ b/libtommath/bn_s_mp_mul_digs.c | ||
87 | @@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) | ||
88 | mp_word r; | ||
89 | mp_digit tmpx, *tmpt, *tmpy; | ||
90 | |||
91 | + if (digs < 0) { | ||
92 | + return MP_VAL; | ||
93 | + } | ||
94 | + | ||
95 | /* can we use the fast multiplier? */ | ||
96 | if ((digs < MP_WARRAY) && | ||
97 | (MP_MIN(a->used, b->used) < MP_MAXFAST)) { | ||
98 | diff --git a/libtommath/bn_s_mp_mul_digs_fast.c b/libtommath/bn_s_mp_mul_digs_fast.c | ||
99 | index b2a287b..d6dd3cc 100644 | ||
100 | --- a/libtommath/bn_s_mp_mul_digs_fast.c | ||
101 | +++ b/libtommath/bn_s_mp_mul_digs_fast.c | ||
102 | @@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int digs) | ||
103 | mp_digit W[MP_WARRAY]; | ||
104 | mp_word _W; | ||
105 | |||
106 | + if (digs < 0) { | ||
107 | + return MP_VAL; | ||
108 | + } | ||
109 | + | ||
110 | /* grow the destination as required */ | ||
111 | if (c->alloc < digs) { | ||
112 | if ((err = mp_grow(c, digs)) != MP_OKAY) { | ||
113 | diff --git a/libtommath/bn_s_mp_mul_high_digs.c b/libtommath/bn_s_mp_mul_high_digs.c | ||
114 | index 2bb2a50..c9dd355 100644 | ||
115 | --- a/libtommath/bn_s_mp_mul_high_digs.c | ||
116 | +++ b/libtommath/bn_s_mp_mul_high_digs.c | ||
117 | @@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) | ||
118 | mp_word r; | ||
119 | mp_digit tmpx, *tmpt, *tmpy; | ||
120 | |||
121 | + if (digs < 0) { | ||
122 | + return MP_VAL; | ||
123 | + } | ||
124 | + | ||
125 | /* can we use the fast multiplier? */ | ||
126 | if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST) | ||
127 | && ((a->used + b->used + 1) < MP_WARRAY) | ||
128 | diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c b/libtommath/bn_s_mp_mul_high_digs_fast.c | ||
129 | index a2c4fb6..afe3e4b 100644 | ||
130 | --- a/libtommath/bn_s_mp_mul_high_digs_fast.c | ||
131 | +++ b/libtommath/bn_s_mp_mul_high_digs_fast.c | ||
132 | @@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int | ||
133 | mp_digit W[MP_WARRAY]; | ||
134 | mp_word _W; | ||
135 | |||
136 | + if (digs < 0) { | ||
137 | + return MP_VAL; | ||
138 | + } | ||
139 | + | ||
140 | /* grow the destination as required */ | ||
141 | pa = a->used + b->used; | ||
142 | if (c->alloc < pa) { | ||
143 | -- | ||
144 | 2.35.5 | ||
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch deleted file mode 100644 index 5c60868ed8..0000000000 --- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch +++ /dev/null | |||
@@ -1,31 +0,0 @@ | |||
1 | From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Joseph Reynolds <joseph.reynolds1@ibm.com> | ||
3 | Date: Thu, 20 Jun 2019 16:29:15 -0500 | ||
4 | Subject: [PATCH] dropbear: new feature: disable-weak-ciphers | ||
5 | |||
6 | This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers | ||
7 | in the dropbear ssh server and client since they're considered weak ciphers | ||
8 | and we want to support the stong algorithms. | ||
9 | |||
10 | Upstream-Status: Inappropriate [configuration] | ||
11 | Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com> | ||
12 | --- | ||
13 | default_options.h | 2 +- | ||
14 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/default_options.h b/default_options.h | ||
17 | index d417588..bc5200f 100644 | ||
18 | --- a/default_options.h | ||
19 | +++ b/default_options.h | ||
20 | @@ -180,7 +180,7 @@ IMPORTANT: Some options will require "make clean" after changes */ | ||
21 | * Small systems should generally include either curve25519 or ecdh for performance. | ||
22 | * curve25519 is less widely supported but is faster | ||
23 | */ | ||
24 | -#define DROPBEAR_DH_GROUP14_SHA1 1 | ||
25 | +#define DROPBEAR_DH_GROUP14_SHA1 0 | ||
26 | #define DROPBEAR_DH_GROUP14_SHA256 1 | ||
27 | #define DROPBEAR_DH_GROUP16 0 | ||
28 | #define DROPBEAR_CURVE25519 1 | ||
29 | -- | ||
30 | 2.25.1 | ||
31 | |||
diff --git a/meta/recipes-core/dropbear/dropbear/dropbearkey.service b/meta/recipes-core/dropbear/dropbear/dropbearkey.service index 71a12a6110..501e47124f 100644 --- a/meta/recipes-core/dropbear/dropbear/dropbearkey.service +++ b/meta/recipes-core/dropbear/dropbear/dropbearkey.service | |||
@@ -9,6 +9,6 @@ Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear" | |||
9 | EnvironmentFile=-/etc/default/dropbear | 9 | EnvironmentFile=-/etc/default/dropbear |
10 | Type=oneshot | 10 | Type=oneshot |
11 | ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR} | 11 | ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR} |
12 | ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key | 12 | ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key $DROPBEAR_RSAKEY_ARGS |
13 | RemainAfterExit=yes | 13 | RemainAfterExit=yes |
14 | Nice=10 | 14 | Nice=10 |
diff --git a/meta/recipes-core/dropbear/dropbear_2022.83.bb b/meta/recipes-core/dropbear/dropbear_2025.88.bb index 528eff1a10..72a886d907 100644 --- a/meta/recipes-core/dropbear/dropbear_2022.83.bb +++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb | |||
@@ -19,12 +19,12 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ | |||
19 | file://dropbear@.service \ | 19 | file://dropbear@.service \ |
20 | file://dropbear.socket \ | 20 | file://dropbear.socket \ |
21 | file://dropbear.default \ | 21 | file://dropbear.default \ |
22 | file://0001-Fix-proxycmd-without-netcat.patch \ | ||
22 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ | 23 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ |
23 | ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ | ||
24 | file://CVE-2023-36328.patch \ | ||
25 | " | 24 | " |
26 | 25 | ||
27 | SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b" | 26 | SRC_URI[sha256sum] = "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4" |
27 | MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/" | ||
28 | 28 | ||
29 | PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ | 29 | PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ |
30 | file://0006-dropbear-configuration-file.patch \ | 30 | file://0006-dropbear-configuration-file.patch \ |
@@ -48,11 +48,10 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert" | |||
48 | BINCOMMANDS = "dbclient ssh scp" | 48 | BINCOMMANDS = "dbclient ssh scp" |
49 | EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' | 49 | EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' |
50 | 50 | ||
51 | PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" | 51 | PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam x11', d)}" |
52 | PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}" | 52 | PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}" |
53 | PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt" | 53 | PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt" |
54 | PACKAGECONFIG[disable-weak-ciphers] = "" | 54 | PACKAGECONFIG[x11] = ",,,,xauth" |
55 | PACKAGECONFIG[enable-x11-forwarding] = "" | ||
56 | 55 | ||
57 | # This option appends to CFLAGS and LDFLAGS from OE | 56 | # This option appends to CFLAGS and LDFLAGS from OE |
58 | # This is causing [textrel] QA warning | 57 | # This is causing [textrel] QA warning |
@@ -63,7 +62,7 @@ EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog" | |||
63 | 62 | ||
64 | do_configure:append() { | 63 | do_configure:append() { |
65 | echo "/* Dropbear features */" > ${B}/localoptions.h | 64 | echo "/* Dropbear features */" > ${B}/localoptions.h |
66 | if ${@bb.utils.contains('PACKAGECONFIG', 'enable-x11-forwarding', 'true', 'false', d)}; then | 65 | if ${@bb.utils.contains('PACKAGECONFIG', 'x11', 'true', 'false', d)}; then |
67 | echo "#define DROPBEAR_X11FWD 1" >> ${B}/localoptions.h | 66 | echo "#define DROPBEAR_X11FWD 1" >> ${B}/localoptions.h |
68 | fi | 67 | fi |
69 | } | 68 | } |
@@ -77,7 +76,7 @@ do_install() { | |||
77 | ${D}${sbindir} \ | 76 | ${D}${sbindir} \ |
78 | ${D}${localstatedir} | 77 | ${D}${localstatedir} |
79 | 78 | ||
80 | install -m 0644 ${WORKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear | 79 | install -m 0644 ${UNPACKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear |
81 | 80 | ||
82 | install -m 0755 dropbearmulti ${D}${sbindir}/ | 81 | install -m 0755 dropbearmulti ${D}${sbindir}/ |
83 | 82 | ||
@@ -95,18 +94,18 @@ do_install() { | |||
95 | -e 's,/usr/sbin,${sbindir},g' \ | 94 | -e 's,/usr/sbin,${sbindir},g' \ |
96 | -e 's,/var,${localstatedir},g' \ | 95 | -e 's,/var,${localstatedir},g' \ |
97 | -e 's,/usr/bin,${bindir},g' \ | 96 | -e 's,/usr/bin,${bindir},g' \ |
98 | -e 's,/usr,${prefix},g' ${WORKDIR}/init > ${D}${sysconfdir}/init.d/dropbear | 97 | -e 's,/usr,${prefix},g' ${UNPACKDIR}/init > ${D}${sysconfdir}/init.d/dropbear |
99 | chmod 755 ${D}${sysconfdir}/init.d/dropbear | 98 | chmod 755 ${D}${sysconfdir}/init.d/dropbear |
100 | if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then | 99 | if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then |
101 | install -d ${D}${sysconfdir}/pam.d | 100 | install -d ${D}${sysconfdir}/pam.d |
102 | install -m 0644 ${WORKDIR}/dropbear ${D}${sysconfdir}/pam.d/ | 101 | install -m 0644 ${UNPACKDIR}/dropbear ${D}${sysconfdir}/pam.d/ |
103 | fi | 102 | fi |
104 | 103 | ||
105 | # deal with systemd unit files | 104 | # deal with systemd unit files |
106 | install -d ${D}${systemd_system_unitdir} | 105 | install -d ${D}${systemd_system_unitdir} |
107 | install -m 0644 ${WORKDIR}/dropbearkey.service ${D}${systemd_system_unitdir} | 106 | install -m 0644 ${UNPACKDIR}/dropbearkey.service ${D}${systemd_system_unitdir} |
108 | install -m 0644 ${WORKDIR}/dropbear@.service ${D}${systemd_system_unitdir} | 107 | install -m 0644 ${UNPACKDIR}/dropbear@.service ${D}${systemd_system_unitdir} |
109 | install -m 0644 ${WORKDIR}/dropbear.socket ${D}${systemd_system_unitdir} | 108 | install -m 0644 ${UNPACKDIR}/dropbear.socket ${D}${systemd_system_unitdir} |
110 | sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ | 109 | sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ |
111 | -e 's,@BINDIR@,${bindir},g' \ | 110 | -e 's,@BINDIR@,${bindir},g' \ |
112 | -e 's,@SBINDIR@,${sbindir},g' \ | 111 | -e 's,@SBINDIR@,${sbindir},g' \ |
@@ -130,3 +129,5 @@ pkg_postrm:${PN} () { | |||
130 | } | 129 | } |
131 | 130 | ||
132 | CONFFILES:${PN} = "${sysconfdir}/default/dropbear" | 131 | CONFFILES:${PN} = "${sysconfdir}/default/dropbear" |
132 | |||
133 | FILES:${PN} += "${systemd_system_unitdir}/dropbearkey.service" | ||