diff options
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch | 74 | ||||
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch | 2 | ||||
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch | 28 | ||||
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear_2025.88.bb (renamed from meta/recipes-core/dropbear/dropbear_2024.86.bb) | 7 |
4 files changed, 78 insertions, 33 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch new file mode 100644 index 0000000000..967b66322f --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch | |||
| @@ -0,0 +1,74 @@ | |||
| 1 | From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Konstantin Demin <rockdrilla@gmail.com> | ||
| 3 | Date: Fri, 9 May 2025 22:39:35 +0300 | ||
| 4 | Subject: [PATCH] Fix proxycmd without netcat | ||
| 5 | |||
| 6 | fixes e5a0ef27c2 "Execute multihop commands directly, no shell" | ||
| 7 | |||
| 8 | Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> | ||
| 9 | |||
| 10 | Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/5cc0127000db5f7567b54d0495fb91a8e452fe09] | ||
| 11 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
| 12 | --- | ||
| 13 | src/cli-main.c | 12 +++++++++++- | ||
| 14 | 1 file changed, 11 insertions(+), 1 deletion(-) | ||
| 15 | |||
| 16 | diff --git a/src/cli-main.c b/src/cli-main.c | ||
| 17 | index 2fafa88..0a052a3 100644 | ||
| 18 | --- a/src/cli-main.c | ||
| 19 | +++ b/src/cli-main.c | ||
| 20 | @@ -77,7 +77,11 @@ int main(int argc, char ** argv) { | ||
| 21 | } | ||
| 22 | |||
| 23 | #if DROPBEAR_CLI_PROXYCMD | ||
| 24 | - if (cli_opts.proxycmd || cli_opts.proxyexec) { | ||
| 25 | + if (cli_opts.proxycmd | ||
| 26 | +#if DROPBEAR_CLI_MULTIHOP | ||
| 27 | + || cli_opts.proxyexec | ||
| 28 | +#endif | ||
| 29 | + ) { | ||
| 30 | cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid); | ||
| 31 | if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR || | ||
| 32 | signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR || | ||
| 33 | @@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) { | ||
| 34 | dropbear_exit("Failed to run '%s'\n", cmd); | ||
| 35 | } | ||
| 36 | |||
| 37 | +#if DROPBEAR_CLI_MULTIHOP | ||
| 38 | static void exec_proxy_cmd(const void *unused) { | ||
| 39 | (void)unused; | ||
| 40 | run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd); | ||
| 41 | dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]); | ||
| 42 | } | ||
| 43 | +#endif | ||
| 44 | |||
| 45 | static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { | ||
| 46 | char * cmd_arg = NULL; | ||
| 47 | @@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { | ||
| 48 | cmd_arg = m_malloc(shell_cmdlen); | ||
| 49 | snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd); | ||
| 50 | exec_fn = shell_proxy_cmd; | ||
| 51 | +#if DROPBEAR_CLI_MULTIHOP | ||
| 52 | } else { | ||
| 53 | /* No shell */ | ||
| 54 | exec_fn = exec_proxy_cmd; | ||
| 55 | +#endif | ||
| 56 | } | ||
| 57 | |||
| 58 | ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out); | ||
| 59 | @@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { | ||
| 60 | cleanup: | ||
| 61 | m_free(cli_opts.proxycmd); | ||
| 62 | m_free(cmd_arg); | ||
| 63 | +#if DROPBEAR_CLI_MULTIHOP | ||
| 64 | if (cli_opts.proxyexec) { | ||
| 65 | char **a = NULL; | ||
| 66 | for (a = cli_opts.proxyexec; *a; a++) { | ||
| 67 | @@ -166,6 +175,7 @@ cleanup: | ||
| 68 | } | ||
| 69 | m_free(cli_opts.proxyexec); | ||
| 70 | } | ||
| 71 | +#endif | ||
| 72 | } | ||
| 73 | |||
| 74 | static void kill_proxy_sighandler(int UNUSED(signo)) { | ||
diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch index 9c1dd3f606..0687e5dab1 100644 --- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch +++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch | |||
| @@ -12,7 +12,7 @@ diff --git a/src/default_options.h b/src/default_options.h | |||
| 12 | index 6e970bb..ccc8b47 100644 | 12 | index 6e970bb..ccc8b47 100644 |
| 13 | --- a/src/default_options.h | 13 | --- a/src/default_options.h |
| 14 | +++ b/src/default_options.h | 14 | +++ b/src/default_options.h |
| 15 | @@ -311,7 +311,7 @@ group1 in Dropbear server too */ | 15 | @@ -317,7 +317,7 @@ group1 in Dropbear server too */ |
| 16 | 16 | ||
| 17 | /* The command to invoke for xauth when using X11 forwarding. | 17 | /* The command to invoke for xauth when using X11 forwarding. |
| 18 | * "-q" for quiet */ | 18 | * "-q" for quiet */ |
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch deleted file mode 100644 index a20781d31d..0000000000 --- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch +++ /dev/null | |||
| @@ -1,28 +0,0 @@ | |||
| 1 | From c8a0c8e87b772576f3a431c3b4cacaf5aa001dcc Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Joseph Reynolds <joseph.reynolds1@ibm.com> | ||
| 3 | Date: Thu, 20 Jun 2019 16:29:15 -0500 | ||
| 4 | Subject: [PATCH] dropbear: new feature: disable-weak-ciphers | ||
| 5 | |||
| 6 | This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers | ||
| 7 | in the dropbear ssh server and client since they're considered weak ciphers | ||
| 8 | and we want to support the stong algorithms. | ||
| 9 | |||
| 10 | Upstream-Status: Inappropriate [configuration] | ||
| 11 | Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com> | ||
| 12 | --- | ||
| 13 | src/default_options.h | 2 +- | ||
| 14 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 15 | |||
| 16 | diff --git a/src/default_options.h b/src/default_options.h | ||
| 17 | index 12768d1..2b07497 100644 | ||
| 18 | --- a/src/default_options.h | ||
| 19 | +++ b/src/default_options.h | ||
| 20 | @@ -197,7 +197,7 @@ IMPORTANT: Some options will require "make clean" after changes */ | ||
| 21 | * Small systems should generally include either curve25519 or ecdh for performance. | ||
| 22 | * curve25519 is less widely supported but is faster | ||
| 23 | */ | ||
| 24 | -#define DROPBEAR_DH_GROUP14_SHA1 1 | ||
| 25 | +#define DROPBEAR_DH_GROUP14_SHA1 0 | ||
| 26 | #define DROPBEAR_DH_GROUP14_SHA256 1 | ||
| 27 | #define DROPBEAR_DH_GROUP16 0 | ||
| 28 | #define DROPBEAR_CURVE25519 1 | ||
diff --git a/meta/recipes-core/dropbear/dropbear_2024.86.bb b/meta/recipes-core/dropbear/dropbear_2025.88.bb index 38faaebc2a..f203763b17 100644 --- a/meta/recipes-core/dropbear/dropbear_2024.86.bb +++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb | |||
| @@ -19,11 +19,11 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ | |||
| 19 | file://dropbear@.service \ | 19 | file://dropbear@.service \ |
| 20 | file://dropbear.socket \ | 20 | file://dropbear.socket \ |
| 21 | file://dropbear.default \ | 21 | file://dropbear.default \ |
| 22 | file://0001-Fix-proxycmd-without-netcat.patch \ | ||
| 22 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ | 23 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ |
| 23 | ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ | ||
| 24 | " | 24 | " |
| 25 | 25 | ||
| 26 | SRC_URI[sha256sum] = "e78936dffc395f2e0db099321d6be659190966b99712b55c530dd0a1822e0a5e" | 26 | SRC_URI[sha256sum] = "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4" |
| 27 | MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/" | 27 | MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/" |
| 28 | 28 | ||
| 29 | PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ | 29 | PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ |
| @@ -48,10 +48,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert" | |||
| 48 | BINCOMMANDS = "dbclient ssh scp" | 48 | BINCOMMANDS = "dbclient ssh scp" |
| 49 | EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' | 49 | EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' |
| 50 | 50 | ||
| 51 | PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" | 51 | PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" |
| 52 | PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}" | 52 | PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}" |
| 53 | PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt" | 53 | PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt" |
| 54 | PACKAGECONFIG[disable-weak-ciphers] = "" | ||
| 55 | PACKAGECONFIG[enable-x11-forwarding] = "" | 54 | PACKAGECONFIG[enable-x11-forwarding] = "" |
| 56 | 55 | ||
| 57 | # This option appends to CFLAGS and LDFLAGS from OE | 56 | # This option appends to CFLAGS and LDFLAGS from OE |
