dropbear: upgrade to 2022.83

Remove patches that were upstreamed or are not relevant anymore. Replace the xauth patch with the rebased version from upstream. Add the dropbear-disable-weak-ciphers.patch from upstream OE. Add "--disable-harden" just like in the upstream recipe, as OE's hardening flags cause the textrel QA warning otherwise. Related: https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/dropbear/ Related: SYS#6402 Change-Id: I431934b0558350931bb9571b0fa6efff8ba45387
2023-04-27 11:36:55 +02:00 · 2023-04-27 11:36:55 +02:00 · 909ac967d7
parent 6ec23241ba
commit 909ac967d7
10 changed files with 52 additions and 317 deletions
--- a/recipes-core/dropbear/dropbear.inc
+++ b/recipes-core/dropbear/dropbear.inc
@ -5,7 +5,7 @@ SECTION = "console/network"
 # some files are from other projects and have others license terms:
 #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
 LICENSE = "MIT & BSD-3-Clause & BSD-2-Clause & PD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f"

 DEPENDS = "zlib"
 RPROVIDES_${PN} = "ssh sshd"
@ -14,10 +14,7 @@ DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"

 SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
           file://0001-urandom-xauth-changes-to-options.h.patch \
-           file://0003-configure.patch \
-           file://0004-fix-2kb-keys.patch \
-           file://0007-dropbear-fix-for-x32-abi.patch \
-           file://fix-libtomcrypt-libtommath-ordering.patch \
+           file://dropbear-disable-weak-ciphers.patch \
           file://init \
           file://dropbearkey.service \
           file://dropbear@.service \
@ -52,6 +49,10 @@ PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom
 EXTRA_OECONF += "\
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"

+# This option appends to CFLAGS and LDFLAGS from OE
+# This is causing [textrel] QA warning
+EXTRA_OECONF += "--disable-harden"
+
 do_install() {
 	install -d ${D}${sysconfdir} \
 		${D}${sysconfdir}/init.d \
--- a/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
+++ b/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
@ -2,22 +2,22 @@ Subject: [PATCH 1/6] urandom-xauth-changes-to-options.h

 Upstream-Status: Inappropriate [configuration]
 ---
- options.h | 2 +-
+ default_options.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-diff --git a/options.h b/options.h
-index 7d06322..71a21c2 100644
--- a/options.h
-+++ b/options.h
-@@ -247,7 +247,7 @@ much traffic. */
+diff --git a/default_options.h b/default_options.h
+index 349338c..5ffac25 100644
+--- a/default_options.h
+++ b/default_options.h
+@@ -289,7 +289,7 @@ group1 in Dropbear server too */
+ 
 /* The command to invoke for xauth when using X11 forwarding.
  * "-q" for quiet */
- #ifndef XAUTH_COMMAND
 -#define XAUTH_COMMAND "/usr/bin/xauth -q"
 +#define XAUTH_COMMAND "xauth -q"
- #endif
 
- /* if you want to enable running an sftp server (such as the one included with
+ 
+ /* If you want to enable running an sftp server (such as the one included with
 -- 
-1.7.11.7
+2.25.1

--- a/recipes-core/dropbear/dropbear/0003-configure.patch
+++ b/recipes-core/dropbear/dropbear/0003-configure.patch
@ -1,42 +0,0 @@
-From c5f5c5054c1b15539dccf866e2c3faba7ed68456 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Eric=20B=C3=A9nard?= <eric@eukrea.com>
-Date: Thu, 25 Apr 2013 00:27:25 +0200
-Subject: [PATCH 3/6] configure: add a variable to allow openpty check to be cached
-
-Upstream-Status: Pending
-
---
- configure.ac | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 05461f3..9c16d90 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -166,15 +166,20 @@ AC_ARG_ENABLE(openpty,
- 			AC_MSG_NOTICE(Not using openpty)
- 		else
- 			AC_MSG_NOTICE(Using openpty if available)
-			AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)])
-+			AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes])
- 		fi
- 	],
- 	[
- 		AC_MSG_NOTICE(Using openpty if available)
-		AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY)])
-+		AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes])
- 	]
- )
-		
-+
-+if test "x$dropbear_cv_func_have_openpty" = "xyes"; then
-+	AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)
-+	no_ptc_check=yes
-+	no_ptmx_check=yes
-+fi
- 
- AC_ARG_ENABLE(syslog,
- 	[  --disable-syslog        Don't include syslog support],
-- 
-1.7.11.7
-
--- a/recipes-core/dropbear/dropbear/0004-fix-2kb-keys.patch
+++ b/recipes-core/dropbear/dropbear/0004-fix-2kb-keys.patch
@ -1,22 +0,0 @@
-Subject: [PATCH 4/6] fix 2kb keys
-
-Upstream-Status: Inappropriate [configuration]
---
- kex.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kex.h b/kex.h
-index 72430e9..375c677 100644
--- a/kex.h
-+++ b/kex.h
-@@ -67,6 +67,6 @@ struct KEXState {
- };
- 
- 
-#define MAX_KEXHASHBUF 2000
-+#define MAX_KEXHASHBUF 3000
- 
- #endif /* _KEX_H_ */
-- 
-1.7.11.7
-
--- a/recipes-core/dropbear/dropbear/0007-dropbear-fix-for-x32-abi.patch
+++ b/recipes-core/dropbear/dropbear/0007-dropbear-fix-for-x32-abi.patch
@ -1,140 +0,0 @@
-Upstream-Status: Pending
-
-The dropbearkey utility built in x32 abi format, when generating ssh
-keys, was getting lost in the infinite loop.
-
-This patch fixes the issue by fixing types of variables and
-parameters of functions used in the code, which were getting
-undesired size, when compiled with the x32 abi toolchain.
-
-2013/05/23
-Received this fix from H J Lu.
-
-Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
-
-# HG changeset patch
-# User H.J. Lu <hjl.tools@gmail.com>
-# Date 1369344079 25200
-# Node ID a10a1c46b857cc8a3923c3bb6d1504aa25b6052f
-# Parent  e76614145aea67f66e4a4257685c771efba21aa1
-Typdef mp_digit to unsigned long long for MP_64BIT
-
-When GCC is used with MP_64BIT, we should typedef mp_digit to unsigned
-long long instead of unsigned long since for x32, unsigned long is
-32-bit and unsigned long long is 64-bit and it is safe to use unsigned
-long long for 64-bit integer with GCC.
-
-diff -r e76614145aea -r a10a1c46b857 libtommath/tommath.h
--- a/libtommath/tommath.h	Thu Apr 18 22:57:47 2013 +0800
-+++ b/libtommath/tommath.h	Thu May 23 14:21:19 2013 -0700
-@@ -73,7 +73,7 @@
-    typedef signed long long   long64;
- #endif
-
-   typedef unsigned long      mp_digit;
-+   typedef unsigned long long mp_digit;
-    typedef unsigned long      mp_word __attribute__ ((mode(TI)));
-
-    #define DIGIT_BIT          60
-# HG changeset patch
-# User H.J. Lu <hjl.tools@gmail.com>
-# Date 1369344241 25200
-# Node ID c7555a4cb7ded3a88409ba85f4027baa7af5f536
-# Parent  a10a1c46b857cc8a3923c3bb6d1504aa25b6052f
-Cast to mp_digit when updating *rho
-
-There is
-
-int
-mp_montgomery_setup (mp_int * n, mp_digit * rho)
-
-We should cast to mp_digit instead of unsigned long when updating
-*rho since mp_digit may be unsigned long long and unsigned long long
-may be different from unsigned long, like in x32.
-
-diff -r a10a1c46b857 -r c7555a4cb7de libtommath/bn_mp_montgomery_setup.c
--- a/libtommath/bn_mp_montgomery_setup.c	Thu May 23 14:21:19 2013 -0700
-+++ b/libtommath/bn_mp_montgomery_setup.c	Thu May 23 14:24:01 2013 -0700
-@@ -48,7 +48,7 @@
- #endif
-
-   /* rho = -1/m mod b */
-  *rho = (unsigned long)(((mp_word)1 << ((mp_word) DIGIT_BIT)) - x) & MP_MASK;
-+  *rho = (mp_digit)(((mp_word)1 << ((mp_word) DIGIT_BIT)) - x) & MP_MASK;
-
-   return MP_OKAY;
- }
-# HG changeset patch
-# User H.J. Lu <hjl.tools@gmail.com>
-# Date 1369344541 25200
-# Node ID 7c656e7071a6412688b2f30a529a9afac6c7bf5a
-# Parent  c7555a4cb7ded3a88409ba85f4027baa7af5f536
-Define LTC_FAST_TYPE to unsigned long long for __x86_64__
-
-We should define LTC_FAST_TYPE to unsigned long long instead of unsigned
-long if __x86_64__ to support x32 where unsigned long long is 64-bit
-and unsigned long is 32-bit.
-
-diff -r c7555a4cb7de -r 7c656e7071a6 libtomcrypt/src/headers/tomcrypt_cfg.h
--- a/libtomcrypt/src/headers/tomcrypt_cfg.h	Thu May 23 14:24:01 2013 -0700
-+++ b/libtomcrypt/src/headers/tomcrypt_cfg.h	Thu May 23 14:29:01 2013 -0700
-@@ -74,7 +74,7 @@
-    #define ENDIAN_LITTLE
-    #define ENDIAN_64BITWORD
-    #define LTC_FAST
-   #define LTC_FAST_TYPE    unsigned long
-+   #define LTC_FAST_TYPE    unsigned long long
- #endif
-
- /* detect PPC32 */
-# HG changeset patch
-# User H.J. Lu <hjl.tools@gmail.com>
-# Date 1369344730 25200
-# Node ID a7d4690158fae4ede2c4e5b56233e83730bf38ee
-# Parent  7c656e7071a6412688b2f30a529a9afac6c7bf5a
-Use unsigned long long aas unsigned 64-bit integer for x86-64 GCC
-
-We should use unsigned long long instead of unsigned long as unsigned
-64-bit integer for x86-64 GCC to support x32 where unsigned long is
-32-bit.
-
-diff -r 7c656e7071a6 -r a7d4690158fa libtomcrypt/src/headers/tomcrypt_macros.h
--- a/libtomcrypt/src/headers/tomcrypt_macros.h	Thu May 23 14:29:01 2013 -0700
-+++ b/libtomcrypt/src/headers/tomcrypt_macros.h	Thu May 23 14:32:10 2013 -0700
-@@ -343,7 +343,7 @@
- /* 64-bit Rotates */
- #if !defined(__STRICT_ANSI__) && defined(__GNUC__) && defined(__x86_64__) && !defined(LTC_NO_ASM)
-
-static inline unsigned long ROL64(unsigned long word, int i)
-+static inline unsigned long long ROL64(unsigned long long word, int i)
- {
-    asm("rolq %%cl,%0"
-       :"=r" (word)
-@@ -351,7 +351,7 @@
-    return word;
- }
-
-static inline unsigned long ROR64(unsigned long word, int i)
-+static inline unsigned long long ROR64(unsigned long long word, int i)
- {
-    asm("rorq %%cl,%0"
-       :"=r" (word)
-@@ -361,7 +361,7 @@
-
- #ifndef LTC_NO_ROLC
-
-static inline unsigned long ROL64c(unsigned long word, const int i)
-+static inline unsigned long long ROL64c(unsigned long long word, const int i)
- {
-    asm("rolq %2,%0"
-       :"=r" (word)
-@@ -369,7 +369,7 @@
-    return word;
- }
-
-static inline unsigned long ROR64c(unsigned long word, const int i)
-+static inline unsigned long long ROR64c(unsigned long long word, const int i)
- {
-    asm("rorq %2,%0"
-       :"=r" (word)
-
--- a/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
+++ b/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@ -0,0 +1,31 @@
+From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001
+From: Joseph Reynolds <joseph.reynolds1@ibm.com>
+Date: Thu, 20 Jun 2019 16:29:15 -0500
+Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
+
+This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
+in the dropbear ssh server and client since they're considered weak ciphers
+and we want to support the stong algorithms.
+
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
+---
+ default_options.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/default_options.h b/default_options.h
+index d417588..bc5200f 100644
+--- a/default_options.h
+++ b/default_options.h
+@@ -180,7 +180,7 @@ IMPORTANT: Some options will require "make clean" after changes */
+  * Small systems should generally include either curve25519 or ecdh for performance.
+  * curve25519 is less widely supported but is faster
+  */
+-#define DROPBEAR_DH_GROUP14_SHA1 1
+#define DROPBEAR_DH_GROUP14_SHA1 0
+ #define DROPBEAR_DH_GROUP14_SHA256 1
+ #define DROPBEAR_DH_GROUP16 0
+ #define DROPBEAR_CURVE25519 1
+-- 
+2.25.1
+
--- a/recipes-core/dropbear/dropbear/fix-libtomcrypt-libtommath-ordering.patch
+++ b/recipes-core/dropbear/dropbear/fix-libtomcrypt-libtommath-ordering.patch
@ -1,48 +0,0 @@
-From 2fd8d2aedad0c50cdf1e43edd2387874b720ad4c Mon Sep 17 00:00:00 2001
-From: Andre McCurdy <armccurdy@gmail.com>
-Date: Fri, 16 Sep 2016 12:18:23 -0700
-Subject: [PATCH] fix libtomcrypt/libtommath ordering
-
-To prevent build failures when using system libtom libraries and
-linking with --as-needed, LIBTOM_LIBS should be in the order
-ltomcrypt -ltommath, not the other way around, ie libs should be
-prepended to LIBTOM_LIBS as they are found, not appended.
-
-Note that LIBTOM_LIBS is not used when linking with the bundled
-libtom libs.
-
-Upstream-Status: Pending
-
-Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
---
- configure.ac | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index b6abe4c..85bb8bc 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -390,16 +390,16 @@ AC_ARG_ENABLE(bundled-libtom,
- 			AC_MSG_NOTICE(Forcing bundled libtom*)
- 		else
- 			BUNDLED_LIBTOM=0
-			AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="$LIBTOM_LIBS -ltommath", 
-+			AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="-ltommath $LIBTOM_LIBS",
- 				[AC_MSG_ERROR([Missing system libtommath and --disable-bundled-libtom was specified])] )
-			AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt", 
-+			AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="-ltomcrypt $LIBTOM_LIBS",
- 				[AC_MSG_ERROR([Missing system libtomcrypt and --disable-bundled-libtom was specified])] )
- 		fi
- 	],
- 	[
- 		BUNDLED_LIBTOM=0
-		AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="$LIBTOM_LIBS -ltommath", BUNDLED_LIBTOM=1)
-		AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt", BUNDLED_LIBTOM=1)
-+		AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="-ltommath $LIBTOM_LIBS", BUNDLED_LIBTOM=1)
-+		AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="-ltomcrypt $LIBTOM_LIBS", BUNDLED_LIBTOM=1)
- 	]
- )
- 
-- 
-1.9.1
-
--- a/recipes-core/dropbear/dropbear/support-out-of-tree-builds.patch
+++ b/recipes-core/dropbear/dropbear/support-out-of-tree-builds.patch
@ -1,43 +0,0 @@
-From: =?UTF-8?q?Henrik=20Nordstr=C3=B6m?= <henrik@knc.nu>
-Date: Wed, 11 May 2016 12:35:06 +0200
-Subject: [PATCH] Support out-of-tree builds usign bundled libtom
-
-When building out-of-tree we need both source and generated
-folders in include paths to find both distributed and generated
-headers.
-
-
-
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
-Upstream-Status: Backport
---
- libtomcrypt/Makefile.in | 2 +-
- libtommath/Makefile.in  | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libtomcrypt/Makefile.in b/libtomcrypt/Makefile.in
-index 3056ef0..7970700 100644
--- a/libtomcrypt/Makefile.in
-+++ b/libtomcrypt/Makefile.in
-@@ -19,7 +19,7 @@ srcdir=@srcdir@
- 
- # Compilation flags. Note the += does not write over the user's CFLAGS!
- # The rest of the flags come from the parent Dropbear makefile
-CFLAGS += -c -I$(srcdir)/src/headers/ -I$(srcdir)/../ -DLTC_SOURCE -I$(srcdir)/../libtommath/
-+CFLAGS += -c -Isrc/headers/ -I$(srcdir)/src/headers/ -I../ -I$(srcdir)/../ -DLTC_SOURCE -I../libtommath/ -I$(srcdir)/../libtommath/
- 
- # additional warnings (newer GCC 3.4 and higher)
- ifdef GCC_34
-diff --git a/libtommath/Makefile.in b/libtommath/Makefile.in
-index 06aba68..019c50b 100644
--- a/libtommath/Makefile.in
-+++ b/libtommath/Makefile.in
-@@ -9,7 +9,7 @@ VPATH=@srcdir@
- srcdir=@srcdir@
- 
- # So that libtommath can include Dropbear headers for options and m_burn()
-CFLAGS += -I$(srcdir)/../libtomcrypt/src/headers/ -I$(srcdir)/../
-+CFLAGS += -I. -I$(srcdir) -I../libtomcrypt/src/headers/ -I$(srcdir)/../libtomcrypt/src/headers/ -I../ -I$(srcdir)/../
- 
- ifndef IGNORE_SPEED
- 
--- a/recipes-core/dropbear/dropbear_2016.74.bb
+++ b/recipes-core/dropbear/dropbear_2016.74.bb
@ -1,7 +0,0 @@
-require dropbear.inc
-
-SRC_URI += "file://support-out-of-tree-builds.patch"
-
-SRC_URI[md5sum] = "9ad0172731e0f16623937804643b5bd8"
-SRC_URI[sha256sum] = "2720ea54ed009af812701bcc290a2a601d5c107d12993e5d92c0f5f81f718891"
-
--- a/recipes-core/dropbear/dropbear_2022.83.bb
+++ b/recipes-core/dropbear/dropbear_2022.83.bb
@ -0,0 +1,5 @@
+require dropbear.inc
+
+SRC_URI[md5sum] = "a75a34bcc03cacf71a2db9da3b7c94a5"
+SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b"
+