dropbear: upgrade to 2022.83
Remove patches that were upstreamed or are not relevant anymore. Replace the xauth patch with the rebased version from upstream. Add the dropbear-disable-weak-ciphers.patch from upstream OE. Add "--disable-harden" just like in the upstream recipe, as OE's hardening flags cause the textrel QA warning otherwise. Related: https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/dropbear/ Related: SYS#6402 Change-Id: I431934b0558350931bb9571b0fa6efff8ba45387
This commit is contained in:
parent
6ec23241ba
commit
909ac967d7
|
@ -5,7 +5,7 @@ SECTION = "console/network"
|
|||
# some files are from other projects and have others license terms:
|
||||
# public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
|
||||
LICENSE = "MIT & BSD-3-Clause & BSD-2-Clause & PD"
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01"
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f"
|
||||
|
||||
DEPENDS = "zlib"
|
||||
RPROVIDES_${PN} = "ssh sshd"
|
||||
|
@ -14,10 +14,7 @@ DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
|
|||
|
||||
SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
|
||||
file://0001-urandom-xauth-changes-to-options.h.patch \
|
||||
file://0003-configure.patch \
|
||||
file://0004-fix-2kb-keys.patch \
|
||||
file://0007-dropbear-fix-for-x32-abi.patch \
|
||||
file://fix-libtomcrypt-libtommath-ordering.patch \
|
||||
file://dropbear-disable-weak-ciphers.patch \
|
||||
file://init \
|
||||
file://dropbearkey.service \
|
||||
file://dropbear@.service \
|
||||
|
@ -52,6 +49,10 @@ PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom
|
|||
EXTRA_OECONF += "\
|
||||
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
|
||||
|
||||
# This option appends to CFLAGS and LDFLAGS from OE
|
||||
# This is causing [textrel] QA warning
|
||||
EXTRA_OECONF += "--disable-harden"
|
||||
|
||||
do_install() {
|
||||
install -d ${D}${sysconfdir} \
|
||||
${D}${sysconfdir}/init.d \
|
||||
|
|
|
@ -2,22 +2,22 @@ Subject: [PATCH 1/6] urandom-xauth-changes-to-options.h
|
|||
|
||||
Upstream-Status: Inappropriate [configuration]
|
||||
---
|
||||
options.h | 2 +-
|
||||
default_options.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/options.h b/options.h
|
||||
index 7d06322..71a21c2 100644
|
||||
--- a/options.h
|
||||
+++ b/options.h
|
||||
@@ -247,7 +247,7 @@ much traffic. */
|
||||
diff --git a/default_options.h b/default_options.h
|
||||
index 349338c..5ffac25 100644
|
||||
--- a/default_options.h
|
||||
+++ b/default_options.h
|
||||
@@ -289,7 +289,7 @@ group1 in Dropbear server too */
|
||||
|
||||
/* The command to invoke for xauth when using X11 forwarding.
|
||||
* "-q" for quiet */
|
||||
#ifndef XAUTH_COMMAND
|
||||
-#define XAUTH_COMMAND "/usr/bin/xauth -q"
|
||||
+#define XAUTH_COMMAND "xauth -q"
|
||||
#endif
|
||||
|
||||
/* if you want to enable running an sftp server (such as the one included with
|
||||
|
||||
/* If you want to enable running an sftp server (such as the one included with
|
||||
--
|
||||
1.7.11.7
|
||||
2.25.1
|
||||
|
||||
|
|
|
@ -1,42 +0,0 @@
|
|||
From c5f5c5054c1b15539dccf866e2c3faba7ed68456 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Eric=20B=C3=A9nard?= <eric@eukrea.com>
|
||||
Date: Thu, 25 Apr 2013 00:27:25 +0200
|
||||
Subject: [PATCH 3/6] configure: add a variable to allow openpty check to be cached
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
---
|
||||
configure.ac | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 05461f3..9c16d90 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -166,15 +166,20 @@ AC_ARG_ENABLE(openpty,
|
||||
AC_MSG_NOTICE(Not using openpty)
|
||||
else
|
||||
AC_MSG_NOTICE(Using openpty if available)
|
||||
- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)])
|
||||
+ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes])
|
||||
fi
|
||||
],
|
||||
[
|
||||
AC_MSG_NOTICE(Using openpty if available)
|
||||
- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY)])
|
||||
+ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes])
|
||||
]
|
||||
)
|
||||
-
|
||||
+
|
||||
+if test "x$dropbear_cv_func_have_openpty" = "xyes"; then
|
||||
+ AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)
|
||||
+ no_ptc_check=yes
|
||||
+ no_ptmx_check=yes
|
||||
+fi
|
||||
|
||||
AC_ARG_ENABLE(syslog,
|
||||
[ --disable-syslog Don't include syslog support],
|
||||
--
|
||||
1.7.11.7
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
Subject: [PATCH 4/6] fix 2kb keys
|
||||
|
||||
Upstream-Status: Inappropriate [configuration]
|
||||
---
|
||||
kex.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kex.h b/kex.h
|
||||
index 72430e9..375c677 100644
|
||||
--- a/kex.h
|
||||
+++ b/kex.h
|
||||
@@ -67,6 +67,6 @@ struct KEXState {
|
||||
};
|
||||
|
||||
|
||||
-#define MAX_KEXHASHBUF 2000
|
||||
+#define MAX_KEXHASHBUF 3000
|
||||
|
||||
#endif /* _KEX_H_ */
|
||||
--
|
||||
1.7.11.7
|
||||
|
|
@ -1,140 +0,0 @@
|
|||
Upstream-Status: Pending
|
||||
|
||||
The dropbearkey utility built in x32 abi format, when generating ssh
|
||||
keys, was getting lost in the infinite loop.
|
||||
|
||||
This patch fixes the issue by fixing types of variables and
|
||||
parameters of functions used in the code, which were getting
|
||||
undesired size, when compiled with the x32 abi toolchain.
|
||||
|
||||
2013/05/23
|
||||
Received this fix from H J Lu.
|
||||
|
||||
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
|
||||
|
||||
# HG changeset patch
|
||||
# User H.J. Lu <hjl.tools@gmail.com>
|
||||
# Date 1369344079 25200
|
||||
# Node ID a10a1c46b857cc8a3923c3bb6d1504aa25b6052f
|
||||
# Parent e76614145aea67f66e4a4257685c771efba21aa1
|
||||
Typdef mp_digit to unsigned long long for MP_64BIT
|
||||
|
||||
When GCC is used with MP_64BIT, we should typedef mp_digit to unsigned
|
||||
long long instead of unsigned long since for x32, unsigned long is
|
||||
32-bit and unsigned long long is 64-bit and it is safe to use unsigned
|
||||
long long for 64-bit integer with GCC.
|
||||
|
||||
diff -r e76614145aea -r a10a1c46b857 libtommath/tommath.h
|
||||
--- a/libtommath/tommath.h Thu Apr 18 22:57:47 2013 +0800
|
||||
+++ b/libtommath/tommath.h Thu May 23 14:21:19 2013 -0700
|
||||
@@ -73,7 +73,7 @@
|
||||
typedef signed long long long64;
|
||||
#endif
|
||||
|
||||
- typedef unsigned long mp_digit;
|
||||
+ typedef unsigned long long mp_digit;
|
||||
typedef unsigned long mp_word __attribute__ ((mode(TI)));
|
||||
|
||||
#define DIGIT_BIT 60
|
||||
# HG changeset patch
|
||||
# User H.J. Lu <hjl.tools@gmail.com>
|
||||
# Date 1369344241 25200
|
||||
# Node ID c7555a4cb7ded3a88409ba85f4027baa7af5f536
|
||||
# Parent a10a1c46b857cc8a3923c3bb6d1504aa25b6052f
|
||||
Cast to mp_digit when updating *rho
|
||||
|
||||
There is
|
||||
|
||||
int
|
||||
mp_montgomery_setup (mp_int * n, mp_digit * rho)
|
||||
|
||||
We should cast to mp_digit instead of unsigned long when updating
|
||||
*rho since mp_digit may be unsigned long long and unsigned long long
|
||||
may be different from unsigned long, like in x32.
|
||||
|
||||
diff -r a10a1c46b857 -r c7555a4cb7de libtommath/bn_mp_montgomery_setup.c
|
||||
--- a/libtommath/bn_mp_montgomery_setup.c Thu May 23 14:21:19 2013 -0700
|
||||
+++ b/libtommath/bn_mp_montgomery_setup.c Thu May 23 14:24:01 2013 -0700
|
||||
@@ -48,7 +48,7 @@
|
||||
#endif
|
||||
|
||||
/* rho = -1/m mod b */
|
||||
- *rho = (unsigned long)(((mp_word)1 << ((mp_word) DIGIT_BIT)) - x) & MP_MASK;
|
||||
+ *rho = (mp_digit)(((mp_word)1 << ((mp_word) DIGIT_BIT)) - x) & MP_MASK;
|
||||
|
||||
return MP_OKAY;
|
||||
}
|
||||
# HG changeset patch
|
||||
# User H.J. Lu <hjl.tools@gmail.com>
|
||||
# Date 1369344541 25200
|
||||
# Node ID 7c656e7071a6412688b2f30a529a9afac6c7bf5a
|
||||
# Parent c7555a4cb7ded3a88409ba85f4027baa7af5f536
|
||||
Define LTC_FAST_TYPE to unsigned long long for __x86_64__
|
||||
|
||||
We should define LTC_FAST_TYPE to unsigned long long instead of unsigned
|
||||
long if __x86_64__ to support x32 where unsigned long long is 64-bit
|
||||
and unsigned long is 32-bit.
|
||||
|
||||
diff -r c7555a4cb7de -r 7c656e7071a6 libtomcrypt/src/headers/tomcrypt_cfg.h
|
||||
--- a/libtomcrypt/src/headers/tomcrypt_cfg.h Thu May 23 14:24:01 2013 -0700
|
||||
+++ b/libtomcrypt/src/headers/tomcrypt_cfg.h Thu May 23 14:29:01 2013 -0700
|
||||
@@ -74,7 +74,7 @@
|
||||
#define ENDIAN_LITTLE
|
||||
#define ENDIAN_64BITWORD
|
||||
#define LTC_FAST
|
||||
- #define LTC_FAST_TYPE unsigned long
|
||||
+ #define LTC_FAST_TYPE unsigned long long
|
||||
#endif
|
||||
|
||||
/* detect PPC32 */
|
||||
# HG changeset patch
|
||||
# User H.J. Lu <hjl.tools@gmail.com>
|
||||
# Date 1369344730 25200
|
||||
# Node ID a7d4690158fae4ede2c4e5b56233e83730bf38ee
|
||||
# Parent 7c656e7071a6412688b2f30a529a9afac6c7bf5a
|
||||
Use unsigned long long aas unsigned 64-bit integer for x86-64 GCC
|
||||
|
||||
We should use unsigned long long instead of unsigned long as unsigned
|
||||
64-bit integer for x86-64 GCC to support x32 where unsigned long is
|
||||
32-bit.
|
||||
|
||||
diff -r 7c656e7071a6 -r a7d4690158fa libtomcrypt/src/headers/tomcrypt_macros.h
|
||||
--- a/libtomcrypt/src/headers/tomcrypt_macros.h Thu May 23 14:29:01 2013 -0700
|
||||
+++ b/libtomcrypt/src/headers/tomcrypt_macros.h Thu May 23 14:32:10 2013 -0700
|
||||
@@ -343,7 +343,7 @@
|
||||
/* 64-bit Rotates */
|
||||
#if !defined(__STRICT_ANSI__) && defined(__GNUC__) && defined(__x86_64__) && !defined(LTC_NO_ASM)
|
||||
|
||||
-static inline unsigned long ROL64(unsigned long word, int i)
|
||||
+static inline unsigned long long ROL64(unsigned long long word, int i)
|
||||
{
|
||||
asm("rolq %%cl,%0"
|
||||
:"=r" (word)
|
||||
@@ -351,7 +351,7 @@
|
||||
return word;
|
||||
}
|
||||
|
||||
-static inline unsigned long ROR64(unsigned long word, int i)
|
||||
+static inline unsigned long long ROR64(unsigned long long word, int i)
|
||||
{
|
||||
asm("rorq %%cl,%0"
|
||||
:"=r" (word)
|
||||
@@ -361,7 +361,7 @@
|
||||
|
||||
#ifndef LTC_NO_ROLC
|
||||
|
||||
-static inline unsigned long ROL64c(unsigned long word, const int i)
|
||||
+static inline unsigned long long ROL64c(unsigned long long word, const int i)
|
||||
{
|
||||
asm("rolq %2,%0"
|
||||
:"=r" (word)
|
||||
@@ -369,7 +369,7 @@
|
||||
return word;
|
||||
}
|
||||
|
||||
-static inline unsigned long ROR64c(unsigned long word, const int i)
|
||||
+static inline unsigned long long ROR64c(unsigned long long word, const int i)
|
||||
{
|
||||
asm("rorq %2,%0"
|
||||
:"=r" (word)
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001
|
||||
From: Joseph Reynolds <joseph.reynolds1@ibm.com>
|
||||
Date: Thu, 20 Jun 2019 16:29:15 -0500
|
||||
Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
|
||||
|
||||
This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
|
||||
in the dropbear ssh server and client since they're considered weak ciphers
|
||||
and we want to support the stong algorithms.
|
||||
|
||||
Upstream-Status: Inappropriate [configuration]
|
||||
Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
|
||||
---
|
||||
default_options.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/default_options.h b/default_options.h
|
||||
index d417588..bc5200f 100644
|
||||
--- a/default_options.h
|
||||
+++ b/default_options.h
|
||||
@@ -180,7 +180,7 @@ IMPORTANT: Some options will require "make clean" after changes */
|
||||
* Small systems should generally include either curve25519 or ecdh for performance.
|
||||
* curve25519 is less widely supported but is faster
|
||||
*/
|
||||
-#define DROPBEAR_DH_GROUP14_SHA1 1
|
||||
+#define DROPBEAR_DH_GROUP14_SHA1 0
|
||||
#define DROPBEAR_DH_GROUP14_SHA256 1
|
||||
#define DROPBEAR_DH_GROUP16 0
|
||||
#define DROPBEAR_CURVE25519 1
|
||||
--
|
||||
2.25.1
|
||||
|
|
@ -1,48 +0,0 @@
|
|||
From 2fd8d2aedad0c50cdf1e43edd2387874b720ad4c Mon Sep 17 00:00:00 2001
|
||||
From: Andre McCurdy <armccurdy@gmail.com>
|
||||
Date: Fri, 16 Sep 2016 12:18:23 -0700
|
||||
Subject: [PATCH] fix libtomcrypt/libtommath ordering
|
||||
|
||||
To prevent build failures when using system libtom libraries and
|
||||
linking with --as-needed, LIBTOM_LIBS should be in the order
|
||||
-ltomcrypt -ltommath, not the other way around, ie libs should be
|
||||
prepended to LIBTOM_LIBS as they are found, not appended.
|
||||
|
||||
Note that LIBTOM_LIBS is not used when linking with the bundled
|
||||
libtom libs.
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
|
||||
---
|
||||
configure.ac | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index b6abe4c..85bb8bc 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -390,16 +390,16 @@ AC_ARG_ENABLE(bundled-libtom,
|
||||
AC_MSG_NOTICE(Forcing bundled libtom*)
|
||||
else
|
||||
BUNDLED_LIBTOM=0
|
||||
- AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="$LIBTOM_LIBS -ltommath",
|
||||
+ AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="-ltommath $LIBTOM_LIBS",
|
||||
[AC_MSG_ERROR([Missing system libtommath and --disable-bundled-libtom was specified])] )
|
||||
- AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt",
|
||||
+ AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="-ltomcrypt $LIBTOM_LIBS",
|
||||
[AC_MSG_ERROR([Missing system libtomcrypt and --disable-bundled-libtom was specified])] )
|
||||
fi
|
||||
],
|
||||
[
|
||||
BUNDLED_LIBTOM=0
|
||||
- AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="$LIBTOM_LIBS -ltommath", BUNDLED_LIBTOM=1)
|
||||
- AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt", BUNDLED_LIBTOM=1)
|
||||
+ AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="-ltommath $LIBTOM_LIBS", BUNDLED_LIBTOM=1)
|
||||
+ AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="-ltomcrypt $LIBTOM_LIBS", BUNDLED_LIBTOM=1)
|
||||
]
|
||||
)
|
||||
|
||||
--
|
||||
1.9.1
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
From: =?UTF-8?q?Henrik=20Nordstr=C3=B6m?= <henrik@knc.nu>
|
||||
Date: Wed, 11 May 2016 12:35:06 +0200
|
||||
Subject: [PATCH] Support out-of-tree builds usign bundled libtom
|
||||
|
||||
When building out-of-tree we need both source and generated
|
||||
folders in include paths to find both distributed and generated
|
||||
headers.
|
||||
|
||||
|
||||
|
||||
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
|
||||
Upstream-Status: Backport
|
||||
---
|
||||
libtomcrypt/Makefile.in | 2 +-
|
||||
libtommath/Makefile.in | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libtomcrypt/Makefile.in b/libtomcrypt/Makefile.in
|
||||
index 3056ef0..7970700 100644
|
||||
--- a/libtomcrypt/Makefile.in
|
||||
+++ b/libtomcrypt/Makefile.in
|
||||
@@ -19,7 +19,7 @@ srcdir=@srcdir@
|
||||
|
||||
# Compilation flags. Note the += does not write over the user's CFLAGS!
|
||||
# The rest of the flags come from the parent Dropbear makefile
|
||||
-CFLAGS += -c -I$(srcdir)/src/headers/ -I$(srcdir)/../ -DLTC_SOURCE -I$(srcdir)/../libtommath/
|
||||
+CFLAGS += -c -Isrc/headers/ -I$(srcdir)/src/headers/ -I../ -I$(srcdir)/../ -DLTC_SOURCE -I../libtommath/ -I$(srcdir)/../libtommath/
|
||||
|
||||
# additional warnings (newer GCC 3.4 and higher)
|
||||
ifdef GCC_34
|
||||
diff --git a/libtommath/Makefile.in b/libtommath/Makefile.in
|
||||
index 06aba68..019c50b 100644
|
||||
--- a/libtommath/Makefile.in
|
||||
+++ b/libtommath/Makefile.in
|
||||
@@ -9,7 +9,7 @@ VPATH=@srcdir@
|
||||
srcdir=@srcdir@
|
||||
|
||||
# So that libtommath can include Dropbear headers for options and m_burn()
|
||||
-CFLAGS += -I$(srcdir)/../libtomcrypt/src/headers/ -I$(srcdir)/../
|
||||
+CFLAGS += -I. -I$(srcdir) -I../libtomcrypt/src/headers/ -I$(srcdir)/../libtomcrypt/src/headers/ -I../ -I$(srcdir)/../
|
||||
|
||||
ifndef IGNORE_SPEED
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
require dropbear.inc
|
||||
|
||||
SRC_URI += "file://support-out-of-tree-builds.patch"
|
||||
|
||||
SRC_URI[md5sum] = "9ad0172731e0f16623937804643b5bd8"
|
||||
SRC_URI[sha256sum] = "2720ea54ed009af812701bcc290a2a601d5c107d12993e5d92c0f5f81f718891"
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
require dropbear.inc
|
||||
|
||||
SRC_URI[md5sum] = "a75a34bcc03cacf71a2db9da3b7c94a5"
|
||||
SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b"
|
||||
|
Loading…
Reference in New Issue