Dropbear: upgrade options for latest upgrade
Yocto 2.6 upgrades our version of dropbear. Prepare for the upgrade.
1. Implement the new options system so we can upgrade without losing our
options.
Options available are described here:
https://github.com/mkj/dropbear/blob/master/default_options.h
Note, DROPBEAR_TWOFISH256, and DROPBEAR_TWOFISH128 options are dropped,
as they are not enabled in the default config.
2. Drop the -c option patch, as this has been included in dropbear for some
time, and now conflicts with itself in merging.
https://github.com/mkj/dropbear/commit/ac9a4c839f6cbde3ca8226d79eca36a497620594
3. Drop the default host keys patch, as it is now in master, although it
doesn't conflict
https://github.com/mkj/dropbear/commit/4c95d595c00818f61905a9d607e3fd675ba85458
Change-Id: Ie691d2b56ddd8e8ddb08384e0f1c9d70e4798e30
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
diff --git a/recipes-core/dropbear/dropbear/0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch b/recipes-core/dropbear/dropbear/0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch
deleted file mode 100644
index e32baec..0000000
--- a/recipes-core/dropbear/dropbear/0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 95eff1ca0beea55259c2cdc7f1bb9f930bf57bc8 Mon Sep 17 00:00:00 2001
-From: CamVan Nguyen <ctnguyen@us.ibm.com>
-Date: Tue, 13 Feb 2018 15:37:47 -0600
-Subject: [PATCH 1/1] Only load dropbear default host keys if a key is not
- specified
-
----
- svr-runopts.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/svr-runopts.c b/svr-runopts.c
-index 8f60059..c5c2148 100644
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -488,17 +488,21 @@ void load_all_hostkeys() {
- m_free(hostkey_file);
- }
-
-+ /* Only load default host keys if a host key is not specified by the
-+ * user */
-+ if (0 == svr_opts.num_hostkey_files) {
- #ifdef DROPBEAR_RSA
-- loadhostkey(RSA_PRIV_FILENAME, 0);
-+ loadhostkey(RSA_PRIV_FILENAME, 0);
- #endif
-
- #ifdef DROPBEAR_DSS
-- loadhostkey(DSS_PRIV_FILENAME, 0);
-+ loadhostkey(DSS_PRIV_FILENAME, 0);
- #endif
-
- #ifdef DROPBEAR_ECDSA
-- loadhostkey(ECDSA_PRIV_FILENAME, 0);
-+ loadhostkey(ECDSA_PRIV_FILENAME, 0);
- #endif
-+ }
-
- #ifdef DROPBEAR_DELAY_HOSTKEY
- if (svr_opts.delay_hostkey) {
---
-1.8.2.2
-
diff --git a/recipes-core/dropbear/dropbear/0001-dropbear-Add-c-command-option-to-force-a-specific-co.patch b/recipes-core/dropbear/dropbear/0001-dropbear-Add-c-command-option-to-force-a-specific-co.patch
deleted file mode 100644
index 88d0ac0..0000000
--- a/recipes-core/dropbear/dropbear/0001-dropbear-Add-c-command-option-to-force-a-specific-co.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From b4e094381ec846f4387dc6a3c210c2205a8db58a Mon Sep 17 00:00:00 2001
-From: Jeremy Kerr <jk@ozlabs.org>
-Date: Tue, 12 Apr 2016 11:11:40 +0800
-Subject: [PATCH] dropbear: Add -c <command> option to force a specific command
-
-This change adds a -c option to dropbear, to force the session to use a
-specific command, in a similar fashion to OpenSSH's ForceCommand
-configuration option.
-
-This is useful to provide a simple fixed service over ssh, without
-requiring an authorized key file for the per-key forced_command option.
-
-This setting takes precedence over the channel session's provided
-command, and the per-key forced_command setting.
-
-Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
----
- runopts.h | 2 ++
- svr-chansession.c | 12 ++++++++++--
- svr-runopts.c | 5 +++++
- 3 files changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/runopts.h b/runopts.h
-index f7c869d..ffb573e 100644
---- a/runopts.h
-+++ b/runopts.h
-@@ -114,6 +114,8 @@ typedef struct svr_runopts {
- buffer * banner;
- char * pidfile;
-
-+ char * command;
-+
- } svr_runopts;
-
- extern svr_runopts svr_opts;
-diff --git a/svr-chansession.c b/svr-chansession.c
-index bfaf7f6..d6c9330 100644
---- a/svr-chansession.c
-+++ b/svr-chansession.c
-@@ -671,8 +671,16 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess,
- }
- }
-
-- /* take public key option 'command' into account */
-- svr_pubkey_set_forced_command(chansess);
-+
-+ /* take global command into account */
-+ if (svr_opts.command) {
-+ chansess->original_command = chansess->cmd ? : m_strdup("");
-+ chansess->cmd = m_strdup(svr_opts.command);
-+ } else {
-+ /* take public key option 'command' into account */
-+ svr_pubkey_set_forced_command(chansess);
-+ }
-+
-
- #ifdef LOG_COMMANDS
- if (chansess->cmd) {
-diff --git a/svr-runopts.c b/svr-runopts.c
-index 8f60059..f845300 100644
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -79,6 +79,7 @@ static void printhelp(const char * progname) {
- #ifdef ENABLE_SVR_REMOTETCPFWD
- "-k Disable remote port forwarding\n"
- "-a Allow connections to forwarded ports from any host\n"
-+ "-c command Force executed command\n"
- #endif
- "-p [address:]port\n"
- " Listen on specified tcp port (and optionally address),\n"
-@@ -125,6 +126,7 @@ void svr_getopts(int argc, char ** argv) {
- /* see printhelp() for options */
- svr_opts.bannerfile = NULL;
- svr_opts.banner = NULL;
-+ svr_opts.command = NULL;
- svr_opts.forkbg = 1;
- svr_opts.norootlogin = 0;
- svr_opts.noauthpass = 0;
-@@ -177,6 +179,9 @@ void svr_getopts(int argc, char ** argv) {
- case 'b':
- next = &svr_opts.bannerfile;
- break;
-+ case 'c':
-+ next = &svr_opts.command;
-+ break;
- case 'd':
- case 'r':
- next = &keyfile;
---
-2.5.0
-
diff --git a/recipes-core/dropbear/dropbear/localoptions.h b/recipes-core/dropbear/dropbear/localoptions.h
new file mode 100644
index 0000000..8aec3b3
--- /dev/null
+++ b/recipes-core/dropbear/dropbear/localoptions.h
@@ -0,0 +1,6 @@
+// Disable CBC ciphers for modern security.
+#define DROPBEAR_ENABLE_CBC_MODE 0
+
+#define DROPBEAR_SHA1_96_HMAC 0
+#define DROPBEAR_SHA2_256_HMAC 1
+#define DROPBEAR_SHA2_512_HMAC 1
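Review bot: The new header turns off the truncated hmac-sha1-96 MAC but leaves DROPBEAR_SHA1_HMAC untouched, and in upstream default_options.h for this release that option appears to default to enabled, so plain hmac-sha1 will still be offered by the server; if "modern security" is the intent, add `#define DROPBEAR_SHA1_HMAC 0` beside the SHA1_96 line, or a comment recording that SHA-1 HMAC is kept deliberately for client compatibility. Disabling CBC only leaves a usable cipher set because the upstream CTR defaults (DROPBEAR_AES128_CTR / DROPBEAR_AES256_CTR) are on, so pinning those to 1 here would make the file self-describing rather than dependent on defaults a future upgrade may change. A one-line file header such as `/* Overrides for dropbear's default_options.h; any option not set here follows the upstream default. */` would tell the next maintainer how this file is consumed.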
diff --git a/recipes-core/dropbear/dropbear_%.bbappend b/recipes-core/dropbear/dropbear_%.bbappend
index 8071497..cab454a 100644
--- a/recipes-core/dropbear/dropbear_%.bbappend
+++ b/recipes-core/dropbear/dropbear_%.bbappend
@@ -3,5 +3,4 @@
# to yocto 2.5 or later which will pull in the latest dropbear code.
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://dropbearkey.service \
- file://0001-dropbear-Add-c-command-option-to-force-a-specific-co.patch \
- file://0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch"
+ file://localoptions.h"
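Review bot: Listing localoptions.h in SRC_URI only fetches it into ${WORKDIR}; dropbear's build reads localoptions.h from the source tree, so unless the base recipe (not visible here) already copies it into ${S} before configure, none of the settings in that header will take effect and the CBC/HMAC changes are silently a no-op. If the base recipe does not do this, a `do_configure_prepend() { cp ${WORKDIR}/localoptions.h ${S}/; }` in this bbappend closes the gap. Either way it is worth verifying on a built image that no -cbc cipher or hmac-sha1-96 appears in the server's KEXINIT (e.g. via `nmap --script ssh2-enum-algos` or `ssh -vv`), rather than trusting the header was picked up. The context comment above still refers to "yocto 2.5 or later" while the commit message targets 2.6; consider updating it so the file's own rationale stays accurate.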
diff --git a/recipes-core/dropbear/dropbear_2017.75.bbappend b/recipes-core/dropbear/dropbear_2017.75.bbappend
deleted file mode 100644
index 0bcdf6f..0000000
--- a/recipes-core/dropbear/dropbear_2017.75.bbappend
+++ /dev/null
@@ -1,4 +0,0 @@
-# TODO: Dropbear 2018.76 controls options in a different way. See
-# https://github.com/openbmc/openbmc/issues/3186
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-SRC_URI += "file://options.patch"