Yocto 2.3

Move OpenBMC to Yocto 2.3 (pyro).

Tested: Built and verified Witherspoon and Palmetto images
Change-Id: I50744030e771f4850afc2a93a10d3507e76d36bc
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Resolves: openbmc/openbmc#2461
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/avahi/avahi.inc b/import-layers/yocto-poky/meta/recipes-connectivity/avahi/avahi.inc
index 234646d..faa8741 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/avahi/avahi.inc
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/avahi/avahi.inc
@@ -54,7 +54,7 @@
              --disable-qt4 \
              --disable-python \
              --disable-doxygen-doc \
-             --disable-manpages \
+             --enable-manpages \
              ${EXTRA_OECONF_SYSVINIT} \
              ${EXTRA_OECONF_SYSTEMD} \
            "
@@ -153,13 +153,3 @@
 	killall -q -HUP dbus-daemon || true
 fi
 }
-
-pkg_postrm_avahi-daemon () {
-	deluser avahi || true
-	delgroup avahi || true
-}
-
-pkg_postrm_avahi-autoipd () {
-	deluser avahi-autoipd || true
-	delgroup avahi-autoipd || true
-}
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
index 8160625..a802274 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -85,7 +85,7 @@
 	install -d "${D}${sysconfdir}/init.d"
 	install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/"
 	install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind"
-	sed -i -e '1s,#!.*python,#! /usr/bin/python3,' ${D}${sbindir}/dnssec-coverage ${D}${sbindir}/dnssec-checkds
+	sed -i -e '1s,#!.*python3,#! /usr/bin/python3,' ${D}${sbindir}/dnssec-coverage ${D}${sbindir}/dnssec-checkds
 
 	# Install systemd related files
 	install -d ${D}${sbindir}
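Review bot: The narrowed pattern on the `sed` line only rewrites a first line that already names python3, and sed exits successfully when nothing matches, so a shebang that does not name python3 would be installed unchanged without any build error. Whether the bind build always emits a python3 shebang for dnssec-coverage and dnssec-checkds is not visible in this hunk. A check after the substitution would make the assumption explicit, for example a loop over the two files that runs `head -n 1 "$f" | grep -q '^#! /usr/bin/python3' || bbfatal "unexpected interpreter in $f"`. The enclosing install function starts and ends outside the hunk.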
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5.inc b/import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5.inc
index ecefb7b..882873a 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -6,15 +6,16 @@
 LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
                     file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \
                     file://src/main.c;beginline=1;endline=24;md5=9bc54b93cd7e17bf03f52513f39f926e"
-DEPENDS = "udev libusb dbus-glib glib-2.0 libcheck readline"
+DEPENDS = "udev libusb dbus-glib glib-2.0 libcheck"
 PROVIDES += "bluez-hcidump"
 RPROVIDES_${PN} += "bluez-hcidump"
 
 RCONFLICTS_${PN} = "bluez4"
 
-PACKAGECONFIG ??= "obex-profiles"
+PACKAGECONFIG ??= "obex-profiles readline"
 PACKAGECONFIG[obex-profiles] = "--enable-obex,--disable-obex,libical"
 PACKAGECONFIG[experimental] = "--enable-experimental,--disable-experimental,"
+PACKAGECONFIG[readline] = "--enable-client,--disable-client,readline,"
 
 SRC_URI = "\
     ${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
@@ -23,9 +24,12 @@
     file://run-ptest \
     ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
     file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
+    file://cve-2017-1000250.patch \
 "
 S = "${WORKDIR}/bluez-${PV}"
 
+CVE_PRODUCT = "bluez"
+
 inherit autotools pkgconfig systemd update-rc.d distro_features_check ptest
 
 EXTRA_OECONF = "\
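Review bot: The `file://cve-2017-1000250.patch` entry goes into the shared bluez5.inc with nothing in the recipe saying which versions need it or when it can be dropped. The patch header added in this commit says BlueZ 5.46 and earlier are affected, so the backport presumably becomes redundant, and may stop applying, once the recipe moves past that release. A comment above the SRC_URI assignment would record this, for example `# cve-2017-1000250.patch: backport, affects <= 5.46; drop when PV is newer`. The SRC_URI assignment opens before this hunk.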
@@ -42,7 +46,7 @@
 NOINST_TOOLS_READLINE ??= ""
 NOINST_TOOLS_EXPERIMENTAL ??= ""
 NOINST_TOOLS = " \
-    ${NOINST_TOOLS_READLINE} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'readline', '${NOINST_TOOLS_READLINE}', '', d)} \
     ${@bb.utils.contains('PACKAGECONFIG', 'experimental', '${NOINST_TOOLS_EXPERIMENTAL}', '', d)} \
 "
 
@@ -95,13 +99,13 @@
 
 def get_noinst_tools_paths (d, bb, tools):
     s = list()
-    bindir = d.getVar("bindir", True)
+    bindir = d.getVar("bindir")
     for bdp in tools.split():
         f = os.path.basename(bdp)
         s.append("%s/%s" % (bindir, f))
     return "\n".join(s)
 
-FILES_${PN}-noinst-tools = "${@get_noinst_tools_paths(d, bb, d.getVar('NOINST_TOOLS', True))}"
+FILES_${PN}-noinst-tools = "${@get_noinst_tools_paths(d, bb, d.getVar('NOINST_TOOLS'))}"
 
 RDEPENDS_${PN}-testtools += "python3 python3-dbus python3-pygobject"
 
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
new file mode 100644
index 0000000..9fac961
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5/cve-2017-1000250.patch
@@ -0,0 +1,34 @@
+All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an
+information disclosure vulnerability which allows remote attackers to obtain
+sensitive information from the bluetoothd process memory. This vulnerability
+lies in the processing of SDP search attribute requests.
+
+CVE: CVE-2017-1000250
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 13 Sep 2017 10:01:40 +0300
+Subject: sdp: Fix Out-of-bounds heap read in service_search_attr_req function
+
+Check if there is enough data to continue otherwise return an error.
+---
+ src/sdpd-request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce..318d044 100644
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+ 	} else {
+ 		/* continuation State exists -> get from cache */
+ 		sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+-		if (pCache) {
++		if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {
+ 			uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+ 			pResponse = pCache->data;
+ 			memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+-- 
+cgit v1.1
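Review bot: The embedded hunk shows only the accepting side of the new guard in service_search_attr_req, so two things the fix depends on cannot be confirmed from these lines: that a continuation state with `maxBytesSent` at or past `pCache->data_size` ends in an error response, and that `buf->data` has room for `sent` bytes before the `memcpy`. The commit message says an error is returned, but the branch that does so is outside the hunk and should be checked against the full sdpd-request.c. Within the visible lines the strict `<` keeps `pCache->data_size - cstate->cStateValue.maxBytesSent` from wrapping. For later audits the status line could carry the upstream reference, `Upstream-Status: Backport [9e009647b14e810e06626dde7f1bb9ea3c375d09]`. The trailing `cgit v1.1` line suggests the patch was saved from a web view rather than produced by `git format-patch`.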
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5_5.41.bb b/import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5_5.43.bb
similarity index 88%
rename from import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5_5.41.bb
rename to import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5_5.43.bb
index 522aab7..e10b82d 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5_5.41.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bluez5/bluez5_5.43.bb
@@ -2,8 +2,8 @@
 
 REQUIRED_DISTRO_FEATURES = "bluez5"
 
-SRC_URI[md5sum] = "318341b2188698130adb73236ee69244"
-SRC_URI[sha256sum] = "df7dc4462494dad4e60a2943240d584f6e760235dca64f5f10eba46dbab7f5f0"
+SRC_URI[md5sum] = "698def88df96840dfbb0858bb6d73350"
+SRC_URI[sha256sum] = "16c9c05d2a1da644ce3570d975ada3643d2e60c007a955bac09c0a0efeb58d15"
 
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman.inc b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman.inc
index 35a7eed..64a5418 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman.inc
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman.inc
@@ -31,10 +31,8 @@
 "
 
 PACKAGECONFIG ??= "wispr \
-                   ${@bb.utils.contains('DISTRO_FEATURES', 'systemd','systemd', '', d)} \
-                   ${@bb.utils.contains('DISTRO_FEATURES', 'wifi','wifi', '', d)} \
+                   ${@bb.utils.filter('DISTRO_FEATURES', '3g systemd wifi', d)} \
                    ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez', '', d)} \
-                   ${@bb.utils.contains('DISTRO_FEATURES', '3g','3g', '', d)} \
 "
 
 # If you want ConnMan to support VPN, add following statement into
@@ -58,7 +56,7 @@
 
 python __anonymous () {
     systemd_packages = "${PN}"
-    pkgconfig = d.getVar('PACKAGECONFIG', True)
+    pkgconfig = d.getVar('PACKAGECONFIG')
     if ('openvpn' or 'vpnc' or 'l2tp' or 'pptp') in pkgconfig.split():
         systemd_packages += " ${PN}-vpn"
     d.setVar('SYSTEMD_PACKAGES', systemd_packages)
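Review bot: The condition directly below the changed `getVar` call, `if ('openvpn' or 'vpnc' or 'l2tp' or 'pptp') in pkgconfig.split():`, only ever tests for 'openvpn', because the parenthesised `or` chain evaluates to its first non-empty string. A PACKAGECONFIG that enables vpnc, l2tp or pptp without openvpn therefore never adds `${PN}-vpn` to SYSTEMD_PACKAGES. The commit carries the line over as context; it could become `if any(p in pkgconfig.split() for p in ('openvpn', 'vpnc', 'l2tp', 'pptp')):`. The anonymous function's closing brace is outside the hunk.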
@@ -116,7 +114,7 @@
 
 python populate_packages_prepend() {
     depmap = dict(pppd="ppp")
-    multilib_prefix = (d.getVar("MLPREFIX", True) or "")
+    multilib_prefix = (d.getVar("MLPREFIX") or "")
 
     hook = lambda file,pkg,x,y,z: \
         add_rdepends(bb, d, file, pkg, depmap, multilib_prefix, False)
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/0001-Fix-compile-on-musl-with-kernel-4.9-headers.patch b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/0001-Fix-compile-on-musl-with-kernel-4.9-headers.patch
new file mode 100644
index 0000000..bf3b86d
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/0001-Fix-compile-on-musl-with-kernel-4.9-headers.patch
@@ -0,0 +1,64 @@
+From c8bfad4ee9d2c505c00ccbb8b2139543b5ad6fcb Mon Sep 17 00:00:00 2001
+From: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Date: Mon, 23 Jan 2017 17:41:39 +0200
+Subject: [PATCH] Fix compile on musl with kernel 4.9 headers
+
+Kernel headers break when musl defines IFF_LOWER_UP. While
+waiting for more proper fix in musl, add a hack to connman.
+
+Upstream-Status: Inappropriate [Workaround]
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+---
+ src/6to4.c     | 4 ++++
+ src/firewall.c | 4 ++++
+ src/iptables.c | 4 ++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/src/6to4.c b/src/6to4.c
+index 71a2882..1938afb 100644
+--- a/src/6to4.c
++++ b/src/6to4.c
+@@ -24,6 +24,10 @@
+ #include <config.h>
+ #endif
+ 
++/* hack to make sure kernel headers understand that libc (musl)
++   does define IFF_LOWER_UP et al. */
++#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 0
++
+ #include <errno.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+diff --git a/src/firewall.c b/src/firewall.c
+index c440df6..c83def9 100644
+--- a/src/firewall.c
++++ b/src/firewall.c
+@@ -23,6 +23,10 @@
+ #include <config.h>
+ #endif
+ 
++/* hack to make sure kernel headers understand that libc (musl)
++   does define IFF_LOWER_UP et al. */
++#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 0
++
+ #include <errno.h>
+ 
+ #include <xtables.h>
+diff --git a/src/iptables.c b/src/iptables.c
+index 82e3ac4..46ad9e2 100644
+--- a/src/iptables.c
++++ b/src/iptables.c
+@@ -23,6 +23,10 @@
+ #include <config.h>
+ #endif
+ 
++/* hack to make sure kernel headers understand that libc (musl)
++   does define IFF_LOWER_UP et al. */
++#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 0
++
+ #include <getopt.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+-- 
+2.1.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb
index d8793ac..ee04d9b 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb
@@ -8,7 +8,8 @@
             file://0003-stats-Fix-bad-file-descriptor-initialisation.patch \
             file://CVE-2017-12865.patch \
             "
-SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
+SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch \
+                             file://0001-Fix-compile-on-musl-with-kernel-4.9-headers.patch"
 
 SRC_URI[md5sum] = "c51903fd3e7a6a371d12ac5d72a1fa01"
 SRC_URI[sha256sum] = "bc8946036fa70124d663136f9f6b6238d897ca482782df907b07a428b09df5a0"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/dhcp/dhcp_4.3.4.bb b/import-layers/yocto-poky/meta/recipes-connectivity/dhcp/dhcp_4.3.5.bb
similarity index 81%
rename from import-layers/yocto-poky/meta/recipes-connectivity/dhcp/dhcp_4.3.4.bb
rename to import-layers/yocto-poky/meta/recipes-connectivity/dhcp/dhcp_4.3.5.bb
index 4151eb1..678c29a 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/dhcp/dhcp_4.3.4.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/dhcp/dhcp_4.3.5.bb
@@ -11,8 +11,8 @@
             file://remove-dhclient-script-bash-dependency.patch \
            "
 
-SRC_URI[md5sum] = "0138319fe2b788cf4bdf34fbeaf9ff54"
-SRC_URI[sha256sum] = "f5115aee3dd3e6925de4ba47b80ab732ba48b481c8364b6ebade2d43698d607e"
+SRC_URI[md5sum] = "2b5e5b2fa31c2e27e487039d86f83d3f"
+SRC_URI[sha256sum] = "eb95936bf15d2393c55dd505bc527d1d4408289cec5a9fa8abb99f7577e7f954"
 
 PACKAGECONFIG ?= ""
 PACKAGECONFIG[bind-httpstats] = "--with-libxml2,--without-libxml2,libxml2"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2.inc b/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2.inc
index 63e7ca9..ce64888 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2.inc
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2.inc
@@ -11,7 +11,7 @@
 
 DEPENDS = "flex-native bison-native iptables elfutils"
 
-inherit update-alternatives bash-completion
+inherit update-alternatives bash-completion pkgconfig
 
 EXTRA_OEMAKE = "CC='${CC}' KERNEL_INCLUDE=${STAGING_INCDIR} DOCDIR=${docdir}/iproute2 SUBDIRS='lib tc ip bridge misc genl' SBINDIR='${base_sbindir}' LIBDIR='${libdir}'"
 
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch b/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch
new file mode 100644
index 0000000..3d324c9
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch
@@ -0,0 +1,41 @@
+From b7d96340c55afb7023ded0041107c63dbd886196 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Thu, 22 Dec 2016 15:26:30 +0200
+Subject: [PATCH] libc-compat.h: add musl workaround
+
+The libc-compat.h kernel header uses glibc specific macros (__GLIBC__ and
+__USE_MISC) to solve conflicts with libc provided headers. This patch makes
+libc-compat.h work for musl libc as well.
+
+Upstream-Status: Pending
+
+Taken From:
+https://git.buildroot.net/buildroot/tree/package/iproute2/0001-Add-the-musl-workaround-to-the-libc-compat.h-copy.patch
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Maxin B. John <maxin.john@intel.com>
+---
+ include/linux/libc-compat.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/libc-compat.h b/include/linux/libc-compat.h
+index f38571d..30f0b67 100644
+--- a/include/linux/libc-compat.h
++++ b/include/linux/libc-compat.h
+@@ -49,10 +49,12 @@
+ #define _LIBC_COMPAT_H
+ 
+ /* We have included glibc headers... */
+-#if defined(__GLIBC__)
++#if 1
++#define __USE_MISC
+ 
+ /* Coordinate with glibc net/if.h header. */
+ #if defined(_NET_IF_H) && defined(__USE_MISC)
++#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 0
+ 
+ /* GLIBC headers included first so don't define anything
+  * that would already be defined. */
+-- 
+2.4.0
+
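Review bot: The `#if 1` and unconditional `#define __USE_MISC` that replace `#if defined(__GLIBC__)` apply to every C library, and iproute2_4.10.0.bb in this commit lists the patch in the main SRC_URI rather than under a musl override, so glibc builds are compiled with the workaround too. On glibc `__USE_MISC` normally comes from the libc's own feature headers, so defining it again here may cause a redefinition warning or change which declarations the header suppresses; this cannot be confirmed from the page. Applying the patch only for musl, as the connman recipe in this commit does, would leave the glibc path as upstream ships it: `SRC_URI_append_libc-musl = " file://0001-libc-compat.h-add-musl-workaround.patch"`. The `#if` blocks opened in the embedded hunk close outside it.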
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2/iproute2-4.3.0-musl.patch b/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2/iproute2-4.3.0-musl.patch
deleted file mode 100644
index 8c078f6..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2/iproute2-4.3.0-musl.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-Subject: [PATCH] Avoid in6_addr redefinition
-
-Due to both <netinet/in.h> and <linux/in6.h> being included, the
-in6_addr is being redefined: once from the C library headers and once
-from the kernel headers. This causes some build failures with for
-example the musl C library.
-
-In order to fix this, use just the C library header <netinet/in.h>.
-Original patch taken from
-http://git.alpinelinux.org/cgit/aports/tree/main/iproute2/musl-fixes.patch.
-
-(Refreshed the patch for 4.6 release)
-
-Upstream-Status: Pending
-
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
-----
-diff -Naur iproute2-4.6.0-orig/include/libiptc/ipt_kernel_headers.h iproute2-4.6.0/include/libiptc/ipt_kernel_headers.h
---- iproute2-4.6.0-orig/include/libiptc/ipt_kernel_headers.h	2016-05-23 12:03:23.821826910 +0300
-+++ iproute2-4.6.0/include/libiptc/ipt_kernel_headers.h	2016-05-23 12:04:23.714078154 +0300
-@@ -6,7 +6,6 @@
- #include <limits.h>
- 
- #include <netinet/ip.h>
--#include <netinet/in.h>
- #include <netinet/ip_icmp.h>
- #include <netinet/tcp.h>
- #include <netinet/udp.h>
-diff -Naur iproute2-4.6.0-orig/include/linux/if_bridge.h iproute2-4.6.0/include/linux/if_bridge.h
---- iproute2-4.6.0-orig/include/linux/if_bridge.h	2016-05-23 12:03:23.821826910 +0300
-+++ iproute2-4.6.0/include/linux/if_bridge.h	2016-05-23 12:04:23.716078129 +0300
-@@ -15,7 +15,6 @@
- 
- #include <linux/types.h>
- #include <linux/if_ether.h>
--#include <linux/in6.h>
- 
- #define SYSFS_BRIDGE_ATTR	"bridge"
- #define SYSFS_BRIDGE_FDB	"brforward"
-diff -Naur iproute2-4.6.0-orig/include/linux/netfilter.h iproute2-4.6.0/include/linux/netfilter.h
---- iproute2-4.6.0-orig/include/linux/netfilter.h	2016-05-23 12:03:23.821826910 +0300
-+++ iproute2-4.6.0/include/linux/netfilter.h	2016-05-23 12:04:23.717078117 +0300
-@@ -4,8 +4,6 @@
- #include <linux/types.h>
- 
- #include <linux/sysctl.h>
--#include <linux/in.h>
--#include <linux/in6.h>
- 
- /* Responses from hook functions. */
- #define NF_DROP 0
-diff -Naur iproute2-4.6.0-orig/include/linux/netfilter_ipv4/ip_tables.h iproute2-4.6.0/include/linux/netfilter_ipv4/ip_tables.h
---- iproute2-4.6.0-orig/include/linux/netfilter_ipv4/ip_tables.h	2016-05-18 21:56:02.000000000 +0300
-+++ iproute2-4.6.0/include/linux/netfilter_ipv4/ip_tables.h	2016-05-23 12:09:22.888337961 +0300
-@@ -17,7 +17,6 @@
- 
- #include <linux/types.h>
- 
--#include <linux/if.h>
- #include <linux/netfilter_ipv4.h>
- 
- #include <linux/netfilter/x_tables.h>
-diff -Naur iproute2-4.6.0-orig/include/linux/xfrm.h iproute2-4.6.0/include/linux/xfrm.h
---- iproute2-4.6.0-orig/include/linux/xfrm.h	2016-05-23 12:03:23.821826910 +0300
-+++ iproute2-4.6.0/include/linux/xfrm.h	2016-05-23 12:04:23.718078104 +0300
-@@ -1,7 +1,6 @@
- #ifndef _LINUX_XFRM_H
- #define _LINUX_XFRM_H
- 
--#include <linux/in6.h>
- #include <linux/types.h>
- 
- /* All of the structures in this file may not change size as they are
-diff -Naur iproute2-4.6.0-orig/include/utils.h iproute2-4.6.0/include/utils.h
---- iproute2-4.6.0-orig/include/utils.h	2016-05-23 12:03:23.821826910 +0300
-+++ iproute2-4.6.0/include/utils.h	2016-05-23 12:04:23.718078104 +0300
-@@ -1,6 +1,7 @@
- #ifndef __UTILS_H__
- #define __UTILS_H__ 1
- 
-+#include <sys/param.h>  /* MAXPATHLEN */
- #include <sys/types.h>
- #include <asm/types.h>
- #include <resolv.h>
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2_4.10.0.bb b/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2_4.10.0.bb
new file mode 100644
index 0000000..a050e87
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2_4.10.0.bb
@@ -0,0 +1,14 @@
+require iproute2.inc
+
+SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \
+           file://configure-cross.patch \
+           file://0001-iproute2-de-bash-scripts.patch \
+           file://0001-libc-compat.h-add-musl-workaround.patch \
+          "
+
+SRC_URI[md5sum] = "b94a2b0edefaeac124dc8f5d006931b9"
+SRC_URI[sha256sum] = "22b1e1c1fc704ad35837e5a66103739727b8b48ac90b48c13f79b7367ff0a9a8"
+
+# CFLAGS are computed in Makefile and reference CCOPTS
+#
+EXTRA_OEMAKE_append = " CCOPTS='${CFLAGS}'"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2_4.7.0.bb b/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2_4.7.0.bb
deleted file mode 100644
index 426f989..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/iproute2/iproute2_4.7.0.bb
+++ /dev/null
@@ -1,13 +0,0 @@
-require iproute2.inc
-
-SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \
-           file://configure-cross.patch \
-           file://0001-iproute2-de-bash-scripts.patch \
-           file://iproute2-4.3.0-musl.patch \
-          "
-SRC_URI[md5sum] = "d4b205830cdc2702f8a0cbd6232129cd"
-SRC_URI[sha256sum] = "8f60dbcfb33a79daae0638f53bdcaa4310c0aa59ae39af8a234020dc69bb7b92"
-
-# CFLAGS are computed in Makefile and reference CCOPTS
-#
-EXTRA_OEMAKE_append = " CCOPTS='${CFLAGS}'"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/iw/iw_4.7.bb b/import-layers/yocto-poky/meta/recipes-connectivity/iw/iw_4.9.bb
similarity index 85%
rename from import-layers/yocto-poky/meta/recipes-connectivity/iw/iw_4.7.bb
rename to import-layers/yocto-poky/meta/recipes-connectivity/iw/iw_4.9.bb
index e9f4141..6daeb07 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/iw/iw_4.7.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/iw/iw_4.9.bb
@@ -14,8 +14,8 @@
            file://separate-objdir.patch \
 "
 
-SRC_URI[md5sum] = "19d1edd276b2ac0c6cccfc7ae8d2b732"
-SRC_URI[sha256sum] = "758092229f13d691968060a0ad41364ba8eb8da4503626c20233a5b1eb33b4d9"
+SRC_URI[md5sum] = "06e96ab7a5c652f8eaed6f71533a9e0f"
+SRC_URI[sha256sum] = "12f921f3dbe0f33c309f5f2891cccf5325c94bd48dceeb102de183f5f048a9e2"
 
 inherit pkgconfig
 
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap.inc b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap.inc
index 7b29a52..6635779 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap.inc
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap.inc
@@ -19,14 +19,14 @@
 inherit autotools binconfig-disabled pkgconfig bluetooth
 
 EXTRA_OECONF = "--with-pcap=linux"
+EXTRA_AUTORECONF += "--exclude=aclocal"
 
 PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', '${BLUEZ}', '', d)} \
-                   ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)} \
+                   ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
 "
 PACKAGECONFIG[bluez4] = "--enable-bluetooth,--disable-bluetooth,bluez4"
 # Add a dummy PACKAGECONFIG for bluez5 since it is not supported by libpcap.
 PACKAGECONFIG[bluez5] = ",,"
-PACKAGECONFIG[canusb] = "--enable-canusb,--enable-canusb=no,libusb"
 PACKAGECONFIG[dbus] = "--enable-dbus,--disable-dbus,dbus"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
 PACKAGECONFIG[libnl] = "--with-libnl,--without-libnl,libnl"
@@ -36,8 +36,5 @@
 CXXFLAGS_prepend = "-I${S} "
 
 do_configure_prepend () {
-    if [ ! -e ${S}/acinclude.m4 ]; then
-        cat ${S}/aclocal.m4 > ${S}/acinclude.m4
-    fi
     sed -i -e's,^V_RPATH_OPT=.*$,V_RPATH_OPT=,' ${S}/pcap-config.in
 }
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/0001-Fix-compiler_state_t.ai-usage-when-INET6-is-not-defi.patch b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/0001-Fix-compiler_state_t.ai-usage-when-INET6-is-not-defi.patch
new file mode 100644
index 0000000..edb6ae5
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/0001-Fix-compiler_state_t.ai-usage-when-INET6-is-not-defi.patch
@@ -0,0 +1,41 @@
+From 64aa033a061c43fc15c711f2490ae41d23b868c3 Mon Sep 17 00:00:00 2001
+From: Fabio Berton <fabio.berton@ossystems.com.br>
+Date: Thu, 17 Nov 2016 09:44:42 -0200
+Subject: [PATCH 1/2] Fix compiler_state_t.ai usage when INET6 is not defined
+Organization: O.S. Systems Software LTDA.
+
+Fix error:
+
+/
+| ../libpcap-1.8.1/gencode.c: In function 'pcap_compile':
+| ../libpcap-1.8.1/gencode.c:693:8: error: 'compiler_state_t
+| {aka struct _compiler_state}' has no member named 'ai'
+|   cstate.ai = NULL;
+\
+
+Upstream-Status: Submitted [1]
+
+[1] https://github.com/the-tcpdump-group/libpcap/pull/541
+
+Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
+---
+ gencode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gencode.c b/gencode.c
+index a887f27..e103c70 100644
+--- a/gencode.c
++++ b/gencode.c
+@@ -690,7 +690,9 @@ pcap_compile(pcap_t *p, struct bpf_program *program,
+ 	}
+ 	initchunks(&cstate);
+ 	cstate.no_optimize = 0;
++#ifdef INET6
+ 	cstate.ai = NULL;
++#endif
+ 	cstate.ic.root = NULL;
+ 	cstate.ic.cur_mark = 0;
+ 	cstate.bpf_pcap = p;
+-- 
+2.1.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/0002-Add-missing-compiler_state_t-parameter.patch b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/0002-Add-missing-compiler_state_t-parameter.patch
new file mode 100644
index 0000000..032b265
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/0002-Add-missing-compiler_state_t-parameter.patch
@@ -0,0 +1,67 @@
+From 50ec0a088d5924a8305b2d70dcba71b0942dee1a Mon Sep 17 00:00:00 2001
+From: Fabio Berton <fabio.berton@ossystems.com.br>
+Date: Thu, 17 Nov 2016 09:47:29 -0200
+Subject: [PATCH 2/2] Add missing compiler_state_t parameter
+Organization: O.S. Systems Software LTDA.
+
+Fix error:
+
+/
+|../libpcap-1.8.1/gencode.c: In function 'gen_gateway':
+|../libpcap-1.8.1/gencode.c:4914:13: error: 'cstate' undeclared
+| (first use in this function)
+|    bpf_error(cstate, "direction applied to 'gateway'");
+\
+
+Upstream-Status: Submitted [1]
+
+[1] https://github.com/the-tcpdump-group/libpcap/pull/541
+
+Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
+---
+ gencode.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/gencode.c b/gencode.c
+index e103c70..f07c0be 100644
+--- a/gencode.c
++++ b/gencode.c
+@@ -523,7 +523,7 @@ static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
+     struct in6_addr *, int, int, int);
+ #endif
+ #ifndef INET6
+-static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
++static struct block *gen_gateway(compiler_state_t *, const u_char *, bpf_u_int32 **, int, int);
+ #endif
+ static struct block *gen_ipfrag(compiler_state_t *);
+ static struct block *gen_portatom(compiler_state_t *, int, bpf_int32);
+@@ -4904,11 +4904,12 @@ gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
+ 
+ #ifndef INET6
+ static struct block *
+-gen_gateway(eaddr, alist, proto, dir)
+-	const u_char *eaddr;
+-	bpf_u_int32 **alist;
+-	int proto;
+-	int dir;
++gen_gateway(cstate, eaddr, alist, proto, dir)
++    compiler_state_t *cstate;
++    const u_char *eaddr;
++    bpf_u_int32 **alist;
++    int proto;
++    int dir;
+ {
+ 	struct block *b0, *b1, *tmp;
+ 
+@@ -6472,7 +6473,7 @@ gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
+ 		alist = pcap_nametoaddr(name);
+ 		if (alist == NULL || *alist == NULL)
+ 			bpf_error(cstate, "unknown host '%s'", name);
+-		b = gen_gateway(eaddr, alist, proto, dir);
++		b = gen_gateway(cstate, eaddr, alist, proto, dir);
+ 		free(eaddr);
+ 		return b;
+ #else
+-- 
+2.1.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/aclocal.patch b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/aclocal.patch
deleted file mode 100644
index 2151982..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/aclocal.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-Upstream-Status: Inappropriate [configuration]
-
-diff -ruN libpcap-1.1.1-orig/aclocal.m4 libpcap-1.1.1/aclocal.m4
---- libpcap-1.1.1-orig/aclocal.m4	2010-06-29 10:46:32.815117569 +0800
-+++ libpcap-1.1.1/aclocal.m4	2010-06-29 10:49:17.150149949 +0800
-@@ -37,7 +37,7 @@
- dnl AC_LBL_C_INIT.  Now, we run AC_LBL_C_INIT_BEFORE_CC, AC_PROG_CC,
- dnl and AC_LBL_C_INIT at the top level.
- dnl
--AC_DEFUN(AC_LBL_C_INIT_BEFORE_CC,
-+AC_DEFUN([AC_LBL_C_INIT_BEFORE_CC],
- [
-     AC_BEFORE([$0], [AC_LBL_C_INIT])
-     AC_BEFORE([$0], [AC_PROG_CC])
-@@ -90,7 +90,7 @@
- dnl     LDFLAGS
- dnl     LBL_CFLAGS
- dnl
--AC_DEFUN(AC_LBL_C_INIT,
-+AC_DEFUN([AC_LBL_C_INIT],
- [
-     AC_BEFORE([$0], [AC_LBL_FIXINCLUDES])
-     AC_BEFORE([$0], [AC_LBL_DEVEL])
-@@ -217,7 +217,7 @@
- dnl	V_SONAME_OPT
- dnl	V_RPATH_OPT
- dnl
--AC_DEFUN(AC_LBL_SHLIBS_INIT,
-+AC_DEFUN([AC_LBL_SHLIBS_INIT],
-     [AC_PREREQ(2.50)
-     if test "$GCC" = yes ; then
- 	    #
-@@ -361,7 +361,7 @@
- # Make sure we use the V_CCOPT flags, because some of those might
- # disable inlining.
- #
--AC_DEFUN(AC_LBL_C_INLINE,
-+AC_DEFUN([AC_LBL_C_INLINE],
-     [AC_MSG_CHECKING(for inline)
-     save_CFLAGS="$CFLAGS"
-     CFLAGS="$V_CCOPT"
-@@ -407,7 +407,7 @@
- dnl
- dnl	AC_LBL_FIXINCLUDES
- dnl
--AC_DEFUN(AC_LBL_FIXINCLUDES,
-+AC_DEFUN([AC_LBL_FIXINCLUDES],
-     [if test "$GCC" = yes ; then
- 	    AC_MSG_CHECKING(for ANSI ioctl definitions)
- 	    AC_CACHE_VAL(ac_cv_lbl_gcc_fixincludes,
-@@ -453,7 +453,7 @@
- dnl	$2 (yacc appended)
- dnl	$3 (optional flex and bison -P prefix)
- dnl
--AC_DEFUN(AC_LBL_LEX_AND_YACC,
-+AC_DEFUN([AC_LBL_LEX_AND_YACC],
-     [AC_ARG_WITH(flex, [  --without-flex          don't use flex])
-     AC_ARG_WITH(bison, [  --without-bison         don't use bison])
-     if test "$with_flex" = no ; then
-@@ -506,7 +506,7 @@
- dnl
- dnl	DECLWAITSTATUS (defined)
- dnl
--AC_DEFUN(AC_LBL_UNION_WAIT,
-+AC_DEFUN([AC_LBL_UNION_WAIT],
-     [AC_MSG_CHECKING(if union wait is used)
-     AC_CACHE_VAL(ac_cv_lbl_union_wait,
- 	AC_TRY_COMPILE([
-@@ -535,7 +535,7 @@
- dnl
- dnl	HAVE_SOCKADDR_SA_LEN (defined)
- dnl
--AC_DEFUN(AC_LBL_SOCKADDR_SA_LEN,
-+AC_DEFUN([AC_LBL_SOCKADDR_SA_LEN],
-     [AC_MSG_CHECKING(if sockaddr struct has the sa_len member)
-     AC_CACHE_VAL(ac_cv_lbl_sockaddr_has_sa_len,
- 	AC_TRY_COMPILE([
-@@ -560,7 +560,7 @@
- dnl
- dnl	HAVE_SOCKADDR_STORAGE (defined)
- dnl
--AC_DEFUN(AC_LBL_SOCKADDR_STORAGE,
-+AC_DEFUN([AC_LBL_SOCKADDR_STORAGE],
-     [AC_MSG_CHECKING(if sockaddr_storage struct exists)
-     AC_CACHE_VAL(ac_cv_lbl_has_sockaddr_storage,
- 	AC_TRY_COMPILE([
-@@ -593,7 +593,7 @@
- dnl won't be using code that would use that member, or we wouldn't
- dnl compile in any case).
- dnl
--AC_DEFUN(AC_LBL_HP_PPA_INFO_T_DL_MODULE_ID_1,
-+AC_DEFUN([AC_LBL_HP_PPA_INFO_T_DL_MODULE_ID_1],
-     [AC_MSG_CHECKING(if dl_hp_ppa_info_t struct has dl_module_id_1 member)
-     AC_CACHE_VAL(ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1,
- 	AC_TRY_COMPILE([
-@@ -619,7 +619,7 @@
- dnl
- dnl	ac_cv_lbl_have_run_path (yes or no)
- dnl
--AC_DEFUN(AC_LBL_HAVE_RUN_PATH,
-+AC_DEFUN([AC_LBL_HAVE_RUN_PATH],
-     [AC_MSG_CHECKING(for ${CC-cc} -R)
-     AC_CACHE_VAL(ac_cv_lbl_have_run_path,
- 	[echo 'main(){}' > conftest.c
-@@ -644,7 +644,7 @@
- dnl
- dnl	LBL_ALIGN (DEFINED)
- dnl
--AC_DEFUN(AC_LBL_UNALIGNED_ACCESS,
-+AC_DEFUN([AC_LBL_UNALIGNED_ACCESS],
-     [AC_MSG_CHECKING(if unaligned accesses fail)
-     AC_CACHE_VAL(ac_cv_lbl_unaligned_fail,
- 	[case "$host_cpu" in
-@@ -749,7 +749,7 @@
- dnl	HAVE_OS_PROTO_H (defined)
- dnl	os-proto.h (symlinked)
- dnl
--AC_DEFUN(AC_LBL_DEVEL,
-+AC_DEFUN([AC_LBL_DEVEL],
-     [rm -f os-proto.h
-     if test "${LBL_CFLAGS+set}" = set; then
- 	    $1="$$1 ${LBL_CFLAGS}"
-@@ -886,7 +886,7 @@
- dnl statically and happen to have a libresolv.a lying around (and no
- dnl libnsl.a).
- dnl
--AC_DEFUN(AC_LBL_LIBRARY_NET, [
-+AC_DEFUN([AC_LBL_LIBRARY_NET], [
-     # Most operating systems have gethostbyname() in the default searched
-     # libraries (i.e. libc):
-     # Some OSes (eg. Solaris) place it in libnsl
-@@ -909,7 +909,7 @@
- dnl Test for __attribute__
- dnl
- 
--AC_DEFUN(AC_C___ATTRIBUTE__, [
-+AC_DEFUN([AC_C___ATTRIBUTE__], [
- AC_MSG_CHECKING(for __attribute__)
- AC_CACHE_VAL(ac_cv___attribute__, [
- AC_COMPILE_IFELSE(
-@@ -947,7 +947,7 @@
- dnl
- dnl -Scott Barron
- dnl
--AC_DEFUN(AC_LBL_TPACKET_STATS,
-+AC_DEFUN([AC_LBL_TPACKET_STATS],
-    [AC_MSG_CHECKING(if if_packet.h has tpacket_stats defined)
-    AC_CACHE_VAL(ac_cv_lbl_tpacket_stats,
-    AC_TRY_COMPILE([
-@@ -976,7 +976,7 @@
- dnl doesn't have that member (which is OK, as either we won't be using
- dnl code that would use that member, or we wouldn't compile in any case).
- dnl
--AC_DEFUN(AC_LBL_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI,
-+AC_DEFUN([AC_LBL_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI],
-     [AC_MSG_CHECKING(if tpacket_auxdata struct has tp_vlan_tci member)
-     AC_CACHE_VAL(ac_cv_lbl_dl_hp_ppa_info_t_has_dl_module_id_1,
- 	AC_TRY_COMPILE([
-@@ -1003,7 +1003,7 @@
- dnl 
- dnl 	HAVE_DLPI_PASSIVE (defined)
- dnl
--AC_DEFUN(AC_LBL_DL_PASSIVE_REQ_T,
-+AC_DEFUN([AC_LBL_DL_PASSIVE_REQ_T],
-         [AC_MSG_CHECKING(if dl_passive_req_t struct exists)
-        AC_CACHE_VAL(ac_cv_lbl_has_dl_passive_req_t,
-                 AC_TRY_COMPILE([
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/disable-remote.patch b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/disable-remote.patch
new file mode 100644
index 0000000..7e1eea6
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/disable-remote.patch
@@ -0,0 +1,36 @@
+Disable bits of remote capture support inherited from the WinPCAP merge
+which cause applications to FTBFS if they define HAVE_REMOTE.
+
+Patch from:
+https://anonscm.debian.org/cgit/users/rfrancoise/libpcap.git/commit/?
+id=f35949969269dfdcc3549b12fade604755e1e326
+
+Upstream-Status: Pending
+
+--- a/pcap/pcap.h
++++ b/pcap/pcap.h
+@@ -506,6 +506,11 @@
+   #define MODE_STAT 1
+   #define MODE_MON 2
+ 
++#ifdef HAVE_REMOTE
++  /* Includes most of the public stuff that is needed for the remote capture */
++  #include <remote-ext.h>
++#endif	 /* HAVE_REMOTE */
++
+ #elif defined(MSDOS)
+ 
+   /*
+@@ -526,11 +531,6 @@
+ 
+ #endif /* _WIN32/MSDOS/UN*X */
+ 
+-#ifdef HAVE_REMOTE
+-  /* Includes most of the public stuff that is needed for the remote capture */
+-  #include <remote-ext.h>
+-#endif	 /* HAVE_REMOTE */
+-
+ #ifdef __cplusplus
+ }
+ #endif
+
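Review bot: The patch header has no `Signed-off-by:` line from whoever imported it, and the origin URL is wrapped so that `id=f35949969269dfdcc3549b12fade604755e1e326` sits on its own line and the link cannot be followed as written. With `Upstream-Status: Pending`, that makes the provenance of a public-header change harder to audit; joining the URL onto one line and adding the importer's sign-off would fix it. The description could also state what the two hunks do: the `#ifdef HAVE_REMOTE` / `#include <remote-ext.h>` block moves from after the `_WIN32/MSDOS/UN*X` `#endif` into the branch just before `#elif defined(MSDOS)`. A stray `HAVE_REMOTE` define then no longer pulls the header in on the other platforms, which appears to be the intent.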
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/fix-grammar-deps.patch b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/fix-grammar-deps.patch
new file mode 100644
index 0000000..f40e655
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/fix-grammar-deps.patch
@@ -0,0 +1,29 @@
+Fix a missing dependency that can result in:
+
+../libpcap-1.8.1/grammar.y:78:10: fatal error: scanner.h: No such file or directory
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 0dd90a6bdbce4dca14106859eee63ef643a106e2 Mon Sep 17 00:00:00 2001
+From: Alfredo Alvarez Fernandez <alfredoalvarezernandez@gmail.com>
+Date: Tue, 21 Feb 2017 11:41:43 +0100
+Subject: [PATCH] Makefile.in: Fix missing dependency
+
+---
+ Makefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 7044f043..f5d443ae 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -465,7 +465,7 @@ grammar.h: grammar.c
+ 		$(MAKE) $(MAKEFLAGS) grammar.c; \
+ 	fi
+ 
+-grammar.o: grammar.c
++grammar.o: grammar.c scanner.h
+ 	$(CC) $(FULL_CFLAGS) -c grammar.c
+ 
+ gencode.o: $(srcdir)/gencode.c grammar.h scanner.h
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/libpcap-pkgconfig-support.patch b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/libpcap-pkgconfig-support.patch
index b861513..afaa3be 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/libpcap-pkgconfig-support.patch
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap/libpcap-pkgconfig-support.patch
@@ -1,25 +1,27 @@
-From 8887132e85892a72a84ca3878e60f254ad2ce939 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Tue, 24 Feb 2015 15:56:06 -0500
+From 2796129af52901dd68595e5e88a639308541def9 Mon Sep 17 00:00:00 2001
+From: Fabio Berton <fabio.berton@ossystems.com.br>
+Date: Thu, 3 Nov 2016 17:56:29 -0200
 Subject: [PATCH] libpcap: pkgconfig support
+Organization: O.S. Systems Software LTDA.
 
 Adding basic structure to support pkg-config.
 
 Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
 ---
  Makefile.in   |  5 +++++
- configure.in  |  1 +
+ configure.ac  |  1 +
  libpcap.pc.in | 10 ++++++++++
  3 files changed, 16 insertions(+)
  create mode 100644 libpcap.pc.in
 
 diff --git a/Makefile.in b/Makefile.in
-index 1c2d745..1f25faf 100644
+index e71d973..d7004ed 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -60,6 +60,10 @@ V_RPATH_OPT = @V_RPATH_OPT@
+@@ -61,6 +61,10 @@ V_RPATH_OPT = @V_RPATH_OPT@
  DEPENDENCY_CFLAG = @DEPENDENCY_CFLAG@
  PROG=libpcap
  
@@ -30,19 +32,19 @@
  # Standard CFLAGS
  FULL_CFLAGS = $(CCOPT) $(INCLS) $(DEFS) $(CFLAGS)
  
-@@ -275,6 +279,7 @@ EXTRA_DIST = \
+@@ -286,6 +290,7 @@ EXTRA_DIST = \
  	lbl/os-solaris2.h \
  	lbl/os-sunos4.h \
  	lbl/os-ultrix4.h \
 +	libpcap.pc \
+ 	missing/getopt.c \
+ 	missing/getopt.h \
  	missing/snprintf.c \
- 	mkdep \
- 	msdos/bin2c.c \
-diff --git a/configure.in b/configure.in
-index 8f5c86b..fb51b35 100644
---- a/configure.in
-+++ b/configure.in
-@@ -1700,6 +1700,7 @@ esac
+diff --git a/configure.ac b/configure.ac
+index da2f940..4fc67bf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1805,6 +1805,7 @@ fi
  AC_PROG_INSTALL
  
  AC_CONFIG_HEADER(config.h)
@@ -67,5 +69,5 @@
 +Libs: -L${libdir} -lpcap
 +Cflags: -I${includedir}
 -- 
-1.9.1
+2.1.4
 
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap_1.7.4.bb b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap_1.7.4.bb
deleted file mode 100644
index 8d12b25..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap_1.7.4.bb
+++ /dev/null
@@ -1,26 +0,0 @@
-require libpcap.inc
-
-SRC_URI += "file://aclocal.patch \
-            file://libpcap-pkgconfig-support.patch \
-           "
-SRC_URI[md5sum] = "b2e13142bbaba857ab1c6894aedaf547"
-SRC_URI[sha256sum] = "7ad3112187e88328b85e46dce7a9b949632af18ee74d97ffc3f2b41fe7f448b0"
-
-#
-# make install doesn't cover the shared lib
-# make install-shared is just broken (no symlinks)
-#
-
-do_configure_prepend () {
-    #remove hardcoded references to /usr/include
-    sed 's|\([ "^'\''I]\+\)/usr/include/|\1${STAGING_INCDIR}/|g' -i ${S}/configure.in
-}
-
-do_install_prepend () {
-    install -d ${D}${libdir}
-    install -d ${D}${bindir}
-    oe_runmake install-shared DESTDIR=${D}
-    oe_libinstall -a -so libpcap ${D}${libdir}
-    sed "s|@VERSION@|${PV}|" -i ${B}/libpcap.pc
-    install -D -m 0644 libpcap.pc ${D}${libdir}/pkgconfig/libpcap.pc
-}
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap_1.8.1.bb b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap_1.8.1.bb
new file mode 100644
index 0000000..13dfbd6
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/libpcap/libpcap_1.8.1.bb
@@ -0,0 +1,31 @@
+require libpcap.inc
+
+SRC_URI += " \
+    file://libpcap-pkgconfig-support.patch \
+    file://0001-Fix-compiler_state_t.ai-usage-when-INET6-is-not-defi.patch \
+    file://0002-Add-missing-compiler_state_t-parameter.patch \
+    file://disable-remote.patch \
+    file://fix-grammar-deps.patch \
+"
+
+SRC_URI[md5sum] = "3d48f9cd171ff12b0efd9134b52f1447"
+SRC_URI[sha256sum] = "673dbc69fdc3f5a86fb5759ab19899039a8e5e6c631749e48dcd9c6f0c83541e"
+
+#
+# make install doesn't cover the shared lib
+# make install-shared is just broken (no symlinks)
+#
+
+do_configure_prepend () {
+    #remove hardcoded references to /usr/include
+    sed 's|\([ "^'\''I]\+\)/usr/include/|\1${STAGING_INCDIR}/|g' -i ${S}/configure.ac
+}
+
+do_install_prepend () {
+    install -d ${D}${libdir}
+    install -d ${D}${bindir}
+    oe_runmake install-shared DESTDIR=${D}
+    oe_libinstall -a -so libpcap ${D}${libdir}
+    sed "s|@VERSION@|${PV}|" -i ${B}/libpcap.pc
+    install -D -m 0644 libpcap.pc ${D}${libdir}/pkgconfig/libpcap.pc
+}
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/neard/neard/0001-Add-header-dependency-to-nciattach.o.patch b/import-layers/yocto-poky/meta/recipes-connectivity/neard/neard/0001-Add-header-dependency-to-nciattach.o.patch
new file mode 100644
index 0000000..d8e8a5e
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/neard/neard/0001-Add-header-dependency-to-nciattach.o.patch
@@ -0,0 +1,35 @@
+From affaa2021a54c30353e4e1fee09c13a4de2196be Mon Sep 17 00:00:00 2001
+From: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Date: Fri, 17 Mar 2017 14:24:29 +0200
+Subject: [PATCH] Add header dependency to nciattach.o
+
+This can happen when compiling nciattach.o:
+
+| In file included from ../neard-0.16/tools/nciattach.c:47:0:
+| ../neard-0.16/src/near.h:30:27: fatal error: near/nfc_copy.h: No such
+file or directory
+|  #include <near/nfc_copy.h>
+
+Add the missing dependency to local headers.
+
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Upstream-Status: Submitted [mailinglist]
+---
+ Makefile.am | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index fa552ee..acef6ba 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -253,6 +253,7 @@ se/builtin.h: src/genbuiltin $(builtin_se_sources)
+ 
+ $(src_neard_OBJECTS) \
+ $(tools_nfctool_nfctool_OBJECTS) \
++$(tools_nciattach_OBJECTS) \
+ $(plugin_objects) \
+ $(se_seeld_OBJECTS) \
+ $(unit_test_ndef_parse_OBJECTS) \
+-- 
+2.11.0
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/neard/neard_0.16.bb b/import-layers/yocto-poky/meta/recipes-connectivity/neard/neard_0.16.bb
index 5433dc3..cc6af4e 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/neard/neard_0.16.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/neard/neard_0.16.bb
@@ -9,6 +9,7 @@
            file://neard.in \
            file://Makefile.am-fix-parallel-issue.patch \
            file://Makefile.am-do-not-ship-version.h.patch \
+           file://0001-Add-header-dependency-to-nciattach.o.patch \
           "
 SRC_URI[md5sum] = "5c691fb7872856dc0d909c298bc8cb41"
 SRC_URI[sha256sum] = "eae3b11c541a988ec11ca94b7deab01080cd5b58cfef3ced6ceac9b6e6e65b36"
@@ -19,7 +20,7 @@
 
 inherit autotools pkgconfig systemd update-rc.d bluetooth
 
-PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
 
 PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_unitdir}/system/ --with-systemduserunitdir=${systemd_unitdir}/user/,--disable-systemd"
 
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/files/nfs-utils-debianize-start-statd.patch b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/files/nfs-utils-debianize-start-statd.patch
index 8500229..ede0dce 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/files/nfs-utils-debianize-start-statd.patch
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/files/nfs-utils-debianize-start-statd.patch
@@ -9,17 +9,18 @@
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 ---
- utils/statd/start-statd | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
+ utils/statd/start-statd | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
 
 diff --git a/utils/statd/start-statd b/utils/statd/start-statd
-index ec9383b..3969b8c 100755
+index 2fd6039..f591b34 100755
 --- a/utils/statd/start-statd
 +++ b/utils/statd/start-statd
-@@ -6,6 +6,13 @@
- # site.
- PATH="/sbin:/usr/sbin:/bin:/usr/bin"
- 
+@@ -17,6 +17,14 @@ then
+     # statd already running - must have been slow to respond.
+     exit 0
+ fi
++
 +# Read config
 +DEFAULTFILE=/etc/default/nfs-common
 +NEED_IDMAPD=
@@ -28,14 +29,14 @@
 +fi
 +
  # First try systemd if it's installed.
- if systemctl --help >/dev/null 2>&1; then
+ if [ -d /run/systemd/system ]; then
      # Quit only if the call worked.
-@@ -13,4 +20,4 @@ if systemctl --help >/dev/null 2>&1; then
- fi
+@@ -25,4 +33,4 @@ fi
  
+ cd /
  # Fall back to launching it ourselves.
 -exec rpc.statd --no-notify
 +exec rpc.statd --no-notify $STATDOPTS
 -- 
-1.9.1
+2.6.6
 
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-nfs-utils-statd-fix-a-segfault-caused-by-improper-us.patch b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-nfs-utils-statd-fix-a-segfault-caused-by-improper-us.patch
deleted file mode 100644
index de0b045..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-nfs-utils-statd-fix-a-segfault-caused-by-improper-us.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-Upstream-Status: Pending
-
-Subject: nfs-utils/statd: fix a segfault caused by improper usage of RPC interface
-
-There is a hack which uses the bottom-level RPC improperly as below
-in the current statd implementation:
-insert a socket in the svc_fdset without a corresponding transport handle
-and passes the socket to the svc_getreqset subroutine, this usage causes
-a segfault of statd on a huge amount of sm-notifications.
-
-Fix the issue by separating the non-RPC-server sock from RPC dispatcher.
-
-Signed-off-by: Shan Hai <shan.hai@windriver.com>
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- utils/statd/rmtcall.c | 1 -
- utils/statd/statd.c   | 5 +++--
- utils/statd/statd.h   | 2 +-
- utils/statd/svc_run.c | 8 ++++++--
- 4 files changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/utils/statd/rmtcall.c b/utils/statd/rmtcall.c
-index fd576d9..cde091b 100644
---- a/utils/statd/rmtcall.c
-+++ b/utils/statd/rmtcall.c
-@@ -104,7 +104,6 @@ statd_get_socket(void)
- 	if (sockfd < 0)
- 		return -1;
- 
--	FD_SET(sockfd, &SVC_FDSET);
- 	return sockfd;
- }
- 
-diff --git a/utils/statd/statd.c b/utils/statd/statd.c
-index 51a016e..e21a259 100644
---- a/utils/statd/statd.c
-+++ b/utils/statd/statd.c
-@@ -247,6 +247,7 @@ int main (int argc, char **argv)
- 	int port = 0, out_port = 0;
- 	int nlm_udp = 0, nlm_tcp = 0;
- 	struct rlimit rlim;
-+	int notify_sockfd;
- 
- 	int pipefds[2] = { -1, -1};
- 	char status;
-@@ -473,7 +474,7 @@ int main (int argc, char **argv)
- 		}
- 
- 	/* Make sure we have a privilege port for calling into the kernel */
--	if (statd_get_socket() < 0)
-+	if ((notify_sockfd = statd_get_socket()) < 0)
- 		exit(1);
- 
- 	/* If sm-notify didn't take all the state files, load
-@@ -528,7 +529,7 @@ int main (int argc, char **argv)
- 		 * Handle incoming requests:  SM_NOTIFY socket requests, as
- 		 * well as callbacks from lockd.
- 		 */
--		my_svc_run();	/* I rolled my own, Olaf made it better... */
-+		my_svc_run(notify_sockfd);	/* I rolled my own, Olaf made it better... */
- 
- 		/* Only get here when simulating a crash so we should probably
- 		 * start sm-notify running again.  As we have already dropped
-diff --git a/utils/statd/statd.h b/utils/statd/statd.h
-index a1d8035..231ac7e 100644
---- a/utils/statd/statd.h
-+++ b/utils/statd/statd.h
-@@ -28,7 +28,7 @@ extern _Bool	statd_present_address(const struct sockaddr *sap, char *buf,
- __attribute__((__malloc__))
- extern char *	statd_canonical_name(const char *hostname);
- 
--extern void	my_svc_run(void);
-+extern void	my_svc_run(int);
- extern void	notify_hosts(void);
- extern void	shuffle_dirs(void);
- extern int	statd_get_socket(void);
-diff --git a/utils/statd/svc_run.c b/utils/statd/svc_run.c
-index d98ecee..28c1ad6 100644
---- a/utils/statd/svc_run.c
-+++ b/utils/statd/svc_run.c
-@@ -78,7 +78,7 @@ my_svc_exit(void)
-  * The heart of the server.  A crib from libc for the most part...
-  */
- void
--my_svc_run(void)
-+my_svc_run(int sockfd)
- {
- 	FD_SET_TYPE	readfds;
- 	int             selret;
-@@ -96,6 +96,8 @@ my_svc_run(void)
- 		}
- 
- 		readfds = SVC_FDSET;
-+		/* Set notify sockfd for waiting for reply */
-+		FD_SET(sockfd, &readfds);
- 		if (notify) {
- 			struct timeval	tv;
- 
-@@ -125,8 +127,10 @@ my_svc_run(void)
- 
- 		default:
- 			selret -= process_reply(&readfds);
--			if (selret)
-+			if (selret) {
-+				FD_CLR(sockfd, &readfds);
- 				svc_getreqset(&readfds);
-+			}
- 		}
- 	}
- }
--- 
-1.9.1
-
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/fix-protocol-minor-version-fall-back.patch b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/fix-protocol-minor-version-fall-back.patch
deleted file mode 100644
index 683246c..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/fix-protocol-minor-version-fall-back.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 78bb645a42c216b37b8d930c7c849a3fa89babf8 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.com>
-Date: Sat, 16 Jan 2016 12:02:30 -0500
-Subject: [PATCH] Fix protocol minor version fall-back
-
-mount.nfs currently expects mount(2) to fail with EPROTONOSUPPORT if
-the kernel doesn't understand the requested NFS version.
-
-Unfortunately if the requested minor is not known to the kernel
-it returns -EINVAL.
-In kernels since 3.11 this can happen in nfs4_alloc_client(), if
-compiled without NFS_V4_2.
-
-More generally it can happen in in nfs_validate_text_mount_data()
-when nfs_parse_mount_options() returns 0 because
-nfs_parse_version_string()
-didn't recognise the version.
-
-EPROTONOSUPPORT is only returned if NFSv4 support is completely compiled
-out.
-
-So nfs_autonegotiate needs to check for EINVAL as well as
-EPROTONOSUPPORT.
-
-URL: https://bugzilla.opensuse.org/show_bug.cgi?id=959211
-Reported-by: Takashi Iwai <tiwai@suse.com>
-Signed-off-by: NeilBrown <neilb@suse.com>
-Signed-off-by: Steve Dickson <steved@redhat.com>
-
-
-Upstream-Status: Backport
-http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=patch;h=78bb645a42c216b37b8d930c7c849a3fa89babf8
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- utils/mount/stropts.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/utils/mount/stropts.c b/utils/mount/stropts.c
-index c8f5a6d..86829a9 100644
---- a/utils/mount/stropts.c
-+++ b/utils/mount/stropts.c
-@@ -841,6 +841,9 @@ check_result:
- 	case EPROTONOSUPPORT:
- 		/* A clear indication that the server or our
- 		 * client does not support NFS version 4 and minor */
-+	case EINVAL:
-+		/* A less clear indication that our client
-+		 * does not support NFSv4 minor version. */
- 		if (mi->version.v_mode == V_GENERAL &&
- 			mi->version.minor == 0)
- 				return result;
--- 
-2.7.4
-
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
index 613ddc0..27ea58d 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
@@ -1,7 +1,11 @@
 [Unit]
 Description=NFS Mount Daemon
-After=rpcbind.service nfs-server.service
-Requires=rpcbind.service nfs-server.service
+DefaultDependencies=no
+Requires=proc-fs-nfsd.mount
+After=proc-fs-nfsd.mount
+After=network.target local-fs.target
+BindsTo=nfs-server.service
+ConditionPathExists=@SYSCONFDIR@/exports
 
 [Service]
 EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
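Review bot: The rewritten `[Unit]` block no longer mentions rpcbind at all: the removed `After=` and `Requires=` lines both named `rpcbind.service`, while the new ones name only `proc-fs-nfsd.mount`, `network.target`, `local-fs.target` and `nfs-server.service`. If rpc.mountd still registers with rpcbind for NFSv3 clients, nothing orders it after rpcbind any more, so registration could race at boot (inferred; the daemon's options are not visible here). Consider `After=network.target local-fs.target rpcbind.service`, or add a comment saying the ordering is deliberately left to nfs-server.service. The `[Service]` section continues outside the hunk.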
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
index 147d7a7..6481377 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
@@ -1,7 +1,12 @@
 [Unit]
-Description=NFS Server
-Requires=rpcbind.service nfs-mountd.service
-After=rpcbind.service
+Description=NFS server and services
+DefaultDependencies=no
+Requires=network.target proc-fs-nfsd.mount
+Requires=nfs-mountd.service
+Wants=rpcbind.service
+After=local-fs.target
+After=network.target proc-fs-nfsd.mount rpcbind.service nfs-mountd.service
+ConditionPathExists=@SYSCONFDIR@/exports
 
 [Service]
 Type=oneshot
@@ -9,6 +14,7 @@
 ExecStartPre=@SBINDIR@/exportfs -r
 ExecStart=@SBINDIR@/rpc.nfsd $NFSD_OPTS $NFSD_COUNT
 ExecStop=@SBINDIR@/rpc.nfsd 0
+ExecStopPost=@SBINDIR@/exportfs -au
 ExecStopPost=@SBINDIR@/exportfs -f
 ExecReload=@SBINDIR@/exportfs -r
 StandardError=syslog
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
index 746dacf..6e196b8 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
@@ -1,8 +1,9 @@
 [Unit]
-Description=NFS file locking service
-After=rpcbind.service
-Requires=rpcbind.service
-Before=remote-fs-pre.target
+Description=NFS status monitor for NFSv2/3 locking.
+DefaultDependencies=no
+Conflicts=umount.target
+Requires=nss-lookup.target rpcbind.service
+After=network.target nss-lookup.target rpcbind.service
 
 [Service]
 EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
index 7ed93a5..d5e9c38 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
@@ -40,7 +40,7 @@
 #mountd
 start_mountd(){
 	echo -n 'starting mountd: '
-	start-stop-daemon --start --exec "$NFS_MOUNTD" -- "-f /etc/exports $@"
+	start-stop-daemon --start --exec "$NFS_MOUNTD" -- "$@"
 	echo done
 }
 stop_mountd(){
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils_1.3.3.bb b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils_1.3.4.bb
similarity index 88%
rename from import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils_1.3.3.bb
rename to import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils_1.3.4.bb
index a2bebe0..4ca9ab2 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils_1.3.3.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils_1.3.4.bb
@@ -9,7 +9,6 @@
 
 # util-linux for libblkid
 DEPENDS = "libcap libnfsidmap libevent util-linux sqlite3 libtirpc"
-RDEPENDS_${PN}-client = "rpcbind bash"
 RDEPENDS_${PN} = "${PN}-client bash"
 RRECOMMENDS_${PN} = "kernel-module-nfsd"
 
@@ -31,13 +30,11 @@
            file://proc-fs-nfsd.mount \
            file://nfs-utils-Do-not-pass-CFLAGS-to-gcc-while-building.patch \
            file://nfs-utils-debianize-start-statd.patch \
-           file://0001-nfs-utils-statd-fix-a-segfault-caused-by-improper-us.patch \
            file://bugfix-adjust-statd-service-name.patch \
-           file://fix-protocol-minor-version-fall-back.patch \
 "
 
-SRC_URI[md5sum] = "cd6b568c2e9301cc3bfac09d87fbbc0b"
-SRC_URI[sha256sum] = "700d689c5622c87953c34102e5befafc4d3c811e676852238f0dd79c9c0c084d"
+SRC_URI[md5sum] = "54e4119043ec8507a2a0e054cf2889a4"
+SRC_URI[sha256sum] = "b42a5bc0a8d80d04650030ceb9a11f08f4acfbcb1ee297f657fb94e339c45975"
 
 # Only kernel-module-nfsd is required here (but can be built-in)  - the nfsd module will
 # pull in the remainder of the dependencies.
@@ -50,9 +47,9 @@
 
 inherit autotools-brokensep update-rc.d systemd pkgconfig
 
+SYSTEMD_PACKAGES = "${PN} ${PN}-client"
 SYSTEMD_SERVICE_${PN} = "nfs-server.service nfs-mountd.service"
 SYSTEMD_SERVICE_${PN}-client = "nfs-statd.service"
-SYSTEMD_AUTO_ENABLE = "disable"
 
 # --enable-uuid is need for cross-compiling
 EXTRA_OECONF = "--with-statduser=rpcuser \
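Review bot: Dropping `SYSTEMD_AUTO_ENABLE = "disable"` while adding `SYSTEMD_PACKAGES = "${PN} ${PN}-client"` makes the units in `SYSTEMD_SERVICE_${PN}` and `SYSTEMD_SERVICE_${PN}-client` fall back to the systemd class default, which enables them at install time. The nfs-server and nfs-mountd units changed in this commit are gated by `ConditionPathExists=@SYSCONFDIR@/exports`, but nfs-statd.service has no such condition and requires rpcbind.service. Any image that installs the client package would therefore start network-facing RPC services by default, which is worth a deliberate decision on a management-controller image. If this is intended, a comment above `SYSTEMD_PACKAGES` should say so; otherwise keep the client opt-in with `SYSTEMD_AUTO_ENABLE_${PN}-client = "disable"`.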
@@ -66,16 +63,14 @@
                "
 
 PACKAGECONFIG ??= "tcp-wrappers \
-    ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)} \
+    ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
 "
 PACKAGECONFIG_remove_libc-musl = "tcp-wrappers"
 PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,--without-tcp-wrappers,tcp-wrappers"
 PACKAGECONFIG[nfsidmap] = "--enable-nfsidmap,--disable-nfsidmap,keyutils"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
 
-INHIBIT_AUTO_STAGE = "1"
-
-PACKAGES =+ "${PN}-client ${PN}-stats"
+PACKAGES =+ "${PN}-client ${PN}-mount ${PN}-stats"
 
 CONFFILES_${PN}-client += "${localstatedir}/lib/nfs/etab \
 			   ${localstatedir}/lib/nfs/rmtab \
@@ -83,7 +78,7 @@
 			   ${localstatedir}/lib/nfs/statd/state \
 			   ${sysconfdir}/nfsmount.conf"
 
-FILES_${PN}-client = "${base_sbindir}/*mount.nfs* ${sbindir}/*statd \
+FILES_${PN}-client = "${sbindir}/*statd \
 		      ${sbindir}/rpc.idmapd ${sbindir}/sm-notify \
 		      ${sbindir}/showmount ${sbindir}/nfsstat \
 		      ${localstatedir}/lib/nfs \
@@ -91,6 +86,10 @@
 		      ${sysconfdir}/nfsmount.conf \
 		      ${sysconfdir}/init.d/nfscommon \
 		      ${systemd_unitdir}/system/nfs-statd.service"
+RDEPENDS_${PN}-client = "${PN}-mount rpcbind"
+
+FILES_${PN}-mount = "${base_sbindir}/*mount.nfs*"
+
 FILES_${PN}-stats = "${sbindir}/mountstats ${sbindir}/nfsiostat"
 RDEPENDS_${PN}-stats = "python3-core"
 
@@ -126,8 +125,6 @@
 		-e 's,@SYSCONFDIR@,${sysconfdir},g' \
 		${D}${systemd_unitdir}/system/*.service
 	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-	    install -d ${D}${sysconfdir}/modules-load.d
-	    echo "nfsd" > ${D}${sysconfdir}/modules-load.d/nfsd.conf
 	    install -m 0644 ${WORKDIR}/proc-fs-nfsd.mount ${D}${systemd_unitdir}/system/
 	    install -d ${D}${systemd_unitdir}/system/sysinit.target.wants/
 	    ln -sf ../proc-fs-nfsd.mount ${D}${systemd_unitdir}/system/sysinit.target.wants/proc-fs-nfsd.mount
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/ofono/ofono.inc b/import-layers/yocto-poky/meta/recipes-connectivity/ofono/ofono.inc
index 9c47c6f..676a0c0 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/ofono/ofono.inc
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/ofono/ofono.inc
@@ -13,7 +13,7 @@
 INITSCRIPT_PARAMS = "defaults 22"
 
 PACKAGECONFIG ??= "\
-    ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
+    ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
     ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez', '', d)} \
     "
 PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/,--with-systemdunitdir="
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/ofono/ofono_1.18.bb b/import-layers/yocto-poky/meta/recipes-connectivity/ofono/ofono_1.18.bb
deleted file mode 100644
index b070731..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/ofono/ofono_1.18.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-require ofono.inc
-
-SRC_URI  = "\
-  ${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
-  file://ofono \
-"
-SRC_URI[md5sum] = "0a6b37c8ace891cb2a7ca5d121043a0a"
-SRC_URI[sha256sum] = "53cdbf342913f46bce4827241c60e24255a3d43a94945edf77482ae5b312d51f"
-
-CFLAGS_append_libc-uclibc = " -D_GNU_SOURCE"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/ofono/ofono_1.19.bb b/import-layers/yocto-poky/meta/recipes-connectivity/ofono/ofono_1.19.bb
new file mode 100644
index 0000000..adebd71
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/ofono/ofono_1.19.bb
@@ -0,0 +1,10 @@
+require ofono.inc
+
+SRC_URI  = "\
+  ${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
+  file://ofono \
+"
+SRC_URI[md5sum] = "a5f8803ace110511b6ff5a2b39782e8b"
+SRC_URI[sha256sum] = "a0e09bdd8b53b8d2e4b54f1863ecd9aebe4786477a6cbf8f655496e8edb31c81"
+
+CFLAGS_append_libc-uclibc = " -D_GNU_SOURCE"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
deleted file mode 100644
index b26ee81..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Fix CVE-2016-8858 of openssh
-
-Backport patch from upstream and drop the change of comment which can NOT be applied.
-
-Upstream-Status: Backport [ https://anongit.mindrot.org/openssh.git/commit/?id=ec165c3 ]
-CVE: CVE-2016-8858
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
----
-From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
-From: "markus@openbsd.org" <markus@openbsd.org>
-Date: Mon, 10 Oct 2016 19:28:48 +0000
-Subject: [PATCH] upstream commit
-
-Unregister the KEXINIT handler after message has been
-received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
-allocation of up to 128MB -- until the connection is closed. Reported by
-shilei-c at 360.cn
-
-Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
----
- kex.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/kex.c b/kex.c
-index 3f97f8c..6a94bc5 100644
---- a/kex.c
-+++ b/kex.c
-@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
- 	if (kex == NULL)
- 		return SSH_ERR_INVALID_ARGUMENT;
- 
-+	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- 	ptr = sshpkt_ptr(ssh, &dlen);
- 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- 		return r;
--- 
-2.10.1
-
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/init b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/init
index 1f63725..34ba0f8 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/init
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/init
@@ -19,11 +19,6 @@
 [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
 mkdir -p $SYSCONFDIR
 
-HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
-HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
-HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
-HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
-
 check_for_no_start() {
     # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
     if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then
@@ -44,33 +39,13 @@
 	/usr/sbin/sshd -t $SSHD_OPTS || exit 1
 }
 
-check_keys() {
-	# create keys if necessary
-	if [ ! -f $HOST_KEY_RSA ]; then
-		echo "  generating ssh RSA key..."
-		ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
-	fi
-	if [ ! -f $HOST_KEY_ECDSA ]; then
-		echo "  generating ssh ECDSA key..."
-		ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
-	fi
-	if [ ! -f $HOST_KEY_DSA ]; then
-		echo "  generating ssh DSA key..."
-		ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
-	fi
-	if [ ! -f $HOST_KEY_ED25519 ]; then
-		echo "  generating ssh ED25519 key..."
-		ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
-	fi
-}
-
 export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
 
 case "$1" in
   start)
 	check_for_no_start
 	echo "Starting OpenBSD Secure Shell server: sshd"
-	check_keys
+	@LIBEXECDIR@/sshd_check_keys
 	check_privsep_dir
 	start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
         echo "done."
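Review bot: The new `@LIBEXECDIR@/sshd_check_keys` call in the `start` branch, repeated in `reload|force-reload` and `restart` in the next two hunks, ignores the helper's exit status. It also relies on the `@LIBEXECDIR@` placeholder being substituted at install time, which is not visible in this diff. If the helper is missing or fails, the script carries on to `start-stop-daemon`, and the problem shows up only as sshd failing to start for lack of host keys. A guard before the first call would make that diagnosable, e.g. `[ -x @LIBEXECDIR@/sshd_check_keys ] || { echo "sshd_check_keys missing" >&2; exit 1; }`, together with a comment naming the recipe step that fills in the placeholder. The `case` statement continues outside the hunk.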
@@ -83,7 +58,7 @@
 
   reload|force-reload)
 	check_for_no_start
-	check_keys
+	@LIBEXECDIR@/sshd_check_keys
 	check_config
         echo -n "Reloading OpenBSD Secure Shell server's configuration"
 	start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd
@@ -91,7 +66,7 @@
 	;;
 
   restart)
-  	check_keys
+	@LIBEXECDIR@/sshd_check_keys
 	check_config
         echo -n "Restarting OpenBSD Secure Shell server: sshd"
 	start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
index 2773c14..1098b97 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
@@ -1,18 +1,19 @@
-From d7eb26785ad4f25fb09fae46726ab8ca3fe16921 Mon Sep 17 00:00:00 2001
-From: Haiqing Bai <Haiqing.Bai@windriver.com>
-Date: Mon, 22 Aug 2016 14:11:16 +0300
-Subject: [PATCH] Remove des in cipher.
+From 27740c918fe5d78441bcf69e7d2eefb23ddeca4c Mon Sep 17 00:00:00 2001
+From: Dengke Du <dengke.du@windriver.com>
+Date: Thu, 19 Jan 2017 03:00:08 -0500
+Subject: [PATCH 1/3] Remove des in cipher.
 
 Upstream-Status: Pending
 
 Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
 Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Signed-off-by: Dengke Du <dengke.du@windriver.com>
 ---
  cipher.c | 18 ++++++++++++++++++
  1 file changed, 18 insertions(+)
 
 diff --git a/cipher.c b/cipher.c
-index 031bda9..6cd667a 100644
+index 2def333..59f6792 100644
 --- a/cipher.c
 +++ b/cipher.c
 @@ -53,8 +53,10 @@
@@ -25,8 +26,8 @@
 +#endif /* OPENSSL_NO_DES */
  #endif
  
- struct sshcipher {
-@@ -79,15 +81,19 @@ struct sshcipher {
+ struct sshcipher_ctx {
+@@ -88,15 +90,19 @@ struct sshcipher {
  
  static const struct sshcipher ciphers[] = {
  #ifdef WITH_SSH1
@@ -39,14 +40,14 @@
  # endif /* OPENSSL_NO_BF */
  #endif /* WITH_SSH1 */
  #ifdef WITH_OPENSSL
- 	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
 +#ifndef OPENSSL_NO_DES
+ 	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
  	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
 +#endif /* OPENSSL_NO_DES */
  # ifndef OPENSSL_NO_BF
  	{ "blowfish-cbc",
  			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
-@@ -171,8 +177,10 @@ cipher_keylen(const struct sshcipher *c)
+@@ -180,8 +186,10 @@ cipher_keylen(const struct sshcipher *c)
  u_int
  cipher_seclen(const struct sshcipher *c)
  {
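Review bot: The refreshed patch now places `#ifndef OPENSSL_NO_DES` above the `{ "none", SSH_CIPHER_NONE, ... EVP_enc_null }` entry of `ciphers[]`, so a build with `OPENSSL_NO_DES` defined drops the `none` entry together with `3des-cbc`. The previous revision of the patch guarded only `3des-cbc`. Nothing in the patch description suggests the wider guard is intended, and code that looks up the `none` cipher (outside this hunk) would presumably fail on such builds. The `+#ifndef OPENSSL_NO_DES` line should go back below the `none` line, directly before `{ "3des-cbc", ...`. The `ciphers[]` initializer continues outside the hunk.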
@@ -57,7 +58,7 @@
  	return cipher_keylen(c);
  }
  
-@@ -209,11 +217,13 @@ u_int
+@@ -230,11 +238,13 @@ u_int
  cipher_mask_ssh1(int client)
  {
  	u_int mask = 0;
@@ -71,7 +72,7 @@
  	return mask;
  }
  
-@@ -553,7 +563,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
+@@ -606,7 +616,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
  	switch (c->number) {
  #ifdef WITH_OPENSSL
  	case SSH_CIPHER_SSH2:
@@ -79,20 +80,20 @@
  	case SSH_CIPHER_DES:
 +#endif /* OPENSSL_NO_DES */
  	case SSH_CIPHER_BLOWFISH:
- 		evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+ 		evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
  		if (evplen == 0)
-@@ -576,8 +588,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
+@@ -629,8 +641,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
  		break;
  #endif
  #ifdef WITH_SSH1
 +#ifndef OPENSSL_NO_DES
  	case SSH_CIPHER_3DES:
- 		return ssh1_3des_iv(&cc->evp, 0, iv, 24);
+ 		return ssh1_3des_iv(cc->evp, 0, iv, 24);
 +#endif /* OPENSSL_NO_DES */
  #endif
  	default:
  		return SSH_ERR_INVALID_ARGUMENT;
-@@ -601,7 +615,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
+@@ -654,7 +668,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
  	switch (c->number) {
  #ifdef WITH_OPENSSL
  	case SSH_CIPHER_SSH2:
@@ -100,19 +101,19 @@
  	case SSH_CIPHER_DES:
 +#endif /* OPENSSL_NO_DES */
  	case SSH_CIPHER_BLOWFISH:
- 		evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+ 		evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
  		if (evplen <= 0)
-@@ -616,8 +632,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
+@@ -675,8 +691,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
  		break;
  #endif
  #ifdef WITH_SSH1
 +#ifndef OPENSSL_NO_DES
  	case SSH_CIPHER_3DES:
- 		return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);
+ 		return ssh1_3des_iv(cc->evp, 1, (u_char *)iv, 24);
 +#endif /* OPENSSL_NO_DES */
  #endif
  	default:
  		return SSH_ERR_INVALID_ARGUMENT;
 -- 
-2.1.4
+2.8.1
 
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
index 815af42..47dc73b 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
@@ -1,12 +1,12 @@
-From 04cfd84423f693d879dc3ffebb0f6fe2680c254f Mon Sep 17 00:00:00 2001
-From: Haiqing Bai <Haiqing.Bai@windriver.com>
-Date: Fri, 18 Mar 2016 15:59:21 +0800
-Subject: [PATCH 3/3] remove des in pkcs11.
+From e816fc06e4f8070b09e677ead4d21768784e4c99 Mon Sep 17 00:00:00 2001
+From: Dengke Du <dengke.du@windriver.com>
+Date: Thu, 19 Jan 2017 03:21:40 -0500
+Subject: [PATCH 2/3] remove des in pkcs11.
 
 Upstream-Status: Pending
 
 Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
-
+Signed-off-by: Dengke Du <dengke.du@windriver.com>
 ---
  pkcs11.h | 8 ++++++++
  1 file changed, 8 insertions(+)
@@ -66,5 +66,5 @@
  #define CKM_PBE_SHA1_RC2_40_CBC		(0x3ab)
  #define CKM_PKCS5_PBKD2			(0x3b0)
 -- 
-1.9.1
+2.8.1
 
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
new file mode 100644
index 0000000..f5bba53
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -0,0 +1,64 @@
+#! /bin/sh
+
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
+if test -f /etc/default/ssh; then
+    . /etc/default/ssh
+fi
+
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+# parse sshd options
+set -- ${SSHD_OPTS} --
+sshd_config=/etc/ssh/sshd_config
+while true ; do
+    case "$1" in
+    -f*) if [ "$1" = "-f" ] ; then
+            sshd_config="$2"
+            shift
+        else
+            sshd_config="${1#-f}"
+        fi
+        shift
+        ;;
+    --) shift; break;;
+    *) shift;;
+    esac
+done
+
+# parse location of keys
+HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
+HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
+HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
+HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
+
+# create keys if necessary
+if [ ! -f $HOST_KEY_RSA ]; then
+    echo "  generating ssh RSA key..."
+    mkdir -p $(dirname $HOST_KEY_RSA)
+    ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
+fi
+if [ ! -f $HOST_KEY_ECDSA ]; then
+    echo "  generating ssh ECDSA key..."
+    mkdir -p $(dirname $HOST_KEY_ECDSA)
+    ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
+fi
+if [ ! -f $HOST_KEY_DSA ]; then
+    echo "  generating ssh DSA key..."
+    mkdir -p $(dirname $HOST_KEY_DSA)
+    ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
+fi
+if [ ! -f $HOST_KEY_ED25519 ]; then
+    echo "  generating ssh ED25519 key..."
+    mkdir -p $(dirname $HOST_KEY_ED25519)
+    ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
+fi
+
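Review bot: The new script still generates a DSA host key unconditionally (`ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa`), although OpenSSH has disabled ssh-dss by default since 7.0 and `ssh-keygen` only produces 1024-bit DSA keys. If the DSA key is not needed, generating it only when the configuration names one keeps a weak key off images that never offer it, e.g. `if grep -q '^HostKey.*_dsa_' "${sshd_config}" && [ ! -f "$HOST_KEY_DSA" ]; then`. The `$SYSCONFDIR` and `$HOST_KEY_*` expansions in the `mkdir`, `dirname`, `[ ! -f ]` and `ssh-keygen` lines are also unquoted, so a path with whitespace read from `sshd_config` is split into several words. Quoting them fixes that, e.g. `mkdir -p "$(dirname "$HOST_KEY_RSA")"`.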
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
index 148e6ad..603c337 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
@@ -1,22 +1,8 @@
 [Unit]
 Description=OpenSSH Key Generation
 RequiresMountsFor=/var /run
-ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key
-ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key
-ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key
-ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key
-ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
-ConditionPathExists=!/etc/ssh/ssh_host_dsa_key
-ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key
-ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
 
 [Service]
-Environment="SYSCONFDIR=/etc/ssh"
-EnvironmentFile=-/etc/default/ssh
-ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR
-ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa
-ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa
-ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa
-ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519
+ExecStart=@LIBEXECDIR@/sshd_check_keys
 Type=oneshot
 RemainAfterExit=yes
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.4p1.bb
similarity index 91%
rename from import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
rename to import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.4p1.bb
index 94eb0ed..e501ead 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.4p1.bb
@@ -25,13 +25,13 @@
            file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
            file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
            file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
-           file://fix-CVE-2016-8858.patch \
+           file://sshd_check_keys \
            "
 
 PAM_SRC_URI = "file://sshd"
 
-SRC_URI[md5sum] = "dfadd9f035d38ce5d58a3bf130b86d08"
-SRC_URI[sha256sum] = "3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc"
+SRC_URI[md5sum] = "b2db2a83caf66a208bb78d6d287cdaa3"
+SRC_URI[sha256sum] = "1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1"
 
 inherit useradd update-rc.d update-alternatives systemd
 
@@ -92,12 +92,12 @@
 }
 
 do_install_append () {
-	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then
+	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
 		install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
 		sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
 	fi
 
-	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then
+	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
 		sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config
 	fi
 
@@ -125,7 +125,13 @@
 	sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
 		-e 's,@SBINDIR@,${sbindir},g' \
 		-e 's,@BINDIR@,${bindir},g' \
+		-e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
 		${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service
+
+	sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+		${D}${sysconfdir}/init.d/sshd
+
+	install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
 }
 
 do_install_ptest () {
@@ -140,6 +146,7 @@
 FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
 FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system"
 FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
+FILES_${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
 FILES_${PN}-sftp = "${bindir}/sftp"
 FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc
index 2ef8b38..8f2a797 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc
@@ -17,7 +17,6 @@
 
 PACKAGECONFIG[perl] = ",,,"
 
-AR_append = " r"
 TERMIO_libc-musl = "-DTERMIOS"
 TERMIO ?= "-DTERMIO"
 # Avoid binaries being marked as requiring an executable stack since it 
@@ -28,16 +27,17 @@
 export DIRS = "crypto ssl apps"
 export EX_LIBS = "-lgcc -ldl"
 export AS = "${CC} -c"
-EXTRA_OEMAKE = "-e MAKEFLAGS="
 
-inherit pkgconfig siteinfo multilib_header ptest
+inherit pkgconfig siteinfo multilib_header ptest relative_symlinks
 
 PACKAGES =+ "libcrypto libssl ${PN}-misc openssl-conf"
 FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
 FILES_libssl = "${libdir}/libssl${SOLIBS}"
 FILES_${PN} =+ " ${libdir}/ssl/*"
 FILES_${PN}-misc = "${libdir}/ssl/misc"
-RDEPENDS_${PN}-misc = "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}"
+RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
+
+PROVIDES += "openssl10"
 
 # Add the openssl.cnf file to the openssl-conf package.  Make the libcrypto
 # package RRECOMMENDS on this package.  This will enable the configuration
@@ -84,7 +84,7 @@
 		target=linux-elf-armeb
 		;;
 	linux-aarch64*)
-		target=linux-generic64
+		target=linux-aarch64
 		;;
 	linux-sh3)
 		target=debian-sh3
@@ -185,7 +185,7 @@
 	sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
 
 	oe_multilib_header openssl/opensslconf.h
-	if [ "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then
+	if [ "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}" ]; then
 		sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl
 		sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/tsget
 	else
@@ -206,6 +206,10 @@
 
 do_install_ptest () {
 	cp -r -L Makefile.org Makefile test ${D}${PTEST_PATH}
+
+        # Replace the path to native perl with the path to target perl
+        sed -i 's,^PERL=.*,PERL=${bindir}/perl,' ${D}${PTEST_PATH}/Makefile
+
 	cp Configure config e_os.h ${D}${PTEST_PATH}
 	cp -r -L include ${D}${PTEST_PATH}
 	ln -sf ${libdir}/libcrypto.a ${D}${PTEST_PATH}
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
deleted file mode 100644
index 04ef526..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001
-From: Alexandru Moise <alexandru.moise@windriver.com>
-Date: Tue, 7 Feb 2017 11:13:19 +0200
-Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Originally a crash in 32-bit build was reported CHACHA20-POLY1305
-cipher. The crash is triggered by truncated packet and is result
-of excessive hashing to the edge of accessible memory (or bogus
-MAC value is produced if x86 MD5 assembly module is involved). Since
-hash operation is read-only it is not considered to be exploitable
-beyond a DoS condition.
-
-Thanks to Robert Święcki for report.
-
-CVE-2017-3731
-
-Backported from upstream commit:
-8e20499629b6bcf868d0072c7011e590b5c2294d
-
-Upstream-Status: Backport
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
-Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
----
- crypto/evp/e_rc4_hmac_md5.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
-index 5e92855..3293419 100644
---- a/crypto/evp/e_rc4_hmac_md5.c
-+++ b/crypto/evp/e_rc4_hmac_md5.c
-@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
-             len = p[arg - 2] << 8 | p[arg - 1];
- 
-             if (!ctx->encrypt) {
-+		if (len < MD5_DIGEST_LENGTH)
-+                    return -1;
-                 len -= MD5_DIGEST_LENGTH;
-                 p[arg - 2] = len >> 8;
-                 p[arg - 1] = len;
--- 
-2.10.2
-
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-Fix-build-with-clang-using-external-assembler.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-Fix-build-with-clang-using-external-assembler.patch
new file mode 100644
index 0000000..2270962
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-Fix-build-with-clang-using-external-assembler.patch
@@ -0,0 +1,45 @@
+From 2f6026cb8b16cf00726e3c5625c023f196680f07 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 17 Mar 2017 12:52:08 -0700
+Subject: [PATCH] Fix build with clang using external assembler
+
+Cherry-picked from
+https://github.com/openssl/openssl/commit/11208dcfb9105e8afa37233185decefd45e89e17
+https://github.com/openssl/openssl/commit/fbab8baddef8d3346ae40ff068871e2ddaf10270
+https://github.com/openssl/openssl/commit/6cf412c473d8145562b76219ce3da73b201b3255
+
+Fixes
+
+| ghash-armv4.S: Assembler messages:
+| ghash-armv4.S:81: Error: bad instruction `ldrbpl r12,[r2,r3]'
+| ghash-armv4.S:91: Error: bad instruction `ldrbpl r8,[r0,r3]'
+| ghash-armv4.S:137: Error: bad instruction `ldrbne r12,[r2,#15]'
+| ghash-armv4.S:224: Error: bad instruction `ldrbpl r12,[r0,r3]'
+| clang-4.0: error: assembler command failed with exit code 1 (use -v to see invocation)
+| make[2]: *** [<builtin>: ghash-armv4.o] Error 1
+
+Upstream-Status: Backport
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ crypto/modes/asm/ghash-armv4.pl | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/crypto/modes/asm/ghash-armv4.pl b/crypto/modes/asm/ghash-armv4.pl
+index 8ccc963ef..442fed4da 100644
+--- a/crypto/modes/asm/ghash-armv4.pl
++++ b/crypto/modes/asm/ghash-armv4.pl
+@@ -124,7 +124,10 @@ $code=<<___;
+ #include "arm_arch.h"
+ 
+ .text
++#if defined(__thumb2__) || defined(__clang__)
++.syntax	unified
++#endif
+ .code	32
+ 
+ #ifdef __clang__
+ #define ldrplb	ldrbpl
+-- 
+2.12.0
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
deleted file mode 100644
index b56b2d5..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001
-From: Alexandru Moise <alexandru.moise@windriver.com>
-Date: Tue, 7 Feb 2017 11:16:13 +0200
-Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Originally a crash in 32-bit build was reported CHACHA20-POLY1305
-cipher. The crash is triggered by truncated packet and is result
-of excessive hashing to the edge of accessible memory. Since hash
-operation is read-only it is not considered to be exploitable
-beyond a DoS condition. Other ciphers were hardened.
-
-Thanks to Robert Święcki for report.
-
-CVE-2017-3731
-
-Backported from upstream commit:
-2198b3a55de681e1f3c23edb0586afe13f438051
-
-Upstream-Status: Backport
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
-Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
----
- crypto/evp/e_aes.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
-index 1734a82..16dcd10 100644
---- a/crypto/evp/e_aes.c
-+++ b/crypto/evp/e_aes.c
-@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
-         {
-             unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
-             /* Correct length for explicit IV */
-+	    if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
-+	        return 0;
-             len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
-             /* If decrypting correct for tag too */
--            if (!c->encrypt)
-+            if (!c->encrypt) {
-+		if (len < EVP_GCM_TLS_TAG_LEN)
-+		    return 0;
-                 len -= EVP_GCM_TLS_TAG_LEN;
-+	    }
-             c->buf[arg - 2] = len >> 8;
-             c->buf[arg - 1] = len & 0xff;
-         }
--- 
-2.10.2
-
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/CVE-2016-7055.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/CVE-2016-7055.patch
deleted file mode 100644
index 83a74cd..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/CVE-2016-7055.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 57c4b9f6a2f800b41ce2836986fe33640f6c3f8a Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Sun, 6 Nov 2016 18:33:17 +0100
-Subject: [PATCH] bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity).
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
-(cherry picked from commit 2fac86d9abeaa643677d1ffd0a139239fdf9406a)
-
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/57c4b9f6a2f800b41ce2836986fe33640f6c3f8a]
-CVE: CVE-2016-7055
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- crypto/bn/asm/x86_64-mont.pl | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl
-index 044fd7e..80492d8 100755
---- a/crypto/bn/asm/x86_64-mont.pl
-+++ b/crypto/bn/asm/x86_64-mont.pl
-@@ -1148,18 +1148,17 @@ $code.=<<___;
- 	mulx	2*8($aptr),%r15,%r13	# ...
- 	adox	-3*8($tptr),%r11
- 	adcx	%r15,%r12
--	adox	$zero,%r12
-+	adox	-2*8($tptr),%r12
- 	adcx	$zero,%r13
-+	adox	$zero,%r13
- 
- 	mov	$bptr,8(%rsp)		# off-load &b[i]
--	.byte	0x67
- 	mov	$mi,%r15
- 	imulq	24(%rsp),$mi		# "t[0]"*n0
- 	xor	%ebp,%ebp		# xor	$zero,$zero	# cf=0, of=0
- 
- 	mulx	3*8($aptr),%rax,%r14
- 	 mov	$mi,%rdx
--	adox	-2*8($tptr),%r12
- 	adcx	%rax,%r13
- 	adox	-1*8($tptr),%r13
- 	adcx	$zero,%r14
--- 
-2.7.4
-
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch
new file mode 100644
index 0000000..f9cdfec
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch
@@ -0,0 +1,13 @@
+Index: openssl-1.0.2d/crypto/opensslv.h
+===================================================================
+--- openssl-1.0.2d.orig/crypto/opensslv.h
++++ openssl-1.0.2d/crypto/opensslv.h
+@@ -88,7 +88,7 @@ extern "C" {
+  * should only keep the versions that are binary compatible with the current.
+  */
+ # define SHLIB_VERSION_HISTORY ""
+-# define SHLIB_VERSION_NUMBER "1.0.0"
++# define SHLIB_VERSION_NUMBER "1.0.2"
+ 
+ 
+ #ifdef  __cplusplus
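Review bot: The added soname.patch has no description and no `Upstream-Status:` or `Signed-off-by:` lines; it starts directly at `Index: openssl-1.0.2d/crypto/opensslv.h`, while the other patch files added in this commit carry such a header. It changes `SHLIB_VERSION_NUMBER` from "1.0.0" to "1.0.2", which presumably changes the library soname and so affects anything linked against the old name. A short header saying where the patch comes from and why the soname changes would let a later maintainer judge whether it can be dropped, for example a one-line reason followed by `Upstream-Status: Inappropriate [<reason>]`.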
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
similarity index 85%
rename from import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb
rename to import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
index b6fb126..83d1a50 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
@@ -30,6 +30,7 @@
             file://debian/no-symbolic.patch \
             file://debian/pic.patch \
             file://debian1.0.2/version-script.patch \
+            file://debian1.0.2/soname.patch \
             file://openssl_fix_for_x32.patch \
             file://fix-cipher-des-ede3-cfb1.patch \
             file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
@@ -37,16 +38,15 @@
             file://Makefiles-ptest.patch \
             file://ptest-deps.patch \
             file://openssl-1.0.2a-x32-asm.patch \
-            file://ptest_makefile_deps.patch  \
+            file://ptest_makefile_deps.patch \
             file://configure-musl-target.patch \
             file://parallel.patch \
             file://openssl-util-perlpath.pl-cwd.patch \
-            file://CVE-2016-7055.patch \
-            file://0001-CVE-2017-3731.patch \
-            file://0002-CVE-2017-3731.patch \
-           "
-SRC_URI[md5sum] = "96322138f0b69e61b7212bc53d5e912b"
-SRC_URI[sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
+            file://Use-SHA256-not-MD5-as-default-digest.patch \
+            file://0001-Fix-build-with-clang-using-external-assembler.patch \
+            "
+SRC_URI[md5sum] = "f965fc0bf01bf882b31314b61391ae65"
+SRC_URI[sha256sum] = "6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0"
 
 PACKAGES =+ "${PN}-engines"
 FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/portmap/portmap_6.0.bb b/import-layers/yocto-poky/meta/recipes-connectivity/portmap/portmap_6.0.bb
index 999b4a9..d970095 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/portmap/portmap_6.0.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/portmap/portmap_6.0.bb
@@ -4,7 +4,7 @@
 
 PR = "r9"
 
-SRC_URI = "http://www.sourcefiles.org/Networking/Tools/Miscellanenous/portmap-6.0.tgz \
+SRC_URI = "https://fossies.org/linux/misc/old/portmap-6.0.tgz \
            file://destdir-no-strip.patch \
            file://tcpd-config.patch \
            file://portmap.init \
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb b/import-layers/yocto-poky/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
index 51a76b4..b5f6895 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
@@ -4,8 +4,7 @@
 RDEPENDS_${PN} = "ppp"
 PR = "r8"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
-                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
 SRC_URI = "file://host-peer \
            file://ppp-dialin"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/0001-ppp-Fix-compilation-errors-in-Makefile.patch b/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/0001-ppp-Fix-compilation-errors-in-Makefile.patch
index 8aa2d2e..ea4969b 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/0001-ppp-Fix-compilation-errors-in-Makefile.patch
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/0001-ppp-Fix-compilation-errors-in-Makefile.patch
@@ -3,34 +3,14 @@
 Date: Tue, 5 Nov 2013 17:32:56 +0800
 Subject: [PATCH] ppp: Fix compilation errors in Makefile
 
-This patch fixes below issues:
-
-1. Make can't exit while compilation error occurs in subdir for plugins building.
-
-2. If build ppp with newer kernel (3.10.10), it will pick 'if_pppox.h' from sysroot-dir and
-   'if_pppol2tp.h' from its own source dir, this cause below build errors:
-
-        bitbake_build/tmp/sysroots/intel-x86-64/usr/include/linux/if_pppox.h:84:26:
-        error: field 'pppol2tp' has incomplete type
-          struct pppol2tpin6_addr pppol2tp;
-                                  ^
-        bitbake_build/tmp/sysroots/intel-x86-64/usr/include/linux/if_pppox.h:99:28:
-        error: field 'pppol2tp' has incomplete type
-          struct pppol2tpv3in6_addr pppol2tp;
-                                    ^
-
-The 'sysroot-dir/if_pppox.h' enabled ipv6 support but the 'source-dir/if_pppol2tp.h' lost
-related structure definitions, we should use both header files from sysroots to fix this
-build failure.
+Make can't exit while compilation error occurs in subdir for plugins building.
 
 Upstream-Status: Pending
 
 Signed-off-by: Lu Chong <Chong.Lu@windriver.com>
 ---
- pppd/plugins/Makefile.linux          |    2 +-
- pppd/plugins/pppol2tp/Makefile.linux |    2 +-
- pppd/plugins/rp-pppoe/Makefile.linux |    2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
+ pppd/plugins/Makefile.linux          |    1 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
 
 diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
 index 0a7ec7b..2a2c15a 100644
@@ -45,31 +25,6 @@
  
  %.so: %.c
  	$(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
-diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux
-index 19eff67..feb2f52 100644
---- a/pppd/plugins/pppol2tp/Makefile.linux
-+++ b/pppd/plugins/pppol2tp/Makefile.linux
-@@ -1,6 +1,6 @@
- #CC	= gcc
- COPTS	= -O2 -g
--CFLAGS	= $(COPTS) -I. -I../.. -I../../../include -fPIC
-+CFLAGS	= $(COPTS) -I. -I../.. -fPIC
- LDFLAGS	= -shared
- INSTALL	= install
- 
-diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux
-index f078991..15b9118 100644
---- a/pppd/plugins/rp-pppoe/Makefile.linux
-+++ b/pppd/plugins/rp-pppoe/Makefile.linux
-@@ -26,7 +26,7 @@ INSTALL	= install
- RP_VERSION=3.8p
- 
- COPTS=-O2 -g
--CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"'
-+CFLAGS=$(COPTS) '-DRP_VERSION="$(RP_VERSION)"'
- all: rp-pppoe.so pppoe-discovery
- 
- pppoe-discovery: pppoe-discovery.o debug.o
 -- 
 1.7.9.5
 
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/0001-ppp-Remove-unneeded-include.patch b/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/0001-ppp-Remove-unneeded-include.patch
new file mode 100644
index 0000000..a32f89f
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp/0001-ppp-Remove-unneeded-include.patch
@@ -0,0 +1,43 @@
+commit cd90fd147844a0cfec101f1e2db7a3c59d236621
+Author: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Date:   Wed Dec 28 14:11:22 2016 +0200
+
+pppol2tp plugin: Remove unneeded include
+
+The include is not required and will break compile on musl libc with
+    
+| In file included from pppol2tp.c:34:0:
+| /usr/include/linux/if.h:97:2: error: expected identifier before numeric constant
+|   IFF_LOWER_UP   = 1<<16, /* __volatile__ */
+
+Patch originally from Khem Raj.
+
+Upstream-Status: Pending [https://github.com/paulusmack/ppp/issues/73]
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+
+diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c
+index 9643b96..458316b 100644
+--- a/pppd/plugins/pppol2tp/openl2tp.c
++++ b/pppd/plugins/pppol2tp/openl2tp.c
+@@ -47,7 +47,6 @@
+ #include <linux/if_ether.h>
+ #include <linux/ppp_defs.h>
+ #include <linux/if_ppp.h>
+-#include <linux/if_pppox.h>
+ #include <linux/if_pppol2tp.h>
+ 
+ #include "l2tp_event.h"
+diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c
+index 0e28606..4f6d98c 100644
+--- a/pppd/plugins/pppol2tp/pppol2tp.c
++++ b/pppd/plugins/pppol2tp/pppol2tp.c
+@@ -46,7 +46,6 @@
+ #include <linux/if_ether.h>
+ #include <linux/ppp_defs.h>
+ #include <linux/if_ppp.h>
+-#include <linux/if_pppox.h>
+ #include <linux/if_pppol2tp.h>
+ 
+ /* should be added to system's socket.h... */
+---
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp_2.4.7.bb b/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
index 56dbd98..b2c4d4c 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
@@ -11,7 +11,7 @@
                     file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \
                     file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2"
 
-SRC_URI = "http://ppp.samba.org/ftp/ppp/ppp-${PV}.tar.gz \
+SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
            file://makefile.patch \
            file://cifdefroute.patch \
            file://pppd-resolv-varrun.patch \
@@ -31,6 +31,7 @@
            file://ppp@.service \
            file://fix-CVE-2015-3310.patch \
            file://ppp-fix-building-with-linux-4.8.patch \
+           file://0001-ppp-Remove-unneeded-include.patch \
 "
 
 SRC_URI_append_libc-musl = "\
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/socat/socat_1.7.3.1.bb b/import-layers/yocto-poky/meta/recipes-connectivity/socat/socat_1.7.3.2.bb
similarity index 81%
rename from import-layers/yocto-poky/meta/recipes-connectivity/socat/socat_1.7.3.1.bb
rename to import-layers/yocto-poky/meta/recipes-connectivity/socat/socat_1.7.3.2.bb
index 4da6d39..4dcb7b4 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/socat/socat_1.7.3.1.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/socat/socat_1.7.3.2.bb
@@ -18,8 +18,8 @@
            file://0001-Access-c_ispeed-and-c_ospeed-via-APIs.patch \
 "
 
-SRC_URI[md5sum] = "334e46924f2b386299c9db2ac22bcd36"
-SRC_URI[sha256sum] = "d2da659540c38139f388e9437bfaae16bb458d174d056cb3228432a8f489fbaa"
+SRC_URI[md5sum] = "607a24c15bd2cb54e9328bfbbd3a1ae9"
+SRC_URI[sha256sum] = "e3561f808739383eb10fada1e5d4f26883f0311b34fd0af7837d0c95ef379251"
 
 inherit autotools
 
@@ -29,10 +29,13 @@
         ac_cv_header_bsd_libutil_h=no \
 "
 
-PACKAGECONFIG ??= "tcp-wrappers"
+PACKAGECONFIG_class-target ??= "tcp-wrappers"
+PACKAGECONFIG ??= ""
 PACKAGECONFIG[tcp-wrappers] = "--enable-libwrap,--disable-libwrap,tcp-wrappers"
 
 do_install_prepend () {
     mkdir -p ${D}${bindir}
     install -d ${D}${bindir} ${D}${mandir}/man1
 }
+
+BBCLASSEXTEND = "native nativesdk"
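Review bot: The split default `PACKAGECONFIG_class-target ??= "tcp-wrappers"` / `PACKAGECONFIG ??= ""` has no comment saying why libwrap host access control is kept for target builds only, and it changes how the option is overridden. With the stock OVERRIDES order, `class-target` likely takes precedence over `pn-socat`, so an existing distro or local.conf `PACKAGECONFIG_pn-socat` setting may stop affecting the target build; this is worth confirming before merging. I would add a comment above the two lines, such as `# tcp-wrappers only on target; native/nativesdk (BBCLASSEXTEND) build with --disable-libwrap`. The comment should also say that target-side changes must be made through `PACKAGECONFIG_class-target`.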
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/wireless-tools/wireless-tools_30.pre9.bb b/import-layers/yocto-poky/meta/recipes-connectivity/wireless-tools/wireless-tools_30.pre9.bb
index c3b8f66..0a34207 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/wireless-tools/wireless-tools_30.pre9.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/wireless-tools/wireless-tools_30.pre9.bb
@@ -1,5 +1,5 @@
 SUMMARY = "Tools for the Linux Standard Wireless Extension Subsystem"
-HOMEPAGE = "http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html"
+HOMEPAGE = "https://hewlettpackard.github.io/wireless-tools/Tools.html"
 LICENSE = "GPLv2 & (LGPLv2.1 | MPL-1.1 | BSD)"
 LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
 			file://iwconfig.c;beginline=1;endline=12;md5=cf710eb1795c376eb10ea4ff04649caf \
@@ -8,7 +8,7 @@
 SECTION = "base"
 PE = "1"
 
-SRC_URI = "http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/wireless_tools.${PV}.tar.gz \
+SRC_URI = "https://hewlettpackard.github.io/wireless-tools/wireless_tools.${PV}.tar.gz \
            file://remove.ldconfig.call.patch \
            file://man.patch \
            file://avoid_strip.patch \
@@ -17,7 +17,7 @@
 SRC_URI[md5sum] = "ca91ba7c7eff9bfff6926b1a34a4697d"
 SRC_URI[sha256sum] = "abd9c5c98abf1fdd11892ac2f8a56737544fe101e1be27c6241a564948f34c63"
 
-UPSTREAM_CHECK_URI = "http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html"
+UPSTREAM_CHECK_URI = "https://hewlettpackard.github.io/wireless-tools/Tools.html"
 UPSTREAM_CHECK_REGEX = "wireless_tools\.(?P<pver>(\d+)(\..*|))\.tar\.gz"
 
 S = "${WORKDIR}/wireless_tools.30"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch b/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
deleted file mode 100644
index dd7d5f7..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Fri, 4 Mar 2016 18:46:41 +0200
-Subject: [PATCH 1/3] Reject psk parameter set with invalid passphrase
- character
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a passphrase configuration attempt if that passphrase
-includes an invalid passphrase.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file psk parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the passphrase value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject up to 63 characters of
-almost arbitrary data into the configuration file. Such configuration
-file could result in wpa_supplicant trying to load a library (e.g.,
-opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
-load_dynamic_eap) from user controlled location when starting again.
-This would allow code from that library to be executed under the
-wpa_supplicant process privileges.
-
-Upstream-Status: Backport
-
-CVE: CVE-2016-4477
-
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
-Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
----
- wpa_supplicant/config.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
-index b1c7870..fdd9643 100644
---- a/wpa_supplicant/config.c
-+++ b/wpa_supplicant/config.c
-@@ -478,6 +478,12 @@ static int wpa_config_parse_psk(const struct parse_data *data,
- 		}
- 		wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
- 				      (u8 *) value, len);
-+		if (has_ctrl_char((u8 *) value, len)) {
-+			wpa_printf(MSG_ERROR,
-+				   "Line %d: Invalid passphrase character",
-+				   line);
-+			return -1;
-+		}
- 		if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
- 		    os_memcmp(ssid->passphrase, value, len) == 0) {
- 			/* No change to the previously configured value */
--- 
-1.9.1
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch b/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
deleted file mode 100644
index db222e4..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/2] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Upstream-Status: Backport
-
-CVE: CVE-2016-4476
-
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
-Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
----
- src/utils/common.c         | 12 ++++++++++++
- src/utils/common.h         |  1 +
- src/wps/wps_attr_process.c | 10 ++++++++++
- 3 files changed, 23 insertions(+)
-
-diff --git a/src/utils/common.c b/src/utils/common.c
-index 450e2c6..27b7c02 100644
---- a/src/utils/common.c
-+++ b/src/utils/common.c
-@@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len)
- }
- 
- 
-+int has_ctrl_char(const u8 *data, size_t len)
-+{
-+	size_t i;
-+
-+	for (i = 0; i < len; i++) {
-+		if (data[i] < 32 || data[i] == 127)
-+			return 1;
-+	}
-+	return 0;
-+}
-+
-+
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- 			 const u8 *src1, size_t src1_len,
- 			 const u8 *src2, size_t src2_len)
-diff --git a/src/utils/common.h b/src/utils/common.h
-index 701dbb2..a972240 100644
---- a/src/utils/common.h
-+++ b/src/utils/common.h
-@@ -488,6 +488,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
- 
- char * wpa_config_parse_string(const char *value, size_t *len);
- int is_hex(const u8 *data, size_t len);
-+int has_ctrl_char(const u8 *data, size_t len);
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- 			 const u8 *src1, size_t src1_len,
- 			 const u8 *src2, size_t src2_len);
-diff --git a/src/wps/wps_attr_process.c b/src/wps/wps_attr_process.c
-index eadb22f..e8c4579 100644
---- a/src/wps/wps_attr_process.c
-+++ b/src/wps/wps_attr_process.c
-@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential *cred)
- 		cred->key_len--;
- #endif /* CONFIG_WPS_STRICT */
- 	}
-+
-+
-+	if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
-+	    (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
-+		wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
-+		wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
-+				      cred->key, cred->key_len);
-+		return -1;
-+	}
-+
- 	return 0;
- }
- 
---
-1.9.1
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch b/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch
deleted file mode 100644
index cad7425..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Tue, 5 Apr 2016 23:33:10 +0300
-Subject: [PATCH 2/3] Reject SET_CRED commands with newline characters in the
- string values
-
-Most of the cred block parameters are written as strings without
-filtering and if there is an embedded newline character in the value,
-unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file cred parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the credential value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Upstream-Status: Backport
-
-CVE: CVE-2016-4477
-
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
-Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
----
- wpa_supplicant/config.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
-index eb97cd5..69152ef 100644
---- a/wpa_supplicant/config.c
-+++ b/wpa_supplicant/config.c
-@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
- 
- 	if (os_strcmp(var, "password") == 0 &&
- 	    os_strncmp(value, "ext:", 4) == 0) {
-+		if (has_newline(value))
-+			return -1;
- 		str_clear_free(cred->password);
- 		cred->password = os_strdup(value);
- 		cred->ext_password = 1;
-@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
- 	}
- 
- 	val = wpa_config_parse_string(value, &len);
--	if (val == NULL) {
-+	if (val == NULL ||
-+	    (os_strcmp(var, "excluded_ssid") != 0 &&
-+	     os_strcmp(var, "roaming_consortium") != 0 &&
-+	     os_strcmp(var, "required_roaming_consortium") != 0 &&
-+	     has_newline(val))) {
- 		wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
- 			   "value '%s'.", line, var, value);
-+		os_free(val);
- 		return -1;
- 	}
- 
--- 
-1.9.1
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch b/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch
deleted file mode 100644
index cc7b01a..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <pstew@google.com>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 2/2] Remove newlines from wpa_supplicant config network
- output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Upstream-Status: Backport
-
-CVE: CVE-2016-4476
-
-Signed-off-by: Paul Stewart <pstew@google.com>
-Signed-off-by: Zhixiong Chi <Zhixiong.Chi.wrs.com>
----
- src/utils/common.c      | 11 +++++++++++
- src/utils/common.h      |  1 +
- wpa_supplicant/config.c | 15 +++++++++++++--
- 3 files changed, 25 insertions(+), 2 deletions(-)
-
-diff --git a/src/utils/common.c b/src/utils/common.c
-index 27b7c02..9856463 100644
---- a/src/utils/common.c
-+++ b/src/utils/common.c
-@@ -709,6 +709,17 @@ int has_ctrl_char(const u8 *data, size_t len)
- }
- 
- 
-+int has_newline(const char *str)
-+{
-+	while (*str) {
-+		if (*str == '\n' || *str == '\r')
-+			return 1;
-+		str++;
-+	}
-+	return 0;
-+}
-+
-+
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- 			 const u8 *src1, size_t src1_len,
- 			 const u8 *src2, size_t src2_len)
-diff --git a/src/utils/common.h b/src/utils/common.h
-index a972240..d19927b 100644
---- a/src/utils/common.h
-+++ b/src/utils/common.h
-@@ -489,6 +489,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
- char * wpa_config_parse_string(const char *value, size_t *len);
- int is_hex(const u8 *data, size_t len);
- int has_ctrl_char(const u8 *data, size_t len);
-+int has_newline(const char *str);
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- 			 const u8 *src1, size_t src1_len,
- 			 const u8 *src2, size_t src2_len);
-diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
-index fdd9643..eb97cd5 100644
---- a/wpa_supplicant/config.c
-+++ b/wpa_supplicant/config.c
-@@ -2699,8 +2699,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const char *var)
- 
- 	for (i = 0; i < NUM_SSID_FIELDS; i++) {
- 		const struct parse_data *field = &ssid_fields[i];
--		if (os_strcmp(var, field->name) == 0)
--			return field->writer(field, ssid);
-+		if (os_strcmp(var, field->name) == 0) {
-+			char *ret = field->writer(field, ssid);
-+
-+			if (ret && has_newline(ret)) {
-+				wpa_printf(MSG_ERROR,
-+					   "Found newline in value for %s; not returning it",
-+					   var);
-+				os_free(ret);
-+				ret = NULL;
-+			}
-+
-+			return ret;
-+		}
- 	}
- 
- 	return NULL;
---
-1.9.1
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch b/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch
deleted file mode 100644
index 5375db7..0000000
--- a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Tue, 5 Apr 2016 23:55:48 +0300
-Subject: [PATCH 3/3] Reject SET commands with newline characters in the
- string values
-
-Many of the global configuration parameters are written as strings
-without filtering and if there is an embedded newline character in the
-value, unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file global parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the value of a parameter before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Upstream-Status: Backport
-
-CVE: CVE-2016-4477
-
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
-Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
----
- wpa_supplicant/config.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
-index 69152ef..d9a1603 100644
---- a/wpa_supplicant/config.c
-+++ b/wpa_supplicant/config.c
-@@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data,
- 		return -1;
- 	}
- 
-+	if (has_newline(pos)) {
-+		wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
-+			   line, data->name);
-+		return -1;
-+	}
-+
- 	tmp = os_strdup(pos);
- 	if (tmp == NULL)
- 		return -1;
--- 
-1.9.1
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch b/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch
new file mode 100644
index 0000000..436520f
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch
@@ -0,0 +1,1025 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+
+Backport a number of patches from upstream to fix this.
+
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 14 Jul 2017 15:15:35 +0200
+Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
+
+Do not reinstall TK to the driver during Reassociation Response frame
+processing if the first attempt of setting the TK succeeded. This avoids
+issues related to clearing the TX/RX PN that could result in reusing
+same PN values for transmitted frames (e.g., due to CCM nonce reuse and
+also hitting replay protection on the receiver) and accepting replayed
+frames on RX side.
+
+This issue was introduced by the commit
+0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
+authenticator') which allowed wpa_ft_install_ptk() to be called multiple
+times with the same PTK. While the second configuration attempt is
+needed with some drivers, it must be done only if the first attempt
+failed.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/ap/ieee802_11.c  | 16 +++++++++++++---
+ src/ap/wpa_auth.c    | 11 +++++++++++
+ src/ap/wpa_auth.h    |  3 ++-
+ src/ap/wpa_auth_ft.c | 10 ++++++++++
+ src/ap/wpa_auth_i.h  |  1 +
+ 5 files changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index 4e04169..333035f 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
+ {
+ 	struct ieee80211_ht_capabilities ht_cap;
+ 	struct ieee80211_vht_capabilities vht_cap;
++	int set = 1;
+ 
+ 	/*
+ 	 * Remove the STA entry to ensure the STA PS state gets cleared and
+@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd,
+ 	 * FT-over-the-DS, where a station re-associates back to the same AP but
+ 	 * skips the authentication flow, or if working with a driver that
+ 	 * does not support full AP client state.
++	 *
++	 * Skip this if the STA has already completed FT reassociation and the
++	 * TK has been configured since the TX/RX PN must not be reset to 0 for
++	 * the same key.
+ 	 */
+-	if (!sta->added_unassoc)
++	if (!sta->added_unassoc &&
++	    (!(sta->flags & WLAN_STA_AUTHORIZED) ||
++	     !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
+ 		hostapd_drv_sta_remove(hapd, sta->addr);
++		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
++		set = 0;
++	}
+ 
+ #ifdef CONFIG_IEEE80211N
+ 	if (sta->flags & WLAN_STA_HT)
+@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd,
+ 			    sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
+ 			    sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
+ 			    sta->vht_opmode, sta->p2p_ie ? 1 : 0,
+-			    sta->added_unassoc)) {
++			    set)) {
+ 		hostapd_logger(hapd, sta->addr,
+ 			       HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
+ 			       "Could not %s STA to kernel driver",
+-			       sta->added_unassoc ? "set" : "add");
++			       set ? "set" : "add");
+ 
+ 		if (sta->added_unassoc) {
+ 			hostapd_drv_sta_remove(hapd, sta->addr);
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 3587086..707971d 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
+ #else /* CONFIG_IEEE80211R */
+ 		break;
+ #endif /* CONFIG_IEEE80211R */
++	case WPA_DRV_STA_REMOVED:
++		sm->tk_already_set = FALSE;
++		return 0;
+ 	}
+ 
+ #ifdef CONFIG_IEEE80211R
+@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
+ }
+ 
+ 
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
++{
++	if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
++		return 0;
++	return sm->tk_already_set;
++}
++
++
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+ 			     struct rsn_pmksa_cache_entry *entry)
+ {
+diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
+index 0de8d97..97461b0 100644
+--- a/src/ap/wpa_auth.h
++++ b/src/ap/wpa_auth.h
+@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
+ 		 u8 *data, size_t data_len);
+ enum wpa_event {
+ 	WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
+-	WPA_REAUTH_EAPOL, WPA_ASSOC_FT
++	WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED
+ };
+ void wpa_remove_ptk(struct wpa_state_machine *sm);
+ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
+@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
+ int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
+ int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
+ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+ 			     struct rsn_pmksa_cache_entry *entry);
+ struct rsn_pmksa_cache_entry *
+diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
+index 42242a5..e63b99a 100644
+--- a/src/ap/wpa_auth_ft.c
++++ b/src/ap/wpa_auth_ft.c
+@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
+ 		return;
+ 	}
+ 
++	if (sm->tk_already_set) {
++		/* Must avoid TK reconfiguration to prevent clearing of TX/RX
++		 * PN in the driver */
++		wpa_printf(MSG_DEBUG,
++			   "FT: Do not re-install same PTK to the driver");
++		return;
++	}
++
+ 	/* FIX: add STA entry to kernel/driver here? The set_key will fail
+ 	 * most likely without this.. At the moment, STA entry is added only
+ 	 * after association has been completed. This function will be called
+@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
+ 
+ 	/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
+ 	sm->pairwise_set = TRUE;
++	sm->tk_already_set = TRUE;
+ }
+ 
+ 
+@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
+ 
+ 	sm->pairwise = pairwise;
+ 	sm->PTK_valid = TRUE;
++	sm->tk_already_set = FALSE;
+ 	wpa_ft_install_ptk(sm);
+ 
+ 	buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
+index 72b7eb3..7fd8f05 100644
+--- a/src/ap/wpa_auth_i.h
++++ b/src/ap/wpa_auth_i.h
+@@ -65,6 +65,7 @@ struct wpa_state_machine {
+ 	struct wpa_ptk PTK;
+ 	Boolean PTK_valid;
+ 	Boolean pairwise_set;
++	Boolean tk_already_set;
+ 	int keycount;
+ 	Boolean Pair;
+ 	struct wpa_key_replay_counter {
+-- 
+2.7.4
+
+From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Wed, 12 Jul 2017 16:03:24 +0200
+Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
+
+Track the current GTK and IGTK that is in use and when receiving a
+(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
+not install the given key if it is already in use. This prevents an
+attacker from trying to trick the client into resetting or lowering the
+sequence counter associated to the group key.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/common/wpa_common.h |  11 +++++
+ src/rsn_supp/wpa.c      | 116 ++++++++++++++++++++++++++++++------------------
+ src/rsn_supp/wpa_i.h    |   4 ++
+ 3 files changed, 87 insertions(+), 44 deletions(-)
+
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index af1d0f0..d200285 100644
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -217,6 +217,17 @@ struct wpa_ptk {
+ 	size_t tk_len;
+ };
+ 
++struct wpa_gtk {
++	u8 gtk[WPA_GTK_MAX_LEN];
++	size_t gtk_len;
++};
++
++#ifdef CONFIG_IEEE80211W
++struct wpa_igtk {
++	u8 igtk[WPA_IGTK_MAX_LEN];
++	size_t igtk_len;
++};
++#endif /* CONFIG_IEEE80211W */
+ 
+ /* WPA IE version 1
+  * 00-50-f2:1 (OUI:OUI type)
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 3c47879..95bd7be 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	const u8 *_gtk = gd->gtk;
+ 	u8 gtk_buf[32];
+ 
++	/* Detect possible key reinstallation */
++	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
++			gd->keyidx, gd->tx, gd->gtk_len);
++		return 0;
++	}
++
+ 	wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
+ 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 		"WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
+@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	}
+ 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ 
++	sm->gtk.gtk_len = gd->gtk_len;
++	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++
+ 	return 0;
+ }
+ 
+@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ }
+ 
+ 
++#ifdef CONFIG_IEEE80211W
++static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
++				       const struct wpa_igtk_kde *igtk)
++{
++	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
++	u16 keyidx = WPA_GET_LE16(igtk->keyid);
++
++	/* Detect possible key reinstallation */
++	if (sm->igtk.igtk_len == len &&
++	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
++			keyidx);
++		return  0;
++	}
++
++	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++		"WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
++		keyidx, MAC2STR(igtk->pn));
++	wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
++	if (keyidx > 4095) {
++		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++			"WPA: Invalid IGTK KeyID %d", keyidx);
++		return -1;
++	}
++	if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
++			   broadcast_ether_addr,
++			   keyidx, 0, igtk->pn, sizeof(igtk->pn),
++			   igtk->igtk, len) < 0) {
++		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++			"WPA: Failed to configure IGTK to the driver");
++		return -1;
++	}
++
++	sm->igtk.igtk_len = len;
++	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++
++	return 0;
++}
++#endif /* CONFIG_IEEE80211W */
++
++
+ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 			       struct wpa_eapol_ie_parse *ie)
+ {
+@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 	if (ie->igtk) {
+ 		size_t len;
+ 		const struct wpa_igtk_kde *igtk;
+-		u16 keyidx;
++
+ 		len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+ 		if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
+ 			return -1;
++
+ 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-		keyidx = WPA_GET_LE16(igtk->keyid);
+-		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
+-			"pn %02x%02x%02x%02x%02x%02x",
+-			keyidx, MAC2STR(igtk->pn));
+-		wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
+-				igtk->igtk, len);
+-		if (keyidx > 4095) {
+-			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-				"WPA: Invalid IGTK KeyID %d", keyidx);
+-			return -1;
+-		}
+-		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-				   broadcast_ether_addr,
+-				   keyidx, 0, igtk->pn, sizeof(igtk->pn),
+-				   igtk->igtk, len) < 0) {
+-			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-				"WPA: Failed to configure IGTK to the driver");
++		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+ 			return -1;
+-		}
+ 	}
+ 
+ 	return 0;
+@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
+  */
+ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ {
+-	int clear_ptk = 1;
++	int clear_keys = 1;
+ 
+ 	if (sm == NULL)
+ 		return;
+@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		/* Prepare for the next transition */
+ 		wpa_ft_prepare_auth_request(sm, NULL);
+ 
+-		clear_ptk = 0;
++		clear_keys = 0;
+ 	}
+ #endif /* CONFIG_IEEE80211R */
+ 
+-	if (clear_ptk) {
++	if (clear_keys) {
+ 		/*
+ 		 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
+ 		 * this is not part of a Fast BSS Transition.
+@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 		sm->tptk_set = 0;
+ 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+ 	}
+ 
+ #ifdef CONFIG_TDLS
+@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+ 	os_memset(sm->pmk, 0, sizeof(sm->pmk));
+ 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+ 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+ 	os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
+@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 		os_memset(&gd, 0, sizeof(gd));
+ #ifdef CONFIG_IEEE80211W
+ 	} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
+-		struct wpa_igtk_kde igd;
+-		u16 keyidx;
+-
+-		os_memset(&igd, 0, sizeof(igd));
+-		keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
+-		os_memcpy(igd.keyid, buf + 2, 2);
+-		os_memcpy(igd.pn, buf + 4, 6);
+-
+-		keyidx = WPA_GET_LE16(igd.keyid);
+-		os_memcpy(igd.igtk, buf + 10, keylen);
+-
+-		wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
+-				igd.igtk, keylen);
+-		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-				   broadcast_ether_addr,
+-				   keyidx, 0, igd.pn, sizeof(igd.pn),
+-				   igd.igtk, keylen) < 0) {
+-			wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
+-				   "WNM mode");
+-			os_memset(&igd, 0, sizeof(igd));
++		const struct wpa_igtk_kde *igtk;
++
++		igtk = (const struct wpa_igtk_kde *) (buf + 2);
++		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+ 			return -1;
+-		}
+-		os_memset(&igd, 0, sizeof(igd));
+ #endif /* CONFIG_IEEE80211W */
+ 	} else {
+ 		wpa_printf(MSG_DEBUG, "Unknown element id");
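Review bot: The IGTK branch now casts `buf + 2` to `const struct wpa_igtk_kde *` and passes it to wpa_supplicant_install_igtk(), but wpa_wnmsleep_install_key() takes no length argument, so it cannot confirm that the subelement is long enough for the key ID, packet number and key that will be read. The removed code depended on the caller in the same way, so this is not a regression; it is only less visible now that the reads happen in another function. Assuming the WNM caller already validates the subelement length (not visible here), I would record the precondition above the cast: `/* caller has verified that buf holds a complete IGTK subelement */`. The function starts and ends outside this hunk.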
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index f653ba6..afc9e37 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -31,6 +31,10 @@ struct wpa_sm {
+ 	u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
+ 	int rx_replay_counter_set;
+ 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
++	struct wpa_gtk gtk;
++#ifdef CONFIG_IEEE80211W
++	struct wpa_igtk igtk;
++#endif /* CONFIG_IEEE80211W */
+ 
+ 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+ 
+-- 
+2.7.4
+
+From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Oct 2017 12:12:24 +0300
+Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
+ Mode cases
+
+This extends the protection to track last configured GTK/IGTK value
+separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
+corner case where these two different mechanisms may get used when the
+GTK/IGTK has changed and tracking a single value is not sufficient to
+detect a possible key reconfiguration.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/wpa.c   | 53 +++++++++++++++++++++++++++++++++++++---------------
+ src/rsn_supp/wpa_i.h |  2 ++
+ 2 files changed, 40 insertions(+), 15 deletions(-)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 95bd7be..7a2c68d 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -709,14 +709,17 @@ struct wpa_gtk_data {
+ 
+ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 				      const struct wpa_gtk_data *gd,
+-				      const u8 *key_rsc)
++				      const u8 *key_rsc, int wnm_sleep)
+ {
+ 	const u8 *_gtk = gd->gtk;
+ 	u8 gtk_buf[32];
+ 
+ 	/* Detect possible key reinstallation */
+-	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
+-	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++	if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++	     os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
++	    (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
++	     os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
++		       sm->gtk_wnm_sleep.gtk_len) == 0)) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
+ 			gd->keyidx, gd->tx, gd->gtk_len);
+@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	}
+ 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ 
+-	sm->gtk.gtk_len = gd->gtk_len;
+-	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++	if (wnm_sleep) {
++		sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
++		os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
++			  sm->gtk_wnm_sleep.gtk_len);
++	} else {
++		sm->gtk.gtk_len = gd->gtk_len;
++		os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++	}
+ 
+ 	return 0;
+ }
+@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ 	    (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
+ 					       gtk_len, gtk_len,
+ 					       &gd.key_rsc_len, &gd.alg) ||
+-	     wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
++	     wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"RSN: Failed to install GTK");
+ 		os_memset(&gd, 0, sizeof(gd));
+@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ 
+ #ifdef CONFIG_IEEE80211W
+ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+-				       const struct wpa_igtk_kde *igtk)
++				       const struct wpa_igtk_kde *igtk,
++				       int wnm_sleep)
+ {
+ 	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+ 	u16 keyidx = WPA_GET_LE16(igtk->keyid);
+ 
+ 	/* Detect possible key reinstallation */
+-	if (sm->igtk.igtk_len == len &&
+-	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++	if ((sm->igtk.igtk_len == len &&
++	     os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
++	    (sm->igtk_wnm_sleep.igtk_len == len &&
++	     os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++		       sm->igtk_wnm_sleep.igtk_len) == 0)) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
+ 			keyidx);
+@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+ 		return -1;
+ 	}
+ 
+-	sm->igtk.igtk_len = len;
+-	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++	if (wnm_sleep) {
++		sm->igtk_wnm_sleep.igtk_len = len;
++		os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++			  sm->igtk_wnm_sleep.igtk_len);
++	} else {
++		sm->igtk.igtk_len = len;
++		os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++	}
+ 
+ 	return 0;
+ }
+@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 			return -1;
+ 
+ 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++		if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
+ 			return -1;
+ 	}
+ 
+@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
+ 	if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
+ 		key_rsc = null_rsc;
+ 
+-	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
++	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
+ 	    wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
+ 		goto failed;
+ 	os_memset(&gd, 0, sizeof(gd));
+@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		sm->tptk_set = 0;
+ 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ 		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++		os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+ 		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++		os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+ 	}
+ 
+@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+ 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ 	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++	os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+ 	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++	os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+ 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 
+ 		wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
+ 				gd.gtk, gd.gtk_len);
+-		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
++		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
+ 			os_memset(&gd, 0, sizeof(gd));
+ 			wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
+ 				   "WNM mode");
+@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 		const struct wpa_igtk_kde *igtk;
+ 
+ 		igtk = (const struct wpa_igtk_kde *) (buf + 2);
+-		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++		if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
+ 			return -1;
+ #endif /* CONFIG_IEEE80211W */
+ 	} else {
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index afc9e37..9a54631 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -32,8 +32,10 @@ struct wpa_sm {
+ 	int rx_replay_counter_set;
+ 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
+ 	struct wpa_gtk gtk;
++	struct wpa_gtk gtk_wnm_sleep;
+ #ifdef CONFIG_IEEE80211W
+ 	struct wpa_igtk igtk;
++	struct wpa_igtk igtk_wnm_sleep;
+ #endif /* CONFIG_IEEE80211W */
+ 
+ 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+-- 
+2.7.4
+
+From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 29 Sep 2017 04:22:51 +0200
+Subject: [PATCH 4/8] Prevent installation of an all-zero TK
+
+Properly track whether a PTK has already been installed to the driver
+and the TK part cleared from memory. This prevents an attacker from
+trying to trick the client into installing an all-zero TK.
+
+This fixes the earlier fix in commit
+ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
+driver in EAPOL-Key 3/4 retry case') which did not take into account
+possibility of an extra message 1/4 showing up between retries of
+message 3/4.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/common/wpa_common.h | 1 +
+ src/rsn_supp/wpa.c      | 5 ++---
+ src/rsn_supp/wpa_i.h    | 1 -
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index d200285..1021ccb 100644
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -215,6 +215,7 @@ struct wpa_ptk {
+ 	size_t kck_len;
+ 	size_t kek_len;
+ 	size_t tk_len;
++	int installed; /* 1 if key has already been installed to driver */
+ };
+ 
+ struct wpa_gtk {
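Review bot: The comment on the new `installed` field says when it becomes 1 but not how it returns to 0, and no hunk in this patch clears it explicitly. In the lines visible on this page the only resets are whole-struct writes such as `os_memset(&sm->ptk, 0, sizeof(sm->ptk))` in wpa_sm_notify_assoc() and wpa_sm_drop_sa(). Presumably a newly derived PTK also arrives by struct copy with the flag at 0, but that code is outside these hunks. Since the reinstallation guard in wpa_supplicant_install_ptk() depends on this, I would spell it out: `int installed; /* 1 if key has already been installed to driver; cleared only when the whole struct is overwritten */`.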
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 7a2c68d..0550a41 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
+ 		os_memset(buf, 0, sizeof(buf));
+ 	}
+ 	sm->tptk_set = 1;
+-	sm->tk_to_set = 1;
+ 
+ 	kde = sm->assoc_wpa_ie;
+ 	kde_len = sm->assoc_wpa_ie_len;
+@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+ 	enum wpa_alg alg;
+ 	const u8 *key_rsc;
+ 
+-	if (!sm->tk_to_set) {
++	if (sm->ptk.installed) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Do not re-install same PTK to the driver");
+ 		return 0;
+@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+ 
+ 	/* TK is not needed anymore in supplicant */
+ 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
+-	sm->tk_to_set = 0;
++	sm->ptk.installed = 1;
+ 
+ 	if (sm->wpa_ptk_rekey) {
+ 		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 9a54631..41f371f 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -24,7 +24,6 @@ struct wpa_sm {
+ 	struct wpa_ptk ptk, tptk;
+ 	int ptk_set, tptk_set;
+ 	unsigned int msg_3_of_4_ok:1;
+-	unsigned int tk_to_set:1;
+ 	u8 snonce[WPA_NONCE_LEN];
+ 	u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
+ 	int renew_snonce;
+-- 
+2.7.4
+
+From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Oct 2017 12:32:57 +0300
+Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce
+
+The Authenticator state machine path for PTK rekeying ended up bypassing
+the AUTHENTICATION2 state where a new ANonce is generated when going
+directly to the PTKSTART state since there is no need to try to
+determine the PMK again in such a case. This is far from ideal since the
+new PTK would depend on a new nonce only from the supplicant.
+
+Fix this by generating a new ANonce when moving to the PTKSTART state
+for the purpose of starting new 4-way handshake to rekey PTK.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/wpa_auth.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 707971d..bf10cc1 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
+ }
+ 
+ 
++static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
++{
++	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
++		wpa_printf(MSG_ERROR,
++			   "WPA: Failed to get random data for ANonce");
++		sm->Disconnect = TRUE;
++		return -1;
++	}
++	wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
++		    WPA_NONCE_LEN);
++	sm->TimeoutCtr = 0;
++	return 0;
++}
++
++
+ SM_STATE(WPA_PTK, INITPMK)
+ {
+ 	u8 msk[2 * PMK_LEN];
+@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK)
+ 		SM_ENTER(WPA_PTK, AUTHENTICATION);
+ 	else if (sm->ReAuthenticationRequest)
+ 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
+-	else if (sm->PTKRequest)
+-		SM_ENTER(WPA_PTK, PTKSTART);
+-	else switch (sm->wpa_ptk_state) {
++	else if (sm->PTKRequest) {
++		if (wpa_auth_sm_ptk_update(sm) < 0)
++			SM_ENTER(WPA_PTK, DISCONNECTED);
++		else
++			SM_ENTER(WPA_PTK, PTKSTART);
++	} else switch (sm->wpa_ptk_state) {
+ 	case WPA_PTK_INITIALIZE:
+ 		break;
+ 	case WPA_PTK_DISCONNECT:
+-- 
+2.7.4
+
+From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 11:03:15 +0300
+Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
+
+Do not try to reconfigure the same TPK-TK to the driver after it has
+been successfully configured. This is an explicit check to avoid issues
+related to resetting the TX/RX packet number. There was already a check
+for this for TPK M2 (retries of that message are ignored completely), so
+that behavior does not get modified.
+
+For TPK M3, the TPK-TK could have been reconfigured, but that was
+followed by immediate teardown of the link due to an issue in updating
+the STA entry. Furthermore, for TDLS with any real security (i.e.,
+ignoring open/WEP), the TPK message exchange is protected on the AP path
+and simple replay attacks are not feasible.
+
+As an additional corner case, make sure the local nonce gets updated if
+the peer uses a very unlikely "random nonce" of all zeros.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
+index e424168..9eb9738 100644
+--- a/src/rsn_supp/tdls.c
++++ b/src/rsn_supp/tdls.c
+@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
+ 		u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
+ 	} tpk;
+ 	int tpk_set;
++	int tk_set; /* TPK-TK configured to the driver */
+ 	int tpk_success;
+ 	int tpk_in_progress;
+ 
+@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 	u8 rsc[6];
+ 	enum wpa_alg alg;
+ 
++	if (peer->tk_set) {
++		/*
++		 * This same TPK-TK has already been configured to the driver
++		 * and this new configuration attempt (likely due to an
++		 * unexpected retransmitted frame) would result in clearing
++		 * the TX/RX sequence number which can break security, so must
++		 * not allow that to happen.
++		 */
++		wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
++			   " has already been configured to the driver - do not reconfigure",
++			   MAC2STR(peer->addr));
++		return -1;
++	}
++
+ 	os_memset(rsc, 0, 6);
+ 
+ 	switch (peer->cipher) {
+@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 		return -1;
+ 	}
+ 
++	wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
++		   MAC2STR(peer->addr));
+ 	if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
+ 			   rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
+ 		wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
+ 			   "driver");
+ 		return -1;
+ 	}
++	peer->tk_set = 1;
+ 	return 0;
+ }
+ 
+@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 	peer->cipher = 0;
+ 	peer->qos_info = 0;
+ 	peer->wmm_capable = 0;
+-	peer->tpk_set = peer->tpk_success = 0;
++	peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
+ 	peer->chan_switch_enabled = 0;
+ 	os_memset(&peer->tpk, 0, sizeof(peer->tpk));
+ 	os_memset(peer->inonce, 0, WPA_NONCE_LEN);
+@@ -1159,6 +1177,7 @@ skip_rsnie:
+ 		wpa_tdls_peer_free(sm, peer);
+ 		return -1;
+ 	}
++	peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
+ 		    peer->inonce, WPA_NONCE_LEN);
+ 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
+ }
+ 
+ 
++static int tdls_nonce_set(const u8 *nonce)
++{
++	int i;
++
++	for (i = 0; i < WPA_NONCE_LEN; i++) {
++		if (nonce[i])
++			return 1;
++	}
++
++	return 0;
++}
++
++
+ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
+ 				   const u8 *buf, size_t len)
+ {
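Review bot: `tdls_nonce_set()` reads like a setter, but it is a predicate that returns 1 when any of the WPA_NONCE_LEN octets is non-zero. Its only use visible here, `!tdls_nonce_set(peer->inonce)` in the TPK M1 handler, decides whether a fresh responder nonce is generated and `tk_set` is cleared, so the meaning should be obvious at the call site. I would add `/* Return 1 if the nonce has any non-zero octet, 0 if it is all zeros */` above the definition, or rename it along the lines of `tdls_nonce_is_set`.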
+@@ -2004,7 +2036,8 @@ skip_rsn:
+ 	peer->rsnie_i_len = kde.rsn_ie_len;
+ 	peer->cipher = cipher;
+ 
+-	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
++	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
++	    !tdls_nonce_set(peer->inonce)) {
+ 		/*
+ 		 * There is no point in updating the RNonce for every obtained
+ 		 * TPK M1 frame (e.g., retransmission due to timeout) with the
+@@ -2020,6 +2053,7 @@ skip_rsn:
+ 				"TDLS: Failed to get random data for responder nonce");
+ 			goto error;
+ 		}
++		peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	}
+ 
+ #if 0
+-- 
+2.7.4
+
+From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 11:25:02 +0300
+Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending
+ request
+
+Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
+Mode Response if WNM-Sleep Mode has not been used') started ignoring the
+response when no WNM-Sleep Mode Request had been used during the
+association. This can be made tighter by clearing the used flag when
+successfully processing a response. This adds an additional layer of
+protection against unexpected retransmissions of the response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ wpa_supplicant/wnm_sta.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
+index 1b3409c..67a07ff 100644
+--- a/wpa_supplicant/wnm_sta.c
++++ b/wpa_supplicant/wnm_sta.c
+@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
+ 
+ 	if (!wpa_s->wnmsleep_used) {
+ 		wpa_printf(MSG_DEBUG,
+-			   "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
++			   "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
+ 		return;
+ 	}
+ 
+@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
+ 		return;
+ 	}
+ 
++	wpa_s->wnmsleep_used = 0;
++
+ 	if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
+ 	    wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
+ 		wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "
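Review bot: `wpa_s->wnmsleep_used = 0;` runs before the status field is examined, so every response that passes the earlier checks consumes the pending request, not only those with an accept status. The flag therefore now means "a request is outstanding", which the name `wnmsleep_used` does not convey, and the line has no comment. I would add `/* one response per request: clear before acting on it so a retransmitted response is ignored */` above the assignment. ieee802_11_rx_wnmsleep_resp() starts and ends outside this hunk.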
+-- 
+2.7.4
+
+From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 12:06:37 +0300
+Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
+
+The driver is expected to not report a second association event without
+the station having explicitly request a new association. As such, this
+case should not be reachable. However, since reconfiguring the same
+pairwise or group keys to the driver could result in nonce reuse issues,
+be extra careful here and do an additional state check to avoid this
+even if the local driver ends up somehow accepting an unexpected
+Reassociation Response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/wpa.c    | 3 +++
+ src/rsn_supp/wpa_ft.c | 8 ++++++++
+ src/rsn_supp/wpa_i.h  | 1 +
+ 3 files changed, 12 insertions(+)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 0550a41..2a53c6f 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
+ #ifdef CONFIG_TDLS
+ 	wpa_tdls_disassoc(sm);
+ #endif /* CONFIG_TDLS */
++#ifdef CONFIG_IEEE80211R
++	sm->ft_reassoc_completed = 0;
++#endif /* CONFIG_IEEE80211R */
+ 
+ 	/* Keys are not needed in the WPA state machine anymore */
+ 	wpa_sm_drop_sa(sm);
+diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
+index 205793e..d45bb45 100644
+--- a/src/rsn_supp/wpa_ft.c
++++ b/src/rsn_supp/wpa_ft.c
+@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
+ 	u16 capab;
+ 
+ 	sm->ft_completed = 0;
++	sm->ft_reassoc_completed = 0;
+ 
+ 	buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+ 		2 + sm->r0kh_id_len + ric_ies_len + 100;
+@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ 		return -1;
+ 	}
+ 
++	if (sm->ft_reassoc_completed) {
++		wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
++		return 0;
++	}
++
+ 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
+ 		wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
+ 		return -1;
+@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ 		return -1;
+ 	}
+ 
++	sm->ft_reassoc_completed = 1;
++
+ 	if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
+ 		return -1;
+ 
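Review bot: `sm->ft_reassoc_completed = 1` is set before `wpa_ft_process_gtk_subelem()` runs, so the flag stays set if that call returns -1. Combined with the early `return 0` added in the previous hunk of wpa_ft_validate_reassoc_resp(), a later Reassociation Response in the same FT instance would then be reported as success without being parsed. That holds unless the caller's failure handling resets the state first; the wpa_sm_notify_disassoc() hunk in this patch does clear the flag. If marking completion before key installation is deliberate, a comment such as `/* set before installing keys so a retransmitted frame can never reconfigure them */` would record that. The function body continues outside this hunk.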
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 41f371f..56f88dc 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -128,6 +128,7 @@ struct wpa_sm {
+ 	size_t r0kh_id_len;
+ 	u8 r1kh_id[FT_R1KH_ID_LEN];
+ 	int ft_completed;
++	int ft_reassoc_completed;
+ 	int over_the_ds_in_progress;
+ 	u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
+ 	int set_ptk_after_assoc;
+-- 
+2.7.4
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb b/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
similarity index 81%
rename from import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb
rename to import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
index a4160e1..d6d4206 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
@@ -3,9 +3,9 @@
 BUGTRACKER = "http://w1.fi/security/"
 SECTION = "network"
 LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://COPYING;md5=36b27801447e0662ee0138d17fe93880 \
-                    file://README;beginline=1;endline=56;md5=7f393579f8b109fe91f3b9765d26c7d3 \
-                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=3430fda79f2ba1dd545f0b3c4d6e4d24"
+LIC_FILES_CHKSUM = "file://COPYING;md5=292eece3f2ebbaa25608eed8464018a3 \
+                    file://README;beginline=1;endline=56;md5=3f01d778be8f953962388307ee38ed2b \
+                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=4061612fc5715696134e3baf933e8aba"
 DEPENDS = "dbus libnl"
 RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
 
@@ -13,7 +13,7 @@
 PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
 PACKAGECONFIG[openssl] = ",,openssl"
 
-inherit systemd
+inherit pkgconfig systemd
 
 SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service wpa_supplicant-nl80211@.service wpa_supplicant-wired@.service"
 SYSTEMD_AUTO_ENABLE = "disable"
@@ -24,14 +24,12 @@
            file://wpa_supplicant.conf \
            file://wpa_supplicant.conf-sane \
            file://99_wpa_supplicant \
-           file://0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch \
-           file://0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch \
-           file://0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch \
-           file://0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch \
-           file://0003-Reject-SET-commands-with-newline-characters-in-the-s.patch \
+           file://key-replay-cve-multiple.patch \
           "
-SRC_URI[md5sum] = "96ff75c3a514f1f324560a2376f13110"
-SRC_URI[sha256sum] = "cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316"
+SRC_URI[md5sum] = "091569eb4440b7d7f2b4276dbfc03c3c"
+SRC_URI[sha256sum] = "b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450"
+
+CVE_PRODUCT = "wpa_supplicant"
 
 S = "${WORKDIR}/wpa_supplicant-${PV}"