diff options
Diffstat (limited to 'poky/meta/recipes-connectivity')
22 files changed, 379 insertions, 18 deletions
diff --git a/poky/meta/recipes-connectivity/avahi/avahi.inc b/poky/meta/recipes-connectivity/avahi/avahi.inc index 94fe6a16b6..6acedb5412 100644 --- a/poky/meta/recipes-connectivity/avahi/avahi.inc +++ b/poky/meta/recipes-connectivity/avahi/avahi.inc @@ -77,6 +77,11 @@ do_install() { rm -rf ${D}${datadir}/dbus-1/interfaces test -d ${D}${datadir}/dbus-1 && rmdir --ignore-fail-on-non-empty ${D}${datadir}/dbus-1 rm -rf ${D}${libdir}/avahi + + # Move example service files out of /etc/avahi/services so we don't + # advertise ssh & sftp-ssh by default + install -d ${D}${docdir}/avahi + mv ${D}${sysconfdir}/avahi/services/* ${D}${docdir}/avahi } PACKAGES =+ "${@bb.utils.contains("PACKAGECONFIG", "libdns_sd", "libavahi-compat-libdnssd", "", d)}" diff --git a/poky/meta/recipes-connectivity/avahi/avahi_0.7.bb b/poky/meta/recipes-connectivity/avahi/avahi_0.7.bb index 24523c7f81..f6e3afb24e 100644 --- a/poky/meta/recipes-connectivity/avahi/avahi_0.7.bb +++ b/poky/meta/recipes-connectivity/avahi/avahi_0.7.bb @@ -14,7 +14,7 @@ LICENSE_libavahi-gobject = "LGPLv2.1+" LICENSE_avahi-daemon = "LGPLv2.1+" LICENSE_libavahi-common = "LGPLv2.1+" LICENSE_libavahi-core = "LGPLv2.1+" -LICENSE_avahi-client = "LGPLv2.1+" +LICENSE_libavahi-client = "LGPLv2.1+" LICENSE_avahi-dnsconfd = "LGPLv2.1+" LICENSE_libavahi-glib = "LGPLv2.1+" LICENSE_avahi-autoipd = "LGPLv2.1+" diff --git a/poky/meta/recipes-connectivity/bind/bind_9.11.13.bb b/poky/meta/recipes-connectivity/bind/bind_9.11.22.bb index 4e64171cc1..3b4a299b36 100644 --- a/poky/meta/recipes-connectivity/bind/bind_9.11.13.bb +++ b/poky/meta/recipes-connectivity/bind/bind_9.11.22.bb @@ -1,9 +1,9 @@ SUMMARY = "ISC Internet Domain Name Server" -HOMEPAGE = "http://www.isc.org/sw/bind/" +HOMEPAGE = "https://www.isc.org/bind/" SECTION = "console/network" LICENSE = "ISC & BSD" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=8f17f64e47e83b60cd920a1e4b54419e" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45" DEPENDS = "openssl libcap zlib" @@ -20,8 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057" -SRC_URI[sha256sum] = "fd3f3cc9fcfcdaa752db35eb24598afa1fdcc2509d3227fc90a8631b7b400f7d" +SRC_URI[sha256sum] = "afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4 diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5.inc b/poky/meta/recipes-connectivity/bluez5/bluez5.inc index 150d909d73..f34ba0dce5 100644 --- a/poky/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/poky/meta/recipes-connectivity/bluez5/bluez5.inc @@ -42,8 +42,8 @@ PACKAGECONFIG[sixaxis] = "--enable-sixaxis,--disable-sixaxis" PACKAGECONFIG[tools] = "--enable-tools,--disable-tools" PACKAGECONFIG[threads] = "--enable-threads,--disable-threads" PACKAGECONFIG[deprecated] = "--enable-deprecated,--disable-deprecated" -PACKAGECONFIG[mesh] = "--enable-mesh,--disable-mesh, json-c ell" -PACKAGECONFIG[btpclient] = "--enable-btpclient,--disable-btpclient, ell" +PACKAGECONFIG[mesh] = "--enable-mesh --enable-external-ell,--disable-mesh, json-c ell" +PACKAGECONFIG[btpclient] = "--enable-btpclient --enable-external-ell,--disable-btpclient, ell" PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,udev" SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5_5.54.bb b/poky/meta/recipes-connectivity/bluez5/bluez5_5.55.bb index 260eee1402..8190924562 100644 --- a/poky/meta/recipes-connectivity/bluez5/bluez5_5.54.bb +++ b/poky/meta/recipes-connectivity/bluez5/bluez5_5.55.bb @@ -1,7 +1,7 @@ require bluez5.inc -SRC_URI[md5sum] = "e637feb2dbb7582bbbff1708367a847c" -SRC_URI[sha256sum] = "68cdab9e63e8832b130d5979dc8c96fdb087b31278f342874d992af3e56656dc" +SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a" +SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88" # noinst programs in Makefile.tools that are conditional on READLINE # support diff --git a/poky/meta/recipes-connectivity/iproute2/iproute2_5.5.0.bb b/poky/meta/recipes-connectivity/iproute2/iproute2_5.5.0.bb index ad0ab13c9a..7ad4b8eee6 100644 --- a/poky/meta/recipes-connectivity/iproute2/iproute2_5.5.0.bb +++ b/poky/meta/recipes-connectivity/iproute2/iproute2_5.5.0.bb @@ -9,4 +9,4 @@ SRC_URI[sha256sum] = "bac543435cac208a11db44c9cc8e35aa902befef8750594654ee71941c # CFLAGS are computed in Makefile and reference CCOPTS # -EXTRA_OEMAKE_append = " CCOPTS='${CFLAGS} -fcommon'" +EXTRA_OEMAKE_append = " CCOPTS='${CFLAGS}'" diff --git a/poky/meta/recipes-connectivity/iw/iw_5.4.bb b/poky/meta/recipes-connectivity/iw/iw_5.4.bb index 9f58e49709..96879a9689 100644 --- a/poky/meta/recipes-connectivity/iw/iw_5.4.bb +++ b/poky/meta/recipes-connectivity/iw/iw_5.4.bb @@ -2,7 +2,7 @@ SUMMARY = "nl80211 based CLI configuration utility for wireless devices" DESCRIPTION = "iw is a new nl80211 based CLI configuration utility for \ wireless devices. It supports almost all new drivers that have been added \ to the kernel recently. " -HOMEPAGE = "http://wireless.kernel.org/en/users/Documentation/iw" +HOMEPAGE = "https://wireless.wiki.kernel.org/en/users/documentation/iw" SECTION = "base" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=878618a5c4af25e9b93ef0be1a93f774" diff --git a/poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service index 603c33787f..fd81793d51 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service +++ b/poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service @@ -6,3 +6,4 @@ RequiresMountsFor=/var /run ExecStart=@LIBEXECDIR@/sshd_check_keys Type=oneshot RemainAfterExit=yes +Nice=10 diff --git a/poky/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index d879efc201..fe94f30503 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/poky/meta/recipes-connectivity/openssh/openssh_8.2p1.bb @@ -28,6 +28,10 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671" +# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 +# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded +CVE_CHECK_WHITELIST += "CVE-2014-9278" + PAM_SRC_URI = "file://sshd" inherit manpages useradd update-rc.d update-alternatives systemd @@ -43,12 +47,15 @@ SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" inherit autotools-brokensep ptest -PACKAGECONFIG ??= "" +PACKAGECONFIG ??= "rng-tools" PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" +# Add RRECOMMENDS to rng-tools for sshd package +PACKAGECONFIG[rng-tools] = "" + EXTRA_AUTORECONF += "--exclude=aclocal" # login path is hardcoded in sshd @@ -150,7 +157,10 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen" RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" -RRECOMMENDS_${PN}-sshd_append_class-target = " rng-tools" +RRECOMMENDS_${PN}-sshd_append_class-target = "\ + ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ +" + # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" diff --git a/poky/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb b/poky/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb index 66fa8f7d0a..815955837b 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb +++ b/poky/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb @@ -191,7 +191,9 @@ PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" FILES_libssl = "${libdir}/libssl${SOLIBS}" -FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" +FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf \ + ${libdir}/ssl-1.1/openssl.cnf* \ + " FILES_${PN}-engines = "${libdir}/engines-1.1" FILES_${PN}-misc = "${libdir}/ssl-1.1/misc" FILES_${PN} =+ "${libdir}/ssl-1.1/*" @@ -202,6 +204,8 @@ CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" RRECOMMENDS_libcrypto += "openssl-conf" RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash" +RDEPENDS_${PN}-bin += "openssl-conf" + BBCLASSEXTEND = "native nativesdk" CVE_PRODUCT = "openssl:openssl" diff --git a/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key Binary files differnew file mode 100644 index 0000000000..30443c9438 --- /dev/null +++ b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key diff --git a/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key new file mode 100644 index 0000000000..86c2104ec8 --- /dev/null +++ b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key @@ -0,0 +1,9 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS +1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRJR6iZxr/NTqQN9NOwV+WPtu42r2eF +rJ0xsnlqw5bpmfz6aDR8RQvVHUZjRGQfR/RXPbQ5x+bjjdm176TuXNhHAAAAqAoE27MKBN +uzAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBElHqJnGv81OpA30 +07BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2E +cAAAAgLiHv/IWhxwosz9BiNILOOPlXaueL5hVTBKUJkpOi48sAAAANcm9vdEBxZW11bWlw +cwECAw== +-----END OPENSSH PRIVATE KEY----- diff --git a/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub new file mode 100644 index 0000000000..a358aeb88a --- /dev/null +++ b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub @@ -0,0 +1 @@ +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBElHqJnGv81OpA3007BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2Ec= root@qemupregen diff --git a/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key new file mode 100644 index 0000000000..00ed9adae2 --- /dev/null +++ b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACDHSFTAbJ3OTd1r1E8G5JleCmsJEpQHmdTGtMcYqwWbbwAAAJChFtV0oRbV +dAAAAAtzc2gtZWQyNTUxOQAAACDHSFTAbJ3OTd1r1E8G5JleCmsJEpQHmdTGtMcYqwWbbw +AAAEA8UiUsygsTbP0HkDi5leXpQaVXihDyCHeitkBCItJGhcdIVMBsnc5N3WvUTwbkmV4K +awkSlAeZ1Ma0xxirBZtvAAAADXJvb3RAcWVtdW1pcHM= +-----END OPENSSH PRIVATE KEY----- diff --git a/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub new file mode 100644 index 0000000000..cc0e2f43ed --- /dev/null +++ b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdIVMBsnc5N3WvUTwbkmV4KawkSlAeZ1Ma0xxirBZtv root@qemupregen diff --git a/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key new file mode 100644 index 0000000000..a8e4406ba3 --- /dev/null +++ b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key @@ -0,0 +1,38 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEA2Q6dzF1xziCQCFq+e+Fv6w0607gNlyKnkhuoRq8G7/HEqXU2eEtC +i3AMUrAP8k7s9kP5vI5CyfSgFuC9MxDV2YL2bsmvRxBSKgg6KbNxkoTaFBqyqHopuWQca8 +KRahvzt5dh9fsmeqamIwgMWKTSwtDHcsbyt84nmO2Z2ZrNXobgueMIj+HiJVgmWn86FQFL +EoONAA+qb4SciPsxvmTlaQ/DMAh3llVo/IMLD9oyAyAI2kbHNnZttlYv5TmY7ICd3yCW8z +PXrxNcEF3Qs1d68gVJxLjLKTlYGzJW2J+RwY+1DJZ0w4lozeQiZXTXVtzcJB0tm2DcvQMz +kqyARmncSUwcPbEClEW6Y2xQnLeSHjexzlCCndiUbBTeG5iRl4OL6DN40iI9Lw2VROtj2Y +59n9PCfaoUs08dsgJLaNrDbRHrCRLSdZJ6OQFiC/nAx/t4e4+wdUgNOqLyJqomdNdaLXPq +tzr9ssrcY5j1DmmwKtzfTI5VM9LRQo+REIiUCNTFAAAFiFh232tYdt9rAAAAB3NzaC1yc2 +EAAAGBANkOncxdcc4gkAhavnvhb+sNOtO4DZcip5IbqEavBu/xxKl1NnhLQotwDFKwD/JO +7PZD+byOQsn0oBbgvTMQ1dmC9m7Jr0cQUioIOimzcZKE2hQasqh6KblkHGvCkWob87eXYf +X7JnqmpiMIDFik0sLQx3LG8rfOJ5jtmdmazV6G4LnjCI/h4iVYJlp/OhUBSxKDjQAPqm+E +nIj7Mb5k5WkPwzAId5ZVaPyDCw/aMgMgCNpGxzZ2bbZWL+U5mOyAnd8glvMz168TXBBd0L +NXevIFScS4yyk5WBsyVtifkcGPtQyWdMOJaM3kImV011bc3CQdLZtg3L0DM5KsgEZp3ElM +HD2xApRFumNsUJy3kh43sc5Qgp3YlGwU3huYkZeDi+gzeNIiPS8NlUTrY9mOfZ/Twn2qFL +NPHbICS2jaw20R6wkS0nWSejkBYgv5wMf7eHuPsHVIDTqi8iaqJnTXWi1z6rc6/bLK3GOY +9Q5psCrc30yOVTPS0UKPkRCIlAjUxQAAAAMBAAEAAAGAGIj+bUtiwdoMbeVUAszIydkE/U +mgv6S7LFjT/KlsL1M017LYJWDcdMaFnhMouksRngSxBg9OnWV5cxyURmFwytVy5bMGjRHb +N8UWTgBqphU+UWdzKngkn0AhtkyYA1aFhgsml5d8EgEkZnFSc/KtoDfZU7AJX519/FtfOK +m27Shx3pE7Nohh97avHyuidR1gTwdvuMIMke57g0BhrxPYmredaKCMZAHjjCeD6JbRcGj+ +ly3I9u8MF8BGSbLpBlLDUFCwP8G5CdmMua8bPJYhPSRqMLQhclI7hc6FaYk+gZV9B74Iv/ +SAxcCwI97dNbE0IAsbbWoUdoKGpAYQ5gOdhu5ioqZwKWjNjB3Xx48mq8xtmIR9HEnYzEnk +b/tDWNRWrGkvNK7vpLvnbsSSKBqOAbMzmQdJxogTgjE5doSmu2/krIMR6KUcUox2ZrR8Ot +JM6bXyNFBviiXmYvw/SZTDrVJu8BPMu5EMS5pBl8jPFBGI/ePk4qg7lWAJeQ89ThtBAAAA +wQDEU4HjomWwJsn9UWdoodXTV5aPY9B1OPkmYnRPtsjSAcXgtBzUXMEOsmXODOK3aQjsE0 +jQKpWDAUcUf6KKZKRehxUN4MlwujCG9czn65S6B8BsP1YUfZQjpNyub8vDBfeKzlxKBEEM +lb4iBT+LEGkihK13H5CbqRg1GDAThZzwrV4pj3S40zgyHhn8JjK4x4djEY6NwkWH8E2DgD +8vYG/FKh5E/VIZtCgtAHa4QNAgGB4VMRn1VpSJzxjCxb1wancAAADBAPT7F34WYEI3Vc52 +p1U5rPa6dZtg5QM14V0+KtMlb3frd0/F+JVj4t6COQ8J9pkOuD0YjOYJuFXIWAAYIjCdWt +cbTi/sSERawOWxrgSwJo2vjt5izrBQtr3N8tiB6KDGa5sdgJl5XzJ0SsdStfBbyhcJO4RV +p9lc+X8OsUfFsClmyIs45vlxBRH06DP6/zmYCAmqvlrfZJKqlpKAEWDDObRy/3+mSNhZ0J +BdmncASiASRlPPIoIHznyA1COUn6+TnwAAAMEA4tH89Dez2JauyPVeCyHAC680vrBKjmMx +WYdpq2Xzd/LNl2L9oc0IEZzerLTuaCh6qsbbk2wWj1nrYXvefz/xUtDR427tvRXckcsWhP +2HYohdYBkwTpp9QuscIV76GdwbTImuNEzvABH1hpTG6DSzqeyf/EVmSq07nptJIs5lpU49 +tW2aWraSvswHR9xfts1U79w9f4BNDy1rTmfuLERTRNF/T9CIFsk9tArLUNT64mhHtoEs8F +9AyGuq6v49bN0bAAAADXJvb3RAcWVtdW1pcHMBAgMEBQ== +-----END OPENSSH PRIVATE KEY----- diff --git a/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub new file mode 100644 index 0000000000..9eb8c3838f --- /dev/null +++ b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZDp3MXXHOIJAIWr574W/rDTrTuA2XIqeSG6hGrwbv8cSpdTZ4S0KLcAxSsA/yTuz2Q/m8jkLJ9KAW4L0zENXZgvZuya9HEFIqCDops3GShNoUGrKoeim5ZBxrwpFqG/O3l2H1+yZ6pqYjCAxYpNLC0MdyxvK3zieY7ZnZms1ehuC54wiP4eIlWCZafzoVAUsSg40AD6pvhJyI+zG+ZOVpD8MwCHeWVWj8gwsP2jIDIAjaRsc2dm22Vi/lOZjsgJ3fIJbzM9evE1wQXdCzV3ryBUnEuMspOVgbMlbYn5HBj7UMlnTDiWjN5CJldNdW3NwkHS2bYNy9AzOSrIBGadxJTBw9sQKURbpjbFCct5IeN7HOUIKd2JRsFN4bmJGXg4voM3jSIj0vDZVE62PZjn2f08J9qhSzTx2yAkto2sNtEesJEtJ1kno5AWIL+cDH+3h7j7B1SA06ovImqiZ011otc+q3Ov2yytxjmPUOabAq3N9MjlUz0tFCj5EQiJQI1MU= root@qemupregen diff --git a/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb new file mode 100644 index 0000000000..ddd10e6eeb --- /dev/null +++ b/poky/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb @@ -0,0 +1,19 @@ +SUMMARY = "Pre generated host keys mainly for speeding up our qemu tests" + +SRC_URI = "file://dropbear_rsa_host_key \ + file://openssh" + +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +INHIBIT_DEFAULT_DEPS = "1" + +do_install () { + install -d ${D}${sysconfdir}/dropbear + install ${WORKDIR}/dropbear_rsa_host_key -m 0600 ${D}${sysconfdir}/dropbear/ + + install -d ${D}${sysconfdir}/ssh + install ${WORKDIR}/openssh/* ${D}${sysconfdir}/ssh/ + chmod 0600 ${D}${sysconfdir}/ssh/* + chmod 0644 ${D}${sysconfdir}/ssh/*.pub +}
\ No newline at end of file diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch new file mode 100644 index 0000000000..53ad5d028a --- /dev/null +++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch @@ -0,0 +1,151 @@ +From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Wed, 3 Jun 2020 23:17:35 +0300 +Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to + other networks + +The UPnP Device Architecture 2.0 specification errata ("UDA errata +16-04-2020.docx") addresses a problem with notifications being allowed +to go out to other domains by disallowing such cases. Do such filtering +for the notification callback URLs to avoid undesired connections to +external networks based on subscriptions that any device in the local +network could request when WPS support for external registrars is +enabled (the upnp_iface parameter in hostapd configuration). + +Upstream-Status: Backport +CVE: CVE-2020-12695 patch #1 +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + src/wps/wps_er.c | 2 +- + src/wps/wps_upnp.c | 38 ++++++++++++++++++++++++++++++++++++-- + src/wps/wps_upnp_i.h | 3 ++- + 3 files changed, 39 insertions(+), 4 deletions(-) + +Index: wpa_supplicant-2.9/src/wps/wps_er.c +=================================================================== +--- wpa_supplicant-2.9.orig/src/wps/wps_er.c ++++ wpa_supplicant-2.9/src/wps/wps_er.c +@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, con + "with %s", filter); + } + if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text, +- er->mac_addr)) { ++ NULL, er->mac_addr)) { + wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address " + "for %s. Does it have IP address?", er->ifname); + wps_er_deinit(er, NULL, NULL); +Index: wpa_supplicant-2.9/src/wps/wps_upnp.c +=================================================================== +--- wpa_supplicant-2.9.orig/src/wps/wps_upnp.c ++++ wpa_supplicant-2.9/src/wps/wps_upnp.c +@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct + } + + ++static int local_network_addr(struct upnp_wps_device_sm *sm, ++ struct sockaddr_in *addr) ++{ ++ return (addr->sin_addr.s_addr & sm->netmask.s_addr) == ++ (sm->ip_addr & sm->netmask.s_addr); ++} ++ ++ + /* subscr_addr_add_url -- add address(es) for one url to subscription */ + static void subscr_addr_add_url(struct subscription *s, const char *url, + size_t url_len) +@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct s + + for (rp = result; rp; rp = rp->ai_next) { + struct subscr_addr *a; ++ struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr; + + /* Limit no. of address to avoid denial of service attack */ + if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) { +@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct s + break; + } + ++ if (!local_network_addr(s->sm, addr)) { ++ wpa_printf(MSG_INFO, ++ "WPS UPnP: Ignore a delivery URL that points to another network %s", ++ inet_ntoa(addr->sin_addr)); ++ continue; ++ } ++ + a = os_zalloc(sizeof(*a) + alloc_len); + if (a == NULL) + break; +@@ -889,11 +905,12 @@ static int eth_get(const char *device, u + * @net_if: Selected network interface name + * @ip_addr: Buffer for returning IP address in network byte order + * @ip_addr_text: Buffer for returning a pointer to allocated IP address text ++ * @netmask: Buffer for returning netmask or %NULL if not needed + * @mac: Buffer for returning MAC address + * Returns: 0 on success, -1 on failure + */ + int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text, +- u8 mac[ETH_ALEN]) ++ struct in_addr *netmask, u8 mac[ETH_ALEN]) + { + struct ifreq req; + int sock = -1; +@@ -919,6 +936,19 @@ int get_netif_info(const char *net_if, u + in_addr.s_addr = *ip_addr; + os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr)); + ++ if (netmask) { ++ os_memset(&req, 0, sizeof(req)); ++ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name)); ++ if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) { ++ wpa_printf(MSG_ERROR, ++ "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)", ++ errno, strerror(errno)); ++ goto fail; ++ } ++ addr = (struct sockaddr_in *) &req.ifr_netmask; ++ netmask->s_addr = addr->sin_addr.s_addr; ++ } ++ + #ifdef __linux__ + os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name)); + if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) { +@@ -1025,11 +1055,15 @@ static int upnp_wps_device_start(struct + + /* Determine which IP and mac address we're using */ + if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text, +- sm->mac_addr)) { ++ &sm->netmask, sm->mac_addr)) { + wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address " + "for %s. Does it have IP address?", net_if); + goto fail; + } ++ wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr " ++ MACSTR, ++ sm->ip_addr_text, inet_ntoa(sm->netmask), ++ MAC2STR(sm->mac_addr)); + + /* Listen for incoming TCP connections so that others + * can fetch our "xml files" from us. +Index: wpa_supplicant-2.9/src/wps/wps_upnp_i.h +=================================================================== +--- wpa_supplicant-2.9.orig/src/wps/wps_upnp_i.h ++++ wpa_supplicant-2.9/src/wps/wps_upnp_i.h +@@ -128,6 +128,7 @@ struct upnp_wps_device_sm { + u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */ + char *ip_addr_text; /* IP address of network i.f. we use */ + unsigned ip_addr; /* IP address of network i.f. we use (host order) */ ++ struct in_addr netmask; + int multicast_sd; /* send multicast messages over this socket */ + int ssdp_sd; /* receive discovery UPD packets on socket */ + int ssdp_sd_registered; /* nonzero if we must unregister */ +@@ -158,7 +159,7 @@ struct subscription * subscription_find( + const u8 uuid[UUID_LEN]); + void subscr_addr_delete(struct subscr_addr *a); + int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text, +- u8 mac[ETH_ALEN]); ++ struct in_addr *netmask, u8 mac[ETH_ALEN]); + + /* wps_upnp_ssdp.c */ + void msearchreply_state_machine_stop(struct advertisement_state_machine *a); diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch new file mode 100644 index 0000000000..59640859dd --- /dev/null +++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch @@ -0,0 +1,62 @@ +From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Wed, 3 Jun 2020 22:41:02 +0300 +Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL + path + +More than about 700 character URL ended up overflowing the wpabuf used +for building the event notification and this resulted in the wpabuf +buffer overflow checks terminating the hostapd process. Fix this by +allocating the buffer to be large enough to contain the full URL path. +However, since that around 700 character limit has been the practical +limit for more than ten years, start explicitly enforcing that as the +limit or the callback URLs since any longer ones had not worked before +and there is no need to enable them now either. + +Upstream-Status: Backport +CVE: CVE-2020-12695 patch #2 +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + src/wps/wps_upnp.c | 9 +++++++-- + src/wps/wps_upnp_event.c | 3 ++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c +index 7d4b7439940e..ab685d52ecab 100644 +--- a/src/wps/wps_upnp.c ++++ b/src/wps/wps_upnp.c +@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url, + int rerr; + size_t host_len, path_len; + +- /* url MUST begin with http: */ +- if (url_len < 7 || os_strncasecmp(url, "http://", 7)) ++ /* URL MUST begin with HTTP scheme. In addition, limit the length of ++ * the URL to 700 characters which is around the limit that was ++ * implicitly enforced for more than 10 years due to a bug in ++ * generating the event messages. */ ++ if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) { ++ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL"); + goto fail; ++ } + url += 7; + url_len -= 7; + +diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c +index d7e6edcc6503..08a23612f338 100644 +--- a/src/wps/wps_upnp_event.c ++++ b/src/wps/wps_upnp_event.c +@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e) + struct wpabuf *buf; + char *b; + +- buf = wpabuf_alloc(1000 + wpabuf_len(e->data)); ++ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) + ++ wpabuf_len(e->data)); + if (buf == NULL) + return NULL; + wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path); +-- +2.20.1 diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch new file mode 100644 index 0000000000..8a014ef28a --- /dev/null +++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch @@ -0,0 +1,50 @@ +From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Thu, 4 Jun 2020 21:24:04 +0300 +Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more + properly + +While it is appropriate to try to retransmit the event to another +callback URL on a failure to initiate the HTTP client connection, there +is no point in trying the exact same operation multiple times in a row. +Replve the event_retry() calls with event_addr_failure() for these cases +to avoid busy loops trying to repeat the same failing operation. + +These potential busy loops would go through eloop callbacks, so the +process is not completely stuck on handling them, but unnecessary CPU +would be used to process the continues retries that will keep failing +for the same reason. + +Upstream-Status: Backport +CVE: CVE-2020-12695 patch #2 +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + src/wps/wps_upnp_event.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c +index 08a23612f338..c0d9e41d9a38 100644 +--- a/src/wps/wps_upnp_event.c ++++ b/src/wps/wps_upnp_event.c +@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s) + + buf = event_build_message(e); + if (buf == NULL) { +- event_retry(e, 0); ++ event_addr_failure(e); + return -1; + } + +@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s) + event_http_cb, e); + if (e->http_event == NULL) { + wpabuf_free(buf); +- event_retry(e, 0); ++ event_addr_failure(e); + return -1; + } + +-- +2.20.1 diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb index 3e92427bb0..7cc03fef7d 100644 --- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb +++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb @@ -15,7 +15,7 @@ PACKAGECONFIG[openssl] = ",,openssl" inherit pkgconfig systemd -SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service wpa_supplicant-nl80211@.service wpa_supplicant-wired@.service" +SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service" SYSTEMD_AUTO_ENABLE = "disable" SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ @@ -25,7 +25,10 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://wpa_supplicant.conf-sane \ file://99_wpa_supplicant \ file://0001-replace-systemd-install-Alias-with-WantedBy.patch \ - file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \ + file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \ + file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \ + file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \ + file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \ " SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190" SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17" @@ -37,13 +40,13 @@ S = "${WORKDIR}/wpa_supplicant-${PV}" PACKAGES_prepend = "wpa-supplicant-passphrase wpa-supplicant-cli " FILES_wpa-supplicant-passphrase = "${bindir}/wpa_passphrase" FILES_wpa-supplicant-cli = "${sbindir}/wpa_cli" -FILES_${PN} += "${datadir}/dbus-1/system-services/*" +FILES_${PN} += "${datadir}/dbus-1/system-services/* ${systemd_system_unitdir}/*" CONFFILES_${PN} += "${sysconfdir}/wpa_supplicant.conf" do_configure () { ${MAKE} -C wpa_supplicant clean install -m 0755 ${WORKDIR}/defconfig wpa_supplicant/.config - + if echo "${PACKAGECONFIG}" | grep -qw "openssl"; then ssl=openssl elif echo "${PACKAGECONFIG}" | grep -qw "gnutls"; then |