Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/dropbear/dropbear-2024.85-r2.ebuild199
-rw-r--r--net-misc/dropbear/files/dropbear-2024.84-fix-aslr-test-no-venv.patch15
-rw-r--r--net-misc/dropbear/files/dropbear-2024.84-non-interactive-tests-no-syslog.patch13
-rw-r--r--net-misc/dropbear/files/dropbear-2024.84-tests.patch57
4 files changed, 284 insertions, 0 deletions
diff --git a/net-misc/dropbear/dropbear-2024.85-r2.ebuild b/net-misc/dropbear/dropbear-2024.85-r2.ebuild
new file mode 100644
index 000000000000..609bbb453aa4
--- /dev/null
+++ b/net-misc/dropbear/dropbear-2024.85-r2.ebuild
@@ -0,0 +1,199 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..13} )
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/dropbear.asc
+inherit pam python-any-r1 savedconfig verify-sig
+
+DESCRIPTION="Small SSH 2 client/server designed for small memory environments"
+HOMEPAGE="https://matt.ucc.asn.au/dropbear/dropbear.html"
+SRC_URI="https://matt.ucc.asn.au/dropbear/releases/${P}.tar.bz2
+ https://matt.ucc.asn.au/dropbear/testing/${P}.tar.bz2"
+SRC_URI+=" verify-sig? (
+ https://matt.ucc.asn.au/dropbear/releases/${P}.tar.bz2.asc
+ https://matt.ucc.asn.au/dropbear/testing/${P}.tar.bz2.asc
+ )"
+
+LICENSE="MIT GPL-2" # (init script is GPL-2 #426056)
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-macos"
+IUSE="bsdpty minimal multicall pam +shadow static +syslog test zlib"
+RESTRICT="!test? ( test )"
+
+LIB_DEPEND="
+ virtual/libcrypt[static-libs(+)]
+ zlib? ( sys-libs/zlib[static-libs(+)] )
+"
+RDEPEND="
+ acct-group/sshd
+ acct-user/sshd
+ !static? (
+ >=dev-libs/libtomcrypt-1.18.2-r2[libtommath]
+ >=dev-libs/libtommath-1.2.0
+ ${LIB_DEPEND//\[static-libs(+)]}
+ )
+ pam? ( sys-libs/pam )
+"
+DEPEND="
+ ${RDEPEND}
+ static? ( ${LIB_DEPEND} )
+"
+RDEPEND+=" pam? ( >=sys-auth/pambase-20080219.1 )"
+BDEPEND="
+ test? (
+ sys-libs/nss_wrapper
+ $(python_gen_any_dep '
+ dev-python/attrs[${PYTHON_USEDEP}]
+ dev-python/iniconfig[${PYTHON_USEDEP}]
+ dev-python/packaging[${PYTHON_USEDEP}]
+ dev-python/pluggy[${PYTHON_USEDEP}]
+ dev-python/py[${PYTHON_USEDEP}]
+ dev-python/pyparsing[${PYTHON_USEDEP}]
+ dev-python/pytest[${PYTHON_USEDEP}]
+ dev-python/psutil[${PYTHON_USEDEP}]
+ ')
+ )
+ verify-sig? ( sec-keys/openpgp-keys-dropbear )
+"
+
+REQUIRED_USE="pam? ( !static )"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2024.84-dbscp.patch
+ "${FILESDIR}"/${PN}-2024.84-tests.patch
+ "${FILESDIR}"/${PN}-2024.84-test-bg-sleep.patch
+ "${FILESDIR}"/${PN}-2024.84-fix-aslr-test-no-venv.patch
+)
+
+set_options() {
+ progs=(
+ dropbear dbclient dropbearkey
+ $(usev !minimal "dropbearconvert scp")
+ )
+ makeopts=(
+ MULTI=$(usex multicall 1 0)
+ )
+}
+
+python_check_deps() {
+ python_has_version "dev-python/attrs[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/iniconfig[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/packaging[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/pluggy[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/py[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/pyparsing[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/pytest[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/psutil[${PYTHON_USEDEP}]"
+}
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+
+ if use static ; then
+ ewarn "Using bundled copies of libtommath and libtomcrypt"
+ fi
+}
+
+src_prepare() {
+ default
+
+ # dropbear does not accept -E if built w/o syslog support and fails the tests
+ if use syslog; then
+ eapply "${FILESDIR}"/${PN}-2024.84-non-interactive-tests.patch
+ else
+ eapply "${FILESDIR}"/${PN}-2024.84-non-interactive-tests-no-syslog.patch
+ fi
+
+ sed \
+ -e '/SFTPSERVER_PATH/s:".*":"/usr/lib/misc/sftp-server":' \
+ -e '/DROPBEAR_X11FWD/s:0:1:' \
+ src/default_options.h > localoptions.h || die
+ sed \
+ -e '/pam_start/s:sshd:dropbear:' \
+ -i src/svr-authpam.c || die
+ restore_config localoptions.h
+
+ use test && python_fix_shebang test/parent_dropbear_map.py
+
+ # dropbearconver is not built with USE minimal
+ if use minimal; then
+ rm test/test_dropbearconvert.py || die
+ fi
+
+ # bsdpty requires CONFIG_LEGACY_PTYS in kernel; disable tests.
+ # bug #939601
+ if use bsdpty; then
+ rm test/test_channels.py || die
+ fi
+}
+
+src_configure() {
+ # Notes:
+ # 1) We use bundled libtom* when static build is enabled because
+ # libtomcrypt lacks it and we don't particularly want to add it.
+ # 2) We disable the hardening flags as our compiler already enables them
+ # by default as is appropriate for the target.
+ local myeconfargs=(
+ --disable-harden
+
+ # bug #836900
+ $(use_enable !elibc_musl lastlog)
+ $(use_enable !elibc_musl wtmp)
+
+ $(use_enable static bundled-libtom)
+ $(use_enable zlib)
+ $(use_enable pam)
+ $(use_enable !bsdpty openpty)
+ $(use_enable shadow)
+ $(use_enable static)
+ $(use_enable syslog)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ set_options
+ emake "${makeopts[@]}" PROGRAMS="${progs[*]}"
+
+ # need symlinks for tests
+ if use multicall && use test; then
+ local x
+ for x in "${progs[@]}" ; do
+ ln -sf dropbearmulti ${x} || die "ln -s dropbearmulti to ${x} failed"
+ done
+ fi
+}
+
+src_install() {
+ set_options
+ emake "${makeopts[@]}" PROGRAMS="${progs[*]}" DESTDIR="${D}" install
+ doman manpages/*.8
+ newinitd "${FILESDIR}"/dropbear.init.d dropbear
+ newconfd "${FILESDIR}"/dropbear.conf.d dropbear
+ dodoc CHANGES README.md SMALL.md MULTI.md
+
+ # The multi install target does not install the links right.
+ if use multicall ; then
+ pushd "${ED}"/usr/bin &> /dev/null || die
+ local x
+ for x in "${progs[@]}" ; do
+ ln -sf dropbearmulti ${x} || die "ln -s dropbearmulti to ${x} failed"
+ done
+ rm -f dropbear
+ dodir /usr/sbin
+ dosym -r /usr/bin/dropbearmulti /usr/sbin/dropbear
+ popd &> /dev/null || die
+ fi
+ save_config localoptions.h
+
+ if ! use minimal ; then
+ mv "${ED}"/usr/bin/{,db}scp || die
+ fi
+
+ if use pam; then
+ pamd_mimic system-remote-login dropbear auth account password session
+ fi
+}
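Review bot: The two `sed` edits in src_prepare succeed even when their patterns match nothing, so `|| die` does not catch an upstream rename in `src/default_options.h` or `src/svr-authpam.c`. The PAM one matters most: if `/pam_start/s:sshd:dropbear:` stops matching, the daemon would presumably keep authenticating against the `sshd` service while src_install only sets up `dropbear` through `pamd_mimic`. A check after each edit would turn that into a build failure, for example `grep -q 'pam_start.*dropbear' src/svr-authpam.c || die "PAM service name not patched"` and `grep -q '/usr/lib/misc/sftp-server' localoptions.h || die`. The `DROPBEAR_X11FWD` flip to 1 also deserves a one-line comment saying why X11 forwarding is compiled in by default.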
diff --git a/net-misc/dropbear/files/dropbear-2024.84-fix-aslr-test-no-venv.patch b/net-misc/dropbear/files/dropbear-2024.84-fix-aslr-test-no-venv.patch
new file mode 100644
index 000000000000..62e87f230974
--- /dev/null
+++ b/net-misc/dropbear/files/dropbear-2024.84-fix-aslr-test-no-venv.patch
@@ -0,0 +1,15 @@
+We don't use a venv for this test, remove it.
+
+--- a/test/test_aslr.py
++++ b/test/test_aslr.py
+@@ -9,9 +9,7 @@
+ This indicates that re-exec makes ASLR work
+ """
+ map_script = (Path(request.node.fspath).parent / "parent_dropbear_map.py").resolve()
+- # run within the same venv, for python deps
+- activate = own_venv_command()
+- cmd = f"{activate}; {map_script}"
++ cmd = f"{map_script}"
+ print(cmd)
+ r = dbclient(request, cmd, capture_output=True, text=True)
+ map1 = r.stdout.rstrip()
diff --git a/net-misc/dropbear/files/dropbear-2024.84-non-interactive-tests-no-syslog.patch b/net-misc/dropbear/files/dropbear-2024.84-non-interactive-tests-no-syslog.patch
new file mode 100644
index 000000000000..b5a464884d20
--- /dev/null
+++ b/net-misc/dropbear/files/dropbear-2024.84-non-interactive-tests-no-syslog.patch
@@ -0,0 +1,13 @@
+Force tests to be non-interactive
+
+--- a/test/test_dropbear.py
++++ b/test/test_dropbear.py
+@@ -23,7 +23,7 @@
+ args = opt.dropbear.split() + [
+ "-p", LOCALADDR + ":" + opt.port, # bind locally only
+ "-r", opt.hostkey,
+- "-F", "-E",
++ "-F", "-s",
+ ]
+ print("subprocess args: ", args)
+
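Review bot: The patch header says only "Force tests to be non-interactive", but the hunk also drops `-E` from the server arguments, which is the reason this no-syslog variant exists. I would extend the header with a line such as `dropbear built without syslog support rejects -E, so only -F and -s are passed.` so the file explains itself without the ebuild comment. The `args` list starts and ends outside the inner hunk's context.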
diff --git a/net-misc/dropbear/files/dropbear-2024.84-tests.patch b/net-misc/dropbear/files/dropbear-2024.84-tests.patch
new file mode 100644
index 000000000000..a7c53a42884e
--- /dev/null
+++ b/net-misc/dropbear/files/dropbear-2024.84-tests.patch
@@ -0,0 +1,57 @@
+Create all the keys needed for the tests.
+Enable testing server auth.
+
+dbclient obeys $HOME, but dropbear (the server) resolves HOME using getpwnam.
+Use sys-libs/nss_wrapper to fake it during tests.
+
+--- a/test/Makefile.in
++++ b/test/Makefile.in
+@@ -4,18 +4,24 @@
+
+ all: test
+
+-test: venv/bin/pytest fakekey
+- (source ./venv/bin/activate; pytest --hostkey=fakekey --dbclient=../dbclient --dropbear=../dropbear $(srcdir) )
++uid:=$(shell id -u)
++gid:=$(shell id -g)
++test: fakekey
++ mkdir -p ~/.ssh
++ ../dropbearkey -t ecdsa -f ~/.ssh/id_dropbear
++ ../dropbearkey -y -f ~/.ssh/id_dropbear | grep ^ecdsa > ~/.ssh/authorized_keys
++ ../dropbearkey -t ecdsa -f ~/.ssh/id_dropbear_key2 | grep ^ecdsa | sed 's/[^ ]*$$/key2 extra/' >> ~/.ssh/authorized_keys
++ ../dropbearkey -t ecdsa -f ~/.ssh/id_dropbear_key3 | grep ^ecdsa | sed 's/[^ ]*$$/key3%char/' >> ~/.ssh/authorized_keys
++ ../dropbearkey -t ecdsa -f ~/.ssh/id_dropbear_key4 | grep ^ecdsa | sed 's/[^ ]*$$/key4,char/' >> ~/.ssh/authorized_keys
++ echo "$(LOGNAME)::$(uid):$(gid):$(USER):$(HOME):/bin/bash" >> ~/passwd
++ echo "$(LOGNAME)::$(gid):" >> ~/group
++ chmod 0700 ~ ~/.ssh ~/.ssh/authorized_keys ~/passwd ~/group
++ DBTEST_IN_ACTION=y pytest --hostkey=fakekey --dbclient=../dbclient --dropbear=../dropbear $(srcdir)
+
+-one: venv/bin/pytest fakekey
+- (source ./venv/bin/activate; pytest --hostkey=fakekey --dbclient=../dbclient --dropbear=../dropbear $(srcdir) -k exit)
++one: fakekey
++ pytest --hostkey=fakekey --dbclient=../dbclient --dropbear=../dropbear $(srcdir) -k exit
+
+ fakekey:
+ ../dropbearkey -t ecdsa -f $@
+
+-venv/bin/pytest: $(srcdir)/requirements.txt
+- python3 -m venv init venv
+- ./venv/bin/pip install --upgrade pip
+- ./venv/bin/pip install -r $(srcdir)/requirements.txt
+-
+ .PHONY: test
+--- a/test/test_dropbear.py
++++ b/test/test_dropbear.py
+@@ -27,7 +27,11 @@ def dropbear(request):
+ ]
+ print("subprocess args: ", args)
+
+- p = subprocess.Popen(args, stderr=subprocess.PIPE, text=True)
++ env = os.environ
++ env['LD_PRELOAD'] = 'libnss_wrapper.so'
++ env['NSS_WRAPPER_PASSWD'] = env['HOME'] + '/passwd'
++ env['NSS_WRAPPER_GROUP'] = env['HOME'] + '/group'
++ p = subprocess.Popen(args, stderr=subprocess.PIPE, text=True, env=env)
+ # Wait until it has started listening
+ for l in p.stderr:
+ if "Not backgrounding" in l:
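Review bot: `env = os.environ` in the test_dropbear.py part aliases the live environment rather than copying it, so `LD_PRELOAD=libnss_wrapper.so` and the two `NSS_WRAPPER_*` variables are set for the pytest process itself and inherited by every later child, not just the server; `env = os.environ.copy()` keeps the preload scoped to the `Popen` call. If dbclient and the other helpers are meant to run under nss_wrapper as well, the patch header should say so. In the Makefile part, the `test` recipe overwrites `~/.ssh/authorized_keys` and appends a passwd entry with an empty password field, which is safe only while HOME is the build's scratch directory; `chmod 0700` on the regular files also sets their execute bit, where `0600` would do. The `dropbear` fixture continues outside the inner hunk.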