diff options
Diffstat (limited to 'recipes-connectivity')
51 files changed, 1125 insertions, 2480 deletions
diff --git a/recipes-connectivity/bluez/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch b/recipes-connectivity/bluez/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch deleted file mode 100644 index 2fde7bc..0000000 --- a/recipes-connectivity/bluez/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch +++ /dev/null @@ -1,63 +0,0 @@ -From: Giovanni Campagna <gcampagna-cNUdlRotFMnNLxjTenLetw@public.gmane.org> -Date: Sat, 12 Oct 2013 17:45:25 +0200 -Subject: [PATCH] Allow using obexd without systemd in the user session - -Not all sessions run systemd --user (actually, the majority -doesn't), so the dbus daemon must be able to spawn obexd -directly, and to do so it needs the full path of the daemon. - -Upstream-Status: Denied - -Not accepted by upstream maintainer for being a distro specific -configuration. See thread: - -http://thread.gmane.org/gmane.linux.bluez.kernel/38725/focus=38843 - -Signed-off-by: Javier Viguera <javier.viguera@digi.com> ---- - Makefile.obexd | 4 ++-- - obexd/src/org.bluez.obex.service | 4 ---- - obexd/src/org.bluez.obex.service.in | 4 ++++ - 3 files changed, 6 insertions(+), 6 deletions(-) - delete mode 100644 obexd/src/org.bluez.obex.service - create mode 100644 obexd/src/org.bluez.obex.service.in - -diff --git a/Makefile.obexd b/Makefile.obexd -index 2e33cbc72f2b..d5d858c857b4 100644 ---- a/Makefile.obexd -+++ b/Makefile.obexd -@@ -2,12 +2,12 @@ - if SYSTEMD - systemduserunitdir = @SYSTEMD_USERUNITDIR@ - systemduserunit_DATA = obexd/src/obex.service -+endif - - dbussessionbusdir = @DBUS_SESSIONBUSDIR@ - dbussessionbus_DATA = obexd/src/org.bluez.obex.service --endif - --EXTRA_DIST += obexd/src/obex.service.in obexd/src/org.bluez.obex.service -+EXTRA_DIST += obexd/src/obex.service.in obexd/src/org.bluez.obex.service.in - - obex_plugindir = $(libdir)/obex/plugins - -diff --git a/obexd/src/org.bluez.obex.service b/obexd/src/org.bluez.obex.service -deleted file mode 100644 -index a53808884554..000000000000 ---- a/obexd/src/org.bluez.obex.service -+++ /dev/null -@@ -1,4 +0,0 @@ --[D-BUS Service] --Name=org.bluez.obex --Exec=/bin/false --SystemdService=dbus-org.bluez.obex.service -diff --git a/obexd/src/org.bluez.obex.service.in b/obexd/src/org.bluez.obex.service.in -new file mode 100644 -index 000000000000..9c815f246b77 ---- /dev/null -+++ b/obexd/src/org.bluez.obex.service.in -@@ -0,0 +1,4 @@ -+[D-BUS Service] -+Name=org.bluez.obex -+Exec=@libexecdir@/obexd -+SystemdService=dbus-org.bluez.obex.service diff --git a/recipes-connectivity/bluez/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch b/recipes-connectivity/bluez/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch deleted file mode 100644 index 24ddae6..0000000 --- a/recipes-connectivity/bluez/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 4bdf0f96dcaa945fd29f26d56e5b36d8c23e4c8b Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex.kanavin@gmail.com> -Date: Fri, 1 Apr 2016 17:07:34 +0300 -Subject: [PATCH] tests: add a target for building tests without running them - -Upstream-Status: Inappropriate [oe specific] -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - Makefile.am | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/Makefile.am b/Makefile.am -index 1a48a71..ba3b92f 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -425,6 +425,9 @@ endif - TESTS = $(unit_tests) - AM_TESTS_ENVIRONMENT = MALLOC_CHECK_=3 MALLOC_PERTURB_=69 - -+# This allows building tests without running them -+buildtests: $(TESTS) -+ - if DBUS_RUN_SESSION - AM_TESTS_ENVIRONMENT += dbus-run-session -- - endif --- -2.8.0.rc3 - diff --git a/recipes-connectivity/bluez/bluez5/CVE-2017-1000250.patch b/recipes-connectivity/bluez/bluez5/CVE-2017-1000250.patch deleted file mode 100644 index 05359da..0000000 --- a/recipes-connectivity/bluez/bluez5/CVE-2017-1000250.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001 -From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> -Date: Wed, 13 Sep 2017 10:01:40 +0300 -Subject: sdp: Fix Out-of-bounds heap read in service_search_attr_req function - -Check if there is enough data to continue otherwise return an error. ---- - src/sdpd-request.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/sdpd-request.c b/src/sdpd-request.c -index 1eefdce..318d044 100644 ---- a/src/sdpd-request.c -+++ b/src/sdpd-request.c -@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf) - } else { - /* continuation State exists -> get from cache */ - sdp_buf_t *pCache = sdp_get_cached_rsp(cstate); -- if (pCache) { -+ if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) { - uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent); - pResponse = pCache->data; - memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent); --- -cgit v1.1 - diff --git a/recipes-connectivity/bluez/bluez5/out-of-tree.patch b/recipes-connectivity/bluez/bluez5/out-of-tree.patch deleted file mode 100644 index 3ee79d7..0000000 --- a/recipes-connectivity/bluez/bluez5/out-of-tree.patch +++ /dev/null @@ -1,26 +0,0 @@ -From ed55b49a226ca3909f52416be2ae5ce1c5ca2cb2 Mon Sep 17 00:00:00 2001 -From: Ross Burton <ross.burton@intel.com> -Date: Fri, 22 Apr 2016 15:40:37 +0100 -Subject: [PATCH] Makefile.obexd: add missing mkdir in builtin.h generation - -In parallel out-of-tree builds it's possible that obexd/src/builtin.h is -generated before the target directory has been implicitly created. Solve this by -creating the directory before writing into it. - -Upstream-Status: Submitted -Signed-off-by: Ross Burton <ross.burton@intel.com> ---- - Makefile.obexd | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/Makefile.obexd b/Makefile.obexd -index 2e33cbc..c8286f0 100644 ---- a/Makefile.obexd -+++ b/Makefile.obexd -@@ -105,2 +105,3 @@ obexd/src/plugin.$(OBJEXT): obexd/src/builtin.h - obexd/src/builtin.h: obexd/src/genbuiltin $(obexd_builtin_sources) -+ $(AM_V_at)$(MKDIR_P) $(dir $@) - $(AM_V_GEN)$(srcdir)/obexd/src/genbuiltin $(obexd_builtin_modules) > $@ --- -2.8.0.rc3 - diff --git a/recipes-connectivity/bluez/bluez5/run-ptest b/recipes-connectivity/bluez/bluez5/run-ptest deleted file mode 100644 index 21df00c..0000000 --- a/recipes-connectivity/bluez/bluez5/run-ptest +++ /dev/null @@ -1,31 +0,0 @@ -#! /bin/sh - -cd unit - -failed=0 -all=0 - -for f in test-*; do - "./$f" - case "$?" in - 0) - echo "PASS: $f" - all=$((all + 1)) - ;; - 77) - echo "SKIP: $f" - ;; - *) - echo "FAIL: $f" - failed=$((failed + 1)) - all=$((all + 1)) - ;; - esac -done - -if [ "$failed" -eq 0 ] ; then - echo "All $all tests passed" -else - echo "$failed of $all tests failed" -fi - diff --git a/recipes-connectivity/hostapd/hostapd/default b/recipes-connectivity/hostapd/files/default index 8f3287d..8f3287d 100644 --- a/recipes-connectivity/hostapd/hostapd/default +++ b/recipes-connectivity/hostapd/files/default diff --git a/recipes-connectivity/hostapd/hostapd/defconfig b/recipes-connectivity/hostapd/files/defconfig index 3a447c6..3a447c6 100644 --- a/recipes-connectivity/hostapd/hostapd/defconfig +++ b/recipes-connectivity/hostapd/files/defconfig diff --git a/recipes-connectivity/hostapd/hostapd/init b/recipes-connectivity/hostapd/files/init index 04fd2d0..04fd2d0 100644 --- a/recipes-connectivity/hostapd/hostapd/init +++ b/recipes-connectivity/hostapd/files/init diff --git a/recipes-connectivity/hostapd/hostapd/hostapd.service b/recipes-connectivity/hostapd/hostapd/hostapd.service deleted file mode 100644 index 151c050..0000000 --- a/recipes-connectivity/hostapd/hostapd/hostapd.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator -After=network.target - -[Service] -Type=forking -PIDFile=/run/hostapd.pid -ExecStart=@SBINDIR@/hostapd @SYSCONFDIR@/hostapd.conf -P /run/hostapd.pid -B - -[Install] -WantedBy=multi-user.target diff --git a/recipes-connectivity/hostapd/hostapd_%.bbappend b/recipes-connectivity/hostapd/hostapd_%.bbappend index 2686fa3..c8f8fab 100644 --- a/recipes-connectivity/hostapd/hostapd_%.bbappend +++ b/recipes-connectivity/hostapd/hostapd_%.bbappend @@ -1,5 +1,6 @@ -SRC_URI += "file://cfg80211.conf" -PR = "m1" +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +PR = "m2" do_install_append() { install -d ${D}{sysconfdir}/modprobe.d @@ -12,6 +13,8 @@ SRC_URI += " file://cfg80211.conf \ file://WiFi-SSID \ file://setchan \ file://default \ + file://init \ + file://defconfig \ " do_install() { diff --git a/recipes-connectivity/hostapd/hostapd_2.8.bb b/recipes-connectivity/hostapd/hostapd_2.8.bb deleted file mode 100644 index 15884d0..0000000 --- a/recipes-connectivity/hostapd/hostapd_2.8.bb +++ /dev/null @@ -1,51 +0,0 @@ -SUMMARY = "User space daemon for extended IEEE 802.11 management" -HOMEPAGE = "http://w1.fi/hostapd/" -SECTION = "kernel/userland" -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://hostapd/README;md5=1ec986bec88070e2a59c68c95d763f89" - -DEPENDS = "libnl openssl" - -SRC_URI = " \ - http://w1.fi/releases/hostapd-${PV}.tar.gz \ - file://defconfig \ - file://init \ - file://hostapd.service \ -" - -SRC_URI[md5sum] = "ed2c254e5f400838cb9d8e7b6e43b86c" -SRC_URI[sha256sum] = "929f522be6eeec38c53147e7bc084df028f65f148a3f7e4fa6c4c3f955cee4b0" - -S = "${WORKDIR}/hostapd-${PV}" -B = "${WORKDIR}/hostapd-${PV}/hostapd" - -inherit update-rc.d systemd pkgconfig distro_features_check - -CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers" - -INITSCRIPT_NAME = "hostapd" - -SYSTEMD_SERVICE_${PN} = "hostapd.service" -SYSTEMD_AUTO_ENABLE_${PN} = "disable" - -do_configure_append() { - install -m 0644 ${WORKDIR}/defconfig ${B}/.config -} - -do_compile() { - export CFLAGS="-MMD -O2 -Wall -g" - export EXTRA_CFLAGS="${CFLAGS}" - make V=1 -} - -do_install() { - install -d ${D}${sbindir} ${D}${sysconfdir}/init.d ${D}${systemd_unitdir}/system/ - install -m 0644 ${B}/hostapd.conf ${D}${sysconfdir} - install -m 0755 ${B}/hostapd ${D}${sbindir} - install -m 0755 ${B}/hostapd_cli ${D}${sbindir} - install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/hostapd - install -m 0644 ${WORKDIR}/hostapd.service ${D}${systemd_unitdir}/system/ - sed -i -e 's,@SBINDIR@,${sbindir},g' -e 's,@SYSCONFDIR@,${sysconfdir},g' ${D}${systemd_unitdir}/system/hostapd.service -} - -CONFFILES_${PN} += "${sysconfdir}/hostapd.conf" diff --git a/recipes-connectivity/lora/lora-gateway-sx1303_2.0.1.bb b/recipes-connectivity/lora/lora-gateway-sx1303_2.0.1.bb new file mode 100644 index 0000000..c5c2ab1 --- /dev/null +++ b/recipes-connectivity/lora/lora-gateway-sx1303_2.0.1.bb @@ -0,0 +1,65 @@ +DESCRIPTION = "LoRa Packet Forwarder" +HOMEPAGE = "https://github.com/Lora-net/sx1302_hal" +PRIORITY = "optional" +SECTION = "console/utils" +# Semtech license is a modified BSD-style license +LICENSE = "Proprietary" +LIC_FILES_CHKSUM = "file://LICENSE.TXT;md5=d2119120bd616e725f4580070bd9ee19" +DEPENDS = "logrotate" +RDEPENDS_${PN} += "bash" +PR = "r0" + +# SRCREV = "100104ee350a0e469b348ac383486d311caaf5e5" +SRCREV = "V${PV}" + +SRC_URI = "git://github.com/Lora-net/sx1302_hal.git;protocol=git;branch=master \ +" + + +S = "${WORKDIR}/git" +B = "${S}" + +LORA_DIR = "/opt/lora" + + +CFLAGS += " -I${S}/packet_forwarder/inc -I${S}/libloragw/inc -I${S}/libtools/inc -I${S}/inc -I. -std=gnu11" + +do_compile() { + oe_runmake packet_forwarder LDFLAGS=${LDFLAGS} + oe_runmake util_boot LDFLAGS=${LDFLAGS} + oe_runmake util_chip_id FLAGS=${LDFLAGS} + oe_runmake util_net_downlink LDFLAGS=${LDFLAGS} + # oe_runmake util_spectral_scan LDFLAGS=${LDFLAGS} +} + +do_install() { + install -d ${D}${LORA_DIR} + install -d ${D}${LORA_DIR}/forwarder-utils-sx1303 + install -d ${D}${LORA_DIR}/gateway-utils-sx1303 + install -m 755 packet_forwarder/lora_pkt_fwd ${D}${LORA_DIR}/lora_pkt_fwd_sx1303 + install -m 755 libloragw/test_loragw* ${D}${LORA_DIR}/gateway-utils-sx1303/ + install -m 755 util_boot/boot ${D}${LORA_DIR}/forwarder-utils-sx1303/util_boot + install -m 755 util_chip_id/chip_id ${D}${LORA_DIR}/forwarder-utils-sx1303/util_chip_id + install -m 755 util_net_downlink/net_downlink ${D}${LORA_DIR}/forwarder-utils-sx1303/util_net_downlink + # install -m 755 util_spectral_scan/util_spectral_scan ${D}${LORA_DIR}/forwarder-utils-sx1303/ +} + +do_install_append_mtcdt() { +} + +do_install_append_mtcap() { +} + +do_install_append_mtcdt3() { +} + +do_install_append_mtcdt3hs() { +} + + +FILES_${PN} += "${LORA_DIR}" + +# disable this on purpose for dev purposes +do_rm_work() { + echo "skipping" +} diff --git a/recipes-connectivity/lora/lora-gateway_5.0.1.bb b/recipes-connectivity/lora/lora-gateway_5.0.4.bb index dc3a985..f16cadf 100644 --- a/recipes-connectivity/lora/lora-gateway_5.0.1.bb +++ b/recipes-connectivity/lora/lora-gateway_5.0.4.bb @@ -5,18 +5,18 @@ SECTION = "console/utils" # Semtech license is a modified BSD-style license LICENSE = "Proprietary" LIC_FILES_CHKSUM = "file://LICENSE;md5=a2bdef95625509f821ba00460e3ae0eb" -DEPENDS = "libgps25" -RDEPENDS_${PN} = "libgps25" +DEPENDS = "gpsd" -PR = "r27" -SRCREV = "dea57d6f29246434173c33c56850708c51fc5b23" +PR = "r23" +SRCREV = "004c03449d498cfa495df4d7834b733f4697a10f" - -SRC_URI = "git://git.multitech.net/lora_gateway_mtac_full;branch=master;protocol=git \ +SRC_URI = "git://git@gitlab.multitech.net/lora_enterprise/lora_gateway_mtac_full.git;protocol=ssh;branch=master \ file://library_4.0.cfg \ file://ln-lora-spi-dev.sh \ " +SRC_URI[md5sum] = "9e06a3733a9fea39a3d61f77b412badf" +SRC_URI[sha256sum] = "28fbfe098013908794b32e51d1fed4427f20dd6c8adbbca78df2e1800f5c84dc" S = "${WORKDIR}/git" @@ -28,7 +28,7 @@ do_configure_append() { } do_compile() { - oe_runmake + oe_runmake LDFLAGS=${LDFLAGS} } do_install() { @@ -55,6 +55,7 @@ do_install_append_mtcdt() { install -m 0755 ${WORKDIR}/ln-lora-spi-dev.sh ${D}/opt/lora/ } + PACKAGES += "${PN}-utils ${PN}-utils-dbg" FILES_${PN} = "${libdir}/lora/lora-gw-readme.md" @@ -67,3 +68,4 @@ FILES_${PN}-staticdev = "${libdir}/lora/libloragw.a" do_rm_work() { echo "skipping" } + diff --git a/recipes-connectivity/lora/lora-network-server_2.4.4.bb b/recipes-connectivity/lora/lora-network-server_2.4.4.bb index 49143a9..84c7289 100644 --- a/recipes-connectivity/lora/lora-network-server_2.4.4.bb +++ b/recipes-connectivity/lora/lora-network-server_2.4.4.bb @@ -3,8 +3,8 @@ PRIORITY = "optional" SECTION = "console/utils" LICENSE = "Proprietary" LIC_FILES_CHKSUM = "file://LICENSE;md5=2b9a30a3082ddccd2c695a4dbeeab80d" -DEPENDS = "jsoncpp libmts mosquitto sqlite3 curl gnutls" -RDEPENDS_${PN} += "lora-packet-forwarder logrotate bash lora-logging jsoncpp" +DEPENDS = "jsoncpp16 libmts mosquitto sqlite3 curl gnutls" +RDEPENDS_${PN} += "lora-packet-forwarder logrotate bash lora-logging jsoncpp16" PR = "r0" CONFFILES_${PN} += "${sysconfdir}/default/lora-network-server ${sysconfdir}/init.d/lora-network-server" diff --git a/recipes-connectivity/lora/lora-packet-forwarder_4.0.1.bb b/recipes-connectivity/lora/lora-packet-forwarder_4.0.6.bb index a56ec60..ac5bf6b 100644 --- a/recipes-connectivity/lora/lora-packet-forwarder_4.0.1.bb +++ b/recipes-connectivity/lora/lora-packet-forwarder_4.0.6.bb @@ -5,11 +5,11 @@ SECTION = "console/utils" # Semtech license is a modified BSD-style license LICENSE = "Proprietary" LIC_FILES_CHKSUM = "file://LICENSE;md5=22af7693d7b76ef0fc76161c4be76c45" -DEPENDS = "lora-gateway logrotate lora-logging libgps25" +DEPENDS = "lora-gateway logrotate lora-logging gpsd" RDEPENDS_${PN} += "bash" FILESEXTRAPATHS_append_mtcdt3hs := ":${THISDIR}/lora-packet-forwarder/mtcdt3" -PR = "r26" -SRCREV = "28b9dff2eb06fb88421cf32771d380a178079fce" +PR = "r29" +SRCREV = "${PV}" PACKAGE_ARCH = "${MACHINE_ARCH}" SRC_URI = "git://git.multitech.net/packet_forwarder_mtac_full;branch=master;protocol=git \ @@ -148,6 +148,21 @@ do_install_append_mtcdt3hs() { install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_5.IN865.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_5.IN865 } +do_install_append_mtcpmhs() { + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_5.EU868.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_0.EU868.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_0 + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_5.EU868.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_5 + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_0.EU868.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_0.EU868 + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_5.EU868.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_5.EU868 + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_5.RU864.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_5.RU864 + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_0.US915.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_0.US915 + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_5.US915.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_5.US915 + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_5.AU915.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_5.AU915 + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_5.AS923.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_5.AS923 + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_5.AS923-LBT.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_5.AS923-LBT + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_5.KR920-LBT.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_5.KR920-LBT + install -m 755 ${WORKDIR}/global_conf.json.3.0.0.MTAC_LORA_1_5.IN865.basic.clksrc0 ${D}${LORA_DIR}/global_conf.json.MTAC_LORA_1_5.IN865 +} FILES_${PN} += "${LORA_DIR}" FILES_${PN}-dbg += "${LORA_DIR}/.debug ${LORA_DIR}/forwarder-utils/.debug" diff --git a/recipes-connectivity/lora/lora-query_1.0.6.bb b/recipes-connectivity/lora/lora-query_1.0.6.bb index 60bcc42..43afdf3 100644 --- a/recipes-connectivity/lora/lora-query_1.0.6.bb +++ b/recipes-connectivity/lora/lora-query_1.0.6.bb @@ -2,8 +2,8 @@ DESCRIPTION = "LoRa network server query tool" HOMEPAGE = "http://www.multitech.net/" LICENSE = "GPL-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=94d55d512a9ba36caa9b7df079bae19f" -DEPENDS = "jsoncpp libmts" -RDEPENDS_${PN} += "jsoncpp" +DEPENDS = "jsoncpp16 libmts" +RDEPENDS_${PN} += "jsoncpp16" PR = "r2" SRCREV = "${PV}" diff --git a/recipes-connectivity/mbedtls/mbedtls_2.13.0.bb b/recipes-connectivity/mbedtls/mbedtls_2.25.0.bb index ff3f7f0..c54e18a 100644 --- a/recipes-connectivity/mbedtls/mbedtls_2.13.0.bb +++ b/recipes-connectivity/mbedtls/mbedtls_2.25.0.bb @@ -18,19 +18,18 @@ understand what the code does. It features: \ HOMEPAGE = "https://tls.mbed.org/" LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=302d50a6369f5f22efdb674db908167a" +LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" SECTION = "libs" -SRC_URI = "https://tls.mbed.org/download/mbedtls-${PV}-apache.tgz" - -SRC_URI[md5sum] = "659d96bb03012ca6db414a9137fcdbd6" -SRC_URI[sha256sum] = "593b4e4d2e1629fc407ab4750d69fa309a0ddb66565dc3deb5b60eddbdeb06da" +S = "${WORKDIR}/git" +SRCREV = "1c54b5410fd48d6bcada97e30cac417c5c7eea67" +SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master" inherit cmake PACKAGECONFIG ??= "shared-libs programs" -PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-USE_SHARED_MBEDTLS_LIBRARY=OFF" +PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF" PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF" EXTRA_OECMAKE = "-DENABLE_TESTING=OFF -DLIB_INSTALL_DIR:STRING=${libdir}" @@ -40,3 +39,5 @@ RPROVIDES_${PN} = "polarssl" PACKAGES =+ "${PN}-programs" FILES_${PN}-programs = "${bindir}/" + +BBCLASSEXTEND = "native nativesdk"
\ No newline at end of file diff --git a/recipes-connectivity/mosquitto/mosquitto/config_mk.patch b/recipes-connectivity/mosquitto/mosquitto/config_mk.patch deleted file mode 100644 index 437022c..0000000 --- a/recipes-connectivity/mosquitto/mosquitto/config_mk.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -Naur old/config.mk new/config.mk ---- old/config.mk 2017-04-17 14:33:32.504351936 -0500 -+++ new/config.mk 2017-04-17 14:34:27.061557282 -0500 -@@ -83,9 +83,9 @@ - # Strip executables and shared libraries on install. - WITH_STRIP:=no - - # Build static libraries --WITH_STATIC_LIBRARIES:=no -+WITH_STATIC_LIBRARIES:=yes - - # Build with async dns lookup support for bridges (temporary). Requires glibc. - #WITH_ADNS:=yes - -@@ -272,7 +272,7 @@ - endif - - INSTALL?=install --prefix=/usr/local -+prefix=/usr - mandir=${prefix}/share/man - localedir=${prefix}/share/locale - STRIP?=strip - - - - diff --git a/recipes-connectivity/mosquitto/mosquitto/mosquitto.conf b/recipes-connectivity/mosquitto/mosquitto/mosquitto.conf index 25821b8..6b861d6 100644 --- a/recipes-connectivity/mosquitto/mosquitto/mosquitto.conf +++ b/recipes-connectivity/mosquitto/mosquitto/mosquitto.conf @@ -4,84 +4,136 @@ # # Default values are shown, uncomment to change. # -# Use the # character to indicate a comment, but only if it is the +# Use the # character to indicate a comment, but only if it is the # very first character on the line. # ================================================================= # General configuration # ================================================================= -# Time in seconds to wait before resending an outgoing QoS=1 or -# QoS=2 message. -#retry_interval 20 - -# Time in seconds between updates of the $SYS tree. -# Set to 0 to disable the publishing of the $SYS tree. -#sys_interval 10 +# Use per listener security settings. +# +# It is recommended this option be set before any other options. +# +# If this option is set to true, then all authentication and access control +# options are controlled on a per listener basis. The following options are +# affected: +# +# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous +# auto_id_prefix allow_zero_length_clientid +# +# Note that if set to true, then a durable client (i.e. with clean session set +# to false) that has disconnected will use the ACL settings defined for the +# listener that it was most recently connected to. +# +# The default behaviour is for this to be set to false, which maintains the +# setting behaviour from previous versions of mosquitto. +#per_listener_settings false -# Time in seconds between cleaning the internal message store of -# unreferenced messages. Lower values will result in lower memory -# usage but more processor time, higher values will have the -# opposite effect. -# Setting a value of 0 means the unreferenced messages will be -# disposed of as quickly as possible. -#store_clean_interval 10 -# Write process id to a file. Default is a blank string which means -# a pid file shouldn't be written. -# This should be set to /var/run/mosquitto.pid if mosquitto is -# being run automatically on boot with an init script and -# start-stop-daemon or similar. -pid_file /var/run/mosquitto.pid +# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/# +# and foo/+/baz , then MQTT expects that when the broker receives a message on +# a topic that matches both subscriptions, such as foo/bar/baz, then the client +# should only receive the message once. +# Mosquitto keeps track of which clients a message has been sent to in order to +# meet this requirement. The allow_duplicate_messages option allows this +# behaviour to be disabled, which may be useful if you have a large number of +# clients subscribed to the same set of topics and are very concerned about +# minimising memory usage. +# It can be safely set to true if you know in advance that your clients will +# never have overlapping subscriptions, otherwise your clients must be able to +# correctly deal with duplicate messages even when then have QoS=2. +#allow_duplicate_messages false -# When run as root, drop privileges to this user and its primary -# group. -# Leave blank to stay as root, but this is not recommended. -# If run as a non-root user, this setting has no effect. -# Note that on Windows this has no effect and so mosquitto should -# be started by the user you wish it to run as. -user root +# This option controls whether a client is allowed to connect with a zero +# length client id or not. This option only affects clients using MQTT v3.1.1 +# and later. If set to false, clients connecting with a zero length client id +# are disconnected. If set to true, clients will be allocated a client id by +# the broker. This means it is only useful for clients with clean session set +# to true. +#allow_zero_length_clientid true -# The maximum number of QoS 1 and 2 messages currently inflight per +# If allow_zero_length_clientid is true, this option allows you to set a prefix +# to automatically generated client ids to aid visibility in logs. +# Defaults to 'auto-' +#auto_id_prefix auto- + +# This option affects the scenario when a client subscribes to a topic that has +# retained messages. It is possible that the client that published the retained +# message to the topic had access at the time they published, but that access +# has been subsequently removed. If check_retain_source is set to true, the +# default, the source of a retained message will be checked for access rights +# before it is republished. When set to false, no check will be made and the +# retained message will always be published. This affects all listeners. +#check_retain_source true + +# QoS 1 and 2 messages will be allowed inflight per client until this limit +# is exceeded. Defaults to 0. (No maximum) +# See also max_inflight_messages +#max_inflight_bytes 0 + +# The maximum number of QoS 1 and 2 messages currently inflight per # client. -# This includes messages that are partway through handshakes and -# those that are being retried. Defaults to 20. Set to 0 for no -# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 +# This includes messages that are partway through handshakes and +# those that are being retried. Defaults to 20. Set to 0 for no +# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 # and 2 messages. #max_inflight_messages 20 -# The maximum number of QoS 1 and 2 messages to hold in a queue -# above those that are currently in-flight. Defaults to 100. Set +# For MQTT v5 clients, it is possible to have the server send a "server +# keepalive" value that will override the keepalive value set by the client. +# This is intended to be used as a mechanism to say that the server will +# disconnect the client earlier than it anticipated, and that the client should +# use the new keepalive value. The max_keepalive option allows you to specify +# that clients may only connect with keepalive less than or equal to this +# value, otherwise they will be sent a server keepalive telling them to use +# max_keepalive. This only applies to MQTT v5 clients. The maximum value +# allowable is 65535. Do not set below 10. +#max_keepalive 65535 + +# For MQTT v5 clients, it is possible to have the server send a "maximum packet +# size" value that will instruct the client it will not accept MQTT packets +# with size greater than max_packet_size bytes. This applies to the full MQTT +# packet, not just the payload. Setting this option to a positive value will +# set the maximum packet size to that number of bytes. If a client sends a +# packet which is larger than this value, it will be disconnected. This applies +# to all clients regardless of the protocol version they are using, but v3.1.1 +# and earlier clients will of course not have received the maximum packet size +# information. Defaults to no limit. Setting below 20 bytes is forbidden +# because it is likely to interfere with ordinary client operation, even with +# very small payloads. +#max_packet_size 0 + +# QoS 1 and 2 messages above those currently in-flight will be queued per +# client until this limit is exceeded. Defaults to 0. (No maximum) +# See also max_queued_messages. +# If both max_queued_messages and max_queued_bytes are specified, packets will +# be queued until the first limit is reached. +#max_queued_bytes 0 + +# The maximum number of QoS 1 and 2 messages to hold in a queue per client +# above those that are currently in-flight. Defaults to 100. Set # to 0 for no maximum (not recommended). # See also queue_qos0_messages. +# See also max_queued_bytes. #max_queued_messages 100 - -# Set to true to queue messages with QoS 0 when a persistent client is -# disconnected. These messages are included in the limit imposed by -# max_queued_messages. -# Defaults to false. -# This is a non-standard option for the MQTT v3.1 spec but is allowed in -# v3.1.1. -#queue_qos0_messages false +# +# This option sets the maximum number of heap memory bytes that the broker will +# allocate, and hence sets a hard limit on memory use by the broker. Memory +# requests that exceed this value will be denied. The effect will vary +# depending on what has been denied. If an incoming message is being processed, +# then the message will be dropped and the publishing client will be +# disconnected. If an outgoing message is being sent, then the individual +# message will be dropped and the receiving client will be disconnected. +# Defaults to no limit. +#memory_limit 0 # This option sets the maximum publish payload size that the broker will allow. # Received messages that exceed this size will not be accepted by the broker. # The default value is 0, which means that all valid MQTT messages are -# accepted. MQTT imposes a maximum payload size of 268435455 bytes. +# accepted. MQTT imposes a maximum payload size of 268435455 bytes. #message_size_limit 0 -# This option controls whether a client is allowed to connect with a zero -# length client id or not. This option only affects clients using MQTT v3.1.1 -# and later. If set to false, clients connecting with a zero length client id -# are disconnected. If set to true, clients will be allocated a client id by -# the broker. This means it is only useful for clients with clean session set -# to true. -#allow_zero_length_clientid true - -# If allow_zero_length_clientid is true, this option allows you to set a prefix -# to automatically generated client ids to aid visibility in logs. -#auto_id_prefix - # This option allows persistent clients (those with clean session set to false) # to be removed if they do not reconnect within a certain time frame. # @@ -101,19 +153,34 @@ user root # The default if not set is to never expire persistent clients. #persistent_client_expiration -# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/# -# and foo/+/baz , then MQTT expects that when the broker receives a message on -# a topic that matches both subscriptions, such as foo/bar/baz, then the client -# should only receive the message once. -# Mosquitto keeps track of which clients a message has been sent to in order to -# meet this requirement. The allow_duplicate_messages option allows this -# behaviour to be disabled, which may be useful if you have a large number of -# clients subscribed to the same set of topics and are very concerned about -# minimising memory usage. -# It can be safely set to true if you know in advance that your clients will -# never have overlapping subscriptions, otherwise your clients must be able to -# correctly deal with duplicate messages even when then have QoS=2. -#allow_duplicate_messages false +# Write process id to a file. Default is a blank string which means +# a pid file shouldn't be written. +# This should be set to /var/run/mosquitto.pid if mosquitto is +# being run automatically on boot with an init script and +# start-stop-daemon or similar. +#pid_file + +# Set to true to queue messages with QoS 0 when a persistent client is +# disconnected. These messages are included in the limit imposed by +# max_queued_messages and max_queued_bytes +# Defaults to false. +# This is a non-standard option for the MQTT v3.1 spec but is allowed in +# v3.1.1. +#queue_qos0_messages false + +# Set to false to disable retained message support. If a client publishes a +# message with the retain bit set, it will be disconnected if this is set to +# false. +#retain_available true + +# Disable Nagle's algorithm on client sockets. This has the effect of reducing +# latency of individual messages at the potential cost of increasing the number +# of packets being sent. +#set_tcp_nodelay false + +# Time in seconds between updates of the $SYS tree. +# Set to 0 to disable the publishing of the $SYS tree. +#sys_interval 10 # The MQTT specification requires that the QoS of a message delivered to a # subscriber is never upgraded to match the QoS of the subscription. Enabling @@ -122,12 +189,20 @@ user root # This is a non-standard option explicitly disallowed by the spec. #upgrade_outgoing_qos false +# When run as root, drop privileges to this user and its primary +# group. +# Set to root to stay as root, but this is not recommended. +# If run as a non-root user, this setting has no effect. +# Note that on Windows this has no effect and so mosquitto should +# be started by the user you wish it to run as. +user root + # ================================================================= # Default listener # ================================================================= # IP address/hostname to bind the default listener to. If not -# given, the default listener will not be bound to a specific +# given, the default listener will not be bound to a specific # address and so will be accessible to all network interfaces. # bind_address ip-address/host name bind_address 127.0.0.1 @@ -135,11 +210,25 @@ bind_address 127.0.0.1 # Port to use for the default listener. port 1883 -# The maximum number of client connections to allow. This is +# Bind the listener to a specific interface. This is similar to +# bind_address above but is useful when an interface has multiple addresses or +# the address may change. It is valid to use this with the bind_address option, +# but take care that the interface you are binding to contains the address you +# are binding to, otherwise you will not be able to connect. +# Example: bind_interface eth0 +#bind_interface + +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is # a per listener setting. # Default is -1, which means unlimited connections. -# Note that other process limits mean that unlimited connections -# are not really possible. Typically the default maximum number of +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of # connections possible is around 1024. #max_connections -1 @@ -150,12 +239,6 @@ port 1883 # only the cafile, certfile, keyfile and ciphers options are supported. protocol mqtt -# When a listener is using the websockets protocol, it is possible to serve -# http data as well. Set http_dir to a directory which contains the files you -# wish to serve. If this option is not specified, then no normal http -# connections will be possible. -#http_dir - # Set use_username_as_clientid to true to replace the clientid that a client # connected with with its username. This allows authentication to be tied to # the clientid, which means that it is possible to prevent one client @@ -169,21 +252,21 @@ protocol mqtt # ----------------------------------------------------------------- # Certificate based SSL/TLS support # ----------------------------------------------------------------- -# The following options can be used to enable SSL/TLS support for +# The following options can be used to enable SSL/TLS support for # this listener. Note that the recommended port for MQTT over TLS # is 8883, but this must be set manually. # # See also the mosquitto-tls man page. -# At least one of cafile or capath must be defined. They both -# define methods of accessing the PEM encoded Certificate -# Authority certificates that have signed your server certificate +# At least one of cafile or capath must be defined. They both +# define methods of accessing the PEM encoded Certificate +# Authority certificates that have signed your server certificate # and that you wish to trust. # cafile defines the path to a file containing the CA certificates. # capath defines a directory that will be searched for files # containing the CA certificates. For capath to work correctly, the # certificate files must have ".crt" as the file ending and you must run -# "c_rehash <path to capath>" each time you add/remove a certificate. +# "openssl rehash <path to capath>" each time you add/remove a certificate. #cafile #capath @@ -193,12 +276,24 @@ protocol mqtt # Path to the PEM encoded keyfile. #keyfile -# This option defines the version of the TLS protocol to use for this listener. -# The default value allows v1.2, v1.1 and v1.0, if they are all supported by -# the version of openssl that the broker was compiled against. For openssl >= -# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the -# valid values are tlsv1. -#tls_version + +# If you have require_certificate set to true, you can create a certificate +# revocation list file to revoke access to particular client certificates. If +# you have done this, use crlfile to point to the PEM encoded revocation file. +#crlfile + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be obtained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. +# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH +#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH + +# To allow the use of ephemeral DH key exchange, which provides forward +# security, the listener must load DH parameters. This can be specified with +# the dhparamfile option. The dhparamfile can be generated with the command +# e.g. "openssl dhparam -out dhparam.pem 2048" +#dhparamfile # By default a TLS enabled listener will operate in a similar fashion to a # https enabled web server, in that the server has a certificate signed by a CA @@ -209,22 +304,23 @@ protocol mqtt # outside of the mechanisms provided by MQTT. #require_certificate false +# This option defines the version of the TLS protocol to use for this listener. +# The default value allows all of v1.3, v1.2 and v1.1. The valid values are +# tlsv1.3 tlsv1.2 and tlsv1.1. +#tls_version + # If require_certificate is true, you may set use_identity_as_username to true # to use the CN value from the client certificate as a username. If this is # true, the password_file option will not be used for this listener. +# This takes priority over use_subject_as_username. +# See also use_subject_as_username. #use_identity_as_username false -# If you have require_certificate set to true, you can create a certificate -# revocation list file to revoke access to particular client certificates. If -# you have done this, use crlfile to point to the PEM encoded revocation file. -#crlfile - -# If you wish to control which encryption ciphers are used, use the ciphers -# option. The list of available ciphers can be optained using the "openssl -# ciphers" command and should be provided in the same format as the output of -# that command. -# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH -#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH +# If require_certificate is true, you may set use_subject_as_username to true +# to use the complete subject value from the client certificate as a username. +# If this is true, the password_file option will not be used for this listener. +# See also use_identity_as_username +#use_subject_as_username false # ----------------------------------------------------------------- # Pre-shared-key based SSL/TLS support @@ -245,40 +341,60 @@ protocol mqtt # used or create a security plugin to handle them. #psk_hint +# When using PSK, the encryption ciphers used will be chosen from the list of +# available PSK ciphers. If you want to control which ciphers are available, +# use the "ciphers" option. The list of available ciphers can be obtained +# using the "openssl ciphers" command and should be provided in the same format +# as the output of that command. +#ciphers + # Set use_identity_as_username to have the psk identity sent by the client used # as its username. Authentication will be carried out using the PSK rather than # the MQTT username/password and so password_file will not be used for this # listener. #use_identity_as_username false -# When using PSK, the encryption ciphers used will be chosen from the list of -# available PSK ciphers. If you want to control which ciphers are available, -# use the "ciphers" option. The list of available ciphers can be optained -# using the "openssl ciphers" command and should be provided in the same format -# as the output of that command. -#ciphers # ================================================================= # Extra listeners # ================================================================= -# Listen on a port/ip address combination. By using this variable -# multiple times, mosquitto can listen on more than one port. If -# this variable is used and neither bind_address nor port given, +# Listen on a port/ip address combination. By using this variable +# multiple times, mosquitto can listen on more than one port. If +# this variable is used and neither bind_address nor port given, # then the default listener will not be started. -# The port number to listen on must be given. Optionally, an ip -# address or host name may be supplied as a second argument. In -# this case, mosquitto will attempt to bind the listener to that -# address and so restrict access to the associated network and +# The port number to listen on must be given. Optionally, an ip +# address or host name may be supplied as a second argument. In +# this case, mosquitto will attempt to bind the listener to that +# address and so restrict access to the associated network and # interface. By default, mosquitto will listen on all interfaces. +# Note that for a websockets listener it is not possible to bind to a host +# name. # listener port-number [ip address/host name] #listener -# The maximum number of client connections to allow. This is +# Bind the listener to a specific interface. This is similar to +# the [ip address/host name] part of the listener definition, but is useful +# when an interface has multiple addresses or the address may change. It is +# valid to use this with the [ip address/host name] part of the listener +# definition, but take care that the interface you are binding to contains the +# address you are binding to, otherwise you will not be able to connect. +# Only available on Linux and requires elevated privileges. +# +# Example: bind_interface eth0 +#bind_interface + +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is # a per listener setting. # Default is -1, which means unlimited connections. -# Note that other process limits mean that unlimited connections -# are not really possible. Typically the default maximum number of +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of # connections possible is around 1024. #max_connections -1 @@ -294,12 +410,6 @@ protocol mqtt # cafile, certfile, keyfile and ciphers options are supported. protocol mqtt -# When a listener is using the websockets protocol, it is possible to serve -# http data as well. Set http_dir to a directory which contains the files you -# wish to serve. If this option is not specified, then no normal http -# connections will be possible. -#http_dir - # Set use_username_as_clientid to true to replace the clientid that a client # connected with with its username. This allows authentication to be tied to # the clientid, which means that it is possible to prevent one client @@ -310,6 +420,13 @@ protocol mqtt # See also use_identity_as_username. #use_username_as_clientid +# Change the websockets headers size. This is a global option, it is not +# possible to set per listener. This option sets the size of the buffer used in +# the libwebsockets library when reading HTTP headers. If you are passing large +# header data such as cookies then you may need to increase this value. If left +# unset, or set to 0, then the default of 1024 bytes will be used. +#websockets_headers_size + # ----------------------------------------------------------------- # Certificate based SSL/TLS support # ----------------------------------------------------------------- @@ -329,7 +446,7 @@ protocol mqtt # capath defines a directory that will be searched for files # containing the CA certificates. For capath to work correctly, the # certificate files must have ".crt" as the file ending and you must run -# "c_rehash <path to capath>" each time you add/remove a certificate. +# "openssl rehash <path to capath>" each time you add/remove a certificate. #cafile #capath @@ -339,6 +456,24 @@ protocol mqtt # Path to the PEM encoded keyfile. #keyfile + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be optained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. +#ciphers + +# If you have require_certificate set to true, you can create a certificate +# revocation list file to revoke access to particular client certificates. If +# you have done this, use crlfile to point to the PEM encoded revocation file. +#crlfile + +# To allow the use of ephemeral DH key exchange, which provides forward +# security, the listener must load DH parameters. This can be specified with +# the dhparamfile option. The dhparamfile can be generated with the command +# e.g. "openssl dhparam -out dhparam.pem 2048" +#dhparamfile + # By default an TLS enabled listener will operate in a similar fashion to a # https enabled web server, in that the server has a certificate signed by a CA # and the client will verify that it is a trusted certificate. The overall aim @@ -353,17 +488,6 @@ protocol mqtt # true, the password_file option will not be used for this listener. #use_identity_as_username false -# If you have require_certificate set to true, you can create a certificate -# revocation list file to revoke access to particular client certificates. If -# you have done this, use crlfile to point to the PEM encoded revocation file. -#crlfile - -# If you wish to control which encryption ciphers are used, use the ciphers -# option. The list of available ciphers can be optained using the "openssl -# ciphers" command and should be provided in the same format as the output of -# that command. -#ciphers - # ----------------------------------------------------------------- # Pre-shared-key based SSL/TLS support # ----------------------------------------------------------------- @@ -383,12 +507,6 @@ protocol mqtt # used or create a security plugin to handle them. #psk_hint -# Set use_identity_as_username to have the psk identity sent by the client used -# as its username. Authentication will be carried out using the PSK rather than -# the MQTT username/password and so password_file will not be used for this -# listener. -#use_identity_as_username false - # When using PSK, the encryption ciphers used will be chosen from the list of # available PSK ciphers. If you want to control which ciphers are available, # use the "ciphers" option. The list of available ciphers can be optained @@ -396,15 +514,22 @@ protocol mqtt # as the output of that command. #ciphers +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + # ================================================================= # Persistence # ================================================================= -# If persistence is enabled, save the in-memory database to disk -# every autosave_interval seconds. If set to 0, the persistence +# If persistence is enabled, save the in-memory database to disk +# every autosave_interval seconds. If set to 0, the persistence # database will only be written when mosquitto exits. See also # autosave_on_changes. -# Note that writing of the persistence database can be forced by +# Note that writing of the persistence database can be forced by # sending mosquitto a SIGUSR1 signal. #autosave_interval 1800 @@ -416,13 +541,13 @@ protocol mqtt #autosave_on_changes false # Save persistent message data to disk (true/false). -# This saves information about all messages, including -# subscriptions, currently in-flight messages and retained +# This saves information about all messages, including +# subscriptions, currently in-flight messages and retained # messages. # retained_persistence is a synonym for this option. #persistence false -# The filename to use for the persistent database, not including +# The filename to use for the persistent database, not including # the path. #persistence_file mosquitto.db @@ -432,21 +557,22 @@ protocol mqtt # similar. #persistence_location + # ================================================================= # Logging # ================================================================= -# Places to log to. Use multiple log_dest lines for multiple +# Places to log to. Use multiple log_dest lines for multiple # logging destinations. # Possible destinations are: stdout stderr syslog topic file # # stdout and stderr log to the console on the named output. # -# syslog uses the userspace syslog facility which usually ends up +# syslog uses the userspace syslog facility which usually ends up # in /var/log/messages or similar. # -# topic logs to the broker topic '$SYS/broker/log/<severity>', -# where severity is one of D, E, W, N, I, M which are debug, error, +# topic logs to the broker topic '$SYS/broker/log/<severity>', +# where severity is one of D, E, W, N, I, M which are debug, error, # warning, notice, information and message. Message type severity is used by # the subscribe/unsubscribe log_types and publishes log messages to # $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. @@ -461,15 +587,9 @@ protocol mqtt # Use "log_dest none" if you wish to disable logging. log_dest file /var/log/mosquitto.log -# If using syslog logging (not on Windows), messages will be logged to the -# "daemon" facility by default. Use the log_facility option to choose which of -# local0 to local7 to log to instead. The option value should be an integer -# value, e.g. "log_facility 5" to use local5. -#log_facility - # Types of messages to log. Use multiple log_type lines for logging # multiple types of messages. -# Possible types are: debug, error, warning, notice, information, +# Possible types are: debug, error, warning, notice, information, # none, subscribe, unsubscribe, websockets, all. # Note that debug type messages are for decoding the incoming/outgoing # network packets. They are not logged in "topics". @@ -478,40 +598,58 @@ log_type warning log_type notice log_type information + # If set to true, client connection and disconnection messages will be included # in the log. connection_messages true +# If using syslog logging (not on Windows), messages will be logged to the +# "daemon" facility by default. Use the log_facility option to choose which of +# local0 to local7 to log to instead. The option value should be an integer +# value, e.g. "log_facility 5" to use local5. +#log_facility + # If set to true, add a timestamp value to each log message. log_timestamp true +# Set the format of the log timestamp. If left unset, this is the number of +# seconds since the Unix epoch. +# This is a free text string which will be passed to the strftime function. To +# get an ISO 8601 datetime, for example: +# log_timestamp_format %Y-%m-%dT%H:%M:%S +#log_timestamp_format + +# Change the websockets logging level. This is a global option, it is not +# possible to set per listener. This is an integer that is interpreted by +# libwebsockets as a bit mask for its lws_log_levels enum. See the +# libwebsockets documentation for more details. "log_type websockets" must also +# be enabled. +#websockets_log_level 0 + + # ================================================================= # Security # ================================================================= -# If set, only clients that have a matching prefix on their -# clientid will be allowed to connect to the broker. By default, +# If set, only clients that have a matching prefix on their +# clientid will be allowed to connect to the broker. By default, # all clients may connect. # For example, setting "secure-" here would mean a client "secure- # client" could connect but another with clientid "mqtt" couldn't. #clientid_prefixes -# Boolean value that determines whether clients that connect -# without providing a username are allowed to connect. If set to -# false then a password file should be created (see the -# password_file option) to control authenticated client access. -# Defaults to true. +# Boolean value that determines whether clients that connect +# without providing a username are allowed to connect. If set to +# false then a password file should be created (see the +# password_file option) to control authenticated client access. +# +# Defaults to true if no other security options are set. If `password_file` or +# `psk_file` is set, or if an authentication plugin is loaded which implements +# username/password or TLS-PSK checks, then `allow_anonymous` defaults to +# false. +# #allow_anonymous true -# In addition to the clientid_prefixes, allow_anonymous and TLS -# authentication options, username based authentication is also -# possible. The default support is described in "Default -# authentication and topic access control" below. The auth_plugin -# allows another authentication method to be used. -# Specify the path to the loadable plugin and see the -# "Authentication and topic access plugin options" section below. -#auth_plugin - # ----------------------------------------------------------------- # Default authentication and topic access control # ----------------------------------------------------------------- @@ -522,11 +660,12 @@ log_timestamp true # plain text passwords are used, in which case the file should be a text file # with lines in the format: # username:password -# The password (and colon) may be omitted if desired, although this +# The password (and colon) may be omitted if desired, although this # offers very little in the way of security. -# +# # See the TLS client require_certificate and use_identity_as_username options -# for alternative authentication options. +# for alternative authentication options. If an auth_plugin is used as well as +# password_file, the auth_plugin check will be made first. #password_file # Access may also be controlled using a pre-shared-key file. This requires @@ -534,6 +673,7 @@ log_timestamp true # lines in the format: # identity:key # The key should be in hexadecimal format without a leading "0x". +# If an auth_plugin is used as well, the auth_plugin check will be made first. #psk_file # Control access to topics on the broker using an access control list @@ -544,14 +684,14 @@ log_timestamp true # Topic access is added with lines of the format: # # topic [read|write|readwrite] <topic> -# +# # The access type is controlled using "read", "write" or "readwrite". This # parameter is optional (unless <topic> contains a space character) - if not # given then the access is read/write. <topic> can contain the + or # # wildcards as in subscriptions. -# +# # The first set of topics are applied to anonymous clients, assuming -# allow_anonymous is true. User specific topic ACLs are added after a +# allow_anonymous is true. User specific topic ACLs are added after a # user line as follows: # # user <username> @@ -583,18 +723,31 @@ log_timestamp true # # pattern write sensor/%u/data # +# If an auth_plugin is used as well as acl_file, the auth_plugin check will be +# made first. #acl_file # ----------------------------------------------------------------- -# Authentication and topic access plugin options +# External authentication and topic access plugin options # ----------------------------------------------------------------- +# External authentication and access control can be supported with the +# auth_plugin option. This is a path to a loadable plugin. See also the +# auth_opt_* options described below. +# +# The auth_plugin option can be specified multiple times to load multiple +# plugins. The plugins will be processed in the order that they are specified +# here. If the auth_plugin option is specified alongside either of +# password_file or acl_file then the plugin checks will be made first. +# +#auth_plugin + # If the auth_plugin option above is used, define options to pass to the # plugin here as described by the plugin instructions. All options named # using the format auth_opt_* will be passed to the plugin, for example: # # auth_opt_db_host -# auth_opt_db_port +# auth_opt_db_port # auth_opt_db_username # auth_opt_db_password @@ -607,21 +760,29 @@ log_timestamp true # Create a new bridge using the "connection" option as described below. Set # options for the bridges using the remaining parameters. You must specify the # address and at least one topic to subscribe to. +# # Each connection must have a unique name. +# # The address line may have multiple host address and ports specified. See # below in the round_robin description for more details on bridge behaviour if -# multiple addresses are used. -# The direction that the topic will be shared can be chosen by -# specifying out, in or both, where the default value is out. +# multiple addresses are used. Note that if you use an IPv6 address, then you +# are required to specify a port. +# +# The direction that the topic will be shared can be chosen by +# specifying out, in or both, where the default value is out. # The QoS level of the bridged communication can be specified with the next # topic option. The default QoS level is 0, to change the QoS the topic # direction must also be given. +# # The local and remote prefix options allow a topic to be remapped when it is # bridged to/from the remote broker. This provides the ability to place a topic -# tree in an appropriate location. +# tree in an appropriate location. +# # For more details see the mosquitto.conf man page. -# Multiple topics can be specified per connection, but be careful +# +# Multiple topics can be specified per connection, but be careful # not to create any loops. +# # If you are using bridges with cleansession set to false (the default), then # you may get unexpected behaviour from incoming topics if you change what # topics you are subscribing to. This is because the remote broker keeps the @@ -632,9 +793,6 @@ log_timestamp true #address <host>[:<port>] [<host>[:<port>]] #topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix] -# Set the version of the MQTT protocol to use with for this bridge. Can be one -# of mqttv31 or mqttv311. Defaults to mqttv31. -#bridge_protocol_version mqttv31 # If a bridge has topics that have "out" direction, the default behaviour is to # send an unsubscribe request to the remote broker on that topic. This means @@ -644,56 +802,93 @@ log_timestamp true # the unsubscribe request. #bridge_attempt_unsubscribe true -# If the bridge has more than one address given in the address/addresses -# configuration, the round_robin option defines the behaviour of the bridge on -# a failure of the bridge connection. If round_robin is false, the default -# value, then the first address is treated as the main bridge connection. If -# the connection fails, the other secondary addresses will be attempted in -# turn. Whilst connected to a secondary bridge, the bridge will periodically -# attempt to reconnect to the main bridge until successful. -# If round_robin is true, then all addresses are treated as equals. If a -# connection fails, the next address will be tried and if successful will -# remain connected until it fails -#round_robin false +# Set the version of the MQTT protocol to use with for this bridge. Can be one +# of mqttv311 or mqttv11. Defaults to mqttv311. +#bridge_protocol_version mqttv311 -# Set the client id to use on the remote end of this bridge connection. If not -# defined, this defaults to 'name.hostname' where name is the connection name -# and hostname is the hostname of this computer. -# This replaces the old "clientid" option to avoid confusion. "clientid" -# remains valid for the time being. -#remote_clientid +# Set the clean session variable for this bridge. +# When set to true, when the bridge disconnects for any reason, all +# messages and subscriptions will be cleaned up on the remote +# broker. Note that with cleansession set to true, there may be a +# significant amount of retained messages sent when the bridge +# reconnects after losing its connection. +# When set to false, the subscriptions and messages are kept on the +# remote broker, and delivered when the bridge reconnects. +#cleansession false + +# Set the amount of time a bridge using the lazy start type must be idle before +# it will be stopped. Defaults to 60 seconds. +#idle_timeout 60 + +# Set the keepalive interval for this bridge connection, in +# seconds. +#keepalive_interval 60 # Set the clientid to use on the local broker. If not defined, this defaults to # 'local.<clientid>'. If you are bridging a broker to itself, it is important # that local_clientid and clientid do not match. #local_clientid -# Set the clean session variable for this bridge. -# When set to true, when the bridge disconnects for any reason, all -# messages and subscriptions will be cleaned up on the remote -# broker. Note that with cleansession set to true, there may be a -# significant amount of retained messages sent when the bridge -# reconnects after losing its connection. -# When set to false, the subscriptions and messages are kept on the -# remote broker, and delivered when the bridge reconnects. -#cleansession false - # If set to true, publish notification messages to the local and remote brokers # giving information about the state of the bridge connection. Retained # messages are published to the topic $SYS/broker/connection/<clientid>/state # unless the notification_topic option is used. # If the message is 1 then the connection is active, or 0 if the connection has # failed. +# This uses the last will and testament feature. #notifications true # Choose the topic on which notification messages for this bridge are # published. If not set, messages are published on the topic # $SYS/broker/connection/<clientid>/state -#notification_topic +#notification_topic -# Set the keepalive interval for this bridge connection, in -# seconds. -#keepalive_interval 60 +# Set the client id to use on the remote end of this bridge connection. If not +# defined, this defaults to 'name.hostname' where name is the connection name +# and hostname is the hostname of this computer. +# This replaces the old "clientid" option to avoid confusion. "clientid" +# remains valid for the time being. +#remote_clientid + +# Set the password to use when connecting to a broker that requires +# authentication. This option is only used if remote_username is also set. +# This replaces the old "password" option to avoid confusion. "password" +# remains valid for the time being. +#remote_password + +# Set the username to use when connecting to a broker that requires +# authentication. +# This replaces the old "username" option to avoid confusion. "username" +# remains valid for the time being. +#remote_username + +# Set the amount of time a bridge using the automatic start type will wait +# until attempting to reconnect. +# This option can be configured to use a constant delay time in seconds, or to +# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree +# of randomness to when the restart occurs. +# +# Set a constant timeout of 20 seconds: +# restart_timeout 20 +# +# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of +# 60 seconds: +# restart_timeout 10 30 +# +# Defaults to jitter with a base of 5 and cap of 30 +#restart_timeout 5 30 + +# If the bridge has more than one address given in the address/addresses +# configuration, the round_robin option defines the behaviour of the bridge on +# a failure of the bridge connection. If round_robin is false, the default +# value, then the first address is treated as the main bridge connection. If +# the connection fails, the other secondary addresses will be attempted in +# turn. Whilst connected to a secondary bridge, the bridge will periodically +# attempt to reconnect to the main bridge until successful. +# If round_robin is true, then all addresses are treated as equals. If a +# connection fails, the next address will be tried and if successful will +# remain connected until it fails +#round_robin false # Set the start type of the bridge. This controls how the bridge starts and # can be one of three types: automatic, lazy and once. Note that RSMB provides @@ -713,14 +908,6 @@ log_timestamp true # broker starts but will not be restarted if the connection fails. #start_type automatic -# Set the amount of time a bridge using the automatic start type will wait -# until attempting to reconnect. Defaults to 30 seconds. -#restart_timeout 30 - -# Set the amount of time a bridge using the lazy start type must be idle before -# it will be stopped. Defaults to 60 seconds. -#idle_timeout 60 - # Set the number of messages that need to be queued for a bridge with lazy # start type to be restarted. Defaults to 10 messages. # Must be less than max_queued_messages. @@ -734,18 +921,6 @@ log_timestamp true # properly. #try_private true -# Set the username to use when connecting to a broker that requires -# authentication. -# This replaces the old "username" option to avoid confusion. "username" -# remains valid for the time being. -#remote_username - -# Set the password to use when connecting to a broker that requires -# authentication. This option is only used if remote_username is also set. -# This replaces the old "password" option to avoid confusion. "password" -# remains valid for the time being. -#remote_password - # ----------------------------------------------------------------- # Certificate based SSL/TLS support # ----------------------------------------------------------------- @@ -756,16 +931,16 @@ log_timestamp true # certificate. # bridge_capath defines a directory that will be searched for files containing # the CA certificates. For bridge_capath to work correctly, the certificate -# files must have ".crt" as the file ending and you must run "c_rehash <path to -# capath>" each time you add/remove a certificate. +# files must have ".crt" as the file ending and you must run "openssl rehash +# <path to capath>" each time you add/remove a certificate. #bridge_cafile #bridge_capath -# Path to the PEM encoded client certificate, if required by the remote broker. -#bridge_certfile -# Path to the PEM encoded client private key, if required by the remote broker. -#bridge_keyfile +# If the remote broker has more than one protocol available on its port, e.g. +# MQTT and WebSockets, then use bridge_alpn to configure which protocol is +# requested. Note that WebSockets support for bridges is not yet available. +#bridge_alpn # When using certificate based encryption, bridge_insecure disables # verification of the server hostname in the server certificate. This can be @@ -776,6 +951,12 @@ log_timestamp true # point using encryption. #bridge_insecure false +# Path to the PEM encoded client certificate, if required by the remote broker. +#bridge_certfile + +# Path to the PEM encoded client private key, if required by the remote broker. +#bridge_keyfile + # ----------------------------------------------------------------- # PSK based SSL/TLS support # ----------------------------------------------------------------- @@ -793,20 +974,15 @@ log_timestamp true # External config files # ================================================================= -# External configuration files may be included by using the +# External configuration files may be included by using the # include_dir option. This defines a directory that will be searched # for config files. All files that end in '.conf' will be loaded as # a configuration file. It is best to have this as the last option # in the main file. This option will only be processed from the main -# configuration file. The directory specified must not contain the +# configuration file. The directory specified must not contain the # main configuration file. +# Files within include_dir will be loaded sorted in case-sensitive +# alphabetical order, with capital letters ordered first. If this option is +# given multiple times, all of the files from the first instance will be +# processed before the next instance. See the man page for examples. #include_dir - -# ================================================================= -# rsmb options - unlikely to ever be supported -# ================================================================= - -#ffdc_output -#max_log_entries -#trace_level -#trace_output diff --git a/recipes-connectivity/mosquitto/mosquitto/mosquitto.init b/recipes-connectivity/mosquitto/mosquitto/mosquitto.init index 7b3e634..21bffe6 100755 --- a/recipes-connectivity/mosquitto/mosquitto/mosquitto.init +++ b/recipes-connectivity/mosquitto/mosquitto/mosquitto.init @@ -1,53 +1,96 @@ -#!/bin/sh -# -# mosquitto Starts and stops Mosquitto -# mosquitto (MQTT 3.5 broker) -# -# chkconfig: - 58 74 -# description: mosquitto is a MQTT 3.5 broker. \ -# http://mosquitto.org/ +#! /bin/sh + +# Based on the Debian initscript for mosquitto ### BEGIN INIT INFO -# Provides: mosquitto -# Required-Start: $network $local_fs -# Required-Stop: $network $local_fs -# Should-Start: $syslog $named -# Should-Stop: $syslog $named -# Short-Description: start and stop mosquitto -# Description: mosquitto is a MQTT 3.5 broker. +# Provides: mosquitto +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: mosquitto MQTT message broker +# Description: +# This is a message broker that supports version 3.1/3.1.1 of the MQ Telemetry +# Transport (MQTT) protocol. +# +# MQTT provides a method of carrying out messaging using a publish/subscribe +# model. It is lightweight, both in terms of bandwidth usage and ease of +# implementation. This makes it particularly useful at the edge of the network +# where a sensor or other simple device may be implemented using an arduino for +# example. ### END INIT INFO -PIDFILE=/var/run/mosquitto.pid -DAEMON=/usr/sbin/mosquitto +## mlinux ENABLED="yes" [ -f /etc/default/mosquitto ] && . /etc/default/mosquitto +[ "$ENABLED" = "yes" ] || exit +## mlinux -start() { - echo "Starting Mosquitto..." - start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON -- -d -c /etc/mosquitto/mosquitto.conf -} +set -e -stop() { - echo "Stopping Mosquitto..." - start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE -} +PIDFILE=@LOCALSTATEDIR@/run/mosquitto.pid +DAEMON=@SBINDIR@/mosquitto -[ "$ENABLED" = "yes" ] || exit +# start and stop the mosquitto MQTT message broker + +test -x ${DAEMON} || exit 0 + +umask 022 + +. @SYSCONFDIR@/init.d/functions + +export PATH="${PATH:+$PATH:}@SBINDIR@:@BASE_SBINDIR@" case "$1" in - start) - start + start) + echo "Starting Mosquitto message broker" "mosquitto" + if start-stop-daemon --start --quiet --oknodo --background --make-pidfile --pidfile ${PIDFILE} --exec ${DAEMON} -- -c @SYSCONFDIR@/mosquitto/mosquitto.conf ; then + exit 0 + else + exit 1 + fi ;; - stop) - stop + stop) + echo "Stopping Mosquitto message broker" "mosquitto" + if start-stop-daemon --stop --quiet --oknodo --pidfile ${PIDFILE}; then + rm -f ${PIDFILE} + exit 0 + else + exit 1 + fi ;; - restart) - stop - start + + + reload|force-reload) + if [ -f ${PIDFILE} ] ; then + echo "Reloading configuration for mosquitto" + pid=`cat ${PIDFILE}` + kill -HUP $pid + else + echo "mosquitto does not seem to be running" + fi + ;; + + restart) + echo "Restarting Mosquitto message broker" "mosquitto" + if start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile ${PIDFILE}; then + rm -f ${PIDFILE} + fi + if start-stop-daemon --start --quiet --oknodo --background --make-pidfile --pidfile ${PIDFILE} --exec ${DAEMON} -- -c @SYSCONFDIR@/mosquitto/mosquitto.conf ; then + exit 0 + else + exit 1 + fi ;; - *) - echo $"Usage: $0 {start|stop|restart}" - exit 2 + + status) + status ${DAEMON} && exit 0 || exit $? + ;; + + *) + echo "Usage: $0 {start|stop|reload|force-reload|restart|status}" + exit 1 esac +exit 0 diff --git a/recipes-connectivity/mosquitto/mosquitto/nostrip.patch b/recipes-connectivity/mosquitto/mosquitto/nostrip.patch deleted file mode 100644 index b36be35..0000000 --- a/recipes-connectivity/mosquitto/mosquitto/nostrip.patch +++ /dev/null @@ -1,58 +0,0 @@ -Index: mosquitto-1.4/client/Makefile -=================================================================== ---- mosquitto-1.4.orig/client/Makefile 2015-02-17 19:44:09.000000000 -0600 -+++ mosquitto-1.4/client/Makefile 2015-03-25 11:34:01.388614891 -0500 -@@ -24,8 +24,8 @@ - - install : all - $(INSTALL) -d ${DESTDIR}$(prefix)/bin -- $(INSTALL) -s --strip-program=${CROSS_COMPILE}${STRIP} mosquitto_pub ${DESTDIR}${prefix}/bin/mosquitto_pub -- $(INSTALL) -s --strip-program=${CROSS_COMPILE}${STRIP} mosquitto_sub ${DESTDIR}${prefix}/bin/mosquitto_sub -+ $(INSTALL) mosquitto_pub ${DESTDIR}${prefix}/bin/mosquitto_pub -+ $(INSTALL) mosquitto_sub ${DESTDIR}${prefix}/bin/mosquitto_sub - - uninstall : - -rm -f ${DESTDIR}${prefix}/bin/mosquitto_pub -Index: mosquitto-1.4/lib/Makefile -=================================================================== ---- mosquitto-1.4.orig/lib/Makefile 2015-02-17 19:44:09.000000000 -0600 -+++ mosquitto-1.4/lib/Makefile 2015-03-25 11:34:01.388614891 -0500 -@@ -25,7 +25,7 @@ - - install : all - $(INSTALL) -d ${DESTDIR}$(prefix)/lib${LIB_SUFFIX}/ -- $(INSTALL) -s --strip-program=${CROSS_COMPILE}${STRIP} libmosquitto.so.${SOVERSION} ${DESTDIR}${prefix}/lib${LIB_SUFFIX}/libmosquitto.so.${SOVERSION} -+ $(INSTALL) libmosquitto.so.${SOVERSION} ${DESTDIR}${prefix}/lib${LIB_SUFFIX}/libmosquitto.so.${SOVERSION} - ln -sf libmosquitto.so.${SOVERSION} ${DESTDIR}${prefix}/lib${LIB_SUFFIX}/libmosquitto.so - $(INSTALL) -d ${DESTDIR}${prefix}/include/ - $(INSTALL) mosquitto.h ${DESTDIR}${prefix}/include/mosquitto.h -Index: mosquitto-1.4/src/Makefile -=================================================================== ---- mosquitto-1.4.orig/src/Makefile 2015-02-17 19:44:09.000000000 -0600 -+++ mosquitto-1.4/src/Makefile 2015-03-25 11:34:01.388614891 -0500 -@@ -103,10 +103,10 @@ - - install : all - $(INSTALL) -d ${DESTDIR}$(prefix)/sbin -- $(INSTALL) -s --strip-program=${CROSS_COMPILE}${STRIP} mosquitto ${DESTDIR}${prefix}/sbin/mosquitto -+ $(INSTALL) mosquitto ${DESTDIR}${prefix}/sbin/mosquitto - $(INSTALL) mosquitto_plugin.h ${DESTDIR}${prefix}/include/mosquitto_plugin.h - ifeq ($(WITH_TLS),yes) -- $(INSTALL) -s --strip-program=${CROSS_COMPILE}${STRIP} mosquitto_passwd ${DESTDIR}${prefix}/bin/mosquitto_passwd -+ $(INSTALL) mosquitto_passwd ${DESTDIR}${prefix}/bin/mosquitto_passwd - endif - - uninstall : -Index: mosquitto-1.4/lib/cpp/Makefile -=================================================================== ---- mosquitto-1.4.orig/lib/cpp/Makefile 2015-02-17 19:44:09.000000000 -0600 -+++ mosquitto-1.4/lib/cpp/Makefile 2015-03-25 11:34:25.984217051 -0500 -@@ -10,7 +10,7 @@ - - install : all - $(INSTALL) -d ${DESTDIR}$(prefix)/lib${LIB_SUFFIX}/ -- $(INSTALL) -s --strip-program=${CROSS_COMPILE}${STRIP} libmosquittopp.so.${SOVERSION} ${DESTDIR}${prefix}/lib${LIB_SUFFIX}/libmosquittopp.so.${SOVERSION} -+ $(INSTALL) libmosquittopp.so.${SOVERSION} ${DESTDIR}${prefix}/lib${LIB_SUFFIX}/libmosquittopp.so.${SOVERSION} - ln -sf libmosquittopp.so.${SOVERSION} ${DESTDIR}${prefix}/lib${LIB_SUFFIX}/libmosquittopp.so - $(INSTALL) -d ${DESTDIR}${prefix}/include/ - $(INSTALL) mosquittopp.h ${DESTDIR}${prefix}/include/mosquittopp.h diff --git a/recipes-connectivity/mosquitto/mosquitto_1.5.1.bb b/recipes-connectivity/mosquitto/mosquitto_1.5.1.bb deleted file mode 100644 index 947dcdf..0000000 --- a/recipes-connectivity/mosquitto/mosquitto_1.5.1.bb +++ /dev/null @@ -1,81 +0,0 @@ -# This recipe was a merger of the Multitech Daisy 3.5 Recipe with the -# reciped found at: -# http://git.yoctoproject.org/cgit/cgit.cgi/meta-intel-iot-middleware/plain/recipes-connectivity/mosquitto/mosquitto_1.4.10.bb -inherit autotools-brokensep -SUMMARY = "Open source MQTT v3.5 implemention" -DESCRIPTION = "Mosquitto is an open source (BSD licensed) message broker that implements the MQ Telemetry Transport protocol version 3.5. MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. " -HOMEPAGE = "http://mosquitto.org/" -SECTION = "console/network" -LICENSE = "EPL-1.0 & EDL-1.0" -LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=62ddc846179e908dc0c8efec4a42ef20" - -# util-linux is needed to provide libuuid dependancy -DEPENDS = "c-ares openssl util-linux" - -PR = "r3" - -SRC_URI = "http://mosquitto.org/files/source/${PN}-${PV}.tar.gz \ - file://mosquitto.init \ - file://mosquitto.conf \ - file://mosquitto.default \ - file://mosquitto.logrotate.conf \ - file://config_mk.patch \ - " -SRC_URI[md5sum] = "f98c99998a36a234f3a9d9b402b991db" -SRC_URI[sha256sum] = "8557bc7ae34dfaf32a0fb56d2491b7a7f731269c88337227233013502df4d5b0" - -export LIB_SUFFIX="${@d.getVar('baselib', True).replace('lib', '')}" -inherit autotools update-rc.d - -INITSCRIPT_NAME = "mosquitto" -INITSCRIPT_PARAMS = "defaults 70 30" -do_compile() { - WITH_STATIC_LIBRARIES=1 oe_runmake PREFIX=/usr WITH_STATIC_LIBRARIES=1 -} -do_install() { - # oe_runmake DESTDIR=${D} prefix=/usr install - oe_runmake install DESTDIR=${D} - install -m 0755 -d ${D}/usr/lib - install -m 0644 lib/libmosquitto.a ${D}${libdir}/ - - install -d ${D}${sysconfdir}/init.d - install -d ${D}${sysconfdir}/default - install -m 0755 ${WORKDIR}/mosquitto.init ${D}${sysconfdir}/init.d/mosquitto - install -m 0644 ${WORKDIR}/mosquitto.conf ${D}${sysconfdir}/mosquitto/ - install -m 0644 ${WORKDIR}/mosquitto.default ${D}${sysconfdir}/default/mosquitto - - install -d ${D}${sysconfdir}/logrotate.d - install -m 0644 ${WORKDIR}/mosquitto.logrotate.conf ${D}${sysconfdir}/logrotate.d/mosquitto.conf -} - -do_rm_work() { - echo "skipping" -} - - -PACKAGES += "libmosquitto1 libmosquittopp1 ${PN}-clients ${PN}-python" - -CONFFILES_${PN} = "${sysconfdir}/mosquitto.conf ${sysconfdir}/default/mosquitto" -FILES_${PN} = "${sbindir}/mosquitto \ - ${bindir}/mosquitto_passwd \ - ${sysconfdir}/mosquitto \ - ${systemd_unitdir}/system/mosquitto.service \ - ${sysconfdir}/ \ -" - -FILES_libmosquitto1 = "${libdir}/libmosquitto.so.1" - -FILES_libmosquittopp1 = "${libdir}/libmosquittopp.so.1" - -FILES_${PN}-clients = "${bindir}/mosquitto_pub \ - ${bindir}/mosquitto_sub \ -" - -FILES_${PN}-staticdev += "${libdir}/libmosquitto.a" - -FILES_${PN}-python = "/usr/lib/python2.7/site-packages" - -inherit systemd - -SYSTEMD_SERVICE_${PN} = "mosquitto.service" - diff --git a/recipes-connectivity/mosquitto/mosquitto_1.6.10.bbappend b/recipes-connectivity/mosquitto/mosquitto_1.6.10.bbappend new file mode 100644 index 0000000..a03e26e --- /dev/null +++ b/recipes-connectivity/mosquitto/mosquitto_1.6.10.bbappend @@ -0,0 +1,36 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI += "file://mosquitto.conf \ + file://mosquitto.default \ + file://mosquitto.logrotate.conf \ + " +RDEPENDS_${PN} += "logrotate" + +INITSCRIPT_PARAMS = "defaults 70 30" + +EXTRA_OECMAKE += " -DWITH_STATIC_LIBRARIES=ON" + +do_install_append() { + install -d ${D}${sysconfdir}/mosquitto + install -m 0644 ${WORKDIR}/mosquitto.conf ${D}${sysconfdir}/mosquitto/ + + install -d ${D}${sysconfdir}/default + install -m 0644 ${WORKDIR}/mosquitto.default ${D}${sysconfdir}/default/mosquitto + + install -d ${D}${sysconfdir}/logrotate.d + install -m 0644 ${WORKDIR}/mosquitto.logrotate.conf ${D}${sysconfdir}/logrotate.d/mosquitto.conf +} + + + +PACKAGES += "${PN}-python" + +CONFFILES_${PN} = "${sysconfdir}/mosquitto.conf ${sysconfdir}/default/mosquitto" + +FILES_${PN} += "${sysconfdir}/default \ + ${sysconfdir}/logrotate.d \ + " + +FILES_${PN}-staticdev += "${libdir}/libmosquitto.a" + +FILES_${PN}-python = "/usr/lib/python2.7/site-packages"
\ No newline at end of file diff --git a/recipes-connectivity/openssh/openssh/ssh.default b/recipes-connectivity/openssh/openssh-mlinux/ssh.default index d5c0507..d5c0507 100644 --- a/recipes-connectivity/openssh/openssh/ssh.default +++ b/recipes-connectivity/openssh/openssh-mlinux/ssh.default diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd b/recipes-connectivity/openssh/openssh-mlinux/sshd new file mode 100644 index 0000000..182650b --- /dev/null +++ b/recipes-connectivity/openssh/openssh-mlinux/sshd @@ -0,0 +1,11 @@ +#%PAM-1.0 + +auth include common-auth +account required pam_nologin.so +account include common-account +password include common-password +session optional pam_keyinit.so force revoke +session optional pam_radauth.so +session include common-session +session required pam_loginuid.so + diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys b/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys new file mode 100644 index 0000000..4af8d5c --- /dev/null +++ b/recipes-connectivity/openssh/openssh-mlinux/sshd_check_keys @@ -0,0 +1,82 @@ +#! /bin/sh + +generate_key() { + local FILE=$1 + local TYPE=$2 + local DIR="$(dirname "$FILE")" + + mkdir -p "$DIR" + ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE + + # Atomically rename file public key + mv -f "${FILE}.tmp.pub" "${FILE}.pub" + + # This sync does double duty: Ensuring that the data in the temporary + # private key file is on disk before the rename, and ensuring that the + # public key rename is completed before the private key rename, since we + # switch on the existence of the private key to trigger key generation. + # This does mean it is possible for the public key to exist, but be garbage + # but this is OK because in that case the private key won't exist and the + # keys will be regenerated. + # + # In the event that sync understands arguments that limit what it tries to + # fsync(), we provided them. If it does not, it will simply call sync() + # which is just as well + sync "${FILE}.pub" "$DIR" "${FILE}.tmp" + + mv "${FILE}.tmp" "$FILE" + + # sync to ensure the atomic rename is committed + sync "$DIR" +} + +# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS +if test -f /etc/default/ssh; then + . /etc/default/ssh +fi + +[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh +mkdir -p $SYSCONFDIR + +# parse sshd options +set -- ${SSHD_OPTS} -- +sshd_config=/etc/ssh/sshd_config +while true ; do + case "$1" in + -f*) if [ "$1" = "-f" ] ; then + sshd_config="$2" + shift + else + sshd_config="${1#-f}" + fi + shift + ;; + --) shift; break;; + *) shift;; + esac +done + +HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}") +[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_dsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key" + +for key in ${HOST_KEYS} ; do + [ -f $key ] && continue + case $key in + *_rsa_key) + echo " generating ssh RSA host key..." + generate_key $key rsa + ;; + *_dsa_key) + echo " generating ssh DSA host key..." + generate_key $key dsa + ;; + *_ecdsa_key) + echo " generating ssh ECDSA host key..." + generate_key $key ecdsa + ;; + *_ed25519_key) + echo " generating ssh ED25519 host key..." + generate_key $key ed25519 + ;; + esac +done diff --git a/recipes-connectivity/openssh/openssh-mlinux/sshd_config b/recipes-connectivity/openssh/openssh-mlinux/sshd_config new file mode 100644 index 0000000..7e9da84 --- /dev/null +++ b/recipes-connectivity/openssh/openssh-mlinux/sshd_config @@ -0,0 +1,122 @@ +# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + + +# The default requires explicit activation of protocol 1 +Protocol 2 + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +#UsePAM no + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#PermitUserEnvironment no +Compression no +ClientAliveInterval 15 +ClientAliveCountMax 4 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch b/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch new file mode 100644 index 0000000..b88bc18 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch @@ -0,0 +1,28 @@ +From 0f90440ca70abab947acbd77795e9f130967956c Mon Sep 17 00:00:00 2001 +From: Darren Tucker <dtucker@dtucker.net> +Date: Fri, 20 Nov 2020 13:37:54 +1100 +Subject: [PATCH] Add new pselect6_time64 syscall on ARM. + +This is apparently needed on armhfp/armv7hl. bz#3232, patch from +jjelen at redhat.com. +--- + sandbox-seccomp-filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +Upstream-Status: Backport +[fixes issues on 32bit IA and probably other 32 bit platforms too with glibc 2.33] + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index e0768c063..5065ae7ef 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_pselect6 + SC_ALLOW(__NR_pselect6), + #endif ++#ifdef __NR_pselect6_time64 ++ SC_ALLOW(__NR_pselect6_time64), ++#endif + #ifdef __NR_read + SC_ALLOW(__NR_read), + #endif diff --git a/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch new file mode 100644 index 0000000..b8402a4 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch @@ -0,0 +1,47 @@ +Adjust test cases to work with busybox. + +- Replace dd parameter "obs" with "bs". +- Replace "head -<num>" with "head -n <num>". + +Signed-off-by: Maxin B. John <maxin.john@enea.com> +Upstream-Status: Pending + +Index: openssh-7.6p1/regress/cipher-speed.sh +=================================================================== +--- openssh-7.6p1.orig/regress/cipher-speed.sh ++++ openssh-7.6p1/regress/cipher-speed.sh +@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for + printf "%-60s" "$c/$m:" + ( ${SSH} -o 'compression no' \ + -F $OBJ/ssh_proxy -m $m -c $c somehost \ +- exec sh -c \'"dd of=/dev/null obs=32k"\' \ ++ exec sh -c \'"dd of=/dev/null bs=32k"\' \ + < ${DATA} ) 2>&1 | getbytes + + if [ $? -ne 0 ]; then +Index: openssh-7.6p1/regress/transfer.sh +=================================================================== +--- openssh-7.6p1.orig/regress/transfer.sh ++++ openssh-7.6p1/regress/transfer.sh +@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY} || fail "corrupted + for s in 10 100 1k 32k 64k 128k 256k; do + trace "dd-size ${s}" + rm -f ${COPY} +- dd if=$DATA obs=${s} 2> /dev/null | \ ++ dd if=$DATA bs=${s} 2> /dev/null | \ + ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" +Index: openssh-7.6p1/regress/key-options.sh +=================================================================== +--- openssh-7.6p1.orig/regress/key-options.sh ++++ openssh-7.6p1/regress/key-options.sh +@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do + fi + + sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys +- from=`head -1 $authkeys | cut -f1 -d ' '` ++ from=`head -n 1 $authkeys | cut -f1 -d ' '` + verbose "key option $from" + r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` + if [ "$r" = "true" ]; then diff --git a/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch index 7e043a2..20036da 100644 --- a/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch +++ b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch @@ -11,14 +11,17 @@ would lead to program abort. Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608] Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> + +Complete the fix +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> --- - openbsd-compat/strlcat.c | 8 ++++++-- - openbsd-compat/strlcpy.c | 8 ++++++-- - openbsd-compat/strnlen.c | 8 ++++++-- - 3 files changed, 18 insertions(+), 6 deletions(-) + openbsd-compat/strlcat.c | 10 +++++++--- + openbsd-compat/strlcpy.c | 8 ++++++-- + openbsd-compat/strnlen.c | 8 ++++++-- + 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c -index bcc1b61..e758ebf 100644 +index bcc1b61..124e1e3 100644 --- a/openbsd-compat/strlcat.c +++ b/openbsd-compat/strlcat.c @@ -23,6 +23,7 @@ @@ -29,6 +32,15 @@ index bcc1b61..e758ebf 100644 /* * Appends src to string dst of size siz (unlike strncat, siz is the +@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz) + /* Find the end of dst and adjust bytes left but don't go past end */ + while (n-- != 0 && *d != '\0') + d++; +- dlen = d - dst; ++ dlen = (uintptr_t)d - (uintptr_t)dst; + n = siz - dlen; + + if (n == 0) @@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz) s++; } @@ -70,7 +82,7 @@ index b4b1b60..b06f374 100644 #endif /* !HAVE_STRLCPY */ diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c -index 93d5155..9b8de5d 100644 +index 7ad3573..7040f1f 100644 --- a/openbsd-compat/strnlen.c +++ b/openbsd-compat/strnlen.c @@ -23,6 +23,7 @@ @@ -95,5 +107,5 @@ index 93d5155..9b8de5d 100644 } #endif -- -1.9.1 +2.17.1 diff --git a/recipes-connectivity/openssh/openssh/init b/recipes-connectivity/openssh/openssh/init index 386628a..8887e3a 100644 --- a/recipes-connectivity/openssh/openssh/init +++ b/recipes-connectivity/openssh/openssh/init @@ -19,25 +19,6 @@ fi [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh mkdir -p $SYSCONFDIR -parse_sshd_opts() { - set -- ${SSHD_OPTS} -- - sshd_config=/etc/ssh/sshd_config - while true ; do - case "$1" in - -f*) if [ "$1" = "-f" ] ; then - sshd_config="$2" - shift - else - sshd_config="${1#-f}" - fi - shift - ;; - --) shift; break;; - *) shift;; - esac - done -} - check_for_no_start() { # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then @@ -55,51 +36,7 @@ check_privsep_dir() { } check_config() { - /usr/sbin/sshd -t $SSHD_OPTS || exit 1 -} - -check_keys() { - # parse location of keys - local HOST_KEY_RSA - local HOST_KEY_DSA - local HOST_KEY_ECDSA - local HOST_KEY_ED25519 - - parse_sshd_opts - HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key - HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key - HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key - HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key - - # create keys if necessary - if [ ! -f $HOST_KEY_RSA ]; then - echo " generating ssh RSA key..." - mkdir -p $(dirname $HOST_KEY_RSA) - ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa - fi - if [ ! -f $HOST_KEY_ECDSA ]; then - echo " generating ssh ECDSA key..." - mkdir -p $(dirname $HOST_KEY_ECDSA) - ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa - fi - if [ ! -f $HOST_KEY_DSA ]; then - echo " generating ssh DSA key..." - mkdir -p $(dirname $HOST_KEY_DSA) - ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa - fi - if [ ! -f $HOST_KEY_ED25519 ]; then - echo " generating ssh ED25519 key..." - mkdir -p $(dirname $HOST_KEY_ED25519) - ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 - fi + /usr/sbin/sshd $SSHD_OPTS -t || exit 1 } export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" @@ -108,30 +45,30 @@ case "$1" in start) check_for_no_start echo "Starting OpenBSD Secure Shell server: sshd" - check_keys + @LIBEXECDIR@/sshd_check_keys check_privsep_dir start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS - echo "done." + echo "done." ;; stop) - echo -n "Stopping OpenBSD Secure Shell server: sshd" + echo -n "Stopping OpenBSD Secure Shell server: sshd" start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd - echo "." + echo "." ;; reload|force-reload) check_for_no_start - check_keys + @LIBEXECDIR@/sshd_check_keys check_config - echo -n "Reloading OpenBSD Secure Shell server's configuration" + echo -n "Reloading OpenBSD Secure Shell server's configuration" start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd echo "." ;; restart) - check_keys + @LIBEXECDIR@/sshd_check_keys check_config - echo -n "Restarting OpenBSD Secure Shell server: sshd" + echo -n "Restarting OpenBSD Secure Shell server: sshd" start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd check_for_no_start check_privsep_dir diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch deleted file mode 100644 index d6fbd3b..0000000 --- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-add-test-support-for-busybox.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff -ruN a/regress/cipher-speed.sh b/regress/cipher-speed.sh ---- a/regress/cipher-speed.sh 2019-12-03 13:16:36.091896387 -0600 -+++ b/regress/cipher-speed.sh 2019-12-03 13:28:29.726275955 -0600 -@@ -17,7 +17,7 @@ - printf "%-60s" "$c/$m:" - ( ${SSH} -o 'compression no' \ - -F $OBJ/ssh_proxy -m $m -c $c somehost \ -- exec sh -c \'"dd of=/dev/null obs=32k"\' \ -+ exec sh -c \'"dd of=/dev/null bs=32k"\' \ - < ${DATA} ) 2>&1 | getbytes - - if [ $? -ne 0 ]; then -diff -ruN a/regress/key-options.sh b/regress/key-options.sh ---- a/regress/key-options.sh 2019-12-03 13:24:44.164243780 -0600 -+++ b/regress/key-options.sh 2019-12-03 13:33:14.447235791 -0600 -@@ -84,7 +84,7 @@ - fi - - sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys -- from=`head -1 $authkeys | cut -f1 -d ' '` -+ from=`head -n 1 $authkeys | cut -f1 -d ' '` - verbose "key option $from" - r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` - if [ "$r" = "true" ]; then -diff -ruN a/regress/transfer.sh b/regress/transfer.sh ---- a/regress/transfer.sh 2019-12-03 13:16:58.342857354 -0600 -+++ b/regress/transfer.sh 2019-12-03 13:29:08.733267753 -0600 -@@ -13,7 +13,7 @@ - for s in 10 100 1k 32k 64k 128k 256k; do - trace "dd-size ${s}" - rm -f ${COPY} -- dd if=$DATA obs=${s} 2> /dev/null | \ -+ dd if=$DATA bs=${s} 2> /dev/null | \ - ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}" - if [ $? -ne 0 ]; then - fail "ssh cat $DATA failed" -diff -ruN a/regress/yes-head.sh b/regress/yes-head.sh ---- a/regress/yes-head.sh 2019-12-03 13:17:11.682259074 -0600 -+++ b/regress/yes-head.sh 2019-12-03 13:32:47.699869866 -0600 -@@ -3,7 +3,7 @@ - - tid="yes pipe head" - --lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` -+lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -n 2000"' | (sleep 3 ; wc -l)` - if [ $? -ne 0 ]; then - fail "yes|head test failed" - lines = 0; diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch deleted file mode 100644 index 507026c..0000000 --- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-cipher.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/cipher.c 2019-12-03 12:46:22.282290586 -0600 -+++ b/cipher.c 2019-12-03 12:45:19.273805437 -0600 -@@ -158,8 +158,10 @@ - u_int - cipher_seclen(const struct sshcipher *c) - { -+#ifndef OPENSSL_NO_DES - if (strcmp("3des-cbc", c->name) == 0) - return 14; -+#endif - return cipher_keylen(c); - } - diff --git a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch b/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch deleted file mode 100644 index 46b60b5..0000000 --- a/recipes-connectivity/openssh/openssh/openssh-8.1p1-conditional-compile-des-in-pkcs11.patch +++ /dev/null @@ -1,52 +0,0 @@ ---- a/pkcs11.h 2019-12-03 12:52:10.920974412 -0600 -+++ b/pkcs11.h 2019-12-03 12:56:56.383171416 -0600 -@@ -342,9 +342,11 @@ - #define CKK_GENERIC_SECRET (0x10) - #define CKK_RC2 (0x11) - #define CKK_RC4 (0x12) -+#ifndef OPENSSL_NO_DES - #define CKK_DES (0x13) - #define CKK_DES2 (0x14) - #define CKK_DES3 (0x15) -+#endif /* OPENSSL_NO_DES */ - #define CKK_CAST (0x16) - #define CKK_CAST3 (0x17) - #define CKK_CAST128 (0x18) -@@ -512,6 +514,7 @@ - #define CKM_RC2_CBC_PAD (0x105) - #define CKM_RC4_KEY_GEN (0x110) - #define CKM_RC4 (0x111) -+#ifndef OPENSSL_NO_DES - #define CKM_DES_KEY_GEN (0x120) - #define CKM_DES_ECB (0x121) - #define CKM_DES_CBC (0x122) -@@ -525,6 +528,7 @@ - #define CKM_DES3_MAC (0x134) - #define CKM_DES3_MAC_GENERAL (0x135) - #define CKM_DES3_CBC_PAD (0x136) -+#endif /* OPENSSL_NO_DES */ - #define CKM_CDMF_KEY_GEN (0x140) - #define CKM_CDMF_ECB (0x141) - #define CKM_CDMF_CBC (0x142) -@@ -610,8 +614,10 @@ - #define CKM_MD5_KEY_DERIVATION (0x390) - #define CKM_MD2_KEY_DERIVATION (0x391) - #define CKM_SHA1_KEY_DERIVATION (0x392) -+#ifndef OPENSSL_NO_DES - #define CKM_PBE_MD2_DES_CBC (0x3a0) - #define CKM_PBE_MD5_DES_CBC (0x3a1) -+#endif /* OPENSSL_NO_DES */ - #define CKM_PBE_MD5_CAST_CBC (0x3a2) - #define CKM_PBE_MD5_CAST3_CBC (0x3a3) - #define CKM_PBE_MD5_CAST5_CBC (0x3a4) -@@ -620,8 +626,10 @@ - #define CKM_PBE_SHA1_CAST128_CBC (0x3a5) - #define CKM_PBE_SHA1_RC4_128 (0x3a6) - #define CKM_PBE_SHA1_RC4_40 (0x3a7) -+#ifndef OPENSSL_NO_DES - #define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8) - #define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9) -+#endif /* OPENSSL_NO_DES */ - #define CKM_PBE_SHA1_RC2_128_CBC (0x3aa) - #define CKM_PBE_SHA1_RC2_40_CBC (0x3ab) - #define CKM_PKCS5_PBKD2 (0x3b0) diff --git a/recipes-connectivity/openssh/openssh/run-ptest b/recipes-connectivity/openssh/openssh/run-ptest index 36a3d2a..ae03e92 100755 --- a/recipes-connectivity/openssh/openssh/run-ptest +++ b/recipes-connectivity/openssh/openssh/run-ptest @@ -1,11 +1,12 @@ #!/bin/sh export TEST_SHELL=sh +export SKIP_UNIT=1 cd regress sed -i "/\t\tagent-ptrace /d" Makefile make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \ - | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' + | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' SSHAGENT=`which ssh-agent` GDB=`which gdb` diff --git a/recipes-connectivity/openssh/openssh/ssh_config b/recipes-connectivity/openssh/openssh/ssh_config index 9e91915..e0d0238 100644 --- a/recipes-connectivity/openssh/openssh/ssh_config +++ b/recipes-connectivity/openssh/openssh/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ +# $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -31,14 +31,14 @@ Host * # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 # Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# Protocol 2 +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com # EscapeChar ~ # Tunnel no # TunnelDevice any:any diff --git a/recipes-connectivity/openssh/openssh/sshd b/recipes-connectivity/openssh/openssh/sshd index 182650b..4882e58 100644 --- a/recipes-connectivity/openssh/openssh/sshd +++ b/recipes-connectivity/openssh/openssh/sshd @@ -5,7 +5,6 @@ account required pam_nologin.so account include common-account password include common-password session optional pam_keyinit.so force revoke -session optional pam_radauth.so session include common-session session required pam_loginuid.so diff --git a/recipes-connectivity/openssh/openssh/sshd.socket b/recipes-connectivity/openssh/openssh/sshd.socket index 12c39b2..8d76d62 100644 --- a/recipes-connectivity/openssh/openssh/sshd.socket +++ b/recipes-connectivity/openssh/openssh/sshd.socket @@ -1,5 +1,6 @@ [Unit] Conflicts=sshd.service +Wants=sshdgenkeys.service [Socket] ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd diff --git a/recipes-connectivity/openssh/openssh/sshd@.service b/recipes-connectivity/openssh/openssh/sshd@.service index 9d83dfb..9d9965e 100644 --- a/recipes-connectivity/openssh/openssh/sshd@.service +++ b/recipes-connectivity/openssh/openssh/sshd@.service @@ -1,13 +1,10 @@ [Unit] Description=OpenSSH Per-Connection Daemon -Wants=sshdgenkeys.service After=sshdgenkeys.service [Service] Environment="SSHD_OPTS=" EnvironmentFile=-/etc/default/ssh ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID StandardInput=socket -StandardError=syslog KillMode=process diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys b/recipes-connectivity/openssh/openssh/sshd_check_keys new file mode 100644 index 0000000..1931dc7 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -0,0 +1,78 @@ +#! /bin/sh + +generate_key() { + local FILE=$1 + local TYPE=$2 + local DIR="$(dirname "$FILE")" + + mkdir -p "$DIR" + ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE + + # Atomically rename file public key + mv -f "${FILE}.tmp.pub" "${FILE}.pub" + + # This sync does double duty: Ensuring that the data in the temporary + # private key file is on disk before the rename, and ensuring that the + # public key rename is completed before the private key rename, since we + # switch on the existence of the private key to trigger key generation. + # This does mean it is possible for the public key to exist, but be garbage + # but this is OK because in that case the private key won't exist and the + # keys will be regenerated. + # + # In the event that sync understands arguments that limit what it tries to + # fsync(), we provided them. If it does not, it will simply call sync() + # which is just as well + sync "${FILE}.pub" "$DIR" "${FILE}.tmp" + + mv "${FILE}.tmp" "$FILE" + + # sync to ensure the atomic rename is committed + sync "$DIR" +} + +# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS +if test -f /etc/default/ssh; then + . /etc/default/ssh +fi + +[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh +mkdir -p $SYSCONFDIR + +# parse sshd options +set -- ${SSHD_OPTS} -- +sshd_config=/etc/ssh/sshd_config +while true ; do + case "$1" in + -f*) if [ "$1" = "-f" ] ; then + sshd_config="$2" + shift + else + sshd_config="${1#-f}" + fi + shift + ;; + --) shift; break;; + *) shift;; + esac +done + +HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}") +[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key" + +for key in ${HOST_KEYS} ; do + [ -f $key ] && continue + case $key in + *_rsa_key) + echo " generating ssh RSA host key..." + generate_key $key rsa + ;; + *_ecdsa_key) + echo " generating ssh ECDSA host key..." + generate_key $key ecdsa + ;; + *_ed25519_key) + echo " generating ssh ED25519 host key..." + generate_key $key ed25519 + ;; + esac +done diff --git a/recipes-connectivity/openssh/openssh/sshd_config b/recipes-connectivity/openssh/openssh/sshd_config index 31fe5d9..15f061b 100644 --- a/recipes-connectivity/openssh/openssh/sshd_config +++ b/recipes-connectivity/openssh/openssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ +# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -7,7 +7,7 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a +# possible, but leave them commented. Uncommented options override the # default value. #Port 22 @@ -15,43 +15,30 @@ #ListenAddress 0.0.0.0 #ListenAddress :: -# The default requires explicit activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - # Ciphers and keying #RekeyLimit default none # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m -#PermitRootLogin yes +#PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -#RSAAuthentication yes #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none @@ -59,11 +46,9 @@ AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication +# HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes @@ -72,7 +57,8 @@ AuthorizedKeysFile .ssh/authorized_keys #PasswordAuthentication yes #PermitEmptyPasswords no -# Change to no to disable s/key passwords +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) ChallengeResponseAuthentication no # Kerberos options @@ -111,7 +97,7 @@ ChallengeResponseAuthentication no Compression no ClientAliveInterval 15 ClientAliveCountMax 4 -#UseDNS yes +#UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no diff --git a/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/recipes-connectivity/openssh/openssh/sshdgenkeys.service index 148e6ad..fd81793 100644 --- a/recipes-connectivity/openssh/openssh/sshdgenkeys.service +++ b/recipes-connectivity/openssh/openssh/sshdgenkeys.service @@ -1,22 +1,9 @@ [Unit] Description=OpenSSH Key Generation RequiresMountsFor=/var /run -ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key -ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key -ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key [Service] -Environment="SYSCONFDIR=/etc/ssh" -EnvironmentFile=-/etc/default/ssh -ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519 +ExecStart=@LIBEXECDIR@/sshd_check_keys Type=oneshot RemainAfterExit=yes +Nice=10 diff --git a/recipes-connectivity/openssh/openssh_8.1p1.bb b/recipes-connectivity/openssh/openssh_8.4p1.bb index 5bfd8e3..128e2e3 100644 --- a/recipes-connectivity/openssh/openssh_8.1p1.bb +++ b/recipes-connectivity/openssh/openssh_8.4p1.bb @@ -5,10 +5,10 @@ Ssh (Secure Shell) is a program for logging into a remote machine \ and for executing commands on a remote machine." HOMEPAGE = "http://www.openssh.com/" SECTION = "console/network" -LICENSE = "BSD" +LICENSE = "BSD & ISC & MIT" LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3" -DEPENDS = "zlib openssl" +DEPENDS = "zlib openssl virtual/crypt" DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ @@ -20,19 +20,21 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://sshd@.service \ file://sshdgenkeys.service \ file://volatiles.99_sshd \ - file://openssh-8.1p1-add-test-support-for-busybox.patch \ file://run-ptest \ - file://openssh-8.1p1-conditional-compile-des-in-cipher.patch \ - file://openssh-8.1p1-conditional-compile-des-in-pkcs11.patch \ file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ + file://sshd_check_keys \ + file://add-test-support-for-busybox.patch \ + file://0f90440ca70abab947acbd77795e9f130967956c.patch \ " +SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24" -PAM_SRC_URI = "file://sshd" +# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 +# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded +CVE_CHECK_WHITELIST += "CVE-2014-9278" -SRC_URI[md5sum] = "513694343631a99841e815306806edf0" -SRC_URI[sha256sum] = "02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff" +PAM_SRC_URI = "file://sshd" -inherit useradd update-rc.d update-alternatives systemd +inherit manpages useradd update-rc.d update-alternatives systemd USERADD_PACKAGES = "${PN}-sshd" USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" @@ -45,19 +47,30 @@ SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" inherit autotools-brokensep ptest -# LFS support: -CFLAGS += "-D__FILE_OFFSET_BITS=64" +PACKAGECONFIG ??= "rng-tools" +PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" +PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" +PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" +PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" + +# Add RRECOMMENDS to rng-tools for sshd package +PACKAGECONFIG[rng-tools] = "" + +EXTRA_AUTORECONF += "--exclude=aclocal" # login path is hardcoded in sshd EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ --without-zlib-version-check \ - --with-privsep-path=/var/run/sshd \ + --with-privsep-path=${localstatedir}/run/sshd \ --sysconfdir=${sysconfdir}/ssh \ - --with-xauth=/usr/bin/xauth \ + --with-xauth=${bindir}/xauth \ --disable-strip \ " +# musl doesn't implement wtmp/utmp and logwtmp +EXTRA_OECONF_append_libc-musl = " --disable-wtmp --disable-lastlog" + # Since we do not depend on libbsd, we do not want configure to use it # just because it finds libutil.h. But, specifying --disable-libutil # causes compile errors, so... @@ -73,24 +86,22 @@ do_configure_prepend () { export LD="${CC}" install -m 0644 ${WORKDIR}/sshd_config ${B}/ install -m 0644 ${WORKDIR}/ssh_config ${B}/ - if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then - cp aclocal.m4 acinclude.m4 - fi } do_compile_ptest() { # skip regress/unittests/ binaries: this will silently skip # unittests in run-ptests which is good because they are so slow. - oe_runmake regress/modpipe regress/setuid-allowed regress/netcat + oe_runmake regress/modpipe regress/setuid-allowed regress/netcat \ + regress/check-perm regress/mkdtemp } do_install_append () { - if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then + if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config fi - if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then + if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config fi @@ -107,7 +118,6 @@ do_install_append () { install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly @@ -118,7 +128,13 @@ do_install_append () { sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ -e 's,@SBINDIR@,${sbindir},g' \ -e 's,@BINDIR@,${bindir},g' \ + -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service + + sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ + ${D}${sysconfdir}/init.d/sshd + + install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys } do_install_ptest () { @@ -133,6 +149,7 @@ FILES_${PN}-scp = "${bindir}/scp.${BPN}" FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system" FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" +FILES_${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" FILES_${PN}-sftp = "${bindir}/sftp" FILES_${PN}-sftp-server = "${libexecdir}/sftp-server" FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" @@ -140,14 +157,18 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen" RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" -RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make" +RRECOMMENDS_${PN}-sshd_append_class-target = "\ + ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ +" + +# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies +RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" RPROVIDES_${PN}-ssh = "ssh" RPROVIDES_${PN}-sshd = "sshd" RCONFLICTS_${PN} = "dropbear" RCONFLICTS_${PN}-sshd = "dropbear" -RCONFLICTS_${PN}-keygen = "ssh-keygen" CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config" CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config" @@ -156,5 +177,4 @@ ALTERNATIVE_PRIORITY = "90" ALTERNATIVE_${PN}-scp = "scp" ALTERNATIVE_${PN}-ssh = "ssh" -do_rm_work () { -} +BBCLASSEXTEND += "nativesdk" diff --git a/recipes-connectivity/openssh/openssh_%.bbappend b/recipes-connectivity/openssh/openssh_8.4p1.bbappend index 53d3da1..c594fa8 100644 --- a/recipes-connectivity/openssh/openssh_%.bbappend +++ b/recipes-connectivity/openssh/openssh_8.4p1.bbappend @@ -1,6 +1,9 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-mlinux:" -SRC_URI += "file://ssh.default" +SRC_URI += "file://ssh.default \ + file://sshd \ + file://sshd_config \ + file://sshd_check_keys" KEYFILES = "ssh_host_dsa_key \ ssh_host_dsa_key.pub \ @@ -12,7 +15,12 @@ ssh_host_ed25519_key \ ssh_host_ed25519_key.pub \ " +PACKAGECONFIG = "" + do_install_append() { + + echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + install -d ${D}${sysconfdir}/default install -m 644 ${WORKDIR}/ssh.default ${D}${sysconfdir}/default/ssh for f in ${KEYFILES}; do diff --git a/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch b/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch deleted file mode 100644 index a476cf0..0000000 --- a/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 94c401733a5a3d294cc412671166e6adfb409f53 Mon Sep 17 00:00:00 2001 -From: Joshua DeWeese <jdeweese@hennypenny.com> -Date: Wed, 30 Jan 2019 16:19:47 -0500 -Subject: [PATCH] replace systemd install Alias with WantedBy - -According to the systemd documentation "WantedBy=foo.service in a -service bar.service is mostly equivalent to -Alias=foo.service.wants/bar.service in the same file." However, -this is not really the intended purpose of install Aliases. - -Upstream-Status: Submitted [hostap@lists.infradead.org] - -Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com> ---- - wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in | 2 +- - wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in | 2 +- - wpa_supplicant/systemd/wpa_supplicant.service.arg.in | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in -index 03ac507..da69a87 100644 ---- a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in -+++ b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in -@@ -12,4 +12,4 @@ Type=simple - ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-nl80211-%I.conf -Dnl80211 -i%I - - [Install] --Alias=multi-user.target.wants/wpa_supplicant-nl80211@%i.service -+WantedBy=multi-user.target -diff --git a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in -index c8a744d..ca3054b 100644 ---- a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in -+++ b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in -@@ -12,4 +12,4 @@ Type=simple - ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-%I.conf -Dwired -i%I - - [Install] --Alias=multi-user.target.wants/wpa_supplicant-wired@%i.service -+WantedBy=multi-user.target -diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in -index 7788b38..55d2b9c 100644 ---- a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in -+++ b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in -@@ -12,4 +12,4 @@ Type=simple - ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I - - [Install] --Alias=multi-user.target.wants/wpa_supplicant@%i.service -+WantedBy=multi-user.target --- -2.7.4 - diff --git a/recipes-connectivity/wpa-supplicant/wpa-supplicant/99_wpa_supplicant b/recipes-connectivity/wpa-supplicant/wpa-supplicant/99_wpa_supplicant deleted file mode 100644 index 6ff4dd8..0000000 --- a/recipes-connectivity/wpa-supplicant/wpa-supplicant/99_wpa_supplicant +++ /dev/null @@ -1 +0,0 @@ -d root root 0700 /var/run/wpa_supplicant none diff --git a/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig b/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig deleted file mode 100644 index f04e398..0000000 --- a/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig +++ /dev/null @@ -1,552 +0,0 @@ -# Example wpa_supplicant build time configuration -# -# This file lists the configuration options that are used when building the -# hostapd binary. All lines starting with # are ignored. Configuration option -# lines must be commented out complete, if they are not to be included, i.e., -# just setting VARIABLE=n is not disabling that variable. -# -# This file is included in Makefile, so variables like CFLAGS and LIBS can also -# be modified from here. In most cases, these lines should use += in order not -# to override previous values of the variables. - - -# Uncomment following two lines and fix the paths if you have installed OpenSSL -# or GnuTLS in non-default location -#CFLAGS += -I/usr/local/openssl/include -#LIBS += -L/usr/local/openssl/lib - -# Some Red Hat versions seem to include kerberos header files from OpenSSL, but -# the kerberos files are not in the default include path. Following line can be -# used to fix build issues on such systems (krb5.h not found). -#CFLAGS += -I/usr/include/kerberos - -# Example configuration for various cross-compilation platforms - -#### sveasoft (e.g., for Linksys WRT54G) ###################################### -#CC=mipsel-uclibc-gcc -#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc -#CFLAGS += -Os -#CPPFLAGS += -I../src/include -I../../src/router/openssl/include -#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl -############################################################################### - -#### openwrt (e.g., for Linksys WRT54G) ####################################### -#CC=mipsel-uclibc-gcc -#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc -#CFLAGS += -Os -#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \ -# -I../WRT54GS/release/src/include -#LIBS = -lssl -############################################################################### - - -# Driver interface for Host AP driver -CONFIG_DRIVER_HOSTAP=y - -# Driver interface for Agere driver -#CONFIG_DRIVER_HERMES=y -# Change include directories to match with the local setup -#CFLAGS += -I../../hcf -I../../include -I../../include/hcf -#CFLAGS += -I../../include/wireless - -# Driver interface for madwifi driver -# Deprecated; use CONFIG_DRIVER_WEXT=y instead. -#CONFIG_DRIVER_MADWIFI=y -# Set include directory to the madwifi source tree -#CFLAGS += -I../../madwifi - -# Driver interface for ndiswrapper -# Deprecated; use CONFIG_DRIVER_WEXT=y instead. -#CONFIG_DRIVER_NDISWRAPPER=y - -# Driver interface for Atmel driver -# CONFIG_DRIVER_ATMEL=y - -# Driver interface for old Broadcom driver -# Please note that the newer Broadcom driver ("hybrid Linux driver") supports -# Linux wireless extensions and does not need (or even work) with the old -# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver. -#CONFIG_DRIVER_BROADCOM=y -# Example path for wlioctl.h; change to match your configuration -#CFLAGS += -I/opt/WRT54GS/release/src/include - -# Driver interface for Intel ipw2100/2200 driver -# Deprecated; use CONFIG_DRIVER_WEXT=y instead. -#CONFIG_DRIVER_IPW=y - -# Driver interface for Ralink driver -#CONFIG_DRIVER_RALINK=y - -# Driver interface for generic Linux wireless extensions -# Note: WEXT is deprecated in the current Linux kernel version and no new -# functionality is added to it. nl80211-based interface is the new -# replacement for WEXT and its use allows wpa_supplicant to properly control -# the driver to improve existing functionality like roaming and to support new -# functionality. -CONFIG_DRIVER_WEXT=y - -# Driver interface for Linux drivers using the nl80211 kernel interface -CONFIG_DRIVER_NL80211=y - -# driver_nl80211.c requires libnl. If you are compiling it yourself -# you may need to point hostapd to your version of libnl. -# -#CFLAGS += -I$<path to libnl include files> -#LIBS += -L$<path to libnl library files> - -# Use libnl v2.0 (or 3.0) libraries. -#CONFIG_LIBNL20=y - -# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) -CONFIG_LIBNL32=y - - -# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) -#CONFIG_DRIVER_BSD=y -#CFLAGS += -I/usr/local/include -#LIBS += -L/usr/local/lib -#LIBS_p += -L/usr/local/lib -#LIBS_c += -L/usr/local/lib - -# Driver interface for Windows NDIS -#CONFIG_DRIVER_NDIS=y -#CFLAGS += -I/usr/include/w32api/ddk -#LIBS += -L/usr/local/lib -# For native build using mingw -#CONFIG_NATIVE_WINDOWS=y -# Additional directories for cross-compilation on Linux host for mingw target -#CFLAGS += -I/opt/mingw/mingw32/include/ddk -#LIBS += -L/opt/mingw/mingw32/lib -#CC=mingw32-gcc -# By default, driver_ndis uses WinPcap for low-level operations. This can be -# replaced with the following option which replaces WinPcap calls with NDISUIO. -# However, this requires that WZC is disabled (net stop wzcsvc) before starting -# wpa_supplicant. -# CONFIG_USE_NDISUIO=y - -# Driver interface for development testing -#CONFIG_DRIVER_TEST=y - -# Driver interface for wired Ethernet drivers -CONFIG_DRIVER_WIRED=y - -# Driver interface for the Broadcom RoboSwitch family -#CONFIG_DRIVER_ROBOSWITCH=y - -# Driver interface for no driver (e.g., WPS ER only) -#CONFIG_DRIVER_NONE=y - -# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is -# included) -CONFIG_IEEE8021X_EAPOL=y - -# EAP-MD5 -CONFIG_EAP_MD5=y - -# EAP-MSCHAPv2 -CONFIG_EAP_MSCHAPV2=y - -# EAP-TLS -CONFIG_EAP_TLS=y - -# EAL-PEAP -CONFIG_EAP_PEAP=y - -# EAP-TTLS -CONFIG_EAP_TTLS=y - -# EAP-FAST -# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed -# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., -# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. -#CONFIG_EAP_FAST=y - -# EAP-GTC -CONFIG_EAP_GTC=y - -# EAP-OTP -CONFIG_EAP_OTP=y - -# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used) -#CONFIG_EAP_SIM=y - -# EAP-PSK (experimental; this is _not_ needed for WPA-PSK) -#CONFIG_EAP_PSK=y - -# EAP-pwd (secure authentication using only a password) -#CONFIG_EAP_PWD=y - -# EAP-PAX -#CONFIG_EAP_PAX=y - -# LEAP -CONFIG_EAP_LEAP=y - -# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used) -#CONFIG_EAP_AKA=y - -# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used). -# This requires CONFIG_EAP_AKA to be enabled, too. -#CONFIG_EAP_AKA_PRIME=y - -# Enable USIM simulator (Milenage) for EAP-AKA -#CONFIG_USIM_SIMULATOR=y - -# EAP-SAKE -#CONFIG_EAP_SAKE=y - -# EAP-GPSK -#CONFIG_EAP_GPSK=y -# Include support for optional SHA256 cipher suite in EAP-GPSK -#CONFIG_EAP_GPSK_SHA256=y - -# EAP-TNC and related Trusted Network Connect support (experimental) -#CONFIG_EAP_TNC=y - -# Wi-Fi Protected Setup (WPS) -CONFIG_WPS=y -# Enable WSC 2.0 support -#CONFIG_WPS2=y -# Enable WPS external registrar functionality -#CONFIG_WPS_ER=y -# Disable credentials for an open network by default when acting as a WPS -# registrar. -#CONFIG_WPS_REG_DISABLE_OPEN=y -# Enable WPS support with NFC config method -#CONFIG_WPS_NFC=y - -# EAP-IKEv2 -#CONFIG_EAP_IKEV2=y - -# EAP-EKE -#CONFIG_EAP_EKE=y - -# PKCS#12 (PFX) support (used to read private key and certificate file from -# a file that usually has extension .p12 or .pfx) -CONFIG_PKCS12=y - -# Smartcard support (i.e., private key on a smartcard), e.g., with openssl -# engine. -CONFIG_SMARTCARD=y - -# PC/SC interface for smartcards (USIM, GSM SIM) -# Enable this if EAP-SIM or EAP-AKA is included -#CONFIG_PCSC=y - -# Support HT overrides (disable HT/HT40, mask MCS rates, etc.) -#CONFIG_HT_OVERRIDES=y - -# Support VHT overrides (disable VHT, mask MCS rates, etc.) -#CONFIG_VHT_OVERRIDES=y - -# Development testing -#CONFIG_EAPOL_TEST=y - -# Select control interface backend for external programs, e.g, wpa_cli: -# unix = UNIX domain sockets (default for Linux/*BSD) -# udp = UDP sockets using localhost (127.0.0.1) -# named_pipe = Windows Named Pipe (default for Windows) -# udp-remote = UDP sockets with remote access (only for tests systems/purpose) -# y = use default (backwards compatibility) -# If this option is commented out, control interface is not included in the -# build. -CONFIG_CTRL_IFACE=y - -# Include support for GNU Readline and History Libraries in wpa_cli. -# When building a wpa_cli binary for distribution, please note that these -# libraries are licensed under GPL and as such, BSD license may not apply for -# the resulting binary. -#CONFIG_READLINE=y - -# Include internal line edit mode in wpa_cli. This can be used as a replacement -# for GNU Readline to provide limited command line editing and history support. -#CONFIG_WPA_CLI_EDIT=y - -# Remove debugging code that is printing out debug message to stdout. -# This can be used to reduce the size of the wpa_supplicant considerably -# if debugging code is not needed. The size reduction can be around 35% -# (e.g., 90 kB). -#CONFIG_NO_STDOUT_DEBUG=y - -# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save -# 35-50 kB in code size. -#CONFIG_NO_WPA=y - -# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support -# This option can be used to reduce code size by removing support for -# converting ASCII passphrases into PSK. If this functionality is removed, the -# PSK can only be configured as the 64-octet hexstring (e.g., from -# wpa_passphrase). This saves about 0.5 kB in code size. -#CONFIG_NO_WPA_PASSPHRASE=y - -# Disable scan result processing (ap_mode=1) to save code size by about 1 kB. -# This can be used if ap_scan=1 mode is never enabled. -#CONFIG_NO_SCAN_PROCESSING=y - -# Select configuration backend: -# file = text file (e.g., wpa_supplicant.conf; note: the configuration file -# path is given on command line, not here; this option is just used to -# select the backend that allows configuration files to be used) -# winreg = Windows registry (see win_example.reg for an example) -CONFIG_BACKEND=file - -# Remove configuration write functionality (i.e., to allow the configuration -# file to be updated based on runtime configuration changes). The runtime -# configuration can still be changed, the changes are just not going to be -# persistent over restarts. This option can be used to reduce code size by -# about 3.5 kB. -#CONFIG_NO_CONFIG_WRITE=y - -# Remove support for configuration blobs to reduce code size by about 1.5 kB. -#CONFIG_NO_CONFIG_BLOBS=y - -# Select program entry point implementation: -# main = UNIX/POSIX like main() function (default) -# main_winsvc = Windows service (read parameters from registry) -# main_none = Very basic example (development use only) -#CONFIG_MAIN=main - -# Select wrapper for operatins system and C library specific functions -# unix = UNIX/POSIX like systems (default) -# win32 = Windows systems -# none = Empty template -#CONFIG_OS=unix - -# Select event loop implementation -# eloop = select() loop (default) -# eloop_win = Windows events and WaitForMultipleObject() loop -#CONFIG_ELOOP=eloop - -# Should we use poll instead of select? Select is used by default. -#CONFIG_ELOOP_POLL=y - -# Select layer 2 packet implementation -# linux = Linux packet socket (default) -# pcap = libpcap/libdnet/WinPcap -# freebsd = FreeBSD libpcap -# winpcap = WinPcap with receive thread -# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y) -# none = Empty template -#CONFIG_L2_PACKET=linux - -# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) -CONFIG_PEERKEY=y - -# IEEE 802.11w (management frame protection), also known as PMF -# Driver support is also needed for IEEE 802.11w. -#CONFIG_IEEE80211W=y - -# Select TLS implementation -# openssl = OpenSSL (default) -# gnutls = GnuTLS -# internal = Internal TLSv1 implementation (experimental) -# none = Empty template -#CONFIG_TLS=openssl - -# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) -# can be enabled to get a stronger construction of messages when block ciphers -# are used. It should be noted that some existing TLS v1.0 -based -# implementation may not be compatible with TLS v1.1 message (ClientHello is -# sent prior to negotiating which version will be used) -#CONFIG_TLSV11=y - -# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) -# can be enabled to enable use of stronger crypto algorithms. It should be -# noted that some existing TLS v1.0 -based implementation may not be compatible -# with TLS v1.2 message (ClientHello is sent prior to negotiating which version -# will be used) -#CONFIG_TLSV12=y - -# If CONFIG_TLS=internal is used, additional library and include paths are -# needed for LibTomMath. Alternatively, an integrated, minimal version of -# LibTomMath can be used. See beginning of libtommath.c for details on benefits -# and drawbacks of this option. -#CONFIG_INTERNAL_LIBTOMMATH=y -#ifndef CONFIG_INTERNAL_LIBTOMMATH -#LTM_PATH=/usr/src/libtommath-0.39 -#CFLAGS += -I$(LTM_PATH) -#LIBS += -L$(LTM_PATH) -#LIBS_p += -L$(LTM_PATH) -#endif -# At the cost of about 4 kB of additional binary size, the internal LibTomMath -# can be configured to include faster routines for exptmod, sqr, and div to -# speed up DH and RSA calculation considerably -#CONFIG_INTERNAL_LIBTOMMATH_FAST=y - -# Include NDIS event processing through WMI into wpa_supplicant/wpasvc. -# This is only for Windows builds and requires WMI-related header files and -# WbemUuid.Lib from Platform SDK even when building with MinGW. -#CONFIG_NDIS_EVENTS_INTEGRATED=y -#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib" - -# Add support for old DBus control interface -# (fi.epitest.hostap.WPASupplicant) -#CONFIG_CTRL_IFACE_DBUS=y - -# Add support for new DBus control interface -# (fi.w1.hostap.wpa_supplicant1) -CONFIG_CTRL_IFACE_DBUS_NEW=y - -# Add introspection support for new DBus control interface -#CONFIG_CTRL_IFACE_DBUS_INTRO=y - -# Add support for loading EAP methods dynamically as shared libraries. -# When this option is enabled, each EAP method can be either included -# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn). -# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to -# be loaded in the beginning of the wpa_supplicant configuration file -# (see load_dynamic_eap parameter in the example file) before being used in -# the network blocks. -# -# Note that some shared parts of EAP methods are included in the main program -# and in order to be able to use dynamic EAP methods using these parts, the -# main program must have been build with the EAP method enabled (=y or =dyn). -# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries -# unless at least one of them was included in the main build to force inclusion -# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included -# in the main build to be able to load these methods dynamically. -# -# Please also note that using dynamic libraries will increase the total binary -# size. Thus, it may not be the best option for targets that have limited -# amount of memory/flash. -#CONFIG_DYNAMIC_EAP_METHODS=y - -# IEEE Std 802.11r-2008 (Fast BSS Transition) -#CONFIG_IEEE80211R=y - -# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) -#CONFIG_DEBUG_FILE=y - -# Send debug messages to syslog instead of stdout -#CONFIG_DEBUG_SYSLOG=y -# Set syslog facility for debug messages -#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON - -# Add support for sending all debug messages (regardless of debug verbosity) -# to the Linux kernel tracing facility. This helps debug the entire stack by -# making it easy to record everything happening from the driver up into the -# same file, e.g., using trace-cmd. -#CONFIG_DEBUG_LINUX_TRACING=y - -# Enable privilege separation (see README 'Privilege separation' for details) -#CONFIG_PRIVSEP=y - -# Enable mitigation against certain attacks against TKIP by delaying Michael -# MIC error reports by a random amount of time between 0 and 60 seconds -#CONFIG_DELAYED_MIC_ERROR_REPORT=y - -# Enable tracing code for developer debugging -# This tracks use of memory allocations and other registrations and reports -# incorrect use with a backtrace of call (or allocation) location. -#CONFIG_WPA_TRACE=y -# For BSD, uncomment these. -#LIBS += -lexecinfo -#LIBS_p += -lexecinfo -#LIBS_c += -lexecinfo - -# Use libbfd to get more details for developer debugging -# This enables use of libbfd to get more detailed symbols for the backtraces -# generated by CONFIG_WPA_TRACE=y. -#CONFIG_WPA_TRACE_BFD=y -# For BSD, uncomment these. -#LIBS += -lbfd -liberty -lz -#LIBS_p += -lbfd -liberty -lz -#LIBS_c += -lbfd -liberty -lz - -CONFIG_TLS = %ssl% -CONFIG_CTRL_IFACE_DBUS=y -CONFIG_CTRL_IFACE_DBUS_NEW=y - -# wpa_supplicant depends on strong random number generation being available -# from the operating system. os_get_random() function is used to fetch random -# data when needed, e.g., for key generation. On Linux and BSD systems, this -# works by reading /dev/urandom. It should be noted that the OS entropy pool -# needs to be properly initialized before wpa_supplicant is started. This is -# important especially on embedded devices that do not have a hardware random -# number generator and may by default start up with minimal entropy available -# for random number generation. -# -# As a safety net, wpa_supplicant is by default trying to internally collect -# additional entropy for generating random data to mix in with the data fetched -# from the OS. This by itself is not considered to be very strong, but it may -# help in cases where the system pool is not initialized properly. However, it -# is very strongly recommended that the system pool is initialized with enough -# entropy either by using hardware assisted random number generator or by -# storing state over device reboots. -# -# wpa_supplicant can be configured to maintain its own entropy store over -# restarts to enhance random number generation. This is not perfect, but it is -# much more secure than using the same sequence of random numbers after every -# reboot. This can be enabled with -e<entropy file> command line option. The -# specified file needs to be readable and writable by wpa_supplicant. -# -# If the os_get_random() is known to provide strong random data (e.g., on -# Linux/BSD, the board in question is known to have reliable source of random -# data from /dev/urandom), the internal wpa_supplicant random pool can be -# disabled. This will save some in binary size and CPU use. However, this -# should only be considered for builds that are known to be used on devices -# that meet the requirements described above. -#CONFIG_NO_RANDOM_POOL=y - -# IEEE 802.11n (High Throughput) support (mainly for AP mode) -#CONFIG_IEEE80211N=y - -# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode) -# (depends on CONFIG_IEEE80211N) -#CONFIG_IEEE80211AC=y - -# Wireless Network Management (IEEE Std 802.11v-2011) -# Note: This is experimental and not complete implementation. -#CONFIG_WNM=y - -# Interworking (IEEE 802.11u) -# This can be used to enable functionality to improve interworking with -# external networks (GAS/ANQP to learn more about the networks and network -# selection based on available credentials). -#CONFIG_INTERWORKING=y - -# Hotspot 2.0 -#CONFIG_HS20=y - -# Disable roaming in wpa_supplicant -#CONFIG_NO_ROAMING=y - -# AP mode operations with wpa_supplicant -# This can be used for controlling AP mode operations with wpa_supplicant. It -# should be noted that this is mainly aimed at simple cases like -# WPA2-Personal while more complex configurations like WPA2-Enterprise with an -# external RADIUS server can be supported with hostapd. -CONFIG_AP=y - -CONFIG_BGSCAN_SIMPLE=y - -# P2P (Wi-Fi Direct) -# This can be used to enable P2P support in wpa_supplicant. See README-P2P for -# more information on P2P operations. -#CONFIG_P2P=y - -# Enable TDLS support -#CONFIG_TDLS=y - -# Wi-Fi Direct -# This can be used to enable Wi-Fi Direct extensions for P2P using an external -# program to control the additional information exchanges in the messages. -#CONFIG_WIFI_DISPLAY=y - -# Autoscan -# This can be used to enable automatic scan support in wpa_supplicant. -# See wpa_supplicant.conf for more information on autoscan usage. -# -# Enabling directly a module will enable autoscan support. -# For exponential module: -CONFIG_AUTOSCAN_EXPONENTIAL=y -# For periodic module: -#CONFIG_AUTOSCAN_PERIODIC=y - -# Password (and passphrase, etc.) backend for external storage -# These optional mechanisms can be used to add support for storing passwords -# and other secrets in external (to wpa_supplicant) location. This allows, for -# example, operating system specific key storage to be used -# -# External password backend for testing purposes (developer use) -#CONFIG_EXT_PASSWORD_TEST=y diff --git a/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa-supplicant.sh b/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa-supplicant.sh deleted file mode 100644 index 35a1aa6..0000000 --- a/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa-supplicant.sh +++ /dev/null @@ -1,86 +0,0 @@ -#!/bin/sh - - -WPA_SUP_BIN="/usr/sbin/wpa_supplicant" -WPA_SUP_PNAME="wpa_supplicant" -WPA_SUP_PIDFILE="/var/run/wpa_supplicant.$IFACE.pid" -WPA_COMMON_CTRL_IFACE="/var/run/wpa_supplicant" -WPA_SUP_OPTIONS="-B -P $WPA_SUP_PIDFILE -i $IFACE" - -VERBOSITY=0 - - -if [ -s "$IF_WPA_CONF" ]; then - WPA_SUP_CONF="-c $IF_WPA_CONF" -else - exit 0 -fi - -if [ ! -x "$WPA_SUP_BIN" ]; then - - if [ "$VERBOSITY" = "1" ]; then - echo "$WPA_SUP_PNAME: binaries not executable or missing from $WPA_SUP_BIN" - fi - - exit 1 -fi - -if [ "$MODE" = "start" ] ; then - # driver type of interface, defaults to wext when undefined - if [ -s "/etc/wpa_supplicant/driver.$IFACE" ]; then - IF_WPA_DRIVER=$(cat "/etc/wpa_supplicant/driver.$IFACE") - elif [ -z "$IF_WPA_DRIVER" ]; then - - if [ "$VERBOSITY" = "1" ]; then - echo "$WPA_SUP_PNAME: wpa-driver not provided, using \"wext\"" - fi - - IF_WPA_DRIVER="wext" - fi - - # if we have passed the criteria, start wpa_supplicant - if [ -n "$WPA_SUP_CONF" ]; then - - if [ "$VERBOSITY" = "1" ]; then - echo "$WPA_SUP_PNAME: $WPA_SUP_BIN $WPA_SUP_OPTIONS $WPA_SUP_CONF -D $IF_WPA_DRIVER" - fi - - start-stop-daemon --start --quiet \ - --name $WPA_SUP_PNAME --startas $WPA_SUP_BIN --pidfile $WPA_SUP_PIDFILE \ - -- $WPA_SUP_OPTIONS $WPA_SUP_CONF -D $IF_WPA_DRIVER - fi - - # if the interface socket exists, then wpa_supplicant was invoked successfully - if [ -S "$WPA_COMMON_CTRL_IFACE/$IFACE" ]; then - - if [ "$VERBOSITY" = "1" ]; then - echo "$WPA_SUP_PNAME: ctrl_interface socket located at $WPA_COMMON_CTRL_IFACE/$IFACE" - fi - - exit 0 - - fi - -elif [ "$MODE" = "stop" ]; then - - if [ -f "$WPA_SUP_PIDFILE" ]; then - - if [ "$VERBOSITY" = "1" ]; then - echo "$WPA_SUP_PNAME: terminating $WPA_SUP_PNAME daemon" - fi - - start-stop-daemon --stop --quiet \ - --name $WPA_SUP_PNAME --pidfile $WPA_SUP_PIDFILE - - if [ -S "$WPA_COMMON_CTRL_IFACE/$IFACE" ]; then - rm -f $WPA_COMMON_CTRL_IFACE/$IFACE - fi - - if [ -f "$WPA_SUP_PIDFILE" ]; then - rm -f $WPA_SUP_PIDFILE - fi - fi - -fi - -exit 0 diff --git a/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant.conf b/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant.conf deleted file mode 100644 index 68258f5..0000000 --- a/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant.conf +++ /dev/null @@ -1,690 +0,0 @@ -##### Example wpa_supplicant configuration file ############################### -# -# This file describes configuration file format and lists all available option. -# Please also take a look at simpler configuration examples in 'examples' -# subdirectory. -# -# Empty lines and lines starting with # are ignored - -# NOTE! This file may contain password information and should probably be made -# readable only by root user on multiuser systems. - -# Note: All file paths in this configuration file should use full (absolute, -# not relative to working directory) path in order to allow working directory -# to be changed. This can happen if wpa_supplicant is run in the background. - -# Whether to allow wpa_supplicant to update (overwrite) configuration -# -# This option can be used to allow wpa_supplicant to overwrite configuration -# file whenever configuration is changed (e.g., new network block is added with -# wpa_cli or wpa_gui, or a password is changed). This is required for -# wpa_cli/wpa_gui to be able to store the configuration changes permanently. -# Please note that overwriting configuration file will remove the comments from -# it. -#update_config=1 - -# global configuration (shared by all network blocks) -# -# Parameters for the control interface. If this is specified, wpa_supplicant -# will open a control interface that is available for external programs to -# manage wpa_supplicant. The meaning of this string depends on which control -# interface mechanism is used. For all cases, the existence of this parameter -# in configuration is used to determine whether the control interface is -# enabled. -# -# For UNIX domain sockets (default on Linux and BSD): This is a directory that -# will be created for UNIX domain sockets for listening to requests from -# external programs (CLI/GUI, etc.) for status information and configuration. -# The socket file will be named based on the interface name, so multiple -# wpa_supplicant processes can be run at the same time if more than one -# interface is used. -# /var/run/wpa_supplicant is the recommended directory for sockets and by -# default, wpa_cli will use it when trying to connect with wpa_supplicant. -# -# Access control for the control interface can be configured by setting the -# directory to allow only members of a group to use sockets. This way, it is -# possible to run wpa_supplicant as root (since it needs to change network -# configuration and open raw sockets) and still allow GUI/CLI components to be -# run as non-root users. However, since the control interface can be used to -# change the network configuration, this access needs to be protected in many -# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you -# want to allow non-root users to use the control interface, add a new group -# and change this value to match with that group. Add users that should have -# control interface access to this group. If this variable is commented out or -# not included in the configuration file, group will not be changed from the -# value it got by default when the directory or socket was created. -# -# When configuring both the directory and group, use following format: -# DIR=/var/run/wpa_supplicant GROUP=wheel -# DIR=/var/run/wpa_supplicant GROUP=0 -# (group can be either group name or gid) -# -# For UDP connections (default on Windows): The value will be ignored. This -# variable is just used to select that the control interface is to be created. -# The value can be set to, e.g., udp (ctrl_interface=udp) -# -# For Windows Named Pipe: This value can be used to set the security descriptor -# for controlling access to the control interface. Security descriptor can be -# set using Security Descriptor String Format (see http://msdn.microsoft.com/ -# library/default.asp?url=/library/en-us/secauthz/security/ -# security_descriptor_string_format.asp). The descriptor string needs to be -# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty -# DACL (which will reject all connections). See README-Windows.txt for more -# information about SDDL string format. -# -ctrl_interface=/var/run/wpa_supplicant - -# IEEE 802.1X/EAPOL version -# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines -# EAPOL version 2. However, there are many APs that do not handle the new -# version number correctly (they seem to drop the frames completely). In order -# to make wpa_supplicant interoperate with these APs, the version number is set -# to 1 by default. This configuration value can be used to set it to the new -# version (2). -eapol_version=1 - -# AP scanning/selection -# By default, wpa_supplicant requests driver to perform AP scanning and then -# uses the scan results to select a suitable AP. Another alternative is to -# allow the driver to take care of AP scanning and selection and use -# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association -# information from the driver. -# 1: wpa_supplicant initiates scanning and AP selection -# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association -# parameters (e.g., WPA IE generation); this mode can also be used with -# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with -# APs (i.e., external program needs to control association). This mode must -# also be used when using wired Ethernet drivers. -# 2: like 0, but associate with APs using security policy and SSID (but not -# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to -# enable operation with hidden SSIDs and optimized roaming; in this mode, -# the network blocks in the configuration file are tried one by one until -# the driver reports successful association; each network block should have -# explicit security policy (i.e., only one option in the lists) for -# key_mgmt, pairwise, group, proto variables -ap_scan=1 - -# EAP fast re-authentication -# By default, fast re-authentication is enabled for all EAP methods that -# support it. This variable can be used to disable fast re-authentication. -# Normally, there is no need to disable this. -fast_reauth=1 - -# OpenSSL Engine support -# These options can be used to load OpenSSL engines. -# The two engines that are supported currently are shown below: -# They are both from the opensc project (http://www.opensc.org/) -# By default no engines are loaded. -# make the opensc engine available -#opensc_engine_path=/usr/lib/opensc/engine_opensc.so -# make the pkcs11 engine available -#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so -# configure the path to the pkcs11 module required by the pkcs11 engine -#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so - -# Dynamic EAP methods -# If EAP methods were built dynamically as shared object files, they need to be -# loaded here before being used in the network blocks. By default, EAP methods -# are included statically in the build, so these lines are not needed -#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so -#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so - -# Driver interface parameters -# This field can be used to configure arbitrary driver interace parameters. The -# format is specific to the selected driver interface. This field is not used -# in most cases. -#driver_param="field=value" - -# Maximum lifetime for PMKSA in seconds; default 43200 -#dot11RSNAConfigPMKLifetime=43200 -# Threshold for reauthentication (percentage of PMK lifetime); default 70 -#dot11RSNAConfigPMKReauthThreshold=70 -# Timeout for security association negotiation in seconds; default 60 -#dot11RSNAConfigSATimeout=60 - -# network block -# -# Each network (usually AP's sharing the same SSID) is configured as a separate -# block in this configuration file. The network blocks are in preference order -# (the first match is used). -# -# network block fields: -# -# disabled: -# 0 = this network can be used (default) -# 1 = this network block is disabled (can be enabled through ctrl_iface, -# e.g., with wpa_cli or wpa_gui) -# -# id_str: Network identifier string for external scripts. This value is passed -# to external action script through wpa_cli as WPA_ID_STR environment -# variable to make it easier to do network specific configuration. -# -# ssid: SSID (mandatory); either as an ASCII string with double quotation or -# as hex string; network name -# -# scan_ssid: -# 0 = do not scan this SSID with specific Probe Request frames (default) -# 1 = scan with SSID-specific Probe Request frames (this can be used to -# find APs that do not accept broadcast SSID or use multiple SSIDs; -# this will add latency to scanning, so enable this only when needed) -# -# bssid: BSSID (optional); if set, this network block is used only when -# associating with the AP using the configured BSSID -# -# priority: priority group (integer) -# By default, all networks will get same priority group (0). If some of the -# networks are more desirable, this field can be used to change the order in -# which wpa_supplicant goes through the networks when selecting a BSS. The -# priority groups will be iterated in decreasing priority (i.e., the larger the -# priority value, the sooner the network is matched against the scan results). -# Within each priority group, networks will be selected based on security -# policy, signal strength, etc. -# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not -# using this priority to select the order for scanning. Instead, they try the -# networks in the order that used in the configuration file. -# -# mode: IEEE 802.11 operation mode -# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) -# 1 = IBSS (ad-hoc, peer-to-peer) -# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) -# and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In addition, ap_scan has -# to be set to 2 for IBSS. WPA-None requires following network block options: -# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not -# both), and psk must also be set. -# -# proto: list of accepted protocols -# WPA = WPA/IEEE 802.11i/D3.0 -# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) -# If not set, this defaults to: WPA RSN -# -# key_mgmt: list of accepted authenticated key management protocols -# WPA-PSK = WPA pre-shared key (this requires 'psk' field) -# WPA-EAP = WPA using EAP authentication (this can use an external -# program, e.g., Xsupplicant, for IEEE 802.1X EAP Authentication -# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically -# generated WEP keys -# NONE = WPA is not used; plaintext or static WEP could be used -# If not set, this defaults to: WPA-PSK WPA-EAP -# -# auth_alg: list of allowed IEEE 802.11 authentication algorithms -# OPEN = Open System authentication (required for WPA/WPA2) -# SHARED = Shared Key authentication (requires static WEP keys) -# LEAP = LEAP/Network EAP (only used with LEAP) -# If not set, automatic selection is used (Open System with LEAP enabled if -# LEAP is allowed as one of the EAP methods). -# -# pairwise: list of accepted pairwise (unicast) ciphers for WPA -# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] -# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] -# NONE = Use only Group Keys (deprecated, should not be included if APs support -# pairwise keys) -# If not set, this defaults to: CCMP TKIP -# -# group: list of accepted group (broadcast/multicast) ciphers for WPA -# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] -# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] -# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key -# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] -# If not set, this defaults to: CCMP TKIP WEP104 WEP40 -# -# psk: WPA preshared key; 256-bit pre-shared key -# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., -# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be -# generated using the passphrase and SSID). ASCII passphrase must be between -# 8 and 63 characters (inclusive). -# This field is not needed, if WPA-EAP is used. -# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys -# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant -# startup and reconfiguration time can be optimized by generating the PSK only -# only when the passphrase or SSID has actually changed. -# -# eapol_flags: IEEE 802.1X/EAPOL options (bit field) -# Dynamic WEP key required for non-WPA mode -# bit0 (1): require dynamically generated unicast WEP key -# bit1 (2): require dynamically generated broadcast WEP key -# (3 = require both keys; default) -# Note: When using wired authentication, eapol_flags must be set to 0 for the -# authentication to be completed successfully. -# -# proactive_key_caching: -# Enable/disable opportunistic PMKSA caching for WPA2. -# 0 = disabled (default) -# 1 = enabled -# -# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or -# hex without quotation, e.g., 0102030405) -# wep_tx_keyidx: Default WEP key index (TX) (0..3) -# -# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is -# allowed. This is only used with RSN/WPA2. -# 0 = disabled (default) -# 1 = enabled -#peerkey=1 -# -# Following fields are only used with internal EAP implementation. -# eap: space-separated list of accepted EAP methods -# MD5 = EAP-MD5 (unsecure and does not generate keying material -> -# cannot be used with WPA; to be used as a Phase 2 method -# with EAP-PEAP or EAP-TTLS) -# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used -# as a Phase 2 method with EAP-PEAP or EAP-TTLS) -# OTP = EAP-OTP (cannot be used separately with WPA; to be used -# as a Phase 2 method with EAP-PEAP or EAP-TTLS) -# GTC = EAP-GTC (cannot be used separately with WPA; to be used -# as a Phase 2 method with EAP-PEAP or EAP-TTLS) -# TLS = EAP-TLS (client and server certificate) -# PEAP = EAP-PEAP (with tunnelled EAP authentication) -# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 -# authentication) -# If not set, all compiled in methods are allowed. -# -# identity: Identity string for EAP -# anonymous_identity: Anonymous identity string for EAP (to be used as the -# unencrypted identity with EAP types that support different tunnelled -# identity, e.g., EAP-TTLS) -# password: Password string for EAP -# ca_cert: File path to CA certificate file (PEM/DER). This file can have one -# or more trusted CA certificates. If ca_cert and ca_path are not -# included, server certificate will not be verified. This is insecure and -# a trusted CA certificate should always be configured when using -# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may -# change when wpa_supplicant is run in the background. -# On Windows, trusted CA certificates can be loaded from the system -# certificate store by setting this to cert_store://<name>, e.g., -# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". -# Note that when running wpa_supplicant as an application, the user -# certificate store (My user account) is used, whereas computer store -# (Computer account) is used when running wpasvc as a service. -# ca_path: Directory path for CA certificate files (PEM). This path may -# contain multiple CA certificates in OpenSSL format. Common use for this -# is to point to system trusted CA list which is often installed into -# directory like /etc/ssl/certs. If configured, these certificates are -# added to the list of trusted CAs. ca_cert may also be included in that -# case, but it is not required. -# client_cert: File path to client certificate file (PEM/DER) -# Full path should be used since working directory may change when -# wpa_supplicant is run in the background. -# Alternatively, a named configuration blob can be used by setting this -# to blob://<blob name>. -# private_key: File path to client private key file (PEM/DER/PFX) -# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be -# commented out. Both the private key and certificate will be read from -# the PKCS#12 file in this case. Full path should be used since working -# directory may change when wpa_supplicant is run in the background. -# Windows certificate store can be used by leaving client_cert out and -# configuring private_key in one of the following formats: -# cert://substring_to_match -# hash://certificate_thumbprint_in_hex -# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" -# Note that when running wpa_supplicant as an application, the user -# certificate store (My user account) is used, whereas computer store -# (Computer account) is used when running wpasvc as a service. -# Alternatively, a named configuration blob can be used by setting this -# to blob://<blob name>. -# private_key_passwd: Password for private key file (if left out, this will be -# asked through control interface) -# dh_file: File path to DH/DSA parameters file (in PEM format) -# This is an optional configuration file for setting parameters for an -# ephemeral DH key exchange. In most cases, the default RSA -# authentication does not use this configuration. However, it is possible -# setup RSA to use ephemeral DH key exchange. In addition, ciphers with -# DSA keys always use ephemeral DH keys. This can be used to achieve -# forward secrecy. If the file is in DSA parameters format, it will be -# automatically converted into DH params. -# subject_match: Substring to be matched against the subject of the -# authentication server certificate. If this string is set, the server -# sertificate is only accepted if it contains this string in the subject. -# The subject string is in following format: -# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com -# altsubject_match: Semicolon separated string of entries to be matched against -# the alternative subject name of the authentication server certificate. -# If this string is set, the server sertificate is only accepted if it -# contains one of the entries in an alternative subject name extension. -# altSubjectName string is in following format: TYPE:VALUE -# Example: EMAIL:server@example.com -# Example: DNS:server.example.com;DNS:server2.example.com -# Following types are supported: EMAIL, DNS, URI -# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters -# (string with field-value pairs, e.g., "peapver=0" or -# "peapver=1 peaplabel=1") -# 'peapver' can be used to force which PEAP version (0 or 1) is used. -# 'peaplabel=1' can be used to force new label, "client PEAP encryption", -# to be used during key derivation when PEAPv1 or newer. Most existing -# PEAPv1 implementation seem to be using the old label, "client EAP -# encryption", and wpa_supplicant is now using that as the default value. -# Some servers, e.g., Radiator, may require peaplabel=1 configuration to -# interoperate with PEAPv1; see eap_testing.txt for more details. -# 'peap_outer_success=0' can be used to terminate PEAP authentication on -# tunneled EAP-Success. This is required with some RADIUS servers that -# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., -# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) -# include_tls_length=1 can be used to force wpa_supplicant to include -# TLS Message Length field in all TLS messages even if they are not -# fragmented. -# sim_min_num_chal=3 can be used to configure EAP-SIM to require three -# challenges (by default, it accepts 2 or 3) -# phase2: Phase2 (inner authentication with TLS tunnel) parameters -# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or -# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) -# Following certificate/private key fields are used in inner Phase2 -# authentication when using EAP-TTLS or EAP-PEAP. -# ca_cert2: File path to CA certificate file. This file can have one or more -# trusted CA certificates. If ca_cert2 and ca_path2 are not included, -# server certificate will not be verified. This is insecure and a trusted -# CA certificate should always be configured. -# ca_path2: Directory path for CA certificate files (PEM) -# client_cert2: File path to client certificate file -# private_key2: File path to client private key file -# private_key2_passwd: Password for private key file -# dh_file2: File path to DH/DSA parameters file (in PEM format) -# subject_match2: Substring to be matched against the subject of the -# authentication server certificate. -# altsubject_match2: Substring to be matched against the alternative subject -# name of the authentication server certificate. -# -# fragment_size: Maximum EAP fragment size in bytes (default 1398). -# This value limits the fragment size for EAP methods that support -# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set -# small enough to make the EAP messages fit in MTU of the network -# interface used for EAPOL. The default value is suitable for most -# cases. -# -# EAP-PSK variables: -# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format -# nai: user NAI -# -# EAP-PAX variables: -# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format -# -# EAP-SAKE variables: -# eappsk: 32-byte (256-bit, 64 hex digits) pre-shared key in hex format -# (this is concatenation of Root-Secret-A and Root-Secret-B) -# nai: user NAI (PEERID) -# -# EAP-GPSK variables: -# eappsk: Pre-shared key in hex format (at least 128 bits, i.e., 32 hex digits) -# nai: user NAI (ID_Client) -# -# EAP-FAST variables: -# pac_file: File path for the PAC entries. wpa_supplicant will need to be able -# to create this file and write updates to it when PAC is being -# provisioned or refreshed. Full path to the file should be used since -# working directory may change when wpa_supplicant is run in the -# background. Alternatively, a named configuration blob can be used by -# setting this to blob://<blob name> -# phase1: fast_provisioning=1 option enables in-line provisioning of EAP-FAST -# credentials (PAC) -# -# wpa_supplicant supports number of "EAP workarounds" to work around -# interoperability issues with incorrectly behaving authentication servers. -# These are enabled by default because some of the issues are present in large -# number of authentication servers. Strict EAP conformance mode can be -# configured by disabling workarounds with eap_workaround=0. - -# Example blocks: - -# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers -network={ - ssid="simple" - psk="very secret passphrase" - priority=5 -} - -# Same as previous, but request SSID-specific scanning (for APs that reject -# broadcast SSID) -network={ - ssid="second ssid" - scan_ssid=1 - psk="very secret passphrase" - priority=2 -} - -# Only WPA-PSK is used. Any valid cipher combination is accepted. -network={ - ssid="example" - proto=WPA - key_mgmt=WPA-PSK - pairwise=CCMP TKIP - group=CCMP TKIP WEP104 WEP40 - psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb - priority=2 -} - -# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 -# or WEP40 as the group cipher will not be accepted. -network={ - ssid="example" - proto=RSN - key_mgmt=WPA-EAP - pairwise=CCMP TKIP - group=CCMP TKIP - eap=TLS - identity="user@example.com" - ca_cert="/etc/cert/ca.pem" - client_cert="/etc/cert/user.pem" - private_key="/etc/cert/user.prv" - private_key_passwd="password" - priority=1 -} - -# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel -# (e.g., Radiator) -network={ - ssid="example" - key_mgmt=WPA-EAP - eap=PEAP - identity="user@example.com" - password="foobar" - ca_cert="/etc/cert/ca.pem" - phase1="peaplabel=1" - phase2="auth=MSCHAPV2" - priority=10 -} - -# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the -# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. -network={ - ssid="example" - key_mgmt=WPA-EAP - eap=TTLS - identity="user@example.com" - anonymous_identity="anonymous@example.com" - password="foobar" - ca_cert="/etc/cert/ca.pem" - priority=2 -} - -# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted -# use. Real identity is sent only within an encrypted TLS tunnel. -network={ - ssid="example" - key_mgmt=WPA-EAP - eap=TTLS - identity="user@example.com" - anonymous_identity="anonymous@example.com" - password="foobar" - ca_cert="/etc/cert/ca.pem" - phase2="auth=MSCHAPV2" -} - -# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner -# authentication. -network={ - ssid="example" - key_mgmt=WPA-EAP - eap=TTLS - # Phase1 / outer authentication - anonymous_identity="anonymous@example.com" - ca_cert="/etc/cert/ca.pem" - # Phase 2 / inner authentication - phase2="autheap=TLS" - ca_cert2="/etc/cert/ca2.pem" - client_cert2="/etc/cer/user.pem" - private_key2="/etc/cer/user.prv" - private_key2_passwd="password" - priority=2 -} - -# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and -# group cipher. -network={ - ssid="example" - bssid=00:11:22:33:44:55 - proto=WPA RSN - key_mgmt=WPA-PSK WPA-EAP - pairwise=CCMP - group=CCMP - psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb -} - -# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP -# and all valid ciphers. -network={ - ssid=00010203 - psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f -} - - -# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using -# EAP-TLS for authentication and key generation; require both unicast and -# broadcast WEP keys. -network={ - ssid="1x-test" - key_mgmt=IEEE8021X - eap=TLS - identity="user@example.com" - ca_cert="/etc/cert/ca.pem" - client_cert="/etc/cert/user.pem" - private_key="/etc/cert/user.prv" - private_key_passwd="password" - eapol_flags=3 -} - - -# LEAP with dynamic WEP keys -network={ - ssid="leap-example" - key_mgmt=IEEE8021X - eap=LEAP - identity="user" - password="foobar" -} - -# Plaintext connection (no WPA, no IEEE 802.1X) -network={ - ssid="plaintext-test" - key_mgmt=NONE -} - - -# Shared WEP key connection (no WPA, no IEEE 802.1X) -network={ - ssid="static-wep-test" - key_mgmt=NONE - wep_key0="abcde" - wep_key1=0102030405 - wep_key2="1234567890123" - wep_tx_keyidx=0 - priority=5 -} - - -# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key -# IEEE 802.11 authentication -network={ - ssid="static-wep-test2" - key_mgmt=NONE - wep_key0="abcde" - wep_key1=0102030405 - wep_key2="1234567890123" - wep_tx_keyidx=0 - priority=5 - auth_alg=SHARED -} - - -# IBSS/ad-hoc network with WPA-None/TKIP. -network={ - ssid="test adhoc" - mode=1 - proto=WPA - key_mgmt=WPA-NONE - pairwise=NONE - group=TKIP - psk="secret passphrase" -} - - -# Catch all example that allows more or less all configuration modes -network={ - ssid="example" - scan_ssid=1 - key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE - pairwise=CCMP TKIP - group=CCMP TKIP WEP104 WEP40 - psk="very secret passphrase" - eap=TTLS PEAP TLS - identity="user@example.com" - password="foobar" - ca_cert="/etc/cert/ca.pem" - client_cert="/etc/cert/user.pem" - private_key="/etc/cert/user.prv" - private_key_passwd="password" - phase1="peaplabel=0" -} - -# Example of EAP-TLS with smartcard (openssl engine) -network={ - ssid="example" - key_mgmt=WPA-EAP - eap=TLS - proto=RSN - pairwise=CCMP TKIP - group=CCMP TKIP - identity="user@example.com" - ca_cert="/etc/cert/ca.pem" - client_cert="/etc/cert/user.pem" - - engine=1 - - # The engine configured here must be available. Look at - # OpenSSL engine support in the global section. - # The key available through the engine must be the private key - # matching the client certificate configured above. - - # use the opensc engine - #engine_id="opensc" - #key_id="45" - - # use the pkcs11 engine - engine_id="pkcs11" - key_id="id_45" - - # Optional PIN configuration; this can be left out and PIN will be - # asked through the control interface - pin="1234" -} - -# Example configuration showing how to use an inlined blob as a CA certificate -# data instead of using external file -network={ - ssid="example" - key_mgmt=WPA-EAP - eap=TTLS - identity="user@example.com" - anonymous_identity="anonymous@example.com" - password="foobar" - ca_cert="blob://exampleblob" - priority=20 -} - -blob-base64-exampleblob={ -SGVsbG8gV29ybGQhCg== -} - - -# Wildcard match for SSID (plaintext APs only). This example select any -# open AP regardless of its SSID. -network={ - key_mgmt=NONE -} diff --git a/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant.conf-sane b/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant.conf-sane deleted file mode 100644 index c91ffe0..0000000 --- a/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant.conf-sane +++ /dev/null @@ -1,7 +0,0 @@ -ctrl_interface=/var/run/wpa_supplicant -ctrl_interface_group=0 -update_config=1 - -network={ - key_mgmt=NONE -} diff --git a/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.8.bb b/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.8.bb deleted file mode 100644 index bd4167c..0000000 --- a/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.8.bb +++ /dev/null @@ -1,109 +0,0 @@ -SUMMARY = "Client for Wi-Fi Protected Access (WPA)" -HOMEPAGE = "http://w1.fi/wpa_supplicant/" -BUGTRACKER = "http://w1.fi/security/" -SECTION = "network" -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://COPYING;md5=279b4f5abb9c153c285221855ddb78cc \ - file://README;beginline=1;endline=56;md5=e7d3dbb01f75f0b9799e192731d1e1ff \ - file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=0a8b56d3543498b742b9c0e94cc2d18b" -DEPENDS = "dbus libnl" -RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli" - -PACKAGECONFIG ??= "gnutls" -PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt" -PACKAGECONFIG[openssl] = ",,openssl" - -inherit pkgconfig systemd - -SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service wpa_supplicant-nl80211@.service wpa_supplicant-wired@.service" -SYSTEMD_AUTO_ENABLE = "disable" - -SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ - file://defconfig \ - file://wpa-supplicant.sh \ - file://wpa_supplicant.conf \ - file://wpa_supplicant.conf-sane \ - file://99_wpa_supplicant \ - file://0001-replace-systemd-install-Alias-with-WantedBy.patch \ - " -SRC_URI[md5sum] = "0af5998c5d924e985cab16b9a1c77904" -SRC_URI[sha256sum] = "a689336a12a99151b9de5e25bfccadb88438f4f4438eb8db331cd94346fd3d96" - -CVE_PRODUCT = "wpa_supplicant" - -S = "${WORKDIR}/wpa_supplicant-${PV}" - -PACKAGES_prepend = "wpa-supplicant-passphrase wpa-supplicant-cli " -FILES_wpa-supplicant-passphrase = "${bindir}/wpa_passphrase" -FILES_wpa-supplicant-cli = "${sbindir}/wpa_cli" -FILES_${PN} += "${datadir}/dbus-1/system-services/*" -CONFFILES_${PN} += "${sysconfdir}/wpa_supplicant.conf" - -do_configure () { - ${MAKE} -C wpa_supplicant clean - install -m 0755 ${WORKDIR}/defconfig wpa_supplicant/.config - - if echo "${PACKAGECONFIG}" | grep -qw "openssl"; then - ssl=openssl - elif echo "${PACKAGECONFIG}" | grep -qw "gnutls"; then - ssl=gnutls - fi - if [ -n "$ssl" ]; then - sed -i "s/%ssl%/$ssl/" wpa_supplicant/.config - fi - - # For rebuild - rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d -} - -export EXTRA_CFLAGS = "${CFLAGS}" -export BINDIR = "${sbindir}" - -do_compile () { - unset CFLAGS CPPFLAGS CXXFLAGS - sed -e "s:CFLAGS\ =.*:& \$(EXTRA_CFLAGS):g" -i ${S}/src/lib.rules - oe_runmake -C wpa_supplicant -} - -do_install () { - install -d ${D}${sbindir} - install -m 755 wpa_supplicant/wpa_supplicant ${D}${sbindir} - install -m 755 wpa_supplicant/wpa_cli ${D}${sbindir} - - install -d ${D}${bindir} - install -m 755 wpa_supplicant/wpa_passphrase ${D}${bindir} - - install -d ${D}${docdir}/wpa_supplicant - install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant - - install -d ${D}${sysconfdir} - install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf - - install -d ${D}${sysconfdir}/network/if-pre-up.d/ - install -d ${D}${sysconfdir}/network/if-post-down.d/ - install -d ${D}${sysconfdir}/network/if-down.d/ - install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant - cd ${D}${sysconfdir}/network/ && \ - ln -sf ../if-pre-up.d/wpa-supplicant if-post-down.d/wpa-supplicant - - install -d ${D}/${sysconfdir}/dbus-1/system.d - install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d - install -d ${D}/${datadir}/dbus-1/system-services - install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services - - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}/${systemd_unitdir}/system - install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_unitdir}/system - fi - - install -d ${D}/etc/default/volatiles - install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles -} - -pkg_postinst_wpa-supplicant () { - # If we're offline, we don't need to do this. - if [ "x$D" = "x" ]; then - killall -q -HUP dbus-daemon || true - fi - -} |