authorLaurent Bercot <ska-skaware@skarnet.org>2017-05-22 21:56:04 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2017-05-22 21:56:04 +0000
commit82d0f92ab8b84466ae20ab919c1f9c3577b5cecb (patch)
tree776015ae6c6a386125b2d39e13b62f91b99548f8 /sub/dropbear
Initial commit
Diffstat (limited to 'sub/dropbear')
-rw-r--r--sub/dropbear/Makefile41
-rw-r--r--sub/dropbear/Makefile.sftp-server107
-rw-r--r--sub/dropbear/options.patch66
3 files changed, 214 insertions, 0 deletions
diff --git a/sub/dropbear/Makefile b/sub/dropbear/Makefile
new file mode 100644
index 0000000..9eecc65
--- /dev/null
+++ b/sub/dropbear/Makefile
@@ -0,0 +1,41 @@
+include sub/dropbear/Makefile.sftp-server
+
+DROPBEAR_VERSION ?= 2017.75
+
+
+clean-dropbear:
+ rm -f $(OUTPUT)/build-host/.lh_dropbear_*
+
+
+$(OUTPUT)/sources/dropbear-$(DROPBEAR_VERSION).tar.bz2: | $(OUTPUT)/tmp/.lh_prepared $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/sources wget https://dropbear.nl/mirror/dropbear-$(DROPBEAR_VERSION).tar.bz2
+
+$(OUTPUT)/build-host/.lh_dropbear_dled: $(OUTPUT)/sources/dropbear-$(DROPBEAR_VERSION).tar.bz2 | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_dropbear_copied: $(OUTPUT)/build-host/.lh_dropbear_dled | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) s6-rmrf $(OUTPUT)/build-host/dropbear-$(DROPBEAR_VERSION)
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host tar jxpvf $(OUTPUT)/sources/dropbear-$(DROPBEAR_VERSION).tar.bz2
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_dropbear_patched: $(OUTPUT)/build-host/.lh_dropbear_copied
+ if test \! -r "$@"; then exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host/dropbear-$(DROPBEAR_VERSION) redirfd -r 0 $(WD)/sub/dropbear/options.patch patch -p0; fi
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_dropbear_configured: $(OUTPUT)/build-host/.lh_dropbear_patched $(OUTPUT)/build-host/bin/muslgcc | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host/dropbear-$(DROPBEAR_VERSION) export ARCH $(KERNEL_ARCH) export CC $(TRIPLE)-muslgcc export LDFLAGS '-s -static' ./configure --host=$(TRIPLE) --prefix=/opt/dropbear-$(DROPBEAR_VERSION) --disable-syslog --disable-lastlog --disable-utmp --disable-utmpx --disable-wtmp --disable-wtmpx --disable-pututline --disable-pututxline --without-pam --enable-bundled-libtom --disable-zlib
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_dropbear_built: $(OUTPUT)/build-host/.lh_dropbear_configured $(OUTPUT)/build-host/bin/muslgcc | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host/dropbear-$(DROPBEAR_VERSION) export PROGRAMS "dropbear dbclient dropbearkey dropbearconvert scp" $(MAKE) STATIC=1 ARCH=$(KERNEL_ARCH)
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_dropbear_installed: $(OUTPUT)/build-host/.lh_dropbear_built $(OUTPUT)/build-host/$(OPENSSH_NAME)-$(OPENSSH_VERSION)/sftp-server $(OUTPUT)/build-host/bin/muslgcc | $(OUTPUT)/tmp/.lh_prepared $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec cd $(OUTPUT)/build-host/dropbear-$(DROPBEAR_VERSION) $(MAKE) install DESTDIR=$(OUTPUT)/rootfs
+ exec makenamelink $(OUTPUT)/rootfs/opt dropbear dropbear-$(DROPBEAR_VERSION) $(OUTPUT)/tmp
+ exec cp -f $(OUTPUT)/build-host/dropbear-$(DROPBEAR_VERSION)/scp $(OUTPUT)/rootfs/opt/dropbear-$(DROPBEAR_VERSION)/bin/scp
+ exec makelinks $(OUTPUT)/rootfs /bin /opt/dropbear/bin
+ exec makelinks $(OUTPUT)/rootfs /bin /opt/dropbear/sbin
+ # The following line happens after the makelinks on purpose: we don't want the sftp-server binary to be exported to /bin
+ exec cp -f $(OUTPUT)/build-host/$(OPENSSH_NAME)-$(OPENSSH_VERSION)/sftp-server $(OUTPUT)/rootfs/opt/dropbear-$(DROPBEAR_VERSION)/bin/sftp-server
+ exec setuidgid $(NORMALUSER) s6-touch $@
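Review bot: The dropbear tarball is fetched with `wget` and `.lh_dropbear_dled` is touched without any integrity check, so whatever the mirror returns is unpacked, built, and then installed by a `$(MAKE) install` line that is not wrapped in `setuidgid $(NORMALUSER)`. Pin a digest next to the version, e.g. `DROPBEAR_SHA256 := <sha256-of-release-tarball>`, and have the `.lh_dropbear_dled` rule verify it before touching the stamp, e.g. `cd $(OUTPUT)/sources && echo "$(DROPBEAR_SHA256)  dropbear-$(DROPBEAR_VERSION).tar.bz2" | sha256sum -c -`. The zlib, LibreSSL and OpenSSH download rules in `Makefile.sftp-server` have the same gap, and the zlib and OpenSSH URLs there are plain `http://`, so those need the check most. Because `DROPBEAR_VERSION` is assigned with `?=`, the digest has to be overridable together with it.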
diff --git a/sub/dropbear/Makefile.sftp-server b/sub/dropbear/Makefile.sftp-server
new file mode 100644
index 0000000..aa10735
--- /dev/null
+++ b/sub/dropbear/Makefile.sftp-server
@@ -0,0 +1,107 @@
+
+ZLIB_VERSION := 1.2.11
+
+$(OUTPUT)/sources/zlib-$(ZLIB_VERSION).tar.gz: | $(OUTPUT)/tmp/.lh_prepared $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/sources wget http://zlib.net/zlib-$(ZLIB_VERSION).tar.gz
+
+$(OUTPUT)/sources/.lh_zlib_dled: $(OUTPUT)/sources/zlib-$(ZLIB_VERSION).tar.gz
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_zlib_copied: $(OUTPUT)/sources/.lh_zlib_dled $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) s6-rmrf $(OUTPUT)/build-host/zlib-$(ZLIB_VERSION)
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host tar zxpvf $(OUTPUT)/sources/zlib-$(ZLIB_VERSION).tar.gz
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_zlib_configured: $(OUTPUT)/build-host/.lh_zlib_copied $(OUTPUT)/build-host/bin/muslgcc | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host/zlib-$(ZLIB_VERSION) export CHOST $(TRIPLE) ./configure --prefix=/opt/zlib-$(ZLIB_VERSION) --static
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_zlib_built: $(OUTPUT)/build-host/.lh_zlib_configured $(OUTPUT)/build-host/bin/muslgcc | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host/zlib-$(ZLIB_VERSION) $(MAKE) CHOST=$(TRIPLE) CC=$(TRIPLE)-muslgcc
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_zlib_installed: $(OUTPUT)/build-host/.lh_zlib_built $(OUTPUT)/build-host/bin/muslgcc | $(OUTPUT)/tmp/.lh_prepared $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec cd $(OUTPUT)/build-host/zlib-$(ZLIB_VERSION) $(MAKE) install CHOST=$(TRIPLE) CC=$(TRIPLE)-muslgcc DESTDIR=$(OUTPUT)/build-host
+ exec makenamelink $(OUTPUT)/build-host/opt zlib zlib-$(ZLIB_VERSION) $(OUTPUT)/tmp
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+
+LIBRESSL_NAME := libressl
+LIBRESSL_VERSION := 2.5.4
+LIBRESSL_URLDIR := https://ftp.openbsd.org/pub/OpenBSD/LibreSSL
+LIBRESSL_TAREXT := tar.gz
+LIBRESSL_TARLETTER := z
+LIBRESSL_CONFIGURE_OPTIONS := --enable-extratests --disable-shared --enable-static --with-gnu-ld
+LIBRESSL_CFLAGS := ""
+LIBRESSL_CONFLDFLAGS := "-s -static"
+LIBRESSL_MAKELDFLAGS := "-s -all-static"
+
+$(OUTPUT)/sources/$(LIBRESSL_NAME)-$(LIBRESSL_VERSION).$(LIBRESSL_TAREXT): | $(OUTPUT)/tmp/.lh_prepared $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/sources wget $(LIBRESSL_URLDIR)/$(LIBRESSL_NAME)-$(LIBRESSL_VERSION).$(LIBRESSL_TAREXT)
+
+$(OUTPUT)/sources/.lh_$(LIBRESSL_NAME)_dled: $(OUTPUT)/sources/$(LIBRESSL_NAME)-$(LIBRESSL_VERSION).$(LIBRESSL_TAREXT) | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_$(LIBRESSL_NAME)_copied: $(OUTPUT)/sources/.lh_$(LIBRESSL_NAME)_dled | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) s6-rmrf $(OUTPUT)/build-host/$(LIBRESSL_NAME)-$(LIBRESSL_VERSION)
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host tar $(LIBRESSL_TARLETTER)xpvf $(OUTPUT)/sources/$(LIBRESSL_NAME)-$(LIBRESSL_VERSION).$(LIBRESSL_TAREXT)
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_$(LIBRESSL_NAME)_configured: $(OUTPUT)/build-host/.lh_$(LIBRESSL_NAME)_copied $(OUTPUT)/build-host/.lh_zlib_installed $(OUTPUT)/build-host/bin/muslgcc | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host/$(LIBRESSL_NAME)-$(LIBRESSL_VERSION) export CFLAGS $(LIBRESSL_CFLAGS) export LDFLAGS $(LIBRESSL_CONFLDFLAGS) export CC muslgcc ./configure --host=$(TRIPLE) --prefix=/opt/$(LIBRESSL_NAME)-$(LIBRESSL_VERSION) $(LIBRESSL_CONFIGURE_OPTIONS)
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_$(LIBRESSL_NAME)_built: $(OUTPUT)/build-host/.lh_$(LIBRESSL_NAME)_configured $(OUTPUT)/build-host/bin/muslgcc | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host/$(LIBRESSL_NAME)-$(LIBRESSL_VERSION) $(MAKE) LDFLAGS=$(LIBRESSL_MAKELDFLAGS) CC=muslgcc
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_$(LIBRESSL_NAME)_installed: $(OUTPUT)/build-host/.lh_$(LIBRESSL_NAME)_built $(OUTPUT)/build-host/bin/muslgcc | $(OUTPUT)/tmp/.lh_prepared $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec cd $(OUTPUT)/build-host/$(LIBRESSL_NAME)-$(LIBRESSL_VERSION) $(MAKE) install DESTDIR=$(OUTPUT)/build-host
+ exec makenamelink $(OUTPUT)/build-host/opt $(LIBRESSL_NAME) $(LIBRESSL_NAME)-$(LIBRESSL_VERSION) $(OUTPUT)/tmp
+ exec makelinks $(OUTPUT)/build-host /bin /opt/$(LIBRESSL_NAME)/bin
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+
+OPENSSH_NAME := openssh
+OPENSSH_VERSION := 7.5p1
+OPENSSH_URLDIR := http://ftp2.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable
+OPENSSH_TAREXT := tar.gz
+OPENSSH_TARLETTER := z
+OPENSSH_CONFIGURE_OPTIONS := \
+ --disable-etc-default-login \
+ --disable-lastlog \
+ --disable-utmp \
+ --disable-utmpx \
+ --disable-wtmp \
+ --disable-wtmpx \
+ --disable-libutil \
+ --disable-pututline \
+ --disable-pututxline \
+ --without-rpath \
+ --without-pie \
+ --with-ssl-dir=$(OUTPUT)/build-host/opt/libressl \
+ --with-cflags="-I$(OUTPUT)/build-host/opt/zlib/include -I$(OUTPUT)/build-host/opt/libressl/include" \
+ --with-ldflags="-s -static -L$(OUTPUT)/build-host/opt/zlib/lib -L$(OUTPUT)/build-host/opt/libressl/lib"
+ --with-privsep-user=65534 \
+ --with-sandbox=rlimit \
+ --with-mantype=cat \
+ --with-md5-passwords
+
+
+$(OUTPUT)/sources/$(OPENSSH_NAME)-$(OPENSSH_VERSION).$(OPENSSH_TAREXT): | $(OUTPUT)/tmp/.lh_prepared $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/sources wget $(OPENSSH_URLDIR)/$(OPENSSH_NAME)-$(OPENSSH_VERSION).$(OPENSSH_TAREXT)
+
+$(OUTPUT)/sources/.lh_$(OPENSSH_NAME)_dled: $(OUTPUT)/sources/$(OPENSSH_NAME)-$(OPENSSH_VERSION).$(OPENSSH_TAREXT) | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_$(OPENSSH_NAME)_copied: $(OUTPUT)/sources/.lh_$(OPENSSH_NAME)_dled | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) s6-rmrf $(OUTPUT)/build-host/$(OPENSSH_NAME)-$(OPENSSH_VERSION)
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host tar $(OPENSSH_TARLETTER)xpvf $(OUTPUT)/sources/$(OPENSSH_NAME)-$(OPENSSH_VERSION).$(OPENSSH_TAREXT)
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/.lh_$(OPENSSH_NAME)_configured: $(OUTPUT)/build-host/.lh_$(OPENSSH_NAME)_copied $(OUTPUT)/build-host/.lh_zlib_installed $(OUTPUT)/build-host/.lh_$(LIBRESSL_NAME)_installed $(OUTPUT)/build-host/bin/muslgcc | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host/$(OPENSSH_NAME)-$(OPENSSH_VERSION) export CC "muslgcc -I$(OUTPUT)/build-host/opt/zlib/include -I$(OUTPUT)/build-host/opt/libressl/include -L$(OUTPUT)/build-host/opt/zlib/lib -L$(OUTPUT)/build-host/opt/libressl/lib -s -static" ./configure --host=$(TRIPLE) --prefix=/opt/$(OPENSSH_NAME)-$(OPENSSH_VERSION) $(OPENSSH_CONFIGURE_OPTIONS)
+ exec setuidgid $(NORMALUSER) s6-touch $@
+
+$(OUTPUT)/build-host/$(OPENSSH_NAME)-$(OPENSSH_VERSION)/sftp-server: $(OUTPUT)/build-host/.lh_$(OPENSSH_NAME)_configured $(OUTPUT)/build-host/bin/muslgcc | $(OUTPUT)/build-build/.lh_skarnet_installed
+ exec setuidgid $(NORMALUSER) cd $(OUTPUT)/build-host/$(OPENSSH_NAME)-$(OPENSSH_VERSION) $(MAKE) sftp-server CC=muslgcc
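Review bot: `OPENSSH_CONFIGURE_OPTIONS` ends at the `--with-ldflags=...` line because that line has no trailing `\`, so `--with-privsep-user=65534`, `--with-sandbox=rlimit`, `--with-mantype=cat` and `--with-md5-passwords` never reach `./configure` in the `.lh_$(OPENSSH_NAME)_configured` rule. Depending on how those four lines are indented in the file (not recoverable from this page), make will either reject them or treat them as stray recipe text. Add the continuation: `--with-ldflags="-s -static -L$(OUTPUT)/build-host/opt/zlib/lib -L$(OUTPUT)/build-host/opt/libressl/lib" \`. Only the `sftp-server` target is built from this tree, so the effect of the dropped options is probably small, but the intended and the actual configuration should match.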
diff --git a/sub/dropbear/options.patch b/sub/dropbear/options.patch
new file mode 100644
index 0000000..6e653d1
--- /dev/null
+++ b/sub/dropbear/options.patch
@@ -0,0 +1,66 @@
+--- options.h.old
++++ options.h
+@@ -40,7 +40,7 @@
+ *
+ * Both of these flags can be defined at once, don't compile without at least
+ * one of them. */
+-#define NON_INETD_MODE
++/* #define NON_INETD_MODE */
+ #define INETD_MODE
+
+ /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
+@@ -52,10 +52,10 @@
+ several kB in binary size however will make the symmetrical ciphers and hashes
+ slower, perhaps by 50%. Recommended for small systems that aren't doing
+ much traffic. */
+-#define DROPBEAR_SMALL_CODE
++/* #define DROPBEAR_SMALL_CODE */
+
+ /* Enable X11 Forwarding - server only */
+-#define ENABLE_X11FWD
++/* #define ENABLE_X11FWD */
+
+ /* Enable TCP Fowarding */
+ /* 'Local' is "-L" style (client listening port forwarded via server)
+@@ -157,7 +157,7 @@
+ with badly seeded /dev/urandom when systems first boot.
+ This also requires a runtime flag "-R". This adds ~4kB to binary size (or hardly
+ anything if dropbearkey is linked in a "dropbearmulti" binary) */
+-#define DROPBEAR_DELAY_HOSTKEY
++/* #define DROPBEAR_DELAY_HOSTKEY */
+
+ /* Enable Curve25519 for key exchange. This is another elliptic
+ * curve method with good security properties. Increases binary size
+@@ -244,7 +244,7 @@
+ * specified in the SSH_ASKPASS environment variable, and dbclient
+ * should be run with DISPLAY set and no tty. The program should
+ * return the password on standard output */
+-/*#define ENABLE_CLI_ASKPASS_HELPER*/
++#define ENABLE_CLI_ASKPASS_HELPER
+
+ /* Save a network roundtrip by sendng a real auth request immediately after
+ * sending a query for the available methods. It is at the expense of < 100
+@@ -295,12 +295,12 @@
+ * OpenSSH), set the path below. If the path isn't defined, sftp will not
+ * be enabled */
+ #ifndef SFTPSERVER_PATH
+-#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
++#define SFTPSERVER_PATH "/opt/dropbear/bin/sftp-server"
+ #endif
+
+ /* This is used by the scp binary when used as a client binary. If you're
+ * not using the Dropbear client, you'll need to change it */
+-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
++#define DROPBEAR_PATH_SSH_PROGRAM "/bin/dbclient"
+
+ /* Whether to log commands executed by a client. This only logs the
+ * (single) command sent to the server, not what a user did in a
+@@ -342,7 +342,7 @@
+ #define DEFAULT_IDLE_TIMEOUT 0
+
+ /* The default path. This will often get replaced by the shell */
+-#define DEFAULT_PATH "/usr/bin:/bin"
++#define DEFAULT_PATH "/command:/bin"
+
+ /* Some other defines (that mostly should be left alone) are defined
+ * in sysoptions.h */
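Review bot: The patch turns on `ENABLE_CLI_ASKPASS_HELPER`, which upstream ships commented out, and nothing in the commit says why; per the quoted upstream comment this makes `dbclient` run the program named in `SSH_ASKPASS` when `DISPLAY` is set and there is no tty. If it is needed, state the reason in a leading line of `options.patch` (and likewise for the other flipped options); otherwise keep the upstream default. The hunks are also tied to the 2017.75 line offsets of `options.h`, while `DROPBEAR_VERSION` in `sub/dropbear/Makefile` is `?=` and can be overridden, so an override may make `patch -p0` fail or apply with fuzz. A header line such as `options.h changes for dropbear 2017.75; regenerate when DROPBEAR_VERSION changes` would record that coupling.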