dropbear: new feature: disable-weak-ciphers

Enhances dropbear with a new feature "disable-weak-ciphers", on by default. This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers in the dropbear ssh server and client. Disable this feature if you need to connect to the ssh server from older clients. Additional customization can be done with local_options.h as usual. Tested: On dropbear_2019.78. Upstream-Status: Inappropriate [configuration] (From OE-Core rev: b11521ce1b1d1f8b4dddf830b41f5ea809730d22) Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joseph Reynolds <jrey@linux.ibm.com> 2019-06-20 16:29:15 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-06-21 15:32:36 +0100
commit: d52b1dfc1baac551350617bd683e8978bfae11c0 (patch)
tree: bc4b875c49ea642d44b605f6c001240bc5941d37 /meta/recipes-core/dropbear
parent: d4d8e851062ce5cc43bfe1cc65df4343b6572bfa (diff)
download: poky-d52b1dfc1baac551350617bd683e8978bfae11c0.tar.gz
2 files changed, 48 insertions, 2 deletions
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index b74d186cd4..dcbda741c3 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -20,7 +20,8 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
           file://dropbear@.service \
           file://dropbear.socket \
           file://dropbear.default \
-           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} "
+           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
               file://0006-dropbear-configuration-file.patch \
@@ -46,8 +47,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
 BINCOMMANDS = "dbclient ssh scp"
 EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
-PACKAGECONFIG ?= ""
+PACKAGECONFIG ?= "disable-weak-ciphers"
 PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
+PACKAGECONFIG[disable-weak-ciphers] = ""
 EXTRA_OECONF += "\
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
new file mode 100644
index 0000000000..e48a34bac0
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@@ -0,0 +1,44 @@
+This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers 
+in the dropbear ssh server and client since they're considered weak ciphers
+and we want to support the stong algorithms.
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
+Index: dropbear-2019.78/default_options.h
+===================================================================
+--- dropbear-2019.78.orig/default_options.h
+++ dropbear-2019.78/default_options.h
+@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE 1
+#define DROPBEAR_ENABLE_CBC_MODE 0
+ 
+ /* Enable "Counter Mode" for ciphers. This is more secure than
+  * CBC mode against certain attacks. It is recommended for security
+@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma
+ /* Message integrity. sha2-256 is recommended as a default, 
+    sha1 for compatibility */
+ #define DROPBEAR_SHA1_HMAC 1
+-#define DROPBEAR_SHA1_96_HMAC 1
+#define DROPBEAR_SHA1_96_HMAC 0
+ #define DROPBEAR_SHA2_256_HMAC 1
+ 
+ /* Hostkey/public key algorithms - at least one required, these are used
+@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma
+  * Small systems should generally include either curve25519 or ecdh for performance.
+  * curve25519 is less widely supported but is faster
+  */ 
+-#define DROPBEAR_DH_GROUP14_SHA1 1
+#define DROPBEAR_DH_GROUP14_SHA1 0
+ #define DROPBEAR_DH_GROUP14_SHA256 1
+ #define DROPBEAR_DH_GROUP16 0
+ #define DROPBEAR_CURVE25519 1
+ #define DROPBEAR_ECDH 1
+-#define DROPBEAR_DH_GROUP1 1
+#define DROPBEAR_DH_GROUP1 0
+ 
+ /* When group1 is enabled it will only be allowed by Dropbear client
+ not as a server, due to concerns over its strength. Set to 0 to allow
author	Joseph Reynolds <jrey@linux.ibm.com>	2019-06-20 16:29:15 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-06-21 15:32:36 +0100
commit	d52b1dfc1baac551350617bd683e8978bfae11c0 (patch)
tree	bc4b875c49ea642d44b605f6c001240bc5941d37 /meta/recipes-core/dropbear
parent	d4d8e851062ce5cc43bfe1cc65df4343b6572bfa (diff)
download	poky-d52b1dfc1baac551350617bd683e8978bfae11c0.tar.gz

diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc index b74d186cd4..dcbda741c3 100644 --- a/meta/recipes-core/dropbear/dropbear.inc +++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -20,7 +20,8 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
20	file://dropbear@.service \	20	file://dropbear@.service \
21	file://dropbear.socket \	21	file://dropbear.socket \
22	file://dropbear.default \	22	file://dropbear.default \
23	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} "	23	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
		24	${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "
24		25
25	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \	26	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
26	file://0006-dropbear-configuration-file.patch \	27	file://0006-dropbear-configuration-file.patch \
@@ -46,8 +47,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
46	BINCOMMANDS = "dbclient ssh scp"	47	BINCOMMANDS = "dbclient ssh scp"
47	EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'	48	EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
48		49
49	PACKAGECONFIG ?= ""	50	PACKAGECONFIG ?= "disable-weak-ciphers"
50	PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"	51	PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
		52	PACKAGECONFIG[disable-weak-ciphers] = ""
51		53
52	EXTRA_OECONF += "\	54	EXTRA_OECONF += "\
53	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"	55	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"


diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch new file mode 100644 index 0000000000..e48a34bac0 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@@ -0,0 +1,44 @@
		1	This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
		2	in the dropbear ssh server and client since they're considered weak ciphers
		3	and we want to support the stong algorithms.
		4
		5	Upstream-Status: Inappropriate [configuration]
		6	Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
		7
		8	Index: dropbear-2019.78/default_options.h
		9	===================================================================
		10	--- dropbear-2019.78.orig/default_options.h
		11	+++ dropbear-2019.78/default_options.h
		12	@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma
		13
		14	/* Enable CBC mode for ciphers. This has security issues though
		15	* is the most compatible with older SSH implementations */
		16	-#define DROPBEAR_ENABLE_CBC_MODE 1
		17	+#define DROPBEAR_ENABLE_CBC_MODE 0
		18
		19	/* Enable "Counter Mode" for ciphers. This is more secure than
		20	* CBC mode against certain attacks. It is recommended for security
		21	@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma
		22	/* Message integrity. sha2-256 is recommended as a default,
		23	sha1 for compatibility */
		24	#define DROPBEAR_SHA1_HMAC 1
		25	-#define DROPBEAR_SHA1_96_HMAC 1
		26	+#define DROPBEAR_SHA1_96_HMAC 0
		27	#define DROPBEAR_SHA2_256_HMAC 1
		28
		29	/* Hostkey/public key algorithms - at least one required, these are used
		30	@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma
		31	* Small systems should generally include either curve25519 or ecdh for performance.
		32	* curve25519 is less widely supported but is faster
		33	*/
		34	-#define DROPBEAR_DH_GROUP14_SHA1 1
		35	+#define DROPBEAR_DH_GROUP14_SHA1 0
		36	#define DROPBEAR_DH_GROUP14_SHA256 1
		37	#define DROPBEAR_DH_GROUP16 0
		38	#define DROPBEAR_CURVE25519 1
		39	#define DROPBEAR_ECDH 1
		40	-#define DROPBEAR_DH_GROUP1 1
		41	+#define DROPBEAR_DH_GROUP1 0
		42
		43	/* When group1 is enabled it will only be allowed by Dropbear client
		44	not as a server, due to concerns over its strength. Set to 0 to allow