1 files changed, 15 insertions, 24 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
index e48a34bac0..b54581f17a 100644
--- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
+++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@@ -1,33 +1,24 @@
-This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers 
+From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001
+From: Joseph Reynolds <joseph.reynolds1@ibm.com>
+Date: Thu, 20 Jun 2019 16:29:15 -0500
+Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
+This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
 in the dropbear ssh server and client since they're considered weak ciphers
 and we want to support the stong algorithms.
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
-Index: dropbear-2019.78/default_options.h
+---
-===================================================================
+ default_options.h | 4 ++--
--- dropbear-2019.78.orig/default_options.h
+ 1 file changed, 2 insertions(+), 2 deletions(-)
-+++ dropbear-2019.78/default_options.h
-@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma
+diff --git a/default_options.h b/default_options.h
- 
+index 1aa2297..7ff1394 100644
- /* Enable CBC mode for ciphers. This has security issues though
+--- a/default_options.h
-  * is the most compatible with older SSH implementations */
+++ b/default_options.h
-#define DROPBEAR_ENABLE_CBC_MODE 1
+@@ -163,12 +163,12 @@ IMPORTANT: Some options will require "make clean" after changes */
-+#define DROPBEAR_ENABLE_CBC_MODE 0
- 
- /* Enable "Counter Mode" for ciphers. This is more secure than
-  * CBC mode against certain attacks. It is recommended for security
-@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma
- /* Message integrity. sha2-256 is recommended as a default, 
-    sha1 for compatibility */
- #define DROPBEAR_SHA1_HMAC 1
-#define DROPBEAR_SHA1_96_HMAC 1
-+#define DROPBEAR_SHA1_96_HMAC 0
- #define DROPBEAR_SHA2_256_HMAC 1
- 
- /* Hostkey/public key algorithms - at least one required, these are used
-@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma
  * Small systems should generally include either curve25519 or ecdh for performance.
  * curve25519 is less widely supported but is faster
  */

diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch index e48a34bac0..b54581f17a 100644 --- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch +++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@@ -1,33 +1,24 @@
1	This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers	1	From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001
		2	From: Joseph Reynolds <joseph.reynolds1@ibm.com>
		3	Date: Thu, 20 Jun 2019 16:29:15 -0500
		4	Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
		5
		6	This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
2	in the dropbear ssh server and client since they're considered weak ciphers	7	in the dropbear ssh server and client since they're considered weak ciphers
3	and we want to support the stong algorithms.	8	and we want to support the stong algorithms.
4		9
5	Upstream-Status: Inappropriate [configuration]	10	Upstream-Status: Inappropriate [configuration]
6	Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>	11	Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
7		12
8	Index: dropbear-2019.78/default_options.h	13	---
9	===================================================================	14	default_options.h \| 4 ++--
10	--- dropbear-2019.78.orig/default_options.h	15	1 file changed, 2 insertions(+), 2 deletions(-)
11	+++ dropbear-2019.78/default_options.h	16
12	@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma	17	diff --git a/default_options.h b/default_options.h
13		18	index 1aa2297..7ff1394 100644
14	/* Enable CBC mode for ciphers. This has security issues though	19	--- a/default_options.h
15	* is the most compatible with older SSH implementations */	20	+++ b/default_options.h
16	-#define DROPBEAR_ENABLE_CBC_MODE 1	21	@@ -163,12 +163,12 @@ IMPORTANT: Some options will require "make clean" after changes */
17	+#define DROPBEAR_ENABLE_CBC_MODE 0
18
19	/* Enable "Counter Mode" for ciphers. This is more secure than
20	* CBC mode against certain attacks. It is recommended for security
21	@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma
22	/* Message integrity. sha2-256 is recommended as a default,
23	sha1 for compatibility */
24	#define DROPBEAR_SHA1_HMAC 1
25	-#define DROPBEAR_SHA1_96_HMAC 1
26	+#define DROPBEAR_SHA1_96_HMAC 0
27	#define DROPBEAR_SHA2_256_HMAC 1
28
29	/* Hostkey/public key algorithms - at least one required, these are used
30	@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma
31	* Small systems should generally include either curve25519 or ecdh for performance.	22	* Small systems should generally include either curve25519 or ecdh for performance.
32	* curve25519 is less widely supported but is faster	23	* curve25519 is less widely supported but is faster
33	*/	24	*/