Diffstat (limited to 'meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch')
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch | 44 |
1 files changed, 44 insertions, 0 deletions
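--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@@ -0,0 +1,44 @@
+This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
+in the dropbear ssh server and client since they're considered weak ciphers
+and we want to support the stong algorithms.
+
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
+
+Index: dropbear-2019.78/default_options.h
+===================================================================
+--- dropbear-2019.78.orig/default_options.h
++++ dropbear-2019.78/default_options.h
+@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma
+
+/* Enable CBC mode for ciphers. This has security issues though
+* is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE 1
++#define DROPBEAR_ENABLE_CBC_MODE 0
+
+/* Enable "Counter Mode" for ciphers. This is more secure than
+* CBC mode against certain attacks. It is recommended for security
+@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma
+/* Message integrity. sha2-256 is recommended as a default,
+sha1 for compatibility */
+#define DROPBEAR_SHA1_HMAC 1
+-#define DROPBEAR_SHA1_96_HMAC 1
++#define DROPBEAR_SHA1_96_HMAC 0
+#define DROPBEAR_SHA2_256_HMAC 1
+
+/* Hostkey/public key algorithms - at least one required, these are used
+@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma
+* Small systems should generally include either curve25519 or ecdh for performance.
+* curve25519 is less widely supported but is faster
+*/
+-#define DROPBEAR_DH_GROUP14_SHA1 1
++#define DROPBEAR_DH_GROUP14_SHA1 0
+#define DROPBEAR_DH_GROUP14_SHA256 1
+#define DROPBEAR_DH_GROUP16 0
+#define DROPBEAR_CURVE25519 1
+#define DROPBEAR_ECDH 1
+-#define DROPBEAR_DH_GROUP1 1
++#define DROPBEAR_DH_GROUP1 0
+
+/* When group1 is enabled it will only be allowed by Dropbear client
+not as a server, due to concerns over its strength. Set to 0 to allow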
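Review bot: The header text claims the patch disables all SHA1 algorithms, but the `@@ -101` hunk leaves `#define DROPBEAR_SHA1_HMAC 1` untouched, so `hmac-sha1` remains negotiable by both the server and the client; only the truncated `hmac-sha1-96` MAC is actually removed. Either change that line to `#define DROPBEAR_SHA1_HMAC 0` (accepting that peers which offer only hmac-sha1 will no longer connect) or reword the description to say that hmac-sha1-96 is dropped while hmac-sha1 is kept for compatibility, so the recipe does not advertise a stronger policy than it enforces. The description also labels the MAC and key-exchange options as "ciphers" and contains the typo "stong"; wording such as `Disable CBC cipher modes, the hmac-sha1-96 MAC, and the SHA-1 and group1 Diffie-Hellman key-exchange methods in the dropbear server and client, since they are considered weak, keeping only the stronger algorithms.` would describe the three hunks accurately. Since the change is marked `Upstream-Status: Inappropriate [configuration]` and is pinned to dropbear-2019.78 line numbers, it may be easier to maintain as a `localoptions.h` shipped by the recipe, which dropbear reads to override `default_options.h` (worth confirming for this release), instead of a patch that has to be refreshed on every version bump.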