1 files changed, 44 insertions, 0 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
new file mode 100644
index 0000000000..e48a34bac0
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@@ -0,0 +1,44 @@
+This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers 
+in the dropbear ssh server and client since they're considered weak ciphers
+and we want to support the stong algorithms.
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
+Index: dropbear-2019.78/default_options.h
+===================================================================
+--- dropbear-2019.78.orig/default_options.h
+++ dropbear-2019.78/default_options.h
+@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE 1
+#define DROPBEAR_ENABLE_CBC_MODE 0
+ 
+ /* Enable "Counter Mode" for ciphers. This is more secure than
+  * CBC mode against certain attacks. It is recommended for security
+@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma
+ /* Message integrity. sha2-256 is recommended as a default, 
+    sha1 for compatibility */
+ #define DROPBEAR_SHA1_HMAC 1
+-#define DROPBEAR_SHA1_96_HMAC 1
+#define DROPBEAR_SHA1_96_HMAC 0
+ #define DROPBEAR_SHA2_256_HMAC 1
+ 
+ /* Hostkey/public key algorithms - at least one required, these are used
+@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma
+  * Small systems should generally include either curve25519 or ecdh for performance.
+  * curve25519 is less widely supported but is faster
+  */ 
+-#define DROPBEAR_DH_GROUP14_SHA1 1
+#define DROPBEAR_DH_GROUP14_SHA1 0
+ #define DROPBEAR_DH_GROUP14_SHA256 1
+ #define DROPBEAR_DH_GROUP16 0
+ #define DROPBEAR_CURVE25519 1
+ #define DROPBEAR_ECDH 1
+-#define DROPBEAR_DH_GROUP1 1
+#define DROPBEAR_DH_GROUP1 0
+ 
+ /* When group1 is enabled it will only be allowed by Dropbear client
+ not as a server, due to concerns over its strength. Set to 0 to allow

diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch new file mode 100644 index 0000000000..e48a34bac0 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@@ -0,0 +1,44 @@
	1	This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
	2	in the dropbear ssh server and client since they're considered weak ciphers
	3	and we want to support the stong algorithms.
	4
	5	Upstream-Status: Inappropriate [configuration]
	6	Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
	7
	8	Index: dropbear-2019.78/default_options.h
	9	===================================================================
	10	--- dropbear-2019.78.orig/default_options.h
	11	+++ dropbear-2019.78/default_options.h
	12	@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma
	13
	14	/* Enable CBC mode for ciphers. This has security issues though
	15	* is the most compatible with older SSH implementations */
	16	-#define DROPBEAR_ENABLE_CBC_MODE 1
	17	+#define DROPBEAR_ENABLE_CBC_MODE 0
	18
	19	/* Enable "Counter Mode" for ciphers. This is more secure than
	20	* CBC mode against certain attacks. It is recommended for security
	21	@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma
	22	/* Message integrity. sha2-256 is recommended as a default,
	23	sha1 for compatibility */
	24	#define DROPBEAR_SHA1_HMAC 1
	25	-#define DROPBEAR_SHA1_96_HMAC 1
	26	+#define DROPBEAR_SHA1_96_HMAC 0
	27	#define DROPBEAR_SHA2_256_HMAC 1
	28
	29	/* Hostkey/public key algorithms - at least one required, these are used
	30	@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma
	31	* Small systems should generally include either curve25519 or ecdh for performance.
	32	* curve25519 is less widely supported but is faster
	33	*/
	34	-#define DROPBEAR_DH_GROUP14_SHA1 1
	35	+#define DROPBEAR_DH_GROUP14_SHA1 0
	36	#define DROPBEAR_DH_GROUP14_SHA256 1
	37	#define DROPBEAR_DH_GROUP16 0
	38	#define DROPBEAR_CURVE25519 1
	39	#define DROPBEAR_ECDH 1
	40	-#define DROPBEAR_DH_GROUP1 1
	41	+#define DROPBEAR_DH_GROUP1 0
	42
	43	/* When group1 is enabled it will only be allowed by Dropbear client
	44	not as a server, due to concerns over its strength. Set to 0 to allow