2 files changed, 48 insertions, 2 deletions
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index b74d186cd4..dcbda741c3 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -20,7 +20,8 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
           file://dropbear@.service \
           file://dropbear.socket \
           file://dropbear.default \
-           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} "
+           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
               file://0006-dropbear-configuration-file.patch \
@@ -46,8 +47,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
 BINCOMMANDS = "dbclient ssh scp"
 EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
-PACKAGECONFIG ?= ""
+PACKAGECONFIG ?= "disable-weak-ciphers"
 PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
+PACKAGECONFIG[disable-weak-ciphers] = ""
 EXTRA_OECONF += "\
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
new file mode 100644
index 0000000000..e48a34bac0
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@@ -0,0 +1,44 @@
+This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers 
+in the dropbear ssh server and client since they're considered weak ciphers
+and we want to support the stong algorithms.
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
+Index: dropbear-2019.78/default_options.h
+===================================================================
+--- dropbear-2019.78.orig/default_options.h
+++ dropbear-2019.78/default_options.h
+@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE 1
+#define DROPBEAR_ENABLE_CBC_MODE 0
+ 
+ /* Enable "Counter Mode" for ciphers. This is more secure than
+  * CBC mode against certain attacks. It is recommended for security
+@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma
+ /* Message integrity. sha2-256 is recommended as a default, 
+    sha1 for compatibility */
+ #define DROPBEAR_SHA1_HMAC 1
+-#define DROPBEAR_SHA1_96_HMAC 1
+#define DROPBEAR_SHA1_96_HMAC 0
+ #define DROPBEAR_SHA2_256_HMAC 1
+ 
+ /* Hostkey/public key algorithms - at least one required, these are used
+@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma
+  * Small systems should generally include either curve25519 or ecdh for performance.
+  * curve25519 is less widely supported but is faster
+  */ 
+-#define DROPBEAR_DH_GROUP14_SHA1 1
+#define DROPBEAR_DH_GROUP14_SHA1 0
+ #define DROPBEAR_DH_GROUP14_SHA256 1
+ #define DROPBEAR_DH_GROUP16 0
+ #define DROPBEAR_CURVE25519 1
+ #define DROPBEAR_ECDH 1
+-#define DROPBEAR_DH_GROUP1 1
+#define DROPBEAR_DH_GROUP1 0
+ 
+ /* When group1 is enabled it will only be allowed by Dropbear client
+ not as a server, due to concerns over its strength. Set to 0 to allow

diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc index b74d186cd4..dcbda741c3 100644 --- a/meta/recipes-core/dropbear/dropbear.inc +++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -20,7 +20,8 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
20	file://dropbear@.service \	20	file://dropbear@.service \
21	file://dropbear.socket \	21	file://dropbear.socket \
22	file://dropbear.default \	22	file://dropbear.default \
23	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} "	23	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
		24	${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "
24		25
25	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \	26	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
26	file://0006-dropbear-configuration-file.patch \	27	file://0006-dropbear-configuration-file.patch \
@@ -46,8 +47,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
46	BINCOMMANDS = "dbclient ssh scp"	47	BINCOMMANDS = "dbclient ssh scp"
47	EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'	48	EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
48		49
49	PACKAGECONFIG ?= ""	50	PACKAGECONFIG ?= "disable-weak-ciphers"
50	PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"	51	PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
		52	PACKAGECONFIG[disable-weak-ciphers] = ""
51		53
52	EXTRA_OECONF += "\	54	EXTRA_OECONF += "\
53	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"	55	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"


diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch new file mode 100644 index 0000000000..e48a34bac0 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@@ -0,0 +1,44 @@
		1	This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
		2	in the dropbear ssh server and client since they're considered weak ciphers
		3	and we want to support the stong algorithms.
		4
		5	Upstream-Status: Inappropriate [configuration]
		6	Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
		7
		8	Index: dropbear-2019.78/default_options.h
		9	===================================================================
		10	--- dropbear-2019.78.orig/default_options.h
		11	+++ dropbear-2019.78/default_options.h
		12	@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma
		13
		14	/* Enable CBC mode for ciphers. This has security issues though
		15	* is the most compatible with older SSH implementations */
		16	-#define DROPBEAR_ENABLE_CBC_MODE 1
		17	+#define DROPBEAR_ENABLE_CBC_MODE 0
		18
		19	/* Enable "Counter Mode" for ciphers. This is more secure than
		20	* CBC mode against certain attacks. It is recommended for security
		21	@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma
		22	/* Message integrity. sha2-256 is recommended as a default,
		23	sha1 for compatibility */
		24	#define DROPBEAR_SHA1_HMAC 1
		25	-#define DROPBEAR_SHA1_96_HMAC 1
		26	+#define DROPBEAR_SHA1_96_HMAC 0
		27	#define DROPBEAR_SHA2_256_HMAC 1
		28
		29	/* Hostkey/public key algorithms - at least one required, these are used
		30	@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma
		31	* Small systems should generally include either curve25519 or ecdh for performance.
		32	* curve25519 is less widely supported but is faster
		33	*/
		34	-#define DROPBEAR_DH_GROUP14_SHA1 1
		35	+#define DROPBEAR_DH_GROUP14_SHA1 0
		36	#define DROPBEAR_DH_GROUP14_SHA256 1
		37	#define DROPBEAR_DH_GROUP16 0
		38	#define DROPBEAR_CURVE25519 1
		39	#define DROPBEAR_ECDH 1
		40	-#define DROPBEAR_DH_GROUP1 1
		41	+#define DROPBEAR_DH_GROUP1 0
		42
		43	/* When group1 is enabled it will only be allowed by Dropbear client
		44	not as a server, due to concerns over its strength. Set to 0 to allow