diff options
Diffstat (limited to 'meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch')
| -rw-r--r-- | meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch | 49 |
1 files changed, 18 insertions, 31 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch index e48a34bac0..f998caa255 100644 --- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch +++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch @@ -1,44 +1,31 @@ -This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers +From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001 +From: Joseph Reynolds <joseph.reynolds1@ibm.com> +Date: Thu, 20 Jun 2019 16:29:15 -0500 +Subject: [PATCH] dropbear: new feature: disable-weak-ciphers + +This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers in the dropbear ssh server and client since they're considered weak ciphers and we want to support the stong algorithms. Upstream-Status: Inappropriate [configuration] Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com> +--- + src/default_options.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) -Index: dropbear-2019.78/default_options.h -=================================================================== ---- dropbear-2019.78.orig/default_options.h -+++ dropbear-2019.78/default_options.h -@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma - - /* Enable CBC mode for ciphers. This has security issues though - * is the most compatible with older SSH implementations */ --#define DROPBEAR_ENABLE_CBC_MODE 1 -+#define DROPBEAR_ENABLE_CBC_MODE 0 - - /* Enable "Counter Mode" for ciphers. This is more secure than - * CBC mode against certain attacks. It is recommended for security -@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma - /* Message integrity. sha2-256 is recommended as a default, - sha1 for compatibility */ - #define DROPBEAR_SHA1_HMAC 1 --#define DROPBEAR_SHA1_96_HMAC 1 -+#define DROPBEAR_SHA1_96_HMAC 0 - #define DROPBEAR_SHA2_256_HMAC 1 - - /* Hostkey/public key algorithms - at least one required, these are used -@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma +diff --git a/src/default_options.h b/src/default_options.h +index d417588..bc5200f 100644 +--- a/src/default_options.h ++++ b/src/default_options.h +@@ -180,7 +180,7 @@ IMPORTANT: Some options will require "make clean" after changes */ * Small systems should generally include either curve25519 or ecdh for performance. * curve25519 is less widely supported but is faster - */ + */ -#define DROPBEAR_DH_GROUP14_SHA1 1 +#define DROPBEAR_DH_GROUP14_SHA1 0 #define DROPBEAR_DH_GROUP14_SHA256 1 #define DROPBEAR_DH_GROUP16 0 #define DROPBEAR_CURVE25519 1 - #define DROPBEAR_ECDH 1 --#define DROPBEAR_DH_GROUP1 1 -+#define DROPBEAR_DH_GROUP1 0 - - /* When group1 is enabled it will only be allowed by Dropbear client - not as a server, due to concerns over its strength. Set to 0 to allow +-- +2.25.1 + |