From 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf Mon Sep 17 00:00:00 2001 From: takeshi_hoshina Date: Mon, 2 Nov 2020 11:07:33 +0900 Subject: basesystem-jj recipes --- .../dropbear/dropbear-disable-weak-ciphers.patch | 44 ++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 external/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch (limited to 'external/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch') diff --git a/external/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/external/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch new file mode 100644 index 00000000..e48a34ba --- /dev/null +++ b/external/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch @@ -0,0 +1,44 @@ +This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers +in the dropbear ssh server and client since they're considered weak ciphers +and we want to support the stong algorithms. + +Upstream-Status: Inappropriate [configuration] +Signed-off-by: Joseph Reynolds + +Index: dropbear-2019.78/default_options.h +=================================================================== +--- dropbear-2019.78.orig/default_options.h ++++ dropbear-2019.78/default_options.h +@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma + + /* Enable CBC mode for ciphers. This has security issues though + * is the most compatible with older SSH implementations */ +-#define DROPBEAR_ENABLE_CBC_MODE 1 ++#define DROPBEAR_ENABLE_CBC_MODE 0 + + /* Enable "Counter Mode" for ciphers. This is more secure than + * CBC mode against certain attacks. It is recommended for security +@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma + /* Message integrity. sha2-256 is recommended as a default, + sha1 for compatibility */ + #define DROPBEAR_SHA1_HMAC 1 +-#define DROPBEAR_SHA1_96_HMAC 1 ++#define DROPBEAR_SHA1_96_HMAC 0 + #define DROPBEAR_SHA2_256_HMAC 1 + + /* Hostkey/public key algorithms - at least one required, these are used +@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma + * Small systems should generally include either curve25519 or ecdh for performance. + * curve25519 is less widely supported but is faster + */ +-#define DROPBEAR_DH_GROUP14_SHA1 1 ++#define DROPBEAR_DH_GROUP14_SHA1 0 + #define DROPBEAR_DH_GROUP14_SHA256 1 + #define DROPBEAR_DH_GROUP16 0 + #define DROPBEAR_CURVE25519 1 + #define DROPBEAR_ECDH 1 +-#define DROPBEAR_DH_GROUP1 1 ++#define DROPBEAR_DH_GROUP1 0 + + /* When group1 is enabled it will only be allowed by Dropbear client + not as a server, due to concerns over its strength. Set to 0 to allow -- cgit 1.2.3-korg