* [PATCH] dropbear: new feature: disable-weak-ciphers
@ 2019-06-20 21:29 Joseph Reynolds
2019-06-20 23:00 ` ✗ patchtest: failure for " Patchwork
2019-06-21 9:21 ` [PATCH] " Richard Purdie
0 siblings, 2 replies; 3+ messages in thread
From: Joseph Reynolds @ 2019-06-20 21:29 UTC (permalink / raw)
To: openembedded-core
dropbear: new feature: disable-weak-ciphers
Enhances dropbear with a new feature "disable-weak-ciphers", on by
default.
This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
in
the dropbear ssh server and client.
Disable this feature if you need to connect to the ssh server from older
clients. Additional customization can be done with local_options.h as
usual.
Tested: On dropbear_2019.78.
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
---
meta/recipes-core/dropbear/dropbear.inc | 6 ++--
.../dropbear/dropbear-disable-weak-ciphers.patch | 37
++++++++++++++++++++++
2 files changed, 41 insertions(+), 2 deletions(-)
create mode 100644
meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
diff --git a/meta/recipes-core/dropbear/dropbear.inc
b/meta/recipes-core/dropbear/dropbear.inc
index b74d186..dcbda74 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -20,7 +20,8 @@ SRC_URI =
"http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
file://dropbear@.service \
file://dropbear.socket \
file://dropbear.default \
- ${@bb.utils.contains('DISTRO_FEATURES', 'pam',
'${PAM_SRC_URI}', '', d)} "
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam',
'${PAM_SRC_URI}', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG',
'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch',
'', d)} "
PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
file://0006-dropbear-configuration-file.patch \
@@ -46,8 +47,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
BINCOMMANDS = "dbclient ssh scp"
EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS}
${BINCOMMANDS}"'
-PACKAGECONFIG ?= ""
+PACKAGECONFIG ?= "disable-weak-ciphers"
PACKAGECONFIG[system-libtom] =
"--disable-bundled-libtom,--enable-bundled-libtom,libtommath
libtomcrypt"
+PACKAGECONFIG[disable-weak-ciphers] = ""
EXTRA_OECONF += "\
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam',
'--disable-pam', d)}"
diff --git
a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
new file mode 100644
index 0000000..764aebd
--- /dev/null
+++
b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@@ -0,0 +1,37 @@
+diff --git a/default_options.h b/default_options.h
+index 9000fcc..bfb8a8f 100644
+--- a/default_options.h
++++ b/default_options.h
+@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "make clean"
after changes */
+
+ /* Enable CBC mode for ciphers. This has security issues though
+ * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE 1
++#define DROPBEAR_ENABLE_CBC_MODE 0
+
+ /* Enable "Counter Mode" for ciphers. This is more secure than
+ * CBC mode against certain attacks. It is recommended for security
+@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "make clean"
after changes */
+ /* Message integrity. sha2-256 is recommended as a default,
+ sha1 for compatibility */
+ #define DROPBEAR_SHA1_HMAC 1
+-#define DROPBEAR_SHA1_96_HMAC 1
++#define DROPBEAR_SHA1_96_HMAC 0
+ #define DROPBEAR_SHA2_256_HMAC 1
+
+ /* Hostkey/public key algorithms - at least one required, these are
used
+@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "make clean"
after changes */
+ * Small systems should generally include either curve25519 or ecdh
for performance.
+ * curve25519 is less widely supported but is faster
+ */
+-#define DROPBEAR_DH_GROUP14_SHA1 1
++#define DROPBEAR_DH_GROUP14_SHA1 0
+ #define DROPBEAR_DH_GROUP14_SHA256 1
+ #define DROPBEAR_DH_GROUP16 0
+ #define DROPBEAR_CURVE25519 1
+ #define DROPBEAR_ECDH 1
+-#define DROPBEAR_DH_GROUP1 1
++#define DROPBEAR_DH_GROUP1 0
+
+ /* When group1 is enabled it will only be allowed by Dropbear client
+ not as a server, due to concerns over its strength. Set to 0 to allow
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* ✗ patchtest: failure for dropbear: new feature: disable-weak-ciphers
2019-06-20 21:29 [PATCH] dropbear: new feature: disable-weak-ciphers Joseph Reynolds
@ 2019-06-20 23:00 ` Patchwork
2019-06-21 9:21 ` [PATCH] " Richard Purdie
1 sibling, 0 replies; 3+ messages in thread
From: Patchwork @ 2019-06-20 23:00 UTC (permalink / raw)
To: Joseph Reynolds; +Cc: openembedded-core
== Series Details ==
Series: dropbear: new feature: disable-weak-ciphers
Revision: 1
URL : https://patchwork.openembedded.org/series/18278/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue Series cannot be parsed correctly due to malformed diff lines [test_mbox_format]
Suggested fix Create the series again using git-format-patch and ensure it can be applied using git am
Diff line @@ -46,8 +47,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
* Issue Series does not apply on top of target branch [test_series_merge_on_head]
Suggested fix Rebase your series on top of targeted branch
Targeted branch master (currently at 0fdf76305a)
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] dropbear: new feature: disable-weak-ciphers
2019-06-20 21:29 [PATCH] dropbear: new feature: disable-weak-ciphers Joseph Reynolds
2019-06-20 23:00 ` ✗ patchtest: failure for " Patchwork
@ 2019-06-21 9:21 ` Richard Purdie
1 sibling, 0 replies; 3+ messages in thread
From: Richard Purdie @ 2019-06-21 9:21 UTC (permalink / raw)
To: Joseph Reynolds, openembedded-core
On Thu, 2019-06-20 at 16:29 -0500, Joseph Reynolds wrote:
> dropbear: new feature: disable-weak-ciphers
>
> Enhances dropbear with a new feature "disable-weak-ciphers", on by
> default.
> This feature disables all CBC, SHA1, and diffie-hellman group1
> ciphers
> in
> the dropbear ssh server and client.
>
> Disable this feature if you need to connect to the ssh server from
> older
> clients. Additional customization can be done with local_options.h
> as
> usual.
>
> Tested: On dropbear_2019.78.
>
> Upstream-Status: Inappropriate [configuration]
Unfortunately this patch has come through line wrapped. I did manage to
unwrap it and get it to apply, only to find the patch itself within the
patch was broken due to missing whitespace line endings.
Also, the Upstream-Status needs to go in the patch itself along with a
Signed-off-by in the patch.
Since I was most of the way there I've fixed this all up and queued it
in master-next for testing.
Cheers,
Richard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-06-21 9:21 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-06-20 21:29 [PATCH] dropbear: new feature: disable-weak-ciphers Joseph Reynolds
2019-06-20 23:00 ` ✗ patchtest: failure for " Patchwork
2019-06-21 9:21 ` [PATCH] " Richard Purdie
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox