* [PATCH v2] dropbear: new feature: disable-weak-ciphers
@ 2019-06-28 23:03 Joseph Reynolds
  2019-06-28 23:30 ` ✗ patchtest: failure for dropbear: new feature: disable-weak-ciphers (rev2) Patchwork
  2019-06-30 21:58 ` [PATCH v2] dropbear: new feature: disable-weak-ciphers Richard Purdie
  0 siblings, 2 replies; 4+ messages in thread
From: Joseph Reynolds @ 2019-06-28 23:03 UTC (permalink / raw)
  To: openembedded-core, jrey, joseph.reynolds1

 From 587a9e5c637ad3e70b8e35a3ca66013693ce7ac7 Mon Sep 17 00:00:00 2001
From: Joseph Reynolds <joseph.reynolds1@ibm.com>
Date: Wed, 19 Jun 2019 20:16:40 -0500
Subject: [PATCH v2] dropbear: new feature: disable-weak-ciphers

Enhances dropbear with a new feature "disable-weak-ciphers", on by default.
This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers in
the dropbear ssh server and client.

Disable this feature if you need to connect to the ssh server from older
clients.  Additional customization can be done with local_options.h as 
usual.

Tested: On github.com/openbmc/openbmc using dropbear_2019.78.

Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
---
  meta/recipes-core/dropbear/dropbear.inc            |  6 ++-
  .../0007-dropbear-disable-weak-ciphers.patch       | 57 
++++++++++++++++++++++
  2 files changed, 61 insertions(+), 2 deletions(-)
  create mode 100644 
meta/recipes-core/dropbear/dropbear/0007-dropbear-disable-weak-ciphers.patch

diff --git a/meta/recipes-core/dropbear/dropbear.inc 
b/meta/recipes-core/dropbear/dropbear.inc
index b74d186..a12ddb6 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -20,7 +20,8 @@ SRC_URI = 
"http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
             file://dropbear@.service \
             file://dropbear.socket \
             file://dropbear.default \
-           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 
'${PAM_SRC_URI}', '', d)} "
+           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 
'${PAM_SRC_URI}', '', d)} \
+           ${@bb.utils.contains('PACKAGECONFIG', 
'disable-weak-ciphers', 
'file://0007-dropbear-disable-weak-ciphers.patch', '', d)} "

  PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
                 file://0006-dropbear-configuration-file.patch \
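Review bot: the new `${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://0007-dropbear-disable-weak-ciphers.patch', '', d)}` term is line-wrapped across three physical lines and the `@@ -20,7 +20,8 @@` header itself is split, which is exactly the malformed-diff failure patchtest reports below; resend the output of git format-patch unwrapped (git send-email) so it applies with git am. On the content: tying the patch to PACKAGECONFIG means a distro or bbappend that sets its own PACKAGECONFIG value without listing `disable-weak-ciphers` silently gets upstream's weaker defaults back, which the commit message should spell out.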
@@ -46,8 +47,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
  BINCOMMANDS = "dbclient ssh scp"
  EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} 
${BINCOMMANDS}"'

-PACKAGECONFIG ?= ""
+PACKAGECONFIG ?= "disable-weak-ciphers"
  PACKAGECONFIG[system-libtom] = 
"--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
+PACKAGECONFIG[disable-weak-ciphers] = ""

  EXTRA_OECONF += "\
   ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', 
'--disable-pam', d)}"
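Review bot: `PACKAGECONFIG[disable-weak-ciphers] = ""` carries no configure flag, dependency or rdependency, so the only effect of the flag is the conditional SRC_URI entry in the previous hunk; a short comment beside this line saying so would save the next reader a search. Because `PACKAGECONFIG ?= "disable-weak-ciphers"` is a weak default, anyone who already assigns PACKAGECONFIG (for example to add `system-libtom`) needs to append the new flag to keep the hardening. Also double-check the commit message's reference to `local_options.h`: dropbear's override header is `localoptions.h`, and since this patch edits `default_options.h` rather than shipping a `localoptions.h`, a user's own `localoptions.h` still takes precedence, which is what "as usual" should mean.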
diff --git 
a/meta/recipes-core/dropbear/dropbear/0007-dropbear-disable-weak-ciphers.patch 
b/meta/recipes-core/dropbear/dropbear/0007-dropbear-disable-weak-cip
hers.patch
new file mode 100644
index 0000000..d1f5489
--- /dev/null
+++ 
b/meta/recipes-core/dropbear/dropbear/0007-dropbear-disable-weak-ciphers.patch
@@ -0,0 +1,57 @@
+From ef70b77d5a0e555b5b66502247269da73939a78d Mon Sep 17 00:00:00 2001
+From: Joseph Reynolds <jrey@linux.ibm.com>
+Date: Thu, 27 Jun 2019 16:34:41 -0500
+Subject: [PATCH] disable weak ciphers
+
+Disables all CBC, SHA1, and diffie-hellman group1 ciphers in
+the dropbear ssh server and client.
+
+Tested: via an OpenSSH client with: ssh -vv ${host}
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Joseph Reynolds <jrey@linux.ibm.com>
+---
+ default_options.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/default_options.h b/default_options.h
+index 9000fcc..bfb8a8f 100644
+--- a/default_options.h
++++ b/default_options.h
+@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "make clean" 
after changes */
+
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE 1
++#define DROPBEAR_ENABLE_CBC_MODE 0
+
+ /* Enable "Counter Mode" for ciphers. This is more secure than
+  * CBC mode against certain attacks. It is recommended for security
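Review bot: with `DROPBEAR_ENABLE_CBC_MODE` set to 0 the build needs another block-cipher mode to remain enabled, and the hunk's context stops just before `DROPBEAR_ENABLE_CTR_MODE`; please confirm it stays at 1 (upstream's default), otherwise the server has no AES mode left to offer. The observable check for this hunk, which the `Tested:` line could record, is that the server's `ciphers ctos`/`ciphers stoc` lists in `ssh -vv` output no longer contain any `-cbc` entry.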
+@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "make clean" 
after changes */
+ /* Message integrity. sha2-256 is recommended as a default,
+    sha1 for compatibility */
+ #define DROPBEAR_SHA1_HMAC 1
+-#define DROPBEAR_SHA1_96_HMAC 1
++#define DROPBEAR_SHA1_96_HMAC 0
+ #define DROPBEAR_SHA2_256_HMAC 1
+
+ /* Hostkey/public key algorithms - at least one required, these are used
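Review bot: this hunk does not deliver what the commit message claims. The message says the feature disables all SHA1 algorithms, but the context line `#define DROPBEAR_SHA1_HMAC 1` is left untouched, so `hmac-sha1` is still negotiated; only `hmac-sha1-96` is removed. Either set `DROPBEAR_SHA1_HMAC 0` here as well (`DROPBEAR_SHA2_256_HMAC 1` remains, so at least one MAC survives) or narrow the commit message to say the SHA1-96 MAC and the SHA1-based DH groups.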
+@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "make clean" 
after changes */
+  * Small systems should generally include either curve25519 or ecdh 
for performance.
+  * curve25519 is less widely supported but is faster
+  */
+-#define DROPBEAR_DH_GROUP14_SHA1 1
++#define DROPBEAR_DH_GROUP14_SHA1 0
+ #define DROPBEAR_DH_GROUP14_SHA256 1
+ #define DROPBEAR_DH_GROUP16 0
+ #define DROPBEAR_CURVE25519 1
+ #define DROPBEAR_ECDH 1
+-#define DROPBEAR_DH_GROUP1 1
++#define DROPBEAR_DH_GROUP1 0
+
+ /* When group1 is enabled it will only be allowed by Dropbear client
+ not as a server, due to concerns over its strength. Set to 0 to allow
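Review bot: the `DROPBEAR_DH_GROUP1 0` change mostly affects the dropbear client, not the server: the context comment directly below says group1 is client-only by default, so the server never offered `diffie-hellman-group1-sha1` before this patch either. The server-visible change in this hunk is dropping `DROPBEAR_DH_GROUP14_SHA1`, leaving group14-sha256, curve25519 and ecdh, which is a sound set; say so in the commit message so readers do not expect group1 to appear in a pre-patch `ssh -vv` against the server. `DROPBEAR_DH_GROUP16 0` staying off is reasonable for the small systems this targets.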
+--
+2.7.2
+
-- 
2.7.2
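The `Tested: via an OpenSSH client with: ssh -vv ${host}` line leaves the reader to eyeball several hundred lines of debug output. What follows is an added example for this thread, not code from the patch, from dropbear or from OpenEmbedded: it parses the server's KEXINIT proposal out of `ssh -vv` output and reports any algorithm in the classes this patch targets (CBC ciphers, SHA-1 MACs, SHA-1 finite-field DH). The policy deliberately flags plain `hmac-sha1` as well, which the patch leaves enabled (`DROPBEAR_SHA1_HMAC 1` is unchanged), so a patched server still produces one finding. Both sample outputs are constructed to look like OpenSSH's debug2 lines and are not captures from a real dropbear.

```python
"""Audit the algorithms an SSH server offers, parsed from `ssh -vv` output.

Added example for this thread; not code from the dropbear patch, from
dropbear itself or from OpenEmbedded.
"""
import re

# Name-lists that OpenSSH prints, one per line, after the
# "debug2: peer server KEXINIT proposal" marker.
_NAMELIST_RE = re.compile(
    r"^debug2: (KEX algorithms|host key algorithms|ciphers ctos|ciphers stoc|"
    r"MACs ctos|MACs stoc|compression ctos|compression stoc): (.*)$"
)

# Constructed sample (not a real capture): a server that still offers CBC,
# SHA-1 MACs and SHA-1 DH groups. The client's own proposal comes first and
# must be ignored; only the peer's lists say what the server will negotiate.
SAMPLE_BEFORE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: first_kex_follows 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha1-96,hmac-sha2-256
debug2: MACs stoc: hmac-sha1,hmac-sha1-96,hmac-sha2-256
debug2: compression ctos: zlib@openssh.com,none
debug2: first_kex_follows 0
"""

# Constructed sample of a server built with the patch applied: CBC, SHA1-96
# and the SHA-1 DH groups are gone, but hmac-sha1 is still offered.
SAMPLE_AFTER = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: ciphers ctos: aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256
debug2: MACs stoc: hmac-sha1,hmac-sha2-256
"""


def parse_server_proposal(ssh_debug_output):
    """Return {list_name: [algorithm, ...]} for the server's KEXINIT proposal only."""
    proposal = {}
    in_server = False
    for raw in ssh_debug_output.splitlines():
        line = raw.strip()
        if line.endswith("KEXINIT proposal"):
            # Switch sections; everything until the next marker belongs to it.
            in_server = "peer server" in line
            continue
        if not in_server:
            continue
        m = _NAMELIST_RE.match(line)
        if m:
            proposal[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return proposal


def is_weak(list_name, algorithm):
    """Policy mirroring what the patch sets out to remove."""
    a = algorithm.lower()
    if list_name.startswith("ciphers"):
        return a.endswith("-cbc")
    if list_name.startswith("MACs"):
        # Catches hmac-sha1, hmac-sha1-96 and their -etm@openssh.com variants.
        return a.startswith("hmac-sha1")
    if list_name == "KEX algorithms":
        return a in {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"}
    return False


def weak_offered(ssh_debug_output):
    """Map each server name-list to the weak algorithms it still advertises."""
    findings = {}
    for name, algs in parse_server_proposal(ssh_debug_output).items():
        weak = [a for a in algs if is_weak(name, a)]
        if weak:
            findings[name] = weak
    return findings


if __name__ == "__main__":
    # Real use: ssh -vv user@host exit 2>&1 | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BEFORE
    for name, weak in weak_offered(text).items():
        print(f"{name}: {', '.join(weak)}")
```

Feed it `ssh -vv user@host exit 2>&1` from the client used for testing; an empty report is the pass condition, and on a server built from this patch the only remaining line is the `hmac-sha1` entry in both MAC lists.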




* ✗ patchtest: failure for dropbear: new feature: disable-weak-ciphers (rev2)
  2019-06-28 23:03 [PATCH v2] dropbear: new feature: disable-weak-ciphers Joseph Reynolds
@ 2019-06-28 23:30 ` Patchwork
  2019-06-30 21:58 ` [PATCH v2] dropbear: new feature: disable-weak-ciphers Richard Purdie
  1 sibling, 0 replies; 4+ messages in thread
From: Patchwork @ 2019-06-28 23:30 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: openembedded-core

== Series Details ==

Series: dropbear: new feature: disable-weak-ciphers (rev2)
Revision: 2
URL   : https://patchwork.openembedded.org/series/18278/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series cannot be parsed correctly due to malformed diff lines [test_mbox_format] 
  Suggested fix    Create the series again using git-format-patch and ensure it can be applied using git am
  Diff line        @@ -46,8 +47,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"


* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  master (currently at 148d54f91f)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* Re: [PATCH v2] dropbear: new feature: disable-weak-ciphers
  2019-06-28 23:03 [PATCH v2] dropbear: new feature: disable-weak-ciphers Joseph Reynolds
  2019-06-28 23:30 ` ✗ patchtest: failure for dropbear: new feature: disable-weak-ciphers (rev2) Patchwork
@ 2019-06-30 21:58 ` Richard Purdie
  2019-07-01 18:48   ` Joseph Reynolds
  1 sibling, 1 reply; 4+ messages in thread
From: Richard Purdie @ 2019-06-30 21:58 UTC (permalink / raw)
  To: Joseph Reynolds, openembedded-core, joseph.reynolds1

On Fri, 2019-06-28 at 18:03 -0500, Joseph Reynolds wrote:
>  From 587a9e5c637ad3e70b8e35a3ca66013693ce7ac7 Mon Sep 17 00:00:00
> 2001
> From: Joseph Reynolds <joseph.reynolds1@ibm.com>
> Date: Wed, 19 Jun 2019 20:16:40 -0500
> Subject: [PATCH v2] dropbear: new feature: disable-weak-ciphers
> 
> Enhances dropbear with a new feature "disable-weak-ciphers", on by
> default.
> This feature disables all CBC, SHA1, and diffie-hellman group1
> ciphers in
> the dropbear ssh server and client.
> 
> Disable this feature if you need to connect to the ssh server from
> older
> clients.  Additional customization can be done with local_options.h
> as 
> usual.
> 
> Tested: On github.com/openbmc/openbmc using dropbear_2019.78.
> 
> Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
> ---
>   meta/recipes-core/dropbear/dropbear.inc            |  6 ++-
>   .../0007-dropbear-disable-weak-ciphers.patch       | 57 
> ++++++++++++++++++++++
>   2 files changed, 61 insertions(+), 2 deletions(-)
>   create mode 100644 
> meta/recipes-core/dropbear/dropbear/0007-dropbear-disable-weak-
> ciphers.patch

I merged v1 of this patch previously. What was different in this
version?

Also, the patch was still line wrapped so very hard to apply (had to be
manually fixed).

Cheers,

Richard




* Re: [PATCH v2] dropbear: new feature: disable-weak-ciphers
  2019-06-30 21:58 ` [PATCH v2] dropbear: new feature: disable-weak-ciphers Richard Purdie
@ 2019-07-01 18:48   ` Joseph Reynolds
  0 siblings, 0 replies; 4+ messages in thread
From: Joseph Reynolds @ 2019-07-01 18:48 UTC (permalink / raw)
  To: Richard Purdie, openembedded-core, joseph.reynolds1



On 6/30/19 4:58 PM, Richard Purdie wrote:
> On Fri, 2019-06-28 at 18:03 -0500, Joseph Reynolds wrote:
>>   From 587a9e5c637ad3e70b8e35a3ca66013693ce7ac7 Mon Sep 17 00:00:00
>> 2001
>> From: Joseph Reynolds <joseph.reynolds1@ibm.com>
>> Date: Wed, 19 Jun 2019 20:16:40 -0500
>> Subject: [PATCH v2] dropbear: new feature: disable-weak-ciphers
>>
>> Enhances dropbear with a new feature "disable-weak-ciphers", on by
>> default.
>> This feature disables all CBC, SHA1, and diffie-hellman group1
>> ciphers in
>> the dropbear ssh server and client.
>>
>> Disable this feature if you need to connect to the ssh server from
>> older
>> clients.  Additional customization can be done with local_options.h
>> as
>> usual.
>>
>> Tested: On github.com/openbmc/openbmc using dropbear_2019.78.
>>
>> Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
>> ---
>>    meta/recipes-core/dropbear/dropbear.inc            |  6 ++-
>>    .../0007-dropbear-disable-weak-ciphers.patch       | 57
>> ++++++++++++++++++++++
>>    2 files changed, 61 insertions(+), 2 deletions(-)
>>    create mode 100644
>> meta/recipes-core/dropbear/dropbear/0007-dropbear-disable-weak-
>> ciphers.patch
> I merged v1 of this patch previously. What was different in this
> version?

The v2 patch had the same content with fixed up commit messages. You can 
ignore it.
Thanks for handling this.
>
> Also, the patch was still line wrapped so very hard to apply (had to be
> manually fixed).
>
> Cheers,
>
> Richard
>



