Gitiles
Code Review Sign In
gerrit.openbmc.org / mdmillerii / openbmc / 22f682c653ad51d5f5c1ac8a7acd73c44f8b291b^! / .
commit22f682c653ad51d5f5c1ac8a7acd73c44f8b291b[log] [tgz]
authorAdriana Kobylak <anoo@us.ibm.com>Tue Jan 23 14:15:30 2024 -0600
committerAdriana Kobylak <anoo@us.ibm.com>Tue Feb 20 13:23:18 2024 -0600
tree40ac424dee3d5aa4007024449a3c019c70794395
parentb758ca406e1f4955f222bd11d145ad96160a29d2 [diff]
dropbear: Disable the Chacha20-Poly1305 cipher

The BMC dropbear SSH server has the affected chacha20-poly1305. The
dropbear project indicates that it's affected but not vulnerable to the
terrapin attack:
```
https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L17
```

The options are to remove the affected chacha20-poly1305 algorithm, or
to enable the new strict-key exchange (strict-kex) option although the
client would also need to use strict-kex.

Go with the first option.

Tested:

Before change:
```
root@p10bmc:~# ssh -c help
ssh: Available ciphers: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
```

After change:

```
root@p10bmc:~# ssh -c help
ssh: Available ciphers: aes128-ctr,aes256-ctr
```

Change-Id: Ibe256cbead030ee86078d8518109c691046fb812
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>

diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h b/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h
index 8aec3b3..4a3ebcf 100644
--- a/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h
+++ b/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h

@@ -1,6 +1,9 @@
 // Disable CBC ciphers for modern security.
 #define DROPBEAR_ENABLE_CBC_MODE 0
 
+// Disable Chacha20-Poly1305 cipher.
+#define DROPBEAR_CHACHA20POLY1305 0
+
 #define DROPBEAR_SHA1_96_HMAC 0
 #define DROPBEAR_SHA2_256_HMAC 1
 #define DROPBEAR_SHA2_512_HMAC 1