Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 1597b9231e2cdd8860317a94dd1b2118cc36da60^! / .
commit1597b9231e2cdd8860317a94dd1b2118cc36da60[log] [tgz]
authorJoseph Reynolds <jrey@us.ibm.com>Tue Oct 09 14:53:15 2018 -0500
committerBrad Bishop <bradleyb@fuzziesquirrel.com>Wed Oct 31 07:33:21 2018 -0400
tree549397433dc8c40dc6960d1bdbf32bb7c197f9d7
parent8c01c500cdfb3b71294e1b6eea60c0d9dbb8124c [diff]
Dropbear SSH remove HMAC-MD5

The Dropbear SSH client and server configuration is changed to not
accept the HMAC-MD5 algorithm when making connections.
The MD5 algorithm is no longer considered secure.

With this change, Dropbear supports the following MAC algorithms:
SHA1_HMAC, SHA2_256_HMAC, and SHA2_512_HMAC.
Note that Dropbear does not yet support HMAC-SHA3.

Tested:
  $ ssh -m hmac-sha1-96 root@${bmc}
  Unable to negotiate with ${bmc} port 22:
  no matching MAC found.
  Their offer: hmac-sha1,hmac-sha2-256,hmac-sha2-512
  $ ssh root@${bmc}  # worked

(From meta-phosphor rev: ec86af05553a7a66af68356cb2b4ec451d5bbf91)

Change-Id: Iba30c9f1ea66e2c72c75d16a16194ede808fe64a
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/options.patch b/meta-phosphor/recipes-core/dropbear/dropbear/options.patch
index 0582ca4..5212243 100644
--- a/meta-phosphor/recipes-core/dropbear/dropbear/options.patch
+++ b/meta-phosphor/recipes-core/dropbear/dropbear/options.patch

@@ -1,26 +1,33 @@
 diff --git a/options.h b/options.h
-index 0c51bb1..2c38f42 100644
+index 0c51bb1..3df2d67 100644
 --- a/options.h
 +++ b/options.h
-@@ -95,12 +95,9 @@ much traffic. */
+@@ -95,12 +95,12 @@ much traffic. */
  #define DROPBEAR_AES256
  /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
  /*#define DROPBEAR_BLOWFISH*/
 -#define DROPBEAR_TWOFISH256
 -#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
  
  /* Enable CBC mode for ciphers. This has security issues though
   * is the most compatible with older SSH implementations */
 -#define DROPBEAR_ENABLE_CBC_MODE
++/*#define DROPBEAR_ENABLE_CBC_MODE*/
  
  /* Enable "Counter Mode" for ciphers. This is more secure than normal
   * CBC mode against certain attacks. It is recommended for security
-@@ -130,8 +127,6 @@ If you test it please contact the Dropbear author */
-  * These hashes are also used for public key fingerprints in logs.
+@@ -131,10 +131,10 @@ If you test it please contact the Dropbear author */
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
--#define DROPBEAR_SHA1_HMAC
+ #define DROPBEAR_SHA1_HMAC
 -#define DROPBEAR_SHA1_96_HMAC
++/*#define DROPBEAR_SHA1_96_HMAC*/
  #define DROPBEAR_SHA2_256_HMAC
  #define DROPBEAR_SHA2_512_HMAC
- #define DROPBEAR_MD5_HMAC
+-#define DROPBEAR_MD5_HMAC
++/*#define DROPBEAR_MD5_HMAC*/
+ 
+ /* You can also disable integrity. Don't bother disabling this if you're
+  * still using a cipher, it's relatively cheap. If you disable this it's dead