author | Adriana Kobylak <anoo@us.ibm.com> | 2024-01-23 23:15:30 +0300 |
---|---|---|
committer | Adriana Kobylak <anoo@us.ibm.com> | 2024-02-20 22:23:18 +0300 |
commit | 22f682c653ad51d5f5c1ac8a7acd73c44f8b291b (patch) | |
tree | 40ac424dee3d5aa4007024449a3c019c70794395 /meta-phosphor/recipes-core | |
parent | b758ca406e1f4955f222bd11d145ad96160a29d2 (diff) | |
download | openbmc-22f682c653ad51d5f5c1ac8a7acd73c44f8b291b.tar.xz |
dropbear: Disable the Chacha20-Poly1305 cipher
The BMC dropbear SSH server has the affected chacha20-poly1305. The
dropbear project indicates that it's affected but not vulnerable to the
terrapin attack:
```
https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L17
```
The options are to remove the affected chacha20-poly1305 algorithm, or
to enable the new strict-key exchange (strict-kex) option although the
client would also need to use strict-kex.
Go with the first option.
Tested:
Before change:
```
root@p10bmc:~# ssh -c help
ssh: Available ciphers: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
```
After change:
```
root@p10bmc:~# ssh -c help
ssh: Available ciphers: aes128-ctr,aes256-ctr
```
Change-Id: Ibe256cbead030ee86078d8518109c691046fb812
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
Diffstat (limited to 'meta-phosphor/recipes-core')
-rw-r--r-- | meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h b/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h index 8aec3b3a7c..4a3ebcffe8 100644 --- a/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h +++ b/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h @@ -1,6 +1,9 @@ // Disable CBC ciphers for modern security. #define DROPBEAR_ENABLE_CBC_MODE 0 +// Disable Chacha20-Poly1305 cipher. +#define DROPBEAR_CHACHA20POLY1305 0 + #define DROPBEAR_SHA1_96_HMAC 0 #define DROPBEAR_SHA2_256_HMAC 1 #define DROPBEAR_SHA2_512_HMAC 1 |
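Review bot: The comment added above `#define DROPBEAR_CHACHA20POLY1305 0` only restates the define and does not say why the cipher is turned off. The rationale (Terrapin, with strict-kex as the alternative that was not chosen) lives only in the commit message, so someone reading localoptions.h after a later dropbear upgrade has nothing to tell them the setting can be revisited once strict-kex is in use on both ends. Suggest wording along the lines of `// Disable Chacha20-Poly1305 (affected by Terrapin); revisit when strict-kex is enabled.` The existing CBC line at the top of the hunk already carries a short reason in its comment, so this would also keep the file consistent.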