* [Buildroot] [PATCH v2] dropbear: Do not build static binary
@ 2018-05-07 12:28 Stefan Sørensen
2018-05-07 12:28 ` [Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options Stefan Sørensen
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Stefan Sørensen @ 2018-05-07 12:28 UTC (permalink / raw)
To: buildroot
Dropbear 2018.76 now uses the --enable-static option to indicate that a static
binary should be built. This will incorrectly pick up the generic buildroot
option intended for building static libraries, causing an unwanted static
binary build with BR2_SHARED_STATIC_LIBS.
Fix by appending an --disable-static configure flag, overriding the buildroot
default.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
Changes v1->v2:
* Keep the --enable-static when BR2_STATIC_LIBS=y
package/dropbear/dropbear.mk | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index 1da1a559a3..fc41a84c1f 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -27,8 +27,11 @@ DROPBEAR_MAKE = \
$(MAKE) MULTI=1 SCPPROGRESS=1 \
PROGRAMS="$(DROPBEAR_PROGRAMS)"
-ifeq ($(BR2_STATIC_LIBS),y)
-DROPBEAR_CONF_OPTS += --enable-static
+# With BR2_SHARED_STATIC_LIBS=y the generic infrastructure adds a
+# --enable-static flags causing dropbear to be built as a static
+# binary. Adding a --disable-static reverts this
+ifeq ($(BR2_SHARED_STATIC_LIBS),y)
+DROPBEAR_CONF_OPTS += --disable-static
endif
# Ensure that dropbear doesn't use crypt() when it's not available
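Review bot: the fix in this hunk relies on two things the comment does not say: that the generic infrastructure still passes --enable-static when BR2_STATIC_LIBS=y (which is why dropping the old `ifeq ($(BR2_STATIC_LIBS),y)` block is safe, as the v1->v2 changelog intends), and that `--disable-static` in DROPBEAR_CONF_OPTS comes after the generic flag so that configure honours the later one. Spell both out in the comment so the next person touching the static-libs handling does not "clean up" the apparent inconsistency.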
--
2.17.0
* [Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options
2018-05-07 12:28 [Buildroot] [PATCH v2] dropbear: Do not build static binary Stefan Sørensen
@ 2018-05-07 12:28 ` Stefan Sørensen
2018-07-01 1:12 ` [Buildroot] [PATCH] " Carlos Santos
2018-07-03 4:25 ` [Buildroot] [PATCH v2] " Baruch Siach
2018-05-07 17:53 ` [Buildroot] [PATCH v2] dropbear: Do not build static binary Baruch Siach
` (2 subsequent siblings)
3 siblings, 2 replies; 7+ messages in thread
From: Stefan Sørensen @ 2018-05-07 12:28 UTC (permalink / raw)
To: buildroot
Dropbear by default enables a number of algorithms that are now considered
insecure and should only be used when legacy support is required:
3DES encryption
Blowfish encryption
SHA1-96 message integrity
CBC encryption mode
DSA public keys
Diffie-Hellman Group1 key exchange
So disable them by default, but add a config option for bringing them back.
Furthermore, the Blowfish legacy algorithm is unconditionally disabled.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
Changes v1->v2:
* Mention that the Blowfish algorithm has been disabled
package/dropbear/Config.in | 10 ++++++++++
package/dropbear/dropbear.mk | 12 +++++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 5d6b83b6d1..62f77bad9d 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
Enable logging of dropbear access to lastlog. Notice that
Buildroot does not generate lastlog by default.
+config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
+ bool "enable legacy crypto"
+ help
+ Enable legacy and possibly insecure algorithms:
+ 3DES encryption
+ SHA1-96 message integrity
+ CBC encryption mode
+ DSA public keys
+ Diffie-Hellman Group1 key exchange
+
endif
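Review bot: the help text for BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO lists the five algorithms the option brings back but does not say that Blowfish stays off even when the option is selected, although the commit message singles Blowfish out as unconditionally disabled; a user selecting "enable legacy crypto" to talk to a blowfish-cbc-only peer will be surprised. Add a line such as `Blowfish is not re-enabled by this option.` at the end of the help, and consider "insecure" rather than "possibly insecure" so the help matches the commit message and makes clear the option is only for legacy peers.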
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index fc41a84c1f..c2d3dedad3 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -42,13 +42,23 @@ define DROPBEAR_SVR_PASSWORD_AUTH
endef
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
+define DROPBEAR_DISABLE_LEGACY_CRYPTO
+ echo '#define DROPBEAR_3DES 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_SHA1_96_HMAC 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_DSS 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_DH_GROUP1 0' >> $(@D)/localoptions.h
+endef
+ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO
+endif
+
define DROPBEAR_ENABLE_REVERSE_DNS
echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h
endef
define DROPBEAR_BUILD_FEATURED
echo '#define DROPBEAR_SMALL_CODE 0' >> $(@D)/localoptions.h
- echo '#define DROPBEAR_BLOWFISH 1' >> $(@D)/localoptions.h
echo '#define DROPBEAR_TWOFISH128 1' >> $(@D)/localoptions.h
echo '#define DROPBEAR_TWOFISH256 1' >> $(@D)/localoptions.h
endef
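Review bot: removing `echo '#define DROPBEAR_BLOWFISH 1'` from DROPBEAR_BUILD_FEATURED only stops Buildroot from turning Blowfish on; it leaves the value to dropbear's own default rather than disabling it unconditionally as the commit message says. If the intent is to guarantee it is off regardless of upstream defaults, add an explicit `echo '#define DROPBEAR_BLOWFISH 0' >> $(@D)/localoptions.h`, placed outside the `ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)` block so it also holds when the legacy option is enabled.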
--
2.17.0
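As a check on what these options change on the wire, here is an added example (mine, not part of the patch or of dropbear) that parses an SSH_MSG_KEXINIT payload and reports which of the algorithms the patch disables are still being advertised. The mapping from the localoptions.h macros to SSH algorithm names is my assumption from the macro names, and both KEXINIT payloads are constructed inline; against a real device you would feed it the server's KEXINIT captured right after the version-string exchange.

```python
import struct

SSH_MSG_KEXINIT = 20

# Order of the ten name-lists in a KEXINIT payload (RFC 4253, section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Assumed mapping from the localoptions.h macros in the patch to the SSH
# algorithm names a server would advertise; not taken from the patch itself.
LEGACY_NAMES = {
    "DROPBEAR_DH_GROUP1": {"diffie-hellman-group1-sha1"},
    "DROPBEAR_DSS": {"ssh-dss"},
    "DROPBEAR_3DES": {"3des-cbc", "3des-ctr"},
    "DROPBEAR_BLOWFISH": {"blowfish-cbc"},
    "DROPBEAR_SHA1_96_HMAC": {"hmac-sha1-96"},
}

def _namelist(names):
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw

def build_kexinit(lists, cookie=bytes(16)):
    """Serialise name-lists into a KEXINIT payload; used to build the samples."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    body += b"".join(_namelist(lists.get(f, [])) for f in FIELDS)
    body += b"\x00"                 # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)    # reserved
    return body

def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: [names]}, rejecting truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16                    # message id + 16-byte random cookie
    lists = {}
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n]
        off += n
        lists[field] = raw.decode("ascii").split(",") if raw else []
    return lists

def audit_kexinit(payload):
    """Return sorted (macro, algorithm) pairs for every legacy algorithm offered.

    Any cipher whose name ends in "-cbc" is reported under
    DROPBEAR_ENABLE_CBC_MODE, so CBC ciphers other than 3DES/Blowfish are
    caught too. Plain hmac-sha1 is not flagged: the patch only turns off
    the truncated sha1-96 variant.
    """
    lists = parse_kexinit(payload)
    offered = {
        "kex": set(lists["kex"]),
        "hostkey": set(lists["hostkey"]),
        "cipher": set(lists["enc_c2s"]) | set(lists["enc_s2c"]),
        "mac": set(lists["mac_c2s"]) | set(lists["mac_s2c"]),
    }
    findings = set()
    for macro, names in LEGACY_NAMES.items():
        for category in offered.values():
            for name in category & names:
                findings.add((macro, name))
    for name in offered["cipher"]:
        if name.endswith("-cbc"):
            findings.add(("DROPBEAR_ENABLE_CBC_MODE", name))
    return sorted(findings)

# Constructed sample of what a server with the legacy options still on might offer.
LEGACY_SERVER = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256",
            "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-256", "ssh-dss"],
    "enc_c2s": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-ctr"],
    "enc_s2c": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

# Constructed sample of the same server once the legacy options are disabled.
HARDENED_SERVER = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-256"],
    "enc_c2s": ["aes128-ctr", "aes256-ctr"],
    "enc_s2c": ["aes128-ctr", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    for label, payload in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        print(label, audit_kexinit(payload) or "no legacy algorithms offered")
```

The audit reports by macro name so a finding maps straight back to the `#define` line in localoptions.h that should have removed it; a non-empty result on a hardened build means either the legacy option was left selected or the localoptions.h hook did not run.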
* [Buildroot] [PATCH v2] dropbear: Do not build static binary
2018-05-07 12:28 [Buildroot] [PATCH v2] dropbear: Do not build static binary Stefan Sørensen
2018-05-07 12:28 ` [Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options Stefan Sørensen
@ 2018-05-07 17:53 ` Baruch Siach
2018-05-08 13:09 ` Thomas Petazzoni
2018-08-27 9:36 ` Peter Korsgaard
3 siblings, 0 replies; 7+ messages in thread
From: Baruch Siach @ 2018-05-07 17:53 UTC (permalink / raw)
To: buildroot
Hi Stefan,
On Mon, May 07, 2018 at 02:28:43PM +0200, Stefan Sørensen wrote:
> Dropbear 2018.76 now uses the --enable-static option to indicate that a static
> binary should be built. This will incorrectly pick up the generic buildroot
> option intended for building static libraries, causing an unwanted static
> binary build with BR2_SHARED_STATIC_LIBS.
>
> Fix by appending an --disable-static configure flag, overriding the buildroot
> default.
>
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
baruch
> ---
> Changes v1->v2:
> * Keep the --enable-static when BR2_STATIC_LIBS=y
>
> package/dropbear/dropbear.mk | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
> index 1da1a559a3..fc41a84c1f 100644
> --- a/package/dropbear/dropbear.mk
> +++ b/package/dropbear/dropbear.mk
> @@ -27,8 +27,11 @@ DROPBEAR_MAKE = \
> $(MAKE) MULTI=1 SCPPROGRESS=1 \
> PROGRAMS="$(DROPBEAR_PROGRAMS)"
>
> -ifeq ($(BR2_STATIC_LIBS),y)
> -DROPBEAR_CONF_OPTS += --enable-static
> +# With BR2_SHARED_STATIC_LIBS=y the generic infrastructure adds a
> +# --enable-static flags causing dropbear to be built as a static
> +# binary. Adding a --disable-static reverts this
> +ifeq ($(BR2_SHARED_STATIC_LIBS),y)
> +DROPBEAR_CONF_OPTS += --disable-static
> endif
>
> # Ensure that dropbear doesn't use crypt() when it's not available
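Review bot: the new comment in this hunk has a grammar slip and a missing period: `# --enable-static flags causing dropbear to be built as a static` should read "an --enable-static flag", and `# binary. Adding a --disable-static reverts this` needs a full stop. Worth fixing before this goes in, since the comment is the only place the BR2_SHARED_STATIC_LIBS special case is explained.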
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* [Buildroot] [PATCH v2] dropbear: Do not build static binary
2018-05-07 12:28 [Buildroot] [PATCH v2] dropbear: Do not build static binary Stefan Sørensen
2018-05-07 12:28 ` [Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options Stefan Sørensen
2018-05-07 17:53 ` [Buildroot] [PATCH v2] dropbear: Do not build static binary Baruch Siach
@ 2018-05-08 13:09 ` Thomas Petazzoni
2018-08-27 9:36 ` Peter Korsgaard
3 siblings, 0 replies; 7+ messages in thread
From: Thomas Petazzoni @ 2018-05-08 13:09 UTC (permalink / raw)
To: buildroot
Hello,
On Mon, 7 May 2018 14:28:43 +0200, Stefan Sørensen wrote:
> Dropbear 2018.76 now uses the --enable-static option to indicate that a static
> binary should be built. This will incorrectly pick up the generic buildroot
> option intended for building static libraries, causing an unwanted static
> binary build with BR2_SHARED_STATIC_LIBS.
>
> Fix by appending an --disable-static configure flag, overriding the buildroot
> default.
>
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---
> Changes v1->v2:
> * Keep the --enable-static when BR2_STATIC_LIBS=y
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH] dropbear: Disable legacy/insecure options
2018-05-07 12:28 ` [Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options Stefan Sørensen
@ 2018-07-01 1:12 ` Carlos Santos
2018-07-03 4:25 ` [Buildroot] [PATCH v2] " Baruch Siach
1 sibling, 0 replies; 7+ messages in thread
From: Carlos Santos @ 2018-07-01 1:12 UTC (permalink / raw)
To: buildroot
Stefan Sørensen wrote:
> Dropbear by default enables a number of algorithms that are now considered
> insecure and should only be used when legacy support is required:
> 3DES encryption
> Blowfish encryption
> SHA1-96 message integrity
> CBC encryption mode
> DSA public keys
> Diffie-Hellman Group1 key exchange
>
> So disable them by default, but add a config option for bringing them back.
> Furthermore, the Blowfish legacy algorithm is unconditionally disabled.
[...]
Looks good but after commit 037b8616257067282e375edca9af19418a0e7a4a it
needs to be rebased.
--
Carlos Santos
DATACOM P&D
* [Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options
2018-05-07 12:28 ` [Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options Stefan Sørensen
2018-07-01 1:12 ` [Buildroot] [PATCH] " Carlos Santos
@ 2018-07-03 4:25 ` Baruch Siach
1 sibling, 0 replies; 7+ messages in thread
From: Baruch Siach @ 2018-07-03 4:25 UTC (permalink / raw)
To: buildroot
Hi Stefan,
On Mon, May 07, 2018 at 02:28:44PM +0200, Stefan Sørensen wrote:
> Dropbear by default enables a number of algorithms that are now considered
> insecure and should only be used when legacy support is required:
> 3DES encryption
> Blowfish encryption
> SHA1-96 message integrity
> CBC encryption mode
> DSA public keys
> Diffie-Hellman Group1 key exchange
>
> So disable them by default, but add a config option for bringing them back.
> Furthermore, the Blowfish legacy algorithm is unconditionally disabled.
>
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
baruch
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* [Buildroot] [PATCH v2] dropbear: Do not build static binary
2018-05-07 12:28 [Buildroot] [PATCH v2] dropbear: Do not build static binary Stefan Sørensen
` (2 preceding siblings ...)
2018-05-08 13:09 ` Thomas Petazzoni
@ 2018-08-27 9:36 ` Peter Korsgaard
3 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2018-08-27 9:36 UTC (permalink / raw)
To: buildroot
>>>>> "Stefan" == Stefan Sørensen <stefan.sorensen@spectralink.com> writes:
> Dropbear 2018.76 now uses the --enable-static option to indicate that a static
> binary should be built. This will incorrectly pick up the generic buildroot
> option intended for building static libraries, causing an unwanted static
> binary build with BR2_SHARED_STATIC_LIBS.
> Fix by appending an --disable-static configure flag, overriding the buildroot
> default.
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---
> Changes v1->v2:
> * Keep the --enable-static when BR2_STATIC_LIBS=y
Committed to 2018.02.x, thanks.
--
Bye, Peter Korsgaard