* [Buildroot] [PATCH v2] dropbear: Do not build static binary
@ 2018-05-07 12:28 Stefan Sørensen
From: Stefan Sørensen @ 2018-05-07 12:28 UTC (permalink / raw)
  To: buildroot

Dropbear 2018.76 now uses the --enable-static option to indicate that a static
binary should be built. This will incorrectly pick up the generic buildroot
option intended for building static libraries, causing an unwanted static
binary build with BR2_SHARED_STATIC_LIBS.

Fix by appending an --disable-static configure flag, overriding the buildroot
default.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
Changes v1->v2:
 * Keep the --enable-static when BR2_STATIC_LIBS=y

 package/dropbear/dropbear.mk | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index 1da1a559a3..fc41a84c1f 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -27,8 +27,11 @@ DROPBEAR_MAKE = \
 	$(MAKE) MULTI=1 SCPPROGRESS=1 \
 	PROGRAMS="$(DROPBEAR_PROGRAMS)"
 
-ifeq ($(BR2_STATIC_LIBS),y)
-DROPBEAR_CONF_OPTS += --enable-static
+# With BR2_SHARED_STATIC_LIBS=y the generic infrastructure adds a
+# --enable-static flags causing dropbear to be built as a static
+# binary. Adding a --disable-static reverts this
+ifeq ($(BR2_SHARED_STATIC_LIBS),y)
+DROPBEAR_CONF_OPTS += --disable-static
 endif
 
 # Ensure that dropbear doesn't use crypt() when it's not available
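Review bot: the new comment has a number mismatch in "adds a --enable-static flags" and its last sentence has no period; suggest "adds an --enable-static flag, causing dropbear to be built as a static binary. Adding --disable-static reverts this." The changelog says --enable-static is kept when BR2_STATIC_LIBS=y, yet the explicit `ifeq ($(BR2_STATIC_LIBS),y)` block that used to add it is removed here, so the comment should also say where that flag now comes from (presumably the generic infrastructure, as the comment already states for the BR2_SHARED_STATIC_LIBS=y case), otherwise the next reader will assume the static case was dropped by mistake.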
-- 
2.17.0


* [Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options
@ 2018-05-07 12:28 ` Stefan Sørensen
From: Stefan Sørensen @ 2018-05-07 12:28 UTC (permalink / raw)
  To: buildroot

Dropbear by default enables a number of algorithms that are now considered
insecure and should only be used when legacy support is required:
   3DES encryption
   Blowfish encryption
   SHA1-96 message integrity
   CBC encryption mode
   DSA public keys
   Diffie-Hellman Group1 key exchange

So disable them by default, but add a config option for bringing them back.
Furthermore, the Blowfish legacy algorithm is unconditionally disabled.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
Changes v1->v2:
 * Mention that the Blowfish algorithm has been disabled

 package/dropbear/Config.in   | 10 ++++++++++
 package/dropbear/dropbear.mk | 12 +++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 5d6b83b6d1..62f77bad9d 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
 	  Enable logging of dropbear access to lastlog. Notice that
 	  Buildroot does not generate lastlog by default.
 
+config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
+	bool "enable legacy crypto"
+	help
+	  Enable legacy and possibly insecure algorithms:
+	    3DES encryption
+	    SHA1-96 message integrity
+	    CBC encryption mode
+	    DSA public keys
+	    Diffie-Hellman Group1 key exchange
+
 endif
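Review bot: the help text says "possibly insecure" while the commit message calls these algorithms "now considered insecure"; aligning the wording, and noting that the option defaults to off so the algorithms only come back when someone deliberately needs interoperability with old peers, makes the trade-off clearer to whoever flips it. The list omits Blowfish, which matches the commit message saying it is disabled unconditionally, but a one-line remark that Blowfish cannot be re-enabled through this option would pre-empt the obvious question.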
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index fc41a84c1f..c2d3dedad3 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -42,13 +42,23 @@ define DROPBEAR_SVR_PASSWORD_AUTH
 endef
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
 
+define DROPBEAR_DISABLE_LEGACY_CRYPTO
+	echo '#define DROPBEAR_3DES 0'                  >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_ENABLE_CBC_MODE 0'       >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_SHA1_96_HMAC 0'          >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_DSS 0'                   >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_DH_GROUP1 0'             >> $(@D)/localoptions.h
+endef
+ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO
+endif
+
 define DROPBEAR_ENABLE_REVERSE_DNS
 	echo '#define DO_HOST_LOOKUP 1'                 >> $(@D)/localoptions.h
 endef
 
 define DROPBEAR_BUILD_FEATURED
 	echo '#define DROPBEAR_SMALL_CODE 0'            >> $(@D)/localoptions.h
-	echo '#define DROPBEAR_BLOWFISH 1'              >> $(@D)/localoptions.h
 	echo '#define DROPBEAR_TWOFISH128 1'            >> $(@D)/localoptions.h
 	echo '#define DROPBEAR_TWOFISH256 1'            >> $(@D)/localoptions.h
 endef
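Review bot: the commit message says Blowfish is unconditionally disabled, but this hunk only drops the `#define DROPBEAR_BLOWFISH 1` line from DROPBEAR_BUILD_FEATURED, which leaves the value to dropbear's own default rather than pinning it; appending an explicit `echo '#define DROPBEAR_BLOWFISH 0' >> $(@D)/localoptions.h` unconditionally (for example in place of the removed line) would make the stated behaviour independent of the upstream default. The DROPBEAR_DISABLE_LEGACY_CRYPTO define and the `ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)` guard are otherwise fine: the hook is registered only when the option is unset, and every define is written as 0 rather than left undefined.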
-- 
2.17.0

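As an added example, not part of the Buildroot patch or of dropbear, a POSIX sh check that reads the generated localoptions.h and reports which of the legacy options the patch targets are not explicitly pinned to 0. The sample header is constructed to mirror what the patch's hooks append; `DROPBEAR_BLOWFISH` is included in the check to show that merely dropping the `#define DROPBEAR_BLOWFISH 1` line leaves that option to dropbear's built-in default.

```shell
#!/bin/sh
# Added example, not part of the Buildroot patch: audit a dropbear
# localoptions.h for the legacy options the patch defines to 0.
# Assumes the generated header is passed as the first argument.

LEGACY_OPTS="DROPBEAR_3DES DROPBEAR_ENABLE_CBC_MODE DROPBEAR_SHA1_96_HMAC DROPBEAR_DSS DROPBEAR_DH_GROUP1 DROPBEAR_BLOWFISH"

# Print the value the last '#define NAME 0|1' line in file $1 gives option
# $2, or "unset" when the file never mentions it (dropbear's default applies).
localoption_value() {
    val=$(sed -n "s/^[[:space:]]*#define[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*\([01]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo "unset"; fi
}

# Return 0 when every legacy option is explicitly defined to 0 in $1;
# otherwise list each option that is 1 or unset and return 1.
check_legacy_disabled() {
    rc=0
    for opt in $LEGACY_OPTS; do
        v=$(localoption_value "$1" "$opt")
        if [ "$v" != "0" ]; then
            echo "$opt: $v"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring what the patch's hooks append (not a real
# build artifact): the five legacy defines plus two unrelated lines that the
# other hooks write. Blowfish is absent, exactly as the patch leaves it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#define DROPBEAR_3DES 0
#define DROPBEAR_ENABLE_CBC_MODE 0
#define DROPBEAR_SHA1_96_HMAC 0
#define DROPBEAR_DSS 0
#define DROPBEAR_DH_GROUP1 0
#define DO_HOST_LOOKUP 1
#define DROPBEAR_TWOFISH128 1
EOF
if check_legacy_disabled "$sample"; then
    echo "all legacy algorithms explicitly disabled"
else
    echo "options listed above are not pinned to 0 and follow dropbear's default"
fi
rm -f "$sample"
```

Running it on the constructed sample prints `DROPBEAR_BLOWFISH: unset`, which is the gap a reviewer would want closed with an explicit define.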

* [Buildroot] [PATCH v2] dropbear: Do not build static binary
@ 2018-05-07 17:53 ` Baruch Siach
From: Baruch Siach @ 2018-05-07 17:53 UTC (permalink / raw)
  To: buildroot

Hi Stefan,

On Mon, May 07, 2018 at 02:28:43PM +0200, Stefan Sørensen wrote:
> Dropbear 2018.76 now uses the --enable-static option to indicate that a static
> binary should be built. This will incorrectly pick up the generic buildroot
> option intended for building static libraries, causing an unwanted static
> binary build with BR2_SHARED_STATIC_LIBS.
> 
> Fix by appending an --disable-static configure flag, overriding the buildroot
> default.
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>

Reviewed-by: Baruch Siach <baruch@tkos.co.il>

baruch

> ---
> Changes v1->v2:
>  * Keep the --enable-static when BR2_STATIC_LIBS=y
> 
>  package/dropbear/dropbear.mk | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
> index 1da1a559a3..fc41a84c1f 100644
> --- a/package/dropbear/dropbear.mk
> +++ b/package/dropbear/dropbear.mk
> @@ -27,8 +27,11 @@ DROPBEAR_MAKE = \
>  	$(MAKE) MULTI=1 SCPPROGRESS=1 \
>  	PROGRAMS="$(DROPBEAR_PROGRAMS)"
>  
> -ifeq ($(BR2_STATIC_LIBS),y)
> -DROPBEAR_CONF_OPTS += --enable-static
> +# With BR2_SHARED_STATIC_LIBS=y the generic infrastructure adds a
> +# --enable-static flags causing dropbear to be built as a static
> +# binary. Adding a --disable-static reverts this
> +ifeq ($(BR2_SHARED_STATIC_LIBS),y)
> +DROPBEAR_CONF_OPTS += --disable-static
>  endif
>  
>  # Ensure that dropbear doesn't use crypt() when it's not available

-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -


* [Buildroot] [PATCH v2] dropbear: Do not build static binary
@ 2018-05-08 13:09 ` Thomas Petazzoni
From: Thomas Petazzoni @ 2018-05-08 13:09 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon,  7 May 2018 14:28:43 +0200, Stefan Sørensen wrote:
> Dropbear 2018.76 now uses the --enable-static option to indicate that a static
> binary should be built. This will incorrectly pick up the generic buildroot
> option intended for building static libraries, causing an unwanted static
> binary build with BR2_SHARED_STATIC_LIBS.
> 
> Fix by appending an --disable-static configure flag, overriding the buildroot
> default.
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---
> Changes v1->v2:
>  * Keep the --enable-static when BR2_STATIC_LIBS=y

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH] dropbear: Disable legacy/insecure options
@ 2018-07-01  1:12   ` Carlos Santos
From: Carlos Santos @ 2018-07-01  1:12 UTC (permalink / raw)
  To: buildroot

Stefan Sørensen wrote:

> Dropbear by default enables a number of algorithms that are now considered
> insecure and should only be used when legacy support is required:
>    3DES encryption
>    Blowfish encryption
>    SHA1-96 message integrity
>    CBC encryption mode
>    DSA public keys
>    Diffie-Hellman Group1 key exchange
> 
> So disable them by default, but add a config option for bringing them back.
> Furthermore the Blowfish legacy algorithm is unconditionally disabled
[...]

Looks good but after commit 037b8616257067282e375edca9af19418a0e7a4a it
needs to be rebased.

--
Carlos Santos
DATACOM P&D


* [Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options
@ 2018-07-03  4:25   ` Baruch Siach
From: Baruch Siach @ 2018-07-03  4:25 UTC (permalink / raw)
  To: buildroot

Hi Stefan,

On Mon, May 07, 2018 at 02:28:44PM +0200, Stefan Sørensen wrote:
> Dropbear by default enables a number of algorithms that are now considered
> insecure and should only be used when legacy support is required:
>    3DES encryption
>    Blowfish encryption
>    SHA1-96 message integrity
>    CBC encryption mode
>    DSA public keys
>    Diffie-Hellman Group1 key exchange
> 
> So disable them by default, but add a config option for bringing them back.
> Furthermore the Blowfish legacy algorithm is unconditionally disabled
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>

Reviewed-by: Baruch Siach <baruch@tkos.co.il>

baruch

-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -


* [Buildroot] [PATCH v2] dropbear: Do not build static binary
@ 2018-08-27  9:36 ` Peter Korsgaard
From: Peter Korsgaard @ 2018-08-27  9:36 UTC (permalink / raw)
  To: buildroot

>>>>> "Stefan" == Stefan Sørensen <stefan.sorensen@spectralink.com> writes:

 > Dropbear 2018.76 now uses the --enable-static option to indicate that a static
 > binary should be built. This will incorrectly pick up the generic buildroot
 > option intended for building static libraries, causing an unwanted static
 > binary build with BR2_SHARED_STATIC_LIBS.

 > Fix by appending an --disable-static configure flag, overriding the buildroot
 > default.

 > Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
 > ---
 > Changes v1->v2:
 >  * Keep the --enable-static when BR2_STATIC_LIBS=y

Committed to 2018.02.x, thanks.

-- 
Bye, Peter Korsgaard

