* [Buildroot] [PATCH 1/3] dropbear: Use macro to set options
From: Stefan Sørensen @ 2018-04-18 14:24 UTC
To: buildroot
Introduce a macro for editing options.h according to the Buildroot
configuration, replacing individual sed scripts.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
package/dropbear/dropbear.mk | 37 +++++++++++++++---------------------
1 file changed, 15 insertions(+), 22 deletions(-)
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index 01a1a07b76..dc1fee207f 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -32,24 +32,25 @@ endef
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_FIX_XAUTH
-define DROPBEAR_ENABLE_REVERSE_DNS
- $(SED) 's:.*\(#define DO_HOST_LOOKUP\).*:\1:' $(@D)/options.h
+define DROPBEAR_SET_OPT # (define, option)
+ if [ 'x$(2)' = 'xy' -o 'x$(2)' = 'x!' ]; then \
+ $(SED) 's:.*\(#define $(1)\)\([^A-Z0-9_]\|$$\).*:\1 1:' $(@D)/options.h; \
+ else \
+ $(SED) 's:.*\(#define $(1)\)\([^A-Z0-9_]\|$$\).*:/*\1*/:' $(@D)/options.h; \
+ fi
endef
-define DROPBEAR_BUILD_SMALL
- $(SED) 's:.*\(#define NO_FAST_EXPTMOD\).*:\1:' $(@D)/options.h
+define DROPBEAR_SET_OPTIONS
+ $(call DROPBEAR_SET_OPT,DROPBEAR_SMALL_CODE,$(BR2_PACKAGE_DROPBEAR_SMALL))
+ $(call DROPBEAR_SET_OPT,NO_FAST_EXPTMOD,$(BR2_PACKAGE_DROPBEAR_SMALL))
+ $(call DROPBEAR_SET_OPT,DO_HOST_LOOKUP,$(BR2_PACKAGE_DROPBEAR_ENABLE_REVERSE_DNS))
+ $(call DROPBEAR_SET_OPT,NON_INETD_MODE,$(BR2_USE_MMU))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_BLOWFISH,!$(BR2_PACKAGE_DROPBEAR_SMALL))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH128,!$(BR2_PACKAGE_DROPBEAR_SMALL))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH256,!$(BR2_PACKAGE_DROPBEAR_SMALL))
endef
-define DROPBEAR_BUILD_FEATURED
- $(SED) 's:^#define DROPBEAR_SMALL_CODE::' $(@D)/options.h
- $(SED) 's:.*\(#define DROPBEAR_BLOWFISH\).*:\1:' $(@D)/options.h
- $(SED) 's:.*\(#define DROPBEAR_TWOFISH128\).*:\1:' $(@D)/options.h
- $(SED) 's:.*\(#define DROPBEAR_TWOFISH256\).*:\1:' $(@D)/options.h
-endef
-
-define DROPBEAR_DISABLE_STANDALONE
- $(SED) 's:\(#define NON_INETD_MODE\):/*\1 */:' $(@D)/options.h
-endef
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SET_OPTIONS
define DROPBEAR_INSTALL_INIT_SYSTEMD
$(INSTALL) -D -m 644 package/dropbear/dropbear.service \
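Review bot: the DO_HOST_LOOKUP line reads BR2_PACKAGE_DROPBEAR_ENABLE_REVERSE_DNS, but the ifeq removed in the next hunk keyed reverse DNS on BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS being empty, and this patch does not touch Config.in. If no ENABLE_REVERSE_DNS symbol exists, `$(2)` expands to the empty string and DROPBEAR_SET_OPT comments DO_HOST_LOOKUP out unconditionally, silently inverting the previous default; either pass `!$(BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS)` here or include the symbol rename (with a legacy entry) in the series. Two smaller points on DROPBEAR_SET_OPT itself: the `'x$(2)' = 'x!'` branch deserves a comment saying that `!$(VAR)` expands to a bare `!` when VAR is unset and to `!y` when it is set, since that is what makes the negated Blowfish/Twofish calls work, and `-o` inside `[ ]` is obsolescent in POSIX, so `[ a ] || [ b ]` is the portable spelling.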
@@ -64,19 +65,11 @@ define DROPBEAR_INSTALL_INIT_SYSV
$(INSTALL) -D -m 755 package/dropbear/S50dropbear \
$(TARGET_DIR)/etc/init.d/S50dropbear
endef
-else
-DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_STANDALONE
-endif
-
-ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS),)
-DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_ENABLE_REVERSE_DNS
endif
ifeq ($(BR2_PACKAGE_DROPBEAR_SMALL),y)
-DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_BUILD_SMALL
DROPBEAR_CONF_OPTS += --disable-zlib
else
-DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_BUILD_FEATURED
DROPBEAR_DEPENDENCIES += zlib
endif
--
2.17.0
* [Buildroot] [PATCH 2/3] dropbear: Add configuration options for security features
From: Stefan Sørensen @ 2018-04-18 14:24 UTC
To: buildroot
The dropbear server provides no runtime configuration of ciphers, key
exchange algorithms, etc., but must rather be configured at compile time.
With no configurability the default settings will be used, which may not
be desired in all scenarios.
These new options allow the selection of
Ciphers (AES128, AES256, 3DES, Blowfish, Twofish128, Twofish256)
Cipher modes (CBC, CTR)
Integrity algorithms (SHA1, SHA1-96, SHA2-256, SHA2-512, MD5)
Key exchange algorithms (RSA, DSS, ECDSA, Curve25519, ECDH)
Authentication types (Password, Pubkey)
No defaults are changed.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
package/dropbear/Config.in | 163 +++++++++++++++++++++++++++++++++++
package/dropbear/dropbear.mk | 25 +++++-
2 files changed, 185 insertions(+), 3 deletions(-)
diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 6700778161..441c521d18 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -55,4 +55,167 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
Enable logging of dropbear access to lastlog. Notice that
Buildroot does not generate lastlog by default.
+menu "Dropbear ciphers"
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_AES128
+ bool "AES128"
+ default y
+ help
+ Enable the AES128 cipher
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_AES256
+ bool "AES256"
+ default y
+ help
+ Enable the AES256 cipher
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_3DES
+ bool "3DES"
+ default y
+ help
+ Enable the 3DES cipher
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_BLOWFISH
+ bool "Blowfish"
+ default y if !BR2_PACKAGE_DROPBEAR_SMALL
+ help
+ Enable the Blowfish cipher
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_TWOFISH128
+ bool "Twofish128"
+ default y if !BR2_PACKAGE_DROPBEAR_SMALL
+ help
+ Enable the Twofish128 cipher
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_TWOFISH256
+ bool "Twofish256"
+ default y if !BR2_PACKAGE_DROPBEAR_SMALL
+ help
+ Enable the Twofish256 cipher
+
+endmenu
+
+menu "Dropbear cipher modes"
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CBC
+ bool "CBC"
+ default y
+ help
+ Enable CBC mode for ciphers. This has security issues though
+ is the most compatible with older SSH implementations
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CTR
+ bool "CTR"
+ default y
+ help
+ Enable "Counter Mode" for ciphers. This is more secure than
+ normal CBC mode against certain attacks. It is recommended
+ for security and forwards compatibility
+
+endmenu
+
+menu "Dropbear integrity algorithms"
+
+config BR2_PACKAGE_DROPBEAR_HMAC_SHA1
+ bool "SHA1"
+ default y
+ help
+ Enable SHA1 integrity algorithm
+
+config BR2_PACKAGE_DROPBEAR_HMAC_SHA1_96
+ bool "SHA1-96"
+ default y
+ help
+ Enable SHA1-96 integrity algorithm
+
+config BR2_PACKAGE_DROPBEAR_HMAC_SHA2_256
+ bool "SHA2-256"
+ default y
+ help
+ Enable SHA2-256 integrity algorithm
+
+config BR2_PACKAGE_DROPBEAR_HMAC_SHA2_512
+ bool "SHA2-512"
+ default y
+ help
+ Enable SHA2-512 integrity algorithm
+
+config BR2_PACKAGE_DROPBEAR_HMAC_MD5
+ bool "MD5"
+ default y
+ help
+ Enable MD5 integrity algorithm. If you disable MD5, Dropbear
+ will fall back to SHA1 fingerprints, which are not the
+ standard form
+
+endmenu
+
+menu "Dropbear key exchange algorithms"
+
+config BR2_PACKAGE_DROPBEAR_KEX_RSA
+ bool "RSA"
+ default y
+ help
+ Enable RSA key exchange algorithm.
+
+config BR2_PACKAGE_DROPBEAR_KEX_DSS
+ bool "DSS"
+ default y
+ help
+ Enable DSS key exchange algorithm. SSH2 RFC Draft requires
+ DSS.
+
+config BR2_PACKAGE_DROPBEAR_KEX_ECDSA
+ bool "ECDSA"
+ default y
+ help
+ Enable Curve25519 for key exchange. ECDSA is significantly
+ faster than RSA or DSS. Compiling in ECC code (either ECDSA
+ or ECDH) increases binary size - around 30kB on x86-64
+
+config BR2_PACKAGE_DROPBEAR_KEX_CURVE25519
+ bool "Curve25519"
+ default y
+ help
+ Enable Curve25519 for key exchange. This is another elliptic
+ curve method with good security properties
+
+config BR2_PACKAGE_DROPBEAR_KEX_ECDH
+ bool "ECDH"
+ default y
+ help
+ Enable elliptic curve Diffie Hellman key exchange algorithm
+
+config BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP1
+ bool "DH Group1"
+ default y
+ help
+ Enable DH Group1 key exchange algorithm. Group1 is less
+ secure (1024 bit) than Group14 though is the only option for
+ interoperability with some older SSH programs
+
+config BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP14
+ bool "DH Group14"
+ default y
+ help
+ Enable DH Group14 key exchange algorithm
+
+endmenu
+
+menu "Dropbear authenticaton types"
+
+config BR2_PACKAGE_DROPBEAR_AUTH_TYPE_PASSWORD
+ bool "Password"
+ default y
+ help
+ Enable password based authentication
+
+config BR2_PACKAGE_DROPBEAR_AUTH_TYPE_PUBKEY
+ bool "Public key"
+ default y
+ help
+ Enable public key based authentication
+
+endmenu
+
endif
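Review bot: the help text of BR2_PACKAGE_DROPBEAR_KEX_ECDSA ("Enable Curve25519 for key exchange. ECDSA is significantly faster than RSA or DSS...") was copied from the Curve25519 entry and should describe ECDSA instead. More generally, RSA, DSS and ECDSA are host-key (signature) algorithms rather than key exchange algorithms, so the BR2_PACKAGE_DROPBEAR_KEX_RSA/DSS/ECDSA names and their placement under "Dropbear key exchange algorithms" are misleading; a separate "host key types" menu would match what the DROPBEAR_RSA/DSS/ECDSA defines control. Nothing in the menus stops a user from disabling every cipher, every integrity algorithm, every host-key type, or both authentication types, which at best fails the build and at worst produces a server no client can negotiate with; a short warning in each menu's help, or a dependency that keeps at least one entry selected, would help. "authenticaton" in the last menu title is a typo.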
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index dc1fee207f..cdbb77d5c3 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -45,9 +45,28 @@ define DROPBEAR_SET_OPTIONS
$(call DROPBEAR_SET_OPT,NO_FAST_EXPTMOD,$(BR2_PACKAGE_DROPBEAR_SMALL))
$(call DROPBEAR_SET_OPT,DO_HOST_LOOKUP,$(BR2_PACKAGE_DROPBEAR_ENABLE_REVERSE_DNS))
$(call DROPBEAR_SET_OPT,NON_INETD_MODE,$(BR2_USE_MMU))
- $(call DROPBEAR_SET_OPT,DROPBEAR_BLOWFISH,!$(BR2_PACKAGE_DROPBEAR_SMALL))
- $(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH128,!$(BR2_PACKAGE_DROPBEAR_SMALL))
- $(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH256,!$(BR2_PACKAGE_DROPBEAR_SMALL))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_AES128,$(BR2_PACKAGE_DROPBEAR_CIPHER_AES128))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_AES256,$(BR2_PACKAGE_DROPBEAR_CIPHER_AES256))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_3DES,$(BR2_PACKAGE_DROPBEAR_CIPHER_3DES))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_BLOWFISH,$(BR2_PACKAGE_DROPBEAR_CIPHER_BLOWFISH))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH128,$(BR2_PACKAGE_DROPBEAR_CIPHER_TWOFISH128))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH256,$(BR2_PACKAGE_DROPBEAR_CIPHER_TWOFISH256))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_ENABLE_CBC_MODE,$(BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CBC))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_ENABLE_CTR_MODE,$(BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CTR))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_SHA1_HMAC,$(BR2_PACKAGE_DROPBEAR_HMAC_SHA1))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_SHA1_96_HMAC,$(BR2_PACKAGE_DROPBEAR_HMAC_SHA1_96))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_SHA2_256_HMAC,$(BR2_PACKAGE_DROPBEAR_HMAC_SHA2_256))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_SHA2_512_HMAC,$(BR2_PACKAGE_DROPBEAR_HMAC_SHA2_512))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_MD5_HMAC,$(BR2_PACKAGE_DROPBEAR_HMAC_MD5))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_RSA,$(BR2_PACKAGE_DROPBEAR_KEX_RSA))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_DSS,$(BR2_PACKAGE_DROPBEAR_KEX_DSS))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_ECDSA,$(BR2_PACKAGE_DROPBEAR_KEX_ECDSA))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_CURCE25519,$(BR2_PACKAGE_DROPBEAR_KEX_CURVE25519))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_ECDH,$(BR2_PACKAGE_DROPBEAR_KEX_ECDH))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_DH_GROUP1,$(BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP1))
+ $(call DROPBEAR_SET_OPT,DROPBEAR_DH_GROUP14,$(BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP14))
+ $(call DROPBEAR_SET_OPT,ENABLE_SVR_PASSWORD_AUTH,$(BR2_PACKAGE_DROPBEAR_AUTH_TYPE_PASSWORD))
+ $(call DROPBEAR_SET_OPT,ENABLE_SVR_PUBKEY_AUTH,$(BR2_PACKAGE_DROPBEAR_AUTH_TYPE_PUBKEY))
endef
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SET_OPTIONS
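Review bot: `DROPBEAR_CURCE25519` on the Curve25519 line is a typo for `DROPBEAR_CURVE25519`. Because DROPBEAR_SET_OPT is only a sed substitution, a misspelled define matches nothing and the build succeeds silently, so BR2_PACKAGE_DROPBEAR_KEX_CURVE25519 currently has no effect either way. It would be worth making the macro fail when the define is absent from options.h (for example by grepping for `#define $(1)` before the sed and exiting non-zero otherwise), so that this class of mistake, and upstream renames of the option names, is caught at build time rather than discovered on a deployed server.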
--
2.17.0
* [Buildroot] [PATCH 3/3] dropbear: Disable insecure options
From: Stefan Sørensen @ 2018-04-18 14:24 UTC
To: buildroot
The default dropbear configuration includes a number of features no longer
considered secure, so disable
3DES cipher
MD5 integrity algorithm
SHA1-96 integrity algorithm
DSS key exchange algorithm
DH Group1 key exchange algorithm
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
package/dropbear/Config.in | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 441c521d18..c5acd333a8 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -71,7 +71,7 @@ config BR2_PACKAGE_DROPBEAR_CIPHER_AES256
config BR2_PACKAGE_DROPBEAR_CIPHER_3DES
bool "3DES"
- default y
+ default n
help
Enable the 3DES cipher
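Review bot: `default n` is already the implicit default for a bool, so the replaced line can simply be removed rather than rewritten. More importantly, the help text still reads only "Enable the 3DES cipher"; since the reason for the change is that 3DES is no longer considered secure, the help should say so, so that anyone re-enabling it for compatibility with old clients does it knowingly. The same applies to the other options flipped in this patch.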
@@ -99,7 +99,7 @@ menu "Dropbear cipher modes"
config BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CBC
bool "CBC"
- default y
+ default n
help
Enable CBC mode for ciphers. This has security issues though
is the most compatible with older SSH implementations
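Review bot: the commit message lists five items (3DES, MD5, SHA1-96, DSS, DH group1) but this hunk also turns CBC mode off by default, which is not mentioned. Either add CBC to the list or split it into its own patch; the help text itself notes that CBC is "the most compatible with older SSH implementations", so of all the changes in this series this is the one most likely to break an existing client and deserves explicit mention.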
@@ -124,7 +124,7 @@ config BR2_PACKAGE_DROPBEAR_HMAC_SHA1
config BR2_PACKAGE_DROPBEAR_HMAC_SHA1_96
bool "SHA1-96"
- default y
+ default n
help
Enable SHA1-96 integrity algorithm
@@ -142,7 +142,7 @@ config BR2_PACKAGE_DROPBEAR_HMAC_SHA2_512
config BR2_PACKAGE_DROPBEAR_HMAC_MD5
bool "MD5"
- default y
+ default n
help
Enable MD5 integrity algorithm. If you disable MD5, Dropbear
will fall back to SHA1 fingerprints, which are not the
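Review bot: according to the help text kept in this hunk, disabling MD5 makes Dropbear display host-key fingerprints in SHA1 form rather than the standard one. That is a user-visible change for anyone comparing fingerprints on first connection, so it belongs in the commit message, and the help text should now state clearly that MD5 is being disabled because it is considered insecure rather than only describing the fallback.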
@@ -160,7 +160,7 @@ config BR2_PACKAGE_DROPBEAR_KEX_RSA
config BR2_PACKAGE_DROPBEAR_KEX_DSS
bool "DSS"
- default y
+ default n
help
Enable DSS key exchange algorithm. SSH2 RFC Draft requires
DSS.
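Review bot: the help text "SSH2 RFC Draft requires DSS." now argues against the new default; with the option off by default it should instead say that DSS is considered insecure and is only needed for interoperability with legacy clients, otherwise a reader will wonder why a "required" algorithm is disabled.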
@@ -188,7 +188,7 @@ config BR2_PACKAGE_DROPBEAR_KEX_ECDH
config BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP1
bool "DH Group1"
- default y
+ default n
help
Enable DH Group1 key exchange algorithm. Group1 is less
secure (1024 bit) than Group14 though is the only option for
--
2.17.0
* [Buildroot] [PATCH 2/3] dropbear: Add configuration options for security features
From: Thomas Petazzoni @ 2018-04-18 15:10 UTC
To: buildroot
Hello,
On Wed, 18 Apr 2018 16:24:33 +0200, Stefan Sørensen wrote:
> The dropbear server provides no runtime configuration of ciphers, key
> exchange algorithms, etc., but must rather be configured at compile time.
> With no configurability the default settings will be used, which may not
> be desired in all scenarios.
>
> These new options allow the selection of
> Ciphers (AES128, AES256, 3DES, Blowfish, Twofish128, Twofish256)
> Cipher modes (CBC, CTR)
> Integrity algorithms (SHA1, SHA1-96, SHA2-256, SHA2-512, MD5)
> Key exchange algorithms (RSA, DSS, ECDSA, Curve25519, ECDH)
> Authentication types (Password, Pubkey)
>
> No defaults are changed.
>
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
We received PATCH 2/3 and 3/3, but not 1/3. Was it sent? Is it a mistake?
> +config BR2_PACKAGE_DROPBEAR_CIPHER_BLOWFISH
> + bool "Blowfish"
> + default y if !BR2_PACKAGE_DROPBEAR_SMALL
No need for a tab before the "if".
Is it possible to enable this option even if BR2_PACKAGE_DROPBEAR_SMALL=y? I.e., does it build?
> +menu "Dropbear authenticaton types"
authentication
Did you do a pass with ./utils/check-package on package/dropbear/* after doing those changes?
Thanks,
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 3/3] dropbear: Disable insecure options
From: Thomas Petazzoni @ 2018-04-18 15:11 UTC
To: buildroot
Hello,
On Wed, 18 Apr 2018 16:24:34 +0200, Stefan Sørensen wrote:
> config BR2_PACKAGE_DROPBEAR_CIPHER_3DES
> bool "3DES"
> - default y
> + default n
"default n" is the default, so it's not needed. You can therefore
simply remove those "default y" lines instead of replacing them with
"default n". And perhaps extend the help text of those options to say
that those ciphers/hashes are considered insecure.
Thanks,
Thomas
* [Buildroot] [PATCH 2/3] dropbear: Add configuration options for security features
From: Arnout Vandecappelle @ 2018-04-18 21:58 UTC
To: buildroot
On 18-04-18 16:24, Stefan Sørensen wrote:
> The dropbear server provides no runtime configuration of ciphers, key
> exchange algorithms, etc., but must rather be configured at compile time.
> With no configurability the default settings will be used, which may not
> be desired in all scenarios.
>
> These new options allow the selection of
> Ciphers (AES128, AES256, 3DES, Blowfish, Twofish128, Twofish256)
> Cipher modes (CBC, CTR)
> Integrity algorithms (SHA1, SHA1-96, SHA2-256, SHA2-512, MD5)
> Key exchange algorithms (RSA, DSS, ECDSA, Curve25519, ECDH)
> Authentication types (Password, Pubkey)
>
> No defaults are changed.
>
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---
> package/dropbear/Config.in | 163 +++++++++++++++++++++++++++++++++++
Do we really want so many configuration options?
It is already possible to customize options.h through a patch in
BR2_GLOBAL_PATCH_DIR. I admit that that's a little hackish, so as an alternative
you could add an option to supply a custom options.h.
Regards,
Arnout
> package/dropbear/dropbear.mk | 25 +++++-
> 2 files changed, 185 insertions(+), 3 deletions(-)
[snip]
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
* [Buildroot] [PATCH 2/3] dropbear: Add configuration options for security features
From: Sørensen, Stefan @ 2018-04-19 7:50 UTC
To: buildroot
[Sorry for the double email Thomas, forgot to CC the list]
On Wed, 2018-04-18 at 17:10 +0200, Thomas Petazzoni wrote:
> We received PATCH 2/3 and 3/3, but not 1/3. Was it sent ? Is it a
> mistake ?
It is in patchwork: https://patchwork.ozlabs.org/patch/900310/
>
> > +config BR2_PACKAGE_DROPBEAR_CIPHER_BLOWFISH
> > + bool "Blowfish"
> > + default y if !BR2_PACKAGE_DROPBEAR_SMALL
>
> No need for a tab before the "if".
>
> Is it possible to enable this option even if
> BR2_PACKAGE_DROPBEAR_SMALL=y ? I.e, does it build ?
Yes, the selection of small code and ciphers is completely orthogonal.
> Did you do a pass with ./utils/check-package on package/dropbear/*
> after doing those changes ?
I did, no errors/warnings.
Stefan
* [Buildroot] [PATCH 2/3] dropbear: Add configuration options for security features
From: Sørensen, Stefan @ 2018-04-19 7:57 UTC
To: buildroot
On Wed, 2018-04-18 at 23:58 +0200, Arnout Vandecappelle wrote:
>
> On 18-04-18 16:24, Stefan Sørensen wrote:
> >
> > These new options allow the selection of
> > Ciphers (AES128, AES256, 3DES, Blowfish, Twofish128, Twofish256)
> > Cipher modes (CBC, CTR)
> > Integrity algorithms (SHA1, SHA1-96, SHA2-256, SHA2-512, MD5)
> > Key exchange algorithms (RSA, DSS, ECDSA, Curve25519, ECDH)
> > Authentication types (Password, Pubkey)
> >
> > No defaults are changed.
> >
> > Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> > ---
> package/dropbear/Config.in | 163
> +++++++++++++++++++++++++++++++++++
> Do we really want so many configuration options?
Yes, it is a lot of options. So what about:
By default, enable the common and secure options (AES, CTR, SHA2,
ECDSA, Curve25519, Pubkey).
Add an option to enable legacy/insecure options (3DES, CBC, SHA1-96,
MD5, RSA).
Add an option to enable password authentication.
Drop Blowfish and Twofish configuration.
Stefan
* [Buildroot] [PATCH 1/3] dropbear: Use macro to set options
From: François Perrad @ 2018-04-20 3:45 UTC
To: buildroot
2018-04-18 16:24 GMT+02:00 Stefan Sørensen <stefan.sorensen@spectralink.com>:
> Introduce a macro for editing options.h according to the Buildroot
> configuration, replacing individual sed scripts.
>
>
With dropbear 2018.76, any customised options should be put in
localoptions.h instead of patching options.h.
François
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---
> package/dropbear/dropbear.mk | 37 +++++++++++++++---------------------
> 1 file changed, 15 insertions(+), 22 deletions(-)
>
> diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
> index 01a1a07b76..dc1fee207f 100644
> --- a/package/dropbear/dropbear.mk
> +++ b/package/dropbear/dropbear.mk
> @@ -32,24 +32,25 @@ endef
>
> DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_FIX_XAUTH
>
> -define DROPBEAR_ENABLE_REVERSE_DNS
> - $(SED) 's:.*\(#define DO_HOST_LOOKUP\).*:\1:' $(@D)/options.h
> +define DROPBEAR_SET_OPT # (define, option)
> + if [ 'x$(2)' = 'xy' -o 'x$(2)' = 'x!' ]; then \
> + $(SED) 's:.*\(#define $(1)\)\([^A-Z0-9_]\|$$\).*:\1 1:'
> $(@D)/options.h; \
> + else \
> + $(SED) 's:.*\(#define $(1)\)\([^A-Z0-9_]\|$$\).*:/*\1*/:'
> $(@D)/options.h; \
> + fi
> endef
>
> -define DROPBEAR_BUILD_SMALL
> - $(SED) 's:.*\(#define NO_FAST_EXPTMOD\).*:\1:' $(@D)/options.h
> +define DROPBEAR_SET_OPTIONS
> + $(call DROPBEAR_SET_OPT,DROPBEAR_SMALL_CODE,$(BR2_PACKAGE_
> DROPBEAR_SMALL))
> + $(call DROPBEAR_SET_OPT,NO_FAST_EXPTMOD,$(BR2_PACKAGE_
> DROPBEAR_SMALL))
> + $(call DROPBEAR_SET_OPT,DO_HOST_LOOKUP,$(BR2_PACKAGE_DROPBEAR_
> ENABLE_REVERSE_DNS))
> + $(call DROPBEAR_SET_OPT,NON_INETD_MODE,$(BR2_USE_MMU))
> + $(call DROPBEAR_SET_OPT,DROPBEAR_BLOWFISH,!$(BR2_PACKAGE_
> DROPBEAR_SMALL))
> + $(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH128,!$(BR2_PACKAGE_
> DROPBEAR_SMALL))
> + $(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH256,!$(BR2_PACKAGE_
> DROPBEAR_SMALL))
> endef
>
> -define DROPBEAR_BUILD_FEATURED
> - $(SED) 's:^#define DROPBEAR_SMALL_CODE::' $(@D)/options.h
> - $(SED) 's:.*\(#define DROPBEAR_BLOWFISH\).*:\1:' $(@D)/options.h
> - $(SED) 's:.*\(#define DROPBEAR_TWOFISH128\).*:\1:' $(@D)/options.h
> - $(SED) 's:.*\(#define DROPBEAR_TWOFISH256\).*:\1:' $(@D)/options.h
> -endef
> -
> -define DROPBEAR_DISABLE_STANDALONE
> - $(SED) 's:\(#define NON_INETD_MODE\):/*\1 */:' $(@D)/options.h
> -endef
> +DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SET_OPTIONS
>
> define DROPBEAR_INSTALL_INIT_SYSTEMD
> $(INSTALL) -D -m 644 package/dropbear/dropbear.service \
> @@ -64,19 +65,11 @@ define DROPBEAR_INSTALL_INIT_SYSV
> $(INSTALL) -D -m 755 package/dropbear/S50dropbear \
> $(TARGET_DIR)/etc/init.d/S50dropbear
> endef
> -else
> -DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_STANDALONE
> -endif
> -
> -ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS),)
> -DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_ENABLE_REVERSE_DNS
> endif
>
> ifeq ($(BR2_PACKAGE_DROPBEAR_SMALL),y)
> -DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_BUILD_SMALL
> DROPBEAR_CONF_OPTS += --disable-zlib
> else
> -DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_BUILD_FEATURED
> DROPBEAR_DEPENDENCIES += zlib
> endif
>
> --
> 2.17.0
* [Buildroot] [PATCH 1/3] dropbear: Use macro to set options
From: Thomas Petazzoni @ 2018-04-28 15:51 UTC
To: buildroot
Hello Stefan,
On Wed, 18 Apr 2018 16:24:32 +0200, Stefan Sørensen wrote:
> Introduce a macro for editing options.h according to the Buildroot
> configuration, replacing individual sed scripts.
>
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
I have merged some patches from François Perrad (submitted before your
series) that bump Dropbear to 2018.76. And the mechanism to tweak
options has changed quite a bit.
You now simply need to add #define lines in a file called localoptions.h,
overriding the default option values.
Could you rebase your patch series on top of the latest dropbear
changes?
Thanks!
Thomas
Thread overview:
2018-04-18 14:24 [Buildroot] [PATCH 1/3] dropbear: Use macro to set options Stefan Sørensen
2018-04-18 14:24 ` [Buildroot] [PATCH 2/3] dropbear: Add configuration options for security features Stefan Sørensen
2018-04-18 15:10 ` Thomas Petazzoni
2018-04-19 7:50 ` Sørensen, Stefan
2018-04-18 21:58 ` Arnout Vandecappelle
2018-04-19 7:57 ` Sørensen, Stefan
2018-04-18 14:24 ` [Buildroot] [PATCH 3/3] dropbear: Disable insecure options Stefan Sørensen
2018-04-18 15:11 ` Thomas Petazzoni
2018-04-20 3:45 ` [Buildroot] [PATCH 1/3] dropbear: Use macro to set options François Perrad
2018-04-28 15:51 ` Thomas Petazzoni