* [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options
@ 2018-07-03  7:48 Stefan Sørensen
  2018-07-03 10:38 ` Baruch Siach
  2018-07-04 19:44 ` Thomas Petazzoni
  0 siblings, 2 replies; 4+ messages in thread
From: Stefan Sørensen @ 2018-07-03  7:48 UTC (permalink / raw)
  To: buildroot

Dropbear by default enables a number of algorithms that are now considered
insecure and should only be used when legacy support is required:
   3DES encryption
   Blowfish encryption
   SHA1-96 message integrity
   CBC encryption mode
   DSA public keys
   Diffie-Hellman Group1 key exchange

So disable them by default, but add a config option for bringing them back.
Furthermore, the Blowfish legacy algorithm is unconditionally disabled.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
Changes v2->v3:
 * Rebase on 037b8616257067282e375edca9af19418a0e7a4a

Changes v1->v2:
 * Mention that the Blowfish algorithm has been disabled

 package/dropbear/Config.in   | 10 ++++++++++
 package/dropbear/dropbear.mk | 12 +++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 5d6b83b6d1..62f77bad9d 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
 	  Enable logging of dropbear access to lastlog. Notice that
 	  Buildroot does not generate lastlog by default.
 
+config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
+	bool "enable legacy crypto"
+	help
+	  Enable legacy and possibly insecure algorithms:
+	    3DES encryption
+	    SHA1-96 message integrity
+	    CBC encryption mode
+	    DSA public keys
+	    Diffie-Hellman Group1 key exchange
+
 endif
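
Review bot: The help text of BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO lists what the option enables but does not say that leaving it unset (the default for a bool with no default line) now turns these algorithms off, which is a behaviour change for existing configurations that never carried this symbol. Consider stating in the help that the listed algorithms are disabled unless the option is selected, and that it is only needed for peers limited to them. Blowfish appears in the commit message's list but not here, so a line saying this option does not bring Blowfish back would avoid confusion.
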
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index bb902bc7ce..7b1468cfb1 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -56,13 +56,23 @@ endef
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
 endif
 
+define DROPBEAR_DISABLE_LEGACY_CRYPTO
+	echo '#define DROPBEAR_3DES 0'                  >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_ENABLE_CBC_MODE 0'       >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_SHA1_96_HMAC 0'          >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_DSS 0'                   >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_DH_GROUP1 0'             >> $(@D)/localoptions.h
+endef
+ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO
+endif
+
 define DROPBEAR_ENABLE_REVERSE_DNS
 	echo '#define DO_HOST_LOOKUP 1'                 >> $(@D)/localoptions.h
 endef
 
 define DROPBEAR_BUILD_FEATURED
 	echo '#define DROPBEAR_SMALL_CODE 0'            >> $(@D)/localoptions.h
-	echo '#define DROPBEAR_BLOWFISH 1'              >> $(@D)/localoptions.h
 	echo '#define DROPBEAR_TWOFISH128 1'            >> $(@D)/localoptions.h
 	echo '#define DROPBEAR_TWOFISH256 1'            >> $(@D)/localoptions.h
 endef
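
Review bot: In DROPBEAR_BUILD_FEATURED the `DROPBEAR_BLOWFISH 1` line is removed, but nothing in the visible hunk writes `DROPBEAR_BLOWFISH 0`, so whether Blowfish ends up disabled depends on Dropbear's built-in default rather than on localoptions.h. To match the commit message's "unconditionally disabled", consider an explicit `echo '#define DROPBEAR_BLOWFISH 0' >> $(@D)/localoptions.h` in a hook that runs regardless of BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO. Style point: a blank line between the `endef` of DROPBEAR_DISABLE_LEGACY_CRYPTO and the following `ifneq` would match the spacing around the other defines in this hunk.
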
-- 
2.17.1
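
A post-extract check for the effect of this patch, added here as an example (it is not part of the patch or of Buildroot): it reads a `localoptions.h` and reports each legacy macro named in the patch as off, on or unset. The function names and the sample file are constructed for illustration; a macro reported `unset` falls back to Dropbear's own default, which this thread does not show.

```shell
#!/bin/sh
# Macros the patch writes into localoptions.h, plus DROPBEAR_BLOWFISH,
# which the patch stops setting to 1.
LEGACY_MACROS="DROPBEAR_3DES DROPBEAR_ENABLE_CBC_MODE DROPBEAR_SHA1_96_HMAC
DROPBEAR_DSS DROPBEAR_DH_GROUP1 DROPBEAR_BLOWFISH"

# legacy_crypto_report FILE   (hypothetical helper, not a Buildroot tool)
# Prints "<macro> <state>" for every macro above, where state is:
#   off    the last #define in FILE sets it to 0
#   on     the last #define in FILE sets it to anything else
#   unset  FILE never defines it, so Dropbear's built-in default applies
legacy_crypto_report() {
    for m in $LEGACY_MACROS; do
        # The hooks append with '>>', so the last definition is the one to read.
        val=$(awk -v m="$m" '$1 == "#define" && $2 == m { v = $3 } END { print v }' "$1")
        case "$val" in
            "") state=unset ;;
            0)  state=off ;;
            *)  state=on ;;
        esac
        echo "$m $state"
    done
}

# legacy_crypto_check FILE   (hypothetical helper)
# Returns 0 only when every macro is explicitly off; otherwise prints the
# macros that are on or unset and returns 1.
legacy_crypto_check() {
    bad=$(legacy_crypto_report "$1" | awk '$2 != "off"')
    [ -z "$bad" ] && return 0
    echo "$bad"
    return 1
}

# Constructed sample: the lines DROPBEAR_DISABLE_LEGACY_CRYPTO appends.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#define DROPBEAR_3DES 0
#define DROPBEAR_ENABLE_CBC_MODE 0
#define DROPBEAR_SHA1_96_HMAC 0
#define DROPBEAR_DSS 0
#define DROPBEAR_DH_GROUP1 0
EOF
legacy_crypto_report "$sample"
rm -f "$sample"
```

On the constructed sample the five macros written by the hook report `off`, while `DROPBEAR_BLOWFISH` reports `unset`.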


* [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options
  2018-07-03  7:48 [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options Stefan Sørensen
@ 2018-07-03 10:38 ` Baruch Siach
  2018-07-04  8:45   ` Thomas De Schampheleire
  2018-07-04 19:44 ` Thomas Petazzoni
  1 sibling, 1 reply; 4+ messages in thread
From: Baruch Siach @ 2018-07-03 10:38 UTC (permalink / raw)
  To: buildroot

Hi Stefan,

On Tue, Jul 03, 2018 at 09:48:10AM +0200, Stefan Sørensen wrote:
> Dropbear by default enables a number of algorithms that are now considered
> insecure and should only be used when legacy support is required:
>    3DES encryption
>    Blowfish encryption
>    SHA1-96 message integrity
>    CBC encryption mode
>    DSA public keys
>    Diffie-Hellman Group1 key exchange
> 
> So disable them by default, but add a config option for bringing them back.
> Furthermore, the Blowfish legacy algorithm is unconditionally disabled.
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>

Reviewed-by: Baruch Siach <baruch@tkos.co.il>

baruch

-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -


* [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options
  2018-07-03 10:38 ` Baruch Siach
@ 2018-07-04  8:45   ` Thomas De Schampheleire
  0 siblings, 0 replies; 4+ messages in thread
From: Thomas De Schampheleire @ 2018-07-04  8:45 UTC (permalink / raw)
  To: buildroot

On Tue, Jul 03, 2018 at 01:38:26PM +0300, Baruch Siach wrote:
> Hi Stefan,
> 
> On Tue, Jul 03, 2018 at 09:48:10AM +0200, Stefan Sørensen wrote:
> > Dropbear by default enables a number of algorithms that are now considered
> > insecure and should only be used when legacy support is required:
> >    3DES encryption
> >    Blowfish encryption
> >    SHA1-96 message integrity
> >    CBC encryption mode
> >    DSA public keys
> >    Diffie-Hellman Group1 key exchange
> > 
> > So disable them by default, but add a config option for bringing them back.
> > Furthermore, the Blowfish legacy algorithm is unconditionally disabled.
> > 
> > Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> 
> Reviewed-by: Baruch Siach <baruch@tkos.co.il>

Reviewed-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>


* [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options
  2018-07-03  7:48 [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options Stefan Sørensen
  2018-07-03 10:38 ` Baruch Siach
@ 2018-07-04 19:44 ` Thomas Petazzoni
  1 sibling, 0 replies; 4+ messages in thread
From: Thomas Petazzoni @ 2018-07-04 19:44 UTC (permalink / raw)
  To: buildroot

Hello,

On Tue,  3 Jul 2018 09:48:10 +0200, Stefan Sørensen wrote:
> Dropbear by default enables a number of algorithms that are now considered
> insecure and should only be used when legacy support is required:
>    3DES encryption
>    Blowfish encryption
>    SHA1-96 message integrity
>    CBC encryption mode
>    DSA public keys
>    Diffie-Hellman Group1 key exchange
> 
> So disable them by default, but add a config option for bringing them back.
> Furthermore, the Blowfish legacy algorithm is unconditionally disabled.
> 
> Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
> ---
> Changes v2->v3:
>  * Rebase on 037b8616257067282e375edca9af19418a0e7a4a

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
