* [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options
@ 2018-07-03 7:48 Stefan Sørensen
2018-07-03 10:38 ` Baruch Siach
2018-07-04 19:44 ` Thomas Petazzoni
0 siblings, 2 replies; 4+ messages in thread
From: Stefan Sørensen @ 2018-07-03 7:48 UTC (permalink / raw)
To: buildroot
Dropbear by default enables a number of algorithms that are now considered
insecure and should only be used when legacy support is required:
3DES encryption
Blowfish encryption
SHA1-96 message integrity
CBC encryption mode
DSA public keys
Diffie-Hellman Group1 key exchange
So disable them by default, but add a config option for bringing them back.
Furthermore the Blowfish legacy algorithm is unconditionally disabled
Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
---
Changes v2->v3:
* Rebase on 037b8616257067282e375edca9af19418a0e7a4a
Changes v1->v2:
* Mention that the Blowfish algorithm has been disabled
package/dropbear/Config.in | 10 ++++++++++
package/dropbear/dropbear.mk | 12 +++++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 5d6b83b6d1..62f77bad9d 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
Enable logging of dropbear access to lastlog. Notice that
Buildroot does not generate lastlog by default.
+config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
+ bool "enable legacy crypto"
+ help
+ Enable legacy and possibly insecure algorithms:
+ 3DES encryption
+ SHA1-96 message integrity
+ CBC encryption mode
+ DSA public keys
+ Diffie-Hellman Group1 key exchange
+
endif
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index bb902bc7ce..7b1468cfb1 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -56,13 +56,23 @@ endef
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
endif
+define DROPBEAR_DISABLE_LEGACY_CRYPTO
+ echo '#define DROPBEAR_3DES 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_SHA1_96_HMAC 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_DSS 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_DH_GROUP1 0' >> $(@D)/localoptions.h
+endef
+ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO
+endif
+
define DROPBEAR_ENABLE_REVERSE_DNS
echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h
endef
define DROPBEAR_BUILD_FEATURED
echo '#define DROPBEAR_SMALL_CODE 0' >> $(@D)/localoptions.h
- echo '#define DROPBEAR_BLOWFISH 1' >> $(@D)/localoptions.h
echo '#define DROPBEAR_TWOFISH128 1' >> $(@D)/localoptions.h
echo '#define DROPBEAR_TWOFISH256 1' >> $(@D)/localoptions.h
endef
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options
2018-07-03 7:48 [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options Stefan Sørensen
@ 2018-07-03 10:38 ` Baruch Siach
2018-07-04 8:45 ` Thomas De Schampheleire
2018-07-04 19:44 ` Thomas Petazzoni
1 sibling, 1 reply; 4+ messages in thread
From: Baruch Siach @ 2018-07-03 10:38 UTC (permalink / raw)
To: buildroot
Hi Stefan,
On Tue, Jul 03, 2018 at 09:48:10AM +0200, Stefan S?rensen wrote:
> Dropbear by default enables a number of algorithms that are now considered
> insecure and should only be used when legacy support is required:
> 3DES encryption
> Blowfish encryption
> SHA1-96 message integrity
> CBC encryption mode
> DSA public keys
> Diffie-Hellman Group1 key exchange
>
> So disable them by default, but add a config option for bringing them back.
> Furthermore the Blowfish legacy algorithm is unconditionally disabled
>
> Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
baruch
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options
2018-07-03 10:38 ` Baruch Siach
@ 2018-07-04 8:45 ` Thomas De Schampheleire
0 siblings, 0 replies; 4+ messages in thread
From: Thomas De Schampheleire @ 2018-07-04 8:45 UTC (permalink / raw)
To: buildroot
On Tue, Jul 03, 2018 at 01:38:26PM +0300, Baruch Siach wrote:
> Hi Stefan,
>
> On Tue, Jul 03, 2018 at 09:48:10AM +0200, Stefan S?rensen wrote:
> > Dropbear by default enables a number of algorithms that are now considered
> > insecure and should only be used when legacy support is required:
> > 3DES encryption
> > Blowfish encryption
> > SHA1-96 message integrity
> > CBC encryption mode
> > DSA public keys
> > Diffie-Hellman Group1 key exchange
> >
> > So disable them by default, but add a config option for bringing them back.
> > Furthermore the Blowfish legacy algorithm is unconditionally disabled
> >
> > Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
>
> Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options
2018-07-03 7:48 [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options Stefan Sørensen
2018-07-03 10:38 ` Baruch Siach
@ 2018-07-04 19:44 ` Thomas Petazzoni
1 sibling, 0 replies; 4+ messages in thread
From: Thomas Petazzoni @ 2018-07-04 19:44 UTC (permalink / raw)
To: buildroot
Hello,
On Tue, 3 Jul 2018 09:48:10 +0200, Stefan S?rensen wrote:
> Dropbear by default enables a number of algorithms that are now considered
> insecure and should only be used when legacy support is required:
> 3DES encryption
> Blowfish encryption
> SHA1-96 message integrity
> CBC encryption mode
> DSA public keys
> Diffie-Hellman Group1 key exchange
>
> So disable them by default, but add a config option for bringing them back.
> Furthermore the Blowfish legacy algorithm is unconditionally disabled
>
> Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
> ---
> Changes v2->v3:
> * Rebase on 037b8616257067282e375edca9af19418a0e7a4a
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-07-04 19:44 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-03 7:48 [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options Stefan Sørensen
2018-07-03 10:38 ` Baruch Siach
2018-07-04 8:45 ` Thomas De Schampheleire
2018-07-04 19:44 ` Thomas Petazzoni
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.