[Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options
Stefan Sørensen
stefan.sorensen at spectralink.com
Thu May 3 11:47:01 UTC 2018
Dropbear by default enables a number of algorithms that are now considered
insecure and should only be used when legacy support is required:
3DES encryption
Blowfish encryption
SHA1-96 message integrity
CBC encryption mode
DSA public keys
Diffie-Hellman Group1 key exchange
So disable them by default, but add a config option for bringing them back.
Signed-off-by: Stefan Sørensen <stefan.sorensen at spectralink.com>
---
Changes in v2:
- Update for 2018.76
- Use single option for legacy/insecure algorithms
package/dropbear/Config.in | 10 ++++++++++
package/dropbear/dropbear.mk | 12 +++++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 5d6b83b6d1..8c121d0d72 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
Enable logging of dropbear access to lastlog. Notice that
Buildroot does not generate lastlog by default.
+config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
+ bool "enable legacy crypto"
+ help
+ Enable legacy and possbibly insecure algorithms:
+ 3DES encryption
+ SHA1-96 message integrity
+ CBC encryption mode
+ DSA public keys
+ Diffie-Hellman Group1 key exchange
+
endif
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index f47f97d036..de29d16e74 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -41,13 +41,23 @@ define DROPBEAR_SVR_PASSWORD_AUTH
endef
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
+define DROPBEAR_DISABLE_LEGACY_CRYPTO
+ echo '#define DROPBEAR_3DES 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_SHA1_96_HMAC 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_DSS 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_DH_GROUP1 0' >> $(@D)/localoptions.h
+endef
+ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO
+endif
+
define DROPBEAR_ENABLE_REVERSE_DNS
echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h
endef
define DROPBEAR_BUILD_FEATURED
echo '#define DROPBEAR_SMALL_CODE 0' >> $(@D)/localoptions.h
- echo '#define DROPBEAR_BLOWFISH 1' >> $(@D)/localoptions.h
echo '#define DROPBEAR_TWOFISH128 1' >> $(@D)/localoptions.h
echo '#define DROPBEAR_TWOFISH256 1' >> $(@D)/localoptions.h
endef
--
2.17.0
More information about the buildroot
mailing list