projects / buildroot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bf19116)
dropbear: Disable legacy/insecure options
authorStefan Sørensen <stefan.sorensen@spectralink.com>
Tue, 3 Jul 2018 07:48:10 +0000 (09:48 +0200)
committerThomas Petazzoni <thomas.petazzoni@bootlin.com>
Wed, 4 Jul 2018 19:43:55 +0000 (21:43 +0200)
Dropbear by default enables a number of algorithms that are now considered
insecure and should only be used when legacy support is required:
   3DES encryption
   Blowfish encryption
   SHA1-96 message integrity
   CBC encryption mode
   DSA public keys
   Diffie-Hellman Group1 key exchange

So disable them by default, but add a config option for bringing them back.
Furthermore the Blowfish legacy algorithm is unconditionally disabled

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
package/dropbear/Config.in patch | blob | history
package/dropbear/dropbear.mk patch | blob | history

diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 5d6b83b6d1c0713386db47f7513337b7cf177b79..62f77bad9dd412faea4d3c5c9b75bc8613d3bd4c 100644 (file)
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
          Enable logging of dropbear access to lastlog. Notice that
          Buildroot does not generate lastlog by default.
 
+config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
+       bool "enable legacy crypto"
+       help
+         Enable legacy and possibly insecure algorithms:
+           3DES encryption
+           SHA1-96 message integrity
+           CBC encryption mode
+           DSA public keys
+           Diffie-Hellman Group1 key exchange
+
 endif
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index bb902bc7ce16b80e110dedaf3976875e1b58bb53..7b1468cfb1001227fc37179b18a9e68e07800ebe 100644 (file)
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -56,13 +56,23 @@ endef
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
 endif
 
+define DROPBEAR_DISABLE_LEGACY_CRYPTO
+       echo '#define DROPBEAR_3DES 0'                  >> $(@D)/localoptions.h
+       echo '#define DROPBEAR_ENABLE_CBC_MODE 0'       >> $(@D)/localoptions.h
+       echo '#define DROPBEAR_SHA1_96_HMAC 0'          >> $(@D)/localoptions.h
+       echo '#define DROPBEAR_DSS 0'                   >> $(@D)/localoptions.h
+       echo '#define DROPBEAR_DH_GROUP1 0'             >> $(@D)/localoptions.h
+endef
+ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO
+endif
+
 define DROPBEAR_ENABLE_REVERSE_DNS
        echo '#define DO_HOST_LOOKUP 1'                 >> $(@D)/localoptions.h
 endef
 
 define DROPBEAR_BUILD_FEATURED
        echo '#define DROPBEAR_SMALL_CODE 0'            >> $(@D)/localoptions.h
-       echo '#define DROPBEAR_BLOWFISH 1'              >> $(@D)/localoptions.h
        echo '#define DROPBEAR_TWOFISH128 1'            >> $(@D)/localoptions.h
        echo '#define DROPBEAR_TWOFISH256 1'            >> $(@D)/localoptions.h
 endef