From bf3626002fbdf9802372b0127195b4824faf1337 Mon Sep 17 00:00:00 2001 From: Matt Weber Date: Wed, 5 Dec 2018 20:06:29 -0600 Subject: [PATCH] system cfg: remove mkpasswd MD5 format option As SHA256 is now default, removing weak MD5 option. C libraries now all support the SHA methods. glibc 2.7+ uclibc (bdd8362a88 package/uclibc: defconfig: enable sha-256...) musl 1.1.14+ One issue this would prevent, is a host tool issue with a FIPS enabled system where weak ciphers/methods are disabled. It seems the crypt(3) call is impacted by /proc/sys/crypto/fips_enabled (per crypt(3) man page). It results in mkpasswd returning "(EPERM) crypt failed." Rather then create a Buildroot host dependency check, this patch removes the potential corner case from being selected. Acked-by: "Yann E. MORIN" Cc: "Yann E. MORIN" Signed-off-by: Matthew Weber Signed-off-by: Peter Korsgaard --- Config.in.legacy | 8 ++++++++ system/Config.in | 10 ---------- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/Config.in.legacy b/Config.in.legacy index 37119d7e58..8cab6a23af 100644 --- a/Config.in.legacy +++ b/Config.in.legacy @@ -143,6 +143,7 @@ comment "----------------------------------------------------" endif ############################################################################### + comment "Legacy options removed in 2019.02" config BR2_PACKAGE_LUA_5_2 @@ -152,6 +153,13 @@ config BR2_PACKAGE_LUA_5_2 help The Lua 5.2.x version was removed. +config BR2_TARGET_GENERIC_PASSWD_MD5 + bool "target passwd md5 format support has been removed" + select BR2_LEGACY + help + The default has been moved to SHA256 and all C libraries + now support that method by default + comment "Legacy options removed in 2018.11" config BR2_TARGET_XLOADER diff --git a/system/Config.in b/system/Config.in index 65c92a8409..0f77b9b672 100644 --- a/system/Config.in +++ b/system/Config.in @@ -68,16 +68,6 @@ choice Note: this is used at build-time, and *not* at runtime. -config BR2_TARGET_GENERIC_PASSWD_MD5 - bool "md5" - help - Use MD5 to encode passwords. - - The default. Wildly available, and pretty good. - Although pretty strong, MD5 is now an old hash function, and - suffers from some weaknesses, which makes it susceptible to - brute-force attacks. - config BR2_TARGET_GENERIC_PASSWD_SHA256 bool "sha-256" help -- 2.30.2