Home Explore Help
Sign In
PUBLIC_REPOS
/
buildroot
mirror of git://git.buildroot.net/buildroot
2
1
Fork 0
Files
Browse Source

dropbear: Disable legacy/insecure options

Dropbear by default enables a number of algorithms that are now considered
insecure and should only be used when legacy support is required:
   3DES encryption
   Blowfish encryption
   SHA1-96 message integrity
   CBC encryption mode
   DSA public keys
   Diffie-Hellman Group1 key exchange

So disable them by default, but add a config option for bringing them back.
Furthermore the Blowfish legacy algorithm is unconditionally disabled

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Stefan Sørensen 7 years ago
parent
bf19116c80
commit
72d4d098b0
2 changed files with 21 additions and 1 deletions
Unified View Show Diff Stats
  1. 10 0
      package/dropbear/Config.in
  2. 11 1
      package/dropbear/dropbear.mk

+ 10 - 0
package/dropbear/Config.in
View File 

@@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
 
 	  Enable logging of dropbear access to lastlog. Notice that
 
 	  Enable logging of dropbear access to lastlog. Notice that
 
 	  Buildroot does not generate lastlog by default.
 
 	  Buildroot does not generate lastlog by default.
 
 
 
+config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
 
+	bool "enable legacy crypto"
 
+	help
 
+	  Enable legacy and possibly insecure algorithms:
 
+	    3DES encryption
 
+	    SHA1-96 message integrity
 
+	    CBC encryption mode
 
+	    DSA public keys
 
+	    Diffie-Hellman Group1 key exchange
 
+
 
 endif
 
 endif

+ 11 - 1
package/dropbear/dropbear.mk
View File 

@@ -56,13 +56,23 @@ endef
 
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
 
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
 
 endif
 
 endif
 
 
 
+define DROPBEAR_DISABLE_LEGACY_CRYPTO
 
+	echo '#define DROPBEAR_3DES 0'                  >> $(@D)/localoptions.h
 
+	echo '#define DROPBEAR_ENABLE_CBC_MODE 0'       >> $(@D)/localoptions.h
 
+	echo '#define DROPBEAR_SHA1_96_HMAC 0'          >> $(@D)/localoptions.h
 
+	echo '#define DROPBEAR_DSS 0'                   >> $(@D)/localoptions.h
 
+	echo '#define DROPBEAR_DH_GROUP1 0'             >> $(@D)/localoptions.h
 
+endef
 
+ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)
 
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO
 
+endif
 
+
 
 define DROPBEAR_ENABLE_REVERSE_DNS
 
 define DROPBEAR_ENABLE_REVERSE_DNS
 
 	echo '#define DO_HOST_LOOKUP 1'                 >> $(@D)/localoptions.h
 
 	echo '#define DO_HOST_LOOKUP 1'                 >> $(@D)/localoptions.h
 
 endef
 
 endef
 
 
 
 define DROPBEAR_BUILD_FEATURED
 
 define DROPBEAR_BUILD_FEATURED
 
 	echo '#define DROPBEAR_SMALL_CODE 0'            >> $(@D)/localoptions.h
 
 	echo '#define DROPBEAR_SMALL_CODE 0'            >> $(@D)/localoptions.h
 
-	echo '#define DROPBEAR_BLOWFISH 1'              >> $(@D)/localoptions.h
 
 	echo '#define DROPBEAR_TWOFISH128 1'            >> $(@D)/localoptions.h
 
 	echo '#define DROPBEAR_TWOFISH128 1'            >> $(@D)/localoptions.h
 
 	echo '#define DROPBEAR_TWOFISH256 1'            >> $(@D)/localoptions.h
 
 	echo '#define DROPBEAR_TWOFISH256 1'            >> $(@D)/localoptions.h
 
 endef
 
 endef