[Buildroot] [PATCH 4/5] dropbear: add option to disable CBC mode ciphers
Baruch Siach
baruch at tkos.co.il
Wed Jul 4 07:30:58 UTC 2018
Hi Thomas,
On Wed, Jul 04, 2018 at 09:07:38AM +0200, Thomas De Schampheleire wrote:
> CBC mode ciphers are considered insecure. Add an option to disable it.
We have a patch from Stefan Sørensen to disable all weak algorithms by
default:
http://patchwork.ozlabs.org/patch/938595/
I prefer Stefan's patch over this and the next patch.
Stefan's patch doesn't deal with the MD5 HMAC as the next patch does. But I
find it highly unlikely that upstream would enable MD5 by default ever again.
Upstream commit 34ee32607598 adds this code in sysoptions.h:
/* might be needed for compatibility with very old implementations */
#ifndef DROPBEAR_MD5_HMAC
#define DROPBEAR_MD5_HMAC 0
#endif
default_options.h doesn't mention MD5 at all.
baruch
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire at nokia.com>
> ---
> package/dropbear/Config.in | 7 +++++++
> package/dropbear/dropbear.mk | 8 ++++++++
> 2 files changed, 15 insertions(+)
>
> diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
> index 5d6b83b6d1..d92420ac81 100644
> --- a/package/dropbear/Config.in
> +++ b/package/dropbear/Config.in
> @@ -35,6 +35,13 @@ config BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS
> on systems without working DNS, as connections otherwise
> stall until DNS times out.
>
> +config BR2_PACKAGE_DROPBEAR_DISABLE_CBC
> + bool "disable CBC mode ciphers"
> + help
> + Cipher Block Chaining (CBC) may allow an attacker to recover
> + plaintext messages from the ciphertext. For higher security, it is
> + recommended to disable it (and thus enable this option).
> +
> config BR2_PACKAGE_DROPBEAR_SMALL
> bool "optimize for size"
> default y
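Review bot: the help text calls CBC insecure and recommends disabling it, yet the new symbol has no `default`, so CBC stays enabled unless the user opts in; either add `default y` here or state in the help text that the option is off by default and that disabling CBC can break very old clients that offer no other cipher mode. The help text also does not name the mechanism (a `DROPBEAR_ENABLE_CBC_MODE 0` line appended to localoptions.h), which would tell the reader this only works with a dropbear that honors localoptions.h.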
> diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
> index bb902bc7ce..dc233aab53 100644
> --- a/package/dropbear/dropbear.mk
> +++ b/package/dropbear/dropbear.mk
> @@ -71,6 +71,10 @@ define DROPBEAR_DISABLE_STANDALONE
> echo '#define NON_INETD_MODE 0' >> $(@D)/localoptions.h
> endef
>
> +define DROPBEAR_DISABLE_CBC_CIPHERS
> + echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h
> +endef
> +
> define DROPBEAR_INSTALL_INIT_SYSTEMD
> $(INSTALL) -D -m 644 package/dropbear/dropbear.service \
> $(TARGET_DIR)/usr/lib/systemd/system/dropbear.service
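Review bot: the hook name `DROPBEAR_DISABLE_CBC_CIPHERS` does not match the Kconfig symbol `BR2_PACKAGE_DROPBEAR_DISABLE_CBC`; the existing pair `BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS` / `DROPBEAR_ENABLE_REVERSE_DNS` shows the file already tolerates some drift, but naming the define `DROPBEAR_DISABLE_CBC` keeps the grep from Config.in to the hook one-to-one. Otherwise the body follows the established `echo '#define ... 0' >> $(@D)/localoptions.h` pattern of `DROPBEAR_DISABLE_STANDALONE`, so it will be picked up the same way.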
> @@ -92,6 +96,10 @@ ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS),)
> DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_ENABLE_REVERSE_DNS
> endif
>
> +ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_CBC),y)
> +DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_CBC_CIPHERS
> +endif
> +
> ifeq ($(BR2_PACKAGE_DROPBEAR_SMALL),y)
> DROPBEAR_CONF_OPTS += --disable-zlib --enable-bundled-libtom
> else
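Review bot: the `ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_CBC),y)` guard matches the `BR2_PACKAGE_DROPBEAR_SMALL` style rather than the inverted `ifeq (...,)` used for reverse DNS, which is the right choice for an opt-in symbol; note that this block becomes redundant if the weak-algorithm patch referenced earlier in this thread (disabling them by default) is merged, so the two changes should be reconciled before either lands.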
> --
> 2.16.4
>
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -