[Buildroot] [PATCH 4/5] dropbear: add option to disable CBC mode ciphers

Thomas De Schampheleire thomas.de_schampheleire at nokia.com
Wed Jul 4 07:07:38 UTC 2018


CBC mode ciphers are considered insecure. Add an option to disable them.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire at nokia.com>
---
 package/dropbear/Config.in   | 7 +++++++
 package/dropbear/dropbear.mk | 8 ++++++++
 2 files changed, 15 insertions(+)

diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 5d6b83b6d1..d92420ac81 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -35,6 +35,13 @@ config BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS
 	  on systems without working DNS, as connections otherwise
 	  stall until DNS times out.
 
+config BR2_PACKAGE_DROPBEAR_DISABLE_CBC
+	bool "disable CBC mode ciphers"
+	help
+	  Cipher Block Chaining (CBC) may allow an attacker to recover
+	  plaintext messages from the ciphertext. For higher security, it is
+	  recommended to disable it (and thus enable this option).
+
 config BR2_PACKAGE_DROPBEAR_SMALL
 	bool "optimize for size"
 	default y
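Review bot: The help text on lines 26-28 gives the security rationale but not the operational consequence of the option: once CBC is disabled, a client that offers only CBC ciphers (typically an old SSH implementation) has no cipher in common with the server and cannot connect. Suggest adding a sentence such as `Note that old SSH clients offering only CBC ciphers will no longer be able to connect.` so users know why a connection regression after enabling this is expected. The closing sentence `recommended to disable it (and thus enable this option)` also reads awkwardly; `For higher security it is recommended to enable this option.` says the same thing directly.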
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index bb902bc7ce..dc233aab53 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -71,6 +71,10 @@ define DROPBEAR_DISABLE_STANDALONE
 	echo '#define NON_INETD_MODE 0'                 >> $(@D)/localoptions.h
 endef
 
+define DROPBEAR_DISABLE_CBC_CIPHERS
+	echo '#define DROPBEAR_ENABLE_CBC_MODE 0'       >> $(@D)/localoptions.h
+endef
+
 define DROPBEAR_INSTALL_INIT_SYSTEMD
 	$(INSTALL) -D -m 644 package/dropbear/dropbear.service \
 		$(TARGET_DIR)/usr/lib/systemd/system/dropbear.service
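Review bot: The hook on lines 41-43 appends `#define DROPBEAR_ENABLE_CBC_MODE 0` to localoptions.h, but nothing ties that macro name to the dropbear version the package builds; if a future version bump renames or drops the macro, the define is silently ignored and CBC stays enabled while BR2_PACKAGE_DROPBEAR_DISABLE_CBC=y suggests otherwise. A comment above the define would make the coupling visible, e.g. `# DROPBEAR_ENABLE_CBC_MODE is consumed by dropbear's own options header (presumably default_options.h); re-check the name on every version bump.` The same applies to the existing localoptions.h hooks, so a single comment above the first of them would cover all.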
@@ -92,6 +96,10 @@ ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS),)
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_ENABLE_REVERSE_DNS
 endif
 
+ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_CBC),y)
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_CBC_CIPHERS
+endif
+
 ifeq ($(BR2_PACKAGE_DROPBEAR_SMALL),y)
 DROPBEAR_CONF_OPTS += --disable-zlib --enable-bundled-libtom
 else
-- 
2.16.4


