[Buildroot] [PATCH 5/5] dropbear: add option to disable weak HMAC algorithms
Thomas De Schampheleire
thomas.de_schampheleire at nokia.com
Wed Jul 4 07:07:39 UTC 2018
The hmac-sha1-96 (truncated SHA-1) and hmac-md5 HMAC algorithms are considered insecure.
Add an option to disable both of them.
Note that the md5 HMAC algorithm seems to be disabled by default in current
dropbear, but the upstream commit in which that was done
(750ec4ec4cbed4cf5e2f3c7b9de95c90d9ebd68d - "Convert #ifdef to #if, other
build changes") does not explicitly state this change as a goal. To make
sure it is not reverted in the future, explicitly disable the algorithm.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire at nokia.com>
---
package/dropbear/Config.in | 7 +++++++
package/dropbear/dropbear.mk | 9 +++++++++
2 files changed, 16 insertions(+)
diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index d92420ac81..bb7d914c06 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -42,6 +42,13 @@ config BR2_PACKAGE_DROPBEAR_DISABLE_CBC
plaintext messages from the ciphertext. For higher security, it is
recommended to disable it (and thus enable this option).
+config BR2_PACKAGE_DROPBEAR_DISABLE_WEAK_HMAC
+ bool "disable weak HMAC algorithms"
+ help
+ Disable support for following weak HMAC algorithms:
+ - sha1-96 HMAC
+ - md5 HMAC
+
config BR2_PACKAGE_DROPBEAR_SMALL
bool "optimize for size"
default y
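Review bot: The new help text does not tell the user what stays enabled or what the trade-off of turning the option on is, which is what someone deciding on it needs to know; it also reads "for following" instead of "for the following". Only the two macros for sha1-96 and md5 are touched, so the full-length hmac-sha1 MAC is unaffected, and a peer that offers only the disabled MACs will no longer be able to negotiate a connection. I would extend the help with `The full-length hmac-sha1 MAC is not affected. Clients or servers that support only the disabled MACs will fail to connect.` and, as the commit message already notes, add `hmac-md5 is already off by default in current dropbear; this option pins that choice.` so a reader does not wonder why the option lists it.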
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index dc233aab53..17e937444f 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -75,6 +75,11 @@ define DROPBEAR_DISABLE_CBC_CIPHERS
echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h
endef
+define DROPBEAR_DISABLE_WEAK_HMAC_ALGORITHMS
+ echo '#define DROPBEAR_SHA1_96_HMAC 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_MD5_HMAC 0' >> $(@D)/localoptions.h
+endef
+
define DROPBEAR_INSTALL_INIT_SYSTEMD
$(INSTALL) -D -m 644 package/dropbear/dropbear.service \
$(TARGET_DIR)/usr/lib/systemd/system/dropbear.service
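Review bot: The two `#define … 0` lines in DROPBEAR_DISABLE_WEAK_HMAC_ALGORITHMS only disable the MACs if the packaged dropbear tests these macros with `#if`; the commit message says that conversion happened in upstream 750ec4ec, and under the older `#ifdef` scheme a macro defined to 0 would count as present and so enable the algorithm, the opposite of what the option promises. Since the hook carries no version guard, I would state the assumption above the define: `# Relies on dropbear's #if-based option handling (upstream 750ec4ec); under the older #ifdef scheme a define to 0 would enable the MAC instead.` The existing DROPBEAR_DISABLE_CBC_CIPHERS hook presumably shares this dependency, so the comment could cover both. It would also be worth checking on each version bump that default_options.h still uses the names DROPBEAR_SHA1_96_HMAC and DROPBEAR_MD5_HMAC, as a rename would make these lines silently no-ops.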
@@ -100,6 +105,10 @@ ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_CBC),y)
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_CBC_CIPHERS
endif
+ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_WEAK_HMAC),y)
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_WEAK_HMAC_ALGORITHMS
+endif
+
ifeq ($(BR2_PACKAGE_DROPBEAR_SMALL),y)
DROPBEAR_CONF_OPTS += --disable-zlib --enable-bundled-libtom
else
--
2.16.4