[Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options

Thu May 3 21:04:44 UTC 2018

>>>>> "Stefan" == Stefan Sørensen <stefan.sorensen at spectralink.com> writes:

 > Dropbear by default enables a number of algorithms that are now considered
 > insecure and should only be used when legacy support is required:
 >    3DES encryption
 >    Blowfish encryption
 >    SHA1-96 message integrity
 >    CBC encryption mode
 >    DSA public keys
 >    Diffie-Hellman Group1 key exchange

 > So disable them by default, but add a config option for bringing them back.

 > Signed-off-by: Stefan Sørensen <stefan.sorensen at spectralink.com>
 > ---
 > Changes in v2:
 >  - Update for 2018.76
 >  - Use single option for legacy/insecure algorithms

 >  package/dropbear/Config.in   | 10 ++++++++++
 >  package/dropbear/dropbear.mk | 12 +++++++++++-
 >  2 files changed, 21 insertions(+), 1 deletion(-)

 > diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
 > index 5d6b83b6d1..8c121d0d72 100644
 > --- a/package/dropbear/Config.in
 > +++ b/package/dropbear/Config.in
 > @@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
 >  	  Enable logging of dropbear access to lastlog. Notice that
 >  	  Buildroot does not generate lastlog by default.

 > +config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
 > +	bool "enable legacy crypto"
 > +	help
 > +	  Enable legacy and possbibly insecure algorithms:

s/possbibly/possibly/

> +	    3DES encryption
 > +	    SHA1-96 message integrity
 > +	    CBC encryption mode
 > +	    DSA public keys
 > +	    Diffie-Hellman Group1 key exchange
 > +
 >  endif
 > diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
 > index f47f97d036..de29d16e74 100644
 > --- a/package/dropbear/dropbear.mk
 > +++ b/package/dropbear/dropbear.mk
 > @@ -41,13 +41,23 @@ define DROPBEAR_SVR_PASSWORD_AUTH
 >  endef
 >  DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH

 > +define DROPBEAR_DISABLE_LEGACY_CRYPTO
 > +	echo '#define DROPBEAR_3DES 0'                  >> $(@D)/localoptions.h
 > +	echo '#define DROPBEAR_ENABLE_CBC_MODE 0'       >> $(@D)/localoptions.h
 > +	echo '#define DROPBEAR_SHA1_96_HMAC 0'          >> $(@D)/localoptions.h
 > +	echo '#define DROPBEAR_DSS 0'                   >> $(@D)/localoptions.h
 > +	echo '#define DROPBEAR_DH_GROUP1 0'             >> $(@D)/localoptions.h
 > +endef
 > +ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)
 > +DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO
 > +endif
 > +
 >  define DROPBEAR_ENABLE_REVERSE_DNS
 >  	echo '#define DO_HOST_LOOKUP 1'                 >> $(@D)/localoptions.h
 >  endef

 >  define DROPBEAR_BUILD_FEATURED
 >  	echo '#define DROPBEAR_SMALL_CODE 0'            >> $(@D)/localoptions.h
 > -	echo '#define DROPBEAR_BLOWFISH 1'              >> $(@D)/localoptions.h

This is not mentioned in the commit description. If this is also
considered a legacy algorithm then I guess it is OK to drop it
unconditioanlly, but it should be mentioned.

-- 
Bye, Peter Korsgaard