dropbear: Disable legacy/insecure options

Dropbear by default enables a number of algorithms that are now considered
insecure and should only be used when legacy support is required:
   3DES encryption
   Blowfish encryption
   SHA1-96 message integrity
   CBC encryption mode
   DSA public keys
   Diffie-Hellman Group1 key exchange

So disable them by default, but add a config option for bringing them back.
Furthermore, the Blowfish legacy algorithm is unconditionally disabled.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit is contained in:
Stefan Sørensen 2018-07-03 09:48:10 +02:00 committed by Thomas Petazzoni
parent bf19116c80
commit 72d4d098b0
2 changed files with 21 additions and 1 deletions


@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
Enable logging of dropbear access to lastlog. Notice that Enable logging of dropbear access to lastlog. Notice that
Buildroot does not generate lastlog by default. Buildroot does not generate lastlog by default.
config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
bool "enable legacy crypto"
help
Enable legacy and possibly insecure algorithms:
3DES encryption
SHA1-96 message integrity
CBC encryption mode
DSA public keys
Diffie-Hellman Group1 key exchange
endif endif
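Review bot: The new help text for BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO lists the algorithms the option restores but does not say that Blowfish stays disabled regardless, although the commit message states it is removed unconditionally, so a user reading only the help may expect it back. Add a closing line such as `Blowfish is not available even with this option.` to the help block. It would also help to state the intended audience, e.g. `Enable this only if you must interoperate with peers that support nothing newer.`, so that the option is not switched on by default in board configs. The enclosing `if`/menu for this option starts outside the hunk.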


@ -56,13 +56,23 @@ endef
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
endif endif
define DROPBEAR_DISABLE_LEGACY_CRYPTO
echo '#define DROPBEAR_3DES 0' >> $(@D)/localoptions.h
echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h
echo '#define DROPBEAR_SHA1_96_HMAC 0' >> $(@D)/localoptions.h
echo '#define DROPBEAR_DSS 0' >> $(@D)/localoptions.h
echo '#define DROPBEAR_DH_GROUP1 0' >> $(@D)/localoptions.h
endef
ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO
endif
define DROPBEAR_ENABLE_REVERSE_DNS define DROPBEAR_ENABLE_REVERSE_DNS
echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h
endef endef
define DROPBEAR_BUILD_FEATURED define DROPBEAR_BUILD_FEATURED
echo '#define DROPBEAR_SMALL_CODE 0' >> $(@D)/localoptions.h echo '#define DROPBEAR_SMALL_CODE 0' >> $(@D)/localoptions.h
echo '#define DROPBEAR_BLOWFISH 1' >> $(@D)/localoptions.h
echo '#define DROPBEAR_TWOFISH128 1' >> $(@D)/localoptions.h echo '#define DROPBEAR_TWOFISH128 1' >> $(@D)/localoptions.h
echo '#define DROPBEAR_TWOFISH256 1' >> $(@D)/localoptions.h echo '#define DROPBEAR_TWOFISH256 1' >> $(@D)/localoptions.h
endef endef
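Review bot: The new DROPBEAR_DISABLE_LEGACY_CRYPTO define carries no comment explaining why these five localoptions.h macros are forced to 0, nor that the Blowfish line dropped from DROPBEAR_BUILD_FEATURED is deliberately not restorable through the option; a one-line comment above the define would document the intent, e.g. `# Legacy algorithms are disabled unless BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO is set; Blowfish is never enabled`. Because `DROPBEAR_DSS 0` removes DSS host-key support from the build, any init script or host-key generation step in this package that still creates or expects a DSS key would need to follow the same option; that lives outside this hunk and cannot be confirmed here. The surrounding hook registrations and conditionals begin before the hunk.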