dropbear: Disable legacy/insecure options

Dropbear by default enables a number of algorithms that are now considered insecure and should only be used when legacy support is required: 3DES encryption Blowfish encryption SHA1-96 message integrity CBC encryption mode DSA public keys Diffie-Hellman Group1 key exchange So disable them by default, but add a config option for bringing them back. Furthermore the Blowfish legacy algorithm is unconditionally disabled Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> Reviewed-by: Baruch Siach <baruch@tkos.co.il> Reviewed-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-07-03 09:48:10 +02:00 · 2018-07-03 09:48:10 +02:00 · 72d4d098b0
commit 72d4d098b0
parent bf19116c80
2 changed files with 21 additions and 1 deletions
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
 	  Enable logging of dropbear access to lastlog. Notice that
 	  Buildroot does not generate lastlog by default.

+config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
+	bool "enable legacy crypto"
+	help
+	  Enable legacy and possibly insecure algorithms:
+	    3DES encryption
+	    SHA1-96 message integrity
+	    CBC encryption mode
+	    DSA public keys
+	    Diffie-Hellman Group1 key exchange
+
 endif
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@ -56,13 +56,23 @@ endef
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH
 endif

+define DROPBEAR_DISABLE_LEGACY_CRYPTO
+	echo '#define DROPBEAR_3DES 0'                  >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_ENABLE_CBC_MODE 0'       >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_SHA1_96_HMAC 0'          >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_DSS 0'                   >> $(@D)/localoptions.h
+	echo '#define DROPBEAR_DH_GROUP1 0'             >> $(@D)/localoptions.h
+endef
+ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO
+endif
+
 define DROPBEAR_ENABLE_REVERSE_DNS
 	echo '#define DO_HOST_LOOKUP 1'                 >> $(@D)/localoptions.h
 endef

 define DROPBEAR_BUILD_FEATURED
 	echo '#define DROPBEAR_SMALL_CODE 0'            >> $(@D)/localoptions.h
-	echo '#define DROPBEAR_BLOWFISH 1'              >> $(@D)/localoptions.h
 	echo '#define DROPBEAR_TWOFISH128 1'            >> $(@D)/localoptions.h
 	echo '#define DROPBEAR_TWOFISH256 1'            >> $(@D)/localoptions.h
 endef