[LEDE-DEV] openssl: Remove RIPEMD-160 from OpenSSL

Message ID 20170327222622.8015-1-rosenp@gmail.com
State Deferred

Commit Message

Rosen Penev March 27, 2017, 10:26 p.m.
The commit that removed no-ripemd stated that it was needed for openssh.
However with recent OpenSSH releases (7.4), RIPEMD-160 is run-time disabled.
I've verified this with ssh -vvv making no mention of RIPEMD-160 anywhere.
---
 package/libs/openssl/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

txt.file March 27, 2017, 10:45 p.m. | #1
The topic and patch are about OpenSSL but the description is about OpenSSH.
What has OpenSSL to do with OpenSSH?

kind regards
txt.file
--
This message is signed.

Rosen Penev:
> The commit that removed no-ripemd stated that it was needed for openssh.
> However with recent OpenSSH releases (7.4), RIPEMD-160 is run-time disabled.
> I've verified this with ssh -vvv making no mention of RIPEMD-160 anywhere.
> ---
>  package/libs/openssl/Makefile | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
> index 2543a46..a2d3ce3 100644
> --- a/package/libs/openssl/Makefile
> +++ b/package/libs/openssl/Makefile
> @@ -100,7 +100,7 @@ endef
>  
>  
>  OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
> - no-whrlpool no-whirlpool no-seed no-jpake
> + no-whrlpool no-whirlpool no-seed no-jpake no-ripemd
>  OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
>  
>  ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
>
Alexandru Ardelean March 28, 2017, 6:09 a.m. | #2
On Tue, Mar 28, 2017 at 1:45 AM, txt.file <txt.file@txtfile.eu> wrote:
> The topic and patch are about OpenSSL but the description is about OpenSSH.
> What has OpenSSL to do with OpenSSH?
>
> kind regards
> txt.file
> --
> This message is signed.
>
> Rosen Penev:
>> The commit that removed no-ripemd stated that it was needed for openssh.
>> However with recent OpenSSH releases (7.4), RIPEMD-160 is run-time disabled.
>> I've verified this with ssh -vvv making no mention of RIPEMD-160 anywhere.
>> ---
>>  package/libs/openssl/Makefile | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
>> index 2543a46..a2d3ce3 100644
>> --- a/package/libs/openssl/Makefile
>> +++ b/package/libs/openssl/Makefile
>> @@ -100,7 +100,7 @@ endef
>>
>>
>>  OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
>> - no-whrlpool no-whirlpool no-seed no-jpake
>> + no-whrlpool no-whirlpool no-seed no-jpake no-ripemd
>>  OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
>>
>>  ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
>>
>
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev
>

as far as things go, openssh is part of the package feeds here:
https://github.com/openwrt/packages/tree/master/net/openssh

while openssl is part of the core packages
removing this cipher, if unused, makes sense also to reduce openssl size

my 2c :)

thanks
Alex
Philip Prindeville April 18, 2017, 8:01 p.m. | #3
> On Mar 28, 2017, at 12:09 AM, Alexandru Ardelean <ardeleanalex@gmail.com> wrote:
> 
> On Tue, Mar 28, 2017 at 1:45 AM, txt.file <txt.file@txtfile.eu> wrote:
>> The topic and patch are about OpenSSL but the description is about OpenSSH.
>> What has OpenSSL to do with OpenSSH?
>> 
>> kind regards
>> txt.file
>> --
>> This message is signed.
>> 
>> Rosen Penev:
>>> The commit that removed no-ripemd stated that it was needed for openssh.
>>> However with recent OpenSSH releases (7.4), RIPEMD-160 is run-time disabled.
>>> I've verified this with ssh -vvv making no mention of RIPEMD-160 anywhere.
>>> ---
>>> package/libs/openssl/Makefile | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>> 
>>> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
>>> index 2543a46..a2d3ce3 100644
>>> --- a/package/libs/openssl/Makefile
>>> +++ b/package/libs/openssl/Makefile
>>> @@ -100,7 +100,7 @@ endef
>>> 
>>> 
>>> OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
>>> - no-whrlpool no-whirlpool no-seed no-jpake
>>> + no-whrlpool no-whirlpool no-seed no-jpake no-ripemd
>>> OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
>>> 
>>> ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
>>> 
>> 
>> 
>> 
> 
> as far as things go, openssh is part of the package feeds here:
> https://github.com/openwrt/packages/tree/master/net/openssh
> 
> while openssl is part of the core packages
> removing this cipher, if unused, makes sense also to reduce openssl size
> 
> my 2c :)
> 
> thanks
> Alex


What happens if someone has a private package feed and they’re still using it?

I think we should remove ciphers when they’re proven weak or otherwise vulnerable, like AES128-CBC… not when we’re unaware of anyone using it.

-Philip
Felix Fietkau April 26, 2017, 9:23 a.m. | #4
On 2017-03-28 00:26, Rosen Penev wrote:
> The commit that removed no-ripemd stated that it was needed for openssh.
> However with recent OpenSSH releases (7.4), RIPEMD-160 is run-time disabled.
> I've verified this with ssh -vvv making no mention of RIPEMD-160 anywhere.
Last time I tried to remove this, some other things in packages/ broke
as well. If you really care about this, please do a full build with
*all* feeds and all packages that use openssl enabled to ensure that
this doesn't break anything.

- Felix
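
The thread turns on one question: who, besides OpenSSH, still calls RIPEMD-160 through libcrypto? The script below is an added example for this discussion, not code from the patch or from the LEDE/OpenWrt tree. It greps a package-feed checkout for references to the RIPEMD-160 API so that the consumer list is checked rather than inferred from a single client, and it shows how to confirm on a built target whether `no-ripemd` actually removed the digest. The feed layout it creates is constructed for the demo; the function names are the example's own. A source grep is a heuristic and does not replace the full build with all feeds that Felix asks for, but it tells you which packages to look at first.

```shell
#!/bin/sh
# Added example, not part of this patch or of the LEDE/OpenWrt tree.
# Before dropping an algorithm from libcrypto with `no-ripemd`, find which
# packages in a feed checkout still reference the RIPEMD-160 API.

# Case-insensitive pattern for the EVP name (EVP_ripemd160), the low-level
# API (RIPEMD160_Init and friends) and the short CLI/OpenSSH spelling (rmd160).
RIPEMD_PATTERN='ripemd|rmd160'

# find_ripemd_consumers FEED_DIR
#   Prints "file:line:text" for every source line mentioning RIPEMD-160
#   beneath FEED_DIR. Returns 0 when at least one hit exists, 1 otherwise.
find_ripemd_consumers() {
    dir="$1"
    # `|| true` keeps a no-match grep (exit 1) from aborting under `set -e`.
    hits=$(grep -rniE "$RIPEMD_PATTERN" "$dir" 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# libcrypto_has_ripemd [OPENSSL_BINARY]
#   On a built target, checks whether the installed OpenSSL still provides
#   RIPEMD-160: `openssl dgst -ripemd160` fails when the digest was built out.
#   Returns 0 if the digest is available, 1 if not (or if openssl is missing).
libcrypto_has_ripemd() {
    bin="${1:-openssl}"
    command -v "$bin" >/dev/null 2>&1 || return 1
    "$bin" dgst -ripemd160 /dev/null >/dev/null 2>&1
}

# make_sample_feed
#   Builds a constructed three-package feed in a temporary directory and
#   prints its path. The package contents are invented for this example.
make_sample_feed() {
    feed=$(mktemp -d)
    mkdir -p "$feed/pkg-a/src" "$feed/pkg-b" "$feed/pkg-c"
    # pkg-a: C code that selects RIPEMD-160 through the EVP interface (one hit).
    cat >"$feed/pkg-a/src/hash.c" <<'EOF'
#include <openssl/evp.h>
const EVP_MD *pick_md(void) { return EVP_ripemd160(); }
EOF
    # pkg-b: links libcrypto but never touches the digest (no hit).
    cat >"$feed/pkg-b/Makefile" <<'EOF'
PKG_NAME:=pkg-b
DEPENDS:=+libopenssl
EOF
    # pkg-c: a configure script that hard-codes the digest name (one hit).
    cat >"$feed/pkg-c/configure.sh" <<'EOF'
HASH_ALGO=rmd160
EOF
    printf '%s\n' "$feed"
}

# Stand-alone run: `sh scan_ripemd.sh --demo` scans the constructed feed.
if [ "${1:-}" = "--demo" ]; then
    feed=$(make_sample_feed)
    if find_ripemd_consumers "$feed"; then
        echo "RIPEMD-160 consumers found: fix them before adding no-ripemd"
    else
        echo "no RIPEMD-160 consumers under $feed"
    fi
    rm -rf "$feed"
fi
```

Point `find_ripemd_consumers` at a real feeds/ checkout to get the candidate list; anything it reports needs either a source change or a reason to keep the digest. `libcrypto_has_ripemd` is the matching check on the built image: after a build with `no-ripemd` it should return 1, which confirms the Configure option took effect for every package linked against that libcrypto, not just for sshd.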

Patch

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 2543a46..a2d3ce3 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -100,7 +100,7 @@  endef
 
 
 OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
- no-whrlpool no-whirlpool no-seed no-jpake
+ no-whrlpool no-whirlpool no-seed no-jpake no-ripemd
 OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
 
 ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
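Review bot: the commit message justifies adding `no-ripemd` only from OpenSSH 7.4's behaviour, but `OPENSSL_NO_CIPHERS` removes the algorithm from libcrypto for every package that links against it, so the message should record which feed packages were checked (the full build with all feeds enabled that Felix asks for) and state the actual motivation, which is binary size rather than a weakness in the hash. A smaller point on the line being edited: the context line carries both `no-whrlpool` and `no-whirlpool`, and the first looks like a misspelled leftover; since this patch touches that continuation line anyway, dropping the stale token (or explaining why it is kept) would be reasonable, as a separate cleanup if the maintainers prefer.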