From patchwork Tue Jul 3 07:48:10 2018
X-Patchwork-Submitter: Sørensen, Stefan
X-Patchwork-Id: 938595
From: Stefan Sørensen
To: buildroot@buildroot.org
Date: Tue, 3 Jul 2018 09:48:10 +0200
Message-Id: <20180703074810.19105-1-stefan.sorensen@spectralink.com>
X-Mailer: git-send-email 2.17.1
Subject: [Buildroot] [PATCH v3] dropbear: Disable legacy/insecure options

Dropbear by default enables a number of algorithms that are now considered
insecure and should only be used when legacy support is required:

  3DES encryption
  Blowfish encryption
  SHA1-96 message integrity
  CBC encryption mode
  DSA public keys
  Diffie-Hellman Group1 key exchange

So disable them by default, but add a config option for bringing them back.
Furthermore the Blowfish legacy algorithm is unconditionally disabled.

Signed-off-by: Stefan Sørensen
Reviewed-by: Baruch Siach
Reviewed-by: Thomas De Schampheleire
---
Changes v2->v3:
 * Rebase on 037b8616257067282e375edca9af19418a0e7a4a

Changes v1->v2:
 * Mention that the Blowfish algorithm has been disabled

 package/dropbear/Config.in   | 10 ++++++++++
 package/dropbear/dropbear.mk | 12 +++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 5d6b83b6d1..62f77bad9d 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG Enable logging of dropbear access to lastlog. Notice that Buildroot does not generate lastlog by default. +config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO + bool "enable legacy crypto" + help + Enable legacy and possibly insecure algorithms: + 3DES encryption + SHA1-96 message integrity + CBC encryption mode + DSA public keys + Diffie-Hellman Group1 key exchange + endif diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk index bb902bc7ce..7b1468cfb1 100644 --- a/package/dropbear/dropbear.mk +++ b/package/dropbear/dropbear.mk @@ -56,13 +56,23 @@ endef DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH endif +define DROPBEAR_DISABLE_LEGACY_CRYPTO + echo '#define DROPBEAR_3DES 0' >> $(@D)/localoptions.h + echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h + echo '#define DROPBEAR_SHA1_96_HMAC 0' >> $(@D)/localoptions.h + echo '#define DROPBEAR_DSS 0' >> $(@D)/localoptions.h + echo '#define DROPBEAR_DH_GROUP1 0' >> $(@D)/localoptions.h +endef +ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y) +DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO +endif + define DROPBEAR_ENABLE_REVERSE_DNS echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h endef define DROPBEAR_BUILD_FEATURED echo '#define DROPBEAR_SMALL_CODE 0' >> $(@D)/localoptions.h - echo '#define DROPBEAR_BLOWFISH 1' >> $(@D)/localoptions.h echo '#define DROPBEAR_TWOFISH128 1' >> $(@D)/localoptions.h echo '#define DROPBEAR_TWOFISH256 1' >> $(@D)/localoptions.h endef
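Review bot: the help text of BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO in the Config.in hunk should say that Blowfish is not brought back by this option: the dropbear.mk hunk drops the `DROPBEAR_BLOWFISH 1` define unconditionally, and the commit message lists Blowfish among the insecure defaults, so a reader of the Kconfig help alone would expect the whole legacy set to be restorable. Suggest a closing line such as "Blowfish encryption is always disabled." It would also help to state, as the commit message does, that the option should stay off unless interoperability with old SSH peers is required.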
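Review bot: in the dropbear.mk hunk, selecting BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO=y does not enable anything; the `ifneq` only skips appending the `#define ... 0` lines, so the five algorithms end up at whatever Dropbear's compiled-in defaults are for that release. If upstream later flips one of those defaults to 0, the option silently stops restoring it and the prompt "enable legacy crypto" becomes misleading. If an explicit opt-in is intended, add a matching hook for the `y` case that writes `#define DROPBEAR_3DES 1` and the other four as `1`; otherwise reword the prompt and help to say the algorithms are left at upstream defaults. Likewise, removing `echo '#define DROPBEAR_BLOWFISH 1'` from DROPBEAR_BUILD_FEATURED only disables Blowfish if Dropbear's own default is 0; writing `#define DROPBEAR_BLOWFISH 0` into localoptions.h would make the "unconditionally disabled" statement in the commit message hold regardless of the upstream default.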