From patchwork Mon May 7 12:28:44 2018
X-Patchwork-Submitter: Sørensen, Stefan
X-Patchwork-Id: 909724
From: Stefan Sørensen
To: buildroot@buildroot.org
Date: Mon, 7 May 2018 14:28:44 +0200
Message-Id: <20180507122844.30867-2-stefan.sorensen@spectralink.com>
In-Reply-To: <20180507122844.30867-1-stefan.sorensen@spectralink.com>
References: <20180507122844.30867-1-stefan.sorensen@spectralink.com>
Subject: [Buildroot] [PATCH v2] dropbear: Disable legacy/insecure options
List-Id: Discussion and development of buildroot

Dropbear by default enables a number of algorithms that are now considered
insecure and should only be used when legacy support is required:

  3DES encryption
  Blowfish encryption
  SHA1-96 message integrity
  CBC encryption mode
  DSA public keys
  Diffie-Hellman Group1 key exchange

So disable them by default, but add a config option for bringing them back.
Furthermore the Blowfish legacy algorithm is unconditionally disabled.

Signed-off-by: Stefan Sørensen
Reviewed-by: Baruch Siach
---
Changes v1->v2:
 * Mention that the Blowfish algorithm has been disabled

 package/dropbear/Config.in   | 10 ++++++++++
 package/dropbear/dropbear.mk | 12 +++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in index 5d6b83b6d1..62f77bad9d 100644 --- a/package/dropbear/Config.in +++ b/package/dropbear/Config.in @@ -56,4 +56,14 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG Enable logging of dropbear access to lastlog. Notice that Buildroot does not generate lastlog by default. +config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO + bool "enable legacy crypto" + help + Enable legacy and possibly insecure algorithms: + 3DES encryption + SHA1-96 message integrity + CBC encryption mode + DSA public keys + Diffie-Hellman Group1 key exchange + endif diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk index fc41a84c1f..c2d3dedad3 100644 --- a/package/dropbear/dropbear.mk +++ b/package/dropbear/dropbear.mk
@@ -42,13 +42,23 @@ define DROPBEAR_SVR_PASSWORD_AUTH endef DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SVR_PASSWORD_AUTH +define DROPBEAR_DISABLE_LEGACY_CRYPTO + echo '#define DROPBEAR_3DES 0' >> $(@D)/localoptions.h + echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h + echo '#define DROPBEAR_SHA1_96_HMAC 0' >> $(@D)/localoptions.h + echo '#define DROPBEAR_DSS 0' >> $(@D)/localoptions.h + echo '#define DROPBEAR_DH_GROUP1 0' >> $(@D)/localoptions.h +endef +ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y) +DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_LEGACY_CRYPTO +endif + define DROPBEAR_ENABLE_REVERSE_DNS echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h endef define DROPBEAR_BUILD_FEATURED echo '#define DROPBEAR_SMALL_CODE 0' >> $(@D)/localoptions.h - echo '#define DROPBEAR_BLOWFISH 1' >> $(@D)/localoptions.h echo '#define DROPBEAR_TWOFISH128 1' >> $(@D)/localoptions.h echo '#define DROPBEAR_TWOFISH256 1' >> $(@D)/localoptions.h endef
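Review bot: The help text for BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO in the Config.in hunk does not say what happens to Blowfish, even though the commit message states it is disabled unconditionally and the dropbear.mk hunk drops `echo '#define DROPBEAR_BLOWFISH 1'` from DROPBEAR_BUILD_FEATURED; a user who selects "enable legacy crypto" could reasonably expect Blowfish to come back with the rest. Suggest adding a line such as "Blowfish is no longer available, even with this option." to the help, and stating that the listed algorithms are off by default and should only be enabled for interoperability with clients that cannot negotiate anything newer, so the trade-off is visible at menuconfig time rather than only in the commit log.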
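Review bot: In the dropbear.mk hunk the `ifneq ($(BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO),y)` guard means that when the option is selected nothing at all is written to localoptions.h for the five algorithms, so the build silently depends on whatever Dropbear's upstream defaults are at the version Buildroot tracks; if upstream later turns any of them off by default, "enable legacy crypto" stops doing what its prompt says without any build-time indication. Suggest having the hook always run and write the value in both cases (`0` when the option is unset, `1` when it is set) so the Buildroot option is authoritative. The same concern applies to the removed `- echo '#define DROPBEAR_BLOWFISH 1' >> $(@D)/localoptions.h` line: removing it only stops forcing Blowfish on, so the commit message's "unconditionally disabled" holds only as long as the upstream default is off; an explicit `echo '#define DROPBEAR_BLOWFISH 0' >> $(@D)/localoptions.h` in DROPBEAR_DISABLE_LEGACY_CRYPTO (outside the ifneq, since it is meant to be unconditional) would make the claim true regardless of upstream changes.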