From: Matt Weber
To: buildroot@buildroot.org
Cc: "Yann E. MORIN"
Date: Wed, 5 Dec 2018 20:06:27 -0600
Message-Id: <1544061989-7450-1-git-send-email-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH v2 1/3] system cfg: update mkpasswd SHA option txt

This patch drops the comment about checking the C libraries version as they now all support it by default

glibc 2.7+
uclibc (bdd8362a88 package/uclibc: defconfig: enable sha-256...)
musl 1.1.14+

Reviewed-by: "Yann E. MORIN"
Cc: "Yann E. MORIN"
Signed-off-by: Matthew Weber
---
Changes v1 -> v2
[Yann
 - Suggest this patch content is split out from the change of default method to SHA256
 - then -> than in help text
---
system/Config.in | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/system/Config.in b/system/Config.in index 9e34f11..e33568f 100644 --- a/system/Config.in +++ b/system/Config.in
@@ -81,20 +81,12 @@ config BR2_TARGET_GENERIC_PASSWD_MD5 config BR2_TARGET_GENERIC_PASSWD_SHA256 bool "sha-256" help - Use SHA256 to encode passwords. - - Very strong, but not ubiquitous, although available in glibc - for some time now. Choose only if you are sure your C library - understands SHA256 passwords. + Use SHA256 to encode passwords which is stronger than MD5. config BR2_TARGET_GENERIC_PASSWD_SHA512 bool "sha-512" help - Use SHA512 to encode passwords. - - Extremely strong, but not ubiquitous, although available in - glibc for some time now. Choose only if you are sure your C - library understands SHA512 passwords. + Use SHA512 to encode passwords which is stronger than SHA256 endchoice # Passwd encoding
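
Review bot: In the sha-512 help line, "Use SHA512 to encode passwords which is stronger than SHA256" is missing its closing period, while the sha-256 line has one; both lines also read better with a comma before "which". The removed text told users to check their C library, and nothing replaces it. A short note of the minimum versions listed in the commit message (glibc 2.7+, musl 1.1.14+) would keep that information available to anyone building against an older toolchain.
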
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 5 Dec 2018 20:06:28 -0600
Message-Id: <1544061989-7450-2-git-send-email-matthew.weber@rockwellcollins.com>
In-Reply-To: <1544061989-7450-1-git-send-email-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH v2 2/3] system cfg: set mkpasswd default to SHA256

This patch changes the default mkpasswd method to SHA256 from MD5.

The change both improves the quality of the hash used and prepares for eventually removing MD5 as an option.

Reviewed-by: "Yann E. MORIN"
Signed-off-by: Matthew Weber
---
Changes v2
 - New patch
---
system/Config.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system/Config.in b/system/Config.in index e33568f..65c92a8 100644 --- a/system/Config.in +++ b/system/Config.in
@@ -61,7 +61,7 @@ endif choice bool "Passwords encoding" - default BR2_TARGET_GENERIC_PASSWD_MD5 + default BR2_TARGET_GENERIC_PASSWD_SHA256 help Choose the password encoding scheme to use when Buildroot needs to encode a password (eg. the root password, below).
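
Review bot: The new "default" line picks SHA256, yet patch 1/3 of this series describes SHA512 as "stronger than SHA256", so the commit message should say why SHA256 rather than SHA512 was chosen. The choice help shown in the context lines is also left unchanged: configurations that never set this choice explicitly will now get a different hash format for the root password with no hint in the help, so a sentence about the changed default would help anyone comparing images across releases.
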
From: Matt Weber
To: buildroot@buildroot.org
Cc: "Yann E. MORIN"
Date: Wed, 5 Dec 2018 20:06:29 -0600
Message-Id: <1544061989-7450-3-git-send-email-matthew.weber@rockwellcollins.com>
In-Reply-To: <1544061989-7450-1-git-send-email-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH v2 3/3] system cfg: remove mkpasswd MD5 format option

As SHA256 is now default, removing weak MD5 option. C libraries now all support the SHA methods.

glibc 2.7+
uclibc (bdd8362a88 package/uclibc: defconfig: enable sha-256...)
musl 1.1.14+

One issue this would prevent, is a host tool issue with a FIPS enabled system where weak ciphers/methods are disabled. It seems the crypt(3) call is impacted by /proc/sys/crypto/fips_enabled (per crypt(3) man page). It results in mkpasswd returning "(EPERM) crypt failed." Rather than create a Buildroot host dependency check, this patch removes the potential corner case from being selected.

Acked-by: "Yann E. MORIN"
Cc: "Yann E. MORIN"
Signed-off-by: Matthew Weber
---
Changes v1 -> v2
 - Updated description wording
---
Config.in.legacy | 8 ++++++++
system/Config.in | 10 ----------
2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/Config.in.legacy b/Config.in.legacy index 02321c8..d70654c 100644 --- a/Config.in.legacy +++ b/Config.in.legacy
@@ -143,6 +143,14 @@ comment "----------------------------------------------------" endif ############################################################################### + +config BR2_TARGET_GENERIC_PASSWD_MD5 + bool "target passwd md5 format support has been removed" + select BR2_LEGACY + help + The default has been moved to SHA256 and all C libraries + now support that method by default + comment "Legacy options removed in 2018.11" config BR2_TARGET_XLOADER diff --git a/system/Config.in b/system/Config.in index 65c92a8..0f77b9b 100644 --- a/system/Config.in +++ b/system/Config.in @@ -68,16 +68,6 @@ choice Note: this is used at build-time, and *not* at runtime. -config BR2_TARGET_GENERIC_PASSWD_MD5 - bool "md5" - help - Use MD5 to encode passwords. - - The default. Wildly available, and pretty good. - Although pretty strong, MD5 is now an old hash function, and - suffers from some weaknesses, which makes it susceptible to - brute-force attacks. - config BR2_TARGET_GENERIC_PASSWD_SHA256 bool "sha-256" help
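
Review bot: In the Config.in.legacy hunk, the new BR2_TARGET_GENERIC_PASSWD_MD5 entry is inserted above the comment "Legacy options removed in 2018.11", between the "####" separator and that comment, so it does not sit under any release heading. It should go below a comment for the release that actually drops the option. The help text also ends without a period and does not tell the user what to do next; suggest adding that SHA256 or SHA512 should be selected in the "Passwords encoding" choice instead.
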
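
Review bot: In the system/Config.in hunk, only the choice entry for MD5 is removed (the diffstat shows 10 deletions in that file, all of them here), so any other place that tests BR2_TARGET_GENERIC_PASSWD_MD5, such as a default that maps the choice to the mkpasswd method, is left untouched. Because the first hunk keeps the symbol defined as a legacy option, such a leftover reference would still evaluate for an old .config. Please grep the tree for the symbol and remove any remaining users in the same patch.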