[Buildroot] [PATCH 1/3] dropbear: Use macro to set options

[Buildroot] [PATCH 1/3] dropbear: Use macro to set options

[Stefan Sørensen]

Introduce a macro for editing options.h according to the Buildroot
configuration, replacing individual sed scripts.

Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
---
 package/dropbear/dropbear.mk | 37 +++++++++++++++---------------------
 1 file changed, 15 insertions(+), 22 deletions(-)

diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index 01a1a07b76..dc1fee207f 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -32,24 +32,25 @@ endef
 
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_FIX_XAUTH
 
-define DROPBEAR_ENABLE_REVERSE_DNS
-	$(SED) 's:.*\(#define DO_HOST_LOOKUP\).*:\1:' $(@D)/options.h
+define DROPBEAR_SET_OPT # (define, option)
+	if [ 'x$(2)' = 'xy' -o 'x$(2)' = 'x!' ]; then \
+		$(SED) 's:.*\(#define $(1)\)\([^A-Z0-9_]\|$$\).*:\1 1:' $(@D)/options.h; \
+	else \
+		$(SED) 's:.*\(#define $(1)\)\([^A-Z0-9_]\|$$\).*:/*\1*/:' $(@D)/options.h; \
+	fi
 endef
 
-define DROPBEAR_BUILD_SMALL
-	$(SED) 's:.*\(#define NO_FAST_EXPTMOD\).*:\1:' $(@D)/options.h
+define DROPBEAR_SET_OPTIONS
+	$(call DROPBEAR_SET_OPT,DROPBEAR_SMALL_CODE,$(BR2_PACKAGE_DROPBEAR_SMALL))
+	$(call DROPBEAR_SET_OPT,NO_FAST_EXPTMOD,$(BR2_PACKAGE_DROPBEAR_SMALL))
+	$(call DROPBEAR_SET_OPT,DO_HOST_LOOKUP,$(BR2_PACKAGE_DROPBEAR_ENABLE_REVERSE_DNS))
+	$(call DROPBEAR_SET_OPT,NON_INETD_MODE,$(BR2_USE_MMU))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_BLOWFISH,!$(BR2_PACKAGE_DROPBEAR_SMALL))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH128,!$(BR2_PACKAGE_DROPBEAR_SMALL))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH256,!$(BR2_PACKAGE_DROPBEAR_SMALL))
 endef
 
-define DROPBEAR_BUILD_FEATURED
-	$(SED) 's:^#define DROPBEAR_SMALL_CODE::' $(@D)/options.h
-	$(SED) 's:.*\(#define DROPBEAR_BLOWFISH\).*:\1:' $(@D)/options.h
-	$(SED) 's:.*\(#define DROPBEAR_TWOFISH128\).*:\1:' $(@D)/options.h
-	$(SED) 's:.*\(#define DROPBEAR_TWOFISH256\).*:\1:' $(@D)/options.h
-endef
-
-define DROPBEAR_DISABLE_STANDALONE
-	$(SED) 's:\(#define NON_INETD_MODE\):/*\1 */:' $(@D)/options.h
-endef
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SET_OPTIONS
 
 define DROPBEAR_INSTALL_INIT_SYSTEMD
 	$(INSTALL) -D -m 644 package/dropbear/dropbear.service \
@@ -64,19 +65,11 @@ define DROPBEAR_INSTALL_INIT_SYSV
 	$(INSTALL) -D -m 755 package/dropbear/S50dropbear \
 		$(TARGET_DIR)/etc/init.d/S50dropbear
 endef
-else
-DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_STANDALONE
-endif
-
-ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS),)
-DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_ENABLE_REVERSE_DNS
 endif
 
 ifeq ($(BR2_PACKAGE_DROPBEAR_SMALL),y)
-DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_BUILD_SMALL
 DROPBEAR_CONF_OPTS += --disable-zlib
 else
-DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_BUILD_FEATURED
 DROPBEAR_DEPENDENCIES += zlib
 endif
 
-- 
2.17.0

[Buildroot] [PATCH 2/3] dropbear: Add configuration options for security features

[Stefan Sørensen]

The dropbear server provides no runtime configuration of ciphers, key
exchange algorithms, etc., but must rather be configured compile time.
With no configurability the default settings will be use which may not
be desired in all scenearios.

These new options allow the selection of
  Ciphers (AES128, AES256, 3DES, BLowfish, Twofish128, Twofish256)
  Cipher modes (CBC, CTR)
  Integrity algorithms (SHA1, SHA1-96, SHA2-256, SHA2-512, MD5)
  Key exchange algorithms (RSA, DSS, ECDSA, Curve25519, ECDH)
  Authenticaton types (Password, Pubkey)

No defaults are changed.

Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
---
 package/dropbear/Config.in   | 163 +++++++++++++++++++++++++++++++++++
 package/dropbear/dropbear.mk |  25 +++++-
 2 files changed, 185 insertions(+), 3 deletions(-)

diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 6700778161..441c521d18 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -55,4 +55,167 @@ config BR2_PACKAGE_DROPBEAR_LASTLOG
 	  Enable logging of dropbear access to lastlog. Notice that
 	  Buildroot does not generate lastlog by default.
 
+menu "Dropbear ciphers"
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_AES128
+	bool "AES128"
+	default y
+	help
+	  Enable the AES128 cipher
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_AES256
+	bool "AES256"
+	default y
+	help
+	  Enable the AES256 cipher
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_3DES
+	bool "3DES"
+	default y
+	help
+	  Enable the 3DES cipher
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_BLOWFISH
+	bool "Blowfish"
+	default y	if !BR2_PACKAGE_DROPBEAR_SMALL
+	help
+	  Enable the Blowfish cipher
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_TWOFISH128
+	bool "Twofish128"
+	default y	if !BR2_PACKAGE_DROPBEAR_SMALL
+	help
+	  Enable the Twofish128 cipher
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_TWOFISH256
+	bool "Twofish256"
+	default y	if !BR2_PACKAGE_DROPBEAR_SMALL
+	help
+	  Enable the Twofish256 cipher
+
+endmenu
+
+menu "Dropbear cipher modes"
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CBC
+	bool "CBC"
+	default y
+	help
+	  Enable CBC mode for ciphers. This has security issues though
+	  is the most compatible with older SSH implementations
+
+config BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CTR
+	bool "CTR"
+	default y
+	help
+	  Enable "Counter Mode" for ciphers. This is more secure than
+	  normal CBC mode against certain attacks. It is recommended
+	  for security and forwards compatibility
+
+endmenu
+
+menu "Dropbear integrity algorithms"
+
+config BR2_PACKAGE_DROPBEAR_HMAC_SHA1
+	bool "SHA1"
+	default y
+	help
+	  Enable SHA1 integrity algorithm
+
+config BR2_PACKAGE_DROPBEAR_HMAC_SHA1_96
+	bool "SHA1-96"
+	default y
+	help
+	  Enable SHA1-96 integrity algorithm
+
+config BR2_PACKAGE_DROPBEAR_HMAC_SHA2_256
+	bool "SHA2-256"
+	default y
+	help
+	  Enable SHA2-256 integrity algorithm
+
+config BR2_PACKAGE_DROPBEAR_HMAC_SHA2_512
+	bool "SHA2-512"
+	default y
+	help
+	  Enable SHA2-512 integrity algorithm
+
+config BR2_PACKAGE_DROPBEAR_HMAC_MD5
+	bool "MD5"
+	default y
+	help
+	  Enable MD5 integrity algorithm. If you disable MD5, Dropbear
+	  will fall back to SHA1 fingerprints, which are not the
+	  standard form
+
+endmenu
+
+menu "Dropbear key exchange algorithms"
+
+config BR2_PACKAGE_DROPBEAR_KEX_RSA
+	bool "RSA"
+	default y
+	help
+	  Enable RSA key exchange algorithm.
+
+config BR2_PACKAGE_DROPBEAR_KEX_DSS
+	bool "DSS"
+	default y
+	help
+	  Enable DSS key exchange algorithm. SSH2 RFC Draft requires
+	  DSS.
+
+config BR2_PACKAGE_DROPBEAR_KEX_ECDSA
+	bool "ECDSA"
+	default y
+	help
+	  Enable Curve25519 for key exchange. ECDSA is significantly
+	  faster than RSA or DSS. Compiling in ECC code (either ECDSA
+	  or ECDH) increases binary size - around 30kB on x86-64
+
+config BR2_PACKAGE_DROPBEAR_KEX_CURVE25519
+	bool "Curve25519"
+	default y
+	help
+	  Enable Curve25519 for key exchange. This is another elliptic
+	  curve method with good security properties
+
+config BR2_PACKAGE_DROPBEAR_KEX_ECDH
+	bool "ECDH"
+	default y
+	help
+	  Enable elliptic curve Diffie Hellman key exchange algorithm
+
+config BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP1
+	bool "DH Group1"
+	default y
+	help
+	  Enable DH Group1 key exchange algorithm. Group1 is less
+	  secure (1024 bit) than Group14 though is the only option for
+	  interoperability with some older SSH programs
+
+config BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP14
+	bool "DH Group14"
+	default y
+	help
+	  Enable DH Group14 key exchange algorithm
+
+endmenu
+
+menu "Dropbear authenticaton types"
+
+config BR2_PACKAGE_DROPBEAR_AUTH_TYPE_PASSWORD
+	bool "Password"
+	default y
+	help
+	  Enable password based authentication
+
+config BR2_PACKAGE_DROPBEAR_AUTH_TYPE_PUBKEY
+	bool "Public key"
+	default y
+	help
+	  Enable public key based authentication
+
+endmenu
+
 endif
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index dc1fee207f..cdbb77d5c3 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -45,9 +45,28 @@ define DROPBEAR_SET_OPTIONS
 	$(call DROPBEAR_SET_OPT,NO_FAST_EXPTMOD,$(BR2_PACKAGE_DROPBEAR_SMALL))
 	$(call DROPBEAR_SET_OPT,DO_HOST_LOOKUP,$(BR2_PACKAGE_DROPBEAR_ENABLE_REVERSE_DNS))
 	$(call DROPBEAR_SET_OPT,NON_INETD_MODE,$(BR2_USE_MMU))
-	$(call DROPBEAR_SET_OPT,DROPBEAR_BLOWFISH,!$(BR2_PACKAGE_DROPBEAR_SMALL))
-	$(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH128,!$(BR2_PACKAGE_DROPBEAR_SMALL))
-	$(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH256,!$(BR2_PACKAGE_DROPBEAR_SMALL))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_AES128,$(BR2_PACKAGE_DROPBEAR_CIPHER_AES128))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_AES256,$(BR2_PACKAGE_DROPBEAR_CIPHER_AES256))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_3DES,$(BR2_PACKAGE_DROPBEAR_CIPHER_3DES))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_BLOWFISH,$(BR2_PACKAGE_DROPBEAR_CIPHER_BLOWFISH))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH128,$(BR2_PACKAGE_DROPBEAR_CIPHER_TWOFISH128))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH256,$(BR2_PACKAGE_DROPBEAR_CIPHER_TWOFISH256))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_ENABLE_CBC_MODE,$(BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CBC))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_ENABLE_CTR_MODE,$(BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CTR))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_SHA1_HMAC,$(BR2_PACKAGE_DROPBEAR_HMAC_SHA1))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_SHA1_96_HMAC,$(BR2_PACKAGE_DROPBEAR_HMAC_SHA1_96))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_SHA2_256_HMAC,$(BR2_PACKAGE_DROPBEAR_HMAC_SHA2_256))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_SHA2_512_HMAC,$(BR2_PACKAGE_DROPBEAR_HMAC_SHA2_512))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_MD5_HMAC,$(BR2_PACKAGE_DROPBEAR_HMAC_MD5))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_RSA,$(BR2_PACKAGE_DROPBEAR_KEX_RSA))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_DSS,$(BR2_PACKAGE_DROPBEAR_KEX_DSS))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_ECDSA,$(BR2_PACKAGE_DROPBEAR_KEX_ECDSA))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_CURCE25519,$(BR2_PACKAGE_DROPBEAR_KEX_CURVE25519))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_ECDH,$(BR2_PACKAGE_DROPBEAR_KEX_ECDH))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_DH_GROUP1,$(BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP1))
+	$(call DROPBEAR_SET_OPT,DROPBEAR_DH_GROUP14,$(BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP14))
+	$(call DROPBEAR_SET_OPT,ENABLE_SVR_PASSWORD_AUTH,$(BR2_PACKAGE_DROPBEAR_AUTH_TYPE_PASSWORD))
+	$(call DROPBEAR_SET_OPT,ENABLE_SVR_PUBKEY_AUTH,$(BR2_PACKAGE_DROPBEAR_AUTH_TYPE_PUBKEY))
 endef
 
 DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SET_OPTIONS
-- 
2.17.0

[Buildroot] [PATCH 2/3] dropbear: Add configuration options for security features

[Thomas Petazzoni]

Hello,

On Wed, 18 Apr 2018 16:24:33 +0200, Stefan S?rensen wrote:
> The dropbear server provides no runtime configuration of ciphers, key
> exchange algorithms, etc., but must rather be configured compile time.
> With no configurability the default settings will be use which may not
> be desired in all scenearios.
> 
> These new options allow the selection of
>   Ciphers (AES128, AES256, 3DES, BLowfish, Twofish128, Twofish256)
>   Cipher modes (CBC, CTR)
>   Integrity algorithms (SHA1, SHA1-96, SHA2-256, SHA2-512, MD5)
>   Key exchange algorithms (RSA, DSS, ECDSA, Curve25519, ECDH)
>   Authenticaton types (Password, Pubkey)
> 
> No defaults are changed.
> 
> Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>

We received PATCH 2/3 and 3/3, but not 1/3. Was it sent ? Is it a
mistake ?

> +config BR2_PACKAGE_DROPBEAR_CIPHER_BLOWFISH
> +	bool "Blowfish"
> +	default y	if !BR2_PACKAGE_DROPBEAR_SMALL

No need for a tab before the "if".

Is it possible to enable this option even if
BR2_PACKAGE_DROPBEAR_SMALL=y ? I.e, does it build ?

> +menu "Dropbear authenticaton types"

authentication

Did you do a pass with ./utils/check-package on package/dropbear/*
after doing those changes ?

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 2/3] dropbear: Add configuration options for security features

[Sørensen, Stefan]

[Sorry for the double email Thomas, forgot to CC the list]

On Wed, 2018-04-18 at 17:10 +0200, Thomas Petazzoni wrote:

> We received PATCH 2/3 and 3/3, but not 1/3. Was it sent ? Is it a
> mistake ?

It is in patchwork: https://patchwork.ozlabs.org/patch/900310/

> 
> > +config BR2_PACKAGE_DROPBEAR_CIPHER_BLOWFISH
> > +   bool "Blowfish"
> > +   default y       if !BR2_PACKAGE_DROPBEAR_SMALL
> 
> No need for a tab before the "if".
> 
> Is it possible to enable this option even if
> BR2_PACKAGE_DROPBEAR_SMALL=y ? I.e, does it build ?

Yes, the selection of small code and ciphers are completely orthogonal.

> Did you do a pass with ./utils/check-package on package/dropbear/*
> after doing those changes ?

I did, not errors/warnings.

Stefan

[Buildroot] [PATCH 2/3] dropbear: Add configuration options for security features

[Arnout Vandecappelle]

On 18-04-18 16:24, Stefan S?rensen wrote:
> The dropbear server provides no runtime configuration of ciphers, key
> exchange algorithms, etc., but must rather be configured compile time.
> With no configurability the default settings will be use which may not
> be desired in all scenearios.
> 
> These new options allow the selection of
>   Ciphers (AES128, AES256, 3DES, BLowfish, Twofish128, Twofish256)
>   Cipher modes (CBC, CTR)
>   Integrity algorithms (SHA1, SHA1-96, SHA2-256, SHA2-512, MD5)
>   Key exchange algorithms (RSA, DSS, ECDSA, Curve25519, ECDH)
>   Authenticaton types (Password, Pubkey)
> 
> No defaults are changed.
> 
> Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
> ---
>  package/dropbear/Config.in   | 163 +++++++++++++++++++++++++++++++++++

 Do we really want so many configuration options?

 It is already possible to customize options.h through a patch in
BR2_GLOBAL_PATCH_DIR. I admit that that's a little hackish, so as an alternative
you could add an option to supply a custom options.h.

 Regards,
 Arnout

>  package/dropbear/dropbear.mk |  25 +++++-
>  2 files changed, 185 insertions(+), 3 deletions(-)
[snip]

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

[Buildroot] [PATCH 2/3] dropbear: Add configuration options for security features

[Sørensen, Stefan]

On Wed, 2018-04-18 at 23:58 +0200, Arnout Vandecappelle wrote:
> 
> On 18-04-18 16:24, Stefan S?rensen wrote:
> > 
> > These new options allow the selection of
> >   Ciphers (AES128, AES256, 3DES, BLowfish, Twofish128, Twofish256)
> >   Cipher modes (CBC, CTR)
> >   Integrity algorithms (SHA1, SHA1-96, SHA2-256, SHA2-512, MD5)
> >   Key exchange algorithms (RSA, DSS, ECDSA, Curve25519, ECDH)
> >   Authenticaton types (Password, Pubkey)
> > 
> > No defaults are changed.
> > 
> > Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
> > ---
>  package/dropbear/Config.in   | 163
> +++++++++++++++++++++++++++++++++++
>  Do we really want so many configuration options?

Yes, it is a lot of options. So what about:

   By default, enable the common and secure options (AES, CTR, SHA2,  
   ECDSA, Curve25519, Pubkey).

   Add an option to enable legacy/insecure options (3DES, CBC, SHA1-96, 
   MD5, RSA).

   Add an option to enable password authentication

   Drop Blowfish and Twofish configuration.


Stefan

[Buildroot] [PATCH 3/3] dropbear: Disable insecure options

[Stefan Sørensen]

The default dropbear configuration includes a number of features no longer
considered secure, so disable
  3DES cipher
  MD5 integrity algorithm
  SHA1-96 integrity algorithm
  DSS key exchange algorithm
  DH Group1 key exchange algorithm

Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
---
 package/dropbear/Config.in | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 441c521d18..c5acd333a8 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -71,7 +71,7 @@ config BR2_PACKAGE_DROPBEAR_CIPHER_AES256
 
 config BR2_PACKAGE_DROPBEAR_CIPHER_3DES
 	bool "3DES"
-	default y
+	default n
 	help
 	  Enable the 3DES cipher
 
@@ -99,7 +99,7 @@ menu "Dropbear cipher modes"
 
 config BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CBC
 	bool "CBC"
-	default y
+	default n
 	help
 	  Enable CBC mode for ciphers. This has security issues though
 	  is the most compatible with older SSH implementations
@@ -124,7 +124,7 @@ config BR2_PACKAGE_DROPBEAR_HMAC_SHA1
 
 config BR2_PACKAGE_DROPBEAR_HMAC_SHA1_96
 	bool "SHA1-96"
-	default y
+	default n
 	help
 	  Enable SHA1-96 integrity algorithm
 
@@ -142,7 +142,7 @@ config BR2_PACKAGE_DROPBEAR_HMAC_SHA2_512
 
 config BR2_PACKAGE_DROPBEAR_HMAC_MD5
 	bool "MD5"
-	default y
+	default n
 	help
 	  Enable MD5 integrity algorithm. If you disable MD5, Dropbear
 	  will fall back to SHA1 fingerprints, which are not the
@@ -160,7 +160,7 @@ config BR2_PACKAGE_DROPBEAR_KEX_RSA
 
 config BR2_PACKAGE_DROPBEAR_KEX_DSS
 	bool "DSS"
-	default y
+	default n
 	help
 	  Enable DSS key exchange algorithm. SSH2 RFC Draft requires
 	  DSS.
@@ -188,7 +188,7 @@ config BR2_PACKAGE_DROPBEAR_KEX_ECDH
 
 config BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP1
 	bool "DH Group1"
-	default y
+	default n
 	help
 	  Enable DH Group1 key exchange algorithm. Group1 is less
 	  secure (1024 bit) than Group14 though is the only option for
-- 
2.17.0

[Buildroot] [PATCH 3/3] dropbear: Disable insecure options

[Thomas Petazzoni]

Hello,

On Wed, 18 Apr 2018 16:24:34 +0200, Stefan S?rensen wrote:

>  config BR2_PACKAGE_DROPBEAR_CIPHER_3DES
>  	bool "3DES"
> -	default y
> +	default n

"default n" is the default, so it's not needed. You can therefore
simply remove those "default y" lines instead of replacing them with
"default n". And perhaps extend the help text of those options to say
that those ciphers/hashes are considered insecure.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 1/3] dropbear: Use macro to set options

[François Perrad]

2018-04-18 16:24 GMT+02:00 Stefan S?rensen <stefan.sorensen@spectralink.com>
:

> Introduce a macro for editing options.h according to the Buildroot
> configuration, replacing individual sed scripts.
>
>
with dropbear 2018.76, any customised options should be put in
localoptions.h,
instead of patching options.h

Fran?ois


> Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
> ---
>  package/dropbear/dropbear.mk | 37 +++++++++++++++---------------------
>  1 file changed, 15 insertions(+), 22 deletions(-)
>
> diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
> index 01a1a07b76..dc1fee207f 100644
> --- a/package/dropbear/dropbear.mk
> +++ b/package/dropbear/dropbear.mk
> @@ -32,24 +32,25 @@ endef
>
>  DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_FIX_XAUTH
>
> -define DROPBEAR_ENABLE_REVERSE_DNS
> -       $(SED) 's:.*\(#define DO_HOST_LOOKUP\).*:\1:' $(@D)/options.h
> +define DROPBEAR_SET_OPT # (define, option)
> +       if [ 'x$(2)' = 'xy' -o 'x$(2)' = 'x!' ]; then \
> +               $(SED) 's:.*\(#define $(1)\)\([^A-Z0-9_]\|$$\).*:\1 1:'
> $(@D)/options.h; \
> +       else \
> +               $(SED) 's:.*\(#define $(1)\)\([^A-Z0-9_]\|$$\).*:/*\1*/:'
> $(@D)/options.h; \
> +       fi
>  endef
>
> -define DROPBEAR_BUILD_SMALL
> -       $(SED) 's:.*\(#define NO_FAST_EXPTMOD\).*:\1:' $(@D)/options.h
> +define DROPBEAR_SET_OPTIONS
> +       $(call DROPBEAR_SET_OPT,DROPBEAR_SMALL_CODE,$(BR2_PACKAGE_
> DROPBEAR_SMALL))
> +       $(call DROPBEAR_SET_OPT,NO_FAST_EXPTMOD,$(BR2_PACKAGE_
> DROPBEAR_SMALL))
> +       $(call DROPBEAR_SET_OPT,DO_HOST_LOOKUP,$(BR2_PACKAGE_DROPBEAR_
> ENABLE_REVERSE_DNS))
> +       $(call DROPBEAR_SET_OPT,NON_INETD_MODE,$(BR2_USE_MMU))
> +       $(call DROPBEAR_SET_OPT,DROPBEAR_BLOWFISH,!$(BR2_PACKAGE_
> DROPBEAR_SMALL))
> +       $(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH128,!$(BR2_PACKAGE_
> DROPBEAR_SMALL))
> +       $(call DROPBEAR_SET_OPT,DROPBEAR_TWOFISH256,!$(BR2_PACKAGE_
> DROPBEAR_SMALL))
>  endef
>
> -define DROPBEAR_BUILD_FEATURED
> -       $(SED) 's:^#define DROPBEAR_SMALL_CODE::' $(@D)/options.h
> -       $(SED) 's:.*\(#define DROPBEAR_BLOWFISH\).*:\1:' $(@D)/options.h
> -       $(SED) 's:.*\(#define DROPBEAR_TWOFISH128\).*:\1:' $(@D)/options.h
> -       $(SED) 's:.*\(#define DROPBEAR_TWOFISH256\).*:\1:' $(@D)/options.h
> -endef
> -
> -define DROPBEAR_DISABLE_STANDALONE
> -       $(SED) 's:\(#define NON_INETD_MODE\):/*\1 */:' $(@D)/options.h
> -endef
> +DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_SET_OPTIONS
>
>  define DROPBEAR_INSTALL_INIT_SYSTEMD
>         $(INSTALL) -D -m 644 package/dropbear/dropbear.service \
> @@ -64,19 +65,11 @@ define DROPBEAR_INSTALL_INIT_SYSV
>         $(INSTALL) -D -m 755 package/dropbear/S50dropbear \
>                 $(TARGET_DIR)/etc/init.d/S50dropbear
>  endef
> -else
> -DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_STANDALONE
> -endif
> -
> -ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS),)
> -DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_ENABLE_REVERSE_DNS
>  endif
>
>  ifeq ($(BR2_PACKAGE_DROPBEAR_SMALL),y)
> -DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_BUILD_SMALL
>  DROPBEAR_CONF_OPTS += --disable-zlib
>  else
> -DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_BUILD_FEATURED
>  DROPBEAR_DEPENDENCIES += zlib
>  endif
>
> --
> 2.17.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20180420/866efc7b/attachment.html>

[Buildroot] [PATCH 1/3] dropbear: Use macro to set options

[Thomas Petazzoni]

Hello Stefan,

On Wed, 18 Apr 2018 16:24:32 +0200, Stefan S?rensen wrote:
> Introduce a macro for editing options.h according to the Buildroot
> configuration, replacing individual sed scripts.
> 
> Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>

I have merged some patches from Fran?ois Perrad (submitted before your
series) that bump Dropbear to 2018.76. And the mechanism to tweak
options has changed quite a bit.

You now simply needs to add #define in a file called localoptions.h,
overriding the default option values.

Could you rebase your patch series on top of the latest dropbear
changes ?

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com