From: Markus Mayer via buildroot <buildroot@buildroot.org>
To: Buildroot Mailing List <buildroot@buildroot.org>
Cc: Markus Mayer <mmayer@broadcom.com>
Subject: [Buildroot] [PATCH] package/dropbear: provide config option to turn off SHA1 for RSA
Date: Fri, 16 Aug 2024 17:00:26 -0700
Message-ID: <20240817000027.654079-1-mmayer@broadcom.com>
Since SHA1 hashing is considered insecure, users may wish to disable
support for it. This will reduce compatibility with older systems but
provide a more secure setup.
SHA1 support for RSA is slated to be removed from dropbear at some
point. This new option also gives users the ability to disable support
early and evaluate what consequences this upcoming change might bring.
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
---
package/dropbear/Config.in | 6 ++++++
package/dropbear/dropbear.mk | 7 +++++++
2 files changed, 13 insertions(+)
diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 207c1f561700..099f61535aa2 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -67,6 +67,12 @@ config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
DSA public keys
Diffie-Hellman Group1 key exchange
+config BR2_PACKAGE_DROPBEAR_DISABLE_RSA_SHA1
+ bool "disable SHA1 hashing for RSA"
+ help
+ SHA1 is no longer considered secure. Users may want to disable
+ it. However, this may preclude older clients from connecting.
+
config BR2_PACKAGE_DROPBEAR_LOCALOPTIONS_FILE
string "path to custom localoptions.h definitions file"
help
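Review bot: the help text of BR2_PACKAGE_DROPBEAR_DISABLE_RSA_SHA1 is too vague for a user to judge the compatibility cost it warns about: "SHA1 is no longer considered secure" and "older clients" name neither the affected algorithm nor the mechanism. Suggest saying concretely what is turned off (the prompt reads "disable SHA1 hashing for RSA", so spell out whether RSA host and user keys themselves remain usable with their SHA-2 signature variants, or whether RSA goes away entirely), which define this maps to in localoptions.h ("DROPBEAR_RSA_SHA1 0", per the dropbear.mk hunk), and how it relates to the BR2_PACKAGE_DROPBEAR_LOCALOPTIONS_FILE option directly below, through which a user could set the same define by hand. The commit message says the option exists so users can try the upcoming dropbear default early; that motivation belongs in the help text too, since it is the main reason to flip a bool that otherwise only removes a feature.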
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index 9423d891c8d3..56a0b9d910b4 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -77,6 +77,13 @@ endef
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_ENABLE_LEGACY_CRYPTO
endif
+ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_RSA_SHA1),y)
+define DROPBEAR_DISABLE_RSA_SHA1
+ echo '#define DROPBEAR_RSA_SHA1 0' >> $(@D)/localoptions.h
+endef
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_RSA_SHA1
+endif
+
ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS),)
define DROPBEAR_ENABLE_REVERSE_DNS
echo '#define DO_HOST_LOOKUP 1' >> $(@D)/localoptions.h
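Review bot: DROPBEAR_DISABLE_RSA_SHA1 appends "#define DROPBEAR_RSA_SHA1 0" to $(@D)/localoptions.h unconditionally, so please check and document its interaction with BR2_PACKAGE_DROPBEAR_LOCALOPTIONS_FILE (visible in the Config.in hunk): if a user-supplied file is copied over localoptions.h after the post-extract hooks have run, the define is silently lost and the option does nothing; if it is concatenated and the file already contains its own DROPBEAR_RSA_SHA1 line, the compiler sees a macro redefinition. Either make the ordering explicit in the recipe, or state in the Config.in help which of the two mechanisms wins. Apart from that the hook follows the existing DROPBEAR_ENABLE_REVERSE_DNS pattern and is fine.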
--
2.46.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
Thread overview (8+ messages):
  2024-08-17 00:00  Markus Mayer via buildroot [this message]
  2024-08-17 10:10  ` Thomas Petazzoni via buildroot
  2024-08-17 19:49  ` Markus Mayer via buildroot
  2024-08-18 20:48  ` Peter Korsgaard
  2024-08-18 22:31  ` Markus Mayer via buildroot
  2024-08-19 07:11  ` Peter Korsgaard
  2024-08-20 20:27  ` Markus Mayer via buildroot
  2025-05-13 11:08  ` Peter Korsgaard