From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mail.kamstrup.com ([93.167.225.188]) by metis.ext.pengutronix.de with esmtp (Exim 4.72) (envelope-from ) id 1YOkF9-0004DJ-24 for ptxdist@pengutronix.de; Fri, 20 Feb 2015 10:51:32 +0100 From: Bruno Thomsen Date: Fri, 20 Feb 2015 10:51:17 +0100 Message-ID: <1424425877-9444-1-git-send-email-bth@kamstrup.com> MIME-Version: 1.0 Subject: [ptxdist] [PATCHv2] dropbear: version bump 2014.65 -> 2015.67 Reply-To: ptxdist@pengutronix.de List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ptxdist-bounces@pengutronix.de Errors-To: ptxdist-bounces@pengutronix.de To: ptxdist@pengutronix.de Cc: bth@kamstrup.com The new version contain options to enable/disable cipher modes. Default security level increased by disabling CBC mode and enabling CTR mode. Tenable Network Security - Nessus: http://www.tenable.com/plugins/index.php?view=single&id=70658 Signed-off-by: Bruno Thomsen
--- rules/dropbear.in | 15 +++++++++++++++ rules/dropbear.make | 18 ++++++++++++++++-- 2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/rules/dropbear.in b/rules/dropbear.in
index fe2ada3..1c1d813 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -203,6 +203,21 @@ config DROPBEAR_TWOFISH256
 bijective f function made by four key-dependent 8x8-bit S-boxes.
+config DROPBEAR_CBC_CIPHERS
+ bool
+ prompt "CBC mode ciphers"
+ help
+ Enable CBC mode for ciphers. This has security issues though
+ is the most compatible with older SSH implementations.
+config DROPBEAR_CTR_CIPHERS
+ bool
+ prompt "Counter mode ciphers"
+ default y
+ help
+ Enable "Counter Mode" for ciphers. This is more secure than normal
+ CBC mode against certain attacks. This adds around 1kB to binary
+ size and is recommended for most cases.
 comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96"
diff --git a/rules/dropbear.make b/rules/dropbear.make
index f03d0fc..ab9da5d 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -18,8 +18,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
 #
 # Paths and names
 #
-DROPBEAR_VERSION := 2014.65
-DROPBEAR_MD5 := 1918604238817385a156840fa2c39490
+DROPBEAR_VERSION := 2015.67
+DROPBEAR_MD5 := e967e320344cd4bfebe321e3ab8514d6
 DROPBEAR := dropbear-$(DROPBEAR_VERSION)
 DROPBEAR_SUFFIX := tar.bz2
 DROPBEAR_URL := http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
@@ -163,7 +163,21 @@ else
 @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128)
 endif
+ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
+ @echo "ptxdist: enabling cbc ciphers"
+ @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE)
+else
+ @echo "ptxdist: disabling cbc ciphers"
+ @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE)
+endif
+ifdef PTXCONF_DROPBEAR_CTR_CIPHERS
+ @echo "ptxdist: enabling ctr ciphers"
+ @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE)
+else
+ @echo "ptxdist: disabling ctr ciphers"
+ @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE)
+endif
 ifdef PTXCONF_DROPBEAR_SHA1
 @echo "ptxdist: enabling sha1"
-- 1.9.1 -- ptxdist mailing list ptxdist@pengutronix.de
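Review bot: Nothing in the two new Kconfig entries prevents a configuration with both DROPBEAR_CBC_CIPHERS and DROPBEAR_CTR_CIPHERS unset, and the dropbear.make hunk then calls disable_c for both DROPBEAR_ENABLE_CBC_MODE and DROPBEAR_ENABLE_CTR_MODE, so every cipher selected above is built with no mode to run it in — unless dropbear's own headers reject that combination at compile time, the result is an sshd that can offer no ciphers at all (the recipe those ifdef blocks live in starts outside the hunk). The file already marks this kind of constraint for MACs with `comment "Integrity, at least one required --- ..."`, so the same marker belongs above the new entries, `comment "Cipher mode, at least one required"`; if a hard failure is preferred, `ifeq ($(PTXCONF_DROPBEAR_CBC_CIPHERS)$(PTXCONF_DROPBEAR_CTR_CIPHERS),)` / `$(error dropbear: enable at least one cipher mode)` / `endif` in dropbear.make turns the misconfiguration into a build error instead of an unusable server. The CBC help text would also be more useful if it named the issue rather than saying "has security issues": the Nessus check cited in the commit message is, as far as I know, the CBC-mode plaintext-recovery advisory (CVE-2008-5161), which is exactly what someone needs to weigh when deciding whether to re-enable CBC for an old client.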