From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from ptx.hi.pengutronix.de ([2001:67c:670:100:1d::c0] ident=Debian-exim) by metis.ext.pengutronix.de with esmtp (Exim 4.72) (envelope-from ) id 1YORnB-0004Dr-Di for ptxdist@pengutronix.de; Thu, 19 Feb 2015 15:09:25 +0100 Received: from mol by ptx.hi.pengutronix.de with local (Exim 4.80) (envelope-from ) id 1YORnB-0000Jr-CM for ptxdist@pengutronix.de; Thu, 19 Feb 2015 15:09:25 +0100 Date: Thu, 19 Feb 2015 15:09:25 +0100 From: Michael Olbrich Message-ID: <20150219140925.GL30223@pengutronix.de> References: <1424101629-16021-1-git-send-email-bth@kamstrup.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <1424101629-16021-1-git-send-email-bth@kamstrup.com> Subject: Re: [ptxdist] [PATCH] dropbear: version bump 2014.65 -> 2015.67 Reply-To: ptxdist@pengutronix.de List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ptxdist-bounces@pengutronix.de Errors-To: ptxdist-bounces@pengutronix.de To: ptxdist@pengutronix.de On Mon, Feb 16, 2015 at 04:47:09PM +0100, Bruno Thomsen wrote: > The new version contain options to enable/disable cipher modes. > Keeping today's default cipher mode. > In a secure solution one would disable CBC and enable CTR. > > Signed-off-by: Bruno Thomsen > --- > rules/dropbear.in | 15 +++++++++++++++ > rules/dropbear.make | 18 ++++++++++++++++-- > 2 files changed, 31 insertions(+), 2 deletions(-) > > diff --git a/rules/dropbear.in b/rules/dropbear.in > index fe2ada3..79aad57 100644 > --- a/rules/dropbear.in > +++ b/rules/dropbear.in 
> @@ -203,6 +203,21 @@ config DROPBEAR_TWOFISH256 > bijective f function made by four key-dependent > 8x8-bit S-boxes. > > +config DROPBEAR_CBC_CIPHERS > + bool > + prompt "CBC mode ciphers" > + default y > + help > + Enable CBC mode for ciphers. This has security issues though > + is the most compatible with older SSH implementations. In that case, shouldn't this be off by default? Those that still need it can enable it. Michael > + > +config DROPBEAR_CTR_CIPHERS > + bool > + prompt "Counter mode ciphers" > + help > + Enable "Counter Mode" for ciphers. This is more secure than normal > + CBC mode against certain attacks. This adds around 1kB to binary > + size and is recommended for most cases. > > comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96" > > diff --git a/rules/dropbear.make b/rules/dropbear.make > index f03d0fc..ab9da5d 100644 > --- a/rules/dropbear.make > +++ b/rules/dropbear.make > @@ -18,8 +18,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear > # > # Paths and names > # > -DROPBEAR_VERSION := 2014.65 > -DROPBEAR_MD5 := 1918604238817385a156840fa2c39490 > +DROPBEAR_VERSION := 2015.67 > +DROPBEAR_MD5 := e967e320344cd4bfebe321e3ab8514d6 > DROPBEAR := dropbear-$(DROPBEAR_VERSION) > DROPBEAR_SUFFIX := tar.bz2 > DROPBEAR_URL := http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX) 
> @@ -163,7 +163,21 @@ else > @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128) > endif > > +ifdef PTXCONF_DROPBEAR_CBC_CIPHERS > + @echo "ptxdist: enabling cbc ciphers" > + @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE) > +else > + @echo "ptxdist: disabling cbc ciphers" > + @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE) > +endif > > +ifdef PTXCONF_DROPBEAR_CTR_CIPHERS > + @echo "ptxdist: enabling ctr ciphers" > + @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE) > +else > + @echo "ptxdist: disabling ctr ciphers" > + @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE) > +endif > > ifdef PTXCONF_DROPBEAR_SHA1 > @echo "ptxdist: enabling sha1" > -- > 1.9.1 > > > -- > ptxdist mailing list > ptxdist@pengutronix.de > -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | -- ptxdist mailing list ptxdist@pengutronix.de
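Review bot: in the rules/dropbear.in hunk, DROPBEAR_CTR_CIPHERS has no `default` line, so the mode whose own help text says it "is recommended for most cases" ends up off in a fresh menuconfig, while DROPBEAR_CBC_CIPHERS, whose help text says it "has security issues", is `default y`. Suggest `default y` on the CTR option, and dropping the default on CBC as already raised in this thread, so that a default build gets the safer mode and CBC becomes an explicit opt-in for older peers. The CBC help text would also read better as "This has security issues but is the most compatible with older SSH implementations."

Review bot: in the rules/dropbear.make version hunk, DROPBEAR_URL is plain http:// and the only integrity check on the fetched tarball is DROPBEAR_MD5, so the new value `e967e320344cd4bfebe321e3ab8514d6` is worth confirming against upstream's published checksum or signed release rather than against whatever the mirror served at the time; a one-line note in the commit message saying where the hash was taken from would make that verifiable later.

Review bot: in the @@ -163,7 +163,21 @@ hunk, the two ifdef/else blocks let PTXCONF_DROPBEAR_CBC_CIPHERS and PTXCONF_DROPBEAR_CTR_CIPHERS be disabled independently, so nothing stops a configuration with both off, which would disable both block cipher modes at once. The MAC section already carries a `comment "Integrity, at least one required ..."` line; a matching comment (or a Kconfig dependency) for the cipher modes would make the constraint visible to whoever is turning CBC off.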