dropbear: disable MD5 HMAC and switch to sha1 fingerprints

As MD5 is known weak for many years and more and more
penetration test tools complain about enabled MD5 HMAC
I think it's time to drop it.

By disabling the MD5 HMAC support dropbear  will also
automatically use SHA1 for fingerprints.
This shouldn't be a problem too.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
owl
Martin Schiller 2017-11-22 13:39:51 +01:00 committed by Hans Dedecker
parent 575178e462
commit 65d62b5f4f
2 changed files with 5 additions and 3 deletions

View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear PKG_NAME:=dropbear
PKG_VERSION:=2017.75 PKG_VERSION:=2017.75
PKG_RELEASE:=4 PKG_RELEASE:=5
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \ PKG_SOURCE_URL:= \

View File

@ -39,7 +39,7 @@
/* Enable "Counter Mode" for ciphers. This is more secure than normal /* Enable "Counter Mode" for ciphers. This is more secure than normal
* CBC mode against certain attacks. It is recommended for security * CBC mode against certain attacks. It is recommended for security
@@ -131,9 +131,9 @@ If you test it please contact the Dropbe @@ -131,10 +131,10 @@ If you test it please contact the Dropbe
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints, * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */ * which are not the standard form. */
#define DROPBEAR_SHA1_HMAC #define DROPBEAR_SHA1_HMAC
@ -47,10 +47,12 @@
+/*#define DROPBEAR_SHA1_96_HMAC*/ +/*#define DROPBEAR_SHA1_96_HMAC*/
#define DROPBEAR_SHA2_256_HMAC #define DROPBEAR_SHA2_256_HMAC
-#define DROPBEAR_SHA2_512_HMAC -#define DROPBEAR_SHA2_512_HMAC
-#define DROPBEAR_MD5_HMAC
+/*#define DROPBEAR_SHA2_512_HMAC*/ +/*#define DROPBEAR_SHA2_512_HMAC*/
#define DROPBEAR_MD5_HMAC +/*#define DROPBEAR_MD5_HMAC*/
/* You can also disable integrity. Don't bother disabling this if you're /* You can also disable integrity. Don't bother disabling this if you're
* still using a cipher, it's relatively cheap. If you disable this it's dead
@@ -146,7 +146,7 @@ If you test it please contact the Dropbe @@ -146,7 +146,7 @@ If you test it please contact the Dropbe
* Removing either of these won't save very much space. * Removing either of these won't save very much space.
* SSH2 RFC Draft requires dss, recommends rsa */ * SSH2 RFC Draft requires dss, recommends rsa */