dropbear with external libtommath/libtomcrypt

Matt Johnston matt at ucc.asn.au
Tue Apr 19 20:44:57 AWST 2016


Hi Peter,

External libraries are fine - Debian has used them for a
while. The only security-important change is
https://secure.ucc.asn.au/hg/dropbear/rev/a55b97f5a485 which
I assume is already in buildroot.

I've made a few small changes to clear memory or avoid
memory allocations - those could go upstream to libtom at
some point.

Cheers,
Matt

On Sat, Apr 16, 2016 at 11:29:02AM +0200, Peter Korsgaard wrote:
> Hi,
> 
> We've recently received patches in Buildroot (http://buildroot.org) to
> build libtommath/libtomcrypt (statically) separately and link dropbear
> against those instead of the bundled copies.
> 
> In general we prefer to use system libraries instead of bundled versions
> whenever possible, but as dropbear is security sensitive I wanted to
> check before making the change.
> 
> I see that the bundled copies contain local changes. What are the
> pros/cons of using the bundled versions vs external?
> 
> -- 
> Bye, Peter Korsgaard

