dropbear: add option to enable modern crypto only
Reduces binary/package size and increases overall performance. Also: - adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
This commit is contained in:
parent
88c8053d47
commit
bf900e02c7
@ -145,4 +145,25 @@ config DROPBEAR_AGENTFORWARD
|
||||
Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
|
||||
dropbear client) if DROPBEAR_DBCLIENT is selected.
|
||||
|
||||
config DROPBEAR_MODERN_ONLY
|
||||
bool "Use modern crypto only [BREAKS COMPATIBILITY]"
|
||||
select DROPBEAR_ED25519
|
||||
select DROPBEAR_CURVE25519
|
||||
select DROPBEAR_CHACHA20POLY1305
|
||||
help
|
||||
This option enables:
|
||||
- Chacha20-Poly1305
|
||||
- Curve25519
|
||||
- Ed25519
|
||||
and disables:
|
||||
- AES
|
||||
- RSA
|
||||
- SHA1
|
||||
|
||||
Reduces binary size by about 64 kB (MIPS) from default
|
||||
configuration.
|
||||
|
||||
Consider enabling this option if you're building own OpenWrt
|
||||
image and using modern SSH software everywhere.
|
||||
|
||||
endmenu
|
||||
|
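Review bot: The help text's `- SHA1` bullet promises more than the Makefile hunk delivers: the `DB_OPT_CONFIG` additions only flip `DROPBEAR_RSA_SHA1`, while the SHA-1 HMAC and group14-sha1 key-exchange options are not touched in that hunk, so unless they are already forced off elsewhere in the Makefile a "modern only" build still negotiates SHA-1 MACs and KEX. Either extend the Makefile hunk to cover them or narrow the bullet to `- RSA/SHA1 signatures`, so the prompt does not overstate what the option removes. The help should also state the operational consequence of `- RSA`: with RSA compiled out, an existing RSA host key and RSA `authorized_keys` entries will presumably be rejected, so suggest adding `Provision an Ed25519 host key and Ed25519 client keys before enabling this, or remote access is lost on the next boot.` next to the `[BREAKS COMPATIBILITY]` prompt.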
@ -33,7 +33,8 @@ PKG_CONFIG_DEPENDS:= \
|
||||
CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
|
||||
CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
|
||||
CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \
|
||||
CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD
|
||||
CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD \
|
||||
CONFIG_DROPBEAR_MODERN_ONLY
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
@ -148,6 +149,11 @@ DB_OPT_CONFIG = \
|
||||
DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_ASKPASS,1,0 \
|
||||
DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD,1,0 \
|
||||
DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_AGENTFORWARD,1,0 \
|
||||
DROPBEAR_AES128,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
|
||||
DROPBEAR_AES256,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
|
||||
DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
|
||||
DROPBEAR_RSA,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
|
||||
DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
|
||||
|
||||
|
||||
TARGET_CFLAGS += -DARGTYPE=3
|
||||
|
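Review bot: The fourth column of the new `DB_OPT_CONFIG` rows pins every disabled feature to `1` when `CONFIG_DROPBEAR_MODERN_ONLY` is off (assuming, as the existing `,1,0` rows suggest, that it is the value used when the symbol is unset), so a non-modern build now explicitly re-enables `DROPBEAR_RSA_SHA1` rather than inheriting upstream's default; if upstream later turns SHA-1 RSA signatures off, this line silently keeps them on. Consider giving `DROPBEAR_RSA_SHA1` its own config symbol so SHA-1 signatures can be dropped without the full "modern only" switch, or document in a comment that the `,1` intentionally matches today's upstream default. The `DROPBEAR_ENABLE_CTR_MODE` row is redundant once both AES rows are `0`, which is harmless but worth a one-line comment so nobody reads it as a separate cipher-mode policy.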
@ -21,7 +21,7 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
||||
|
||||
--- a/signkey.c
|
||||
+++ b/signkey.c
|
||||
@@ -652,8 +652,12 @@ int buf_verify(buffer * buf, sign_key *k
|
||||
@@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k
|
||||
sigtype = signature_type_from_name(type_name, type_name_len);
|
||||
m_free(type_name);
|
||||
|
||||
@ -29,10 +29,16 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
||||
- dropbear_exit("Non-matching signing type");
|
||||
+ if (sigtype == DROPBEAR_SIGNATURE_NONE) {
|
||||
+ dropbear_exit("No signature type");
|
||||
+ }
|
||||
+
|
||||
+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
|
||||
+ dropbear_exit("Non-matching signing type");
|
||||
}
|
||||
|
||||
+#if DROPBEAR_RSA
|
||||
+#if DROPBEAR_RSA_SHA256
|
||||
+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
|
||||
+ dropbear_exit("Non-matching signing type");
|
||||
+ }
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
keytype = signkey_type_from_signature(sigtype);
|
||||
#if DROPBEAR_DSS
|
||||
if (keytype == DROPBEAR_SIGNKEY_DSS) {
|
||||
|
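Review bot: The reworked patch drops the `expect_sigtype != sigtype` check entirely whenever `DROPBEAR_RSA` or `DROPBEAR_RSA_SHA256` is 0, because the whole `if` is now inside the nested `#if` blocks; the "Non-matching signing type" exit was a consistency check between the algorithm the verifier expects and the one named in the signature blob, and the modern-only build loses it. The `#if` is presumably needed only because `DROPBEAR_SIGNATURE_RSA_SHA256` is not declared without RSA, so guard just that operand and keep the comparison unconditional, as in the excerpt below. `buf_verify` starts and ends outside this hunk, so the per-key-type `NULL` checks that follow may still reject a type-confused key, but relying on them instead of the explicit check is a defense-in-depth regression worth avoiding.
```c
	/* … unchanged: "No signature type" check … */

	/* Keep the expected/actual algorithm check in every build; only the
	 * rsa-sha2-256 exemption needs the RSA-only enum constant. */
	if (
#if DROPBEAR_RSA && DROPBEAR_RSA_SHA256
	    (expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) &&
#endif
	    (expect_sigtype != sigtype)) {
		dropbear_exit("Non-matching signing type");
	}
	/* … unchanged: keytype dispatch … */
```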