dropbear: add option to enable modern crypto only
author
Konstantin Demin
<rockdrilla@gmail.com>
Tue, 9 Jan 2024 00:40:01 +0000
(
03:40
+0300)
committer
Rui Salvaterra
<rsalvaterra@gmail.com>
Fri, 9 Feb 2024 09:13:05 +0000
(09:13 +0000)
reduces binary/package size and increases overall performance
also:
- adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
package/network/services/dropbear/Config.in
package/network/services/dropbear/Makefile
package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
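--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -145,4 +145,25 @@ config DROPBEAR_AGENTFORWARD
 Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
 dropbear client) if DROPBEAR_DBCLIENT is selected.
+config DROPBEAR_MODERN_ONLY
+ bool "Use modern crypto only [BREAKS COMPATIBILITY]"
+ select DROPBEAR_ED25519
+ select DROPBEAR_CURVE25519
+ select DROPBEAR_CHACHA20POLY1305
+ help
+ This option enables:
+ - Chacha20-Poly1305
+ - Curve25519
+ - Ed25519
+ and disables:
+ - AES
+ - RSA
+ - SHA1
+
+ Reduces binary size by about 64 kB (MIPS) from default
+ configuration.
+
+ Consider enabling this option if you're building own OpenWrt
+ image and using modern SSH software everywhere.
+
 endmenu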
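Review bot: The help text for DROPBEAR_MODERN_ONLY claims the option "disables ... SHA1", but the only SHA-1 related build option the Makefile turns off under this symbol is DROPBEAR_RSA_SHA1, which is already moot once DROPBEAR_RSA itself is 0; no SHA-1 MAC option is touched, so hmac-sha1 presumably remains negotiable. Either narrow the help text to what the option actually does, e.g. replace `- SHA1` with `- RSA signatures (including rsa-sha2-256)`, or disable the SHA-1 HMAC in the Makefile so the claim holds. It would also help users to state the compatibility floor explicitly, e.g. add to the help: `Peers must support ed25519 host keys, curve25519 key exchange and chacha20-poly1305.`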
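--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -33,7 +33,8 @@
 PKG_CONFIG_DEPENDS:= \
 CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
 CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
 CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \
- CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD
+ CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD \
+ CONFIG_DROPBEAR_MODERN_ONLY
 include $(INCLUDE_DIR)/package.mk
@@ -148,6 +149,11 @@
 DB_OPT_CONFIG = \
 DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_ASKPASS,1,0 \
 DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD,1,0 \
 DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_AGENTFORWARD,1,0 \
+ DROPBEAR_AES128,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+ DROPBEAR_AES256,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+ DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+ DROPBEAR_RSA,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+ DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
 TARGET_CFLAGS += -DARGTYPE=3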
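Review bot: Forcing DROPBEAR_RSA to 0 in the `DROPBEAR_RSA,CONFIG_DROPBEAR_MODERN_ONLY,0,1` line interacts with the companion change to 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch in this commit, which now wraps the whole `expect_sigtype != sigtype` comparison in `#if DROPBEAR_RSA` / `#if DROPBEAR_RSA_SHA256`; with this option enabled, buf_verify keeps only the DROPBEAR_SIGNATURE_NONE check and no longer rejects a signature blob whose declared type differs from the one the caller expects. The unconditional check that upstream has, `if (expect_sigtype != sigtype) { dropbear_exit("Non-matching signing type"); }`, should be retained in an `#else` branch of that patch so the non-RSA build is not weaker than the default build; whether the keytype-specific verify path after `signkey_type_from_signature` would still catch the mismatch is outside the visible hunk. Separately, the DROPBEAR_RSA_SHA1 line is redundant once DROPBEAR_RSA is 0, and no SHA-1 MAC option is disabled here, so the Config.in help text's "disables SHA1" is broader than this list; consider adding the SHA-1 HMAC option to this block (if the packaged version exposes one) or narrowing the help text. A short comment above the five new lines, e.g. `# CONFIG_DROPBEAR_MODERN_ONLY: drop AES/CTR and RSA; see patches/910-* for the signkey.c path this affects`, would make the coupling visible to the next maintainer.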
diff --git
a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
index 442fdcfc756d8887275605a0114a93ae326f1243..059177a1c58174d0e7304554f94b6d0f40181f34 100644
--- a/
package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
+++ b/
package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
@@
-21,7
+21,7
@@
Signed-off-by: Petr Štetiar <ynezz@true.cz>
--- a/signkey.c
+++ b/signkey.c
--- a/signkey.c
+++ b/signkey.c
-@@ -652,
8 +652,12
@@ int buf_verify(buffer * buf, sign_key *k
+@@ -652,
10 +652,18
@@ int buf_verify(buffer * buf, sign_key *k
sigtype = signature_type_from_name(type_name, type_name_len);
m_free(type_name);
sigtype = signature_type_from_name(type_name, type_name_len);
m_free(type_name);
@@
-29,10
+29,16
@@
Signed-off-by: Petr Štetiar <ynezz@true.cz>
- dropbear_exit("Non-matching signing type");
+ if (sigtype == DROPBEAR_SIGNATURE_NONE) {
+ dropbear_exit("No signature type");
- dropbear_exit("Non-matching signing type");
+ if (sigtype == DROPBEAR_SIGNATURE_NONE) {
+ dropbear_exit("No signature type");
-+ }
-+
-+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
-+ dropbear_exit("Non-matching signing type");
}
}
++#if DROPBEAR_RSA
++#if DROPBEAR_RSA_SHA256
++ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
++ dropbear_exit("Non-matching signing type");
++ }
++#endif
++#endif
++
keytype = signkey_type_from_signature(sigtype);
keytype = signkey_type_from_signature(sigtype);
+ #if DROPBEAR_DSS
+ if (keytype == DROPBEAR_SIGNKEY_DSS) {