dropbear: split ECC support to basic and full
authorKonstantin Demin <rockdrilla@gmail.com>
Mon, 25 Mar 2019 19:00:28 +0000 (22:00 +0300)
committerHans Dedecker <dedeckeh@gmail.com>
Mon, 25 Mar 2019 21:25:35 +0000 (22:25 +0100)
- limit ECC support to ec*-sha2-nistp256:
  * DROPBEAR_ECC now provides only basic support for ECC
- provide full ECC support as an option:
  * DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521}
- update feature costs in binary size

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
package/network/services/dropbear/Config.in
package/network/services/dropbear/Makefile

index ca0af9d..9106322 100644 (file)
@@ -8,29 +8,46 @@ config DROPBEAR_CURVE25519
                This enables the following key exchange algorithm:
                  curve25519-sha256@libssh.org
 
-               Increases binary size by about 13 kB uncompressed (MIPS).
+               Increases binary size by about 8 kB uncompressed (MIPS).
 
 config DROPBEAR_ECC
        bool "Elliptic curve cryptography (ECC)"
        default n
        help
-               Enables elliptic curve cryptography (ECC) support in key exchange and public key
-               authentication.
+               Enables basic support for elliptic curve cryptography (ECC)
+               in key exchange and public key authentication.
 
                Key exchange algorithms:
                  ecdh-sha2-nistp256
+
+               Public key algorithms:
+                 ecdsa-sha2-nistp256
+
+               Increases binary size by about 24 kB (MIPS).
+
+               If full ECC support is required, also select DROPBEAR_ECC_FULL.
+
+config DROPBEAR_ECC_FULL
+       bool "Elliptic curve cryptography (ECC), full support"
+       default n
+       depends on DROPBEAR_ECC
+       help
+               Enables full support for elliptic curve cryptography (ECC)
+               in key exchange and public key authentication.
+
+               Key exchange algorithms:
+                 ecdh-sha2-nistp256 (*)
                  ecdh-sha2-nistp384
                  ecdh-sha2-nistp521
 
                Public key algorithms:
-                 ecdsa-sha2-nistp256
+                 ecdsa-sha2-nistp256 (*)
                  ecdsa-sha2-nistp384
                  ecdsa-sha2-nistp521
 
-               Does not generate ECC host keys by default (ECC key exchange will not be used,
-               only ECC public key auth).
+               (*) - basic ECC support; provided by DROPBEAR_ECC.
 
-               Increases binary size by about 23 kB (MIPS).
+               Increases binary size by about 4 kB (MIPS).
 
 config DROPBEAR_ZLIB
        bool "Enable compression"
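Review bot: The new DROPBEAR_ECC help text does not say what happens to existing configurations: a build that already had DROPBEAR_ECC=y now drops ecdh/ecdsa-sha2-nistp384 and -521 unless DROPBEAR_ECC_FULL is additionally selected, and a device that already generated a nistp384/521 host key would presumably no longer be able to load it after upgrade. The "also select DROPBEAR_ECC_FULL" sentence reads as optional guidance rather than a behaviour change. I would add one line to the DROPBEAR_ECC help, after the size estimate: `Note: configurations that previously relied on DROPBEAR_ECC for nistp384/nistp521 must now also select DROPBEAR_ECC_FULL.` The same wording would fit the commit description, since a silent loss of host-key algorithms is what an operator upgrading a fleet needs to know.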
index ca39f84..1ad1f51 100644 (file)
@@ -26,7 +26,7 @@ PKG_USE_MIPS16:=0
 PKG_FIXUP:=autoreconf
 
 PKG_CONFIG_DEPENDS:= \
-       CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
+       CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
        CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
        CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
 
@@ -119,6 +119,12 @@ define Build/Configure
                        $(PKG_BUILD_DIR)/localoptions.h; \
        done
 
+       # enable nistp384 and nistp521 only if full ECC support was requested
+       for OPTION in DROPBEAR_ECC_384 DROPBEAR_ECC_521; do \
+               $(ESED) 's,^(#define '$$$$OPTION') .*$$$$,\1 $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0),g' \
+               $(PKG_BUILD_DIR)/sysoptions.h; \
+       done
+
        # Enforce rebuild of svr-chansession.c
        rm -f $(PKG_BUILD_DIR)/svr-chansession.o
 endef
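Review bot: The sed over sysoptions.h cannot tell whether it matched anything, so if upstream renames, moves or re-guards the `#define DROPBEAR_ECC_384` / `#define DROPBEAR_ECC_521` lines the loop still succeeds and the build silently ships whatever the header's default is — which may be the full curve set the DROPBEAR_ECC help text now says is not included, or none of them. A post-loop check would turn that into a build failure: `grep -q '^#define DROPBEAR_ECC_384 [01]$$$$' $(PKG_BUILD_DIR)/sysoptions.h || exit 1` (and the same for `DROPBEAR_ECC_521`). The existing loop just above (cut off at the top of the hunk; Build/Configure starts outside it) patches localoptions.h, so a one-line comment saying why these two options go to sysoptions.h instead — presumably because they are defined there unconditionally, worth confirming against the dropbear version in use — would help the next maintainer. The `g` flag is redundant with a pattern anchored at both `^` and `$`.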