mirror of https://github.com/hak5/openwrt.git
dropbear: split ECC support to basic and full
- limit ECC support to ec*-sha2-nistp256: * DROPBEAR_ECC now provides only basic support for ECC - provide full ECC support as an option: * DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521} - update feature costs in binary size Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>openwrt-19.07
parent
5eb7864aad
commit
01964148c6
|
@ -8,29 +8,46 @@ config DROPBEAR_CURVE25519
|
|||
This enables the following key exchange algorithm:
|
||||
curve25519-sha256@libssh.org
|
||||
|
||||
Increases binary size by about 13 kB uncompressed (MIPS).
|
||||
Increases binary size by about 8 kB uncompressed (MIPS).
|
||||
|
||||
config DROPBEAR_ECC
|
||||
bool "Elliptic curve cryptography (ECC)"
|
||||
default n
|
||||
help
|
||||
Enables elliptic curve cryptography (ECC) support in key exchange and public key
|
||||
authentication.
|
||||
Enables basic support for elliptic curve cryptography (ECC)
|
||||
in key exchange and public key authentication.
|
||||
|
||||
Key exchange algorithms:
|
||||
ecdh-sha2-nistp256
|
||||
|
||||
Public key algorithms:
|
||||
ecdsa-sha2-nistp256
|
||||
|
||||
Increases binary size by about 24 kB (MIPS).
|
||||
|
||||
If full ECC support is required, also select DROPBEAR_ECC_FULL.
|
||||
|
||||
config DROPBEAR_ECC_FULL
|
||||
bool "Elliptic curve cryptography (ECC), full support"
|
||||
default n
|
||||
depends on DROPBEAR_ECC
|
||||
help
|
||||
Enables full support for elliptic curve cryptography (ECC)
|
||||
in key exchange and public key authentication.
|
||||
|
||||
Key exchange algorithms:
|
||||
ecdh-sha2-nistp256 (*)
|
||||
ecdh-sha2-nistp384
|
||||
ecdh-sha2-nistp521
|
||||
|
||||
Public key algorithms:
|
||||
ecdsa-sha2-nistp256
|
||||
ecdsa-sha2-nistp256 (*)
|
||||
ecdsa-sha2-nistp384
|
||||
ecdsa-sha2-nistp521
|
||||
|
||||
Does not generate ECC host keys by default (ECC key exchange will not be used,
|
||||
only ECC public key auth).
|
||||
(*) - basic ECC support; provided by DROPBEAR_ECC.
|
||||
|
||||
Increases binary size by about 23 kB (MIPS).
|
||||
Increases binary size by about 4 kB (MIPS).
|
||||
|
||||
config DROPBEAR_ZLIB
|
||||
bool "Enable compression"
|
||||
|
|
|
@ -26,7 +26,7 @@ PKG_USE_MIPS16:=0
|
|||
PKG_FIXUP:=autoreconf
|
||||
|
||||
PKG_CONFIG_DEPENDS:= \
|
||||
CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
|
||||
CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
|
||||
CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
|
||||
CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
|
||||
|
||||
|
@ -119,6 +119,12 @@ define Build/Configure
|
|||
$(PKG_BUILD_DIR)/localoptions.h; \
|
||||
done
|
||||
|
||||
# enable nistp384 and nistp521 only if full ECC support was requested
|
||||
for OPTION in DROPBEAR_ECC_384 DROPBEAR_ECC_521; do \
|
||||
$(ESED) 's,^(#define '$$$$OPTION') .*$$$$,\1 $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0),g' \
|
||||
$(PKG_BUILD_DIR)/sysoptions.h; \
|
||||
done
|
||||
|
||||
# Enforce rebuild of svr-chansession.c
|
||||
rm -f $(PKG_BUILD_DIR)/svr-chansession.o
|
||||
endef
|
||||
|
|
Loading…
Reference in New Issue