dropbear: split ECC support to basic and full

- limit ECC support to ec*-sha2-nistp256:
  * DROPBEAR_ECC now provides only basic support for ECC
- provide full ECC support as an option:
  * DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521}
- update feature costs in binary size

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
openwrt-19.07
Konstantin Demin 2019-03-25 22:00:28 +03:00 committed by Hans Dedecker
parent 5eb7864aad
commit 01964148c6
2 changed files with 31 additions and 8 deletions

View File

@ -8,29 +8,46 @@ config DROPBEAR_CURVE25519
This enables the following key exchange algorithm:
curve25519-sha256@libssh.org
Increases binary size by about 13 kB uncompressed (MIPS).
Increases binary size by about 8 kB uncompressed (MIPS).
config DROPBEAR_ECC
bool "Elliptic curve cryptography (ECC)"
default n
help
Enables elliptic curve cryptography (ECC) support in key exchange and public key
authentication.
Enables basic support for elliptic curve cryptography (ECC)
in key exchange and public key authentication.
Key exchange algorithms:
ecdh-sha2-nistp256
Public key algorithms:
ecdsa-sha2-nistp256
Increases binary size by about 24 kB (MIPS).
If full ECC support is required, also select DROPBEAR_ECC_FULL.
config DROPBEAR_ECC_FULL
bool "Elliptic curve cryptography (ECC), full support"
default n
depends on DROPBEAR_ECC
help
Enables full support for elliptic curve cryptography (ECC)
in key exchange and public key authentication.
Key exchange algorithms:
ecdh-sha2-nistp256 (*)
ecdh-sha2-nistp384
ecdh-sha2-nistp521
Public key algorithms:
ecdsa-sha2-nistp256
ecdsa-sha2-nistp256 (*)
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
Does not generate ECC host keys by default (ECC key exchange will not be used,
only ECC public key auth).
(*) - basic ECC support; provided by DROPBEAR_ECC.
Increases binary size by about 23 kB (MIPS).
Increases binary size by about 4 kB (MIPS).
config DROPBEAR_ZLIB
bool "Enable compression"

View File

@ -26,7 +26,7 @@ PKG_USE_MIPS16:=0
PKG_FIXUP:=autoreconf
PKG_CONFIG_DEPENDS:= \
CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
@ -119,6 +119,12 @@ define Build/Configure
$(PKG_BUILD_DIR)/localoptions.h; \
done
# enable nistp384 and nistp521 only if full ECC support was requested
for OPTION in DROPBEAR_ECC_384 DROPBEAR_ECC_521; do \
$(ESED) 's,^(#define '$$$$OPTION') .*$$$$,\1 $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0),g' \
$(PKG_BUILD_DIR)/sysoptions.h; \
done
# Enforce rebuild of svr-chansession.c
rm -f $(PKG_BUILD_DIR)/svr-chansession.o
endef