dropbear: split ECC support to basic and full

- limit ECC support to ec*-sha2-nistp256:
  * DROPBEAR_ECC now provides only basic support for ECC
- provide full ECC support as an option:
  * DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521}
- update feature costs in binary size

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
openwrt-19.07
Konstantin Demin 2019-03-25 22:00:28 +03:00 committed by Hans Dedecker
parent 5eb7864aad
commit 01964148c6
2 changed files with 31 additions and 8 deletions


@ -8,29 +8,46 @@ config DROPBEAR_CURVE25519
This enables the following key exchange algorithm: This enables the following key exchange algorithm:
curve25519-sha256@libssh.org curve25519-sha256@libssh.org
Increases binary size by about 13 kB uncompressed (MIPS). Increases binary size by about 8 kB uncompressed (MIPS).
config DROPBEAR_ECC config DROPBEAR_ECC
bool "Elliptic curve cryptography (ECC)" bool "Elliptic curve cryptography (ECC)"
default n default n
help help
Enables elliptic curve cryptography (ECC) support in key exchange and public key Enables basic support for elliptic curve cryptography (ECC)
authentication. in key exchange and public key authentication.
Key exchange algorithms: Key exchange algorithms:
ecdh-sha2-nistp256 ecdh-sha2-nistp256
Public key algorithms:
ecdsa-sha2-nistp256
Increases binary size by about 24 kB (MIPS).
If full ECC support is required, also select DROPBEAR_ECC_FULL.
config DROPBEAR_ECC_FULL
bool "Elliptic curve cryptography (ECC), full support"
default n
depends on DROPBEAR_ECC
help
Enables full support for elliptic curve cryptography (ECC)
in key exchange and public key authentication.
Key exchange algorithms:
ecdh-sha2-nistp256 (*)
ecdh-sha2-nistp384 ecdh-sha2-nistp384
ecdh-sha2-nistp521 ecdh-sha2-nistp521
Public key algorithms: Public key algorithms:
ecdsa-sha2-nistp256 ecdsa-sha2-nistp256 (*)
ecdsa-sha2-nistp384 ecdsa-sha2-nistp384
ecdsa-sha2-nistp521 ecdsa-sha2-nistp521
Does not generate ECC host keys by default (ECC key exchange will not be used, (*) - basic ECC support; provided by DROPBEAR_ECC.
only ECC public key auth).
Increases binary size by about 23 kB (MIPS). Increases binary size by about 4 kB (MIPS).
config DROPBEAR_ZLIB config DROPBEAR_ZLIB
bool "Enable compression" bool "Enable compression"
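Review bot: the rewritten DROPBEAR_ECC help drops the old sentence "Does not generate ECC host keys by default (ECC key exchange will not be used, only ECC public key auth)." without a replacement, yet neither of the two changed files touches host key generation; if that behaviour still holds, keep the sentence under DROPBEAR_ECC, since it is the one line that tells an operator why enabling the option alone does not move key exchange to ecdh-sha2-nistp256. The size figures also do not reconcile with the ones they replace: basic ECC alone is now "about 24 kB (MIPS)" where the whole ECC feature was "about 23 kB" before, and curve25519 goes from 13 kB to 8 kB; a sentence in the commit message saying how the new numbers were measured (dropbear version, toolchain, stripped or not) would stop the next reader from treating them as typos.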


@ -26,7 +26,7 @@ PKG_USE_MIPS16:=0
PKG_FIXUP:=autoreconf PKG_FIXUP:=autoreconf
PKG_CONFIG_DEPENDS:= \ PKG_CONFIG_DEPENDS:= \
CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
@ -119,6 +119,12 @@ define Build/Configure
$(PKG_BUILD_DIR)/localoptions.h; \ $(PKG_BUILD_DIR)/localoptions.h; \
done done
# enable nistp384 and nistp521 only if full ECC support was requested
for OPTION in DROPBEAR_ECC_384 DROPBEAR_ECC_521; do \
$(ESED) 's,^(#define '$$$$OPTION') .*$$$$,\1 $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0),g' \
$(PKG_BUILD_DIR)/sysoptions.h; \
done
# Enforce rebuild of svr-chansession.c # Enforce rebuild of svr-chansession.c
rm -f $(PKG_BUILD_DIR)/svr-chansession.o rm -f $(PKG_BUILD_DIR)/svr-chansession.o
endef endef
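Review bot: the new loop fails silently. sed exits 0 whether or not `^(#define DROPBEAR_ECC_384) .*$` matched anything, and unlike the loop just above it, which edits localoptions.h (dropbear's intended override file), this one rewrites sysoptions.h, dropbear's internal derived-options header; a future package bump that renames or relocates those two defines would quietly build nistp384/nistp521 back in with no error, and DROPBEAR_ECC_FULL would no longer do what its help text promises. Suggest asserting the edit took effect after the loop, for example a `grep -q '^#define DROPBEAR_ECC_521 '` (with the expected 0 or 1 appended, using the same `$$$$` quoting the loop already uses) against `$(PKG_BUILD_DIR)/sysoptions.h`, so the build stops rather than shipping the wrong curve set. Minor: the other comment in this define is capitalised ("# Enforce rebuild of svr-chansession.c"); match that for "# enable nistp384 and nistp521 ...".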