diff options
| author | Felix Fietkau <nbd@openwrt.org> | 2015-09-08 08:55:10 +0000 |
|---|---|---|
| committer | Felix Fietkau <nbd@openwrt.org> | 2015-09-08 08:55:10 +0000 |
| commit | b055bbb7d72f08823bc05252d7854e248f846da9 (patch) | |
| tree | d580353ba85df187a9cd95b24e0303b6f9693814 | |
| parent | 6d0723a7978b4cd98e4d2b1a233c919e5fa9759e (diff) | |
| download | master-187ad058-b055bbb7d72f08823bc05252d7854e248f846da9.tar.gz master-187ad058-b055bbb7d72f08823bc05252d7854e248f846da9.tar.bz2 master-187ad058-b055bbb7d72f08823bc05252d7854e248f846da9.zip | |
dropbear: disable 3des, cbc mode, dss support, saves about 5k gzipped
While technically required by the RFC, they are usually completely
unused (DSA), or have security issues (3DES, CBC)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@46814 3c298f89-4303-0410-b956-a3cf2f4a3e73
| -rw-r--r-- | package/network/services/dropbear/patches/120-openwrt_options.patch | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch index 805a0964ab..87118ef4ba 100644 --- a/package/network/services/dropbear/patches/120-openwrt_options.patch +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch @@ -18,7 +18,12 @@ /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ #define ENABLE_USER_ALGO_LIST -@@ -95,8 +95,8 @@ much traffic. */ +@@ -91,16 +91,16 @@ much traffic. */ + * Including multiple keysize variants the same cipher + * (eg AES256 as well as AES128) will result in a minimal size increase.*/ + #define DROPBEAR_AES128 +-#define DROPBEAR_3DES ++/*#define DROPBEAR_3DES*/ #define DROPBEAR_AES256 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ /*#define DROPBEAR_BLOWFISH*/ @@ -29,6 +34,11 @@ /* Enable CBC mode for ciphers. This has security issues though * is the most compatible with older SSH implementations */ +-#define DROPBEAR_ENABLE_CBC_MODE ++/*#define DROPBEAR_ENABLE_CBC_MODE*/ + + /* Enable "Counter Mode" for ciphers. This is more secure than normal + * CBC mode against certain attacks. It is recommended for security @@ -131,9 +131,9 @@ If you test it please contact the Dropbe * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, * which are not the standard form. */ @@ -42,6 +52,15 @@ #define DROPBEAR_MD5_HMAC /* You can also disable integrity. Don't bother disabling this if you're +@@ -146,7 +146,7 @@ If you test it please contact the Dropbe + * Removing either of these won't save very much space. + * SSH2 RFC Draft requires dss, recommends rsa */ + #define DROPBEAR_RSA +-#define DROPBEAR_DSS ++/*#define DROPBEAR_DSS*/ + /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC + * code (either ECDSA or ECDH) increases binary size - around 30kB + * on x86-64 */ @@ -189,7 +189,7 @@ If you test it please contact the Dropbe /* Whether to print the message of the day (MOTD). This doesn't add much code |