authorKonstantin Demin <rockdrilla@gmail.com>2019-03-25 22:00:28 +0300
committerHans Dedecker <dedeckeh@gmail.com>2019-03-25 22:25:35 +0100
commit01964148c638e88d2ec29e63880c12c84b84c5a4 (patch)
tree71d942402ba851e2032ab0472472d157eb2bb145
parent5eb7864aadd5d4dffdb9befb87ba9a025a728b71 (diff)
dropbear: split ECC support to basic and full
- limit ECC support to ec*-sha2-nistp256: * DROPBEAR_ECC now provides only basic support for ECC - provide full ECC support as an option: * DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521} - update feature costs in binary size Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
-rw-r--r--package/network/services/dropbear/Config.in31
-rw-r--r--package/network/services/dropbear/Makefile8
2 files changed, 31 insertions, 8 deletions
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index ca0af9d5e0..9106322eea 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -8,29 +8,46 @@ config DROPBEAR_CURVE25519
This enables the following key exchange algorithm:
curve25519-sha256@libssh.org
- Increases binary size by about 13 kB uncompressed (MIPS).
+ Increases binary size by about 8 kB uncompressed (MIPS).
config DROPBEAR_ECC
bool "Elliptic curve cryptography (ECC)"
default n
help
- Enables elliptic curve cryptography (ECC) support in key exchange and public key
- authentication.
+ Enables basic support for elliptic curve cryptography (ECC)
+ in key exchange and public key authentication.
Key exchange algorithms:
ecdh-sha2-nistp256
+
+ Public key algorithms:
+ ecdsa-sha2-nistp256
+
+ Increases binary size by about 24 kB (MIPS).
+
+ If full ECC support is required, also select DROPBEAR_ECC_FULL.
+
+config DROPBEAR_ECC_FULL
+ bool "Elliptic curve cryptography (ECC), full support"
+ default n
+ depends on DROPBEAR_ECC
+ help
+ Enables full support for elliptic curve cryptography (ECC)
+ in key exchange and public key authentication.
+
+ Key exchange algorithms:
+ ecdh-sha2-nistp256 (*)
ecdh-sha2-nistp384
ecdh-sha2-nistp521
Public key algorithms:
- ecdsa-sha2-nistp256
+ ecdsa-sha2-nistp256 (*)
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
- Does not generate ECC host keys by default (ECC key exchange will not be used,
- only ECC public key auth).
+ (*) - basic ECC support; provided by DROPBEAR_ECC.
- Increases binary size by about 23 kB (MIPS).
+ Increases binary size by about 4 kB (MIPS).
config DROPBEAR_ZLIB
bool "Enable compression"
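Review bot: The new DROPBEAR_ECC help text does not mention that this option previously covered nistp384 and nistp521 as well, so an existing configuration with DROPBEAR_ECC=y silently loses those curves once this lands. A device that relies on an ecdsa-sha2-nistp384 or ecdsa-sha2-nistp521 host key or authorized key would presumably stop accepting it after an upgrade, which on a router can mean losing SSH access. I would add a sentence to the DROPBEAR_ECC help such as `Note: nistp384/nistp521 keys need DROPBEAR_ECC_FULL; existing keys of those sizes are unusable without it.` The removed remark that ECC host keys are not generated by default has no replacement either, so the hunk does not show whether that still holds.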
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index ca39f845b9..1ad1f516a7 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -26,7 +26,7 @@ PKG_USE_MIPS16:=0
PKG_FIXUP:=autoreconf
PKG_CONFIG_DEPENDS:= \
- CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
+ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
@@ -119,6 +119,12 @@ define Build/Configure
$(PKG_BUILD_DIR)/localoptions.h; \
done
+ # enable nistp384 and nistp521 only if full ECC support was requested
+ for OPTION in DROPBEAR_ECC_384 DROPBEAR_ECC_521; do \
+ $(ESED) 's,^(#define '$$$$OPTION') .*$$$$,\1 $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0),g' \
+ $(PKG_BUILD_DIR)/sysoptions.h; \
+ done
+
# Enforce rebuild of svr-chansession.c
rm -f $(PKG_BUILD_DIR)/svr-chansession.o
endef
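Review bot: The sed loop added to Build/Configure succeeds even when neither `#define DROPBEAR_ECC_384` nor `#define DROPBEAR_ECC_521` matches. A dropbear version bump that renames or reformats these lines in sysoptions.h would therefore leave the upstream defaults in place with no build error. Because this setting decides which key-exchange and public-key algorithms are compiled into the binary, the recipe should verify the result, for example by adding `grep -q "^#define $$$$OPTION [01]" $(PKG_BUILD_DIR)/sysoptions.h || exit 1; \` after the sed call inside the loop. The comment could also say why sysoptions.h is edited here rather than localoptions.h (presumably because upstream defines these two macros there). Build/Configure starts above the hunk, so the earlier loop is only partly visible.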