author | Konstantin Demin <rockdrilla@gmail.com> | 2019-03-25 22:00:28 +0300 |
---|---|---|
committer | Hans Dedecker <dedeckeh@gmail.com> | 2019-03-25 22:25:35 +0100 |
commit | 01964148c638e88d2ec29e63880c12c84b84c5a4 (patch) | |
tree | 71d942402ba851e2032ab0472472d157eb2bb145 /package/network | |
parent | 5eb7864aadd5d4dffdb9befb87ba9a025a728b71 (diff) | |
dropbear: split ECC support to basic and full
- limit ECC support to ec*-sha2-nistp256:
* DROPBEAR_ECC now provides only basic support for ECC
- provide full ECC support as an option:
* DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521}
- update feature costs in binary size
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Diffstat (limited to 'package/network')
-rw-r--r-- | package/network/services/dropbear/Config.in | 31 | ||||
-rw-r--r-- | package/network/services/dropbear/Makefile | 8 |
2 files changed, 31 insertions, 8 deletions
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index ca0af9d5e0..9106322eea 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -8,29 +8,46 @@ config DROPBEAR_CURVE25519 This enables the following key exchange algorithm: curve25519-sha256@libssh.org - Increases binary size by about 13 kB uncompressed (MIPS). + Increases binary size by about 8 kB uncompressed (MIPS). config DROPBEAR_ECC bool "Elliptic curve cryptography (ECC)" default n help - Enables elliptic curve cryptography (ECC) support in key exchange and public key - authentication. + Enables basic support for elliptic curve cryptography (ECC) + in key exchange and public key authentication. Key exchange algorithms: ecdh-sha2-nistp256 + + Public key algorithms: + ecdsa-sha2-nistp256 + + Increases binary size by about 24 kB (MIPS). + + If full ECC support is required, also select DROPBEAR_ECC_FULL. + +config DROPBEAR_ECC_FULL + bool "Elliptic curve cryptography (ECC), full support" + default n + depends on DROPBEAR_ECC + help + Enables full support for elliptic curve cryptography (ECC) + in key exchange and public key authentication. + + Key exchange algorithms: + ecdh-sha2-nistp256 (*) ecdh-sha2-nistp384 ecdh-sha2-nistp521 Public key algorithms: - ecdsa-sha2-nistp256 + ecdsa-sha2-nistp256 (*) ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 - Does not generate ECC host keys by default (ECC key exchange will not be used, - only ECC public key auth). + (*) - basic ECC support; provided by DROPBEAR_ECC. - Increases binary size by about 23 kB (MIPS). + Increases binary size by about 4 kB (MIPS). config DROPBEAR_ZLIB bool "Enable compression" diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index ca39f845b9..1ad1f516a7 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile 
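Review bot: `DROPBEAR_ECC_FULL` is introduced with `default n`, so a configuration that already had `DROPBEAR_ECC=y` loses ecdh-sha2-nistp384/521 and ecdsa-sha2-nistp384/521 on its next build, and neither help text says so. If I read the split correctly, existing nistp384 or nistp521 host keys and authorized_keys entries would then stop being accepted, which can lock an administrator out of a device after an upgrade. I would add a line to the DROPBEAR_ECC help such as `Note: nistp384 and nistp521 keys are not accepted unless DROPBEAR_ECC_FULL is selected.` The sentence about ECC host keys not being generated by default is also removed without replacement; if that behaviour still holds, it should stay in the help.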
@@ -26,7 +26,7 @@ PKG_USE_MIPS16:=0 PKG_FIXUP:=autoreconf PKG_CONFIG_DEPENDS:= \ - CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \ + CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE @@ -119,6 +119,12 @@ define Build/Configure $(PKG_BUILD_DIR)/localoptions.h; \ done + # enable nistp384 and nistp521 only if full ECC support was requested + for OPTION in DROPBEAR_ECC_384 DROPBEAR_ECC_521; do \ + $(ESED) 's,^(#define '$$$$OPTION') .*$$$$,\1 $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0),g' \ + $(PKG_BUILD_DIR)/sysoptions.h; \ + done + # Enforce rebuild of svr-chansession.c rm -f $(PKG_BUILD_DIR)/svr-chansession.o endef |
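Review bot: The `$(ESED)` loop added to Build/Configure succeeds even when no `#define DROPBEAR_ECC_384` or `#define DROPBEAR_ECC_521` line in sysoptions.h matches the pattern. A dropbear update that renames or reformats those defines would then leave the curve set at whatever upstream defaults to, while the build still reports success. Because this option decides which key-exchange and public-key algorithms the SSH server accepts, the build should fail rather than ship a binary that disagrees with the .config. A check inside the loop would catch that, for example `grep -qE '^#define '$$$$OPTION' $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0)$$$$' $(PKG_BUILD_DIR)/sysoptions.h || exit 1; \`. Build/Configure starts outside the hunk.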