diff options
author | Felix Fietkau <nbd@openwrt.org> | 2015-09-08 08:55:10 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2015-09-08 08:55:10 +0000 |
commit | a4cf4c35af05d8128ca7887c4f9c6c2cb53102bb (patch) | |
tree | 40a9910f8f3a014b2db00f7838aa14ef162cc4fa | |
parent | b13d8e55a71ec826d18929e8effa65461f87b6a1 (diff) | |
download | master-31e0f0ae-a4cf4c35af05d8128ca7887c4f9c6c2cb53102bb.tar.gz master-31e0f0ae-a4cf4c35af05d8128ca7887c4f9c6c2cb53102bb.tar.bz2 master-31e0f0ae-a4cf4c35af05d8128ca7887c4f9c6c2cb53102bb.zip |
dropbear: disable 3des, cbc mode, dss support, saves about 5k gzipped
While technically required by the RFC, they are usually completely
unused (DSA), or have security issues (3DES, CBC)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 46814
-rw-r--r-- | package/network/services/dropbear/patches/120-openwrt_options.patch | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch index 805a0964ab..87118ef4ba 100644 --- a/package/network/services/dropbear/patches/120-openwrt_options.patch +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch @@ -18,7 +18,12 @@ /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ #define ENABLE_USER_ALGO_LIST -@@ -95,8 +95,8 @@ much traffic. */ +@@ -91,16 +91,16 @@ much traffic. */ + * Including multiple keysize variants the same cipher + * (eg AES256 as well as AES128) will result in a minimal size increase.*/ + #define DROPBEAR_AES128 +-#define DROPBEAR_3DES ++/*#define DROPBEAR_3DES*/ #define DROPBEAR_AES256 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ /*#define DROPBEAR_BLOWFISH*/ @@ -29,6 +34,11 @@ /* Enable CBC mode for ciphers. This has security issues though * is the most compatible with older SSH implementations */ +-#define DROPBEAR_ENABLE_CBC_MODE ++/*#define DROPBEAR_ENABLE_CBC_MODE*/ + + /* Enable "Counter Mode" for ciphers. This is more secure than normal + * CBC mode against certain attacks. It is recommended for security @@ -131,9 +131,9 @@ If you test it please contact the Dropbe * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, * which are not the standard form. */ @@ -42,6 +52,15 @@ #define DROPBEAR_MD5_HMAC /* You can also disable integrity. Don't bother disabling this if you're +@@ -146,7 +146,7 @@ If you test it please contact the Dropbe + * Removing either of these won't save very much space. + * SSH2 RFC Draft requires dss, recommends rsa */ + #define DROPBEAR_RSA +-#define DROPBEAR_DSS ++/*#define DROPBEAR_DSS*/ + /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC + * code (either ECDSA or ECDH) increases binary size - around 30kB + * on x86-64 */ @@ -189,7 +189,7 @@ If you test it please contact the Dropbe /* Whether to print the message of the day (MOTD). This doesn't add much code |