aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2015-09-08 08:55:10 +0000
committerFelix Fietkau <nbd@openwrt.org>2015-09-08 08:55:10 +0000
commita4cf4c35af05d8128ca7887c4f9c6c2cb53102bb (patch)
tree40a9910f8f3a014b2db00f7838aa14ef162cc4fa
parentb13d8e55a71ec826d18929e8effa65461f87b6a1 (diff)
downloadupstream-a4cf4c35af05d8128ca7887c4f9c6c2cb53102bb.tar.gz
upstream-a4cf4c35af05d8128ca7887c4f9c6c2cb53102bb.tar.bz2
upstream-a4cf4c35af05d8128ca7887c4f9c6c2cb53102bb.zip
dropbear: disable 3des, cbc mode, dss support, saves about 5k gzipped
While technically required by the RFC, they are usually completely unused (DSA), or have security issues (3DES, CBC) Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 46814
-rw-r--r--package/network/services/dropbear/patches/120-openwrt_options.patch21
1 files changed, 20 insertions, 1 deletions
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
index 805a0964ab..87118ef4ba 100644
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -18,7 +18,12 @@
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
#define ENABLE_USER_ALGO_LIST
-@@ -95,8 +95,8 @@ much traffic. */
+@@ -91,16 +91,16 @@ much traffic. */
+ * Including multiple keysize variants the same cipher
+ * (eg AES256 as well as AES128) will result in a minimal size increase.*/
+ #define DROPBEAR_AES128
+-#define DROPBEAR_3DES
++/*#define DROPBEAR_3DES*/
#define DROPBEAR_AES256
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
/*#define DROPBEAR_BLOWFISH*/
@@ -29,6 +34,11 @@
/* Enable CBC mode for ciphers. This has security issues though
* is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE
++/*#define DROPBEAR_ENABLE_CBC_MODE*/
+
+ /* Enable "Counter Mode" for ciphers. This is more secure than normal
+ * CBC mode against certain attacks. It is recommended for security
@@ -131,9 +131,9 @@ If you test it please contact the Dropbe
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */
@@ -42,6 +52,15 @@
#define DROPBEAR_MD5_HMAC
/* You can also disable integrity. Don't bother disabling this if you're
+@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
+ * Removing either of these won't save very much space.
+ * SSH2 RFC Draft requires dss, recommends rsa */
+ #define DROPBEAR_RSA
+-#define DROPBEAR_DSS
++/*#define DROPBEAR_DSS*/
+ /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
+ * on x86-64 */
@@ -189,7 +189,7 @@ If you test it please contact the Dropbe
/* Whether to print the message of the day (MOTD). This doesn't add much code