This allows the user to select only the key exchange algorithms (s)he requires
(e.g., disabling group 14 SHA-{1,256} and keeping only Curve25519). The default
selection maintains the current functionality.

Additionally, make sure at least one key exchange algorithm is selected, since
otherwise the build would fail.

Signed-off-by: Rui Salvaterra <rsalvate...@gmail.com>
---
 package/network/services/dropbear/Config.in | 12 ++++++++++++
 package/network/services/dropbear/Makefile  | 13 ++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/package/network/services/dropbear/Config.in 
b/package/network/services/dropbear/Config.in
index 9cea6242a6..066dab0a9b 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -94,6 +94,16 @@ config DROPBEAR_AUTOSEL_EA
 
 endmenu
 
+menu "Key exchange algorithm selection"
+
+config DROPBEAR_DH_GROUP14_SHA1
+       bool "Group 14 SHA-1"
+       default y
+
+config DROPBEAR_DH_GROUP14_SHA256
+       bool "Group 14 SHA-256"
+       default y
+
 config DROPBEAR_CURVE25519
        bool "Curve25519 support"
        default y
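Review bot: The new DROPBEAR_DH_GROUP14_SHA1 and DROPBEAR_DH_GROUP14_SHA256 entries carry no help text, unlike the existing Curve25519 entry right below them, so someone toggling the menu gets no hint about the trade-off. I would add under the SHA-1 entry a help block along the lines of `help` / `Diffie-Hellman group 14 with SHA-1. Enabled by default for interoperability with older SSH clients; disable it to build without SHA-1 based key exchange.`, and a parallel one for the SHA-256 entry. The commit message also says it makes sure at least one key exchange algorithm stays selected, but neither Config.in hunk shows a constraint enforcing that (the Curve25519 entry's lines between the two hunks are not visible here); if this relies on a compile-time check inside dropbear itself, a one-line comment above the menu saying so would save the next reader the search.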
@@ -103,6 +113,8 @@ config DROPBEAR_CURVE25519
 
                Increases binary size by about 4 kB (MIPS).
 
+endmenu
+
 config DROPBEAR_ZLIB
        bool "Enable compression"
        default n
diff --git a/package/network/services/dropbear/Makefile 
b/package/network/services/dropbear/Makefile
index 768058718c..d0b0dbf3dc 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -32,6 +32,7 @@ PKG_CONFIG_DEPENDS:= \
        CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
        CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \
        CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \
+       CONFIG_DROPBEAR_DH_GROUP14_SHA1 CONFIG_DROPBEAR_DH_GROUP14_SHA256 \
        CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP
 
 include $(INCLUDE_DIR)/package.mk
@@ -110,9 +111,6 @@ define Build/Configure
        echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \
                $(PKG_BUILD_DIR)/localoptions.h
 
-       echo '#define DROPBEAR_CURVE25519 $(if 
$(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
-               $(PKG_BUILD_DIR)/localoptions.h
-
        for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
                echo "#define $$$$OPTION $(if $(CONFIG_DROPBEAR_ECC),1,0)" >> \
                        $(PKG_BUILD_DIR)/localoptions.h; \
@@ -130,6 +128,15 @@ define Build/Configure
        echo '#define DROPBEAR_CHACHA20POLY1305 $(if 
$(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \
                $(PKG_BUILD_DIR)/localoptions.h
 
+       echo '#define DROPBEAR_DH_GROUP14_SHA1 $(if 
$(CONFIG_DROPBEAR_DH_GROUP14_SHA1),1,0)' >> \
+               $(PKG_BUILD_DIR)/localoptions.h
+
+       echo '#define DROPBEAR_DH_GROUP14_SHA256 $(if 
$(CONFIG_DROPBEAR_DH_GROUP14_SHA256),1,0)' >> \
+               $(PKG_BUILD_DIR)/localoptions.h
+
+       echo '#define DROPBEAR_CURVE25519 $(if 
$(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
+               $(PKG_BUILD_DIR)/localoptions.h
+
        # remove protocol idented software version number
        $(ESED) 's,^(#define LOCAL_IDENT) .*$$$$,\1 "SSH-2.0-dropbear",g' \
                $(PKG_BUILD_DIR)/sysoptions.h
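Review bot: The three new echo lines for the key exchange defines are added without a grouping comment, while the neighbouring sed step at the bottom of the hunk has one; a line such as `# key exchange algorithms: at least one of these must stay defined to 1` before the DROPBEAR_DH_GROUP14_SHA1 echo would keep the build constraint from the commit message visible next to the code that writes localoptions.h. The Build/Configure define starts outside this hunk.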
-- 
2.28.0

