This allows the user to select only the key exchange algorithms (s)he requires (e.g., disabling group 14 SHA-{1,256} and keeping only Curve25519). The default selection maintains the current functionality.
Additionally, make sure at least one key exchange algorithm is selected, lest the build would fail.
Signed-off-by: Rui Salvaterra <rsalvate...@gmail.com>
---
 package/network/services/dropbear/Config.in | 12 ++++++++++++
 package/network/services/dropbear/Makefile | 13 ++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index 9cea6242a6..066dab0a9b 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -94,6 +94,16 @@ config DROPBEAR_AUTOSEL_EA
 endmenu
+menu "Key exchange algorithm selection"
+
+config DROPBEAR_DH_GROUP14_SHA1
+ bool "Group 14 SHA-1"
+ default y
+
+config DROPBEAR_DH_GROUP14_SHA256
+ bool "Group 14 SHA-256"
+ default y
+
 config DROPBEAR_CURVE25519
 bool "Curve25519 support"
 default y
@@ -103,6 +113,8 @@ config DROPBEAR_CURVE25519
 Increases binary size by about 4 kB (MIPS).
+endmenu
+
 config DROPBEAR_ZLIB
 bool "Enable compression"
 default n
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 768058718c..d0b0dbf3dc 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -32,6 +32,7 @@ PKG_CONFIG_DEPENDS:= \
 CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
 CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \
 CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \
+ CONFIG_DROPBEAR_DH_GROUP14_SHA1 CONFIG_DROPBEAR_DH_GROUP14_SHA256 \
 CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP
 include $(INCLUDE_DIR)/package.mk
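Review bot: Nothing in the Config.in hunk at -94,6 enforces the "at least one key exchange algorithm" guarantee that the description promises: `DROPBEAR_DH_GROUP14_SHA1`, `DROPBEAR_DH_GROUP14_SHA256` and `DROPBEAR_CURVE25519` are three independent `bool` symbols, so all of them can be switched off, and the Makefile hunks only write the resulting 0/1 values into localoptions.h. One way to express the constraint in Kconfig is a conditional prompt on the last option, `bool "Curve25519 support" if DROPBEAR_DH_GROUP14_SHA1 || DROPBEAR_DH_GROUP14_SHA256`, so that it falls back to its `default y` when both group 14 options are off. Whether ECDH from `DROPBEAR_ECC` should count towards the minimum depends on parts of Config.in outside the hunk. The two new symbols also carry no `help` text; a line such as `Uses SHA-1 for the exchange hash; keep only for clients that lack SHA-256 or Curve25519 key exchange.` on the SHA-1 option would tell users which algorithm is the one to drop when hardening an image.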
@@ -110,9 +111,6 @@ define Build/Configure
 echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \
 $(PKG_BUILD_DIR)/localoptions.h
- echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
- $(PKG_BUILD_DIR)/localoptions.h
-
 for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
 echo "#define $$$$OPTION $(if $(CONFIG_DROPBEAR_ECC),1,0)" >> \
 $(PKG_BUILD_DIR)/localoptions.h; \
@@ -130,6 +128,15 @@ define Build/Configure
 echo '#define DROPBEAR_CHACHA20POLY1305 $(if $(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \
 $(PKG_BUILD_DIR)/localoptions.h
+ echo '#define DROPBEAR_DH_GROUP14_SHA1 $(if $(CONFIG_DROPBEAR_DH_GROUP14_SHA1),1,0)' >> \
+ $(PKG_BUILD_DIR)/localoptions.h
+
+ echo '#define DROPBEAR_DH_GROUP14_SHA256 $(if $(CONFIG_DROPBEAR_DH_GROUP14_SHA256),1,0)' >> \
+ $(PKG_BUILD_DIR)/localoptions.h
+
+ echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
+ $(PKG_BUILD_DIR)/localoptions.h
+
 # remove protocol idented software version number
 $(ESED) 's,^(#define LOCAL_IDENT) .*$$$$,\1 "SSH-2.0-dropbear",g' \
 $(PKG_BUILD_DIR)/sysoptions.h
-- 2.28.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel