dropbear: add option to enable modern crypto only
authorKonstantin Demin <rockdrilla@gmail.com>
Tue, 9 Jan 2024 00:40:01 +0000 (03:40 +0300)
committerRui Salvaterra <rsalvaterra@gmail.com>
Fri, 9 Feb 2024 09:13:05 +0000 (09:13 +0000)
reduces binary/package size and increases overall performance

also:
- adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
  to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
package/network/services/dropbear/Config.in
package/network/services/dropbear/Makefile
package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch

index 449cc2a421dc7696bc50107b1ac3ffb714dc885c..fd4d5f3c7a5e49a54fe2124d5230b204c1b7f560 100644 (file)
@@ -145,4 +145,25 @@ config DROPBEAR_AGENTFORWARD
                Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
                dropbear client) if DROPBEAR_DBCLIENT is selected.
 
+config DROPBEAR_MODERN_ONLY
+       bool "Use modern crypto only [BREAKS COMPATIBILITY]"
+       select DROPBEAR_ED25519
+       select DROPBEAR_CURVE25519
+       select DROPBEAR_CHACHA20POLY1305
+       help
+               This option enables:
+                - Chacha20-Poly1305
+                - Curve25519
+                - Ed25519
+               and disables:
+                - AES
+                - RSA
+                - SHA1
+
+               Reduces binary size by about 64 kB (MIPS) from default
+               configuration.
+
+               Consider enabling this option if you're building own OpenWrt
+               image and using modern SSH software everywhere.
+
 endmenu
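Review bot: The help text for DROPBEAR_MODERN_ONLY lists the disabled algorithms but not the operational consequence: with RSA compiled out, an existing RSA host key and any RSA-only entries in authorized_keys can no longer be used. On a device administered only over SSH, flashing such an image can lock the administrator out. I would add a sentence to the help such as `Existing RSA host keys and RSA public keys in authorized_keys stop working; install an Ed25519 key before flashing.` The entry neither selects nor depends on DROPBEAR_ECC, so it would also help to state whether ECDSA and the NIST curves are meant to remain available under "modern only".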
index ef67371e1d8a90b1fbcabb86ec0a2312c643df90..653911b7647254933ac351f4fcbaff3f48b0aff2 100644 (file)
@@ -33,7 +33,8 @@ PKG_CONFIG_DEPENDS:= \
        CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
        CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
        CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \
-       CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD
+       CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD \
+       CONFIG_DROPBEAR_MODERN_ONLY
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -148,6 +149,11 @@ DB_OPT_CONFIG = \
        DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_ASKPASS,1,0 \
        DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD,1,0 \
        DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_AGENTFORWARD,1,0 \
+       DROPBEAR_AES128,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+       DROPBEAR_AES256,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+       DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+       DROPBEAR_RSA,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+       DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
 
 
 TARGET_CFLAGS += -DARGTYPE=3
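Review bot: The Config.in help says SHA1 is disabled, but the only SHA-1 switch among these new DB_OPT_CONFIG entries is `DROPBEAR_RSA_SHA1`. Dropbear controls HMAC-SHA1 and the group14-sha1 key exchange through separate options (`DROPBEAR_SHA1_HMAC`, `DROPBEAR_DH_GROUP14_SHA1`), and nothing visible in this hunk touches them. Unless they are already forced off elsewhere in this Makefile, either add matching entries, for example `DROPBEAR_SHA1_HMAC,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \`, or narrow the help text to "RSA-SHA1 signatures". Because these five rows use the inverted `0,1` value order compared with the rows above, a one-line comment such as `# MODERN_ONLY rows: 0 when the option is set, 1 otherwise` would make that deliberate inversion obvious.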
index 442fdcfc756d8887275605a0114a93ae326f1243..059177a1c58174d0e7304554f94b6d0f40181f34 100644 (file)
@@ -21,7 +21,7 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
 
 --- a/signkey.c
 +++ b/signkey.c
-@@ -652,8 +652,12 @@ int buf_verify(buffer * buf, sign_key *k
+@@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k
        sigtype = signature_type_from_name(type_name, type_name_len);
        m_free(type_name);
  
@@ -29,10 +29,16 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
 -                      dropbear_exit("Non-matching signing type");
 +      if (sigtype == DROPBEAR_SIGNATURE_NONE) {
 +              dropbear_exit("No signature type");
-+      }
-+
-+      if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
-+              dropbear_exit("Non-matching signing type");
        }
  
++#if DROPBEAR_RSA
++#if DROPBEAR_RSA_SHA256
++      if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
++              dropbear_exit("Non-matching signing type");
++      }
++#endif
++#endif
++
        keytype = signkey_type_from_signature(sigtype);
+ #if DROPBEAR_DSS
+       if (keytype == DROPBEAR_SIGNKEY_DSS) {
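Review bot: With `DROPBEAR_RSA` or `DROPBEAR_RSA_SHA256` set to 0, the `expect_sigtype != sigtype` comparison is compiled out completely, so in a modern-only build nothing in these lines rejects a signature whose declared type differs from the expected one. Only the RSA-SHA256 exception needs the guard; the strict comparison should remain in an `#else` branch so builds without RSA keep the behaviour of the original check. Whether the per-key-type code further down in buf_verify would catch a mismatch anyway cannot be seen here, because the function starts and ends outside the hunk. The two nested `#if`s can be folded into one condition at the same time.

```c
#if DROPBEAR_RSA && DROPBEAR_RSA_SHA256
	/* … unchanged: sigtype check that tolerates DROPBEAR_SIGNATURE_RSA_SHA256 … */
#else
	/* No RSA-SHA256 exception applies here, so the types must match exactly. */
	if (expect_sigtype != sigtype) {
		dropbear_exit("Non-matching signing type");
	}
#endif
```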