From: Konstantin Demin Date: Tue, 9 Jan 2024 00:40:01 +0000 (+0300) Subject: dropbear: add option to enable modern crypto only X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=bf900e02c7102601be2e9280231711e70f065877;p=openwrt%2Fstaging%2Fldir.git dropbear: add option to enable modern crypto only reduces binary/package size and increases overall performance also: - adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256 Signed-off-by: Konstantin Demin --- diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 449cc2a421..fd4d5f3c7a 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -145,4 +145,25 @@ config DROPBEAR_AGENTFORWARD Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in dropbear client) if DROPBEAR_DBCLIENT is selected. +config DROPBEAR_MODERN_ONLY + bool "Use modern crypto only [BREAKS COMPATIBILITY]" + select DROPBEAR_ED25519 + select DROPBEAR_CURVE25519 + select DROPBEAR_CHACHA20POLY1305 + help + This option enables: + - Chacha20-Poly1305 + - Curve25519 + - Ed25519 + and disables: + - AES + - RSA + - SHA1 + + Reduces binary size by about 64 kB (MIPS) from default + configuration. + + Consider enabling this option if you're building own OpenWrt + image and using modern SSH software everywhere. + endmenu diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index ef67371e1d..653911b764 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -33,7 +33,8 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \ - CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD + CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD \ + CONFIG_DROPBEAR_MODERN_ONLY include $(INCLUDE_DIR)/package.mk @@ -148,6 +149,11 @@ DB_OPT_CONFIG = \ DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_ASKPASS,1,0 \ DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD,1,0 \ DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_AGENTFORWARD,1,0 \ + DROPBEAR_AES128,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \ + DROPBEAR_AES256,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \ + DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \ + DROPBEAR_RSA,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \ + DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \ TARGET_CFLAGS += -DARGTYPE=3 diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch index 442fdcfc75..059177a1c5 100644 --- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch +++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch @@ -21,7 +21,7 @@ Signed-off-by: Petr Å tetiar --- a/signkey.c +++ b/signkey.c -@@ -652,8 +652,12 @@ int buf_verify(buffer * buf, sign_key *k +@@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k sigtype = signature_type_from_name(type_name, type_name_len); m_free(type_name); @@ -29,10 +29,16 @@ Signed-off-by: Petr Å tetiar - dropbear_exit("Non-matching signing type"); + if (sigtype == DROPBEAR_SIGNATURE_NONE) { + dropbear_exit("No signature type"); -+ } -+ -+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) { -+ dropbear_exit("Non-matching signing type"); } ++#if DROPBEAR_RSA ++#if DROPBEAR_RSA_SHA256 ++ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) { ++ dropbear_exit("Non-matching signing type"); ++ } ++#endif ++#endif ++ keytype = signkey_type_from_signature(sigtype); + #if DROPBEAR_DSS + if (keytype == DROPBEAR_SIGNKEY_DSS) {