From 01964148c638e88d2ec29e63880c12c84b84c5a4 Mon Sep 17 00:00:00 2001
From: Konstantin Demin
Date: Mon, 25 Mar 2019 22:00:28 +0300
Subject: [PATCH] dropbear: split ECC support to basic and full

- limit ECC support to ec*-sha2-nistp256:
  * DROPBEAR_ECC now provides only basic support for ECC
- provide full ECC support as an option:
  * DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521}
- update feature costs in binary size

Signed-off-by: Konstantin Demin
---
 package/network/services/dropbear/Config.in | 31 ++++++++++++++++-----
 package/network/services/dropbear/Makefile  |  8 +++++-
 2 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index ca0af9d5e0..9106322eea 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -8,29 +8,46 @@ config DROPBEAR_CURVE25519
 		This enables the following key exchange algorithm:
 		curve25519-sha256@libssh.org
 
-		Increases binary size by about 13 kB uncompressed (MIPS).
+		Increases binary size by about 8 kB uncompressed (MIPS).
 
 config DROPBEAR_ECC
 	bool "Elliptic curve cryptography (ECC)"
 	default n
 	help
-		Enables elliptic curve cryptography (ECC) support in key exchange and public key
-		authentication.
+		Enables basic support for elliptic curve cryptography (ECC)
+		in key exchange and public key authentication.
 
 		Key exchange algorithms:
 		ecdh-sha2-nistp256
+
+		Public key algorithms:
+		ecdsa-sha2-nistp256
+
+		Increases binary size by about 24 kB (MIPS).
+
+		If full ECC support is required, also select DROPBEAR_ECC_FULL.
+
+config DROPBEAR_ECC_FULL
+	bool "Elliptic curve cryptography (ECC), full support"
+	default n
+	depends on DROPBEAR_ECC
+	help
+		Enables full support for elliptic curve cryptography (ECC)
+		in key exchange and public key authentication.
+
+		Key exchange algorithms:
+		ecdh-sha2-nistp256 (*)
 		ecdh-sha2-nistp384
 		ecdh-sha2-nistp521
 
 		Public key algorithms:
-		ecdsa-sha2-nistp256
+		ecdsa-sha2-nistp256 (*)
 		ecdsa-sha2-nistp384
 		ecdsa-sha2-nistp521
 
-		Does not generate ECC host keys by default (ECC key exchange will not be used,
-		only ECC public key auth).
+		(*) - basic ECC support; provided by DROPBEAR_ECC.
 
-		Increases binary size by about 23 kB (MIPS).
+		Increases binary size by about 4 kB (MIPS).
 
 config DROPBEAR_ZLIB
 	bool "Enable compression"
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index ca39f845b9..1ad1f516a7 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
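Review bot: The DROPBEAR_ECC help drops the sentence `Does not generate ECC host keys by default (ECC key exchange will not be used, only ECC public key auth).` without a replacement, and nothing in this patch touches host-key generation, so if that default is unchanged (inferred — the key-generation logic is not in this diff) users selecting only DROPBEAR_ECC lose the hint that an ECDSA host key still has to be created explicitly. Keeping a one-line caveat under DROPBEAR_ECC, e.g. `ECC host keys are not generated by default.`, would preserve that information. If the sentence was removed because it is no longer accurate, a line in the commit message saying so would make the intent reviewable.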
@@ -26,7 +26,7 @@ PKG_USE_MIPS16:=0
 PKG_FIXUP:=autoreconf
 
 PKG_CONFIG_DEPENDS:= \
-	CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
+	CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
 	CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
 	CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
 
@@ -119,6 +119,12 @@ define Build/Configure
 		$(PKG_BUILD_DIR)/localoptions.h; \
 	done
 
+	# enable nistp384 and nistp521 only if full ECC support was requested
+	for OPTION in DROPBEAR_ECC_384 DROPBEAR_ECC_521; do \
+		$(ESED) 's,^(#define '$$$$OPTION') .*$$$$,\1 $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0),g' \
+			$(PKG_BUILD_DIR)/sysoptions.h; \
+	done
+
 	# Enforce rebuild of svr-chansession.c
 	rm -f $(PKG_BUILD_DIR)/svr-chansession.o
 endef
-- 
2.25.1
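Review bot: The new `$(ESED)` loop over `sysoptions.h` gives no signal when its anchored pattern does not match, so if the upstream header ever renames, indents or restructures `#define DROPBEAR_ECC_384` / `DROPBEAR_ECC_521` the build silently keeps whatever value the header ships even though `CONFIG_DROPBEAR_ECC_FULL` is unset (inferred — the header is not part of this diff). Verifying the edit inside the loop turns that drift into a build failure: `grep -q '^#define '"$$$$OPTION"' $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0)$$$$' $(PKG_BUILD_DIR)/sysoptions.h || exit 1; \` placed after the `$(ESED)` command. The `g` flag on the substitution is redundant with the `^…$` anchors and can be dropped. `define Build/Configure` starts outside the hunk; only its tail through `endef` is visible here.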