[PATCH 3/3] dropbear: create a submenu for key exchange algorithms

Rui Salvaterra rsalvaterra at gmail.com
Tue Oct 13 08:54:12 EDT 2020


This allows the user to select only the key exchange algorithms (s)he requires
(e.g., disabling group 14 SHA-{1,256} and keeping only Curve25519). The default
selection maintains the current functionality.

Additionally, make sure at least one key exchange algorithm is selected, lest
the build fail.

Signed-off-by: Rui Salvaterra <rsalvaterra at gmail.com>
---
 package/network/services/dropbear/Config.in | 12 ++++++++++++
 package/network/services/dropbear/Makefile  | 13 ++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index 9cea6242a6..066dab0a9b 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -94,6 +94,16 @@ config DROPBEAR_AUTOSEL_EA
 
 endmenu
 
+menu "Key exchange algorithm selection"
+
+config DROPBEAR_DH_GROUP14_SHA1
+	bool "Group 14 SHA-1"
+	default y
+
+config DROPBEAR_DH_GROUP14_SHA256
+	bool "Group 14 SHA-256"
+	default y
+
 config DROPBEAR_CURVE25519
 	bool "Curve25519 support"
 	default y
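Review bot: The commit message promises that at least one key exchange algorithm stays selected, but the three symbols in this menu are independent bools with unconditional prompts, so nothing visible in this patch stops a user from disabling all of them (together with DROPBEAR_ECC, which drives DROPBEAR_ECDH in the Makefile). One way to enforce it in Kconfig is to make the Curve25519 prompt conditional, `bool "Curve25519 support" if DROPBEAR_DH_GROUP14_SHA1 || DROPBEAR_DH_GROUP14_SHA256 || DROPBEAR_ECC`, so the symbol falls back to its `default y` when no other exchange is enabled. The two new symbols also lack a `help` text; a sentence each naming the algorithm, and saying that the SHA-1 variant is on by default only to keep existing clients working, would help users decide what to disable. The DROPBEAR_CURVE25519 entry continues past the end of this hunk.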
@@ -103,6 +113,8 @@ config DROPBEAR_CURVE25519
 
 		Increases binary size by about 4 kB (MIPS).
 
+endmenu
+
 config DROPBEAR_ZLIB
 	bool "Enable compression"
 	default n
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 768058718c..d0b0dbf3dc 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -32,6 +32,7 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
 	CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \
 	CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \
+	CONFIG_DROPBEAR_DH_GROUP14_SHA1 CONFIG_DROPBEAR_DH_GROUP14_SHA256 \
 	CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP
 
 include $(INCLUDE_DIR)/package.mk
@@ -110,9 +111,6 @@ define Build/Configure
 	echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \
 		$(PKG_BUILD_DIR)/localoptions.h
 
-	echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
-		$(PKG_BUILD_DIR)/localoptions.h
-
 	for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
 		echo "#define $$$$OPTION $(if $(CONFIG_DROPBEAR_ECC),1,0)" >> \
 			$(PKG_BUILD_DIR)/localoptions.h; \
@@ -130,6 +128,15 @@ define Build/Configure
 	echo '#define DROPBEAR_CHACHA20POLY1305 $(if $(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \
 		$(PKG_BUILD_DIR)/localoptions.h
 
+	echo '#define DROPBEAR_DH_GROUP14_SHA1 $(if $(CONFIG_DROPBEAR_DH_GROUP14_SHA1),1,0)' >> \
+		$(PKG_BUILD_DIR)/localoptions.h
+
+	echo '#define DROPBEAR_DH_GROUP14_SHA256 $(if $(CONFIG_DROPBEAR_DH_GROUP14_SHA256),1,0)' >> \
+		$(PKG_BUILD_DIR)/localoptions.h
+
+	echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
+		$(PKG_BUILD_DIR)/localoptions.h
+
 	# remove protocol idented software version number
 	$(ESED) 's,^(#define LOCAL_IDENT) .*$$$$,\1 "SSH-2.0-dropbear",g' \
 		$(PKG_BUILD_DIR)/sysoptions.h
-- 
2.28.0



