This allows the user to select only the key exchange algorithms (s)he requires (e.g., disabling group 14 SHA-{1,256} and keeping only Curve25519). The default selection maintains the current functionality.
Additionally, make sure at least one key exchange algorithm is selected, lest the build would fail.
Signed-off-by: Rui Salvaterra <rsalvate...@gmail.com>
---
 package/network/services/dropbear/Config.in | 17 +++++++++++++++++
 package/network/services/dropbear/Makefile | 7 +++++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index 6d2b4cdfae..b0ad21f907 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -94,6 +94,16 @@ config DROPBEAR_AUTOSEL_EA
 endmenu
+menu "Key exchange algorithm selection"
+
+config DROPBEAR_DH_GROUP14_SHA1
+ bool "Group 14 SHA-1"
+ default y
+
+config DROPBEAR_DH_GROUP14_SHA256
+ bool "Group 14 SHA-256"
+ default y
+
 config DROPBEAR_CURVE25519
 bool "Curve25519 support"
 default y
@@ -103,6 +113,13 @@ config DROPBEAR_CURVE25519
 Increases binary size by about 4 kB (MIPS).
+config DROPBEAR_AUTOSEL_KEX
+ def_bool y
+ depends on !(DROPBEAR_DH_GROUP14_SHA1 || DROPBEAR_CURVE25519)
+ select DROPBEAR_DH_GROUP14_SHA256
+
+endmenu
+
 config DROPBEAR_ZLIB
 bool "Enable compression"
 default n
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 1d131455a2..7a6cc96f94 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -33,7 +33,8 @@ PKG_CONFIG_DEPENDS:= \
 CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
 CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
 CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \
- CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256
+ CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \
+ DROPBEAR_DH_GROUP14_SHA1 DROPBEAR_DH_GROUP14_SHA256
 include $(INCLUDE_DIR)/package.mk
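Review bot: The new `DROPBEAR_DH_GROUP14_SHA1` and `DROPBEAR_DH_GROUP14_SHA256` entries in the first Config.in hunk carry no `help` text, while `DROPBEAR_CURVE25519` right below them does, so menuconfig gives no guidance on which key exchange to keep. Since the commit message names disabling the group 14 variants as the use case, each entry should say which SSH kex method it controls and that SHA-1 is the legacy choice. For the first one I would add `help` followed by `Enables diffie-hellman-group14-sha1. SHA-1 based; disable unless older clients need it.`, and a matching line for the SHA-256 variant. Keeping `default y` on both is consistent with the stated goal of not changing current behaviour.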
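Review bot: In the second Config.in hunk, the guard on `DROPBEAR_AUTOSEL_KEX` is `depends on !(DROPBEAR_DH_GROUP14_SHA1 || DROPBEAR_CURVE25519)`, so a configuration with only Group 14 SHA-1 enabled satisfies it and builds with SHA-1 as the sole key exchange. That may be intended, since the stated aim is only to avoid a build with no kex at all, but the hidden symbol has no comment saying so. I would put `# Force group 14 SHA-256 when no other key exchange is enabled, so the build cannot end up with none.` above the `config` line. The `DROPBEAR_CURVE25519` help text that precedes the addition starts outside the hunk.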
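Review bot: The two names added to `PKG_CONFIG_DEPENDS` in the first Makefile hunk are missing the `CONFIG_` prefix that every other visible entry has, and that the new `DB_OPT_CONFIG` lines in the second hunk use. As written, `DROPBEAR_DH_GROUP14_SHA1 DROPBEAR_DH_GROUP14_SHA256` will presumably not match any build-system symbol, so toggling these options would not trigger a rebuild and an existing binary with the old key exchange set could end up in the image. The line should read `CONFIG_DROPBEAR_DH_GROUP14_SHA1 CONFIG_DROPBEAR_DH_GROUP14_SHA256`. The list begins outside the hunk, so whether `CONFIG_DROPBEAR_CURVE25519` is already tracked there cannot be checked from here.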
@@ -140,7 +141,9 @@ DB_OPT_CONFIG = \
 DROPBEAR_CLI_ASKPASS_HELPER|CONFIG_DROPBEAR_ASKPASS|1|0 \
 DROPBEAR_RSA|CONFIG_DROPBEAR_RSA|1|0 \
 DROPBEAR_AES128|CONFIG_DROPBEAR_AES128|1|0 \
- DROPBEAR_AES256|CONFIG_DROPBEAR_AES256|1|0
+ DROPBEAR_AES256|CONFIG_DROPBEAR_AES256|1|0 \
+ DROPBEAR_DH_GROUP14_SHA1|CONFIG_DROPBEAR_DH_GROUP14_SHA1|1|0 \
+ DROPBEAR_DH_GROUP14_SHA256|CONFIG_DROPBEAR_DH_GROUP14_SHA256|1|0
 TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto
 TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver
--
2.29.2
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel