dropbear: add option to enable modern crypto only

author Konstantin Demin <rockdrilla@gmail.com>

Tue, 9 Jan 2024 00:40:01 +0000 (03:40 +0300)

committer Rui Salvaterra <rsalvaterra@gmail.com>

Fri, 9 Feb 2024 09:13:05 +0000 (09:13 +0000)
author Konstantin Demin <rockdrilla@gmail.com>
Tue, 9 Jan 2024 00:40:01 +0000 (03:40 +0300)
committer Rui Salvaterra <rsalvaterra@gmail.com>
Fri, 9 Feb 2024 09:13:05 +0000 (09:13 +0000)
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in

index 449cc2a421dc7696bc50107b1ac3ffb714dc885c..fd4d5f3c7a5e49a54fe2124d5230b204c1b7f560 100644 (file)
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -145,4 +145,25 @@ config DROPBEAR_AGENTFORWARD
                 Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
                 dropbear client) if DROPBEAR_DBCLIENT is selected.
  
+config DROPBEAR_MODERN_ONLY
+       bool "Use modern crypto only [BREAKS COMPATIBILITY]"
+       select DROPBEAR_ED25519
+       select DROPBEAR_CURVE25519
+       select DROPBEAR_CHACHA20POLY1305
+       help
+               This option enables:
+                - Chacha20-Poly1305
+                - Curve25519
+                - Ed25519
+               and disables:
+                - AES
+                - RSA
+                - SHA1
+
+               Reduces binary size by about 64 kB (MIPS) from default
+               configuration.
+
+               Consider enabling this option if you're building own OpenWrt
+               image and using modern SSH software everywhere.
+
  endmenu
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile

index ef67371e1d8a90b1fbcabb86ec0a2312c643df90..653911b7647254933ac351f4fcbaff3f48b0aff2 100644 (file)
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -33,7 +33,8 @@ PKG_CONFIG_DEPENDS:= \
         CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
         CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
         CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \
-       CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD
+       CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD \
+       CONFIG_DROPBEAR_MODERN_ONLY
  
  include $(INCLUDE_DIR)/package.mk
  
@@ -148,6 +149,11 @@ DB_OPT_CONFIG = \
         DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_ASKPASS,1,0 \
         DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD,1,0 \
         DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_AGENTFORWARD,1,0 \
+       DROPBEAR_AES128,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+       DROPBEAR_AES256,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+       DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+       DROPBEAR_RSA,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+       DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
  
  
  TARGET_CFLAGS += -DARGTYPE=3
diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch

index 442fdcfc756d8887275605a0114a93ae326f1243..059177a1c58174d0e7304554f94b6d0f40181f34 100644 (file)
--- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
+++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
@@ -21,7 +21,7 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
  
  --- a/signkey.c
  +++ b/signkey.c
-@@ -652,8 +652,12 @@ int buf_verify(buffer * buf, sign_key *k
+@@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k
         sigtype = signature_type_from_name(type_name, type_name_len);
         m_free(type_name);
   
@@ -29,10 +29,16 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
  -                      dropbear_exit("Non-matching signing type");
  +      if (sigtype == DROPBEAR_SIGNATURE_NONE) {
  +              dropbear_exit("No signature type");
-+      }
-+
-+      if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
-+              dropbear_exit("Non-matching signing type");
         }
   
++#if DROPBEAR_RSA
++#if DROPBEAR_RSA_SHA256
++      if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
++              dropbear_exit("Non-matching signing type");
++      }
++#endif
++#endif
++
         keytype = signkey_type_from_signature(sigtype);
+ #if DROPBEAR_DSS
+       if (keytype == DROPBEAR_SIGNKEY_DSS) {
author	Konstantin Demin <rockdrilla@gmail.com>
	Tue, 9 Jan 2024 00:40:01 +0000 (03:40 +0300)
committer	Rui Salvaterra <rsalvaterra@gmail.com>
	Fri, 9 Feb 2024 09:13:05 +0000 (09:13 +0000)
package/network/services/dropbear/Config.in		patch \| blob \| history
package/network/services/dropbear/Makefile		patch \| blob \| history
package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch		patch \| blob \| history