mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-24 15:56:49 +00:00
dropbear: disable 3des, cbc mode, dss support, saves about 5k gzipped
While technically required by the RFC, they are usually completely unused (DSA), or have security issues (3DES, CBC) Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 46814
This commit is contained in:
parent
b13d8e55a7
commit
a4cf4c35af
@ -18,7 +18,12 @@
|
|||||||
|
|
||||||
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
|
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
|
||||||
#define ENABLE_USER_ALGO_LIST
|
#define ENABLE_USER_ALGO_LIST
|
||||||
@@ -95,8 +95,8 @@ much traffic. */
|
@@ -91,16 +91,16 @@ much traffic. */
|
||||||
|
* Including multiple keysize variants the same cipher
|
||||||
|
* (eg AES256 as well as AES128) will result in a minimal size increase.*/
|
||||||
|
#define DROPBEAR_AES128
|
||||||
|
-#define DROPBEAR_3DES
|
||||||
|
+/*#define DROPBEAR_3DES*/
|
||||||
#define DROPBEAR_AES256
|
#define DROPBEAR_AES256
|
||||||
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
|
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
|
||||||
/*#define DROPBEAR_BLOWFISH*/
|
/*#define DROPBEAR_BLOWFISH*/
|
||||||
@ -29,6 +34,11 @@
|
|||||||
|
|
||||||
/* Enable CBC mode for ciphers. This has security issues though
|
/* Enable CBC mode for ciphers. This has security issues though
|
||||||
* is the most compatible with older SSH implementations */
|
* is the most compatible with older SSH implementations */
|
||||||
|
-#define DROPBEAR_ENABLE_CBC_MODE
|
||||||
|
+/*#define DROPBEAR_ENABLE_CBC_MODE*/
|
||||||
|
|
||||||
|
/* Enable "Counter Mode" for ciphers. This is more secure than normal
|
||||||
|
* CBC mode against certain attacks. It is recommended for security
|
||||||
@@ -131,9 +131,9 @@ If you test it please contact the Dropbe
|
@@ -131,9 +131,9 @@ If you test it please contact the Dropbe
|
||||||
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
|
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
|
||||||
* which are not the standard form. */
|
* which are not the standard form. */
|
||||||
@ -42,6 +52,15 @@
|
|||||||
#define DROPBEAR_MD5_HMAC
|
#define DROPBEAR_MD5_HMAC
|
||||||
|
|
||||||
/* You can also disable integrity. Don't bother disabling this if you're
|
/* You can also disable integrity. Don't bother disabling this if you're
|
||||||
|
@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
|
||||||
|
* Removing either of these won't save very much space.
|
||||||
|
* SSH2 RFC Draft requires dss, recommends rsa */
|
||||||
|
#define DROPBEAR_RSA
|
||||||
|
-#define DROPBEAR_DSS
|
||||||
|
+/*#define DROPBEAR_DSS*/
|
||||||
|
/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
|
||||||
|
* code (either ECDSA or ECDH) increases binary size - around 30kB
|
||||||
|
* on x86-64 */
|
||||||
@@ -189,7 +189,7 @@ If you test it please contact the Dropbe
|
@@ -189,7 +189,7 @@ If you test it please contact the Dropbe
|
||||||
|
|
||||||
/* Whether to print the message of the day (MOTD). This doesn't add much code
|
/* Whether to print the message of the day (MOTD). This doesn't add much code
|
||||||
|
Loading…
Reference in New Issue
Block a user