dropbear: add option to enable modern crypto only

reduces binary/package size and increases overall performance also: - adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256 Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-12-19 05:38:00 +00:00 · 2024-01-09 03:40:01 +03:00 · 2024-01-09 03:40:01 +03:00 · bf900e02c7
commit bf900e02c7
parent 88c8053d47
3 changed files with 39 additions and 6 deletions
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@ -145,4 +145,25 @@ config DROPBEAR_AGENTFORWARD
 		Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
 		dropbear client) if DROPBEAR_DBCLIENT is selected.

+config DROPBEAR_MODERN_ONLY
+	bool "Use modern crypto only [BREAKS COMPATIBILITY]"
+	select DROPBEAR_ED25519
+	select DROPBEAR_CURVE25519
+	select DROPBEAR_CHACHA20POLY1305
+	help
+		This option enables:
+		 - Chacha20-Poly1305
+		 - Curve25519
+		 - Ed25519
+		and disables:
+		 - AES
+		 - RSA
+		 - SHA1
+
+		Reduces binary size by about 64 kB (MIPS) from default
+		configuration.
+
+		Consider enabling this option if you're building own OpenWrt
+		image and using modern SSH software everywhere.
+
 endmenu
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@ -33,7 +33,8 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
 	CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
 	CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \
-	CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD
+	CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD \
+	CONFIG_DROPBEAR_MODERN_ONLY

 include $(INCLUDE_DIR)/package.mk

@ -148,6 +149,11 @@ DB_OPT_CONFIG = \
 	DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_ASKPASS,1,0 \
 	DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD,1,0 \
 	DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_AGENTFORWARD,1,0 \
+	DROPBEAR_AES128,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+	DROPBEAR_AES256,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+	DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+	DROPBEAR_RSA,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+	DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \


 TARGET_CFLAGS += -DARGTYPE=3
--- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
+++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
@ -21,7 +21,7 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>

 --- a/signkey.c
 +++ b/signkey.c
-@@ -652,8 +652,12 @@ int buf_verify(buffer * buf, sign_key *k
+@@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k
 	sigtype = signature_type_from_name(type_name, type_name_len);
 	m_free(type_name);
 
@ -29,10 +29,16 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
 -			dropbear_exit("Non-matching signing type");
 +	if (sigtype == DROPBEAR_SIGNATURE_NONE) {
 +		dropbear_exit("No signature type");
-+	}
-+
-+	if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
-+		dropbear_exit("Non-matching signing type");
 	}
 
+#if DROPBEAR_RSA
+#if DROPBEAR_RSA_SHA256
+	if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
+		dropbear_exit("Non-matching signing type");
+	}
+#endif
+#endif
+
 	keytype = signkey_type_from_signature(sigtype);
+ #if DROPBEAR_DSS
+ 	if (keytype == DROPBEAR_SIGNKEY_DSS) {