mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-24 07:46:48 +00:00
65d62b5f4f
As MD5 is known weak for many years and more and more penetration test tools complain about enabled MD5 HMAC I think it's time to drop it. By disabling the MD5 HMAC support dropbear will also automatically use SHA1 for fingerprints. This shouldn't be a problem too. Signed-off-by: Martin Schiller <ms@dev.tdt.de>
83 lines
3.2 KiB
Diff
83 lines
3.2 KiB
Diff
--- a/options.h
|
|
+++ b/options.h
|
|
@@ -41,7 +41,7 @@
|
|
* Both of these flags can be defined at once, don't compile without at least
|
|
* one of them. */
|
|
#define NON_INETD_MODE
|
|
-#define INETD_MODE
|
|
+/*#define INETD_MODE*/
|
|
|
|
/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
|
|
* perhaps 20% slower for pubkey operations (it is probably worth experimenting
|
|
@@ -81,7 +81,7 @@ much traffic. */
|
|
|
|
/* Enable "Netcat mode" option. This will forward standard input/output
|
|
* to a remote TCP-forwarded connection */
|
|
-#define ENABLE_CLI_NETCAT
|
|
+/*#define ENABLE_CLI_NETCAT*/
|
|
|
|
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
|
|
#define ENABLE_USER_ALGO_LIST
|
|
@@ -91,16 +91,16 @@ much traffic. */
|
|
* Including multiple keysize variants the same cipher
|
|
* (eg AES256 as well as AES128) will result in a minimal size increase.*/
|
|
#define DROPBEAR_AES128
|
|
-#define DROPBEAR_3DES
|
|
+/*#define DROPBEAR_3DES*/
|
|
#define DROPBEAR_AES256
|
|
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
|
|
/*#define DROPBEAR_BLOWFISH*/
|
|
-#define DROPBEAR_TWOFISH256
|
|
-#define DROPBEAR_TWOFISH128
|
|
+/*#define DROPBEAR_TWOFISH256*/
|
|
+/*#define DROPBEAR_TWOFISH128*/
|
|
|
|
/* Enable CBC mode for ciphers. This has security issues though
|
|
* is the most compatible with older SSH implementations */
|
|
-#define DROPBEAR_ENABLE_CBC_MODE
|
|
+/*#define DROPBEAR_ENABLE_CBC_MODE*/
|
|
|
|
/* Enable "Counter Mode" for ciphers. This is more secure than normal
|
|
* CBC mode against certain attacks. It is recommended for security
|
|
@@ -131,10 +131,10 @@ If you test it please contact the Dropbe
|
|
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
|
|
* which are not the standard form. */
|
|
#define DROPBEAR_SHA1_HMAC
|
|
-#define DROPBEAR_SHA1_96_HMAC
|
|
+/*#define DROPBEAR_SHA1_96_HMAC*/
|
|
#define DROPBEAR_SHA2_256_HMAC
|
|
-#define DROPBEAR_SHA2_512_HMAC
|
|
-#define DROPBEAR_MD5_HMAC
|
|
+/*#define DROPBEAR_SHA2_512_HMAC*/
|
|
+/*#define DROPBEAR_MD5_HMAC*/
|
|
|
|
/* You can also disable integrity. Don't bother disabling this if you're
|
|
* still using a cipher, it's relatively cheap. If you disable this it's dead
|
|
@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
|
|
* Removing either of these won't save very much space.
|
|
* SSH2 RFC Draft requires dss, recommends rsa */
|
|
#define DROPBEAR_RSA
|
|
-#define DROPBEAR_DSS
|
|
+/*#define DROPBEAR_DSS*/
|
|
/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
|
|
* code (either ECDSA or ECDH) increases binary size - around 30kB
|
|
* on x86-64 */
|
|
@@ -194,7 +194,7 @@ If you test it please contact the Dropbe
|
|
|
|
/* Whether to print the message of the day (MOTD). This doesn't add much code
|
|
* size */
|
|
-#define DO_MOTD
|
|
+/*#define DO_MOTD*/
|
|
|
|
/* The MOTD file path */
|
|
#ifndef MOTD_FILENAME
|
|
@@ -242,7 +242,7 @@ Homedir is prepended unless path begins
|
|
* note that it will be provided for all "hidden" client-interactive
|
|
* style prompts - if you want something more sophisticated, use
|
|
* SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
|
|
-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
|
|
+/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/
|
|
|
|
/* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
|
|
* a helper program for the ssh client. The helper program should be
|