@@ -1,6 +1,13 @@
menu "Configuration"
depends on PACKAGE_dropbear
+config DROPBEAR_RSA
+ bool "RSA support"
+ default y
+ help
+ The ubiquitous RSA public key algorithm.
+ Keep enabled, unless you're 100 % sure you don't need it!
+
config DROPBEAR_CURVE25519
bool "Curve25519 support"
default y
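Review bot: Nothing stops `DROPBEAR_RSA`, `DROPBEAR_ED25519` and `DROPBEAR_ECC` from all being disabled at once, and the Makefile hunks below make every `dropbear_*_host_key` file conditional on one of those three symbols, so such a build would ship without any host key file. The help text should at least say so; I would append `Disabling this also drops the ssh-rsa host key, so keep at least one of the Ed25519 or ECDSA options enabled.` after the "100 %" line. If the Kconfig flavour used here supports it, a `depends on`/`select` relationship that refuses the all-off combination in the menu itself would be better than prose.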
@@ -28,7 +28,7 @@ PKG_FIXUP:=autoreconf
PKG_CONFIG_DEPENDS:= \
CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
- CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
+ CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
CONFIG_DROPBEAR_DBCLIENT
@@ -64,9 +64,9 @@ define Package/dropbear/description
endef
define Package/dropbear/conffiles
+$(if $(CONFIG_DROPBEAR_RSA),/etc/dropbear/dropbear_rsa_host_key)
$(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key)
$(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key)
-/etc/dropbear/dropbear_rsa_host_key
/etc/config/dropbear
endef
@@ -104,6 +104,9 @@ define Build/Configure
echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \
$(PKG_BUILD_DIR)/localoptions.h
+ echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \
+ $(PKG_BUILD_DIR)/localoptions.h
+
echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
$(PKG_BUILD_DIR)/localoptions.h
@@ -169,7 +172,7 @@ define Package/dropbear/install
$(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear
$(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key)
$(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key)
- touch $(1)/etc/dropbear/dropbear_rsa_host_key
+ $(if $(CONFIG_DROPBEAR_RSA),touch $(1)/etc/dropbear/dropbear_rsa_host_key)
endef
define Package/dropbearconvert/install
@@ -19,22 +19,26 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
signkey.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
-diff --git a/signkey.c b/signkey.c
-index 92fe6a242cd0..d16ab174d83a 100644
--- a/signkey.c
+++ b/signkey.c
-@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype,
+@@ -657,9 +657,19 @@ int buf_verify(buffer * buf, sign_key *k
sigtype = signature_type_from_name(type_name, type_name_len);
m_free(type_name);
-- if (expect_sigtype != sigtype) {
-- dropbear_exit("Non-matching signing type");
++#if DROPBEAR_RSA
+ if (sigtype == DROPBEAR_SIGNATURE_NONE) {
+ dropbear_exit("No signature type");
+ }
+
+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
++ dropbear_exit("Non-matching signing type");
++ }
++#else
+ if (expect_sigtype != sigtype) {
+- dropbear_exit("Non-matching signing type");
+ dropbear_exit("Non-matching signing type");
}
++#endif
keytype = signkey_type_from_signature(sigtype);
+ #if DROPBEAR_DSS
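Review bot: The `sigtype == DROPBEAR_SIGNATURE_NONE` rejection is now compiled only inside the `DROPBEAR_RSA` branch, so a build without RSA falls back to the bare `expect_sigtype != sigtype` comparison and relies on no caller ever passing `DROPBEAR_SIGNATURE_NONE` as the expected type to reject an unrecognised signature name. Hoisting that three-line check above `#if DROPBEAR_RSA` makes the rejection explicit in both configurations and leaves only the relaxed comparison `(expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)` inside the conditional. The `#if` is presumably needed because `DROPBEAR_SIGNATURE_RSA_SHA256` is only declared when RSA is compiled in; a one-line comment on it, `/* DROPBEAR_SIGNATURE_RSA_SHA256 only exists with RSA; keep the strict check otherwise */`, would save the next reader that lookup. The patch header's diffstat (`signkey.c | 8 ++++++--`, `6 insertions(+), 2 deletions(-)`) was not regenerated and no longer matches the `+657,19` hunk. buf_verify continues outside the hunk.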
This allows the user to disable the RSA algorithm in Dropbear, if not required. (RSA is still enabled by default, of course, due to its ubiquity.) Size comparison of the dropbear executable (cortex-a9+neon): RSA + Ed25519: 182804 bytes RSA only: 170496 bytes Ed25519 only: 166356 bytes Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com> --- package/network/services/dropbear/Config.in | 7 +++++++ package/network/services/dropbear/Makefile | 9 ++++++--- ...0-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 14 +++++++++----- 3 files changed, 22 insertions(+), 8 deletions(-)