Message ID | 20201013125411.114995-3-rsalvaterra@gmail.com |
---|---|
State | Superseded |
Series | dropbear: overhaul the crypto algorithm selection |
On 20. 10. 13. at 9:54 PM, Rui Salvaterra wrote:

> This allows the user to select only the encryption algorithms (s)he requires > (e.g., disabling AES and keeping only ChaCha20-Poly1305). The default selection > maintains the current functionality. > > Additionally, make sure at least one encryption algorithm is selected, lest the > build would fail. > > Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com> > --- > package/network/services/dropbear/Config.in | 21 +++++++++++++++++++++ > package/network/services/dropbear/Makefile | 12 +++++++++--- > 2 files changed, 30 insertions(+), 3 deletions(-) > > diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in > index d2771eca93..9cea6242a6 100644 > --- a/package/network/services/dropbear/Config.in > +++ b/package/network/services/dropbear/Config.in > @@ -64,6 +64,20 @@ config DROPBEAR_AUTOSEL_PK > > endmenu > > +menu "Encryption algorithm selection" > + > +config DROPBEAR_AES128 > + bool "AES-128 support" > + default y > + help > + This enables support for the 128-bit AES cipher > + > +config DROPBEAR_AES256 > + bool "AES-256 support" > + default y > + help > + This enables support for the 256-bit AES cipher > +

Do those options enable AES-GCM too? It looks like they added it with chacha20-poly1305, but unlike chacha it's not enabled by default on upstream. AES-GCM will be enabled by DROPBEAR_ENABLE_GCM_MODE. By the way, keysize is set for entire AES types, so no for just aes-gcm-128 and aes-ctr-256.

> config DROPBEAR_CHACHA20POLY1305 > bool "Chacha20-Poly1305 support" > default y > @@ -73,6 +87,13 @@ config DROPBEAR_CHACHA20POLY1305 > > Increases binary size by about 4 kB (MIPS). > > +config DROPBEAR_AUTOSEL_EA > + def_bool y > + depends on !(DROPBEAR_AES256 || DROPBEAR_CHACHA20POLY1305) > + select DROPBEAR_AES128 > + > +endmenu > + > config DROPBEAR_CURVE25519 > bool "Curve25519 support" > default y 
> diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile > index 2ab2cd396d..768058718c 100644 > --- a/package/network/services/dropbear/Makefile > +++ b/package/network/services/dropbear/Makefile > @@ -30,9 +30,9 @@ PKG_FLAGS:=nonshared > PKG_CONFIG_DEPENDS:= \ > CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ > CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ > - CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ > - CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ > - CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP > + CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \ > + CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \ > + CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP > > include $(INCLUDE_DIR)/package.mk > > @@ -121,6 +121,12 @@ define Build/Configure > echo '#define DROPBEAR_ED25519 $(if $(CONFIG_DROPBEAR_ED25519),1,0)' >> \ > $(PKG_BUILD_DIR)/localoptions.h > > + echo '#define DROPBEAR_AES128 $(if $(CONFIG_DROPBEAR_AES128),1,0)' >> \ > + $(PKG_BUILD_DIR)/localoptions.h > + > + echo '#define DROPBEAR_AES256 $(if $(CONFIG_DROPBEAR_AES256),1,0)' >> \ > + $(PKG_BUILD_DIR)/localoptions.h > + > echo '#define DROPBEAR_CHACHA20POLY1305 $(if $(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \ > $(PKG_BUILD_DIR)/localoptions.h >
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index d2771eca93..9cea6242a6 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -64,6 +64,20 @@ config DROPBEAR_AUTOSEL_PK endmenu +menu "Encryption algorithm selection" + +config DROPBEAR_AES128 + bool "AES-128 support" + default y + help + This enables support for the 128-bit AES cipher + +config DROPBEAR_AES256 + bool "AES-256 support" + default y + help + This enables support for the 256-bit AES cipher + config DROPBEAR_CHACHA20POLY1305 bool "Chacha20-Poly1305 support" default y @@ -73,6 +87,13 @@ config DROPBEAR_CHACHA20POLY1305 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_AUTOSEL_EA + def_bool y + depends on !(DROPBEAR_AES256 || DROPBEAR_CHACHA20POLY1305) + select DROPBEAR_AES128 + +endmenu + config DROPBEAR_CURVE25519 bool "Curve25519 support" default y diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 2ab2cd396d..768058718c 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -30,9 +30,9 @@ PKG_FLAGS:=nonshared PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ - CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ - CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ - CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP + CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \ + CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \ + CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP include $(INCLUDE_DIR)/package.mk 
@@ -121,6 +121,12 @@ define Build/Configure echo '#define DROPBEAR_ED25519 $(if $(CONFIG_DROPBEAR_ED25519),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_AES128 $(if $(CONFIG_DROPBEAR_AES128),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + + echo '#define DROPBEAR_AES256 $(if $(CONFIG_DROPBEAR_AES256),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_CHACHA20POLY1305 $(if $(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h
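Review bot: In the first Config.in hunk (@@ -64,6 +64,20 @@), the help text for DROPBEAR_AES128 and DROPBEAR_AES256 says only "This enables support for the 128-bit AES cipher" (and the 256-bit equivalent), which does not tell the user which cipher modes the switch covers or what disabling it saves. The neighbouring DROPBEAR_CHACHA20POLY1305 entry documents its cost ("Increases binary size by about 4 kB (MIPS)"); the new entries should do the same, and should state whether each option is a key-size switch that applies to every AES mode compiled in, which is the question raised in the reply on this thread. The help sentences also lack a closing period.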
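Review bot: DROPBEAR_AUTOSEL_EA in the second Config.in hunk (@@ -73,6 +87,13 @@) has no prompt, help text or comment, so a user who unticks all three ciphers sees AES-128 switch itself back on with nothing in the menu explaining why. Add a comment above the symbol saying that it forces DROPBEAR_AES128 when neither DROPBEAR_AES256 nor DROPBEAR_CHACHA20POLY1305 is selected, and consider a name that spells out the purpose, since "EA" is not obvious. The comment should also say that the "depends on !(DROPBEAR_AES256 || DROPBEAR_CHACHA20POLY1305)" expression has to be extended whenever another cipher option is added to this menu, otherwise the fallback will keep forcing AES-128 in configurations that already have a cipher selected.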
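Review bot: In the PKG_CONFIG_DEPENDS hunk of the Makefile (@@ -30,9 +30,9 @@), adding two symbols rewraps three lines, so CONFIG_DROPBEAR_UTMP, CONFIG_DROPBEAR_PUTUTLINE, CONFIG_DROPBEAR_DBCLIENT and CONFIG_DROPBEAR_SCP show up as changed although they are not. Putting CONFIG_DROPBEAR_AES128 and CONFIG_DROPBEAR_AES256 on a continuation line of their own would reduce the change to one added line and keep later blame output for the untouched symbols accurate.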
This allows the user to select only the encryption algorithms (s)he requires (e.g., disabling AES and keeping only ChaCha20-Poly1305). The default selection maintains the current functionality.

Additionally, make sure at least one encryption algorithm is selected, lest the build would fail.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
---
 package/network/services/dropbear/Config.in | 21 +++++++++++++++++++++
 package/network/services/dropbear/Makefile  | 12 +++++++++---
 2 files changed, 30 insertions(+), 3 deletions(-)