Mercurial > dropbear
comparison default_options.h @ 1659:d32bcb5c557d
Add Ed25519 support (#91)
* Add support for Ed25519 as a public key type
Ed25519 is a elliptic curve signature scheme that offers
better security than ECDSA and DSA and good performance. It may be
used for both user and host keys.
OpenSSH key import and fuzzer are not supported yet.
Initially inspired by Peter Szabo.
* Add curve25519 and ed25519 fuzzers
* Add import and export of Ed25519 keys
| author | Vladislav Grishenko <themiron@users.noreply.github.com> |
|---|---|
| date | Wed, 11 Mar 2020 21:09:45 +0500 |
| parents | aabde6f57fce |
| children | 26e07f7f682a |
comparison
equal
deleted
inserted
replaced
| 1658:7402218141d4 | 1659:d32bcb5c557d |
|---|---|
| 20 | 20 |
| 21 /* Default hostkey paths - these can be specified on the command line */ | 21 /* Default hostkey paths - these can be specified on the command line */ |
| 22 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" | 22 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" |
| 23 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" | 23 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" |
| 24 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" | 24 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" |
| 25 #define ED25519_PRIV_FILENAME "/etc/dropbear/dropbear_ed25519_host_key" | |
| 25 | 26 |
| 26 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens | 27 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens |
| 27 * on chosen ports and keeps accepting connections. This is the default. | 28 * on chosen ports and keeps accepting connections. This is the default. |
| 28 * | 29 * |
| 29 * Set INETD_MODE if you want to be able to run Dropbear with inetd (or | 30 * Set INETD_MODE if you want to be able to run Dropbear with inetd (or |
| 114 #define DROPBEAR_DSS 1 | 115 #define DROPBEAR_DSS 1 |
| 115 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC | 116 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC |
| 116 * code (either ECDSA or ECDH) increases binary size - around 30kB | 117 * code (either ECDSA or ECDH) increases binary size - around 30kB |
| 117 * on x86-64 */ | 118 * on x86-64 */ |
| 118 #define DROPBEAR_ECDSA 1 | 119 #define DROPBEAR_ECDSA 1 |
| 120 /* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases | |
| 121 binary size - around 7,5kB on x86-64 */ | |
| 122 #define DROPBEAR_ED25519 1 | |
| 119 | 123 |
| 120 /* RSA must be >=1024 */ | 124 /* RSA must be >=1024 */ |
| 121 #define DROPBEAR_DEFAULT_RSA_SIZE 2048 | 125 #define DROPBEAR_DEFAULT_RSA_SIZE 2048 |
| 122 /* DSS is always 1024 */ | 126 /* DSS is always 1024 */ |
| 123 /* ECDSA defaults to largest size configured, usually 521 */ | 127 /* ECDSA defaults to largest size configured, usually 521 */ |
| 128 /* Ed25519 is always 256 */ | |
| 124 | 129 |
| 125 /* Add runtime flag "-R" to generate hostkeys as-needed when the first | 130 /* Add runtime flag "-R" to generate hostkeys as-needed when the first |
| 126 connection using that key type occurs. | 131 connection using that key type occurs. |
| 127 This avoids the need to otherwise run "dropbearkey" and avoids some problems | 132 This avoids the need to otherwise run "dropbearkey" and avoids some problems |
| 128 with badly seeded /dev/urandom when systems first boot. */ | 133 with badly seeded /dev/urandom when systems first boot. */ |
| 141 * group1 is too small for security though is necessary if you need | 146 * group1 is too small for security though is necessary if you need |
| 142 compatibility with some implementations such as Dropbear versions < 0.53 | 147 compatibility with some implementations such as Dropbear versions < 0.53 |
| 143 * group14 is supported by most implementations. | 148 * group14 is supported by most implementations. |
| 144 * group16 provides a greater strength level but is slower and increases binary size | 149 * group16 provides a greater strength level but is slower and increases binary size |
| 145 * curve25519 and ecdh algorithms are faster than non-elliptic curve methods | 150 * curve25519 and ecdh algorithms are faster than non-elliptic curve methods |
| 146 * curve25519 increases binary size by ~8kB on x86-64 | 151 * curve25519 increases binary size by ~2,5kB on x86-64 |
| 147 * including either ECDH or ECDSA increases binary size by ~30kB on x86-64 | 152 * including either ECDH or ECDSA increases binary size by ~30kB on x86-64 |
| 148 | 153 |
| 149 * Small systems should generally include either curve25519 or ecdh for performance. | 154 * Small systems should generally include either curve25519 or ecdh for performance. |
| 150 * curve25519 is less widely supported but is faster | 155 * curve25519 is less widely supported but is faster |
| 151 */ | 156 */ |