changeset 1544:d1a8a05216ff

make group1 client-only
author Matt Johnston <matt@ucc.asn.au>
date Mon, 26 Feb 2018 22:42:53 +0800
parents 016b86f03e21
children 0b991dec7ab9 bb8eaa26bc93 2c902644036d
files default_options.h svr-session.c
diffstat 2 files changed, 19 insertions(+), 1 deletions(-) [+]
--- a/default_options.h	Mon Feb 26 22:19:01 2018 +0800
+++ b/default_options.h	Mon Feb 26 22:42:53 2018 +0800
@@ -149,12 +149,17 @@
  * Small systems should generally include either curve25519 or ecdh for performance.
  * curve25519 is less widely supported but is faster
  */ 
-#define DROPBEAR_DH_GROUP1 0
 #define DROPBEAR_DH_GROUP14_SHA1 1
 #define DROPBEAR_DH_GROUP14_SHA256 1
 #define DROPBEAR_DH_GROUP16 0
 #define DROPBEAR_CURVE25519 1
 #define DROPBEAR_ECDH 1
+#define DROPBEAR_DH_GROUP1 1
+
+/* When group1 is enabled it will only be allowed by Dropbear client
+not as a server, due to concerns over its strength. Set to 0 to allow
+group1 in Dropbear server too */
+#define DROPBEAR_DH_GROUP1_CLIENTONLY 1
 
 /* Control the memory/performance/compression tradeoff for zlib.
  * Set windowBits=8 for least memory usage, see your system's
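Review bot: The default for `DROPBEAR_DH_GROUP1` flips from 0 to 1 in this hunk, but the new comment only explains the server-side restriction and never says that a default build now compiles the group1 exchange in for the client. Since the comment itself cites concerns over the group's strength, it should tell builders how to remove it entirely, for example `/* group1 is kept only so the client can reach legacy servers; set DROPBEAR_DH_GROUP1 to 0 to remove it from the client as well */`. The define also now sits below the other key-exchange options, away from the block comment that describes them (that comment starts outside this hunk); leaving it in its original position would keep the list readable.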
--- a/svr-session.c	Mon Feb 26 22:19:01 2018 +0800
+++ b/svr-session.c	Mon Feb 26 22:42:53 2018 +0800
@@ -42,6 +42,7 @@
 #include "crypto_desc.h"
 
 static void svr_remoteclosed(void);
+static void svr_algos_initialise(void);
 
 struct serversession svr_ses; /* GLOBAL */
 
@@ -102,6 +103,7 @@
 	svr_authinitialise();
 	chaninitialise(svr_chantypes);
 	svr_chansessinitialise();
+	svr_algos_initialise();
 
 	/* for logging the remote address */
 	get_socket_address(ses.sock_in, NULL, NULL, &host, &port, 0);
@@ -243,3 +245,14 @@
 
 }
 
+static void svr_algos_initialise(void) {
+#if DROPBEAR_DH_GROUP1 && DROPBEAR_DH_GROUP1_CLIENTONLY
+	algo_type *algo;
+	for (algo = sshkex; algo->name; algo++) {
+		if (strcmp(algo->name, "diffie-hellman-group1-sha1") == 0) {
+			algo->usable = 0;
+		}
+	}
+#endif
+}
+
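Review bot: The `#if DROPBEAR_DH_GROUP1 && DROPBEAR_DH_GROUP1_CLIENTONLY` guard in `svr_algos_initialise` fails open: an undefined `DROPBEAR_DH_GROUP1_CLIENTONLY` evaluates to 0 in the preprocessor, so a build whose options headers omit it would let the server offer group1 without any warning. Unless the options machinery guarantees a definition (not visible here), consider `#if DROPBEAR_DH_GROUP1 && (!defined(DROPBEAR_DH_GROUP1_CLIENTONLY) || DROPBEAR_DH_GROUP1_CLIENTONLY)` so that the restrictive behaviour is the default. The loop also relies on the literal `"diffie-hellman-group1-sha1"` matching the entry name in `sshkex` and silently does nothing if no entry matches. A short comment such as `/* must run before the server's first KEXINIT is built; name must match the sshkex entry */` would record both assumptions, since the code that sends KEXINIT is outside these hunks.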