changeset 1293:dc8f7997f10f

move group14 and group16 to options.h, group14-sha256 on by default
author Matt Johnston <matt@ucc.asn.au>
date Mon, 02 May 2016 17:03:55 +0200
parents 432b0a030fd6
children 56aba7dedbea
files options.h sysoptions.h
diffstat 2 files changed, 12 insertions(+), 7 deletions(-) [+]
line wrap: on
line diff
--- a/options.h	Fri Apr 29 23:04:10 2016 +0800
+++ b/options.h	Mon May 02 17:03:55 2016 +0200
@@ -168,10 +168,20 @@
  * ECDSA above */
 #define DROPBEAR_ECDH
 
-/* Group14 (2048 bit) is recommended. Group1 is less secure (1024 bit) though
-   is the only option for interoperability with some older SSH programs */
+/* Key exchange algorithm.
+ * group1 - 1024 bit, sha1
+ * group14 - 2048 bit, sha1
+ * group14_256 - 2048 bit, sha2-256
+ * group16 - 4096 bit, sha2-512
+ *
+ * group14 is supported by most implementations.
+ * group16 provides a greater strength but is slower and increases binary size
+ * group1 is necessary if compatibility with Dropbear versions < 0.53 is required
+ */ 
 #define DROPBEAR_DH_GROUP1 1
 #define DROPBEAR_DH_GROUP14 1
+#define DROPBEAR_DH_GROUP14_256 1
+#define DROPBEAR_DH_GROUP16 0
 
 /* Control the memory/performance/compression tradeoff for zlib.
  * Set windowBits=8 for least memory usage, see your system's
--- a/sysoptions.h	Fri Apr 29 23:04:10 2016 +0800
+++ b/sysoptions.h	Mon May 02 17:03:55 2016 +0200
@@ -127,11 +127,6 @@
 #define DROPBEAR_MD5
 #endif
 
-/* These are disabled in Dropbear 2016.73 by default since the spec 
-   draft-ietf-curdle-ssh-kex-sha2-02 is under development. */
-#define DROPBEAR_DH_GROUP14_256 0
-#define DROPBEAR_DH_GROUP16 0
-
 /* roughly 2x 521 bits */
 #define MAX_ECC_SIZE 140