changeset 1919:ff8a81386a2b

Disable dh-group1 KEX by default. Add comments for SK keys.
author Matt Johnston <matt@ucc.asn.au>
date Wed, 30 Mar 2022 12:51:32 +0800
parents 863f31b4cf3c
children 1489449eceb1
files default_options.h
diffstat 1 files changed, 4 insertions(+), 2 deletions(-) [+]
--- a/default_options.h	Wed Mar 30 12:03:50 2022 +0800
+++ b/default_options.h	Wed Mar 30 12:51:32 2022 +0800
@@ -134,10 +134,12 @@
  * code (either ECDSA or ECDH) increases binary size - around 30kB
  * on x86-64 */
 #define DROPBEAR_ECDSA 1
-#define DROPBEAR_SK_ECDSA 1
 /* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases
    binary size - around 7,5kB on x86-64 */
 #define DROPBEAR_ED25519 1
+/* SK_ECDSA/SK_ED25519 allows u2f security keys for public key auth.
+ * This is currently server-only. */
+#define DROPBEAR_SK_ECDSA 1
 #define DROPBEAR_SK_ED25519 1
 
 /* RSA must be >=1024 */
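Review bot: The new SK comment says what the options do and that they are server-only, but not how they relate to the base algorithms they are now placed next to; presumably DROPBEAR_SK_ECDSA needs DROPBEAR_ECDSA and DROPBEAR_SK_ED25519 needs DROPBEAR_ED25519 (the moved define sits after the Ed25519 block, which hints at that dependency), and if so the comment should state it so someone turning off ECDSA to save the ~30kB mentioned above does not leave a dangling SK option. A sentence such as `Each SK option requires the matching non-SK algorithm above to be enabled.` after "This is currently server-only." would cover it, provided that is confirmed against the option checks elsewhere in the tree. The "u2f" spelling could also be written as "U2F/FIDO" to match the usual name of the protocol.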
@@ -178,7 +180,7 @@
 #define DROPBEAR_DH_GROUP16 0
 #define DROPBEAR_CURVE25519 1
 #define DROPBEAR_ECDH 1
-#define DROPBEAR_DH_GROUP1 1
+#define DROPBEAR_DH_GROUP1 0
 
 /* When group1 is enabled it will only be allowed by Dropbear client
 not as a server, due to concerns over its strength. Set to 0 to allow
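Review bot: The default change on the `DROPBEAR_DH_GROUP1` line is the security-relevant part of this commit, yet the define itself carries no comment saying why it is now off, while the neighbouring KEX defines stay uncommented and the existing comment below only describes the case where group1 is enabled. A short note above the define, e.g. `/* diffie-hellman-group1-sha1 is disabled by default due to concerns over its strength; enable only for interoperability with legacy peers. */`, would tell the next person editing this file that re-enabling it is a deliberate downgrade rather than an oversight. The existing comment that starts at "When group1 is enabled" continues past the end of the hunk, so whether its wording still reads correctly with the new default cannot be checked from here.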