authorKonstantin Demin <rockdrilla@gmail.com>2024-01-09 03:40:01 +0300
committerRui Salvaterra <rsalvaterra@gmail.com>2024-02-09 09:13:05 +0000
commitbf900e02c7102601be2e9280231711e70f065877 (patch)
tree4a6a5d99d202dea5ed72cc3cd32795a09a34ee7e /package/network/services/dropbear
parent88c8053d47fb5ecc53e46d8ba261df2932dd5649 (diff)
dropbear: add option to enable modern crypto only
Reduces binary/package size and increases overall performance. Also: - adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Diffstat (limited to 'package/network/services/dropbear')
-rw-r--r--package/network/services/dropbear/Config.in21
-rw-r--r--package/network/services/dropbear/Makefile8
-rw-r--r--package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch16
3 files changed, 39 insertions, 6 deletions
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index 449cc2a421..fd4d5f3c7a 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -145,4 +145,25 @@ config DROPBEAR_AGENTFORWARD
Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
dropbear client) if DROPBEAR_DBCLIENT is selected.
+config DROPBEAR_MODERN_ONLY
+ bool "Use modern crypto only [BREAKS COMPATIBILITY]"
+ select DROPBEAR_ED25519
+ select DROPBEAR_CURVE25519
+ select DROPBEAR_CHACHA20POLY1305
+ help
+ This option enables:
+ - Chacha20-Poly1305
+ - Curve25519
+ - Ed25519
+ and disables:
+ - AES
+ - RSA
+ - SHA1
+
+ Reduces binary size by about 64 kB (MIPS) from default
+ configuration.
+
+ Consider enabling this option if you're building own OpenWrt
+ image and using modern SSH software everywhere.
+
endmenu
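Review bot: The help text promises that the option "disables SHA1", but the Makefile hunk that implements it (the DB_OPT_CONFIG additions) only sets DROPBEAR_RSA_SHA1 to 0; dropbear's hmac-sha1 MAC and the diffie-hellman-group14-sha1 KEX are governed by separate build options and, if left at their upstream defaults, presumably stay negotiable, so a peer can still settle on SHA-1 for integrity and key exchange. Either narrow the help bullet to what is actually toggled, e.g. `- SHA1 (RSA/SHA-1 signatures only)`, or extend the Makefile block with `DROPBEAR_SHA1_HMAC,CONFIG_DROPBEAR_MODERN_ONLY,0,1` and `DROPBEAR_DH_GROUP14_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1` (confirm both names and their default-on status against the packaged release's default_options.h before relying on the fourth column). The help would also serve operators better if it spelled out the practical consequence of dropping DROPBEAR_RSA: existing RSA entries in authorized_keys and any RSA host key stop working, so an Ed25519 key should be installed and tested before an image built with this option is flashed.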
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index ef67371e1d..653911b764 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -33,7 +33,8 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \
- CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD
+ CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD \
+ CONFIG_DROPBEAR_MODERN_ONLY
include $(INCLUDE_DIR)/package.mk
@@ -148,6 +149,11 @@ DB_OPT_CONFIG = \
DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_ASKPASS,1,0 \
DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD,1,0 \
DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_AGENTFORWARD,1,0 \
+ DROPBEAR_AES128,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+ DROPBEAR_AES256,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+ DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+ DROPBEAR_RSA,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
+ DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
TARGET_CFLAGS += -DARGTYPE=3
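Review bot: The `DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1` line is inert on the new side, because the line directly above it already forces DROPBEAR_RSA to 0 whenever the same symbol is set, and without RSA the SHA-1 signature flavour cannot be compiled in anyway. Either drop it or leave a one-line comment above the five new entries so the next reader does not take the list as the complete set of legacy algorithms being removed, e.g. `# MODERN_ONLY: force legacy ciphers/signatures off (RSA_SHA1 is moot once RSA is off)`. The fourth column pins these five options to 1 when the symbol is unset, which matches dropbear's shipped defaults as far as I can tell, so existing builds should be unaffected; worth confirming against the packaged release. The DB_OPT_CONFIG list continues outside this hunk.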
diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
index 442fdcfc75..059177a1c5 100644
--- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
+++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
@@ -21,7 +21,7 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
--- a/signkey.c
+++ b/signkey.c
-@@ -652,8 +652,12 @@ int buf_verify(buffer * buf, sign_key *k
+@@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k
sigtype = signature_type_from_name(type_name, type_name_len);
m_free(type_name);
@@ -29,10 +29,16 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
- dropbear_exit("Non-matching signing type");
+ if (sigtype == DROPBEAR_SIGNATURE_NONE) {
+ dropbear_exit("No signature type");
-+ }
-+
-+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
-+ dropbear_exit("Non-matching signing type");
}
++#if DROPBEAR_RSA
++#if DROPBEAR_RSA_SHA256
++ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
++ dropbear_exit("Non-matching signing type");
++ }
++#endif
++#endif
++
keytype = signkey_type_from_signature(sigtype);
+ #if DROPBEAR_DSS
+ if (keytype == DROPBEAR_SIGNKEY_DSS) {