options for disabling "normal" DH

d6daad29 · Matt Johnston · 4664ce2c · d6daad29 · d6daad29 · d6daad29
Commit d6daad29 authored May 02, 2016 by Matt Johnston
--- a/algo.h
+++ b/algo.h
@@ -83,9 +83,15 @@ struct dropbear_hash {
 };

 enum dropbear_kex_mode {
+#if DROPBEAR_NORMAL_DH
 	DROPBEAR_KEX_NORMAL_DH,
+#endif
+#ifdef DROPBEAR_ECDH
 	DROPBEAR_KEX_ECDH,
+#endif
+#ifdef DROPBEAR_CURVE25519
 	DROPBEAR_KEX_CURVE25519,
+#endif
 };

 struct dropbear_kex {

--- a/cli-kex.c
+++ b/cli-kex.c
@@ -48,6 +48,7 @@ void send_msg_kexdh_init() {
 	CHECKCLEARTOWRITE();
 	buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT);
 	switch (ses.newkeys->algo_kex->mode) {
+#if DROPBEAR_NORMAL_DH
 		case DROPBEAR_KEX_NORMAL_DH:
 			if (ses.newkeys->algo_kex != cli_ses.param_kex_algo
 				|| !cli_ses.dh_param) {
@@ -58,8 +59,9 @@ void send_msg_kexdh_init() {
 			}
 			buf_putmpint(ses.writepayload, &cli_ses.dh_param->pub);
 			break;
-		case DROPBEAR_KEX_ECDH:
+#endif
 #ifdef DROPBEAR_ECDH
+		case DROPBEAR_KEX_ECDH:
 			if (ses.newkeys->algo_kex != cli_ses.param_kex_algo
 				|| !cli_ses.ecdh_param) {
 				if (cli_ses.ecdh_param) {
@@ -68,8 +70,8 @@ void send_msg_kexdh_init() {
 				cli_ses.ecdh_param = gen_kexecdh_param();
 			}
 			buf_put_ecc_raw_pubkey_string(ses.writepayload, &cli_ses.ecdh_param->key);
-#endif
 			break;
+#endif
 #ifdef DROPBEAR_CURVE25519
 		case DROPBEAR_KEX_CURVE25519:
 			if (ses.newkeys->algo_kex != cli_ses.param_kex_algo
@@ -80,8 +82,8 @@ void send_msg_kexdh_init() {
 				cli_ses.curve25519_param = gen_kexcurve25519_param();
 			}
 			buf_putstring(ses.writepayload, (const char*)cli_ses.curve25519_param->pub, CURVE25519_LEN);
-#endif
 			break;
+#endif
 	}

 	cli_ses.param_kex_algo = ses.newkeys->algo_kex;
@@ -118,6 +120,7 @@ void recv_msg_kexdh_reply() {
 	}

 	switch (ses.newkeys->algo_kex->mode) {
+#if DROPBEAR_NORMAL_DH
 		case DROPBEAR_KEX_NORMAL_DH:
 			{
 			DEF_MP_INT(dh_f);
@@ -131,15 +134,16 @@ void recv_msg_kexdh_reply() {
 			mp_clear(&dh_f);
 			}
 			break;
-		case DROPBEAR_KEX_ECDH:
+#endif
 #ifdef DROPBEAR_ECDH
+		case DROPBEAR_KEX_ECDH:
 			{
 			buffer *ecdh_qs = buf_getstringbuf(ses.payload);
 			kexecdh_comb_key(cli_ses.ecdh_param, ecdh_qs, hostkey);
 			buf_free(ecdh_qs);
 			}
-#endif
 			break;
+#endif
 #ifdef DROPBEAR_CURVE25519
 		case DROPBEAR_KEX_CURVE25519:
 			{
@@ -147,8 +151,8 @@ void recv_msg_kexdh_reply() {
 			kexcurve25519_comb_key(cli_ses.curve25519_param, ecdh_qs, hostkey);
 			buf_free(ecdh_qs);
 			}
-#endif
 			break;
+#endif
 	}

 	if (cli_ses.dh_param) {

--- a/common-algo.c
+++ b/common-algo.c
@@ -251,11 +251,11 @@ algo_type sshhostkey[] = {
 #if DROPBEAR_DH_GROUP1
 static const struct dropbear_kex kex_dh_group1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_1, DH_P_1_LEN, NULL, &sha1_desc };
 #endif
-#if DROPBEAR_DH_GROUP14
+#if DROPBEAR_DH_GROUP14_SHA1
 static const struct dropbear_kex kex_dh_group14_sha1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc };
-#if DROPBEAR_DH_GROUP14_256
-static const struct dropbear_kex kex_dh_group14_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha256_desc };
 #endif
+#if DROPBEAR_DH_GROUP14_SHA256
+static const struct dropbear_kex kex_dh_group14_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha256_desc };
 #endif
 #if DROPBEAR_DH_GROUP16
 static const struct dropbear_kex kex_dh_group16_sha512 = {DROPBEAR_KEX_NORMAL_DH, dh_p_16, DH_P_16_LEN, NULL, &sha512_desc };
@@ -295,12 +295,12 @@ algo_type sshkex[] = {
 	{"ecdh-sha2-nistp256", 0, &kex_ecdh_nistp256, 1, NULL},
 #endif
 #endif
-#if DROPBEAR_DH_GROUP14
-#if DROPBEAR_DH_GROUP14_256
-	{"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL},
-#endif
+#if DROPBEAR_DH_GROUP14_SHA1
 	{"diffie-hellman-group14-sha1", 0, &kex_dh_group14_sha1, 1, NULL},
 #endif
+#if DROPBEAR_DH_GROUP14_SHA256
+	{"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL},
+#endif
 #if DROPBEAR_DH_GROUP1
 	{"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL},
 #endif
@@ -349,6 +349,7 @@ void buf_put_algolist(buffer * buf, algo_type localalgos[]) {
 		}
 	}
 	buf_putstring(buf, (const char*)algolist->data, algolist->len);
+	TRACE(("algolist add '%*s'", algolist->len, algolist->data))
 	buf_free(algolist);
 }


--- a/keyimport.c
+++ b/keyimport.c
@@ -36,9 +36,11 @@
 #include "dbutil.h"
 #include "ecc.h"

+#ifdef DROPBEAR_ECDSA
 static const unsigned char OID_SEC256R1_BLOB[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07};
 static const unsigned char OID_SEC384R1_BLOB[] = {0x2b, 0x81, 0x04, 0x00, 0x22};
 static const unsigned char OID_SEC521R1_BLOB[] = {0x2b, 0x81, 0x04, 0x00, 0x23};
+#endif

 #define PUT_32BIT(cp, value) do { \
  (cp)[3] = (unsigned char)(value); \

--- a/options.h
+++ b/options.h
@@ -150,7 +150,7 @@ If you test it please contact the Dropbear author */
 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
 * code (either ECDSA or ECDH) increases binary size - around 30kB
 * on x86-64 */
-#define DROPBEAR_ECDSA
+//#define DROPBEAR_ECDSA

 /* Generate hostkeys as-needed when the first connection using that key type occurs.
   This avoids the need to otherwise run "dropbearkey" and avoids some problems
@@ -169,18 +169,19 @@ If you test it please contact the Dropbear author */
 #define DROPBEAR_ECDH

 /* Key exchange algorithm.
- * group1 - 1024 bit, sha1
- * group14 - 2048 bit, sha1
- * group14_256 - 2048 bit, sha2-256
+ * group14_sha1 - 2048 bit, sha1
+ * group14_sha256 - 2048 bit, sha2-256
 * group16 - 4096 bit, sha2-512
+ * group1 - 1024 bit, sha1
 *
 * group14 is supported by most implementations.
- * group16 provides a greater strength but is slower and increases binary size
- * group1 is necessary if compatibility with Dropbear versions < 0.53 is required
+ * group16 provides a greater strength level but is slower and increases binary size
+ * group1 is too small for security though is necessary if you need 
+     compatibility with some implementations such as Dropbear versions < 0.53
 */ 
 #define DROPBEAR_DH_GROUP1 1
-#define DROPBEAR_DH_GROUP14 1
-#define DROPBEAR_DH_GROUP14_256 1
+#define DROPBEAR_DH_GROUP14_SHA1 1
+#define DROPBEAR_DH_GROUP14_SHA256 1
 #define DROPBEAR_DH_GROUP16 0

 /* Control the memory/performance/compression tradeoff for zlib.

--- a/svr-kex.c
+++ b/svr-kex.c
@@ -54,18 +54,24 @@ void recv_msg_kexdh_init() {
 	}

 	switch (ses.newkeys->algo_kex->mode) {
+#if DROPBEAR_NORMAL_DH
 		case DROPBEAR_KEX_NORMAL_DH:
 			m_mp_init(&dh_e);
 			if (buf_getmpint(ses.payload, &dh_e) != DROPBEAR_SUCCESS) {
 				dropbear_exit("Bad kex value");
 			}
 			break;
+#endif
+#ifdef DROPBEAR_ECDH
 		case DROPBEAR_KEX_ECDH:
+#endif
+#ifdef DROPBEAR_CURVE25519
 		case DROPBEAR_KEX_CURVE25519:
+#endif
 #if defined(DROPBEAR_ECDH) || defined(DROPBEAR_CURVE25519)
 			ecdh_qs = buf_getstringbuf(ses.payload);
-#endif
 			break;
+#endif
 	}
 	if (ses.payload->pos != ses.payload->len) {
 		dropbear_exit("Bad kex value");
@@ -221,6 +227,7 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) {
 			ses.newkeys->algo_hostkey);

 	switch (ses.newkeys->algo_kex->mode) {
+#ifdef DROPBEAR_NORMAL_DH
 		case DROPBEAR_KEX_NORMAL_DH:
 			{
 			struct kex_dh_param * dh_param = gen_kexdh_param();
@@ -231,8 +238,9 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) {
 			free_kexdh_param(dh_param);
 			}
 			break;
-		case DROPBEAR_KEX_ECDH:
+#endif
 #ifdef DROPBEAR_ECDH
+		case DROPBEAR_KEX_ECDH:
 			{
 			struct kex_ecdh_param *ecdh_param = gen_kexecdh_param();
 			kexecdh_comb_key(ecdh_param, ecdh_qs, svr_opts.hostkey);
@@ -240,18 +248,18 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) {
 			buf_put_ecc_raw_pubkey_string(ses.writepayload, &ecdh_param->key);
 			free_kexecdh_param(ecdh_param);
 			}
-#endif
 			break;
-		case DROPBEAR_KEX_CURVE25519:
+#endif
 #ifdef DROPBEAR_CURVE25519
+		case DROPBEAR_KEX_CURVE25519:
 			{
 			struct kex_curve25519_param *param = gen_kexcurve25519_param();
 			kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey);
 			buf_putstring(ses.writepayload, (const char*)param->pub, CURVE25519_LEN);
 			free_kexcurve25519_param(param);
 			}
-#endif
 			break;
+#endif
 	}

 	/* calc the signature */

--- a/sysoptions.h
+++ b/sysoptions.h
@@ -113,7 +113,7 @@
 #define RSA_BLINDING

 /* hashes which will be linked and registered */
-#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519) || DROPBEAR_DH_GROUP14
+#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519) || DROPBEAR_DH_GROUP14_SHA256
 #define DROPBEAR_SHA256
 #endif
 #if defined(DROPBEAR_ECC_384)
@@ -125,6 +125,14 @@
 #endif
 #if defined(DROPBEAR_MD5_HMAC)
 #define DROPBEAR_MD5
+#endif
+
+ #if DROPBEAR_DH_GROUP14_SHA256 || DROPBEAR_DH_GROUP14_SHA1
+ #define DROPBEAR_DH_GROUP14 1
+ #endif
+
+#if DROPBEAR_DH_GROUP1 || DROPBEAR_DH_GROUP14 || DROPBEAR_DH_GROUP16
+#define DROPBEAR_NORMAL_DH 1
 #endif

 /* roughly 2x 521 bits */