[PATCH v4 3/3] dropbear: create a submenu for key exchange algorithms

Rui Salvaterra rsalvaterra at gmail.com
Tue Dec 15 11:59:42 EST 2020


This allows the user to select only the key exchange algorithms (s)he requires
(e.g., disabling group 14 SHA-{1,256} and keeping only Curve25519). The default
selection maintains the current functionality.

Additionally, make sure at least one key exchange algorithm is always selected,
since the build would otherwise fail.

Signed-off-by: Rui Salvaterra <rsalvaterra at gmail.com>
---
 package/network/services/dropbear/Config.in | 17 +++++++++++++++++
 package/network/services/dropbear/Makefile  |  7 +++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index 6d2b4cdfae..b0ad21f907 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -94,6 +94,16 @@ config DROPBEAR_AUTOSEL_EA
 
 endmenu
 
+menu "Key exchange algorithm selection"
+
+config DROPBEAR_DH_GROUP14_SHA1
+	bool "Group 14 SHA-1"
+	default y
+
+config DROPBEAR_DH_GROUP14_SHA256
+	bool "Group 14 SHA-256"
+	default y
+
 config DROPBEAR_CURVE25519
 	bool "Curve25519 support"
 	default y
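Review bot: The two new entries `DROPBEAR_DH_GROUP14_SHA1` and `DROPBEAR_DH_GROUP14_SHA256` have no `help` text, while the neighbouring `DROPBEAR_CURVE25519` entry does. Someone trimming the key exchange list gets no hint about which option is the legacy one. I would add a short help block under the SHA-1 entry, along the lines of `Legacy key exchange (SHA-1 based), kept enabled for compatibility with older clients. Disable it if all clients support Group 14 SHA-256 or Curve25519.`, and a one-line help for the SHA-256 entry. The default of `y` can stay, as the description says it preserves current behaviour.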
@@ -103,6 +113,13 @@ config DROPBEAR_CURVE25519
 
 		Increases binary size by about 4 kB (MIPS).
 
+config DROPBEAR_AUTOSEL_KEX
+	def_bool y
+	depends on !(DROPBEAR_DH_GROUP14_SHA1 || DROPBEAR_CURVE25519)
+	select DROPBEAR_DH_GROUP14_SHA256
+
+endmenu
+
 config DROPBEAR_ZLIB
 	bool "Enable compression"
 	default n
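Review bot: The guard in `DROPBEAR_AUTOSEL_KEX` only fires when both `DROPBEAR_DH_GROUP14_SHA1` and `DROPBEAR_CURVE25519` are off, so a configuration with Group 14 SHA-1 as the sole key exchange algorithm is still accepted. That satisfies the build, but it leaves a server whose only KEX is SHA-1 based, which recent OpenSSH clients no longer offer by default. If SHA-1-only images are not an intended use case, `depends on !DROPBEAR_CURVE25519` would guarantee that a SHA-2 or Curve25519 exchange is always present. Either way, a comment above the hidden symbol would help, e.g. `# Force Group 14 SHA-256 when no other key exchange algorithm is enabled, so the KEX list is never empty`.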
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 1d131455a2..7a6cc96f94 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -33,7 +33,8 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
 	CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
 	CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \
-	CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256
+	CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \
+	DROPBEAR_DH_GROUP14_SHA1 DROPBEAR_DH_GROUP14_SHA256
 
 include $(INCLUDE_DIR)/package.mk
 
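Review bot: The two symbols appended to `PKG_CONFIG_DEPENDS` are missing the `CONFIG_` prefix that every other entry in the list carries, and that the `DB_OPT_CONFIG` hunk below uses for the same options. The line should read `CONFIG_DROPBEAR_DH_GROUP14_SHA1 CONFIG_DROPBEAR_DH_GROUP14_SHA256`. As written, these names presumably do not match any `.config` symbol, so toggling a key exchange option would not trigger a rebuild of the package. The practical risk is a stale dropbear binary that still offers a KEX the user believes was disabled. The start of the list is outside this hunk, so it is also worth checking that `CONFIG_DROPBEAR_CURVE25519` is already listed there.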
@@ -140,7 +141,9 @@ DB_OPT_CONFIG = \
 	DROPBEAR_CLI_ASKPASS_HELPER|CONFIG_DROPBEAR_ASKPASS|1|0 \
 	DROPBEAR_RSA|CONFIG_DROPBEAR_RSA|1|0 \
 	DROPBEAR_AES128|CONFIG_DROPBEAR_AES128|1|0 \
-	DROPBEAR_AES256|CONFIG_DROPBEAR_AES256|1|0
+	DROPBEAR_AES256|CONFIG_DROPBEAR_AES256|1|0 \
+	DROPBEAR_DH_GROUP14_SHA1|CONFIG_DROPBEAR_DH_GROUP14_SHA1|1|0 \
+	DROPBEAR_DH_GROUP14_SHA256|CONFIG_DROPBEAR_DH_GROUP14_SHA256|1|0
 
 TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto
 TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver
-- 
2.29.2



