authorMatt Johnston <matt@ucc.asn.au>2022-03-30 12:51:32 +0800
committerMatt Johnston <matt@ucc.asn.au>2022-03-30 12:51:32 +0800
commitf0fb8b148647b2c02b0d6c061cdb39dd8f591002 (patch)
tree35d3a68492c765c999a2adf52203bbe9a6bfa335
parent2dcacde0e0acd0a6e2a4f35fc254592bc78c26c0 (diff)
downloaddropbear-f0fb8b148647b2c02b0d6c061cdb39dd8f591002.tar.gz
Disable dh-group1 KEX by default
Add comments for SK keys
-rw-r--r--default_options.h6
1 files changed, 4 insertions, 2 deletions
diff --git a/default_options.h b/default_options.h
index 4a5709a..131811f 100644
--- a/default_options.h
+++ b/default_options.h
@@ -134,10 +134,12 @@ IMPORTANT: Some options will require "make clean" after changes */
* code (either ECDSA or ECDH) increases binary size - around 30kB
* on x86-64 */
#define DROPBEAR_ECDSA 1
-#define DROPBEAR_SK_ECDSA 1
/* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases
binary size - around 7,5kB on x86-64 */
#define DROPBEAR_ED25519 1
+/* SK_ECDSA/SK_ED25519 allows u2f security keys for public key auth.
+ * This is currently server-only. */
+#define DROPBEAR_SK_ECDSA 1
#define DROPBEAR_SK_ED25519 1
/* RSA must be >=1024 */
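Review bot: The new comment on `DROPBEAR_SK_ECDSA`/`DROPBEAR_SK_ED25519` does not say whether each option depends on its base algorithm, and moving `DROPBEAR_SK_ECDSA` below the Ed25519 block removes the adjacency to `DROPBEAR_ECDSA` that used to hint at it. The binary-size remarks just above invite builders to set `DROPBEAR_ECDSA 0`, and whether the build then rejects or silently ignores `DROPBEAR_SK_ECDSA 1` is not visible in this hunk. If the dependency holds, I would add a line such as `* Each needs the matching DROPBEAR_ECDSA / DROPBEAR_ED25519 option above.` The comment could also say what "server-only" means for a client build; presumably the setting is ignored there.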
@@ -178,7 +180,7 @@ IMPORTANT: Some options will require "make clean" after changes */
#define DROPBEAR_DH_GROUP16 0
#define DROPBEAR_CURVE25519 1
#define DROPBEAR_ECDH 1
-#define DROPBEAR_DH_GROUP1 1
+#define DROPBEAR_DH_GROUP1 0
/* When group1 is enabled it will only be allowed by Dropbear client
not as a server, due to concerns over its strength. Set to 0 to allow
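Review bot: `#define DROPBEAR_DH_GROUP1 0` changes a security-relevant default with no comment on the define itself, so the reason and the compatibility cost are recorded only in the commit title. The comment that follows still reads as if group1 were normally enabled; with the new default, the client-only restriction it describes has no effect unless a builder turns group1 back on. I would add above the define something like `/* group1 is 1024-bit DH with SHA-1 and is off by default; enable only to reach legacy servers that offer nothing stronger */`. The following comment runs past the end of the hunk, so its full wording is not visible here.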