From 01964148c638e88d2ec29e63880c12c84b84c5a4 Mon Sep 17 00:00:00 2001
From: Konstantin Demin <rockdrilla@gmail.com>
Date: Mon, 25 Mar 2019 22:00:28 +0300
Subject: [PATCH] dropbear: split ECC support to basic and full

- limit ECC support to ec*-sha2-nistp256:
  * DROPBEAR_ECC now provides only basic support for ECC
- provide full ECC support as an option:
  * DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521}
- update the binary-size cost listed for each feature

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
---
 package/network/services/dropbear/Config.in | 31 ++++++++++++++++-----
 package/network/services/dropbear/Makefile  |  8 +++++-
 2 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index ca0af9d5e0..9106322eea 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -8,29 +8,46 @@ config DROPBEAR_CURVE25519
 		This enables the following key exchange algorithm:
 		  curve25519-sha256@libssh.org
 
-		Increases binary size by about 13 kB uncompressed (MIPS).
+		Increases binary size by about 8 kB uncompressed (MIPS).
 
 config DROPBEAR_ECC
 	bool "Elliptic curve cryptography (ECC)"
 	default n
 	help
-		Enables elliptic curve cryptography (ECC) support in key exchange and public key
-		authentication.
+		Enables basic support for elliptic curve cryptography (ECC)
+		in key exchange and public key authentication.
 
 		Key exchange algorithms:
 		  ecdh-sha2-nistp256
+
+		Public key algorithms:
+		  ecdsa-sha2-nistp256
+
+		Increases binary size by about 24 kB (MIPS).
+
+		If full ECC support is required, also select DROPBEAR_ECC_FULL.
+
+config DROPBEAR_ECC_FULL
+	bool "Elliptic curve cryptography (ECC), full support"
+	default n
+	depends on DROPBEAR_ECC
+	help
+		Enables full support for elliptic curve cryptography (ECC)
+		in key exchange and public key authentication.
+
+		Key exchange algorithms:
+		  ecdh-sha2-nistp256 (*)
 		  ecdh-sha2-nistp384
 		  ecdh-sha2-nistp521
 
 		Public key algorithms:
-		  ecdsa-sha2-nistp256
+		  ecdsa-sha2-nistp256 (*)
 		  ecdsa-sha2-nistp384
 		  ecdsa-sha2-nistp521
 
-		Does not generate ECC host keys by default (ECC key exchange will not be used,
-		only ECC public key auth).
+		(*) - basic ECC support; provided by DROPBEAR_ECC.
 
-		Increases binary size by about 23 kB (MIPS).
+		Increases binary size by about 4 kB (MIPS).
 
 config DROPBEAR_ZLIB
 	bool "Enable compression"
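Review bot: The DROPBEAR_ECC help drops the sentence that no ECC host key is generated by default, which was the only place telling users that selecting the option by itself does not make ECC key exchange available; nothing in this patch shows that host-key generation changed. If that caveat still holds, keep it in the basic option's help, e.g. `Does not generate ECC host keys by default.` after the size line, so the basic/full split does not read as if ECDH is offered just by enabling DROPBEAR_ECC. Since DROPBEAR_ECC_FULL depends on DROPBEAR_ECC, its "about 4 kB" figure is presumably on top of the 24 kB already listed for the basic option; saying so in the DROPBEAR_ECC_FULL help would avoid readers taking 4 kB as the total cost of full ECC.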
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index ca39f845b9..1ad1f516a7 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -26,7 +26,7 @@ PKG_USE_MIPS16:=0
 PKG_FIXUP:=autoreconf
 
 PKG_CONFIG_DEPENDS:= \
-	CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
+	CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
 	CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
 	CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
 
@@ -119,6 +119,12 @@ define Build/Configure
 			$(PKG_BUILD_DIR)/localoptions.h; \
 	done
 
+	# enable nistp384 and nistp521 only if full ECC support was requested
+	for OPTION in DROPBEAR_ECC_384 DROPBEAR_ECC_521; do \
+		$(ESED) 's,^(#define '$$$$OPTION') .*$$$$,\1 $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0),g' \
+		$(PKG_BUILD_DIR)/sysoptions.h; \
+	done
+
 	# Enforce rebuild of svr-chansession.c
 	rm -f $(PKG_BUILD_DIR)/svr-chansession.o
 endef
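Review bot: The new loop silently does nothing when `#define DROPBEAR_ECC_384` or `#define DROPBEAR_ECC_521` is absent from sysoptions.h in the expected form, because the `s` command only rewrites lines that already match, so an upstream rename would leave both curves at their upstream default without any build error, and a build configured for basic ECC could still ship the 384/521 curves. A guard as the first statement of the loop body makes the intent enforced, e.g. `grep -q '^#define '$$$$OPTION' ' $(PKG_BUILD_DIR)/sysoptions.h || exit 1; \`, which fails the recipe instead of continuing. The `$$$$` quoting and the `$(ESED)` call mirror the loop above it, which I take to mean Build/Configure is expanded twice before reaching the shell and that ESED is an extended-regex sed; the `define Build/Configure` block starts outside the hunk.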
-- 
2.30.2