From 6f793d42d061e1613c435f0b79c54a67a7440c79 Mon Sep 17 00:00:00 2001
From: Matt Johnston
Date: Wed, 30 Mar 2022 12:51:32 +0800
Subject: [PATCH] Disable dh-group1 KEX by default

Add comments for SK keys
---
 default_options.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/default_options.h b/default_options.h
index 4a5709a..131811f 100644
--- a/default_options.h
+++ b/default_options.h
@@ -134,10 +134,12 @@ IMPORTANT: Some options will require "make clean" after changes */
  * code (either ECDSA or ECDH) increases binary size - around 30kB
  * on x86-64 */
 #define DROPBEAR_ECDSA 1
-#define DROPBEAR_SK_ECDSA 1
 /* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases binary
    size - around 7,5kB on x86-64 */
 #define DROPBEAR_ED25519 1
+/* SK_ECDSA/SK_ED25519 allows u2f security keys for public key auth.
+ * This is currently server-only. */
+#define DROPBEAR_SK_ECDSA 1
 #define DROPBEAR_SK_ED25519 1
 
 /* RSA must be >=1024 */
@@ -178,7 +180,7 @@ IMPORTANT: Some options will require "make clean" after changes */
 #define DROPBEAR_DH_GROUP16 0
 #define DROPBEAR_CURVE25519 1
 #define DROPBEAR_ECDH 1
-#define DROPBEAR_DH_GROUP1 1
+#define DROPBEAR_DH_GROUP1 0
 /* When group1 is enabled it will only be allowed by Dropbear client not as a
    server, due to concerns over its strength. Set to 0 to allow
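Review bot: The new comment above `DROPBEAR_SK_ECDSA` in the first hunk says the security-key types are "currently server-only" but not what that excludes or what they depend on, so a reader configuring a build cannot tell whether dbclient/dropbearkey are expected to handle sk-* keys, or whether `DROPBEAR_SK_ECDSA` / `DROPBEAR_SK_ED25519` still do anything when the matching base option (`DROPBEAR_ECDSA` / `DROPBEAR_ED25519`, both visible just above) is set to 0. I would make the second line explicit, e.g. ` * This is currently server-only: the server can accept sk-* public keys for` / ` * authentication, the Dropbear client cannot use them.`, and, if the build does in fact require the corresponding base algorithm for each SK option (not shown in this hunk, so worth confirming in the source), state that dependency on the same comment so a user who disables ECDSA or Ed25519 to save size knows the SK variant goes with it. The hunk otherwise only relocates the `DROPBEAR_SK_ECDSA` define next to its sibling and adds the comment; the dh-group1 default change named in the subject lives in the second hunk, whose trailing comment runs past the end of this page.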