Get rid of group15, move group16 to sha512.

New groups are disabled by default pending
draft-ietf-curdle-ssh-kex-sha2-02 being finalised
Matt Johnston
2016-03-12 16:21:13 +08:00
parent a991d3b56b
commit fdc61f3ab2
5 changed files with 43 additions and 66 deletions


@@ -152,11 +152,6 @@ If you test it please contact the Dropbear author */
* on x86-64 */
#define DROPBEAR_ECDSA
/* These larger DH groups (3072 and 4096 bit respectively) add to binary size
and may be significantly slower. Usually ECDH or curve25519 will be a better option */
/*#define DROPBEAR_DH_GROUP15*/
/*#define DROPBEAR_DH_GROUP16*/
/* Generate hostkeys as-needed when the first connection using that key type occurs.
This avoids the need to otherwise run "dropbearkey" and avoids some problems
with badly seeded /dev/urandom when systems first boot.
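Review bot: After this hunk, nothing in the lines shown for this file tells a builder how to enable group16: the commented-out `/*#define DROPBEAR_DH_GROUP16*/` entry near the top of the hunk is dropped along with group15 (the header `-152,11 +152,6` shows a net removal of five lines), while the commit message says group16 is kept, moved to sha512 and disabled by default. Consider leaving a commented-out group16 entry here, or a pointer to where the option now lives, with a note that it stays off pending draft-ietf-curdle-ssh-kex-sha2-02.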
@@ -173,6 +168,11 @@ If you test it please contact the Dropbear author */
* ECDSA above */
#define DROPBEAR_ECDH
/* Group14 (2048 bit) is recommended. Group1 is less secure (1024 bit) though
is the only option for interoperability with some older SSH programs */
#define DROPBEAR_DH_GROUP1 1
#define DROPBEAR_DH_GROUP14 1
/* Control the memory/performance/compression tradeoff for zlib.
* Set windowBits=8 for least memory usage, see your system's
* zlib.h for full details.
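Review bot: `#define DROPBEAR_DH_GROUP1 1` in the middle of this hunk leaves the 1024-bit group enabled by default, although the comment directly above it calls Group1 less secure and recommends Group14. Consider saying in that comment that Group1 should be turned off unless interoperability with older SSH programs is actually required, or defaulting it off. A smaller style point: these two options carry an explicit value `1` while the neighbouring `#define DROPBEAR_ECDH` has none, so the comment should state whether an option is disabled by removing the line or by changing the value.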