On 28.02.2012 10:02, Florian Fainelli wrote:
> Hello,
>
> On 02/28/12 07:29, Ondrej Famera wrote:
>> This enables support for ECDSA keys in openssl and since it is supported
>> in openSSH since version 5.7 ECDSA keys can be then used by
>> openssh-{server,keygen,client} and are automatically generated on sshd
>> start.
>>
>> - tested to be working on routerstation PRO with trunk r30744
>
> I am not against it, but what's the size impact on openssl with the enabling
> of ecdsa? and cannot it be turned on as an openssl configuration option
> instead? (such that packages dans depend on this or select this option).

Hello Florian,

the change in size of the openssl package is 128 kB (quite significant).

1428 kB test_no_ecdsa/build_dir/target-mips_r2_uClibc-0.9.33/openssl-1.0.0g/ipkg-ar71xx/
1556 kB test_ecdsa/build_dir/target-mips_r2_uClibc-0.9.33/openssl-1.0.0g/ipkg-ar71xx/

Enabling ECDSA also makes openssh bigger by 36 kB.

1072 kB test_no_ecdsa/build_dir/target-mips_r2_uClibc-0.9.33/openssh-5.9p1/ipkg-ar71xx/
1108 kB test_ecdsa/build_dir/target-mips_r2_uClibc-0.9.33/openssh-5.9p1/ipkg-ar71xx/

- in my build only these two packages are affected (in size) by enabling ECDSA, the rest of the packages remain the same in size, even syslog-ng3 which depends on openssl
- openssl only has options to turn off elliptic curves ('no-ec','no-ecdh','no-ecdsa'), by default openssl builds with 'ec' enabled

What about a configurable option in the openssl package in the configuration menu to enable elliptic curves (disabled by default)?

--
Ondrej Famera

> >> >> Signed-off-by: Ondrej Faměra <fam...@fi.muni.cz> >> >> --- >> >> >> Index: package/openssl/Makefile >> =================================================================== >> --- package/openssl/Makefile (revision 30744) >> +++ package/openssl/Makefile (working copy) >> @@ -74,7 +74,7 @@ >> OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-smime \ >> no-rmd160 no-aes192 no-ripemd no-camellia no-ans1 no-krb5 >> -OPENSSL_OPTIONS:= shared no-ec no-err no-hw no-threads zlib-dynamic >> no-sse2 >> +OPENSSL_OPTIONS:= shared no-err no-hw no-threads zlib-dynamic no-sse2 >> ifdef CONFIG_OPENSSL_ENGINE >> OPENSSL_OPTIONS += -DHAVE_CRYPTODEV >> >> >> Index: packages/net/openssh/files/sshd.init >> =================================================================== >> --- packages/net/openssh/files/sshd.init (revision 30744) >> +++ packages/net/openssh/files/sshd.init (working copy) 
>> @@ -7,7 +7,7 @@ >> SERVICE_USE_PID=1 >> start() { >> - for type in rsa dsa; do { >> + for type in rsa dsa ecdsa; do { >> # check for keys >> key=/etc/ssh/ssh_host_${type}_key >> [ ! -f $key ] && { >> _______________________________________________ >> openwrt-devel mailing list >> openwrt-devel@lists.openwrt.org >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
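
Review bot: in the package/openssl/Makefile hunk, dropping `no-ec` from `OPENSSL_OPTIONS` is unconditional and wider than the description: it turns on all elliptic-curve code (ECDH as well as ECDSA) for every target, and the thread measures this at 128 kB on the openssl package. Consider keeping `no-ec` as the default and removing it only under a config symbol, following the `ifdef CONFIG_OPENSSL_ENGINE` pattern that sits right below this line (the symbol name would be new; none exists in the visible lines), so that openssh can select it and size-constrained images keep the current build.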
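
Review bot: in the sshd.init hunk, `ecdsa` is added to `for type in rsa dsa ecdsa` with no check that the installed binaries support it, while the `no-ec` removal it relies on lives in a different tree (package/openssl versus packages/net/openssh), so the two changes can be applied or built independently. With an openssl still built with `no-ec`, the block under `[ ! -f $key ] && {` would be entered for a key type that cannot be generated, and again on every start because the key file never appears. Suggest making the `ecdsa` entry conditional on the same build option as the openssl change, or skipping a type cleanly when generation fails; while touching this line, quoting `$key` in the `-f` test would also be worthwhile.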