## SECTION=networking
menuconfig DROPBEAR
	tristate
	prompt "dropbear                      "
	select ZLIB
	select LIBC_UTIL
	select LIBC_CRYPT
	select GCCLIBS_GCC_S
	select INITMETHOD
	select RC_ONCE						if RUNTIME
	select BUSYBOX_START_STOP_DAEMON			if DROPBEAR_STARTSCRIPT
	select BUSYBOX_FEATURE_START_STOP_DAEMON_FANCY		if DROPBEAR_STARTSCRIPT
	select BUSYBOX_FEATURE_START_STOP_DAEMON_LONG_OPTIONS	if DROPBEAR_STARTSCRIPT
	help
	  dropbear is an SSH 2 server and client designed
	  to be small enough to be used in small memory
	  environments, while still being functional and
	  secure enough for general use.

	  It implements most required features of the
	  SSH 2 protocol, and other features such as X11
	  and authentication agent forwarding.

	  http://matt.ucc.asn.au/dropbear/dropbear.html

if DROPBEAR

config DROPBEAR_KEY_DIR
	string "dropbear key directory"
	default "/etc/dropbear"
	help
	  This is the directory where dropbear stores the keys.

config DROPBEAR_ZLIB
	bool
	prompt "zlib support"
	help
	  Disable compression in Dropbear by dropping use of
	  zlib.
	  If you disable zlib, you must explicitly disable
	  compression for the client - OpenSSH is possibly
	  buggy in this regard, it seems you need to disable it
	  globally in ~/.ssh/config, not just in the host entry
	  in that file.

config DROPBEAR_DIS_OPENPTY
	bool
	prompt "Don't use openpty, use alternative method"
	help
	  If openpty() is being used (HAVE_OPENPTY defined in config.h) and it fails,
	  you can try compiling with --disable-openpty. You will probably then need
	  to create all the /dev/pty?? and /dev/tty?? devices, which can be
	  problematic for devfs. In general, openpty() is the best way to allocate
	  PTYs, so it's best to try and get it working.

config DROPBEAR_DIS_SYSLOG
	bool
	prompt "Don't include syslog support"
	help
	  Keep dropbear from writing to syslog.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_LASTLOG
	bool
	prompt "disable use of lastlog"
	help
	  Keep dropbear from writing to lastlog.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_UTMP
	bool
	prompt "disable use of utmp"
	help
	  FIXME: This item should be documented in detail
	  Keep dropbear from writing to utmp.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_UTMPX
	bool
	prompt "disable use of utmpx"
	help
	  FIXME: This item should be documented in detail
	  Keep dropbear from writing to utmpx.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_WTMP
	bool
	prompt "disable use of wtmp"
	help
	  FIXME: This item should be documented in detail
	  Keep dropbear from writing to wtmp.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_WTMPX
	bool
	prompt "disable use of wtmpx"
	help
	  FIXME: This item should be documented in detail
	  Keep dropbear from writing to wtmpx.
	  This option is useful for small or flash-based filesystems.

config DROPBEAR_DIS_PUTUTLINE
	bool
	prompt "disable use of pututline"
	help
	  pututline is needed to write to the utmp structure.

config DROPBEAR_DIS_PUTUTXLINE
	bool
	prompt "disable use of pututxline"
	help
	  pututxline is needed to write to the utmpx structure.

menu "Features                     "

config DROPBEAR_DIS_X11
	bool
	prompt "disable X11 Forwarding"
	default y
	help
	  X11 forwarding means passing X11 (graphical interface)
	  information over the SSH connection.

config DROPBEAR_DIS_TCP
	bool
	prompt "disable TCP Forwarding"
	help
	  TCP forwarding means the tunneling of TCP ports over
	  the SSH connection.

config DROPBEAR_DIS_AGENT
	bool
	prompt "disable Authentication Agent Forwarding"
	help
	  Authentication agent is a program to automate the
	  use of authentication private keys.

endmenu

menu "Encryption                   "

comment "at least one required --- RFC Draft requires 3DES and recommends AES128"

config DROPBEAR_AES128
	bool
	prompt "AES 128"
	default y
	help
	  This Advanced Encryption Standard designed by Joan Daemen
	  and Vincent Rijmen, is a FIPS-approved symmetric encryption
	  algorithm that may be used by U.S. Government organizations
	  (and others) to protect sensitive information.

config DROPBEAR_3DES
	bool
	prompt "3DES (legacy)"
	help
	  DES is an IBM algorithm designed during the 1970s.
	  In 1976, NIST has officially adopted it as an encryption
	  algorithm for unclassified data. Since then, DES has
	  become one of the widely used block ciphers on the
	  market. As the effective key length of DES is a 56-bit,
	  a triple-DES was created. The new 3DES concept uses
	  three DES rounds to encrypt the DATA 3 times.

config DROPBEAR_AES256
	bool
	prompt "AES 256"
	default y
	help
	  This Advanced Encryption Standard designed by Joan Daemen
	  and Vincent Rijmen, is a FIPS-approved symmetric encryption
	  algorithm that may be used by U.S. Government organizations
	  (and others) to protect sensitive information.

config DROPBEAR_CHACHA20POLY1305
	bool
	prompt "Chacha20-Poly1305"
	default y
	help
	  Enable Chacha20-Poly1305 authenticated encryption mode.
	  This is generally faster than AES256 on CPU w/o dedicated AES
	  instructions, having the same key size.
	  Recommended.

comment "WARNING: No encryption method selected!"
	depends on !DROPBEAR_AES128 && !DROPBEAR_3DES && !DROPBEAR_AES256 && !DROPBEAR_CHACHA20POLY1305

config DROPBEAR_CBC_CIPHERS
	bool
	prompt "CBC mode ciphers (legacy)"
	help
	  Enable CBC mode for ciphers. This has security issues though
	  is the most compatible with older SSH implementations.

config DROPBEAR_CTR_CIPHERS
	bool
	prompt "Counter mode ciphers"
	default y
	help
	  Enable "Counter Mode" for ciphers. This is more secure than normal
	  CBC mode against certain attacks. This adds around 1kB to binary
	  size and is recommended for most cases.

endmenu

menu "Message Integrity (HMAC)     "

comment "at least one required ---"

config DROPBEAR_SHA1
	bool
	prompt "sha1 (compat)"
	help
	  The Secure Hash Algorithm (SHA) was developed by NIST and
	  is specified in the Secure Hash Standard (SHS, FIPS 180).
	  SHA-1 is a revision to this version and was published in
	  1994. It is also described in the ANSI X9.30 (part 2)
	  standard. SHA-1 produces a 160-bit (20 byte) message digest.
	  Although slower than MD5, this larger digest size makes it
	  stronger against brute force attacks.

config DROPBEAR_SHA1_96
	bool
	prompt "sha1-96 (legacy)"
	help
	  The Secure Hash Algorithm (SHA) was developed by NIST and
	  is specified in the Secure Hash Standard (SHS, FIPS 180).
	  SHA-1 is a revision to this version and was published in
	  1994. It is also described in the ANSI X9.30 (part 2)
	  standard. SHA-1 produces a 160-bit (20 byte) message digest.
	  Although slower than MD5, this larger digest size makes it
	  stronger against brute force attacks.

config DROPBEAR_SHA256
	bool
	prompt "sha256 (recommended)"
	default y
	help
	  SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256,
	  SHA-384, SHA-512) designed by the National Security Agency (NSA)
	  and published in 2001 by the NIST as a U.S. Federal Information
	  Processing Standard. SHA stands for Secure Hash Algorithm. SHA-2
	  includes a significant number of changes from its predecessor,
	  SHA-1. SHA-2 consists of a set of four hash functions with digests
	  that are 224, 256, 384 or 512 bits.

config DROPBEAR_SHA512
	bool
	prompt "sha512"
	default y
	help
	  SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256,
	  SHA-384, SHA-512) designed by the National Security Agency (NSA)
	  and published in 2001 by the NIST as a U.S. Federal Information
	  Processing Standard. SHA stands for Secure Hash Algorithm. SHA-2
	  includes a significant number of changes from its predecessor,
	  SHA-1. SHA-2 consists of a set of four hash functions with digests
	  that are 224, 256, 384 or 512 bits.

comment "WARNING: No Message Integrity method selected!"
	depends on !DROPBEAR_SHA1 && !DROPBEAR_SHA1_96 && !DROPBEAR_SHA256 && !DROPBEAR_SHA512

endmenu

menu "Hostkey/public key algorithms"

comment "at least one required ---"

config DROPBEAR_RSA
	bool
	prompt "rsa"
	default y
	help
	  RSA was announced in 1978. The security of the RSA system
	  is based upon the RSA Problem (RSAP). This problem is
	  conjectured (but not proven) to be equivalent to the
	  Integer Factorisation Problem (IFP).

config DROPBEAR_ECDSA
	bool
	prompt "ecdsa"
	help
	  ECDSA stands for Elliptic Curve Digital Signature Algorithm.
	  ECDSA is significantly faster than RSA.

config DROPBEAR_ED25519
	bool
	prompt "ed25519"
	default y
	help
	  Ed25519 is the EdDSA signature scheme using SHA-512 (SHA-2)
	  and Curve25519.
	  Ed25519 is intended to provide attack resistance comparable to
	  quality 128-bit symmetric ciphers.
	  Public keys are 256 bits long and signatures are 512 bits
	  long.

comment "WARNING: No Hostkey/public key algorithm selected!"
	depends on !DROPBEAR_RSA && !DROPBEAR_ECDSA && !DROPBEAR_ED25519

endmenu

menu "Key exchange algorithm       "

comment "at least one required ---"

config DROPBEAR_DH_GROUP14_SHA256
	bool
	prompt "group14_sha256"
	default y
	help
	  2048 bit, sha2-256.
	  group14 is supported by most implementations.

config DROPBEAR_DH_GROUP14_SHA1
	bool
	prompt "group14_sha1"
	help
	  2048 bit, sha1.
	  group14 is supported by most implementations.

config DROPBEAR_DH_GROUP16
	bool
	prompt "group16"
	help
	  4096 bit, sha2-512.
	  group16 provides a greater strength level but is slower and
	  increases binary size.

config DROPBEAR_ECDH
	bool
	prompt "ecdh"
	help
	  ECDH stands for Elliptic Curve Diffie-Hellman.

	  Small systems should generally include either curve25519 or
	  ecdh for performance.

config DROPBEAR_CURVE25519
	bool
	prompt "curve25519"
	help
	  Enable curve25519 for key exchange.
	  This is another elliptic curve method with good security properties.
	  This algorithm does not rely on NIST-based curves
	  and gives us more security confidence against a possible
	  backdoor in nistp-256 curve.

	  Small systems should generally include either curve25519 or
	  ecdh for performance.

config DROPBEAR_DH_GROUP1
	bool
	prompt "group1 (legacy, client only)"
	help
	  1024 bit, sha1.
	  This is too small for security though is necessary if you need
	  compatibility with some implementations such as Dropbear
	  versions < 0.53.
	  Client only!

comment "WARNING: No key exchange algorithm selected!"
	depends on !DROPBEAR_DH_GROUP14_SHA256 && !DROPBEAR_DH_GROUP14_SHA1 && !DROPBEAR_DH_GROUP16 && !DROPBEAR_ECDH && !DROPBEAR_CURVE25519 && !DROPBEAR_DH_GROUP1

endmenu

menu "Authentication types         "

comment "at least one required --- RFC Draft requires pubkey auth"

config DROPBEAR_PASSWD
	bool
	prompt "password"
	default y
	help
	  Use password authentication

config DROPBEAR_PUBKEY
	bool
	prompt "pubkey"
	default y
	help
	  Use public key authentication

comment "WARNING: No authentication type selected!"
	depends on !DROPBEAR_PASSWD && !DROPBEAR_PUBKEY

endmenu

comment "Installation options           ---"

config DROPBEAR_DROPBEAR
	bool
	prompt "Install dropbear SSH server"
	default y
	select DROPBEAR_DROPBEAR_KEY
	select DROPBEAR_RSA
	help
	  Installs the dropbar server in /usr/sbin/dropbear on the target

config DROPBEAR_DROPBEAR_KEY
	bool
	prompt "Install dropbearkey"
	help
	  This program is used to generate the host key(s).
	  Select this, if you want this program on your target platform.

config DROPBEAR_DROPBEAR_CONVERT
	bool
	prompt "Install dropbearconvert"
	help
	  With this utility you can convert ssh hostkeys from openssh to dropbear format.
	  Select this, if you want this program on your target platform.

config DROPBEAR_SCP
	bool
	depends on !OPENSSH_SCP || ALLYES
	prompt	"Install dropbear's scp"
	help
	  This is dropbear's implementation of the scp utility.

comment "OpenSSH scp is selected!"
	depends on OPENSSH_SCP

comment "Runtime options                ---"

config DROPBEAR_STARTSCRIPT
	bool
	default y
	depends on INITMETHOD_BBINIT
	prompt "install /etc/init.d/dropbear"

endif