dropbear: sysoptions.h annotate

annotate sysoptions.h @ 1861:2b3a8026a6ce

Add re-exec for server This allows ASLR to re-randomize the address space for every connection, preventing some vulnerabilities from being exploitable by repeated probing. Overhead (memory and time) is yet to be confirmed. At present this is only enabled on Linux. Other BSD platforms with fexecve() would probably also work though have not been tested.

author	Matt Johnston <matt@ucc.asn.au>
date	Sun, 30 Jan 2022 10:14:56 +0800
parents	35d504d59c05
children	6f265a35159a

rev	line source
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1 /*******************************************************************
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2 * You shouldn't edit this file unless you know you need to.
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3 * This file is only included from options.h
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	4 *******************************************************************/
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	5
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	6 #ifndef DROPBEAR_VERSION
1761 4b984c42372d Changelog for 2020.81 Matt Johnston <matt@ucc.asn.au> parents: 1753 diff changeset	7 #define DROPBEAR_VERSION "2020.81"
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	8 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	9
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	10 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	11 #define PROGNAME "dropbear"
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	12
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	13 /* Spec recommends after one hour or 1 gigabyte of data. One hour
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	14 * is a bit too verbose, so we try 8 hours */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	15 #ifndef KEX_REKEY_TIMEOUT
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	16 #define KEX_REKEY_TIMEOUT (3600 * 8)
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	17 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	18 #ifndef KEX_REKEY_DATA
887 0459ff21e320 Back out accidentally committed files Matt Johnston <matt@ucc.asn.au> parents: 886 diff changeset	19 #define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	20 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	21 /* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	22 #ifndef AUTH_TIMEOUT
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	23 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	24 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	25
1514 6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	26 #define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	27
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	28 #if !(NON_INETD_MODE \|\| INETD_MODE)
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	29 #error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	30 #endif
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	31
1861 2b3a8026a6ce Add re-exec for server Matt Johnston <matt@ucc.asn.au> parents: 1855 diff changeset	32 /* Would probably work on freebsd but hasn't been tested */
2b3a8026a6ce Add re-exec for server Matt Johnston <matt@ucc.asn.au> parents: 1855 diff changeset	33 #define DROPBEAR_DO_REEXEC (defined(HAVE_FEXECVE) && DROPBEAR_REEXEC && defined(__linux__))
2b3a8026a6ce Add re-exec for server Matt Johnston <matt@ucc.asn.au> parents: 1855 diff changeset	34
746 465fefc4f6e0 Put some #ifdef options around first-follows options in case they Matt Johnston <matt@ucc.asn.au> parents: 745 diff changeset	35 /* A client should try and send an initial key exchange packet guessing
465fefc4f6e0 Put some #ifdef options around first-follows options in case they Matt Johnston <matt@ucc.asn.au> parents: 745 diff changeset	36 * the algorithm that will match - saves a round trip connecting, has little
465fefc4f6e0 Put some #ifdef options around first-follows options in case they Matt Johnston <matt@ucc.asn.au> parents: 745 diff changeset	37 * overhead if the guess was "wrong". */
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	38 #ifndef DROPBEAR_KEX_FIRST_FOLLOWS
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	39 #define DROPBEAR_KEX_FIRST_FOLLOWS 1
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	40 #endif
746 465fefc4f6e0 Put some #ifdef options around first-follows options in case they Matt Johnston <matt@ucc.asn.au> parents: 745 diff changeset	41 /* Use protocol extension to allow "first follows" to succeed more frequently.
465fefc4f6e0 Put some #ifdef options around first-follows options in case they Matt Johnston <matt@ucc.asn.au> parents: 745 diff changeset	42 * This is currently Dropbear-specific but will gracefully fallback when connecting
465fefc4f6e0 Put some #ifdef options around first-follows options in case they Matt Johnston <matt@ucc.asn.au> parents: 745 diff changeset	43 * to other implementations. */
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	44 #ifndef DROPBEAR_KEXGUESS2
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	45 #define DROPBEAR_KEXGUESS2 1
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	46 #endif
746 465fefc4f6e0 Put some #ifdef options around first-follows options in case they Matt Johnston <matt@ucc.asn.au> parents: 745 diff changeset	47
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	48 /* Minimum key sizes for DSS and RSA */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	49 #ifndef MIN_DSS_KEYLEN
1414 9236e7120c3e increase min DSS and RSA lengths Matt Johnston <matt@ucc.asn.au> parents: 1342 diff changeset	50 #define MIN_DSS_KEYLEN 1024
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	51 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	52 #ifndef MIN_RSA_KEYLEN
1414 9236e7120c3e increase min DSS and RSA lengths Matt Johnston <matt@ucc.asn.au> parents: 1342 diff changeset	53 #define MIN_RSA_KEYLEN 1024
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	54 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	55
1832 a974a80f5f44 Banner size should account for newlines Matt Johnston <matt@codeconstruct.com.au> parents: 1831 diff changeset	56 #define MAX_BANNER_SIZE 2050 /* this is 2580 chars, any more is foolish /
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	57 #define MAX_BANNER_LINES 20 /* How many lines the client will display */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	58
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	59 /* the number of NAME=VALUE pairs to malloc for environ, if we don't have
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	60 * the clearenv() function */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	61 #define ENV_SIZE 100
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	62
1138 cc3916a7afd9 increase MAX_CMD_LEN to 9000 Matt Johnston <matt@ucc.asn.au> parents: 1084 diff changeset	63 #define MAX_CMD_LEN 9000 /* max length of a command */
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	64 #define MAX_TERM_LEN 200 /* max length of TERM name */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	65
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	66 #define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	67 #define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	68
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	69 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	70 ipv4 and ipv6 don't count twice */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	71
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	72 /* Each port might have at least a v4 and a v6 address */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	73 #define MAX_LISTEN_ADDR (DROPBEAR_MAX_PORTS*3)
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	74
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	75 #define _PATH_TTY "/dev/tty"
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	76
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	77 #define _PATH_CP "/bin/cp"
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	78
722 4a274f47eabd Add ~. and ~^Z handling to exit/suspend dbclient Matt Johnston <matt@ucc.asn.au> parents: 718 diff changeset	79 #define DROPBEAR_ESCAPE_CHAR '~'
4a274f47eabd Add ~. and ~^Z handling to exit/suspend dbclient Matt Johnston <matt@ucc.asn.au> parents: 718 diff changeset	80
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	81 /* success/failure defines */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	82 #define DROPBEAR_SUCCESS 0
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	83 #define DROPBEAR_FAILURE -1
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	84
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	85 #define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	86
1537 6a83b1944432 Fix restricted group code for BSDs, move to separate function Matt Johnston <matt@ucc.asn.au> parents: 1517 diff changeset	87 #define DROPBEAR_NGROUP_MAX 1024
6a83b1944432 Fix restricted group code for BSDs, move to separate function Matt Johnston <matt@ucc.asn.au> parents: 1517 diff changeset	88
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	89 /* Required for pubkey auth */
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	90 #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) \|\| (DROPBEAR_CLIENT))
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	91
1831 0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit Matt Johnston <matt@codeconstruct.com.au> parents: 1761 diff changeset	92 /* crypt(password) must take less time than the auth failure delay
0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit Matt Johnston <matt@codeconstruct.com.au> parents: 1761 diff changeset	93 (250ms set in svr-auth.c). On Linux the delay depends on
0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit Matt Johnston <matt@codeconstruct.com.au> parents: 1761 diff changeset	94 password length, 100 characters here was empirically derived.
0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit Matt Johnston <matt@codeconstruct.com.au> parents: 1761 diff changeset	95
0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit Matt Johnston <matt@codeconstruct.com.au> parents: 1761 diff changeset	96 If a longer password is allowed Dropbear cannot compensate
0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit Matt Johnston <matt@codeconstruct.com.au> parents: 1761 diff changeset	97 for the crypt time which will expose which usernames exist */
1640 228b086794b7 limit password length to 100 Matt Johnston <matt@ucc.asn.au> parents: 1617 diff changeset	98 #define DROPBEAR_MAX_PASSWORD_LEN 100
228b086794b7 limit password length to 100 Matt Johnston <matt@ucc.asn.au> parents: 1617 diff changeset	99
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	100 #define SHA1_HASH_SIZE 20
1855 35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142) egor-duda <egor-duda@users.noreply.github.com> parents: 1834 diff changeset	101 #define SHA256_HASH_SIZE 32
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	102 #define MD5_HASH_SIZE 16
855 04ede40a529a - Some fixes for old compilers like tru64 v4 from Daniel Richard G. Matt Johnston <matt@ucc.asn.au> parents: 850 diff changeset	103 #define MAX_HASH_SIZE 64 /* sha512 */
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	104
1672 3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1659 diff changeset	105 #if DROPBEAR_CHACHA20POLY1305
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1659 diff changeset	106 #define MAX_KEY_LEN 64 /* 2 x 256 bits for chacha20 */
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1659 diff changeset	107 #else
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	108 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
1672 3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1659 diff changeset	109 #endif
762 a78a38e402d1 - Fix various hardcoded uses of SHA1 Matt Johnston <matt@ucc.asn.au> parents: 761 diff changeset	110 #define MAX_IV_LEN 20 /* must be same as max blocksize, */
715 cd3d3c63d189 Make hmac-sha2-256 and hmac-sha2-512 work Matt Johnston <matt@ucc.asn.au> parents: 710 diff changeset	111
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	112 #if DROPBEAR_SHA2_512_HMAC
715 cd3d3c63d189 Make hmac-sha2-256 and hmac-sha2-512 work Matt Johnston <matt@ucc.asn.au> parents: 710 diff changeset	113 #define MAX_MAC_LEN 64
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	114 #elif DROPBEAR_SHA2_256_HMAC
715 cd3d3c63d189 Make hmac-sha2-256 and hmac-sha2-512 work Matt Johnston <matt@ucc.asn.au> parents: 710 diff changeset	115 #define MAX_MAC_LEN 32
679 03073a27abb3 - Add hmac-sha2-256 and hmac-sha2-512. Needs debugging, seems to be Matt Johnston <matt@ucc.asn.au> parents: 668 diff changeset	116 #else
715 cd3d3c63d189 Make hmac-sha2-256 and hmac-sha2-512 work Matt Johnston <matt@ucc.asn.au> parents: 710 diff changeset	117 #define MAX_MAC_LEN 20
679 03073a27abb3 - Add hmac-sha2-256 and hmac-sha2-512. Needs debugging, seems to be Matt Johnston <matt@ucc.asn.au> parents: 668 diff changeset	118 #endif
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	119
1517 7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	120 /* sha2-512 is not necessary unless unforseen problems arise with sha2-256 */
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	121 #ifndef DROPBEAR_SHA2_512_HMAC
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	122 #define DROPBEAR_SHA2_512_HMAC 0
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	123 #endif
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	124
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	125 /* might be needed for compatibility with very old implementations */
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	126 #ifndef DROPBEAR_MD5_HMAC
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	127 #define DROPBEAR_MD5_HMAC 0
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	128 #endif
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	129
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	130 /* Twofish counter mode is disabled by default because it
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	131 has not been tested for interoperability with other SSH implementations.
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	132 If you test it please contact the Dropbear author */
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	133 #ifndef DROPBEAR_TWOFISH_CTR
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	134 #define DROPBEAR_TWOFISH_CTR 0
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	135 #endif
7c7c5326ad73 clean up some default options Matt Johnston <matt@ucc.asn.au> parents: 1514 diff changeset	136
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	137
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	138 #define DROPBEAR_ECC ((DROPBEAR_ECDH) \|\| (DROPBEAR_ECDSA))
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	139
838 4365e12c68e6 A few small fixes for ECC compilation Matt Johnston <matt@ucc.asn.au> parents: 835 diff changeset	140 /* Debian doesn't define this in system headers */
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	141 #if !defined(LTM_DESC) && (DROPBEAR_ECC)
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	142 #define LTM_DESC
869 c63e7644db60 Only define LTM_DESC if it isn't already Matt Johnston <matt@ucc.asn.au> parents: 861 diff changeset	143 #endif
755 b07eb3dc23ec refactor kexdh code a bit, start working on ecdh etc Matt Johnston <matt@ucc.asn.au> parents: 722 diff changeset	144
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	145 #define DROPBEAR_ECC_256 (DROPBEAR_ECC)
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	146 #define DROPBEAR_ECC_384 (DROPBEAR_ECC)
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	147 #define DROPBEAR_ECC_521 (DROPBEAR_ECC)
756 bf9dc2d9c2b1 more bits on ecc branch Matt Johnston <matt@ucc.asn.au> parents: 755 diff changeset	148
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	149 #define DROPBEAR_LTC_PRNG (DROPBEAR_ECC)
761 ac2158e3e403 ecc kind of works, needs fixing/testing Matt Johnston <matt@ucc.asn.au> parents: 759 diff changeset	150
850 7507b174bba0 - Make curve25519 work after fixing a typo, interoperates with OpenSSH Matt Johnston <matt@ucc.asn.au> parents: 847 diff changeset	151 /* RSA can be vulnerable to timing attacks which use the time required for
7507b174bba0 - Make curve25519 work after fixing a typo, interoperates with OpenSSH Matt Johnston <matt@ucc.asn.au> parents: 847 diff changeset	152 * signing to guess the private key. Blinding avoids this attack, though makes
7507b174bba0 - Make curve25519 work after fixing a typo, interoperates with OpenSSH Matt Johnston <matt@ucc.asn.au> parents: 847 diff changeset	153 * signing operations slightly slower. */
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	154 #define DROPBEAR_RSA_BLINDING 1
850 7507b174bba0 - Make curve25519 work after fixing a typo, interoperates with OpenSSH Matt Johnston <matt@ucc.asn.au> parents: 847 diff changeset	155
1674 ba6fc7afe1c5 use sigtype where appropriate Matt Johnston <matt@ucc.asn.au> parents: 1659 diff changeset	156 #ifndef DROPBEAR_RSA_SHA1
ba6fc7afe1c5 use sigtype where appropriate Matt Johnston <matt@ucc.asn.au> parents: 1659 diff changeset	157 #define DROPBEAR_RSA_SHA1 DROPBEAR_RSA
ba6fc7afe1c5 use sigtype where appropriate Matt Johnston <matt@ucc.asn.au> parents: 1659 diff changeset	158 #endif
ba6fc7afe1c5 use sigtype where appropriate Matt Johnston <matt@ucc.asn.au> parents: 1659 diff changeset	159 #ifndef DROPBEAR_RSA_SHA256
ba6fc7afe1c5 use sigtype where appropriate Matt Johnston <matt@ucc.asn.au> parents: 1659 diff changeset	160 #define DROPBEAR_RSA_SHA256 DROPBEAR_RSA
ba6fc7afe1c5 use sigtype where appropriate Matt Johnston <matt@ucc.asn.au> parents: 1659 diff changeset	161 #endif
ba6fc7afe1c5 use sigtype where appropriate Matt Johnston <matt@ucc.asn.au> parents: 1659 diff changeset	162
847 f4bb964c8678 Add '-R' for delayed hostkey option Matt Johnston <matt@ucc.asn.au> parents: 838 diff changeset	163 /* hashes which will be linked and registered */
1674 ba6fc7afe1c5 use sigtype where appropriate Matt Johnston <matt@ucc.asn.au> parents: 1659 diff changeset	164 #define DROPBEAR_SHA256 ((DROPBEAR_SHA2_256_HMAC) \|\| (DROPBEAR_ECC_256) \
ba6fc7afe1c5 use sigtype where appropriate Matt Johnston <matt@ucc.asn.au> parents: 1659 diff changeset	165 \|\| (DROPBEAR_CURVE25519) \|\| (DROPBEAR_DH_GROUP14_SHA256) \
ba6fc7afe1c5 use sigtype where appropriate Matt Johnston <matt@ucc.asn.au> parents: 1659 diff changeset	166 \|\| (DROPBEAR_RSA_SHA256))
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	167 #define DROPBEAR_SHA384 (DROPBEAR_ECC_384)
847 f4bb964c8678 Add '-R' for delayed hostkey option Matt Johnston <matt@ucc.asn.au> parents: 838 diff changeset	168 /* LTC SHA384 depends on SHA512 */
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	169 #define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) \|\| (DROPBEAR_ECC_521) \
1659 d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1654 diff changeset	170 \|\| (DROPBEAR_SHA384) \|\| (DROPBEAR_DH_GROUP16) \
d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1654 diff changeset	171 \|\| (DROPBEAR_ED25519))
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	172 #define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC)
759 76fba0856749 More changes for KEX and ECDH. Set up hash descriptors, make ECC code work, Matt Johnston <matt@ucc.asn.au> parents: 756 diff changeset	173
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	174 #define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) \|\| (DROPBEAR_DH_GROUP14_SHA1))
1294 56aba7dedbea options for disabling "normal" DH Matt Johnston <matt@ucc.asn.au> parents: 1293 diff changeset	175
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	176 #define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) \|\| (DROPBEAR_DH_GROUP14) \|\| (DROPBEAR_DH_GROUP16))
1248 739b3909c499 Get rid of group15, move group16 to sha512. Matt Johnston <matt@ucc.asn.au> parents: 1230 diff changeset	177
1681 435cfb9ec96e send and handle SSH_MSG_EXT_INFO only at the correct point Matt Johnston <matt@ucc.asn.au> parents: 1674 diff changeset	178 /* Dropbear only uses server-sig-algs, only needed if we have rsa-sha256 pubkey auth */
435cfb9ec96e send and handle SSH_MSG_EXT_INFO only at the correct point Matt Johnston <matt@ucc.asn.au> parents: 1674 diff changeset	179 #define DROPBEAR_EXT_INFO ((DROPBEAR_RSA_SHA256) \
435cfb9ec96e send and handle SSH_MSG_EXT_INFO only at the correct point Matt Johnston <matt@ucc.asn.au> parents: 1674 diff changeset	180 && ((DROPBEAR_CLI_PUBKEY_AUTH) \|\| (DROPBEAR_SVR_PUBKEY_AUTH)))
435cfb9ec96e send and handle SSH_MSG_EXT_INFO only at the correct point Matt Johnston <matt@ucc.asn.au> parents: 1674 diff changeset	181
847 f4bb964c8678 Add '-R' for delayed hostkey option Matt Johnston <matt@ucc.asn.au> parents: 838 diff changeset	182 /* roughly 2x 521 bits */
755 b07eb3dc23ec refactor kexdh code a bit, start working on ecdh etc Matt Johnston <matt@ucc.asn.au> parents: 722 diff changeset	183 #define MAX_ECC_SIZE 140
b07eb3dc23ec refactor kexdh code a bit, start working on ecdh etc Matt Johnston <matt@ucc.asn.au> parents: 722 diff changeset	184
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	185 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	186 explicitly specified for all protocols (just
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	187 for algos) but seems valid */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	188
1753 7c0fcd19e492 Increase MAX_PROPOSED_ALGO to 50, warn if exceeded Matt Johnston <matt@ucc.asn.au> parents: 1734 diff changeset	189 #define MAX_PROPOSED_ALGO 50
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	190
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	191 /* size/count limits */
603 3aa74a4d83ae Refer to RFCs rather than drafts, update some section references Matt Johnston <matt@ucc.asn.au> parents: 598 diff changeset	192 /* From transport rfc */
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	193 #define MIN_PACKET_LEN 16
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	194
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	195 #define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	196
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	197 /* for channel code */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	198 #define TRANS_MAX_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	199 #define TRANS_MAX_WIN_INCR 500000000 /* overflow prevention */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	200
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	201 #define RECV_WINDOWEXTEND (opts.recv_window / 3) /* We send a "window extend" every
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	202 RECV_WINDOWEXTEND bytes */
1834 94dc11094e26 Increase max window size to 10MB, fallback rather than Matt Johnston <matt@codeconstruct.com.au> parents: 1832 diff changeset	203 #define MAX_RECV_WINDOW (1010241024) /* 10 MB should be enough */
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	204
1169 41a5820cab8b Increase channel limit to 1000 Matt Johnston <matt@ucc.asn.au> parents: 1147 diff changeset	205 #define MAX_CHANNELS 1000 /* simple mem restriction, includes each tcp/x11
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	206 connection, so can't be _too_ small */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	207
1138 cc3916a7afd9 increase MAX_CMD_LEN to 9000 Matt Johnston <matt@ucc.asn.au> parents: 1084 diff changeset	208 #define MAX_STRING_LEN (MAX(MAX_CMD_LEN, 2400)) /* Sun SSH needs 2400 for algos,
cc3916a7afd9 increase MAX_CMD_LEN to 9000 Matt Johnston <matt@ucc.asn.au> parents: 1084 diff changeset	209 MAX_CMD_LEN is usually longer */
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	210
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	211 /* For a 4096 bit DSS key, empirically determined */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	212 #define MAX_PUBKEY_SIZE 1700
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	213 /* For a 4096 bit DSS key, empirically determined */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	214 #define MAX_PRIVKEY_SIZE 1700
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	215
1659 d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1654 diff changeset	216 #define MAX_HOSTKEYS 4
795 7f604f9b3756 ecdsa is working Matt Johnston <matt@ucc.asn.au> parents: 794 diff changeset	217
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	218 /* The maximum size of the bignum portion of the kexhash buffer */
603 3aa74a4d83ae Refer to RFCs rather than drafts, update some section references Matt Johnston <matt@ucc.asn.au> parents: 598 diff changeset	219 /* Sect. 8 of the transport rfc 4253, K_S + e + f + K */
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	220 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	221
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	222 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	223 in a few years time.... */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	224
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	225 #define DROPBEAR_MAX_CLI_PASS 1024
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	226
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	227 #define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	228 accept for keyb-interactive
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	229 auth */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	230
883 ff597bf2cfb0 DROPBEAR_CLI_AUTH_IMMEDIATE fixed, now enabled by default Matt Johnston <matt@ucc.asn.au> parents: 878 diff changeset	231
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	232 #define DROPBEAR_AES ((DROPBEAR_AES256) \|\| (DROPBEAR_AES128))
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	233
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	234 #define DROPBEAR_TWOFISH ((DROPBEAR_TWOFISH256) \|\| (DROPBEAR_TWOFISH128))
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	235
1672 3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1659 diff changeset	236 #define DROPBEAR_AEAD_MODE ((DROPBEAR_CHACHA20POLY1305) \|\| (DROPBEAR_ENABLE_GCM_MODE))
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1659 diff changeset	237
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	238 #define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) \|\| (DROPBEAR_CLI_LOCALTCPFWD))
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	239
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	240 #define DROPBEAR_TCP_ACCEPT ((DROPBEAR_CLI_LOCALTCPFWD) \|\| (DROPBEAR_SVR_REMOTETCPFWD))
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	241
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	242 #define DROPBEAR_LISTENERS \
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	243 ((DROPBEAR_CLI_REMOTETCPFWD) \|\| (DROPBEAR_CLI_LOCALTCPFWD) \|\| \
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	244 (DROPBEAR_SVR_REMOTETCPFWD) \|\| (DROPBEAR_SVR_LOCALTCPFWD) \|\| \
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	245 (DROPBEAR_SVR_AGENTFWD) \|\| (DROPBEAR_X11FWD))
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	246
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	247 #define DROPBEAR_CLI_MULTIHOP ((DROPBEAR_CLI_NETCAT) && (DROPBEAR_CLI_PROXYCMD))
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	248
1499 2d450c1056e3 options: Complete the transition to numeric toggles (`#if') Michael Witten <mfwitten@gmail.com> parents: 1477 diff changeset	249 #define ENABLE_CONNECT_UNIX ((DROPBEAR_CLI_AGENTFWD) \|\| (DROPBEAR_USE_PRNGD))
547 cf376c696dfc Make it compile, update for changes in channel structure. Matt Johnston <matt@ucc.asn.au> parents: 521 diff changeset	250
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	251 /* if we're using authorized_keys or known_hosts */
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	252 #define DROPBEAR_KEY_LINES ((DROPBEAR_CLIENT) \|\| (DROPBEAR_SVR_PUBKEY_AUTH))
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	253
605 53c21d4ec98a - Don't allow setting memLevel since that doesn't work properly Matt Johnston <matt@ucc.asn.au> parents: 598 diff changeset	254 /* Changing this is inadvisable, it appears to have problems
53c21d4ec98a - Don't allow setting memLevel since that doesn't work properly Matt Johnston <matt@ucc.asn.au> parents: 598 diff changeset	255 * with flushing compressed data */
53c21d4ec98a - Don't allow setting memLevel since that doesn't work properly Matt Johnston <matt@ucc.asn.au> parents: 598 diff changeset	256 #define DROPBEAR_ZLIB_MEM_LEVEL 8
53c21d4ec98a - Don't allow setting memLevel since that doesn't work properly Matt Johnston <matt@ucc.asn.au> parents: 598 diff changeset	257
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	258 #if (DROPBEAR_SVR_PASSWORD_AUTH) && (DROPBEAR_SVR_PAM_AUTH)
1615 cd23631dab5c fix error message to say localoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1554 diff changeset	259 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in localoptions.h"
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	260 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	261
1514 6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	262 /* PAM requires ./configure --enable-pam */
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	263 #if !defined(HAVE_LIBPAM) && DROPBEAR_SVR_PAM_AUTH
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	264 #error "DROPBEAR_SVR_PATM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?"
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	265 #endif
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	266
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	267 #if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	268 #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	269 #endif
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	270
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	271 #if !(DROPBEAR_SVR_PASSWORD_AUTH \|\| DROPBEAR_SVR_PAM_AUTH \|\| DROPBEAR_SVR_PUBKEY_AUTH)
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	272 #error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended."
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	273 #endif
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	274
1654 cc0fc5131c5c Rename EPKA -> Plugin Matt Johnston <matt@ucc.asn.au> parents: 1653 diff changeset	275 #if (DROPBEAR_PLUGIN && !DROPBEAR_SVR_PUBKEY_AUTH)
cc0fc5131c5c Rename EPKA -> Plugin Matt Johnston <matt@ucc.asn.au> parents: 1653 diff changeset	276 #error "You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins"
1653 76189c9ffea2 External Public-Key Authentication API (#72) fabriziobertocci <fabriziobertocci@gmail.com> parents: 1650 diff changeset	277 #endif
1514 6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	278
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	279 #if !(DROPBEAR_AES128 \|\| DROPBEAR_3DES \|\| DROPBEAR_AES256 \|\| DROPBEAR_BLOWFISH \
1672 3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1659 diff changeset	280 \|\| DROPBEAR_TWOFISH256 \|\| DROPBEAR_TWOFISH128 \|\| DROPBEAR_CHACHA20POLY1305)
1514 6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	281 #error "At least one encryption algorithm must be enabled. AES128 is recommended."
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	282 #endif
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	283
1659 d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1654 diff changeset	284 #if !(DROPBEAR_RSA \|\| DROPBEAR_DSS \|\| DROPBEAR_ECDSA \|\| DROPBEAR_ED25519)
1514 6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	285 #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	286 #endif
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	287
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	288 /* Source for randomness. This must be able to provide hundreds of bytes per SSH
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	289 * connection without blocking. */
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	290 #ifndef DROPBEAR_URANDOM_DEV
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	291 #define DROPBEAR_URANDOM_DEV "/dev/urandom"
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	292 #endif
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	293
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	294 /* client keyboard interactive authentication is often used for password auth.
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	295 rfc4256 */
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	296 #define DROPBEAR_CLI_INTERACT_AUTH (DROPBEAR_CLI_PASSWORD_AUTH)
6c16a05023aa rename some options and move some to sysoptions.h Matt Johnston <matt@ucc.asn.au> parents: 1499 diff changeset	297
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	298 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	299 * code, if we're just compiling as client or server */
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	300 #if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT)
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	301
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	302 #define IS_DROPBEAR_SERVER (ses.isserver == 1)
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	303 #define IS_DROPBEAR_CLIENT (ses.isserver == 0)
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	304
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	305 #elif DROPBEAR_SERVER
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	306
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	307 #define IS_DROPBEAR_SERVER 1
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	308 #define IS_DROPBEAR_CLIENT 0
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	309
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	310 #elif DROPBEAR_CLIENT
499 f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	311
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	312 #define IS_DROPBEAR_SERVER 0
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	313 #define IS_DROPBEAR_CLIENT 1
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	314
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually Matt Johnston <matt@ucc.asn.au> parents: diff changeset	315 #else
521 cc2dff9bd671 - Allow building with neither server nor client specified Matt Johnston <matt@ucc.asn.au> parents: 516 diff changeset	316 /* Just building key utils? */
cc2dff9bd671 - Allow building with neither server nor client specified Matt Johnston <matt@ucc.asn.au> parents: 516 diff changeset	317 #define IS_DROPBEAR_SERVER 0
cc2dff9bd671 - Allow building with neither server nor client specified Matt Johnston <matt@ucc.asn.au> parents: 516 diff changeset	318 #define IS_DROPBEAR_CLIENT 0
cc2dff9bd671 - Allow building with neither server nor client specified Matt Johnston <matt@ucc.asn.au> parents: 516 diff changeset	319
667 fc7ae88e63b3 Rename HAVE_FORK to USE_VFORK Matt Johnston <matt@ucc.asn.au> parents: 661 diff changeset	320 #endif /* neither DROPBEAR_SERVER nor DROPBEAR_CLIENT */
fc7ae88e63b3 Rename HAVE_FORK to USE_VFORK Matt Johnston <matt@ucc.asn.au> parents: 661 diff changeset	321
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	322 #ifdef HAVE_FORK
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	323 #define DROPBEAR_VFORK 0
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	324 #else
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	325 #define DROPBEAR_VFORK 1
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	326 #endif
667 fc7ae88e63b3 Rename HAVE_FORK to USE_VFORK Matt Johnston <matt@ucc.asn.au> parents: 661 diff changeset	327
1440 8b74d5f876a7 sysoptions.h: Add ability to override DROPBEAR_LISTEN_BACKLOG Ben Gardner <bgardner@wabtec.com> parents: 1342 diff changeset	328 #ifndef DROPBEAR_LISTEN_BACKLOG
936 d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase Matt Johnston <matt@ucc.asn.au> parents: 902 diff changeset	329 #if MAX_UNAUTH_CLIENTS > MAX_CHANNELS
d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase Matt Johnston <matt@ucc.asn.au> parents: 902 diff changeset	330 #define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS
d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase Matt Johnston <matt@ucc.asn.au> parents: 902 diff changeset	331 #else
d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase Matt Johnston <matt@ucc.asn.au> parents: 902 diff changeset	332 #define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase Matt Johnston <matt@ucc.asn.au> parents: 902 diff changeset	333 #endif
1440 8b74d5f876a7 sysoptions.h: Add ability to override DROPBEAR_LISTEN_BACKLOG Ben Gardner <bgardner@wabtec.com> parents: 1342 diff changeset	334 #endif
936 d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase Matt Johnston <matt@ucc.asn.au> parents: 902 diff changeset	335
1040 2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann. Matt Johnston <matt@ucc.asn.au> parents: 1009 diff changeset	336 /* free memory before exiting */
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	337 #define DROPBEAR_CLEANUP 1
1040 2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann. Matt Johnston <matt@ucc.asn.au> parents: 1009 diff changeset	338
970 0bb16232e7c4 Make keepalive handling more robust, this should now match what OpenSSH does Matt Johnston <matt@ucc.asn.au> parents: 965 diff changeset	339 /* Use this string since some implementations might special-case it */
0bb16232e7c4 Make keepalive handling more robust, this should now match what OpenSSH does Matt Johnston <matt@ucc.asn.au> parents: 965 diff changeset	340 #define DROPBEAR_KEEPALIVE_STRING "[email protected]"
0bb16232e7c4 Make keepalive handling more robust, this should now match what OpenSSH does Matt Johnston <matt@ucc.asn.au> parents: 965 diff changeset	341
1084 2265d7ebfdeb separate client/server fastopen options Matt Johnston <matt@ucc.asn.au> parents: 1049 diff changeset	342 /* Linux will attempt TCP fast open, falling back if not supported by the kernel.
2265d7ebfdeb separate client/server fastopen options Matt Johnston <matt@ucc.asn.au> parents: 1049 diff changeset	343 * Currently server is enabled but client is disabled by default until there
2265d7ebfdeb separate client/server fastopen options Matt Johnston <matt@ucc.asn.au> parents: 1049 diff changeset	344 * is further compatibility testing */
1033 ca71904cf3ee Fixes for backwards compatibility Matt Johnston <matt@ucc.asn.au> parents: 1009 diff changeset	345 #ifdef __linux__
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	346 #define DROPBEAR_SERVER_TCP_FAST_OPEN 1
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	347 #define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	348 #else
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	349 #define DROPBEAR_SERVER_TCP_FAST_OPEN 0
750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 1294 diff changeset	350 #define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
1033 ca71904cf3ee Fixes for backwards compatibility Matt Johnston <matt@ucc.asn.au> parents: 1009 diff changeset	351 #endif
ca71904cf3ee Fixes for backwards compatibility Matt Johnston <matt@ucc.asn.au> parents: 1009 diff changeset	352
1569 c42e8ff42bd1 Only use malloc wrapper if fuzzing Matt Johnston <matt@ucc.asn.au> parents: 1554 diff changeset	353 #define DROPBEAR_TRACKING_MALLOC (DROPBEAR_FUZZ)
c42e8ff42bd1 Only use malloc wrapper if fuzzing Matt Johnston <matt@ucc.asn.au> parents: 1554 diff changeset	354
1596 60fceff95858 workaround memory sanitizer FD_ZERO false positives Matt Johnston <matt@ucc.asn.au> parents: 1569 diff changeset	355 /* Used to work around Memory Sanitizer false positives */
60fceff95858 workaround memory sanitizer FD_ZERO false positives Matt Johnston <matt@ucc.asn.au> parents: 1569 diff changeset	356 #if defined(__has_feature)
60fceff95858 workaround memory sanitizer FD_ZERO false positives Matt Johnston <matt@ucc.asn.au> parents: 1569 diff changeset	357 # if __has_feature(memory_sanitizer)
60fceff95858 workaround memory sanitizer FD_ZERO false positives Matt Johnston <matt@ucc.asn.au> parents: 1569 diff changeset	358 # define DROPBEAR_MSAN 1
60fceff95858 workaround memory sanitizer FD_ZERO false positives Matt Johnston <matt@ucc.asn.au> parents: 1569 diff changeset	359 # endif
60fceff95858 workaround memory sanitizer FD_ZERO false positives Matt Johnston <matt@ucc.asn.au> parents: 1569 diff changeset	360 #endif
60fceff95858 workaround memory sanitizer FD_ZERO false positives Matt Johnston <matt@ucc.asn.au> parents: 1569 diff changeset	361 #ifndef DROPBEAR_MSAN
60fceff95858 workaround memory sanitizer FD_ZERO false positives Matt Johnston <matt@ucc.asn.au> parents: 1569 diff changeset	362 #define DROPBEAR_MSAN 0
60fceff95858 workaround memory sanitizer FD_ZERO false positives Matt Johnston <matt@ucc.asn.au> parents: 1569 diff changeset	363 #endif
60fceff95858 workaround memory sanitizer FD_ZERO false positives Matt Johnston <matt@ucc.asn.au> parents: 1569 diff changeset	364
60fceff95858 workaround memory sanitizer FD_ZERO false positives Matt Johnston <matt@ucc.asn.au> parents: 1569 diff changeset	365
667 fc7ae88e63b3 Rename HAVE_FORK to USE_VFORK Matt Johnston <matt@ucc.asn.au> parents: 661 diff changeset	366 /* no include guard for this file */

Mercurial > dropbear

annotate sysoptions.h @ 1861:2b3a8026a6ce