annotate sysoptions.h @ 1916:3f4cdf839a1a

Make SHA1 optional, implement SHA256 fingerprints SHA256 is always compiled and only enable SHA1 when needed. Fingerprints are always SHA256: base64 format, md5 and sha1 are removed. dbrandom now uses sha256 its hash function.
author Matt Johnston <matt@ucc.asn.au>
date Wed, 30 Mar 2022 11:44:04 +0800
parents 13cb8cc1b0e4
children 77bc00dcc19f
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
1 /*******************************************************************
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
2 * You shouldn't edit this file unless you know you need to.
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
3 * This file is only included from options.h
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
4 *******************************************************************/
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
5
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
6 #ifndef DROPBEAR_VERSION
1761
4b984c42372d Changelog for 2020.81
Matt Johnston <matt@ucc.asn.au>
parents: 1753
diff changeset
7 #define DROPBEAR_VERSION "2020.81"
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
8 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
9
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
10 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
11 #define PROGNAME "dropbear"
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
12
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
13 /* Spec recommends after one hour or 1 gigabyte of data. One hour
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
14 * is a bit too verbose, so we try 8 hours */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
15 #ifndef KEX_REKEY_TIMEOUT
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
16 #define KEX_REKEY_TIMEOUT (3600 * 8)
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
17 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
18 #ifndef KEX_REKEY_DATA
887
0459ff21e320 Back out accidentally committed files
Matt Johnston <matt@ucc.asn.au>
parents: 886
diff changeset
19 #define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
20 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
21 /* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
22 #ifndef AUTH_TIMEOUT
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
23 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
24 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
25
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
26 #define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
27
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
28 #if !(NON_INETD_MODE || INETD_MODE)
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
29 #error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
30 #endif
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
31
1861
2b3a8026a6ce Add re-exec for server
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
32 /* Would probably work on freebsd but hasn't been tested */
1862
6f265a35159a Fix -Wexpansion-to-defined failure on clang
Matt Johnston <matt@ucc.asn.au>
parents: 1861
diff changeset
33 #if defined(HAVE_FEXECVE) && DROPBEAR_REEXEC && defined(__linux__)
6f265a35159a Fix -Wexpansion-to-defined failure on clang
Matt Johnston <matt@ucc.asn.au>
parents: 1861
diff changeset
34 #define DROPBEAR_DO_REEXEC 1
6f265a35159a Fix -Wexpansion-to-defined failure on clang
Matt Johnston <matt@ucc.asn.au>
parents: 1861
diff changeset
35 #else
6f265a35159a Fix -Wexpansion-to-defined failure on clang
Matt Johnston <matt@ucc.asn.au>
parents: 1861
diff changeset
36 #define DROPBEAR_DO_REEXEC 0
6f265a35159a Fix -Wexpansion-to-defined failure on clang
Matt Johnston <matt@ucc.asn.au>
parents: 1861
diff changeset
37 #endif
1861
2b3a8026a6ce Add re-exec for server
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
38
746
465fefc4f6e0 Put some #ifdef options around first-follows options in case they
Matt Johnston <matt@ucc.asn.au>
parents: 745
diff changeset
39 /* A client should try and send an initial key exchange packet guessing
465fefc4f6e0 Put some #ifdef options around first-follows options in case they
Matt Johnston <matt@ucc.asn.au>
parents: 745
diff changeset
40 * the algorithm that will match - saves a round trip connecting, has little
465fefc4f6e0 Put some #ifdef options around first-follows options in case they
Matt Johnston <matt@ucc.asn.au>
parents: 745
diff changeset
41 * overhead if the guess was "wrong". */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
42 #ifndef DROPBEAR_KEX_FIRST_FOLLOWS
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
43 #define DROPBEAR_KEX_FIRST_FOLLOWS 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
44 #endif
746
465fefc4f6e0 Put some #ifdef options around first-follows options in case they
Matt Johnston <matt@ucc.asn.au>
parents: 745
diff changeset
45 /* Use protocol extension to allow "first follows" to succeed more frequently.
465fefc4f6e0 Put some #ifdef options around first-follows options in case they
Matt Johnston <matt@ucc.asn.au>
parents: 745
diff changeset
46 * This is currently Dropbear-specific but will gracefully fallback when connecting
465fefc4f6e0 Put some #ifdef options around first-follows options in case they
Matt Johnston <matt@ucc.asn.au>
parents: 745
diff changeset
47 * to other implementations. */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
48 #ifndef DROPBEAR_KEXGUESS2
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
49 #define DROPBEAR_KEXGUESS2 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
50 #endif
746
465fefc4f6e0 Put some #ifdef options around first-follows options in case they
Matt Johnston <matt@ucc.asn.au>
parents: 745
diff changeset
51
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
52 /* Minimum key sizes for DSS and RSA */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
53 #ifndef MIN_DSS_KEYLEN
1414
9236e7120c3e increase min DSS and RSA lengths
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
54 #define MIN_DSS_KEYLEN 1024
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
55 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
56 #ifndef MIN_RSA_KEYLEN
1414
9236e7120c3e increase min DSS and RSA lengths
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
57 #define MIN_RSA_KEYLEN 1024
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
58 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
59
1832
a974a80f5f44 Banner size should account for newlines
Matt Johnston <matt@codeconstruct.com.au>
parents: 1831
diff changeset
60 #define MAX_BANNER_SIZE 2050 /* this is 25*80 chars, any more is foolish */
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
61 #define MAX_BANNER_LINES 20 /* How many lines the client will display */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
62
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
63 /* the number of NAME=VALUE pairs to malloc for environ, if we don't have
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
64 * the clearenv() function */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
65 #define ENV_SIZE 100
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
66
1138
cc3916a7afd9 increase MAX_CMD_LEN to 9000
Matt Johnston <matt@ucc.asn.au>
parents: 1084
diff changeset
67 #define MAX_CMD_LEN 9000 /* max length of a command */
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
68 #define MAX_TERM_LEN 200 /* max length of TERM name */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
69
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
70 #define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
71 #define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
72
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
73 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
74 ipv4 and ipv6 don't count twice */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
75
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
76 /* Each port might have at least a v4 and a v6 address */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
77 #define MAX_LISTEN_ADDR (DROPBEAR_MAX_PORTS*3)
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
78
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
79 #define _PATH_TTY "/dev/tty"
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
80
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
81 #define _PATH_CP "/bin/cp"
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
82
722
4a274f47eabd Add ~. and ~^Z handling to exit/suspend dbclient
Matt Johnston <matt@ucc.asn.au>
parents: 718
diff changeset
83 #define DROPBEAR_ESCAPE_CHAR '~'
4a274f47eabd Add ~. and ~^Z handling to exit/suspend dbclient
Matt Johnston <matt@ucc.asn.au>
parents: 718
diff changeset
84
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
85 /* success/failure defines */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
86 #define DROPBEAR_SUCCESS 0
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
87 #define DROPBEAR_FAILURE -1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
88
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
89 #define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
90
1537
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1517
diff changeset
91 #define DROPBEAR_NGROUP_MAX 1024
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1517
diff changeset
92
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
93 /* Required for pubkey auth */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
94 #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
95
1831
0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit
Matt Johnston <matt@codeconstruct.com.au>
parents: 1761
diff changeset
96 /* crypt(password) must take less time than the auth failure delay
0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit
Matt Johnston <matt@codeconstruct.com.au>
parents: 1761
diff changeset
97 (250ms set in svr-auth.c). On Linux the delay depends on
0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit
Matt Johnston <matt@codeconstruct.com.au>
parents: 1761
diff changeset
98 password length, 100 characters here was empirically derived.
0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit
Matt Johnston <matt@codeconstruct.com.au>
parents: 1761
diff changeset
99
0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit
Matt Johnston <matt@codeconstruct.com.au>
parents: 1761
diff changeset
100 If a longer password is allowed Dropbear cannot compensate
0a3d02c66bf6 Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit
Matt Johnston <matt@codeconstruct.com.au>
parents: 1761
diff changeset
101 for the crypt time which will expose which usernames exist */
1640
228b086794b7 limit password length to 100
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
102 #define DROPBEAR_MAX_PASSWORD_LEN 100
228b086794b7 limit password length to 100
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
103
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
104 #define SHA1_HASH_SIZE 20
1855
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents: 1834
diff changeset
105 #define SHA256_HASH_SIZE 32
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
106 #define MD5_HASH_SIZE 16
855
04ede40a529a - Some fixes for old compilers like tru64 v4 from Daniel Richard G.
Matt Johnston <matt@ucc.asn.au>
parents: 850
diff changeset
107 #define MAX_HASH_SIZE 64 /* sha512 */
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
108
1672
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1659
diff changeset
109 #if DROPBEAR_CHACHA20POLY1305
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1659
diff changeset
110 #define MAX_KEY_LEN 64 /* 2 x 256 bits for chacha20 */
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1659
diff changeset
111 #else
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
112 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
1672
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1659
diff changeset
113 #endif
762
a78a38e402d1 - Fix various hardcoded uses of SHA1
Matt Johnston <matt@ucc.asn.au>
parents: 761
diff changeset
114 #define MAX_IV_LEN 20 /* must be same as max blocksize, */
715
cd3d3c63d189 Make hmac-sha2-256 and hmac-sha2-512 work
Matt Johnston <matt@ucc.asn.au>
parents: 710
diff changeset
115
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
116 #if DROPBEAR_SHA2_512_HMAC
715
cd3d3c63d189 Make hmac-sha2-256 and hmac-sha2-512 work
Matt Johnston <matt@ucc.asn.au>
parents: 710
diff changeset
117 #define MAX_MAC_LEN 64
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
118 #elif DROPBEAR_SHA2_256_HMAC
715
cd3d3c63d189 Make hmac-sha2-256 and hmac-sha2-512 work
Matt Johnston <matt@ucc.asn.au>
parents: 710
diff changeset
119 #define MAX_MAC_LEN 32
679
03073a27abb3 - Add hmac-sha2-256 and hmac-sha2-512. Needs debugging, seems to be
Matt Johnston <matt@ucc.asn.au>
parents: 668
diff changeset
120 #else
715
cd3d3c63d189 Make hmac-sha2-256 and hmac-sha2-512 work
Matt Johnston <matt@ucc.asn.au>
parents: 710
diff changeset
121 #define MAX_MAC_LEN 20
679
03073a27abb3 - Add hmac-sha2-256 and hmac-sha2-512. Needs debugging, seems to be
Matt Johnston <matt@ucc.asn.au>
parents: 668
diff changeset
122 #endif
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
123
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
124 /* sha2-512 is not necessary unless unforseen problems arise with sha2-256 */
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
125 #ifndef DROPBEAR_SHA2_512_HMAC
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
126 #define DROPBEAR_SHA2_512_HMAC 0
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
127 #endif
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
128
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
129 /* might be needed for compatibility with very old implementations */
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
130 #ifndef DROPBEAR_MD5_HMAC
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
131 #define DROPBEAR_MD5_HMAC 0
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
132 #endif
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
133
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
134 #define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA))
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
135
838
4365e12c68e6 A few small fixes for ECC compilation
Matt Johnston <matt@ucc.asn.au>
parents: 835
diff changeset
136 /* Debian doesn't define this in system headers */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
137 #if !defined(LTM_DESC) && (DROPBEAR_ECC)
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
138 #define LTM_DESC
869
c63e7644db60 Only define LTM_DESC if it isn't already
Matt Johnston <matt@ucc.asn.au>
parents: 861
diff changeset
139 #endif
755
b07eb3dc23ec refactor kexdh code a bit, start working on ecdh etc
Matt Johnston <matt@ucc.asn.au>
parents: 722
diff changeset
140
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
141 #define DROPBEAR_ECC_256 (DROPBEAR_ECC)
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
142 #define DROPBEAR_ECC_384 (DROPBEAR_ECC)
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
143 #define DROPBEAR_ECC_521 (DROPBEAR_ECC)
756
bf9dc2d9c2b1 more bits on ecc branch
Matt Johnston <matt@ucc.asn.au>
parents: 755
diff changeset
144
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
145 #define DROPBEAR_LTC_PRNG (DROPBEAR_ECC)
761
ac2158e3e403 ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents: 759
diff changeset
146
850
7507b174bba0 - Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents: 847
diff changeset
147 /* RSA can be vulnerable to timing attacks which use the time required for
7507b174bba0 - Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents: 847
diff changeset
148 * signing to guess the private key. Blinding avoids this attack, though makes
7507b174bba0 - Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents: 847
diff changeset
149 * signing operations slightly slower. */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
150 #define DROPBEAR_RSA_BLINDING 1
850
7507b174bba0 - Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents: 847
diff changeset
151
1674
ba6fc7afe1c5 use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents: 1659
diff changeset
152 #ifndef DROPBEAR_RSA_SHA1
ba6fc7afe1c5 use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents: 1659
diff changeset
153 #define DROPBEAR_RSA_SHA1 DROPBEAR_RSA
ba6fc7afe1c5 use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents: 1659
diff changeset
154 #endif
ba6fc7afe1c5 use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents: 1659
diff changeset
155 #ifndef DROPBEAR_RSA_SHA256
ba6fc7afe1c5 use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents: 1659
diff changeset
156 #define DROPBEAR_RSA_SHA256 DROPBEAR_RSA
ba6fc7afe1c5 use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents: 1659
diff changeset
157 #endif
ba6fc7afe1c5 use sigtype where appropriate
Matt Johnston <matt@ucc.asn.au>
parents: 1659
diff changeset
158
847
f4bb964c8678 Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents: 838
diff changeset
159 /* hashes which will be linked and registered */
1916
3f4cdf839a1a Make SHA1 optional, implement SHA256 fingerprints
Matt Johnston <matt@ucc.asn.au>
parents: 1915
diff changeset
160 #define DROPBEAR_SHA1 (DROPBEAR_RSA_SHA1 || DROPBEAR_DSS \
3f4cdf839a1a Make SHA1 optional, implement SHA256 fingerprints
Matt Johnston <matt@ucc.asn.au>
parents: 1915
diff changeset
161 || DROPBEAR_SHA1_HMAC || DROPBEAR_SHA1_96_HMAC \
3f4cdf839a1a Make SHA1 optional, implement SHA256 fingerprints
Matt Johnston <matt@ucc.asn.au>
parents: 1915
diff changeset
162 || DROPBEAR_DH_GROUP1 || DROPBEAR_DH_GROUP14_SHA1 )
3f4cdf839a1a Make SHA1 optional, implement SHA256 fingerprints
Matt Johnston <matt@ucc.asn.au>
parents: 1915
diff changeset
163 /* sha256 is always used for fingerprints and dbrandom */
3f4cdf839a1a Make SHA1 optional, implement SHA256 fingerprints
Matt Johnston <matt@ucc.asn.au>
parents: 1915
diff changeset
164 #define DROPBEAR_SHA256 1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
165 #define DROPBEAR_SHA384 (DROPBEAR_ECC_384)
847
f4bb964c8678 Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents: 838
diff changeset
166 /* LTC SHA384 depends on SHA512 */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
167 #define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \
1659
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1654
diff changeset
168 || (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16) \
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1654
diff changeset
169 || (DROPBEAR_ED25519))
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
170 #define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC)
759
76fba0856749 More changes for KEX and ECDH. Set up hash descriptors, make ECC code work,
Matt Johnston <matt@ucc.asn.au>
parents: 756
diff changeset
171
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
172 #define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1))
1294
56aba7dedbea options for disabling "normal" DH
Matt Johnston <matt@ucc.asn.au>
parents: 1293
diff changeset
173
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
174 #define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) || (DROPBEAR_DH_GROUP14) || (DROPBEAR_DH_GROUP16))
1248
739b3909c499 Get rid of group15, move group16 to sha512.
Matt Johnston <matt@ucc.asn.au>
parents: 1230
diff changeset
175
1681
435cfb9ec96e send and handle SSH_MSG_EXT_INFO only at the correct point
Matt Johnston <matt@ucc.asn.au>
parents: 1674
diff changeset
176 /* Dropbear only uses server-sig-algs, only needed if we have rsa-sha256 pubkey auth */
435cfb9ec96e send and handle SSH_MSG_EXT_INFO only at the correct point
Matt Johnston <matt@ucc.asn.au>
parents: 1674
diff changeset
177 #define DROPBEAR_EXT_INFO ((DROPBEAR_RSA_SHA256) \
435cfb9ec96e send and handle SSH_MSG_EXT_INFO only at the correct point
Matt Johnston <matt@ucc.asn.au>
parents: 1674
diff changeset
178 && ((DROPBEAR_CLI_PUBKEY_AUTH) || (DROPBEAR_SVR_PUBKEY_AUTH)))
435cfb9ec96e send and handle SSH_MSG_EXT_INFO only at the correct point
Matt Johnston <matt@ucc.asn.au>
parents: 1674
diff changeset
179
847
f4bb964c8678 Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents: 838
diff changeset
180 /* roughly 2x 521 bits */
755
b07eb3dc23ec refactor kexdh code a bit, start working on ecdh etc
Matt Johnston <matt@ucc.asn.au>
parents: 722
diff changeset
181 #define MAX_ECC_SIZE 140
b07eb3dc23ec refactor kexdh code a bit, start working on ecdh etc
Matt Johnston <matt@ucc.asn.au>
parents: 722
diff changeset
182
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
183 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
184 explicitly specified for all protocols (just
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
185 for algos) but seems valid */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
186
1753
7c0fcd19e492 Increase MAX_PROPOSED_ALGO to 50, warn if exceeded
Matt Johnston <matt@ucc.asn.au>
parents: 1734
diff changeset
187 #define MAX_PROPOSED_ALGO 50
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
188
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
189 /* size/count limits */
603
3aa74a4d83ae Refer to RFCs rather than drafts, update some section references
Matt Johnston <matt@ucc.asn.au>
parents: 598
diff changeset
190 /* From transport rfc */
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
191 #define MIN_PACKET_LEN 16
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
192
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
193 #define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
194
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
195 /* for channel code */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
196 #define TRANS_MAX_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
197 #define TRANS_MAX_WIN_INCR 500000000 /* overflow prevention */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
198
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
199 #define RECV_WINDOWEXTEND (opts.recv_window / 3) /* We send a "window extend" every
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
200 RECV_WINDOWEXTEND bytes */
1834
94dc11094e26 Increase max window size to 10MB, fallback rather than
Matt Johnston <matt@codeconstruct.com.au>
parents: 1832
diff changeset
201 #define MAX_RECV_WINDOW (10*1024*1024) /* 10 MB should be enough */
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
202
1169
41a5820cab8b Increase channel limit to 1000
Matt Johnston <matt@ucc.asn.au>
parents: 1147
diff changeset
203 #define MAX_CHANNELS 1000 /* simple mem restriction, includes each tcp/x11
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
204 connection, so can't be _too_ small */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
205
1138
cc3916a7afd9 increase MAX_CMD_LEN to 9000
Matt Johnston <matt@ucc.asn.au>
parents: 1084
diff changeset
206 #define MAX_STRING_LEN (MAX(MAX_CMD_LEN, 2400)) /* Sun SSH needs 2400 for algos,
cc3916a7afd9 increase MAX_CMD_LEN to 9000
Matt Johnston <matt@ucc.asn.au>
parents: 1084
diff changeset
207 MAX_CMD_LEN is usually longer */
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
208
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
209 /* For a 4096 bit DSS key, empirically determined */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
210 #define MAX_PUBKEY_SIZE 1700
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
211 /* For a 4096 bit DSS key, empirically determined */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
212 #define MAX_PRIVKEY_SIZE 1700
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
213
1659
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1654
diff changeset
214 #define MAX_HOSTKEYS 4
795
7f604f9b3756 ecdsa is working
Matt Johnston <matt@ucc.asn.au>
parents: 794
diff changeset
215
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
216 /* The maximum size of the bignum portion of the kexhash buffer */
603
3aa74a4d83ae Refer to RFCs rather than drafts, update some section references
Matt Johnston <matt@ucc.asn.au>
parents: 598
diff changeset
217 /* Sect. 8 of the transport rfc 4253, K_S + e + f + K */
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
218 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
219
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
220 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
221 in a few years time.... */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
222
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
223 #define DROPBEAR_MAX_CLI_PASS 1024
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
224
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
225 #define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
226 accept for keyb-interactive
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
227 auth */
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
228
883
ff597bf2cfb0 DROPBEAR_CLI_AUTH_IMMEDIATE fixed, now enabled by default
Matt Johnston <matt@ucc.asn.au>
parents: 878
diff changeset
229
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
230 #define DROPBEAR_AES ((DROPBEAR_AES256) || (DROPBEAR_AES128))
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
231
1672
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1659
diff changeset
232 #define DROPBEAR_AEAD_MODE ((DROPBEAR_CHACHA20POLY1305) || (DROPBEAR_ENABLE_GCM_MODE))
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1659
diff changeset
233
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
234 #define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD))
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
235
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
236 #define DROPBEAR_TCP_ACCEPT ((DROPBEAR_CLI_LOCALTCPFWD) || (DROPBEAR_SVR_REMOTETCPFWD))
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
237
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
238 #define DROPBEAR_LISTENERS \
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
239 ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD) || \
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
240 (DROPBEAR_SVR_REMOTETCPFWD) || (DROPBEAR_SVR_LOCALTCPFWD) || \
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
241 (DROPBEAR_SVR_AGENTFWD) || (DROPBEAR_X11FWD))
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
242
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
243 #define DROPBEAR_CLI_MULTIHOP ((DROPBEAR_CLI_NETCAT) && (DROPBEAR_CLI_PROXYCMD))
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
244
1499
2d450c1056e3 options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents: 1477
diff changeset
245 #define ENABLE_CONNECT_UNIX ((DROPBEAR_CLI_AGENTFWD) || (DROPBEAR_USE_PRNGD))
547
cf376c696dfc Make it compile, update for changes in channel structure.
Matt Johnston <matt@ucc.asn.au>
parents: 521
diff changeset
246
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
247 /* if we're using authorized_keys or known_hosts */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
248 #define DROPBEAR_KEY_LINES ((DROPBEAR_CLIENT) || (DROPBEAR_SVR_PUBKEY_AUTH))
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
249
605
53c21d4ec98a - Don't allow setting memLevel since that doesn't work properly
Matt Johnston <matt@ucc.asn.au>
parents: 598
diff changeset
250 /* Changing this is inadvisable, it appears to have problems
53c21d4ec98a - Don't allow setting memLevel since that doesn't work properly
Matt Johnston <matt@ucc.asn.au>
parents: 598
diff changeset
251 * with flushing compressed data */
53c21d4ec98a - Don't allow setting memLevel since that doesn't work properly
Matt Johnston <matt@ucc.asn.au>
parents: 598
diff changeset
252 #define DROPBEAR_ZLIB_MEM_LEVEL 8
53c21d4ec98a - Don't allow setting memLevel since that doesn't work properly
Matt Johnston <matt@ucc.asn.au>
parents: 598
diff changeset
253
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
254 #if (DROPBEAR_SVR_PASSWORD_AUTH) && (DROPBEAR_SVR_PAM_AUTH)
1615
cd23631dab5c fix error message to say localoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1554
diff changeset
255 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in localoptions.h"
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
256 #endif
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
257
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
258 /* PAM requires ./configure --enable-pam */
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
259 #if !defined(HAVE_LIBPAM) && DROPBEAR_SVR_PAM_AUTH
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
260 #error "DROPBEAR_SVR_PATM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?"
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
261 #endif
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
262
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
263 #if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
264 #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
265 #endif
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
266
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
267 #if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
268 #error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended."
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
269 #endif
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
270
1654
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
271 #if (DROPBEAR_PLUGIN && !DROPBEAR_SVR_PUBKEY_AUTH)
cc0fc5131c5c Rename EPKA -> Plugin
Matt Johnston <matt@ucc.asn.au>
parents: 1653
diff changeset
272 #error "You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins"
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1650
diff changeset
273 #endif
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
274
1915
13cb8cc1b0e4 Remove twofish and remnants of blowfish
Matt Johnston <matt@ucc.asn.au>
parents: 1862
diff changeset
275 #if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_CHACHA20POLY1305)
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
276 #error "At least one encryption algorithm must be enabled. AES128 is recommended."
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
277 #endif
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
278
1659
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1654
diff changeset
279 #if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA || DROPBEAR_ED25519)
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
280 #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
281 #endif
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
282
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
283 /* Source for randomness. This must be able to provide hundreds of bytes per SSH
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
284 * connection without blocking. */
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
285 #ifndef DROPBEAR_URANDOM_DEV
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
286 #define DROPBEAR_URANDOM_DEV "/dev/urandom"
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
287 #endif
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
288
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
289 /* client keyboard interactive authentication is often used for password auth.
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
290 rfc4256 */
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
291 #define DROPBEAR_CLI_INTERACT_AUTH (DROPBEAR_CLI_PASSWORD_AUTH)
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
292
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
293 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
294 * code, if we're just compiling as client or server */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
295 #if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT)
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
296
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
297 #define IS_DROPBEAR_SERVER (ses.isserver == 1)
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
298 #define IS_DROPBEAR_CLIENT (ses.isserver == 0)
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
299
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
300 #elif DROPBEAR_SERVER
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
301
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
302 #define IS_DROPBEAR_SERVER 1
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
303 #define IS_DROPBEAR_CLIENT 0
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
304
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
305 #elif DROPBEAR_CLIENT
499
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
306
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
307 #define IS_DROPBEAR_SERVER 0
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
308 #define IS_DROPBEAR_CLIENT 1
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
309
f3ca5ebc319a Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
310 #else
521
cc2dff9bd671 - Allow building with neither server nor client specified
Matt Johnston <matt@ucc.asn.au>
parents: 516
diff changeset
311 /* Just building key utils? */
cc2dff9bd671 - Allow building with neither server nor client specified
Matt Johnston <matt@ucc.asn.au>
parents: 516
diff changeset
312 #define IS_DROPBEAR_SERVER 0
cc2dff9bd671 - Allow building with neither server nor client specified
Matt Johnston <matt@ucc.asn.au>
parents: 516
diff changeset
313 #define IS_DROPBEAR_CLIENT 0
cc2dff9bd671 - Allow building with neither server nor client specified
Matt Johnston <matt@ucc.asn.au>
parents: 516
diff changeset
314
667
fc7ae88e63b3 Rename HAVE_FORK to USE_VFORK
Matt Johnston <matt@ucc.asn.au>
parents: 661
diff changeset
315 #endif /* neither DROPBEAR_SERVER nor DROPBEAR_CLIENT */
fc7ae88e63b3 Rename HAVE_FORK to USE_VFORK
Matt Johnston <matt@ucc.asn.au>
parents: 661
diff changeset
316
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
317 #ifdef HAVE_FORK
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
318 #define DROPBEAR_VFORK 0
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
319 #else
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
320 #define DROPBEAR_VFORK 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
321 #endif
667
fc7ae88e63b3 Rename HAVE_FORK to USE_VFORK
Matt Johnston <matt@ucc.asn.au>
parents: 661
diff changeset
322
1440
8b74d5f876a7 sysoptions.h: Add ability to override DROPBEAR_LISTEN_BACKLOG
Ben Gardner <bgardner@wabtec.com>
parents: 1342
diff changeset
323 #ifndef DROPBEAR_LISTEN_BACKLOG
936
d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase
Matt Johnston <matt@ucc.asn.au>
parents: 902
diff changeset
324 #if MAX_UNAUTH_CLIENTS > MAX_CHANNELS
d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase
Matt Johnston <matt@ucc.asn.au>
parents: 902
diff changeset
325 #define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS
d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase
Matt Johnston <matt@ucc.asn.au>
parents: 902
diff changeset
326 #else
d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase
Matt Johnston <matt@ucc.asn.au>
parents: 902
diff changeset
327 #define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase
Matt Johnston <matt@ucc.asn.au>
parents: 902
diff changeset
328 #endif
1440
8b74d5f876a7 sysoptions.h: Add ability to override DROPBEAR_LISTEN_BACKLOG
Ben Gardner <bgardner@wabtec.com>
parents: 1342
diff changeset
329 #endif
936
d93a6bcf616f Improve handling lots of concurrent forwarded connections. Increase
Matt Johnston <matt@ucc.asn.au>
parents: 902
diff changeset
330
1040
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 1009
diff changeset
331 /* free memory before exiting */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
332 #define DROPBEAR_CLEANUP 1
1040
2b4fd440399d Free memory before exiting. Based on patch from Thorsten Horstmann.
Matt Johnston <matt@ucc.asn.au>
parents: 1009
diff changeset
333
970
0bb16232e7c4 Make keepalive handling more robust, this should now match what OpenSSH does
Matt Johnston <matt@ucc.asn.au>
parents: 965
diff changeset
334 /* Use this string since some implementations might special-case it */
0bb16232e7c4 Make keepalive handling more robust, this should now match what OpenSSH does
Matt Johnston <matt@ucc.asn.au>
parents: 965
diff changeset
335 #define DROPBEAR_KEEPALIVE_STRING "[email protected]"
0bb16232e7c4 Make keepalive handling more robust, this should now match what OpenSSH does
Matt Johnston <matt@ucc.asn.au>
parents: 965
diff changeset
336
1084
2265d7ebfdeb separate client/server fastopen options
Matt Johnston <matt@ucc.asn.au>
parents: 1049
diff changeset
337 /* Linux will attempt TCP fast open, falling back if not supported by the kernel.
2265d7ebfdeb separate client/server fastopen options
Matt Johnston <matt@ucc.asn.au>
parents: 1049
diff changeset
338 * Currently server is enabled but client is disabled by default until there
2265d7ebfdeb separate client/server fastopen options
Matt Johnston <matt@ucc.asn.au>
parents: 1049
diff changeset
339 * is further compatibility testing */
1033
ca71904cf3ee Fixes for backwards compatibility
Matt Johnston <matt@ucc.asn.au>
parents: 1009
diff changeset
340 #ifdef __linux__
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
341 #define DROPBEAR_SERVER_TCP_FAST_OPEN 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
342 #define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
343 #else
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
344 #define DROPBEAR_SERVER_TCP_FAST_OPEN 0
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1294
diff changeset
345 #define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
1033
ca71904cf3ee Fixes for backwards compatibility
Matt Johnston <matt@ucc.asn.au>
parents: 1009
diff changeset
346 #endif
ca71904cf3ee Fixes for backwards compatibility
Matt Johnston <matt@ucc.asn.au>
parents: 1009
diff changeset
347
1569
c42e8ff42bd1 Only use malloc wrapper if fuzzing
Matt Johnston <matt@ucc.asn.au>
parents: 1554
diff changeset
348 #define DROPBEAR_TRACKING_MALLOC (DROPBEAR_FUZZ)
c42e8ff42bd1 Only use malloc wrapper if fuzzing
Matt Johnston <matt@ucc.asn.au>
parents: 1554
diff changeset
349
1596
60fceff95858 workaround memory sanitizer FD_ZERO false positives
Matt Johnston <matt@ucc.asn.au>
parents: 1569
diff changeset
350 /* Used to work around Memory Sanitizer false positives */
60fceff95858 workaround memory sanitizer FD_ZERO false positives
Matt Johnston <matt@ucc.asn.au>
parents: 1569
diff changeset
351 #if defined(__has_feature)
60fceff95858 workaround memory sanitizer FD_ZERO false positives
Matt Johnston <matt@ucc.asn.au>
parents: 1569
diff changeset
352 # if __has_feature(memory_sanitizer)
60fceff95858 workaround memory sanitizer FD_ZERO false positives
Matt Johnston <matt@ucc.asn.au>
parents: 1569
diff changeset
353 # define DROPBEAR_MSAN 1
60fceff95858 workaround memory sanitizer FD_ZERO false positives
Matt Johnston <matt@ucc.asn.au>
parents: 1569
diff changeset
354 # endif
60fceff95858 workaround memory sanitizer FD_ZERO false positives
Matt Johnston <matt@ucc.asn.au>
parents: 1569
diff changeset
355 #endif
60fceff95858 workaround memory sanitizer FD_ZERO false positives
Matt Johnston <matt@ucc.asn.au>
parents: 1569
diff changeset
356 #ifndef DROPBEAR_MSAN
60fceff95858 workaround memory sanitizer FD_ZERO false positives
Matt Johnston <matt@ucc.asn.au>
parents: 1569
diff changeset
357 #define DROPBEAR_MSAN 0
60fceff95858 workaround memory sanitizer FD_ZERO false positives
Matt Johnston <matt@ucc.asn.au>
parents: 1569
diff changeset
358 #endif
60fceff95858 workaround memory sanitizer FD_ZERO false positives
Matt Johnston <matt@ucc.asn.au>
parents: 1569
diff changeset
359
60fceff95858 workaround memory sanitizer FD_ZERO false positives
Matt Johnston <matt@ucc.asn.au>
parents: 1569
diff changeset
360
667
fc7ae88e63b3 Rename HAVE_FORK to USE_VFORK
Matt Johnston <matt@ucc.asn.au>
parents: 661
diff changeset
361 /* no include guard for this file */