comparison sysoptions.h @ 1342:8747c2b19152
merge 2017.75
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 18 May 2017 22:59:38 +0800 |
parents | cfd2abbf9cf4 2c9dac2d6707 |
children | 9236e7120c3e 8b74d5f876a7 |
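--- a/sysoptions.h
+++ b/sysoptions.h
@@ -21,18 +21,24 @@
 /* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
 #ifndef AUTH_TIMEOUT
 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
 #endif
 
+#define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
+
 /* A client should try and send an initial key exchange packet guessing
  * the algorithm that will match - saves a round trip connecting, has little
  * overhead if the guess was "wrong". */
-#define USE_KEX_FIRST_FOLLOWS
+#ifndef DROPBEAR_KEX_FIRST_FOLLOWS
+#define DROPBEAR_KEX_FIRST_FOLLOWS 1
+#endif
 /* Use protocol extension to allow "first follows" to succeed more frequently.
  * This is currently Dropbear-specific but will gracefully fallback when connecting
  * to other implementations. */
-#define USE_KEXGUESS2
+#ifndef DROPBEAR_KEXGUESS2
+#define DROPBEAR_KEXGUESS2 1
+#endif
 
 /* Minimum key sizes for DSS and RSA */
 #ifndef MIN_DSS_KEYLEN
 #define MIN_DSS_KEYLEN 512
 #endif
@@ -66,73 +72,62 @@
 #define DROPBEAR_ESCAPE_CHAR '~'
 
 /* success/failure defines */
 #define DROPBEAR_SUCCESS 0
 #define DROPBEAR_FAILURE -1
+
+#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
 
 /* Required for pubkey auth */
-#if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT)
-#define DROPBEAR_SIGNKEY_VERIFY
-#endif
+#define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
 
 #define SHA1_HASH_SIZE 20
 #define MD5_HASH_SIZE 16
 #define MAX_HASH_SIZE 64 /* sha512 */
 
 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
 #define MAX_IV_LEN 20 /* must be same as max blocksize, */
 
-#if defined(DROPBEAR_SHA2_512_HMAC)
+#if DROPBEAR_SHA2_512_HMAC
 #define MAX_MAC_LEN 64
-#elif defined(DROPBEAR_SHA2_256_HMAC)
+#elif DROPBEAR_SHA2_256_HMAC
 #define MAX_MAC_LEN 32
 #else
 #define MAX_MAC_LEN 20
 #endif
 
-#if defined(DROPBEAR_ECDH) || defined (DROPBEAR_ECDSA)
-#define DROPBEAR_ECC
+
+#define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA))
+
 /* Debian doesn't define this in system headers */
-#ifndef LTM_DESC
+#if !defined(LTM_DESC) && (DROPBEAR_ECC)
 #define LTM_DESC
 #endif
-#endif
-
-#ifdef DROPBEAR_ECC
-#define DROPBEAR_ECC_256
-#define DROPBEAR_ECC_384
-#define DROPBEAR_ECC_521
-#endif
-
-#ifdef DROPBEAR_ECC
-#define DROPBEAR_LTC_PRNG
-#endif
+
+#define DROPBEAR_ECC_256 (DROPBEAR_ECC)
+#define DROPBEAR_ECC_384 (DROPBEAR_ECC)
+#define DROPBEAR_ECC_521 (DROPBEAR_ECC)
+
+#define DROPBEAR_LTC_PRNG (DROPBEAR_ECC)
 
 /* RSA can be vulnerable to timing attacks which use the time required for
  * signing to guess the private key. Blinding avoids this attack, though makes
  * signing operations slightly slower. */
-#define RSA_BLINDING
+#define DROPBEAR_RSA_BLINDING 1
 
 /* hashes which will be linked and registered */
-#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519) || DROPBEAR_DH_GROUP14
-#define DROPBEAR_SHA256
-#endif
-#if defined(DROPBEAR_ECC_384)
-#define DROPBEAR_SHA384
-#endif
+#define DROPBEAR_SHA256 ((DROPBEAR_SHA2_256_HMAC) || (DROPBEAR_ECC_256) \
+|| (DROPBEAR_CURVE25519) || (DROPBEAR_DH_GROUP14_SHA256))
+#define DROPBEAR_SHA384 (DROPBEAR_ECC_384)
 /* LTC SHA384 depends on SHA512 */
-#if defined(DROPBEAR_SHA2_512_HMAC) || defined(DROPBEAR_ECC_521) || defined(DROPBEAR_ECC_384) || DROPBEAR_DH_GROUP16
-#define DROPBEAR_SHA512
-#endif
-#if defined(DROPBEAR_MD5_HMAC)
-#define DROPBEAR_MD5
-#endif
-
-/* These are disabled in Dropbear 2016.73 by default since the spec
-draft-ietf-curdle-ssh-kex-sha2-02 is under development. */
-#define DROPBEAR_DH_GROUP14_256 0
-#define DROPBEAR_DH_GROUP16 0
+#define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \
+|| (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16))
+#define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC)
+
+#define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1))
+
+#define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) || (DROPBEAR_DH_GROUP14) || (DROPBEAR_DH_GROUP16))
 
 /* roughly 2x 521 bits */
 #define MAX_ECC_SIZE 140
 
 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
@@ -180,69 +175,51 @@
 #define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll
 accept for keyb-interactive
 auth */
 
 
-#if defined(DROPBEAR_AES256) || defined(DROPBEAR_AES128)
-#define DROPBEAR_AES
-#endif
+#define DROPBEAR_AES ((DROPBEAR_AES256) || (DROPBEAR_AES128))
+
+#define DROPBEAR_TWOFISH ((DROPBEAR_TWOFISH256) || (DROPBEAR_TWOFISH128))
 
-#if defined(DROPBEAR_TWOFISH256) || defined(DROPBEAR_TWOFISH128)
-#define DROPBEAR_TWOFISH
-#endif
+#define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD))
+
+#define DROPBEAR_TCP_ACCEPT ((DROPBEAR_CLI_LOCALTCPFWD) || (DROPBEAR_SVR_REMOTETCPFWD))
 
-#ifndef ENABLE_X11FWD
-#define DISABLE_X11FWD
-#endif
-
-#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
-#define ENABLE_CLI_ANYTCPFWD
-#endif
-
-#if defined(ENABLE_CLI_LOCALTCPFWD) || defined(ENABLE_SVR_REMOTETCPFWD)
-#define DROPBEAR_TCP_ACCEPT
-#endif
-
-#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \
-defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \
-defined(ENABLE_SVR_AGENTFWD) || defined(ENABLE_X11FWD)
-#define USING_LISTENERS
-#endif
-
-#if defined(ENABLE_CLI_NETCAT) && defined(ENABLE_CLI_PROXYCMD)
-#define ENABLE_CLI_MULTIHOP
-#endif
-
-#if defined(ENABLE_CLI_AGENTFWD) || defined(DROPBEAR_PRNGD_SOCKET)
-#define ENABLE_CONNECT_UNIX
-#endif
-
-#if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
-#define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
-#endif
+#define DROPBEAR_LISTENERS \
+((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD) || \
+(DROPBEAR_SVR_REMOTETCPFWD) || (DROPBEAR_SVR_LOCALTCPFWD) || \
+(DROPBEAR_SVR_AGENTFWD) || (DROPBEAR_X11FWD))
+
+#define DROPBEAR_CLI_MULTIHOP ((DROPBEAR_CLI_NETCAT) && (DROPBEAR_CLI_PROXYCMD))
+
+#define ENABLE_CONNECT_UNIX ((DROPBEAR_CLI_AGENTFWD) || (DROPBEAR_PRNGD_SOCKET))
+
+/* if we're using authorized_keys or known_hosts */
+#define DROPBEAR_KEY_LINES ((DROPBEAR_CLIENT) || (DROPBEAR_SVR_PUBKEY_AUTH))
 
 /* Changing this is inadvisable, it appears to have problems
  * with flushing compressed data */
 #define DROPBEAR_ZLIB_MEM_LEVEL 8
 
-#if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH)
+#if (DROPBEAR_SVR_PASSWORD_AUTH) && (DROPBEAR_SVR_PAM_AUTH)
 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
 #endif
 
 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
  * code, if we're just compiling as client or server */
-#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)
+#if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT)
 
 #define IS_DROPBEAR_SERVER (ses.isserver == 1)
 #define IS_DROPBEAR_CLIENT (ses.isserver == 0)
 
-#elif defined(DROPBEAR_SERVER)
+#elif DROPBEAR_SERVER
 
 #define IS_DROPBEAR_SERVER 1
 #define IS_DROPBEAR_CLIENT 0
 
-#elif defined(DROPBEAR_CLIENT)
+#elif DROPBEAR_CLIENT
 
 #define IS_DROPBEAR_SERVER 0
 #define IS_DROPBEAR_CLIENT 1
 
 #else
@@ -250,30 +227,39 @@
 #define IS_DROPBEAR_SERVER 0
 #define IS_DROPBEAR_CLIENT 0
 
 #endif /* neither DROPBEAR_SERVER nor DROPBEAR_CLIENT */
 
-#ifndef HAVE_FORK
-#define USE_VFORK
-#endif /* don't HAVE_FORK */
+#ifdef HAVE_FORK
+#define DROPBEAR_VFORK 0
+#else
+#define DROPBEAR_VFORK 1
+#endif
 
 #if MAX_UNAUTH_CLIENTS > MAX_CHANNELS
 #define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS
 #else
 #define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
 #endif
 
+#ifndef DROPBEAR_NONE_CIPHER
+#define DROPBEAR_NONE_CIPHER 0
+#endif
+
 /* free memory before exiting */
-#define DROPBEAR_CLEANUP
+#define DROPBEAR_CLEANUP 1
 
 /* Use this string since some implementations might special-case it */
 #define DROPBEAR_KEEPALIVE_STRING "[email protected]"
 
 /* Linux will attempt TCP fast open, falling back if not supported by the kernel.
  * Currently server is enabled but client is disabled by default until there
  * is further compatibility testing */
 #ifdef __linux__
-#define DROPBEAR_SERVER_TCP_FAST_OPEN
-/* #define DROPBEAR_CLIENT_TCP_FAST_OPEN */
+#define DROPBEAR_SERVER_TCP_FAST_OPEN 1
+#define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
+#else
+#define DROPBEAR_SERVER_TCP_FAST_OPEN 0
+#define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
 #endif
 
 /* no include guard for this file */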
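Review bot: With option tests now written as `#if X` instead of `#if defined(X)` (new lines 81, 198, 204 and the `#if DROPBEAR_SHA2_512_HMAC` chain at 90-92), an option that is simply absent from options.h — a stale file still spelling `ENABLE_SVR_PUBKEY_AUTH`, say — preprocesses as 0, so `DROPBEAR_SIGNKEY_VERIFY` and `DROPBEAR_KEY_LINES` quietly evaluate to 0 and pubkey verification is presumably compiled out with no diagnostic, whereas a bare `#define X` with no value at least fails to preprocess at `#if ()`. This file is the natural place to fail loudly instead: `#if !defined(DROPBEAR_SVR_PUBKEY_AUTH) || !defined(DROPBEAR_SVR_PASSWORD_AUTH)` / `#error "Dropbear options must be defined to 0 or 1"` / `#endif`, with `-Wundef` in the build catching the remaining names. Separately, `DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"` at new line 78 is added without a comment; its consumer is outside this hunk, but if it is what the name suggests, a note such as `/* Password supplied via the environment: readable by other processes of the same user and inherited by children - convenience only */` belongs next to it.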