comparison sysoptions.h @ 1342:8747c2b19152

merge 2017.75
author Matt Johnston <matt@ucc.asn.au>
date Thu, 18 May 2017 22:59:38 +0800
parents cfd2abbf9cf4 2c9dac2d6707
children 9236e7120c3e 8b74d5f876a7
1341:ab35a9ccc2eb 1342:8747c2b19152
21 /* Close connections to clients which haven't authorised after AUTH_TIMEOUT */ 21 /* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
22 #ifndef AUTH_TIMEOUT 22 #ifndef AUTH_TIMEOUT
23 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */ 23 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
24 #endif 24 #endif
25 25
26 #define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
27
26 /* A client should try and send an initial key exchange packet guessing 28 /* A client should try and send an initial key exchange packet guessing
27 * the algorithm that will match - saves a round trip connecting, has little 29 * the algorithm that will match - saves a round trip connecting, has little
28 * overhead if the guess was "wrong". */ 30 * overhead if the guess was "wrong". */
29 #define USE_KEX_FIRST_FOLLOWS 31 #ifndef DROPBEAR_KEX_FIRST_FOLLOWS
32 #define DROPBEAR_KEX_FIRST_FOLLOWS 1
33 #endif
30 /* Use protocol extension to allow "first follows" to succeed more frequently. 34 /* Use protocol extension to allow "first follows" to succeed more frequently.
31 * This is currently Dropbear-specific but will gracefully fallback when connecting 35 * This is currently Dropbear-specific but will gracefully fallback when connecting
32 * to other implementations. */ 36 * to other implementations. */
33 #define USE_KEXGUESS2 37 #ifndef DROPBEAR_KEXGUESS2
38 #define DROPBEAR_KEXGUESS2 1
39 #endif
34 40
35 /* Minimum key sizes for DSS and RSA */ 41 /* Minimum key sizes for DSS and RSA */
36 #ifndef MIN_DSS_KEYLEN 42 #ifndef MIN_DSS_KEYLEN
37 #define MIN_DSS_KEYLEN 512 43 #define MIN_DSS_KEYLEN 512
38 #endif 44 #endif
66 #define DROPBEAR_ESCAPE_CHAR '~' 72 #define DROPBEAR_ESCAPE_CHAR '~'
67 73
68 /* success/failure defines */ 74 /* success/failure defines */
69 #define DROPBEAR_SUCCESS 0 75 #define DROPBEAR_SUCCESS 0
70 #define DROPBEAR_FAILURE -1 76 #define DROPBEAR_FAILURE -1
77
78 #define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
71 79
72 /* Required for pubkey auth */ 80 /* Required for pubkey auth */
73 #if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT) 81 #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
74 #define DROPBEAR_SIGNKEY_VERIFY
75 #endif
76 82
77 #define SHA1_HASH_SIZE 20 83 #define SHA1_HASH_SIZE 20
78 #define MD5_HASH_SIZE 16 84 #define MD5_HASH_SIZE 16
79 #define MAX_HASH_SIZE 64 /* sha512 */ 85 #define MAX_HASH_SIZE 64 /* sha512 */
80 86
81 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */ 87 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
82 #define MAX_IV_LEN 20 /* must be same as max blocksize, */ 88 #define MAX_IV_LEN 20 /* must be same as max blocksize, */
83 89
84 #if defined(DROPBEAR_SHA2_512_HMAC) 90 #if DROPBEAR_SHA2_512_HMAC
85 #define MAX_MAC_LEN 64 91 #define MAX_MAC_LEN 64
86 #elif defined(DROPBEAR_SHA2_256_HMAC) 92 #elif DROPBEAR_SHA2_256_HMAC
87 #define MAX_MAC_LEN 32 93 #define MAX_MAC_LEN 32
88 #else 94 #else
89 #define MAX_MAC_LEN 20 95 #define MAX_MAC_LEN 20
90 #endif 96 #endif
91 97
92 #if defined(DROPBEAR_ECDH) || defined (DROPBEAR_ECDSA) 98
93 #define DROPBEAR_ECC 99 #define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA))
100
94 /* Debian doesn't define this in system headers */ 101 /* Debian doesn't define this in system headers */
95 #ifndef LTM_DESC 102 #if !defined(LTM_DESC) && (DROPBEAR_ECC)
96 #define LTM_DESC 103 #define LTM_DESC
97 #endif 104 #endif
98 #endif 105
99 106 #define DROPBEAR_ECC_256 (DROPBEAR_ECC)
100 #ifdef DROPBEAR_ECC 107 #define DROPBEAR_ECC_384 (DROPBEAR_ECC)
101 #define DROPBEAR_ECC_256 108 #define DROPBEAR_ECC_521 (DROPBEAR_ECC)
102 #define DROPBEAR_ECC_384 109
103 #define DROPBEAR_ECC_521 110 #define DROPBEAR_LTC_PRNG (DROPBEAR_ECC)
104 #endif
105
106 #ifdef DROPBEAR_ECC
107 #define DROPBEAR_LTC_PRNG
108 #endif
109 111
110 /* RSA can be vulnerable to timing attacks which use the time required for 112 /* RSA can be vulnerable to timing attacks which use the time required for
111 * signing to guess the private key. Blinding avoids this attack, though makes 113 * signing to guess the private key. Blinding avoids this attack, though makes
112 * signing operations slightly slower. */ 114 * signing operations slightly slower. */
113 #define RSA_BLINDING 115 #define DROPBEAR_RSA_BLINDING 1
114 116
115 /* hashes which will be linked and registered */ 117 /* hashes which will be linked and registered */
116 #if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519) || DROPBEAR_DH_GROUP14 118 #define DROPBEAR_SHA256 ((DROPBEAR_SHA2_256_HMAC) || (DROPBEAR_ECC_256) \
117 #define DROPBEAR_SHA256 119 || (DROPBEAR_CURVE25519) || (DROPBEAR_DH_GROUP14_SHA256))
118 #endif 120 #define DROPBEAR_SHA384 (DROPBEAR_ECC_384)
119 #if defined(DROPBEAR_ECC_384)
120 #define DROPBEAR_SHA384
121 #endif
122 /* LTC SHA384 depends on SHA512 */ 121 /* LTC SHA384 depends on SHA512 */
123 #if defined(DROPBEAR_SHA2_512_HMAC) || defined(DROPBEAR_ECC_521) || defined(DROPBEAR_ECC_384) || DROPBEAR_DH_GROUP16 122 #define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \
124 #define DROPBEAR_SHA512 123 || (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16))
125 #endif 124 #define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC)
126 #if defined(DROPBEAR_MD5_HMAC) 125
127 #define DROPBEAR_MD5 126 #define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1))
128 #endif 127
129 128 #define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) || (DROPBEAR_DH_GROUP14) || (DROPBEAR_DH_GROUP16))
130 /* These are disabled in Dropbear 2016.73 by default since the spec
131 draft-ietf-curdle-ssh-kex-sha2-02 is under development. */
132 #define DROPBEAR_DH_GROUP14_256 0
133 #define DROPBEAR_DH_GROUP16 0
134 129
135 /* roughly 2x 521 bits */ 130 /* roughly 2x 521 bits */
136 #define MAX_ECC_SIZE 140 131 #define MAX_ECC_SIZE 140
137 132
138 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't 133 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
180 #define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll 175 #define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll
181 accept for keyb-interactive 176 accept for keyb-interactive
182 auth */ 177 auth */
183 178
184 179
185 #if defined(DROPBEAR_AES256) || defined(DROPBEAR_AES128) 180 #define DROPBEAR_AES ((DROPBEAR_AES256) || (DROPBEAR_AES128))
186 #define DROPBEAR_AES 181
187 #endif 182 #define DROPBEAR_TWOFISH ((DROPBEAR_TWOFISH256) || (DROPBEAR_TWOFISH128))
188 183
189 #if defined(DROPBEAR_TWOFISH256) || defined(DROPBEAR_TWOFISH128) 184 #define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD))
190 #define DROPBEAR_TWOFISH 185
191 #endif 186 #define DROPBEAR_TCP_ACCEPT ((DROPBEAR_CLI_LOCALTCPFWD) || (DROPBEAR_SVR_REMOTETCPFWD))
192 187
193 #ifndef ENABLE_X11FWD 188 #define DROPBEAR_LISTENERS \
194 #define DISABLE_X11FWD 189 ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD) || \
195 #endif 190 (DROPBEAR_SVR_REMOTETCPFWD) || (DROPBEAR_SVR_LOCALTCPFWD) || \
196 191 (DROPBEAR_SVR_AGENTFWD) || (DROPBEAR_X11FWD))
197 #if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) 192
198 #define ENABLE_CLI_ANYTCPFWD 193 #define DROPBEAR_CLI_MULTIHOP ((DROPBEAR_CLI_NETCAT) && (DROPBEAR_CLI_PROXYCMD))
199 #endif 194
200 195 #define ENABLE_CONNECT_UNIX ((DROPBEAR_CLI_AGENTFWD) || (DROPBEAR_PRNGD_SOCKET))
201 #if defined(ENABLE_CLI_LOCALTCPFWD) || defined(ENABLE_SVR_REMOTETCPFWD) 196
202 #define DROPBEAR_TCP_ACCEPT 197 /* if we're using authorized_keys or known_hosts */
203 #endif 198 #define DROPBEAR_KEY_LINES ((DROPBEAR_CLIENT) || (DROPBEAR_SVR_PUBKEY_AUTH))
204
205 #if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \
206 defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \
207 defined(ENABLE_SVR_AGENTFWD) || defined(ENABLE_X11FWD)
208 #define USING_LISTENERS
209 #endif
210
211 #if defined(ENABLE_CLI_NETCAT) && defined(ENABLE_CLI_PROXYCMD)
212 #define ENABLE_CLI_MULTIHOP
213 #endif
214
215 #if defined(ENABLE_CLI_AGENTFWD) || defined(DROPBEAR_PRNGD_SOCKET)
216 #define ENABLE_CONNECT_UNIX
217 #endif
218
219 #if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
220 #define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
221 #endif
222 199
223 /* Changing this is inadvisable, it appears to have problems 200 /* Changing this is inadvisable, it appears to have problems
224 * with flushing compressed data */ 201 * with flushing compressed data */
225 #define DROPBEAR_ZLIB_MEM_LEVEL 8 202 #define DROPBEAR_ZLIB_MEM_LEVEL 8
226 203
227 #if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH) 204 #if (DROPBEAR_SVR_PASSWORD_AUTH) && (DROPBEAR_SVR_PAM_AUTH)
228 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h" 205 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
229 #endif 206 #endif
230 207
231 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant 208 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
232 * code, if we're just compiling as client or server */ 209 * code, if we're just compiling as client or server */
233 #if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT) 210 #if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT)
234 211
235 #define IS_DROPBEAR_SERVER (ses.isserver == 1) 212 #define IS_DROPBEAR_SERVER (ses.isserver == 1)
236 #define IS_DROPBEAR_CLIENT (ses.isserver == 0) 213 #define IS_DROPBEAR_CLIENT (ses.isserver == 0)
237 214
238 #elif defined(DROPBEAR_SERVER) 215 #elif DROPBEAR_SERVER
239 216
240 #define IS_DROPBEAR_SERVER 1 217 #define IS_DROPBEAR_SERVER 1
241 #define IS_DROPBEAR_CLIENT 0 218 #define IS_DROPBEAR_CLIENT 0
242 219
243 #elif defined(DROPBEAR_CLIENT) 220 #elif DROPBEAR_CLIENT
244 221
245 #define IS_DROPBEAR_SERVER 0 222 #define IS_DROPBEAR_SERVER 0
246 #define IS_DROPBEAR_CLIENT 1 223 #define IS_DROPBEAR_CLIENT 1
247 224
248 #else 225 #else
250 #define IS_DROPBEAR_SERVER 0 227 #define IS_DROPBEAR_SERVER 0
251 #define IS_DROPBEAR_CLIENT 0 228 #define IS_DROPBEAR_CLIENT 0
252 229
253 #endif /* neither DROPBEAR_SERVER nor DROPBEAR_CLIENT */ 230 #endif /* neither DROPBEAR_SERVER nor DROPBEAR_CLIENT */
254 231
255 #ifndef HAVE_FORK 232 #ifdef HAVE_FORK
256 #define USE_VFORK 233 #define DROPBEAR_VFORK 0
257 #endif /* don't HAVE_FORK */ 234 #else
235 #define DROPBEAR_VFORK 1
236 #endif
258 237
259 #if MAX_UNAUTH_CLIENTS > MAX_CHANNELS 238 #if MAX_UNAUTH_CLIENTS > MAX_CHANNELS
260 #define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS 239 #define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS
261 #else 240 #else
262 #define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS 241 #define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
263 #endif 242 #endif
264 243
244 #ifndef DROPBEAR_NONE_CIPHER
245 #define DROPBEAR_NONE_CIPHER 0
246 #endif
247
265 /* free memory before exiting */ 248 /* free memory before exiting */
266 #define DROPBEAR_CLEANUP 249 #define DROPBEAR_CLEANUP 1
267 250
268 /* Use this string since some implementations might special-case it */ 251 /* Use this string since some implementations might special-case it */
269 #define DROPBEAR_KEEPALIVE_STRING "[email protected]" 252 #define DROPBEAR_KEEPALIVE_STRING "[email protected]"
270 253
271 /* Linux will attempt TCP fast open, falling back if not supported by the kernel. 254 /* Linux will attempt TCP fast open, falling back if not supported by the kernel.
272 * Currently server is enabled but client is disabled by default until there 255 * Currently server is enabled but client is disabled by default until there
273 * is further compatibility testing */ 256 * is further compatibility testing */
274 #ifdef __linux__ 257 #ifdef __linux__
275 #define DROPBEAR_SERVER_TCP_FAST_OPEN 258 #define DROPBEAR_SERVER_TCP_FAST_OPEN 1
276 /* #define DROPBEAR_CLIENT_TCP_FAST_OPEN */ 259 #define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
260 #else
261 #define DROPBEAR_SERVER_TCP_FAST_OPEN 0
262 #define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
277 #endif 263 #endif
278 264
279 /* no include guard for this file */ 265 /* no include guard for this file */
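Review bot: Now that every option is tested as a value (`#if DROPBEAR_SHA2_512_HMAC` at new line 90, `#if (DROPBEAR_SVR_PASSWORD_AUTH) && (DROPBEAR_SVR_PAM_AUTH)` at 204, and the `(A) || (B)` composites such as DROPBEAR_SIGNKEY_VERIFY at 81), an option name that is not defined anywhere silently reads as 0, so a missing or mistyped name quietly shrinks MAX_MAC_LEN to 20 or turns DROPBEAR_SIGNKEY_VERIFY and DROPBEAR_KEY_LINES off rather than failing the build. This file only supplies `#ifndef` defaults for DROPBEAR_KEX_FIRST_FOLLOWS, DROPBEAR_KEXGUESS2 and DROPBEAR_NONE_CIPHER; the rest presumably come from a default options header that is not on this page. The value style at least makes this diagnosable, which the old `defined()` style never was, so it is worth adding `-Wundef` (or `-Werror=undef`) to the build flags and recording the convention near the top of the file: `/* Option macros are tested with #if and must be defined to 0 or 1; an undefined name silently evaluates to 0, build with -Wundef to catch this */`. Separately, the new `#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"` at new line 78 has no comment; its consumer is not on this page, but since the name suggests a password read from the environment, a note such as `/* Name of the environment variable a password may be supplied in. Environment contents are inherited by child processes and can be inspected by other processes, so this is a lower-assurance path than interactive entry */` would record the exposure where the name is defined.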