comparison sysoptions.h @ 1546:bb8eaa26bc93 fuzz
merge from main
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Mon, 26 Feb 2018 22:44:48 +0800 |
parents | 6a83b1944432 |
children | 1c66ca4f3791 |
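--- a/sysoptions.h
+++ b/sysoptions.h
@@ -21,11 +21,15 @@
 /* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
 #ifndef AUTH_TIMEOUT
 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
 #endif
 
 #define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
+
+#if !(NON_INETD_MODE || INETD_MODE)
+#error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
+#endif
 
 /* A client should try and send an initial key exchange packet guessing
 * the algorithm that will match - saves a round trip connecting, has little
 * overhead if the guess was "wrong". */
 #ifndef DROPBEAR_KEX_FIRST_FOLLOWS
@@ -75,10 +79,12 @@
 #define DROPBEAR_SUCCESS 0
 #define DROPBEAR_FAILURE -1
 
 #define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
 
+#define DROPBEAR_NGROUP_MAX 1024
+
 /* Required for pubkey auth */
 #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
 
 #define SHA1_HASH_SIZE 20
 #define MD5_HASH_SIZE 16
@@ -91,10 +97,27 @@
 #define MAX_MAC_LEN 64
 #elif DROPBEAR_SHA2_256_HMAC
 #define MAX_MAC_LEN 32
 #else
 #define MAX_MAC_LEN 20
+#endif
+
+/* sha2-512 is not necessary unless unforseen problems arise with sha2-256 */
+#ifndef DROPBEAR_SHA2_512_HMAC
+#define DROPBEAR_SHA2_512_HMAC 0
+#endif
+
+/* might be needed for compatibility with very old implementations */
+#ifndef DROPBEAR_MD5_HMAC
+#define DROPBEAR_MD5_HMAC 0
+#endif
+
+/* Twofish counter mode is disabled by default because it
+has not been tested for interoperability with other SSH implementations.
+If you test it please contact the Dropbear author */
+#ifndef DROPBEAR_TWOFISH_CTR
+#define DROPBEAR_TWOFISH_CTR 0
 #endif
 
 
 #define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA))
 
@@ -203,10 +226,43 @@
 
 #if (DROPBEAR_SVR_PASSWORD_AUTH) && (DROPBEAR_SVR_PAM_AUTH)
 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
 #endif
 
+/* PAM requires ./configure --enable-pam */
+#if !defined(HAVE_LIBPAM) && DROPBEAR_SVR_PAM_AUTH
+#error "DROPBEAR_SVR_PATM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?"
+#endif
+
+#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
+#error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
+#endif
+
+#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
+#error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended."
+#endif
+
+
+#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
+|| DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
+#error "At least one encryption algorithm must be enabled. AES128 is recommended."
+#endif
+
+#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
+#error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
+#endif
+
+/* Source for randomness. This must be able to provide hundreds of bytes per SSH
+* connection without blocking. */
+#ifndef DROPBEAR_URANDOM_DEV
+#define DROPBEAR_URANDOM_DEV "/dev/urandom"
+#endif
+
+/* client keyboard interactive authentication is often used for password auth.
+rfc4256 */
+#define DROPBEAR_CLI_INTERACT_AUTH (DROPBEAR_CLI_PASSWORD_AUTH)
+
 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
 * code, if we're just compiling as client or server */
 #if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT)
 
 #define IS_DROPBEAR_SERVER (ses.isserver == 1)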
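Review bot: The new PAM guard's `#error` text names `DROPBEAR_SVR_PATM_AUTH`, which matches no macro in the visible lines, so a builder who hits the error and searches for that name will find nothing; it should read `#error "DROPBEAR_SVR_PAM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?"`. In the same hunk, the cipher and hostkey guards only assert that something is enabled, so a build offering only `DROPBEAR_3DES`/`DROPBEAR_BLOWFISH`, or only `DROPBEAR_DSS`, still compiles cleanly. A comment above them such as `/* Build sanity only: these checks do not enforce algorithm strength; legacy ciphers or DSS alone still pass. */` would keep readers from treating them as a security policy. Separately, `DROPBEAR_NGROUP_MAX 1024` is added without a comment saying what it bounds, which a reviewer sizing the related buffer would want stated.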