comparison default_options.h @ 1714:c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 11 Jun 2020 00:09:15 +0800 |
parents | c2c0f43ff827 |
children | d529a52b2f7c 42745af83b7d |
1713:c2c0f43ff827 | 1714:c0f12eaf95c9 |
---|---|
46 * slower, perhaps by 50%. Recommended for small systems that aren't doing | 46 * slower, perhaps by 50%. Recommended for small systems that aren't doing |
47 * much traffic. */ | 47 * much traffic. */ |
48 #define DROPBEAR_SMALL_CODE 1 | 48 #define DROPBEAR_SMALL_CODE 1 |
49 | 49 |
50 /* Enable X11 Forwarding - server only */ | 50 /* Enable X11 Forwarding - server only */ |
51 #define DROPBEAR_X11FWD 1 | 51 #define DROPBEAR_X11FWD 0 |
52 | 52 |
53 /* Enable TCP Fowarding */ | 53 /* Enable TCP Fowarding */ |
54 /* 'Local' is "-L" style (client listening port forwarded via server) | 54 /* 'Local' is "-L" style (client listening port forwarded via server) |
55 * 'Remote' is "-R" style (server listening port forwarded via client) */ | 55 * 'Remote' is "-R" style (server listening port forwarded via client) */ |
56 #define DROPBEAR_CLI_LOCALTCPFWD 1 | 56 #define DROPBEAR_CLI_LOCALTCPFWD 1 |
81 * AES128 should be enabled, some very old implementations might only | 81 * AES128 should be enabled, some very old implementations might only |
82 * support 3DES. | 82 * support 3DES. |
83 * Including both AES keysize variants (128 and 256) will result in | 83 * Including both AES keysize variants (128 and 256) will result in |
84 * a minimal size increase */ | 84 * a minimal size increase */ |
85 #define DROPBEAR_AES128 1 | 85 #define DROPBEAR_AES128 1 |
86 #define DROPBEAR_3DES 1 | |
87 #define DROPBEAR_AES256 1 | 86 #define DROPBEAR_AES256 1 |
87 #define DROPBEAR_3DES 0 | |
88 #define DROPBEAR_TWOFISH256 0 | 88 #define DROPBEAR_TWOFISH256 0 |
89 #define DROPBEAR_TWOFISH128 0 | 89 #define DROPBEAR_TWOFISH128 0 |
90 | 90 |
91 /* Enable Chacha20-Poly1305 authenticated encryption mode. This is | |
92 * generally faster than AES256 on CPU w/o dedicated AES instructions, | |
93 * having the same key size. Recommended. | |
94 * Compiling in will add ~5,5kB to binary size on x86-64 */ | |
95 #define DROPBEAR_CHACHA20POLY1305 1 | |
96 | |
97 /* Enable "Counter Mode" for ciphers. Recommended. */ | |
98 #define DROPBEAR_ENABLE_CTR_MODE 1 | |
99 | |
91 /* Enable CBC mode for ciphers. This has security issues though | 100 /* Enable CBC mode for ciphers. This has security issues though |
92 * is the most compatible with older SSH implementations */ | 101 may be required for compatibility with old implementations */ |
93 #define DROPBEAR_ENABLE_CBC_MODE 1 | 102 #define DROPBEAR_ENABLE_CBC_MODE 0 |
94 | |
95 /* Enable "Counter Mode" for ciphers. This is more secure than | |
96 * CBC mode against certain attacks. It is recommended for security | |
97 * and forwards compatibility */ | |
98 #define DROPBEAR_ENABLE_CTR_MODE 1 | |
99 | 103 |
100 /* Enable "Galois/Counter Mode" for ciphers. This authenticated | 104 /* Enable "Galois/Counter Mode" for ciphers. This authenticated |
101 * encryption mode is combination of CTR mode and GHASH. Recommended | 105 * encryption mode is combination of CTR mode and GHASH. Recommended |
102 * for security and forwards compatibility, but slower than CTR on | 106 * for security and forwards compatibility, but slower than CTR on |
103 * CPU w/o dedicated AES/GHASH instructions. | 107 * CPU w/o dedicated AES/GHASH instructions. |
104 * Compiling in will add ~6kB to binary size on x86-64 */ | 108 * Compiling in will add ~6kB to binary size on x86-64 */ |
105 #define DROPBEAR_ENABLE_GCM_MODE 0 | 109 #define DROPBEAR_ENABLE_GCM_MODE 0 |
106 | 110 |
107 /* Enable Chacha20-Poly1305 authenticated encryption mode. This is | |
108 * generally faster than AES256 on CPU w/o dedicated AES instructions, | |
109 * having the same key size. | |
110 * Compiling in will add ~5,5kB to binary size on x86-64 */ | |
111 #define DROPBEAR_CHACHA20POLY1305 1 | |
112 | |
113 /* Message integrity. sha2-256 is recommended as a default, | 111 /* Message integrity. sha2-256 is recommended as a default, |
114 sha1 for compatibility */ | 112 sha1 for compatibility */ |
115 #define DROPBEAR_SHA1_HMAC 1 | 113 #define DROPBEAR_SHA1_HMAC 1 |
116 #define DROPBEAR_SHA1_96_HMAC 1 | |
117 #define DROPBEAR_SHA2_256_HMAC 1 | 114 #define DROPBEAR_SHA2_256_HMAC 1 |
115 #define DROPBEAR_SHA1_96_HMAC 0 | |
118 | 116 |
119 /* Hostkey/public key algorithms - at least one required, these are used | 117 /* Hostkey/public key algorithms - at least one required, these are used |
120 * for hostkey as well as for verifying signatures with pubkey auth. | 118 * for hostkey as well as for verifying signatures with pubkey auth. |
121 * Removing either of these won't save very much space. | 119 * Removing either of these won't save very much space. |
122 * RSA is recommended | 120 * RSA is recommended |