comparison sysoptions.h @ 1733:d529a52b2f7c coverity coverity
merge coverity from main
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Fri, 26 Jun 2020 21:07:34 +0800 |
parents | 25b0ce1936c4 |
children | 73646de50f13 |
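--- a/sysoptions.h
+++ b/sysoptions.h
@@ -2,11 +2,11 @@
 * You shouldn't edit this file unless you know you need to.
 * This file is only included from options.h
 *******************************************************************/
 
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2018.76"
+#define DROPBEAR_VERSION "2020.79"
 #endif
 
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
 #define PROGNAME "dropbear"
 
@@ -90,11 +90,15 @@
 
 #define SHA1_HASH_SIZE 20
 #define MD5_HASH_SIZE 16
 #define MAX_HASH_SIZE 64 /* sha512 */
 
+#if DROPBEAR_CHACHA20POLY1305
+#define MAX_KEY_LEN 64 /* 2 x 256 bits for chacha20 */
+#else
 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
+#endif
 #define MAX_IV_LEN 20 /* must be same as max blocksize, */
 
 #if DROPBEAR_SHA2_512_HMAC
 #define MAX_MAC_LEN 64
 #elif DROPBEAR_SHA2_256_HMAC
@@ -137,22 +141,35 @@
 /* RSA can be vulnerable to timing attacks which use the time required for
 * signing to guess the private key. Blinding avoids this attack, though makes
 * signing operations slightly slower. */
 #define DROPBEAR_RSA_BLINDING 1
 
+#ifndef DROPBEAR_RSA_SHA1
+#define DROPBEAR_RSA_SHA1 DROPBEAR_RSA
+#endif
+#ifndef DROPBEAR_RSA_SHA256
+#define DROPBEAR_RSA_SHA256 DROPBEAR_RSA
+#endif
+
 /* hashes which will be linked and registered */
 #define DROPBEAR_SHA256 ((DROPBEAR_SHA2_256_HMAC) || (DROPBEAR_ECC_256) \
-|| (DROPBEAR_CURVE25519) || (DROPBEAR_DH_GROUP14_SHA256))
+|| (DROPBEAR_CURVE25519) || (DROPBEAR_DH_GROUP14_SHA256) \
+|| (DROPBEAR_RSA_SHA256))
 #define DROPBEAR_SHA384 (DROPBEAR_ECC_384)
 /* LTC SHA384 depends on SHA512 */
 #define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \
-|| (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16))
+|| (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16) \
+|| (DROPBEAR_ED25519))
 #define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC)
 
 #define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1))
 
 #define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) || (DROPBEAR_DH_GROUP14) || (DROPBEAR_DH_GROUP16))
+
+/* Dropbear only uses server-sig-algs, only needed if we have rsa-sha256 pubkey auth */
+#define DROPBEAR_EXT_INFO ((DROPBEAR_RSA_SHA256) \
+&& ((DROPBEAR_CLI_PUBKEY_AUTH) || (DROPBEAR_SVR_PUBKEY_AUTH)))
 
 /* roughly 2x 521 bits */
 #define MAX_ECC_SIZE 140
 
 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
@@ -184,11 +201,11 @@
 /* For a 4096 bit DSS key, empirically determined */
 #define MAX_PUBKEY_SIZE 1700
 /* For a 4096 bit DSS key, empirically determined */
 #define MAX_PRIVKEY_SIZE 1700
 
-#define MAX_HOSTKEYS 3
+#define MAX_HOSTKEYS 4
 
 /* The maximum size of the bignum portion of the kexhash buffer */
 /* Sect. 8 of the transport rfc 4253, K_S + e + f + K */
 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
 
@@ -203,10 +220,12 @@
 
 
 #define DROPBEAR_AES ((DROPBEAR_AES256) || (DROPBEAR_AES128))
 
 #define DROPBEAR_TWOFISH ((DROPBEAR_TWOFISH256) || (DROPBEAR_TWOFISH128))
+
+#define DROPBEAR_AEAD_MODE ((DROPBEAR_CHACHA20POLY1305) || (DROPBEAR_ENABLE_GCM_MODE))
 
 #define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD))
 
 #define DROPBEAR_TCP_ACCEPT ((DROPBEAR_CLI_LOCALTCPFWD) || (DROPBEAR_SVR_REMOTETCPFWD))
 
@@ -241,17 +260,20 @@
 
 #if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
 #error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended."
 #endif
 
+#if (DROPBEAR_PLUGIN && !DROPBEAR_SVR_PUBKEY_AUTH)
+#error "You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins"
+#endif
 
 #if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
-|| DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
+|| DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128 || DROPBEAR_CHACHA20POLY1305)
 #error "At least one encryption algorithm must be enabled. AES128 is recommended."
 #endif
 
-#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
+#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA || DROPBEAR_ED25519)
 #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
 #endif
 
 /* Source for randomness. This must be able to provide hundreds of bytes per SSH
 * connection without blocking. */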
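Review bot: The new `#ifndef DROPBEAR_RSA_SHA1` / `#ifndef DROPBEAR_RSA_SHA256` defaults can each be overridden, but the hostkey guard `#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA || DROPBEAR_ED25519)` still tests only `DROPBEAR_RSA`. A build that sets both to 0 with RSA as its only key type would therefore pass every `#error` check here with no RSA signature algorithm enabled. Whether another file rejects that combination is not visible in this comparison. A guard beside the existing ones would make it explicit: `#if DROPBEAR_RSA && !(DROPBEAR_RSA_SHA1 || DROPBEAR_RSA_SHA256)`, then `#error "DROPBEAR_RSA requires DROPBEAR_RSA_SHA1 or DROPBEAR_RSA_SHA256"`, then `#endif`. The two defaults also lack a comment: something like `/* RSA signature hashes follow DROPBEAR_RSA unless overridden; DROPBEAR_RSA_SHA1 presumably keeps SHA-1 based RSA signatures enabled */` would tell builders that SHA-1 stays on by default.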