Mercurial > dropbear

comparison sysoptions.h @ 1733:d529a52b2f7c coverity coverity

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
merge coverity from main
author Matt Johnston <matt@ucc.asn.au>
date Fri, 26 Jun 2020 21:07:34 +0800
parents 25b0ce1936c4
children 73646de50f13
comparison
equal deleted inserted replaced
1643:b59623a64678 1733:d529a52b2f7c
2 * You shouldn't edit this file unless you know you need to. 2 * You shouldn't edit this file unless you know you need to.
3 * This file is only included from options.h 3 * This file is only included from options.h
4 *******************************************************************/ 4 *******************************************************************/
5 5
6 #ifndef DROPBEAR_VERSION 6 #ifndef DROPBEAR_VERSION
7 #define DROPBEAR_VERSION "2018.76" 7 #define DROPBEAR_VERSION "2020.79"
8 #endif 8 #endif
9 9
10 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION 10 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
11 #define PROGNAME "dropbear" 11 #define PROGNAME "dropbear"
12 12
90 90
91 #define SHA1_HASH_SIZE 20 91 #define SHA1_HASH_SIZE 20
92 #define MD5_HASH_SIZE 16 92 #define MD5_HASH_SIZE 16
93 #define MAX_HASH_SIZE 64 /* sha512 */ 93 #define MAX_HASH_SIZE 64 /* sha512 */
94 94
95 #if DROPBEAR_CHACHA20POLY1305
96 #define MAX_KEY_LEN 64 /* 2 x 256 bits for chacha20 */
97 #else
95 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */ 98 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
99 #endif
96 #define MAX_IV_LEN 20 /* must be same as max blocksize, */ 100 #define MAX_IV_LEN 20 /* must be same as max blocksize, */
97 101
98 #if DROPBEAR_SHA2_512_HMAC 102 #if DROPBEAR_SHA2_512_HMAC
99 #define MAX_MAC_LEN 64 103 #define MAX_MAC_LEN 64
100 #elif DROPBEAR_SHA2_256_HMAC 104 #elif DROPBEAR_SHA2_256_HMAC
137 /* RSA can be vulnerable to timing attacks which use the time required for 141 /* RSA can be vulnerable to timing attacks which use the time required for
138 * signing to guess the private key. Blinding avoids this attack, though makes 142 * signing to guess the private key. Blinding avoids this attack, though makes
139 * signing operations slightly slower. */ 143 * signing operations slightly slower. */
140 #define DROPBEAR_RSA_BLINDING 1 144 #define DROPBEAR_RSA_BLINDING 1
141 145
146 #ifndef DROPBEAR_RSA_SHA1
147 #define DROPBEAR_RSA_SHA1 DROPBEAR_RSA
148 #endif
149 #ifndef DROPBEAR_RSA_SHA256
150 #define DROPBEAR_RSA_SHA256 DROPBEAR_RSA
151 #endif
152
142 /* hashes which will be linked and registered */ 153 /* hashes which will be linked and registered */
143 #define DROPBEAR_SHA256 ((DROPBEAR_SHA2_256_HMAC) || (DROPBEAR_ECC_256) \ 154 #define DROPBEAR_SHA256 ((DROPBEAR_SHA2_256_HMAC) || (DROPBEAR_ECC_256) \
144 || (DROPBEAR_CURVE25519) || (DROPBEAR_DH_GROUP14_SHA256)) 155 || (DROPBEAR_CURVE25519) || (DROPBEAR_DH_GROUP14_SHA256) \
156 || (DROPBEAR_RSA_SHA256))
145 #define DROPBEAR_SHA384 (DROPBEAR_ECC_384) 157 #define DROPBEAR_SHA384 (DROPBEAR_ECC_384)
146 /* LTC SHA384 depends on SHA512 */ 158 /* LTC SHA384 depends on SHA512 */
147 #define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \ 159 #define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \
148 || (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16)) 160 || (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16) \
161 || (DROPBEAR_ED25519))
149 #define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC) 162 #define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC)
150 163
151 #define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1)) 164 #define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1))
152 165
153 #define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) || (DROPBEAR_DH_GROUP14) || (DROPBEAR_DH_GROUP16)) 166 #define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) || (DROPBEAR_DH_GROUP14) || (DROPBEAR_DH_GROUP16))
167
168 /* Dropbear only uses server-sig-algs, only needed if we have rsa-sha256 pubkey auth */
169 #define DROPBEAR_EXT_INFO ((DROPBEAR_RSA_SHA256) \
170 && ((DROPBEAR_CLI_PUBKEY_AUTH) || (DROPBEAR_SVR_PUBKEY_AUTH)))
154 171
155 /* roughly 2x 521 bits */ 172 /* roughly 2x 521 bits */
156 #define MAX_ECC_SIZE 140 173 #define MAX_ECC_SIZE 140
157 174
158 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't 175 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
184 /* For a 4096 bit DSS key, empirically determined */ 201 /* For a 4096 bit DSS key, empirically determined */
185 #define MAX_PUBKEY_SIZE 1700 202 #define MAX_PUBKEY_SIZE 1700
186 /* For a 4096 bit DSS key, empirically determined */ 203 /* For a 4096 bit DSS key, empirically determined */
187 #define MAX_PRIVKEY_SIZE 1700 204 #define MAX_PRIVKEY_SIZE 1700
188 205
189 #define MAX_HOSTKEYS 3 206 #define MAX_HOSTKEYS 4
190 207
191 /* The maximum size of the bignum portion of the kexhash buffer */ 208 /* The maximum size of the bignum portion of the kexhash buffer */
192 /* Sect. 8 of the transport rfc 4253, K_S + e + f + K */ 209 /* Sect. 8 of the transport rfc 4253, K_S + e + f + K */
193 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130) 210 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
194 211
203 220
204 221
205 #define DROPBEAR_AES ((DROPBEAR_AES256) || (DROPBEAR_AES128)) 222 #define DROPBEAR_AES ((DROPBEAR_AES256) || (DROPBEAR_AES128))
206 223
207 #define DROPBEAR_TWOFISH ((DROPBEAR_TWOFISH256) || (DROPBEAR_TWOFISH128)) 224 #define DROPBEAR_TWOFISH ((DROPBEAR_TWOFISH256) || (DROPBEAR_TWOFISH128))
225
226 #define DROPBEAR_AEAD_MODE ((DROPBEAR_CHACHA20POLY1305) || (DROPBEAR_ENABLE_GCM_MODE))
208 227
209 #define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD)) 228 #define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD))
210 229
211 #define DROPBEAR_TCP_ACCEPT ((DROPBEAR_CLI_LOCALTCPFWD) || (DROPBEAR_SVR_REMOTETCPFWD)) 230 #define DROPBEAR_TCP_ACCEPT ((DROPBEAR_CLI_LOCALTCPFWD) || (DROPBEAR_SVR_REMOTETCPFWD))
212 231
241 260
242 #if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH) 261 #if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
243 #error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended." 262 #error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended."
244 #endif 263 #endif
245 264
265 #if (DROPBEAR_PLUGIN && !DROPBEAR_SVR_PUBKEY_AUTH)
266 #error "You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins"
267 #endif
246 268
247 #if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \ 269 #if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
248 || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128) 270 || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128 || DROPBEAR_CHACHA20POLY1305)
249 #error "At least one encryption algorithm must be enabled. AES128 is recommended." 271 #error "At least one encryption algorithm must be enabled. AES128 is recommended."
250 #endif 272 #endif
251 273
252 #if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA) 274 #if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA || DROPBEAR_ED25519)
253 #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended." 275 #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
254 #endif 276 #endif
255 277
256 /* Source for randomness. This must be able to provide hundreds of bytes per SSH 278 /* Source for randomness. This must be able to provide hundreds of bytes per SSH
257 * connection without blocking. */ 279 * connection without blocking. */