comparison default_options.h @ 1733:d529a52b2f7c coverity coverity
merge coverity from main
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Fri, 26 Jun 2020 21:07:34 +0800 |
parents | a2bbc22ea1e6 c0f12eaf95c9 |
children |
1643:b59623a64678 | 1733:d529a52b2f7c |
---|---|
20 | 20 |
21 /* Default hostkey paths - these can be specified on the command line */ | 21 /* Default hostkey paths - these can be specified on the command line */ |
22 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" | 22 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" |
23 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" | 23 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" |
24 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" | 24 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" |
25 #define ED25519_PRIV_FILENAME "/etc/dropbear/dropbear_ed25519_host_key" | |
25 | 26 |
26 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens | 27 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens |
27 * on chosen ports and keeps accepting connections. This is the default. | 28 * on chosen ports and keeps accepting connections. This is the default. |
28 * | 29 * |
29 * Set INETD_MODE if you want to be able to run Dropbear with inetd (or | 30 * Set INETD_MODE if you want to be able to run Dropbear with inetd (or |
45 * slower, perhaps by 50%. Recommended for small systems that aren't doing | 46 * slower, perhaps by 50%. Recommended for small systems that aren't doing |
46 * much traffic. */ | 47 * much traffic. */ |
47 #define DROPBEAR_SMALL_CODE 1 | 48 #define DROPBEAR_SMALL_CODE 1 |
48 | 49 |
49 /* Enable X11 Forwarding - server only */ | 50 /* Enable X11 Forwarding - server only */ |
50 #define DROPBEAR_X11FWD 1 | 51 #define DROPBEAR_X11FWD 0 |
51 | 52 |
52 /* Enable TCP Fowarding */ | 53 /* Enable TCP Fowarding */ |
53 /* 'Local' is "-L" style (client listening port forwarded via server) | 54 /* 'Local' is "-L" style (client listening port forwarded via server) |
54 * 'Remote' is "-R" style (server listening port forwarded via client) */ | 55 * 'Remote' is "-R" style (server listening port forwarded via client) */ |
55 #define DROPBEAR_CLI_LOCALTCPFWD 1 | 56 #define DROPBEAR_CLI_LOCALTCPFWD 1 |
80 * AES128 should be enabled, some very old implementations might only | 81 * AES128 should be enabled, some very old implementations might only |
81 * support 3DES. | 82 * support 3DES. |
82 * Including both AES keysize variants (128 and 256) will result in | 83 * Including both AES keysize variants (128 and 256) will result in |
83 * a minimal size increase */ | 84 * a minimal size increase */ |
84 #define DROPBEAR_AES128 1 | 85 #define DROPBEAR_AES128 1 |
85 #define DROPBEAR_3DES 1 | |
86 #define DROPBEAR_AES256 1 | 86 #define DROPBEAR_AES256 1 |
87 #define DROPBEAR_3DES 0 | |
87 #define DROPBEAR_TWOFISH256 0 | 88 #define DROPBEAR_TWOFISH256 0 |
88 #define DROPBEAR_TWOFISH128 0 | 89 #define DROPBEAR_TWOFISH128 0 |
89 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ | 90 |
90 #define DROPBEAR_BLOWFISH 0 | 91 /* Enable Chacha20-Poly1305 authenticated encryption mode. This is |
92 * generally faster than AES256 on CPU w/o dedicated AES instructions, | |
93 * having the same key size. Recommended. | |
94 * Compiling in will add ~5,5kB to binary size on x86-64 */ | |
95 #define DROPBEAR_CHACHA20POLY1305 1 | |
96 | |
97 /* Enable "Counter Mode" for ciphers. Recommended. */ | |
98 #define DROPBEAR_ENABLE_CTR_MODE 1 | |
91 | 99 |
92 /* Enable CBC mode for ciphers. This has security issues though | 100 /* Enable CBC mode for ciphers. This has security issues though |
93 * is the most compatible with older SSH implementations */ | 101 may be required for compatibility with old implementations */ |
94 #define DROPBEAR_ENABLE_CBC_MODE 1 | 102 #define DROPBEAR_ENABLE_CBC_MODE 0 |
95 | 103 |
96 /* Enable "Counter Mode" for ciphers. This is more secure than | 104 /* Enable "Galois/Counter Mode" for ciphers. This authenticated |
97 * CBC mode against certain attacks. It is recommended for security | 105 * encryption mode is combination of CTR mode and GHASH. Recommended |
98 * and forwards compatibility */ | 106 * for security and forwards compatibility, but slower than CTR on |
99 #define DROPBEAR_ENABLE_CTR_MODE 1 | 107 * CPU w/o dedicated AES/GHASH instructions. |
108 * Compiling in will add ~6kB to binary size on x86-64 */ | |
109 #define DROPBEAR_ENABLE_GCM_MODE 0 | |
100 | 110 |
101 /* Message integrity. sha2-256 is recommended as a default, | 111 /* Message integrity. sha2-256 is recommended as a default, |
102 sha1 for compatibility */ | 112 sha1 for compatibility */ |
103 #define DROPBEAR_SHA1_HMAC 1 | 113 #define DROPBEAR_SHA1_HMAC 1 |
104 #define DROPBEAR_SHA1_96_HMAC 1 | |
105 #define DROPBEAR_SHA2_256_HMAC 1 | 114 #define DROPBEAR_SHA2_256_HMAC 1 |
115 #define DROPBEAR_SHA1_96_HMAC 0 | |
106 | 116 |
107 /* Hostkey/public key algorithms - at least one required, these are used | 117 /* Hostkey/public key algorithms - at least one required, these are used |
108 * for hostkey as well as for verifying signatures with pubkey auth. | 118 * for hostkey as well as for verifying signatures with pubkey auth. |
109 * Removing either of these won't save very much space. | 119 * Removing either of these won't save very much space. |
110 * RSA is recommended | 120 * RSA is recommended |
114 #define DROPBEAR_DSS 1 | 124 #define DROPBEAR_DSS 1 |
115 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC | 125 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC |
116 * code (either ECDSA or ECDH) increases binary size - around 30kB | 126 * code (either ECDSA or ECDH) increases binary size - around 30kB |
117 * on x86-64 */ | 127 * on x86-64 */ |
118 #define DROPBEAR_ECDSA 1 | 128 #define DROPBEAR_ECDSA 1 |
129 /* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases | |
130 binary size - around 7,5kB on x86-64 */ | |
131 #define DROPBEAR_ED25519 1 | |
119 | 132 |
120 /* RSA must be >=1024 */ | 133 /* RSA must be >=1024 */ |
121 #define DROPBEAR_DEFAULT_RSA_SIZE 2048 | 134 #define DROPBEAR_DEFAULT_RSA_SIZE 2048 |
122 /* DSS is always 1024 */ | 135 /* DSS is always 1024 */ |
123 /* ECDSA defaults to largest size configured, usually 521 */ | 136 /* ECDSA defaults to largest size configured, usually 521 */ |
137 /* Ed25519 is always 256 */ | |
124 | 138 |
125 /* Add runtime flag "-R" to generate hostkeys as-needed when the first | 139 /* Add runtime flag "-R" to generate hostkeys as-needed when the first |
126 connection using that key type occurs. | 140 connection using that key type occurs. |
127 This avoids the need to otherwise run "dropbearkey" and avoids some problems | 141 This avoids the need to otherwise run "dropbearkey" and avoids some problems |
128 with badly seeded /dev/urandom when systems first boot. */ | 142 with badly seeded /dev/urandom when systems first boot. */ |
141 * group1 is too small for security though is necessary if you need | 155 * group1 is too small for security though is necessary if you need |
142 compatibility with some implementations such as Dropbear versions < 0.53 | 156 compatibility with some implementations such as Dropbear versions < 0.53 |
143 * group14 is supported by most implementations. | 157 * group14 is supported by most implementations. |
144 * group16 provides a greater strength level but is slower and increases binary size | 158 * group16 provides a greater strength level but is slower and increases binary size |
145 * curve25519 and ecdh algorithms are faster than non-elliptic curve methods | 159 * curve25519 and ecdh algorithms are faster than non-elliptic curve methods |
146 * curve25519 increases binary size by ~8kB on x86-64 | 160 * curve25519 increases binary size by ~2,5kB on x86-64 |
147 * including either ECDH or ECDSA increases binary size by ~30kB on x86-64 | 161 * including either ECDH or ECDSA increases binary size by ~30kB on x86-64 |
148 | 162 |
149 * Small systems should generally include either curve25519 or ecdh for performance. | 163 * Small systems should generally include either curve25519 or ecdh for performance. |
150 * curve25519 is less widely supported but is faster | 164 * curve25519 is less widely supported but is faster |
151 */ | 165 */ |
172 | 186 |
173 /* Whether to do reverse DNS lookups. */ | 187 /* Whether to do reverse DNS lookups. */ |
174 #define DO_HOST_LOOKUP 0 | 188 #define DO_HOST_LOOKUP 0 |
175 | 189 |
176 /* Whether to print the message of the day (MOTD). */ | 190 /* Whether to print the message of the day (MOTD). */ |
177 #define DO_MOTD 0 | 191 #define DO_MOTD 1 |
178 #define MOTD_FILENAME "/etc/motd" | 192 #define MOTD_FILENAME "/etc/motd" |
179 | 193 |
180 /* Authentication Types - at least one required. | 194 /* Authentication Types - at least one required. |
181 RFC Draft requires pubkey auth, and recommends password */ | 195 RFC Draft requires pubkey auth, and recommends password */ |
182 #define DROPBEAR_SVR_PASSWORD_AUTH 1 | 196 #define DROPBEAR_SVR_PASSWORD_AUTH 1 |