Mercurial > dropbear

diff default_options.h.in @ 1499:2d450c1056e3

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
options: Complete the transition to numeric toggles (`#if') For the sake of review, this commit alters only the code; the affiliated comments within the source files also need to be updated, but doing so now would obscure the operational changes that have been made here. * All on/off options have been switched to the numeric `#if' variant; that is the only way to make this `default_options.h.in' thing work in a reasonable manner. * There is now some very minor compile-time checking of the user's choice of options. * NO_FAST_EXPTMOD doesn't seem to be used, so it has been removed. * ENABLE_USER_ALGO_LIST was supposed to be renamed DROPBEAR_USER_ALGO_LIST, and this commit completes that work. * DROPBEAR_FUZZ seems to be a relatively new, as-yet undocumented option, which was added by the following commit: commit 6e0b539e9ca0b5628c6c5a3d118ad6a2e79e8039 Author: Matt Johnston <[email protected]> Date: Tue May 23 22:29:21 2017 +0800 split out checkpubkey_line() separately It has now been added to `sysoptions.h' and defined as `0' by default. * The configuration option `DROPBEAR_PASSWORD_ENV' is no longer listed in `default_options.h.in'; it is no longer meant to be set by the user, and is instead left to be defined in `sysoptions.h' (where it was already being defined) as merely the name of the environment variable in question: DROPBEAR_PASSWORD To enable or disable use of that environment variable, the user must now toggle `DROPBEAR_USE_DROPBEAR_PASSWORD'. * The sFTP support is now toggled by setting `DROPBEAR_SFTPSERVER', and the path of the sFTP server program is set independently through the usual SFTPSERVER_PATH.
author Michael Witten <mfwitten@gmail.com>
date Thu, 20 Jul 2017 19:38:26 +0000
parents da095983a60b
children 6c16a05023aa
line wrap: on
line diff
--- a/default_options.h.in	Wed Feb 14 23:09:40 2018 +0800
+++ b/default_options.h.in	Thu Jul 20 19:38:26 2017 +0000
@@ -36,10 +36,9 @@
 #define NON_INETD_MODE 1
 #define INETD_MODE 1
 
-/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
- * perhaps 20% slower for pubkey operations (it is probably worth experimenting
- * if you want to use this) */
-/*#define NO_FAST_EXPTMOD*/
+#if !(NON_INETD_MODE || INETD_MODE)
+	#error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
+#endif
 
 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
 several kB in binary size however will make the symmetrical ciphers and hashes
@@ -77,7 +76,7 @@
 #define DROPBEAR_CLI_NETCAT 1
 
 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
-#define ENABLE_USER_ALGO_LIST 1
+#define DROPBEAR_USER_ALGO_LIST 1
 
 /* Encryption - at least one required.
  * Protocol RFC requires 3DES and recommends AES128 for interoperability.
@@ -86,10 +85,15 @@
 #define DROPBEAR_AES128 1
 #define DROPBEAR_3DES 1
 #define DROPBEAR_AES256 1
-/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
-/*#define DROPBEAR_BLOWFISH*/
 #define DROPBEAR_TWOFISH256 1
 #define DROPBEAR_TWOFISH128 1
+/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+#define DROPBEAR_BLOWFISH 0
+
+#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
+      || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
+	#error "At least one encryption algorithm must be enabled; 3DES and AES128 are recommended."
+#endif
 
 /* Enable CBC mode for ciphers. This has security issues though
  * is the most compatible with older SSH implementations */
@@ -129,6 +133,10 @@
  * on x86-64 */
 #define DROPBEAR_ECDSA 1
 
+#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
+	#error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
+#endif
+
 /* RSA must be >=1024 */
 #define DROPBEAR_DEFAULT_RSA_SIZE 2048
 /* DSS is always 1024 */
@@ -193,15 +201,38 @@
  * PAM challenge/response.
  * You can't enable both PASSWORD and PAM. */
 
+/* PAM requires ./configure --enable-pam */
+#if defined(HAVE_LIBPAM) && !DROPBEAR_SVR_PASSWORD_AUTH
+	#define DROPBEAR_SVR_PAM_AUTH 1
+#else
+	#define DROPBEAR_SVR_PAM_AUTH 0
+#endif
+
 /* This requires crypt() */
-#ifdef HAVE_CRYPT
-#define DROPBEAR_SVR_PASSWORD_AUTH 1
+#if defined(HAVE_CRYPT) && !DROPBEAR_SVR_PAM_AUTH
+	#define DROPBEAR_SVR_PASSWORD_AUTH 1
 #else
-#define DROPBEAR_SVR_PASSWORD_AUTH 0
+	#define DROPBEAR_SVR_PASSWORD_AUTH 0
+#endif
+
+#define DROPBEAR_SVR_PUBKEY_AUTH 1
+
+#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
+	#error "At least one server authentication type must be enabled; PUBKEY and PASSWORD are recommended."
 #endif
-/* PAM requires ./configure --enable-pam */
-#define DROPBEAR_SVR_PAM_AUTH 0
-#define DROPBEAR_SVR_PUBKEY_AUTH 1
+
+#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
+	#error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
+#endif
+
+#if DROPBEAR_SVR_PAM_AUTH
+	#if DISABLE_PAM
+		#error "DROPBEAR_SVR_PAM_AUTH requires 'configure --enable-pam' to succeed."
+	#endif
+	#if DROPBEAR_SVR_PASSWORD_AUTH
+		#error "DROPBEAR_SVR_PASSWORD_AUTH cannot be enabled at the same time as DROPBEAR_SVR_PAM_AUTH."
+	#endif
+#endif
 
 /* Whether to take public key options in 
  * authorized_keys file into account */
@@ -209,11 +240,18 @@
 
 /* This requires getpass. */
 #ifdef HAVE_GETPASS
-#define DROPBEAR_CLI_PASSWORD_AUTH 1
-#define DROPBEAR_CLI_INTERACT_AUTH 1
+	#define DROPBEAR_CLI_PASSWORD_AUTH 1
+	#define DROPBEAR_CLI_INTERACT_AUTH 1
+#else
+	#define DROPBEAR_CLI_PASSWORD_AUTH 0
+	#define DROPBEAR_CLI_INTERACT_AUTH 0
 #endif
 #define DROPBEAR_CLI_PUBKEY_AUTH 1
 
+#if !(DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_PUBKEY_AUTH)
+	#error "At least one client authentication type must be enabled; PUBKEY and PASSWORD are recommended."
+#endif
+
 /* A default argument for dbclient -i <privatekey>. 
 Homedir is prepended unless path begins with / */
 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
@@ -224,7 +262,7 @@
  * note that it will be provided for all "hidden" client-interactive
  * style prompts - if you want something more sophisticated, use 
  * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
+#define DROPBEAR_USE_DROPBEAR_PASSWORD 1
 
 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
  * a helper program for the ssh client. The helper program should be
@@ -233,6 +271,10 @@
  * return the password on standard output */
 #define DROPBEAR_CLI_ASKPASS_HELPER 0
 
+#if DROPBEAR_CLI_ASKPASS_HELPER
+	#define DROPBEAR_CLI_PASSWORD_AUTH 1
+#endif
+
 /* Save a network roundtrip by sendng a real auth request immediately after
  * sending a query for the available methods.  It is at the expense of < 100
  * bytes of extra network traffic. This is not yet enabled by default since it
@@ -245,8 +287,8 @@
 #define DROPBEAR_URANDOM_DEV "/dev/urandom"
 
 /* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
-/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
-
+#define DROPBEAR_USE_PRNGD 0
+#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
 
 /* Specify the number of clients we will allow to be connected but
  * not yet authenticated. After this limit, connections are rejected */
@@ -269,6 +311,8 @@
  * "-q" for quiet */
 #define XAUTH_COMMAND "/usr/bin/xauth -q"
 
+#define DROPBEAR_SFTPSERVER 1
+
 /* if you want to enable running an sftp server (such as the one included with
  * OpenSSH), set the path below. If the path isn't defined, sftp will not
  * be enabled */