diff sysoptions.h @ 1546:bb8eaa26bc93 fuzz

merge from main
author Matt Johnston <matt@ucc.asn.au>
date Mon, 26 Feb 2018 22:44:48 +0800
parents 6a83b1944432
children 1c66ca4f3791
--- a/sysoptions.h	Wed Feb 21 21:59:52 2018 +0800
+++ b/sysoptions.h	Mon Feb 26 22:44:48 2018 +0800
@@ -23,7 +23,11 @@
 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
 #endif
 
- #define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
+#define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
+
+#if !(NON_INETD_MODE || INETD_MODE)
+	#error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
+#endif
 
 /* A client should try and send an initial key exchange packet guessing
  * the algorithm that will match - saves a round trip connecting, has little
@@ -77,6 +81,8 @@
  
 #define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
 
+#define DROPBEAR_NGROUP_MAX 1024
+
 /* Required for pubkey auth */
 #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
 
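Review bot: `DROPBEAR_NGROUP_MAX` is added without a comment, and nothing in this hunk shows what reads it. Presumably it caps the number of supplementary groups examined for a user; if so, the behaviour for a user in more groups than the cap (truncate or reject) matters for any group-membership decision and should be stated where the limit is defined. I would add something like `/* Upper bound on supplementary groups read per user; document whether excess groups are ignored or treated as an error */` once the consumer's behaviour is confirmed. Unlike the other defaults added in this commit, it is also not wrapped in `#ifndef`, so it cannot be overridden from a local options file; confirm that is intended.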
@@ -95,6 +101,23 @@
 #define MAX_MAC_LEN 20
 #endif
 
+/* sha2-512 is not necessary unless unforseen problems arise with sha2-256 */
+#ifndef DROPBEAR_SHA2_512_HMAC
+#define DROPBEAR_SHA2_512_HMAC 0
+#endif
+
+/* might be needed for compatibility with very old implementations */
+#ifndef DROPBEAR_MD5_HMAC
+#define DROPBEAR_MD5_HMAC 0
+#endif
+
+/* Twofish counter mode is disabled by default because it 
+has not been tested for interoperability with other SSH implementations.
+If you test it please contact the Dropbear author */
+#ifndef DROPBEAR_TWOFISH_CTR
+#define DROPBEAR_TWOFISH_CTR 0
+#endif
+
 
 #define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA))
 
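Review bot: The comment above `DROPBEAR_MD5_HMAC` gives the reason someone might enable it but not the cost, so a reader cannot tell that the option is a legacy MAC kept off deliberately. I would write `/* hmac-md5 is a legacy MAC, off by default; enable only for compatibility with very old implementations */`. In the first added comment, "unforseen" should be "unforeseen". The Twofish comment's continuation lines also drop the leading ` * ` that the other block comments in the visible context use.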
@@ -205,6 +228,39 @@
 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
 #endif
 
+/* PAM requires ./configure --enable-pam */
+#if !defined(HAVE_LIBPAM) && DROPBEAR_SVR_PAM_AUTH
+#error "DROPBEAR_SVR_PATM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?"
+#endif
+
+#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
+	#error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
+#endif
+
+#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
+	#error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended."
+#endif
+
+
+#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
+      || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
+	#error "At least one encryption algorithm must be enabled. AES128 is recommended."
+#endif
+
+#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
+	#error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
+#endif
+
+/* Source for randomness. This must be able to provide hundreds of bytes per SSH
+ * connection without blocking. */
+#ifndef DROPBEAR_URANDOM_DEV
+#define DROPBEAR_URANDOM_DEV "/dev/urandom"
+#endif
+
+/* client keyboard interactive authentication is often used for password auth.
+ rfc4256 */
+#define DROPBEAR_CLI_INTERACT_AUTH (DROPBEAR_CLI_PASSWORD_AUTH)
+
 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
  * code, if we're just compiling as client or server */
 #if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT)
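Review bot: The `#error` text for the PAM check misspells the option as `DROPBEAR_SVR_PATM_AUTH`, so a builder who hits it cannot search for the macro it names. It should read `#error "DROPBEAR_SVR_PAM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?"`. Separately, the `crypt()` check and the "at least one server authentication type" check are not conditioned on `DROPBEAR_SERVER`. They may therefore stop a client-only build where `crypt()` is absent or the server options are switched off; this hunk does not show how the defaults are set, so that needs confirming, and wrapping both checks in `#if DROPBEAR_SERVER` would avoid it.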