Mercurial > dropbear
diff options.h @ 854:ccc76acaf4c7
merge ecc again
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 14 Nov 2013 20:45:46 +0800 |
parents | c1c1b43f78c2 |
children | c19acba28590 |
line wrap: on
line diff
--- a/options.h Fri Nov 01 00:21:59 2013 +0800 +++ b/options.h Thu Nov 14 20:45:46 2013 +0800 @@ -8,7 +8,7 @@ /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ -/* Important: Many options will require "make clean" after changes */ +/* IMPORTANT: Many options will require "make clean" after changes */ #ifndef DROPBEAR_DEFPORT #define DROPBEAR_DEFPORT "22" @@ -129,7 +129,7 @@ /* You can also disable integrity. Don't bother disabling this if you're * still using a cipher, it's relatively cheap. If you disable this it's dead - * simple to run arbitrary commands on the remote host. Beware. */ + * simple for an attacker to run arbitrary commands on the remote host. Beware. */ /* #define DROPBEAR_NONE_INTEGRITY */ /* Hostkey/public key algorithms - at least one required, these are used @@ -138,14 +138,26 @@ * SSH2 RFC Draft requires dss, recommends rsa */ #define DROPBEAR_RSA #define DROPBEAR_DSS - -#define DROPBEAR_ECDH +/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC + * code (either ECDSA or ECDH) increases binary size - around 30kB + * on x86-64 */ #define DROPBEAR_ECDSA -/* RSA can be vulnerable to timing attacks which use the time required for - * signing to guess the private key. Blinding avoids this attack, though makes - * signing operations slightly slower. */ -#define RSA_BLINDING +/* Generate hostkeys as-needed when the first connection using that key type occurs. + This avoids the need to otherwise run "dropbearkey" and avoids some problems + with badly seeded /dev/urandom when systems first boot. + This also requires a runtime flag "-R". This adds ~4kB to binary size (or hardly + anything if dropbearkey is linked in a "dropbearmulti" binary) */ +#define DROPBEAR_DELAY_HOSTKEY + +/* Enable Curve25519 for key exchange. This is another elliptic + * curve method with good security properties. Increases binary size + * by ~8kB on x86-64 */ +#define DROPBEAR_CURVE25519 + +/* Enable elliptic curve Diffie Hellman key exchange, see note about + * ECDSA above */ +#define DROPBEAR_ECDH /* Control the memory/performance/compression tradeoff for zlib. * Set windowBits=8 for least memory usage, see your system's @@ -182,7 +194,7 @@ #define ENABLE_SVR_PASSWORD_AUTH /* PAM requires ./configure --enable-pam */ -//#define ENABLE_SVR_PAM_AUTH +/*#define ENABLE_SVR_PAM_AUTH */ #define ENABLE_SVR_PUBKEY_AUTH /* Whether to take public key options in