changeset 1523:1d163552145f coverity

merge coverity
author Matt Johnston <matt@ucc.asn.au>
date Mon, 19 Feb 2018 23:14:49 +0800
parents eb4c7052f51d (current diff) 47fcbdd12d9b (diff)
children 0b991dec7ab9
files default_options.h default_options.h.in libtommath/makefile.include
diffstat 25 files changed, 241 insertions(+), 755 deletions(-) [+]
line wrap: on
line diff
--- a/CHANGES	Sat Feb 17 11:29:17 2018 +0800
+++ b/CHANGES	Mon Feb 19 23:14:49 2018 +0800
@@ -1,3 +1,76 @@
+Upcoming...
+
+- IMPORTANT:
+  Custom configuration is now specified in local_options.h rather than options.h
+  Available options and defaults can be seen in default_options.h.in
+
+  To migrate your configuration, compare your customised options.h against the
+  upstream options.h from your relevant version. Any customised options should
+  be put in localoptions.h
+
+- "configure --enable-static" should now be used instead of "make STATIC=1"
+
+- Add group14-256 and group16 key exchange options
+
+- Set hardened build flags by default if supported by the compiler.
+  -Wl,-pie
+  -Wl,-z,now -Wl,-z,relro
+  -fstack-protector-strong
+  -D_FORTIFY_SOURCE=2
+  # spectre v2 mitigation
+  -mfunction-return=thunk
+  -mindirect-branch=thunk
+
+  These can be disabled with configure --disable-harden if needed
+  Spectre patch from Loganaden Velvindron
+
+- Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant
+
+- Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket.
+  See dbclient manpage for a socat example. Patch from Harald Becker
+
+- Add "-c forced_command" option. Patch from Jeremy Kerr
+
+- Support server-chosen TCP forwarding ports, patch from houseofkodai
+
+- Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port]
+  Patch from houseofkodai
+
+- Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
+
+- Minimum RSA key length has been increased to 1024 bits
+
+- Set PAM_RHOST which is needed by modules such as pam_abl
+
+- Improvements to DSS public key validation, found by OSS-Fuzz. 
+
+- Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz
+
+- Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz
+
+- Numerous code cleanups and small issues fixed by Francois Perrad
+
+- Test for pkt_sched.h rather than SO_PRIORITY which was problematic with some musl
+  platforms. Reported by Oliver Schneider and Andrew Bainbridge
+
+- Fix some platform portability problems, from Ben Gardner
+
+- Add EXEEXT filename suffix for building dropbearmulti, from William Foster
+
+- Support --enable-<option> properly for configure, from Stefan Hauser
+
+- configure have_openpty result can be cached, from Eric BĂ©nard
+
+- handle platforms that return close() < -1 on failure, from Marco Wenzel
+
+- Build and configuration cleanups from Michael Witten
+
+- Fix libtomcrypt/libtommath linking order, from Andre McCurdy
+
+- Fix old Linux platforms that have SYS_clock_gettime but not CLOCK_MONOTONIC
+
+- Update curve25519-donna implementation to current version
+
 2017.75 - 18 May 2017
 
 - Security: Fix double-free in server TCP listener cleanup
--- a/Makefile.in	Sat Feb 17 11:29:17 2018 +0800
+++ b/Makefile.in	Mon Feb 19 23:14:49 2018 +0800
@@ -23,9 +23,10 @@
 LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM)
 endif
 
+OPTION_HEADERS = default_options_guard.h sysoptions.h
 ifneq ($(wildcard localoptions.h),)
 CFLAGS+=-DLOCALOPTIONS_H_EXISTS
-LOCALOPTIONS_H=localoptions.h
+OPTION_HEADERS += localoptions.h
 endif
 
 COMMONOBJS=dbutil.o buffer.o dbhelpers.o \
@@ -98,7 +99,6 @@
 	CFLAGS+= -DDROPBEAR_CLIENT
 endif
 
-
 # these are exported so that libtomcrypt's makefile will use them
 export CC
 export CFLAGS
@@ -121,9 +121,16 @@
 
 all: $(TARGETS)
 
-# a bit lazy, but safer
-HEADERS=$(wildcard $(srcdir)/*.h *.h)
-*.o: $(HEADERS)
+# for simplicity assume all source depends on all headers
+HEADERS=$(wildcard $(srcdir)/*.h *.h) $(OPTION_HEADERS)
+%.o : %.c $(HEADERS)
+	$(CC) -c $(CFLAGS) $(CPPFLAGS) $< -o [email protected]
+
+default_options_guard.h: default_options.h
+	@echo Creating [email protected]
+	@printf "/*\n > > > Do not edit this file (default_options_guard.h) < < <\nGenerated from "$^"\nLocal customisation goes in localoptions.h\n*/\n\n" > [email protected]
+	@$(srcdir)/ifndef_wrapper.sh < $^ >> [email protected]
+	@mv [email protected] [email protected]
 
 strip: $(TARGETS)
 	$(STRIP) $(addsuffix $(EXEEXT), $(TARGETS))
@@ -197,10 +204,10 @@
 	-rm -f $*$(EXEEXT)
 	-ln -s dropbearmulti$(EXEEXT) $*$(EXEEXT)
 
-$(STATIC_LTC): 
+$(STATIC_LTC): $(OPTION_HEADERS)
 	$(MAKE) -C libtomcrypt
 
-$(STATIC_LTM):
+$(STATIC_LTM): $(OPTION_HEADERS)
 	$(MAKE) -C libtommath
 
 .PHONY : clean sizes thisclean distclean tidy ltc-clean ltm-clean
@@ -224,14 +231,7 @@
 distclean: clean tidy
 	-rm -f config.h
 	-rm -f Makefile
+	-rm -f default_options_guard.h
 
 tidy:
 	-rm -f *~ *.gcov */*~
-
-# default_options.h is stored in version control, could not find a workaround
-# for parallel "make -j" and dependency rules.
-default_options.h: default_options.h.in 
-	@echo Creating [email protected]
-	@echo "/*\n > > > Do not edit this file (default_options.h) < < <\nGenerated from "$^"\nLocal customisation goes in localoptions.h\n*/\n\n" > [email protected]
-	@$(srcdir)/ifndef_wrapper.sh < $^ >> [email protected]
-	@mv [email protected] [email protected]
--- a/cli-auth.c	Sat Feb 17 11:29:17 2018 +0800
+++ b/cli-auth.c	Mon Feb 19 23:14:49 2018 +0800
@@ -60,7 +60,7 @@
 	*/
 	if (ses.keys->trans.algo_comp != DROPBEAR_COMP_ZLIB_DELAY) {
 		ses.authstate.authtypes = AUTH_TYPE_PUBKEY;
-#if DROPBEAR_USE_DROPBEAR_PASSWORD
+#if DROPBEAR_USE_PASSWORD_ENV
 		if (getenv(DROPBEAR_PASSWORD_ENV)) {
 			ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT;
 		}
@@ -337,7 +337,7 @@
 {
 	char* password = NULL;
 	
-#if DROPBEAR_USE_DROPBEAR_PASSWORD
+#if DROPBEAR_USE_PASSWORD_ENV
 	/* Password provided in an environment var */
 	password = getenv(DROPBEAR_PASSWORD_ENV);
 	if (password)
--- a/cli-main.c	Sat Feb 17 11:29:17 2018 +0800
+++ b/cli-main.c	Mon Feb 19 23:14:49 2018 +0800
@@ -158,6 +158,21 @@
 	size_t ex_cmdlen;
 	int ret;
 
+	/* File descriptor "-j &3" */
+	if (*cli_opts.proxycmd == '&') {
+		char *p = cli_opts.proxycmd + 1;
+		int sock = strtoul(p, &p, 10);
+		/* must be a single number, and not stdin/stdout/stderr */
+		if (sock > 2 && sock < 1024 && *p == '\0') {
+			*sock_in = sock;
+			*sock_out = sock;
+			return;
+		}
+	}
+
+	/* Normal proxycommand */
+
+	/* So that spawn_command knows which shell to run */
 	fill_passwd(cli_opts.own_user);
 
 	ex_cmdlen = strlen(cli_opts.proxycmd) + 6; /* "exec " + command + '\0' */
--- a/cli-tcpfwd.c	Sat Feb 17 11:29:17 2018 +0800
+++ b/cli-tcpfwd.c	Mon Feb 19 23:14:49 2018 +0800
@@ -23,7 +23,6 @@
  * SOFTWARE. */
 
 #include "includes.h"
-#include "options.h"
 #include "dbutil.h"
 #include "tcpfwd.h"
 #include "channel.h"
--- a/common-algo.c	Sat Feb 17 11:29:17 2018 +0800
+++ b/common-algo.c	Mon Feb 19 23:14:49 2018 +0800
@@ -289,12 +289,12 @@
 	{"ecdh-sha2-nistp256", 0, &kex_ecdh_nistp256, 1, NULL},
 #endif
 #endif
+#if DROPBEAR_DH_GROUP14_SHA256
+	{"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL},
+#endif
 #if DROPBEAR_DH_GROUP14_SHA1
 	{"diffie-hellman-group14-sha1", 0, &kex_dh_group14_sha1, 1, NULL},
 #endif
-#if DROPBEAR_DH_GROUP14_SHA256
-	{"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL},
-#endif
 #if DROPBEAR_DH_GROUP1
 	{"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL},
 #endif
--- a/dbclient.1	Sat Feb 17 11:29:17 2018 +0800
+++ b/dbclient.1	Mon Feb 19 23:14:49 2018 +0800
@@ -111,11 +111,22 @@
 .B \-I \fIidle_timeout
 Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
 .TP
+
+.\" TODO: how to avoid a line break between these two -J arguments?
 .B \-J \fIproxy_command
+.TP
+.B \-J \fI&fd
+.br
 Use the standard input/output of the program \fIproxy_command\fR rather than using
 a normal TCP connection. A hostname should be still be provided, as this is used for
 comparing saved hostkeys. This command will be executed as "exec proxy_command ..." with the
 default shell.
+
+The second form &fd will make dbclient use the numeric file descriptor as a socket. This
+can be used for more complex tunnelling scenarios. Example usage with socat is
+
+socat EXEC:'dbclient -J &38 ev',fdin=38,fdout=38 TCP4:host.example.com:22
+
 .TP
 .B \-B \fIendhost:endport
 "Netcat-alike" mode, where Dropbear will connect to the given host, then create a
--- a/dbhelpers.h	Sat Feb 17 11:29:17 2018 +0800
+++ b/dbhelpers.h	Mon Feb 19 23:14:49 2018 +0800
@@ -3,7 +3,7 @@
 
 /* This header defines some things that are also used by libtomcrypt/math. 
    We avoid including normal include.h since that can result in conflicting 
-   definitinos - only include config.h */
+   definitions - only include config.h */
 #include "config.h"
 
 #ifdef __GNUC__
--- a/default_options.h	Sat Feb 17 11:29:17 2018 +0800
+++ b/default_options.h	Mon Feb 19 23:14:49 2018 +0800
@@ -1,44 +1,27 @@
-/*
- > > > Do not edit this file (default_options.h) < < <
-Generated from ../default_options.h.in
-Local customisation goes in localoptions.h
-*/
-
-
 #ifndef DROPBEAR_DEFAULT_OPTIONS_H_
 #define DROPBEAR_DEFAULT_OPTIONS_H_
 /*
                      > > > Read This < < <
 
-default_options.h.in  documents compile-time options, and provides default values.
+default_options.h  documents compile-time options, and provides default values.
 
 Local customisation should be added to localoptions.h which is
 used if it exists. Options defined there will override any options in this
 file.
 
-Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS
-
-IMPORTANT: Many options will require "make clean" after changes */
+Options can also be defined with -DDROPBEAR_XXX=[0,1] in Makefile CFLAGS
 
-#ifndef DROPBEAR_DEFPORT
+IMPORTANT: Some options will require "make clean" after changes */
+
 #define DROPBEAR_DEFPORT "22"
-#endif
 
 /* Listen on all interfaces */
-#ifndef DROPBEAR_DEFADDRESS
 #define DROPBEAR_DEFADDRESS ""
-#endif
 
 /* Default hostkey paths - these can be specified on the command line */
-#ifndef DSS_PRIV_FILENAME
 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
-#endif
-#ifndef RSA_PRIV_FILENAME
 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
-#endif
-#ifndef ECDSA_PRIV_FILENAME
 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
-#endif
 
 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
  * on chosen ports and keeps accepting connections. This is the default.
@@ -50,140 +33,76 @@
  *
  * Both of these flags can be defined at once, don't compile without at least
  * one of them. */
-#ifndef NON_INETD_MODE
 #define NON_INETD_MODE 1
-#endif
-#ifndef INETD_MODE
 #define INETD_MODE 1
-#endif
 
-/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
- * perhaps 20% slower for pubkey operations (it is probably worth experimenting
- * if you want to use this) */
-/*#define NO_FAST_EXPTMOD*/
+/* Include verbose debug output, enabled with -v at runtime. 
+ * This will add a reasonable amount to your executable size. */
+#define DEBUG_TRACE 0
 
 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
-several kB in binary size however will make the symmetrical ciphers and hashes
-slower, perhaps by 50%. Recommended for small systems that aren't doing
-much traffic. */
-#ifndef DROPBEAR_SMALL_CODE
+ * several kB in binary size however will make the symmetrical ciphers and hashes
+ * slower, perhaps by 50%. Recommended for small systems that aren't doing
+ * much traffic. */
 #define DROPBEAR_SMALL_CODE 1
-#endif
 
 /* Enable X11 Forwarding - server only */
-#ifndef DROPBEAR_X11FWD
 #define DROPBEAR_X11FWD 1
-#endif
 
 /* Enable TCP Fowarding */
 /* 'Local' is "-L" style (client listening port forwarded via server)
  * 'Remote' is "-R" style (server listening port forwarded via client) */
-
-#ifndef DROPBEAR_CLI_LOCALTCPFWD
 #define DROPBEAR_CLI_LOCALTCPFWD 1
-#endif
-#ifndef DROPBEAR_CLI_REMOTETCPFWD
 #define DROPBEAR_CLI_REMOTETCPFWD 1
-#endif
 
-#ifndef DROPBEAR_SVR_LOCALTCPFWD
 #define DROPBEAR_SVR_LOCALTCPFWD 1
-#endif
-#ifndef DROPBEAR_SVR_REMOTETCPFWD
 #define DROPBEAR_SVR_REMOTETCPFWD 1
-#endif
 
 /* Enable Authentication Agent Forwarding */
-#ifndef DROPBEAR_SVR_AGENTFWD
 #define DROPBEAR_SVR_AGENTFWD 1
-#endif
-#ifndef DROPBEAR_CLI_AGENTFWD
 #define DROPBEAR_CLI_AGENTFWD 1
-#endif
-
 
 /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
  * allow multihop dbclient connections */
 
 /* Allow using -J <proxycommand> to run the connection through a 
    pipe to a program, rather the normal TCP connection */
-#ifndef DROPBEAR_CLI_PROXYCMD
 #define DROPBEAR_CLI_PROXYCMD 1
-#endif
 
 /* Enable "Netcat mode" option. This will forward standard input/output
  * to a remote TCP-forwarded connection */
-#ifndef DROPBEAR_CLI_NETCAT
 #define DROPBEAR_CLI_NETCAT 1
-#endif
 
 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
-#ifndef ENABLE_USER_ALGO_LIST
-#define ENABLE_USER_ALGO_LIST 1
-#endif
+#define DROPBEAR_USER_ALGO_LIST 1
 
 /* Encryption - at least one required.
- * Protocol RFC requires 3DES and recommends AES128 for interoperability.
- * Including multiple keysize variants the same cipher 
- * (eg AES256 as well as AES128) will result in a minimal size increase.*/
-#ifndef DROPBEAR_AES128
+ * AES128 should be enabled, some very old implementations might only
+ * support 3DES.
+ * Including both AES keysize variants (128 and 256) will result in 
+ * a minimal size increase */
 #define DROPBEAR_AES128 1
-#endif
-#ifndef DROPBEAR_3DES
 #define DROPBEAR_3DES 1
-#endif
-#ifndef DROPBEAR_AES256
 #define DROPBEAR_AES256 1
-#endif
+#define DROPBEAR_TWOFISH256 0
+#define DROPBEAR_TWOFISH128 0
 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
-/*#define DROPBEAR_BLOWFISH*/
-#ifndef DROPBEAR_TWOFISH256
-#define DROPBEAR_TWOFISH256 1
-#endif
-#ifndef DROPBEAR_TWOFISH128
-#define DROPBEAR_TWOFISH128 1
-#endif
+#define DROPBEAR_BLOWFISH 0
 
 /* Enable CBC mode for ciphers. This has security issues though
  * is the most compatible with older SSH implementations */
-#ifndef DROPBEAR_ENABLE_CBC_MODE
 #define DROPBEAR_ENABLE_CBC_MODE 1
-#endif
 
-/* Enable "Counter Mode" for ciphers. This is more secure than normal
+/* Enable "Counter Mode" for ciphers. This is more secure than
  * CBC mode against certain attacks. It is recommended for security
  * and forwards compatibility */
-#ifndef DROPBEAR_ENABLE_CTR_MODE
 #define DROPBEAR_ENABLE_CTR_MODE 1
-#endif
-
-/* Twofish counter mode is disabled by default because it 
-has not been tested for interoperability with other SSH implementations.
-If you test it please contact the Dropbear author */
-#ifndef DROPBEAR_TWOFISH_CTR
-#define DROPBEAR_TWOFISH_CTR 0
-#endif
 
 /* Message integrity. sha2-256 is recommended as a default, 
    sha1 for compatibility */
-#ifndef DROPBEAR_SHA1_HMAC
 #define DROPBEAR_SHA1_HMAC 1
-#endif
-#ifndef DROPBEAR_SHA1_96_HMAC
 #define DROPBEAR_SHA1_96_HMAC 1
-#endif
-#ifndef DROPBEAR_SHA2_256_HMAC
 #define DROPBEAR_SHA2_256_HMAC 1
-#endif
-/* Default is to include it is sha512 is being compiled in for ECDSA */
-#ifndef DROPBEAR_SHA2_512_HMAC
-#define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
-#endif
-
-/* XXX needed for fingerprints */
-#ifndef DROPBEAR_MD5_HMAC
-#define DROPBEAR_MD5_HMAC 0
-#endif
 
 /* Hostkey/public key algorithms - at least one required, these are used
  * for hostkey as well as for verifying signatures with pubkey auth.
@@ -191,23 +110,15 @@
  * RSA is recommended
  * DSS may be necessary to connect to some systems though
    is not recommended for new keys */
-#ifndef DROPBEAR_RSA
 #define DROPBEAR_RSA 1
-#endif
-#ifndef DROPBEAR_DSS
 #define DROPBEAR_DSS 1
-#endif
 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
  * code (either ECDSA or ECDH) increases binary size - around 30kB
  * on x86-64 */
-#ifndef DROPBEAR_ECDSA
 #define DROPBEAR_ECDSA 1
-#endif
 
 /* RSA must be >=1024 */
-#ifndef DROPBEAR_DEFAULT_RSA_SIZE
 #define DROPBEAR_DEFAULT_RSA_SIZE 2048
-#endif
 /* DSS is always 1024 */
 /* ECDSA defaults to largest size configured, usually 521 */
 
@@ -215,46 +126,35 @@
    connection using that key type occurs.
    This avoids the need to otherwise run "dropbearkey" and avoids some problems
    with badly seeded /dev/urandom when systems first boot. */
-#ifndef DROPBEAR_DELAY_HOSTKEY
 #define DROPBEAR_DELAY_HOSTKEY 1
-#endif
 
-/* Enable Curve25519 for key exchange. This is another elliptic
- * curve method with good security properties. Increases binary size
- * by ~8kB on x86-64 */
-#ifndef DROPBEAR_CURVE25519
-#define DROPBEAR_CURVE25519 1
-#endif
-
-/* Enable elliptic curve Diffie Hellman key exchange, see note about
- * ECDSA above */
-#ifndef DROPBEAR_ECDH
-#define DROPBEAR_ECDH 1
-#endif
 
 /* Key exchange algorithm.
+
  * group14_sha1 - 2048 bit, sha1
  * group14_sha256 - 2048 bit, sha2-256
  * group16 - 4096 bit, sha2-512
  * group1 - 1024 bit, sha1
+ * curve25519 - elliptic curve DH
+ * ecdh - NIST elliptic curve DH (256, 384, 521)
  *
- * group14 is supported by most implementations.
- * group16 provides a greater strength level but is slower and increases binary size
  * group1 is too small for security though is necessary if you need 
      compatibility with some implementations such as Dropbear versions < 0.53
+ * group14 is supported by most implementations.
+ * group16 provides a greater strength level but is slower and increases binary size
+ * curve25519 and ecdh algorithms are faster than non-elliptic curve methods
+ * curve25519 increases binary size by ~8kB on x86-64
+ * including either ECDH or ECDSA increases binary size by ~30kB on x86-64
+
+ * Small systems should generally include either curve25519 or ecdh for performance.
+ * curve25519 is less widely supported but is faster
  */ 
-#ifndef DROPBEAR_DH_GROUP1
 #define DROPBEAR_DH_GROUP1 1
-#endif
-#ifndef DROPBEAR_DH_GROUP14_SHA1
 #define DROPBEAR_DH_GROUP14_SHA1 1
-#endif
-#ifndef DROPBEAR_DH_GROUP14_SHA256
 #define DROPBEAR_DH_GROUP14_SHA256 1
-#endif
-#ifndef DROPBEAR_DH_GROUP16
 #define DROPBEAR_DH_GROUP16 0
-#endif
+#define DROPBEAR_CURVE25519 1
+#define DROPBEAR_ECDH 1
 
 /* Control the memory/performance/compression tradeoff for zlib.
  * Set windowBits=8 for least memory usage, see your system's
@@ -263,27 +163,18 @@
  * windowBits=8 will use 129kB for compression.
  * Both modes will use ~35kB for decompression (using windowBits=15 for
  * interoperability) */
-#ifndef DROPBEAR_ZLIB_WINDOW_BITS
 #define DROPBEAR_ZLIB_WINDOW_BITS 15 
-#endif
 
 /* Whether to do reverse DNS lookups. */
-#ifndef DO_HOST_LOOKUP
 #define DO_HOST_LOOKUP 0
-#endif
 
 /* Whether to print the message of the day (MOTD). */
-#ifndef DO_MOTD
 #define DO_MOTD 0
-#endif
-
-/* The MOTD file path */
-#ifndef MOTD_FILENAME
 #define MOTD_FILENAME "/etc/motd"
-#endif
 
 /* Authentication Types - at least one required.
    RFC Draft requires pubkey auth, and recommends password */
+#define DROPBEAR_SVR_PASSWORD_AUTH 1
 
 /* Note: PAM auth is quite simple and only works for PAM modules which just do
  * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
@@ -291,138 +182,79 @@
  * but there's an interface via a PAM module. It won't work for more complex
  * PAM challenge/response.
  * You can't enable both PASSWORD and PAM. */
+#define DROPBEAR_SVR_PAM_AUTH 0
 
-/* This requires crypt() */
-#ifdef HAVE_CRYPT
-#ifndef DROPBEAR_SVR_PASSWORD_AUTH
-#define DROPBEAR_SVR_PASSWORD_AUTH 1
-#endif
-#else
-#ifndef DROPBEAR_SVR_PASSWORD_AUTH
-#define DROPBEAR_SVR_PASSWORD_AUTH 0
-#endif
-#endif
-/* PAM requires ./configure --enable-pam */
-#ifndef DROPBEAR_SVR_PAM_AUTH
-#define DROPBEAR_SVR_PAM_AUTH 0
-#endif
-#ifndef DROPBEAR_SVR_PUBKEY_AUTH
+/* ~/.ssh/authorized_keys authentication */
 #define DROPBEAR_SVR_PUBKEY_AUTH 1
-#endif
 
 /* Whether to take public key options in 
  * authorized_keys file into account */
-#ifndef DROPBEAR_SVR_PUBKEY_OPTIONS
 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
-#endif
 
-/* This requires getpass. */
-#ifdef HAVE_GETPASS
-#ifndef DROPBEAR_CLI_PASSWORD_AUTH
+/* Client authentication options */
 #define DROPBEAR_CLI_PASSWORD_AUTH 1
-#endif
-#ifndef DROPBEAR_CLI_INTERACT_AUTH
-#define DROPBEAR_CLI_INTERACT_AUTH 1
-#endif
-#endif
-#ifndef DROPBEAR_CLI_PUBKEY_AUTH
 #define DROPBEAR_CLI_PUBKEY_AUTH 1
-#endif
 
 /* A default argument for dbclient -i <privatekey>. 
 Homedir is prepended unless path begins with / */
-#ifndef DROPBEAR_DEFAULT_CLI_AUTHKEY
 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
-#endif
 
-/* This variable can be used to set a password for client
- * authentication on the commandline. Beware of platforms
- * that don't protect environment variables of processes etc. Also
- * note that it will be provided for all "hidden" client-interactive
- * style prompts - if you want something more sophisticated, use 
- * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
-#ifndef DROPBEAR_PASSWORD_ENV
-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
-#endif
+/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
+ * environment variable. */
+#define DROPBEAR_USE_PASSWORD_ENV 1
 
 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
  * a helper program for the ssh client. The helper program should be
  * specified in the SSH_ASKPASS environment variable, and dbclient
  * should be run with DISPLAY set and no tty. The program should
  * return the password on standard output */
-#ifndef DROPBEAR_CLI_ASKPASS_HELPER
 #define DROPBEAR_CLI_ASKPASS_HELPER 0
-#endif
 
 /* Save a network roundtrip by sendng a real auth request immediately after
- * sending a query for the available methods.  It is at the expense of < 100
- * bytes of extra network traffic. This is not yet enabled by default since it
- * could cause problems with non-compliant servers */
-#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH
+ * sending a query for the available methods. This is not yet enabled by default 
+ since it could cause problems with non-compliant servers */ 
 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0
-#endif
 
-/* Source for randomness. This must be able to provide hundreds of bytes per SSH
- * connection without blocking. In addition /dev/random is used for seeding
- * rsa/dss key generation */
-#ifndef DROPBEAR_URANDOM_DEV
-#define DROPBEAR_URANDOM_DEV "/dev/urandom"
-#endif
-
-/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
-/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
-
+/* Set this to use PRNGD or EGD instead of /dev/urandom */
+#define DROPBEAR_USE_PRNGD 0
+#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
 
 /* Specify the number of clients we will allow to be connected but
  * not yet authenticated. After this limit, connections are rejected */
 /* The first setting is per-IP, to avoid denial of service */
-#ifndef MAX_UNAUTH_PER_IP
 #define MAX_UNAUTH_PER_IP 5
-#endif
 
 /* And then a global limit to avoid chewing memory if connections 
  * come from many IPs */
-#ifndef MAX_UNAUTH_CLIENTS
 #define MAX_UNAUTH_CLIENTS 30
-#endif
 
 /* Default maximum number of failed authentication tries (server option) */
 /* -T server option overrides */
-#ifndef MAX_AUTH_TRIES
 #define MAX_AUTH_TRIES 10
-#endif
 
 /* The default file to store the daemon's process ID, for shutdown
    scripts etc. This can be overridden with the -P flag */
-#ifndef DROPBEAR_PIDFILE
 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
-#endif
 
 /* The command to invoke for xauth when using X11 forwarding.
  * "-q" for quiet */
-#ifndef XAUTH_COMMAND
 #define XAUTH_COMMAND "/usr/bin/xauth -q"
-#endif
+
 
 /* if you want to enable running an sftp server (such as the one included with
- * OpenSSH), set the path below. If the path isn't defined, sftp will not
- * be enabled */
-#ifndef SFTPSERVER_PATH
+ * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER. 
+ * The sftp-server program is not provided by Dropbear itself */
+#define DROPBEAR_SFTPSERVER 1
 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
-#endif
 
 /* This is used by the scp binary when used as a client binary. If you're
  * not using the Dropbear client, you'll need to change it */
-#ifndef DROPBEAR_PATH_SSH_PROGRAM
 #define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
-#endif
 
 /* Whether to log commands executed by a client. This only logs the 
  * (single) command sent to the server, not what a user did in a 
  * shell/sftp session etc. */
-#ifndef LOG_COMMANDS
 #define LOG_COMMANDS 0
-#endif
 
 /* Window size limits. These tend to be a trade-off between memory
    usage and network performance: */
@@ -431,42 +263,28 @@
    significant difference to network performance. 24kB was empirically
    chosen for a 100mbit ethernet network. The value can be altered at
    runtime with the -W argument. */
-#ifndef DEFAULT_RECV_WINDOW
 #define DEFAULT_RECV_WINDOW 24576
-#endif
 /* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
    in order to interoperate with other implementations */
-#ifndef RECV_MAX_PAYLOAD_LEN
 #define RECV_MAX_PAYLOAD_LEN 32768
-#endif
 /* Maximum size of a transmitted data packet - this can be any value,
    though increasing it may not make a significant difference. */
-#ifndef TRANS_MAX_PAYLOAD_LEN
 #define TRANS_MAX_PAYLOAD_LEN 16384
-#endif
 
 /* Ensure that data is transmitted every KEEPALIVE seconds. This can
 be overridden at runtime with -K. 0 disables keepalives */
-#ifndef DEFAULT_KEEPALIVE
 #define DEFAULT_KEEPALIVE 0
-#endif
 
 /* If this many KEEPALIVES are sent with no packets received from the
 other side, exit. Not run-time configurable - if you have a need
 for runtime configuration please mail the Dropbear list */
-#ifndef DEFAULT_KEEPALIVE_LIMIT
 #define DEFAULT_KEEPALIVE_LIMIT 3
-#endif
 
 /* Ensure that data is received within IDLE_TIMEOUT seconds. This can
 be overridden at runtime with -I. 0 disables idle timeouts */
-#ifndef DEFAULT_IDLE_TIMEOUT
 #define DEFAULT_IDLE_TIMEOUT 0
-#endif
 
 /* The default path. This will often get replaced by the shell */
-#ifndef DEFAULT_PATH
 #define DEFAULT_PATH "/usr/bin:/bin"
-#endif
 
 #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
--- a/default_options.h.in	Sat Feb 17 11:29:17 2018 +0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,365 +0,0 @@
-#ifndef DROPBEAR_DEFAULT_OPTIONS_H_
-#define DROPBEAR_DEFAULT_OPTIONS_H_
-/*
-                     > > > Read This < < <
-
-default_options.h.in  documents compile-time options, and provides default values.
-
-Local customisation should be added to localoptions.h which is
-used if it exists. Options defined there will override any options in this
-file.
-
-Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS
-
-IMPORTANT: Many options will require "make clean" after changes */
-
-#define DROPBEAR_DEFPORT "22"
-
-/* Listen on all interfaces */
-#define DROPBEAR_DEFADDRESS ""
-
-/* Default hostkey paths - these can be specified on the command line */
-#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
-#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
-#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
-
-/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
- * on chosen ports and keeps accepting connections. This is the default.
- *
- * Set INETD_MODE if you want to be able to run Dropbear with inetd (or
- * similar), where it will use stdin/stdout for connections, and each process
- * lasts for a single connection. Dropbear should be invoked with the -i flag
- * for inetd, and can only accept IPv4 connections.
- *
- * Both of these flags can be defined at once, don't compile without at least
- * one of them. */
-#define NON_INETD_MODE 1
-#define INETD_MODE 1
-
-#if !(NON_INETD_MODE || INETD_MODE)
-	#error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
-#endif
-
-/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
-several kB in binary size however will make the symmetrical ciphers and hashes
-slower, perhaps by 50%. Recommended for small systems that aren't doing
-much traffic. */
-#define DROPBEAR_SMALL_CODE 1
-
-/* Enable X11 Forwarding - server only */
-#define DROPBEAR_X11FWD 1
-
-/* Enable TCP Fowarding */
-/* 'Local' is "-L" style (client listening port forwarded via server)
- * 'Remote' is "-R" style (server listening port forwarded via client) */
-
-#define DROPBEAR_CLI_LOCALTCPFWD 1
-#define DROPBEAR_CLI_REMOTETCPFWD 1
-
-#define DROPBEAR_SVR_LOCALTCPFWD 1
-#define DROPBEAR_SVR_REMOTETCPFWD 1
-
-/* Enable Authentication Agent Forwarding */
-#define DROPBEAR_SVR_AGENTFWD 1
-#define DROPBEAR_CLI_AGENTFWD 1
-
-
-/* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
- * allow multihop dbclient connections */
-
-/* Allow using -J <proxycommand> to run the connection through a 
-   pipe to a program, rather the normal TCP connection */
-#define DROPBEAR_CLI_PROXYCMD 1
-
-/* Enable "Netcat mode" option. This will forward standard input/output
- * to a remote TCP-forwarded connection */
-#define DROPBEAR_CLI_NETCAT 1
-
-/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
-#define DROPBEAR_USER_ALGO_LIST 1
-
-/* Encryption - at least one required.
- * Protocol RFC requires 3DES and recommends AES128 for interoperability.
- * Including multiple keysize variants the same cipher 
- * (eg AES256 as well as AES128) will result in a minimal size increase.*/
-#define DROPBEAR_AES128 1
-#define DROPBEAR_3DES 1
-#define DROPBEAR_AES256 1
-#define DROPBEAR_TWOFISH256 1
-#define DROPBEAR_TWOFISH128 1
-/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
-#define DROPBEAR_BLOWFISH 0
-
-#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
-      || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
-	#error "At least one encryption algorithm must be enabled; 3DES and AES128 are recommended."
-#endif
-
-/* Enable CBC mode for ciphers. This has security issues though
- * is the most compatible with older SSH implementations */
-#define DROPBEAR_ENABLE_CBC_MODE 1
-
-/* Enable "Counter Mode" for ciphers. This is more secure than normal
- * CBC mode against certain attacks. It is recommended for security
- * and forwards compatibility */
-#define DROPBEAR_ENABLE_CTR_MODE 1
-
-/* Twofish counter mode is disabled by default because it 
-has not been tested for interoperability with other SSH implementations.
-If you test it please contact the Dropbear author */
-#define DROPBEAR_TWOFISH_CTR 0
-
-/* Message integrity. sha2-256 is recommended as a default, 
-   sha1 for compatibility */
-#define DROPBEAR_SHA1_HMAC 1
-#define DROPBEAR_SHA1_96_HMAC 1
-#define DROPBEAR_SHA2_256_HMAC 1
-/* Default is to include it is sha512 is being compiled in for ECDSA */
-#define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
-
-/* XXX needed for fingerprints */
-#define DROPBEAR_MD5_HMAC 0
-
-/* Hostkey/public key algorithms - at least one required, these are used
- * for hostkey as well as for verifying signatures with pubkey auth.
- * Removing either of these won't save very much space.
- * RSA is recommended
- * DSS may be necessary to connect to some systems though
-   is not recommended for new keys */
-#define DROPBEAR_RSA 1
-#define DROPBEAR_DSS 1
-/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
- * code (either ECDSA or ECDH) increases binary size - around 30kB
- * on x86-64 */
-#define DROPBEAR_ECDSA 1
-
-#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
-	#error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
-#endif
-
-/* RSA must be >=1024 */
-#define DROPBEAR_DEFAULT_RSA_SIZE 2048
-/* DSS is always 1024 */
-/* ECDSA defaults to largest size configured, usually 521 */
-
-/* Add runtime flag "-R" to generate hostkeys as-needed when the first 
-   connection using that key type occurs.
-   This avoids the need to otherwise run "dropbearkey" and avoids some problems
-   with badly seeded /dev/urandom when systems first boot. */
-#define DROPBEAR_DELAY_HOSTKEY 1
-
-/* Enable Curve25519 for key exchange. This is another elliptic
- * curve method with good security properties. Increases binary size
- * by ~8kB on x86-64 */
-#define DROPBEAR_CURVE25519 1
-
-/* Enable elliptic curve Diffie Hellman key exchange, see note about
- * ECDSA above */
-#define DROPBEAR_ECDH 1
-
-/* Key exchange algorithm.
- * group14_sha1 - 2048 bit, sha1
- * group14_sha256 - 2048 bit, sha2-256
- * group16 - 4096 bit, sha2-512
- * group1 - 1024 bit, sha1
- *
- * group14 is supported by most implementations.
- * group16 provides a greater strength level but is slower and increases binary size
- * group1 is too small for security though is necessary if you need 
-     compatibility with some implementations such as Dropbear versions < 0.53
- */ 
-#define DROPBEAR_DH_GROUP1 1
-#define DROPBEAR_DH_GROUP14_SHA1 1
-#define DROPBEAR_DH_GROUP14_SHA256 1
-#define DROPBEAR_DH_GROUP16 0
-
-/* Control the memory/performance/compression tradeoff for zlib.
- * Set windowBits=8 for least memory usage, see your system's
- * zlib.h for full details.
- * Default settings (windowBits=15) will use 256kB for compression
- * windowBits=8 will use 129kB for compression.
- * Both modes will use ~35kB for decompression (using windowBits=15 for
- * interoperability) */
-#define DROPBEAR_ZLIB_WINDOW_BITS 15 
-
-/* Whether to do reverse DNS lookups. */
-#define DO_HOST_LOOKUP 0
-
-/* Whether to print the message of the day (MOTD). */
-#define DO_MOTD 0
-
-/* The MOTD file path */
-#define MOTD_FILENAME "/etc/motd"
-
-/* Authentication Types - at least one required.
-   RFC Draft requires pubkey auth, and recommends password */
-
-/* Note: PAM auth is quite simple and only works for PAM modules which just do
- * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
- * It's useful for systems like OS X where standard password crypts don't work
- * but there's an interface via a PAM module. It won't work for more complex
- * PAM challenge/response.
- * You can't enable both PASSWORD and PAM. */
-
-/* PAM requires ./configure --enable-pam */
-#if defined(HAVE_LIBPAM) && !DROPBEAR_SVR_PASSWORD_AUTH
-	#define DROPBEAR_SVR_PAM_AUTH 1
-#else
-	#define DROPBEAR_SVR_PAM_AUTH 0
-#endif
-
-/* This requires crypt() */
-#if defined(HAVE_CRYPT) && !DROPBEAR_SVR_PAM_AUTH
-	#define DROPBEAR_SVR_PASSWORD_AUTH 1
-#else
-	#define DROPBEAR_SVR_PASSWORD_AUTH 0
-#endif
-
-#define DROPBEAR_SVR_PUBKEY_AUTH 1
-
-#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
-	#error "At least one server authentication type must be enabled; PUBKEY and PASSWORD are recommended."
-#endif
-
-#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
-	#error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
-#endif
-
-#if DROPBEAR_SVR_PAM_AUTH
-	#if DISABLE_PAM
-		#error "DROPBEAR_SVR_PAM_AUTH requires 'configure --enable-pam' to succeed."
-	#endif
-	#if DROPBEAR_SVR_PASSWORD_AUTH
-		#error "DROPBEAR_SVR_PASSWORD_AUTH cannot be enabled at the same time as DROPBEAR_SVR_PAM_AUTH."
-	#endif
-#endif
-
-/* Whether to take public key options in 
- * authorized_keys file into account */
-#define DROPBEAR_SVR_PUBKEY_OPTIONS 1
-
-/* This requires getpass. */
-#ifdef HAVE_GETPASS
-	#define DROPBEAR_CLI_PASSWORD_AUTH 1
-	#define DROPBEAR_CLI_INTERACT_AUTH 1
-#else
-	#define DROPBEAR_CLI_PASSWORD_AUTH 0
-	#define DROPBEAR_CLI_INTERACT_AUTH 0
-#endif
-#define DROPBEAR_CLI_PUBKEY_AUTH 1
-
-#if !(DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_PUBKEY_AUTH)
-	#error "At least one client authentication type must be enabled; PUBKEY and PASSWORD are recommended."
-#endif
-
-/* A default argument for dbclient -i <privatekey>. 
-Homedir is prepended unless path begins with / */
-#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
-
-/* This variable can be used to set a password for client
- * authentication on the commandline. Beware of platforms
- * that don't protect environment variables of processes etc. Also
- * note that it will be provided for all "hidden" client-interactive
- * style prompts - if you want something more sophisticated, use 
- * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
-#define DROPBEAR_USE_DROPBEAR_PASSWORD 1
-
-/* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
- * a helper program for the ssh client. The helper program should be
- * specified in the SSH_ASKPASS environment variable, and dbclient
- * should be run with DISPLAY set and no tty. The program should
- * return the password on standard output */
-#define DROPBEAR_CLI_ASKPASS_HELPER 0
-
-#if DROPBEAR_CLI_ASKPASS_HELPER
-	#define DROPBEAR_CLI_PASSWORD_AUTH 1
-#endif
-
-/* Save a network roundtrip by sendng a real auth request immediately after
- * sending a query for the available methods.  It is at the expense of < 100
- * bytes of extra network traffic. This is not yet enabled by default since it
- * could cause problems with non-compliant servers */
-#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
-
-/* Source for randomness. This must be able to provide hundreds of bytes per SSH
- * connection without blocking. In addition /dev/random is used for seeding
- * rsa/dss key generation */
-#define DROPBEAR_URANDOM_DEV "/dev/urandom"
-
-/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
-#define DROPBEAR_USE_PRNGD 0
-#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
-
-/* Specify the number of clients we will allow to be connected but
- * not yet authenticated. After this limit, connections are rejected */
-/* The first setting is per-IP, to avoid denial of service */
-#define MAX_UNAUTH_PER_IP 5
-
-/* And then a global limit to avoid chewing memory if connections 
- * come from many IPs */
-#define MAX_UNAUTH_CLIENTS 30
-
-/* Default maximum number of failed authentication tries (server option) */
-/* -T server option overrides */
-#define MAX_AUTH_TRIES 10
-
-/* The default file to store the daemon's process ID, for shutdown
-   scripts etc. This can be overridden with the -P flag */
-#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
-
-/* The command to invoke for xauth when using X11 forwarding.
- * "-q" for quiet */
-#define XAUTH_COMMAND "/usr/bin/xauth -q"
-
-#define DROPBEAR_SFTPSERVER 1
-
-/* if you want to enable running an sftp server (such as the one included with
- * OpenSSH), set the path below. If the path isn't defined, sftp will not
- * be enabled */
-#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
-
-/* This is used by the scp binary when used as a client binary. If you're
- * not using the Dropbear client, you'll need to change it */
-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
-
-/* Whether to log commands executed by a client. This only logs the 
- * (single) command sent to the server, not what a user did in a 
- * shell/sftp session etc. */
-#define LOG_COMMANDS 0
-
-/* Window size limits. These tend to be a trade-off between memory
-   usage and network performance: */
-/* Size of the network receive window. This amount of memory is allocated
-   as a per-channel receive buffer. Increasing this value can make a
-   significant difference to network performance. 24kB was empirically
-   chosen for a 100mbit ethernet network. The value can be altered at
-   runtime with the -W argument. */
-#define DEFAULT_RECV_WINDOW 24576
-/* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
-   in order to interoperate with other implementations */
-#define RECV_MAX_PAYLOAD_LEN 32768
-/* Maximum size of a transmitted data packet - this can be any value,
-   though increasing it may not make a significant difference. */
-#define TRANS_MAX_PAYLOAD_LEN 16384
-
-/* Ensure that data is transmitted every KEEPALIVE seconds. This can
-be overridden at runtime with -K. 0 disables keepalives */
-#define DEFAULT_KEEPALIVE 0
-
-/* If this many KEEPALIVES are sent with no packets received from the
-other side, exit. Not run-time configurable - if you have a need
-for runtime configuration please mail the Dropbear list */
-#define DEFAULT_KEEPALIVE_LIMIT 3
-
-/* Ensure that data is received within IDLE_TIMEOUT seconds. This can
-be overridden at runtime with -I. 0 disables idle timeouts */
-#define DEFAULT_IDLE_TIMEOUT 0
-
-/* The default path. This will often get replaced by the shell */
-#define DEFAULT_PATH "/usr/bin:/bin"
-
-/* Include verbose debug output, enabled with -v at runtime. 
- * This will add a reasonable amount to your executable size. */
-#define DEBUG_TRACE 0
-
-#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
--- a/ecc.c	Sat Feb 17 11:29:17 2018 +0800
+++ b/ecc.c	Mon Feb 19 23:14:49 2018 +0800
@@ -1,5 +1,4 @@
 #include "includes.h"
-#include "options.h"
 #include "ecc.h"
 #include "dbutil.h"
 #include "bignum.h"
--- a/ecc.h	Sat Feb 17 11:29:17 2018 +0800
+++ b/ecc.h	Mon Feb 19 23:14:49 2018 +0800
@@ -2,7 +2,6 @@
 #define DROPBEAR_DROPBEAR_ECC_H
 
 #include "includes.h"
-#include "options.h"
 
 #include "buffer.h"
 
--- a/ecdsa.c	Sat Feb 17 11:29:17 2018 +0800
+++ b/ecdsa.c	Mon Feb 19 23:14:49 2018 +0800
@@ -1,4 +1,3 @@
-#include "options.h"
 #include "includes.h"
 #include "dbutil.h"
 #include "crypto_desc.h"
--- a/ifndef_wrapper.sh	Sat Feb 17 11:29:17 2018 +0800
+++ b/ifndef_wrapper.sh	Mon Feb 19 23:14:49 2018 +0800
@@ -2,6 +2,6 @@
 
 # Wrap all "#define X Y" with a #ifndef X...#endif"
 
-sed -E 's/^(#define ([^ ]+) .*)/#ifndef \2\
+sed -E 's/^( *#define ([^ ]+) .*)/#ifndef \2\
 \1\
 #endif/' 
--- a/includes.h	Sat Feb 17 11:29:17 2018 +0800
+++ b/includes.h	Mon Feb 19 23:14:49 2018 +0800
@@ -26,7 +26,6 @@
 #define DROPBEAR_INCLUDES_H_
 
 
-#include "config.h"
 #include "options.h"
 #include "debug.h"
 
--- a/libtommath/Makefile.in	Sat Feb 17 11:29:17 2018 +0800
+++ b/libtommath/Makefile.in	Mon Feb 19 23:14:49 2018 +0800
@@ -126,19 +126,6 @@
 pretty:
 	perl pretty.build
 
-#\zipup the project (take that!)
-no_oops: clean
-	cd .. ; cvs commit
-	echo Scanning for scratch/dirty files
-	find . -type f | grep -v CVS | xargs -n 1 bash mess.sh
-
-clean:
-	rm -f *.bat *.pdf *.o *.a *.obj *.lib *.exe *.dll etclib/*.o demo/demo.o test ltmtest mpitest mtest/mtest mtest/mtest.exe \
-        *.idx *.toc *.log *.aux *.dvi *.lof *.ind *.ilg *.ps *.log *.s mpi.c *.da *.dyn *.dpi tommath.tex `find . -type f | grep [~] | xargs` *.lo *.la
-	rm -rf .libs
-	-cd etc && MAKE=${MAKE} ${MAKE} clean
-	-cd pics && MAKE=${MAKE} ${MAKE} clean
-
 .PHONY: pre_gen
 pre_gen:
 	perl gen.pl
--- a/libtommath/makefile.include	Sat Feb 17 11:29:17 2018 +0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,105 +0,0 @@
-#
-# Include makefile for libtommath
-#
-
-#version of library
-VERSION=1.0
-VERSION_SO=1:0
-
-# default make target
-default: ${LIBNAME}
-
-# Compiler and Linker Names
-ifndef PREFIX
-  PREFIX=
-endif
-
-ifeq ($(CC),cc)
-  CC = $(PREFIX)gcc
-endif
-LD=$(PREFIX)ld
-AR=$(PREFIX)ar
-RANLIB=$(PREFIX)ranlib
-
-ifndef MAKE
-   MAKE=make
-endif
-
-CFLAGS += -I./ -Wall -Wsign-compare -Wextra -Wshadow
-
-ifndef NO_ADDTL_WARNINGS
-# additional warnings
-CFLAGS += -Wsystem-headers -Wdeclaration-after-statement -Wbad-function-cast -Wcast-align
-CFLAGS += -Wstrict-prototypes -Wpointer-arith
-endif
-
-ifdef COMPILE_DEBUG
-#debug
-CFLAGS += -g3
-else
-
-ifdef COMPILE_SIZE
-#for size
-CFLAGS += -Os
-else
-
-ifndef IGNORE_SPEED
-#for speed
-CFLAGS += -O3 -funroll-loops
-
-#x86 optimizations [should be valid for any GCC install though]
-CFLAGS  += -fomit-frame-pointer
-endif
-
-endif # COMPILE_SIZE
-endif # COMPILE_DEBUG
-
-# adjust coverage set
-ifneq ($(filter $(shell arch), i386 i686 x86_64 amd64 ia64),)
-   COVERAGE = test_standalone timing
-   COVERAGE_APP = ./test && ./ltmtest
-else
-   COVERAGE = test_standalone
-   COVERAGE_APP = ./test
-endif
-
-HEADERS_PUB=tommath.h tommath_class.h tommath_superclass.h
-HEADERS=tommath_private.h $(HEADERS_PUB)
-
-test_standalone: CFLAGS+=-DLTM_DEMO_TEST_VS_MTEST=0
-
-#LIBPATH-The directory for libtommath to be installed to.
-#INCPATH-The directory to install the header files for libtommath.
-#DATAPATH-The directory to install the pdf docs.
-LIBPATH?=/usr/lib
-INCPATH?=/usr/include
-DATAPATH?=/usr/share/doc/libtommath/pdf
-
-#make the code coverage of the library
-#
-coverage: CFLAGS += -fprofile-arcs -ftest-coverage -DTIMING_NO_LOGS
-coverage: LFLAGS += -lgcov
-coverage: LDFLAGS += -lgcov
-
-coverage: $(COVERAGE)
-	$(COVERAGE_APP)
-
-lcov: coverage
-	rm -f coverage.info
-	lcov --capture --no-external --no-recursion $(LCOV_ARGS) --output-file coverage.info -q
-	genhtml coverage.info --output-directory coverage -q
-
-# target that removes all coverage output
-cleancov-clean:
-	rm -f `find . -type f -name "*.info" | xargs`
-	rm -rf coverage/
-
-# cleans everything - coverage output and standard 'clean'
-cleancov: cleancov-clean clean
-
-clean:
-	rm -f *.gcda *.gcno *.bat *.o *.a *.obj *.lib *.exe *.dll etclib/*.o demo/demo.o test ltmtest mpitest mtest/mtest mtest/mtest.exe \
-        *.idx *.toc *.log *.aux *.dvi *.lof *.ind *.ilg *.ps *.log *.s mpi.c *.da *.dyn *.dpi tommath.tex `find . -type f | grep [~] | xargs` *.lo *.la
-	rm -rf .libs/
-	cd etc ; MAKE=${MAKE} ${MAKE} clean
-	cd pics ; MAKE=${MAKE} ${MAKE} clean
--- a/libtommath/makefile_include.mk	Sat Feb 17 11:29:17 2018 +0800
+++ b/libtommath/makefile_include.mk	Mon Feb 19 23:14:49 2018 +0800
@@ -17,12 +17,13 @@
   CROSS_COMPILE=
 endif
 
-ifeq ($(CC),cc)
-  CC = $(CROSS_COMPILE)gcc
-endif
-LD=$(CROSS_COMPILE)ld
-AR=$(CROSS_COMPILE)ar
-RANLIB=$(CROSS_COMPILE)ranlib
+# Dropbear passes these down
+#ifeq ($(CC),cc)
+#  CC = $(CROSS_COMPILE)gcc
+#endif
+#LD=$(CROSS_COMPILE)ld
+#AR=$(CROSS_COMPILE)ar
+#RANLIB=$(CROSS_COMPILE)ranlib
 
 ifndef MAKE
    MAKE=make
@@ -113,5 +114,5 @@
 	rm -f *.gcda *.gcno *.gcov *.bat *.o *.a *.obj *.lib *.exe *.dll etclib/*.o demo/demo.o test ltmtest mpitest mtest/mtest mtest/mtest.exe \
         *.idx *.toc *.log *.aux *.dvi *.lof *.ind *.ilg *.ps *.log *.s mpi.c *.da *.dyn *.dpi tommath.tex `find . -type f | grep [~] | xargs` *.lo *.la
 	rm -rf .libs/
-	${MAKE} -C etc/ clean MAKE=${MAKE}
-	${MAKE} -C doc/ clean MAKE=${MAKE}
+	#${MAKE} -C etc/ clean MAKE=${MAKE}
+	#${MAKE} -C doc/ clean MAKE=${MAKE}
--- a/list.c	Sat Feb 17 11:29:17 2018 +0800
+++ b/list.c	Mon Feb 19 23:14:49 2018 +0800
@@ -1,4 +1,4 @@
-#include "options.h"
+#include "includes.h"
 #include "dbutil.h"
 #include "list.h"
 
--- a/loginrec.c	Sat Feb 17 11:29:17 2018 +0800
+++ b/loginrec.c	Mon Feb 19 23:14:49 2018 +0800
@@ -1330,7 +1330,8 @@
 
 		if ( lseek(*fd, offset, SEEK_SET) != offset ) {
 			dropbear_log(LOG_WARNING, "lastlog_openseek: %s->lseek(): %s",
-			 lastlog_file, strerror(errno));
+				lastlog_file, strerror(errno));
+			m_close(*fd);
 			return 0;
 		}
 	}
--- a/ltc_prng.c	Sat Feb 17 11:29:17 2018 +0800
+++ b/ltc_prng.c	Mon Feb 19 23:14:49 2018 +0800
@@ -11,7 +11,6 @@
  *
  * Tom St Denis, [email protected], http://libtomcrypt.com
  */
-#include "options.h"
 #include "includes.h"
 #include "dbrandom.h"
 #include "ltc_prng.h"
--- a/ltc_prng.h	Sat Feb 17 11:29:17 2018 +0800
+++ b/ltc_prng.h	Mon Feb 19 23:14:49 2018 +0800
@@ -1,7 +1,6 @@
 #ifndef DROPBEAR_LTC_PRNG_H_DROPBEAR
 #define DROPBEAR_LTC_PRNG_H_DROPBEAR
 
-#include "options.h"
 #include "includes.h"
 
 #if DROPBEAR_LTC_PRNG
--- a/options.h	Sat Feb 17 11:29:17 2018 +0800
+++ b/options.h	Mon Feb 19 23:14:49 2018 +0800
@@ -8,11 +8,15 @@
 See default_options.h.in for a description of the available options.
 */
 
+/* Some configuration options or checks depend on system config */
+#include "config.h"
+
 #ifdef LOCALOPTIONS_H_EXISTS
 #include "localoptions.h"
 #endif
 
-#include "default_options.h"
+/* default_options.h is processed to add #ifndef guards */
+#include "default_options_guard.h"
 
 /* Some other defines that mostly should be left alone are defined
  * in sysoptions.h */
--- a/session.h	Sat Feb 17 11:29:17 2018 +0800
+++ b/session.h	Mon Feb 19 23:14:49 2018 +0800
@@ -26,7 +26,6 @@
 #define DROPBEAR_SESSION_H_
 
 #include "includes.h"
-#include "options.h"
 #include "buffer.h"
 #include "signkey.h"
 #include "kex.h"
--- a/sysoptions.h	Sat Feb 17 11:29:17 2018 +0800
+++ b/sysoptions.h	Mon Feb 19 23:14:49 2018 +0800
@@ -23,7 +23,11 @@
 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
 #endif
 
- #define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
+#define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
+
+#if !(NON_INETD_MODE || INETD_MODE)
+	#error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
+#endif
 
 /* A client should try and send an initial key exchange packet guessing
  * the algorithm that will match - saves a round trip connecting, has little
@@ -95,6 +99,23 @@
 #define MAX_MAC_LEN 20
 #endif
 
+/* sha2-512 is not necessary unless unforseen problems arise with sha2-256 */
+#ifndef DROPBEAR_SHA2_512_HMAC
+#define DROPBEAR_SHA2_512_HMAC 0
+#endif
+
+/* might be needed for compatibility with very old implementations */
+#ifndef DROPBEAR_MD5_HMAC
+#define DROPBEAR_MD5_HMAC 0
+#endif
+
+/* Twofish counter mode is disabled by default because it 
+has not been tested for interoperability with other SSH implementations.
+If you test it please contact the Dropbear author */
+#ifndef DROPBEAR_TWOFISH_CTR
+#define DROPBEAR_TWOFISH_CTR 0
+#endif
+
 
 #define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA))
 
@@ -205,6 +226,39 @@
 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
 #endif
 
+/* PAM requires ./configure --enable-pam */
+#if !defined(HAVE_LIBPAM) && DROPBEAR_SVR_PAM_AUTH
+#error "DROPBEAR_SVR_PATM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?"
+#endif
+
+#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
+	#error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
+#endif
+
+#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
+	#error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended."
+#endif
+
+
+#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
+      || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
+	#error "At least one encryption algorithm must be enabled. AES128 is recommended."
+#endif
+
+#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
+	#error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
+#endif
+
+/* Source for randomness. This must be able to provide hundreds of bytes per SSH
+ * connection without blocking. */
+#ifndef DROPBEAR_URANDOM_DEV
+#define DROPBEAR_URANDOM_DEV "/dev/urandom"
+#endif
+
+/* client keyboard interactive authentication is often used for password auth.
+ rfc4256 */
+#define DROPBEAR_CLI_INTERACT_AUTH (DROPBEAR_CLI_PASSWORD_AUTH)
+
 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
  * code, if we're just compiling as client or server */
 #if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT)