changeset 1714:c0f12eaf95c9

Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
author Matt Johnston <matt@ucc.asn.au>
date Thu, 11 Jun 2020 00:09:15 +0800
parents c2c0f43ff827
children 3974f087d9c0
files default_options.h
diffstat 1 files changed, 13 insertions(+), 15 deletions(-) [+]
line wrap: on
line diff
--- a/default_options.h	Wed Jun 10 23:42:42 2020 +0800
+++ b/default_options.h	Thu Jun 11 00:09:15 2020 +0800
@@ -48,7 +48,7 @@
 #define DROPBEAR_SMALL_CODE 1
 
 /* Enable X11 Forwarding - server only */
-#define DROPBEAR_X11FWD 1
+#define DROPBEAR_X11FWD 0
 
 /* Enable TCP Fowarding */
 /* 'Local' is "-L" style (client listening port forwarded via server)
@@ -83,20 +83,24 @@
  * Including both AES keysize variants (128 and 256) will result in 
  * a minimal size increase */
 #define DROPBEAR_AES128 1
-#define DROPBEAR_3DES 1
 #define DROPBEAR_AES256 1
+#define DROPBEAR_3DES 0
 #define DROPBEAR_TWOFISH256 0
 #define DROPBEAR_TWOFISH128 0
 
-/* Enable CBC mode for ciphers. This has security issues though
- * is the most compatible with older SSH implementations */
-#define DROPBEAR_ENABLE_CBC_MODE 1
+/* Enable Chacha20-Poly1305 authenticated encryption mode. This is
+ * generally faster than AES256 on CPU w/o dedicated AES instructions,
+ * having the same key size. Recommended.
+ * Compiling in will add ~5,5kB to binary size on x86-64 */
+#define DROPBEAR_CHACHA20POLY1305 1
 
-/* Enable "Counter Mode" for ciphers. This is more secure than
- * CBC mode against certain attacks. It is recommended for security
- * and forwards compatibility */
+/* Enable "Counter Mode" for ciphers. Recommended. */
 #define DROPBEAR_ENABLE_CTR_MODE 1
 
+/* Enable CBC mode for ciphers. This has security issues though
+   may be required for compatibility with old implementations */
+#define DROPBEAR_ENABLE_CBC_MODE 0
+
 /* Enable "Galois/Counter Mode" for ciphers. This authenticated
  * encryption mode is combination of CTR mode and GHASH. Recommended
  * for security and forwards compatibility, but slower than CTR on
@@ -104,17 +108,11 @@
  * Compiling in will add ~6kB to binary size on x86-64 */
 #define DROPBEAR_ENABLE_GCM_MODE 0
 
-/* Enable Chacha20-Poly1305 authenticated encryption mode. This is
- * generally faster than AES256 on CPU w/o dedicated AES instructions,
- * having the same key size.
- * Compiling in will add ~5,5kB to binary size on x86-64 */
-#define DROPBEAR_CHACHA20POLY1305 1
-
 /* Message integrity. sha2-256 is recommended as a default, 
    sha1 for compatibility */
 #define DROPBEAR_SHA1_HMAC 1
-#define DROPBEAR_SHA1_96_HMAC 1
 #define DROPBEAR_SHA2_256_HMAC 1
+#define DROPBEAR_SHA1_96_HMAC 0
 
 /* Hostkey/public key algorithms - at least one required, these are used
  * for hostkey as well as for verifying signatures with pubkey auth.