sysoptions.h 8.31 KB
Newer Older
1
2
3
4
5
6
/*******************************************************************
 * You shouldn't edit this file unless you know you need to. 
 * This file is only included from options.h
 *******************************************************************/

#ifndef DROPBEAR_VERSION
Matt Johnston's avatar
Matt Johnston committed
7
#define DROPBEAR_VERSION "2016.74"
8
9
10
11
12
13
14
15
16
17
18
#endif

#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
#define PROGNAME "dropbear"

/* Spec recommends after one hour or 1 gigabyte of data. One hour
 * is a bit too verbose, so we try 8 hours */
#ifndef KEX_REKEY_TIMEOUT
#define KEX_REKEY_TIMEOUT (3600 * 8)
#endif
#ifndef KEX_REKEY_DATA
19
#define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */
20
21
22
23
24
25
#endif
/* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
#ifndef AUTH_TIMEOUT
#define AUTH_TIMEOUT 300 /* we choose 5 minutes */
#endif

26
27
28
29
30
31
32
33
34
/* A client should try and send an initial key exchange packet guessing
 * the algorithm that will match - saves a round trip connecting, has little
 * overhead if the guess was "wrong". */
#define USE_KEX_FIRST_FOLLOWS
/* Use protocol extension to allow "first follows" to succeed more frequently.
 * This is currently Dropbear-specific but will gracefully fallback when connecting
 * to other implementations. */
#define USE_KEXGUESS2

35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
/* Minimum key sizes for DSS and RSA */
#ifndef MIN_DSS_KEYLEN
#define MIN_DSS_KEYLEN 512
#endif
#ifndef MIN_RSA_KEYLEN
#define MIN_RSA_KEYLEN 512
#endif

#define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */
#define MAX_BANNER_LINES 20 /* How many lines the client will display */

/* the number of NAME=VALUE pairs to malloc for environ, if we don't have
 * the clearenv() function */
#define ENV_SIZE 100

Matt Johnston's avatar
Matt Johnston committed
50
#define MAX_CMD_LEN 9000 /* max length of a command */
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#define MAX_TERM_LEN 200 /* max length of TERM name */

#define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */
#define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */

#define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
								 ipv4 and ipv6 don't count twice */

/* Each port might have at least a v4 and a v6 address */
#define MAX_LISTEN_ADDR (DROPBEAR_MAX_PORTS*3)

#define _PATH_TTY "/dev/tty"

#define _PATH_CP "/bin/cp"

66
67
#define DROPBEAR_ESCAPE_CHAR '~'

68
69
70
71
72
73
74
75
76
77
78
/* success/failure defines */
#define DROPBEAR_SUCCESS 0
#define DROPBEAR_FAILURE -1

/* Required for pubkey auth */
#if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT)
#define DROPBEAR_SIGNKEY_VERIFY
#endif

#define SHA1_HASH_SIZE 20
#define MD5_HASH_SIZE 16
79
#define MAX_HASH_SIZE 64 /* sha512 */
80
81

#define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
82
#define MAX_IV_LEN 20 /* must be same as max blocksize,  */
83

84
#if defined(DROPBEAR_SHA2_512_HMAC)
85
#define MAX_MAC_LEN 64
86
#elif defined(DROPBEAR_SHA2_256_HMAC)
87
#define MAX_MAC_LEN 32
88
#else
89
#define MAX_MAC_LEN 20
90
#endif
91

92
93
#if defined(DROPBEAR_ECDH) || defined (DROPBEAR_ECDSA)
#define DROPBEAR_ECC
94
/* Debian doesn't define this in system headers */
95
#ifndef LTM_DESC
96
#define LTM_DESC
97
#endif
98
#endif
99

Matt Johnston's avatar
Matt Johnston committed
100
101
102
103
104
105
#ifdef DROPBEAR_ECC
#define DROPBEAR_ECC_256
#define DROPBEAR_ECC_384
#define DROPBEAR_ECC_521
#endif

106
107
108
109
#ifdef DROPBEAR_ECC
#define DROPBEAR_LTC_PRNG
#endif

110
111
112
113
114
/* RSA can be vulnerable to timing attacks which use the time required for
 * signing to guess the private key. Blinding avoids this attack, though makes
 * signing operations slightly slower. */
#define RSA_BLINDING

115
/* hashes which will be linked and registered */
116
#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519) || DROPBEAR_DH_GROUP14
117
118
119
120
121
#define DROPBEAR_SHA256
#endif
#if defined(DROPBEAR_ECC_384)
#define DROPBEAR_SHA384
#endif
122
/* LTC SHA384 depends on SHA512 */
123
#if defined(DROPBEAR_SHA2_512_HMAC) || defined(DROPBEAR_ECC_521) || defined(DROPBEAR_ECC_384) || DROPBEAR_DH_GROUP16
124
125
126
127
128
129
#define DROPBEAR_SHA512
#endif
#if defined(DROPBEAR_MD5_HMAC)
#define DROPBEAR_MD5
#endif

130
131
132
133
134
/* These are disabled in Dropbear 2016.73 by default since the spec 
   draft-ietf-curdle-ssh-kex-sha2-02 is under development. */
#define DROPBEAR_DH_GROUP14_256 0
#define DROPBEAR_DH_GROUP16 0

135
/* roughly 2x 521 bits */
136
137
#define MAX_ECC_SIZE 140

138
139
140
141
142
143
144
#define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
						   explicitly specified for all protocols (just
						   for algos) but seems valid */

#define MAX_PROPOSED_ALGO 20

/* size/count limits */
145
/* From transport rfc */
146
147
148
149
150
151
152
153
154
155
156
157
#define MIN_PACKET_LEN 16

#define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))

/* for channel code */
#define TRANS_MAX_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */
#define TRANS_MAX_WIN_INCR 500000000 /* overflow prevention */

#define RECV_WINDOWEXTEND (opts.recv_window / 3) /* We send a "window extend" every
								RECV_WINDOWEXTEND bytes */
#define MAX_RECV_WINDOW (1024*1024) /* 1 MB should be enough */

Matt Johnston's avatar
Matt Johnston committed
158
#define MAX_CHANNELS 1000 /* simple mem restriction, includes each tcp/x11
159
160
							connection, so can't be _too_ small */

Matt Johnston's avatar
Matt Johnston committed
161
162
#define MAX_STRING_LEN (MAX(MAX_CMD_LEN, 2400)) /* Sun SSH needs 2400 for algos,
                                                   MAX_CMD_LEN is usually longer */
163
164
165
166
167
168

/* For a 4096 bit DSS key, empirically determined */
#define MAX_PUBKEY_SIZE 1700
/* For a 4096 bit DSS key, empirically determined */
#define MAX_PRIVKEY_SIZE 1700

Matt Johnston's avatar
Matt Johnston committed
169
170
#define MAX_HOSTKEYS 3

171
/* The maximum size of the bignum portion of the kexhash buffer */
172
/* Sect. 8 of the transport rfc 4253, K_S + e + f + K */
173
174
175
176
177
178
179
180
181
182
183
#define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)

#define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
								in a few years time.... */

#define DROPBEAR_MAX_CLI_PASS 1024

#define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll 
												accept for keyb-interactive
												auth */

184

Matt Johnston's avatar
Matt Johnston committed
185
186
#if defined(DROPBEAR_AES256) || defined(DROPBEAR_AES128)
#define DROPBEAR_AES
187
188
#endif

Matt Johnston's avatar
Matt Johnston committed
189
190
#if defined(DROPBEAR_TWOFISH256) || defined(DROPBEAR_TWOFISH128)
#define DROPBEAR_TWOFISH
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
#endif

#ifndef ENABLE_X11FWD
#define DISABLE_X11FWD
#endif

#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
#define ENABLE_CLI_ANYTCPFWD 
#endif

#if defined(ENABLE_CLI_LOCALTCPFWD) || defined(ENABLE_SVR_REMOTETCPFWD)
#define DROPBEAR_TCP_ACCEPT
#endif

#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \
	defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \
207
	defined(ENABLE_SVR_AGENTFWD) || defined(ENABLE_X11FWD)
208
209
210
211
212
213
214
#define USING_LISTENERS
#endif

#if defined(ENABLE_CLI_NETCAT) && defined(ENABLE_CLI_PROXYCMD)
#define ENABLE_CLI_MULTIHOP
#endif

215
216
217
218
#if defined(ENABLE_CLI_AGENTFWD) || defined(DROPBEAR_PRNGD_SOCKET)
#define ENABLE_CONNECT_UNIX
#endif

219
220
221
222
#if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
#define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
#endif

223
224
225
226
/* Changing this is inadvisable, it appears to have problems
 * with flushing compressed data */
#define DROPBEAR_ZLIB_MEM_LEVEL 8

227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
#if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH)
#error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
#endif

/* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
 * code, if we're just compiling as client or server */
#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)

#define IS_DROPBEAR_SERVER (ses.isserver == 1)
#define IS_DROPBEAR_CLIENT (ses.isserver == 0)

#elif defined(DROPBEAR_SERVER)

#define IS_DROPBEAR_SERVER 1
#define IS_DROPBEAR_CLIENT 0

#elif defined(DROPBEAR_CLIENT)

#define IS_DROPBEAR_SERVER 0
#define IS_DROPBEAR_CLIENT 1

#else
249
250
251
252
/* Just building key utils? */
#define IS_DROPBEAR_SERVER 0
#define IS_DROPBEAR_CLIENT 0

Matt Johnston's avatar
Matt Johnston committed
253
254
255
256
257
258
#endif /* neither DROPBEAR_SERVER nor DROPBEAR_CLIENT */

#ifndef HAVE_FORK
#define USE_VFORK
#endif  /* don't HAVE_FORK */

259
260
261
262
263
264
#if MAX_UNAUTH_CLIENTS > MAX_CHANNELS
#define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS
#else
#define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
#endif

265
266
267
/* free memory before exiting */
#define DROPBEAR_CLEANUP

268
269
270
/* Use this string since some implementations might special-case it */
#define DROPBEAR_KEEPALIVE_STRING "[email protected]"

271
272
273
/* Linux will attempt TCP fast open, falling back if not supported by the kernel.
 * Currently server is enabled but client is disabled by default until there
 * is further compatibility testing */
274
#ifdef __linux__
275
276
#define DROPBEAR_SERVER_TCP_FAST_OPEN
/* #define DROPBEAR_CLIENT_TCP_FAST_OPEN */
277
278
#endif

Matt Johnston's avatar
Matt Johnston committed
279
/* no include guard for this file */