release/src/router/dropbear/sysoptions.h

   1 /*******************************************************************
   2  * You shouldn't edit this file unless you know you need to.
   3  * This file is only included from options.h
   4  *******************************************************************/
   5
   6 #ifndef DROPBEAR_VERSION
   7 #define DROPBEAR_VERSION "2015.71"
   8 #endif
   9
  10 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
  11 #define PROGNAME "dropbear"
  12
  13 /* Spec recommends after one hour or 1 gigabyte of data. One hour
  14  * is a bit too verbose, so we try 8 hours */
  15 #ifndef KEX_REKEY_TIMEOUT
  16 #define KEX_REKEY_TIMEOUT (3600 * 8)
  17 #endif
  18 #ifndef KEX_REKEY_DATA
  19 #define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */
  20 #endif
  21 /* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
  22 #ifndef AUTH_TIMEOUT
  23 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
  24 #endif
  25
  26 /* A client should try and send an initial key exchange packet guessing
  27  * the algorithm that will match - saves a round trip connecting, has little
  28  * overhead if the guess was "wrong". */
  29 #define USE_KEX_FIRST_FOLLOWS
  30 /* Use protocol extension to allow "first follows" to succeed more frequently.
  31  * This is currently Dropbear-specific but will gracefully fallback when connecting
  32  * to other implementations. */
  33 #define USE_KEXGUESS2
  34
  35 /* Minimum key sizes for DSS and RSA */
  36 #ifndef MIN_DSS_KEYLEN
  37 #define MIN_DSS_KEYLEN 512
  38 #endif
  39 #ifndef MIN_RSA_KEYLEN
  40 #define MIN_RSA_KEYLEN 512
  41 #endif
  42
  43 #define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */
  44 #define MAX_BANNER_LINES 20 /* How many lines the client will display */
  45
  46 /* the number of NAME=VALUE pairs to malloc for environ, if we don't have
  47  * the clearenv() function */
  48 #define ENV_SIZE 100
  49
  50 #define MAX_CMD_LEN 9000 /* max length of a command */
  51 #define MAX_TERM_LEN 200 /* max length of TERM name */
  52
  53 #define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */
  54 #define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */
  55
  56 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
  57                                                                  ipv4 and ipv6 don't count twice */
  58
  59 /* Each port might have at least a v4 and a v6 address */
  60 #define MAX_LISTEN_ADDR (DROPBEAR_MAX_PORTS*3)
  61
  62 #define _PATH_TTY "/dev/tty"
  63
  64 #define _PATH_CP "/bin/cp"
  65
  66 #define DROPBEAR_ESCAPE_CHAR '~'
  67
  68 /* success/failure defines */
  69 #define DROPBEAR_SUCCESS 0
  70 #define DROPBEAR_FAILURE -1
  71
  72 /* Required for pubkey auth */
  73 #if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT)
  74 #define DROPBEAR_SIGNKEY_VERIFY
  75 #endif
  76
  77 #define SHA1_HASH_SIZE 20
  78 #define MD5_HASH_SIZE 16
  79 #define MAX_HASH_SIZE 64 /* sha512 */
  80
  81 #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
  82 #define MAX_IV_LEN 20 /* must be same as max blocksize,  */
  83
  84 #if defined(DROPBEAR_SHA2_512_HMAC)
  85 #define MAX_MAC_LEN 64
  86 #elif defined(DROPBEAR_SHA2_256_HMAC)
  87 #define MAX_MAC_LEN 32
  88 #else
  89 #define MAX_MAC_LEN 20
  90 #endif
  91
  92 #if defined(DROPBEAR_ECDH) || defined (DROPBEAR_ECDSA)
  93 #define DROPBEAR_ECC
  94 /* Debian doesn't define this in system headers */
  95 #ifndef LTM_DESC
  96 #define LTM_DESC
  97 #endif
  98 #endif
  99
 100 #ifdef DROPBEAR_ECC
 101 #define DROPBEAR_ECC_256
 102 #define DROPBEAR_ECC_384
 103 #define DROPBEAR_ECC_521
 104 #endif
 105
 106 #ifdef DROPBEAR_ECC
 107 #define DROPBEAR_LTC_PRNG
 108 #endif
 109
 110 /* RSA can be vulnerable to timing attacks which use the time required for
 111  * signing to guess the private key. Blinding avoids this attack, though makes
 112  * signing operations slightly slower. */
 113 #define RSA_BLINDING
 114
 115 /* hashes which will be linked and registered */
 116 #if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519)
 117 #define DROPBEAR_SHA256
 118 #endif
 119 #if defined(DROPBEAR_ECC_384)
 120 #define DROPBEAR_SHA384
 121 #endif
 122 /* LTC SHA384 depends on SHA512 */
 123 #if defined(DROPBEAR_SHA2_512_HMAC) || defined(DROPBEAR_ECC_521) || defined(DROPBEAR_ECC_384)
 124 #define DROPBEAR_SHA512
 125 #endif
 126 #if defined(DROPBEAR_MD5_HMAC)
 127 #define DROPBEAR_MD5
 128 #endif
 129
 130 /* roughly 2x 521 bits */
 131 #define MAX_ECC_SIZE 140
 132
 133 #define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
 134                                                    explicitly specified for all protocols (just
 135                                                    for algos) but seems valid */
 136
 137 #define MAX_PROPOSED_ALGO 20
 138
 139 /* size/count limits */
 140 /* From transport rfc */
 141 #define MIN_PACKET_LEN 16
 142
 143 #define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
 144
 145 /* for channel code */
 146 #define TRANS_MAX_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */
 147 #define TRANS_MAX_WIN_INCR 500000000 /* overflow prevention */
 148
 149 #define RECV_WINDOWEXTEND (opts.recv_window / 3) /* We send a "window extend" every
 150                                                                 RECV_WINDOWEXTEND bytes */
 151 #define MAX_RECV_WINDOW (1024*1024) /* 1 MB should be enough */
 152
 153 #define MAX_CHANNELS 1000 /* simple mem restriction, includes each tcp/x11
 154                                                         connection, so can't be _too_ small */
 155
 156 #define MAX_STRING_LEN (MAX(MAX_CMD_LEN, 2400)) /* Sun SSH needs 2400 for algos,
 157                                                    MAX_CMD_LEN is usually longer */
 158
 159 /* For a 4096 bit DSS key, empirically determined */
 160 #define MAX_PUBKEY_SIZE 1700
 161 /* For a 4096 bit DSS key, empirically determined */
 162 #define MAX_PRIVKEY_SIZE 1700
 163
 164 #define MAX_HOSTKEYS 3
 165
 166 /* The maximum size of the bignum portion of the kexhash buffer */
 167 /* Sect. 8 of the transport rfc 4253, K_S + e + f + K */
 168 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
 169
 170 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
 171                                                                 in a few years time.... */
 172
 173 #define DROPBEAR_MAX_CLI_PASS 1024
 174
 175 #define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll
 176                                                                                                 accept for keyb-interactive
 177                                                                                                 auth */
 178
 179
 180 #if defined(DROPBEAR_AES256) || defined(DROPBEAR_AES128)
 181 #define DROPBEAR_AES
 182 #endif
 183
 184 #if defined(DROPBEAR_TWOFISH256) || defined(DROPBEAR_TWOFISH128)
 185 #define DROPBEAR_TWOFISH
 186 #endif
 187
 188 #ifndef ENABLE_X11FWD
 189 #define DISABLE_X11FWD
 190 #endif
 191
 192 #if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
 193 #define ENABLE_CLI_ANYTCPFWD
 194 #endif
 195
 196 #if defined(ENABLE_CLI_LOCALTCPFWD) || defined(ENABLE_SVR_REMOTETCPFWD)
 197 #define DROPBEAR_TCP_ACCEPT
 198 #endif
 199
 200 #if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \
 201         defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \
 202         defined(ENABLE_SVR_AGENTFWD) || defined(ENABLE_X11FWD)
 203 #define USING_LISTENERS
 204 #endif
 205
 206 #if defined(ENABLE_CLI_NETCAT) && defined(ENABLE_CLI_PROXYCMD)
 207 #define ENABLE_CLI_MULTIHOP
 208 #endif
 209
 210 #if defined(ENABLE_CLI_AGENTFWD) || defined(DROPBEAR_PRNGD_SOCKET)
 211 #define ENABLE_CONNECT_UNIX
 212 #endif
 213
 214 #if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
 215 #define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
 216 #endif
 217
 218 /* Changing this is inadvisable, it appears to have problems
 219  * with flushing compressed data */
 220 #define DROPBEAR_ZLIB_MEM_LEVEL 8
 221
 222 #if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH)
 223 #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
 224 #endif
 225
 226 /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
 227  * code, if we're just compiling as client or server */
 228 #if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)
 229
 230 #define IS_DROPBEAR_SERVER (ses.isserver == 1)
 231 #define IS_DROPBEAR_CLIENT (ses.isserver == 0)
 232
 233 #elif defined(DROPBEAR_SERVER)
 234
 235 #define IS_DROPBEAR_SERVER 1
 236 #define IS_DROPBEAR_CLIENT 0
 237
 238 #elif defined(DROPBEAR_CLIENT)
 239
 240 #define IS_DROPBEAR_SERVER 0
 241 #define IS_DROPBEAR_CLIENT 1
 242
 243 #else
 244 /* Just building key utils? */
 245 #define IS_DROPBEAR_SERVER 0
 246 #define IS_DROPBEAR_CLIENT 0
 247
 248 #endif /* neither DROPBEAR_SERVER nor DROPBEAR_CLIENT */
 249
 250 #ifndef HAVE_FORK
 251 #define USE_VFORK
 252 #endif  /* don't HAVE_FORK */
 253
 254 #if MAX_UNAUTH_CLIENTS > MAX_CHANNELS
 255 #define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS
 256 #else
 257 #define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
 258 #endif
 259
 260 /* free memory before exiting */
 261 #define DROPBEAR_CLEANUP
 262
 263 /* Use this string since some implementations might special-case it */
 264 #define DROPBEAR_KEEPALIVE_STRING "keepalive@openssh.com"
 265
 266 /* Linux will attempt TCP fast open, falling back if not supported by the kernel.
 267  * Currently server is enabled but client is disabled by default until there
 268  * is further compatibility testing */
 269 #ifdef __linux__
 270 #define DROPBEAR_SERVER_TCP_FAST_OPEN
 271 /* #define DROPBEAR_CLIENT_TCP_FAST_OPEN */
 272 #endif
 273
 274 /* no include guard for this file */