62
62
#define ENABLE_AGENTFWD
64
64
/* Encryption - at least one required.
65
* RFC Draft requires 3DES, and recommends Blowfish, AES128 & Twofish128 */
65
* RFC Draft requires 3DES and recommends AES128 for interoperability.
66
* Including multiple keysize variants the same cipher
67
* (eg AES256 as well as AES128) will result in a minimal size increase.*/
66
68
#define DROPBEAR_AES128_CBC
69
#define DROPBEAR_3DES_CBC
70
#define DROPBEAR_AES256_CBC
67
71
#define DROPBEAR_BLOWFISH_CBC
72
#define DROPBEAR_TWOFISH256_CBC
68
73
#define DROPBEAR_TWOFISH128_CBC
69
#define DROPBEAR_3DES_CBC
71
/* Integrity - at least one required.
72
* RFC Draft requires sha1-hmac, and recommends md5-hmac.
75
/* Message Integrity - at least one required.
76
* RFC Draft requires sha1 and recommends sha1-96.
77
* sha1-96 may be of use for slow links, as it has a smaller overhead.
74
* Note: there's no point disabling sha1 to save space, since it's used in the
79
* Note: there's no point disabling sha1 to save space, since it's used
75
80
* for the random number generator and public-key cryptography anyway.
76
81
* Disabling it here will just stop it from being used as the integrity portion
77
82
* of the ssh protocol.
79
* These are also used for key fingerprints in logs (when pubkey auth is used),
80
* MD5 fingerprints are printed if available, however SHA1 fingerprints will be
81
* generated otherwise. This isn't exactly optimal, although SHA1 fingerprints
82
* are not too hard to create from pubkeys if required. */
84
* These hashes are also used for public key fingerprints in logs.
85
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
86
* which are not the standard form. */
83
87
#define DROPBEAR_SHA1_HMAC
88
#define DROPBEAR_SHA1_96_HMAC
84
89
#define DROPBEAR_MD5_HMAC
86
91
/* Hostkey/public key algorithms - at least one required, these are used
90
95
#define DROPBEAR_RSA
91
96
#define DROPBEAR_DSS
98
/* RSA can be vulnerable to timing attacks which use the time required for
99
* signing to guess the private key. Blinding avoids this attack, though makes
100
* signing operations slightly slower. */
93
103
/* Define DSS_PROTOK to use PuTTY's method of generating the value k for dss,
94
104
* rather than just from the random byte source. Undefining this will save you
95
105
* ~4k in binary size with static uclibc, but your DSS hostkey could be exposed
124
134
#define ENABLE_CLI_PASSWORD_AUTH
125
135
#define ENABLE_CLI_PUBKEY_AUTH
136
#define ENABLE_CLI_INTERACT_AUTH
127
138
/* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
128
139
* a helper program for the ssh client. The helper program should be
268
279
#define MAX_MAC_LEN SHA1_HASH_SIZE
271
#define MAX_KEY_LEN 24 /* 3DES requires a 24 byte key */
282
#define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
272
283
#define MAX_IV_LEN 20 /* must be same as max blocksize,
273
284
and >= SHA1_HASH_SIZE */
274
285
#define MAX_MAC_KEY 20
295
306
#define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also
296
307
is the max length for a password etc */
298
/* For a 4096 bit DSS key, empirically determined to be 1590 bytes */
299
#define MAX_PUBKEY_SIZE 1600
300
/* For a 4096 bit DSS key, empirically determined to be 1590 bytes */
301
#define MAX_PRIVKEY_SIZE 1600
309
/* For a 4096 bit DSS key, empirically determined */
310
#define MAX_PUBKEY_SIZE 1700
311
/* For a 4096 bit DSS key, empirically determined */
312
#define MAX_PRIVKEY_SIZE 1700
314
/* The maximum size of the bignum portion of the kexhash buffer */
315
/* Sect. 8 of the transport draft, K_S + e + f + K */
316
#define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
303
318
#define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
304
319
in a few years time.... */
306
321
#define DROPBEAR_MAX_CLI_PASS 1024
323
#define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll
324
accept for keyb-interactive
327
#if defined(DROPBEAR_AES256_CBC) || defined(DROPBEAR_AES128_CBC)
328
#define DROPBEAR_AES_CBC
331
#if defined(DROPBEAR_TWOFISH256_CBC) || defined(DROPBEAR_TWOFISH128_CBC)
332
#define DROPBEAR_TWOFISH_CBC
308
335
#ifndef ENABLE_X11FWD
309
336
#define DISABLE_X11FWD
313
340
#define DISABLE_AGENTFWD
316
#ifndef ENABLE_LOCALTCPFWD
317
#define DISABLE_TCPDIRECT
320
#ifndef ENABLE_REMOTETCPFWD
321
#define DISABLE_REMOTETCPFWD
324
343
#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
325
344
#define ENABLE_CLI_ANYTCPFWD
329
348
#define DROPBEAR_TCP_ACCEPT
332
#if defined(ENABLE_REMOTETCPFWD) || defined(ENABLE_LOCALTCPFWD) || \
351
#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \
352
defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \
333
353
defined(ENABLE_AGENTFWD) || defined(ENABLE_X11FWD)
334
354
#define USING_LISTENERS
added
removed
options.h
