
rename some options and move some to sysoptions.h

Matt Johnston 2018-02-18 00:29:17 +08:00
parent c8d852caf6
commit c2f2f2b817
4 changed files with 106 additions and 149 deletions


@ -60,7 +60,7 @@ void cli_auth_getmethods() {
*/ */
if (ses.keys->trans.algo_comp != DROPBEAR_COMP_ZLIB_DELAY) { if (ses.keys->trans.algo_comp != DROPBEAR_COMP_ZLIB_DELAY) {
ses.authstate.authtypes = AUTH_TYPE_PUBKEY; ses.authstate.authtypes = AUTH_TYPE_PUBKEY;
#if DROPBEAR_USE_DROPBEAR_PASSWORD #if DROPBEAR_USE_PASSWORD_ENV
if (getenv(DROPBEAR_PASSWORD_ENV)) { if (getenv(DROPBEAR_PASSWORD_ENV)) {
ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT; ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT;
} }
@ -337,7 +337,7 @@ char* getpass_or_cancel(const char* prompt)
{ {
char* password = NULL; char* password = NULL;
#if DROPBEAR_USE_DROPBEAR_PASSWORD #if DROPBEAR_USE_PASSWORD_ENV
/* Password provided in an environment var */ /* Password provided in an environment var */
password = getenv(DROPBEAR_PASSWORD_ENV); password = getenv(DROPBEAR_PASSWORD_ENV);
if (password) if (password)


@ -57,10 +57,11 @@ IMPORTANT: Many options will require "make clean" after changes */
#define INETD_MODE 1 #define INETD_MODE 1
#endif #endif
/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is /* Include verbose debug output, enabled with -v at runtime.
* perhaps 20% slower for pubkey operations (it is probably worth experimenting * This will add a reasonable amount to your executable size. */
* if you want to use this) */ #ifndef DEBUG_TRACE
/*#define NO_FAST_EXPTMOD*/ #define DEBUG_TRACE 0
#endif
/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
several kB in binary size however will make the symmetrical ciphers and hashes several kB in binary size however will make the symmetrical ciphers and hashes
@ -101,7 +102,6 @@ much traffic. */
#define DROPBEAR_CLI_AGENTFWD 1 #define DROPBEAR_CLI_AGENTFWD 1
#endif #endif
/* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
* allow multihop dbclient connections */ * allow multihop dbclient connections */
@ -118,14 +118,15 @@ much traffic. */
#endif #endif
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
#ifndef ENABLE_USER_ALGO_LIST #ifndef DROPBEAR_USER_ALGO_LIST
#define ENABLE_USER_ALGO_LIST 1 #define DROPBEAR_USER_ALGO_LIST 1
#endif #endif
/* Encryption - at least one required. /* Encryption - at least one required.
* Protocol RFC requires 3DES and recommends AES128 for interoperability. * AES128 should be enabled, some very old implementations might only
* Including multiple keysize variants the same cipher * support 3DES.
* (eg AES256 as well as AES128) will result in a minimal size increase.*/ * Including both AES keysize variants (128 and 256) will result in
* a minimal size increase */
#ifndef DROPBEAR_AES128 #ifndef DROPBEAR_AES128
#define DROPBEAR_AES128 1 #define DROPBEAR_AES128 1
#endif #endif
@ -135,14 +136,16 @@ much traffic. */
#ifndef DROPBEAR_AES256 #ifndef DROPBEAR_AES256
#define DROPBEAR_AES256 1 #define DROPBEAR_AES256 1
#endif #endif
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
/*#define DROPBEAR_BLOWFISH*/
#ifndef DROPBEAR_TWOFISH256 #ifndef DROPBEAR_TWOFISH256
#define DROPBEAR_TWOFISH256 1 #define DROPBEAR_TWOFISH256 1
#endif #endif
#ifndef DROPBEAR_TWOFISH128 #ifndef DROPBEAR_TWOFISH128
#define DROPBEAR_TWOFISH128 1 #define DROPBEAR_TWOFISH128 1
#endif #endif
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
#ifndef DROPBEAR_BLOWFISH
#define DROPBEAR_BLOWFISH 0
#endif
/* Enable CBC mode for ciphers. This has security issues though /* Enable CBC mode for ciphers. This has security issues though
* is the most compatible with older SSH implementations */ * is the most compatible with older SSH implementations */
@ -150,7 +153,7 @@ much traffic. */
#define DROPBEAR_ENABLE_CBC_MODE 1 #define DROPBEAR_ENABLE_CBC_MODE 1
#endif #endif
/* Enable "Counter Mode" for ciphers. This is more secure than normal /* Enable "Counter Mode" for ciphers. This is more secure than
* CBC mode against certain attacks. It is recommended for security * CBC mode against certain attacks. It is recommended for security
* and forwards compatibility */ * and forwards compatibility */
#ifndef DROPBEAR_ENABLE_CTR_MODE #ifndef DROPBEAR_ENABLE_CTR_MODE
@ -175,7 +178,7 @@ If you test it please contact the Dropbear author */
#ifndef DROPBEAR_SHA2_256_HMAC #ifndef DROPBEAR_SHA2_256_HMAC
#define DROPBEAR_SHA2_256_HMAC 1 #define DROPBEAR_SHA2_256_HMAC 1
#endif #endif
/* Default is to include it is sha512 is being compiled in for ECDSA */ /* Default is to include it if sha512 is being compiled in for ECDSA */
#ifndef DROPBEAR_SHA2_512_HMAC #ifndef DROPBEAR_SHA2_512_HMAC
#define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA) #define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
#endif #endif
@ -284,6 +287,9 @@ If you test it please contact the Dropbear author */
/* Authentication Types - at least one required. /* Authentication Types - at least one required.
RFC Draft requires pubkey auth, and recommends password */ RFC Draft requires pubkey auth, and recommends password */
#ifndef DROPBEAR_SVR_PASSWORD_AUTH
#define DROPBEAR_SVR_PASSWORD_AUTH 1
#endif
/* Note: PAM auth is quite simple and only works for PAM modules which just do /* Note: PAM auth is quite simple and only works for PAM modules which just do
* a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
@ -291,21 +297,11 @@ If you test it please contact the Dropbear author */
* but there's an interface via a PAM module. It won't work for more complex * but there's an interface via a PAM module. It won't work for more complex
* PAM challenge/response. * PAM challenge/response.
* You can't enable both PASSWORD and PAM. */ * You can't enable both PASSWORD and PAM. */
/* This requires crypt() */
#ifdef HAVE_CRYPT
#ifndef DROPBEAR_SVR_PASSWORD_AUTH
#define DROPBEAR_SVR_PASSWORD_AUTH 1
#endif
#else
#ifndef DROPBEAR_SVR_PASSWORD_AUTH
#define DROPBEAR_SVR_PASSWORD_AUTH 0
#endif
#endif
/* PAM requires ./configure --enable-pam */
#ifndef DROPBEAR_SVR_PAM_AUTH #ifndef DROPBEAR_SVR_PAM_AUTH
#define DROPBEAR_SVR_PAM_AUTH 0 #define DROPBEAR_SVR_PAM_AUTH 0
#endif #endif
/* ~/.ssh/authorized_keys authentication */
#ifndef DROPBEAR_SVR_PUBKEY_AUTH #ifndef DROPBEAR_SVR_PUBKEY_AUTH
#define DROPBEAR_SVR_PUBKEY_AUTH 1 #define DROPBEAR_SVR_PUBKEY_AUTH 1
#endif #endif
@ -316,15 +312,10 @@ If you test it please contact the Dropbear author */
#define DROPBEAR_SVR_PUBKEY_OPTIONS 1 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
#endif #endif
/* This requires getpass. */ /* Client authentication options */
#ifdef HAVE_GETPASS
#ifndef DROPBEAR_CLI_PASSWORD_AUTH #ifndef DROPBEAR_CLI_PASSWORD_AUTH
#define DROPBEAR_CLI_PASSWORD_AUTH 1 #define DROPBEAR_CLI_PASSWORD_AUTH 1
#endif #endif
#ifndef DROPBEAR_CLI_INTERACT_AUTH
#define DROPBEAR_CLI_INTERACT_AUTH 1
#endif
#endif
#ifndef DROPBEAR_CLI_PUBKEY_AUTH #ifndef DROPBEAR_CLI_PUBKEY_AUTH
#define DROPBEAR_CLI_PUBKEY_AUTH 1 #define DROPBEAR_CLI_PUBKEY_AUTH 1
#endif #endif
@ -335,14 +326,10 @@ Homedir is prepended unless path begins with / */
#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
#endif #endif
/* This variable can be used to set a password for client /* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
* authentication on the commandline. Beware of platforms * environment variable. */
* that don't protect environment variables of processes etc. Also #ifndef DROPBEAR_USE_PASSWORD_ENV
* note that it will be provided for all "hidden" client-interactive #define DROPBEAR_USE_PASSWORD_ENV 1
* style prompts - if you want something more sophisticated, use
* SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
#ifndef DROPBEAR_PASSWORD_ENV
#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
#endif #endif
/* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
@ -355,24 +342,18 @@ Homedir is prepended unless path begins with / */
#endif #endif
/* Save a network roundtrip by sendng a real auth request immediately after /* Save a network roundtrip by sendng a real auth request immediately after
* sending a query for the available methods. It is at the expense of < 100 * sending a query for the available methods. This is not yet enabled by default
* bytes of extra network traffic. This is not yet enabled by default since it since it could cause problems with non-compliant servers */
* could cause problems with non-compliant servers */ #define DROPBEAR_CLI_IMMEDIATE_AUTH 0
#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH
#define DROPBEAR_CLI_IMMEDIATE_AUTH 0 /* Set this to use PRNGD or EGD instead of /dev/urandom */
#ifndef DROPBEAR_USE_PRNGD
#define DROPBEAR_USE_PRNGD 0
#endif #endif
#ifndef DROPBEAR_PRNGD_SOCKET
/* Source for randomness. This must be able to provide hundreds of bytes per SSH #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
* connection without blocking. In addition /dev/random is used for seeding
* rsa/dss key generation */
#ifndef DROPBEAR_URANDOM_DEV
#define DROPBEAR_URANDOM_DEV "/dev/urandom"
#endif #endif
/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
/* Specify the number of clients we will allow to be connected but /* Specify the number of clients we will allow to be connected but
* not yet authenticated. After this limit, connections are rejected */ * not yet authenticated. After this limit, connections are rejected */
/* The first setting is per-IP, to avoid denial of service */ /* The first setting is per-IP, to avoid denial of service */
@ -404,9 +385,13 @@ Homedir is prepended unless path begins with / */
#define XAUTH_COMMAND "/usr/bin/xauth -q" #define XAUTH_COMMAND "/usr/bin/xauth -q"
#endif #endif
/* if you want to enable running an sftp server (such as the one included with /* if you want to enable running an sftp server (such as the one included with
* OpenSSH), set the path below. If the path isn't defined, sftp will not * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER.
* be enabled */ * The sftp-server program is not provided by Dropbear itself */
#ifndef DROPBEAR_SFTPSERVER
#define DROPBEAR_SFTPSERVER 1
#endif
#ifndef SFTPSERVER_PATH #ifndef SFTPSERVER_PATH
#define SFTPSERVER_PATH "/usr/libexec/sftp-server" #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
#endif #endif
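Review bot: The replacement comment for `DROPBEAR_USE_PASSWORD_ENV` drops the caveats the old text carried (that some platforms do not protect the environment variables of processes, and that the value is supplied to every hidden client-interactive prompt) while the option stays enabled by default; the same replacement is made in the next file section. A short reminder would keep the risk visible at the point where a builder decides, for example `/* Note: some platforms expose process environment variables to other users, and the value answers every hidden prompt. */`. Separately, in the hunk starting at old line 355 the new side appears to lose the `#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH` / `#endif` wrapper that the other options visible in this file have, so an earlier override of that macro would be redefined rather than respected; restoring the guard keeps it consistent.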


@ -36,9 +36,9 @@ IMPORTANT: Many options will require "make clean" after changes */
#define NON_INETD_MODE 1 #define NON_INETD_MODE 1
#define INETD_MODE 1 #define INETD_MODE 1
#if !(NON_INETD_MODE || INETD_MODE) /* Include verbose debug output, enabled with -v at runtime.
#error "NON_INETD_MODE or INETD_MODE (or both) must be enabled." * This will add a reasonable amount to your executable size. */
#endif #define DEBUG_TRACE 0
/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
several kB in binary size however will make the symmetrical ciphers and hashes several kB in binary size however will make the symmetrical ciphers and hashes
@ -63,7 +63,6 @@ much traffic. */
#define DROPBEAR_SVR_AGENTFWD 1 #define DROPBEAR_SVR_AGENTFWD 1
#define DROPBEAR_CLI_AGENTFWD 1 #define DROPBEAR_CLI_AGENTFWD 1
/* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
* allow multihop dbclient connections */ * allow multihop dbclient connections */
@ -79,9 +78,10 @@ much traffic. */
#define DROPBEAR_USER_ALGO_LIST 1 #define DROPBEAR_USER_ALGO_LIST 1
/* Encryption - at least one required. /* Encryption - at least one required.
* Protocol RFC requires 3DES and recommends AES128 for interoperability. * AES128 should be enabled, some very old implementations might only
* Including multiple keysize variants the same cipher * support 3DES.
* (eg AES256 as well as AES128) will result in a minimal size increase.*/ * Including both AES keysize variants (128 and 256) will result in
* a minimal size increase */
#define DROPBEAR_AES128 1 #define DROPBEAR_AES128 1
#define DROPBEAR_3DES 1 #define DROPBEAR_3DES 1
#define DROPBEAR_AES256 1 #define DROPBEAR_AES256 1
@ -90,16 +90,11 @@ much traffic. */
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
#define DROPBEAR_BLOWFISH 0 #define DROPBEAR_BLOWFISH 0
#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
|| DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
#error "At least one encryption algorithm must be enabled; 3DES and AES128 are recommended."
#endif
/* Enable CBC mode for ciphers. This has security issues though /* Enable CBC mode for ciphers. This has security issues though
* is the most compatible with older SSH implementations */ * is the most compatible with older SSH implementations */
#define DROPBEAR_ENABLE_CBC_MODE 1 #define DROPBEAR_ENABLE_CBC_MODE 1
/* Enable "Counter Mode" for ciphers. This is more secure than normal /* Enable "Counter Mode" for ciphers. This is more secure than
* CBC mode against certain attacks. It is recommended for security * CBC mode against certain attacks. It is recommended for security
* and forwards compatibility */ * and forwards compatibility */
#define DROPBEAR_ENABLE_CTR_MODE 1 #define DROPBEAR_ENABLE_CTR_MODE 1
@ -114,7 +109,7 @@ If you test it please contact the Dropbear author */
#define DROPBEAR_SHA1_HMAC 1 #define DROPBEAR_SHA1_HMAC 1
#define DROPBEAR_SHA1_96_HMAC 1 #define DROPBEAR_SHA1_96_HMAC 1
#define DROPBEAR_SHA2_256_HMAC 1 #define DROPBEAR_SHA2_256_HMAC 1
/* Default is to include it is sha512 is being compiled in for ECDSA */ /* Default is to include it if sha512 is being compiled in for ECDSA */
#define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA) #define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
/* XXX needed for fingerprints */ /* XXX needed for fingerprints */
@ -133,10 +128,6 @@ If you test it please contact the Dropbear author */
* on x86-64 */ * on x86-64 */
#define DROPBEAR_ECDSA 1 #define DROPBEAR_ECDSA 1
#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
#error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
#endif
/* RSA must be >=1024 */ /* RSA must be >=1024 */
#define DROPBEAR_DEFAULT_RSA_SIZE 2048 #define DROPBEAR_DEFAULT_RSA_SIZE 2048
/* DSS is always 1024 */ /* DSS is always 1024 */
@ -193,6 +184,7 @@ If you test it please contact the Dropbear author */
/* Authentication Types - at least one required. /* Authentication Types - at least one required.
RFC Draft requires pubkey auth, and recommends password */ RFC Draft requires pubkey auth, and recommends password */
#define DROPBEAR_SVR_PASSWORD_AUTH 1
/* Note: PAM auth is quite simple and only works for PAM modules which just do /* Note: PAM auth is quite simple and only works for PAM modules which just do
* a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
@ -200,69 +192,26 @@ If you test it please contact the Dropbear author */
* but there's an interface via a PAM module. It won't work for more complex * but there's an interface via a PAM module. It won't work for more complex
* PAM challenge/response. * PAM challenge/response.
* You can't enable both PASSWORD and PAM. */ * You can't enable both PASSWORD and PAM. */
#define DROPBEAR_SVR_PAM_AUTH 0
/* PAM requires ./configure --enable-pam */ /* ~/.ssh/authorized_keys authentication */
#if defined(HAVE_LIBPAM) && !DROPBEAR_SVR_PASSWORD_AUTH
#define DROPBEAR_SVR_PAM_AUTH 1
#else
#define DROPBEAR_SVR_PAM_AUTH 0
#endif
/* This requires crypt() */
#if defined(HAVE_CRYPT) && !DROPBEAR_SVR_PAM_AUTH
#define DROPBEAR_SVR_PASSWORD_AUTH 1
#else
#define DROPBEAR_SVR_PASSWORD_AUTH 0
#endif
#define DROPBEAR_SVR_PUBKEY_AUTH 1 #define DROPBEAR_SVR_PUBKEY_AUTH 1
#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
#error "At least one server authentication type must be enabled; PUBKEY and PASSWORD are recommended."
#endif
#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
#error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
#endif
#if DROPBEAR_SVR_PAM_AUTH
#if DISABLE_PAM
#error "DROPBEAR_SVR_PAM_AUTH requires 'configure --enable-pam' to succeed."
#endif
#if DROPBEAR_SVR_PASSWORD_AUTH
#error "DROPBEAR_SVR_PASSWORD_AUTH cannot be enabled at the same time as DROPBEAR_SVR_PAM_AUTH."
#endif
#endif
/* Whether to take public key options in /* Whether to take public key options in
* authorized_keys file into account */ * authorized_keys file into account */
#define DROPBEAR_SVR_PUBKEY_OPTIONS 1 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
/* This requires getpass. */ /* Client authentication options */
#ifdef HAVE_GETPASS #define DROPBEAR_CLI_PASSWORD_AUTH 1
#define DROPBEAR_CLI_PASSWORD_AUTH 1
#define DROPBEAR_CLI_INTERACT_AUTH 1
#else
#define DROPBEAR_CLI_PASSWORD_AUTH 0
#define DROPBEAR_CLI_INTERACT_AUTH 0
#endif
#define DROPBEAR_CLI_PUBKEY_AUTH 1 #define DROPBEAR_CLI_PUBKEY_AUTH 1
#if !(DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_PUBKEY_AUTH)
#error "At least one client authentication type must be enabled; PUBKEY and PASSWORD are recommended."
#endif
/* A default argument for dbclient -i <privatekey>. /* A default argument for dbclient -i <privatekey>.
Homedir is prepended unless path begins with / */ Homedir is prepended unless path begins with / */
#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
/* This variable can be used to set a password for client /* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
* authentication on the commandline. Beware of platforms * environment variable. */
* that don't protect environment variables of processes etc. Also #define DROPBEAR_USE_PASSWORD_ENV 1
* note that it will be provided for all "hidden" client-interactive
* style prompts - if you want something more sophisticated, use
* SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
#define DROPBEAR_USE_DROPBEAR_PASSWORD 1
/* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
* a helper program for the ssh client. The helper program should be * a helper program for the ssh client. The helper program should be
@ -271,22 +220,12 @@ Homedir is prepended unless path begins with / */
* return the password on standard output */ * return the password on standard output */
#define DROPBEAR_CLI_ASKPASS_HELPER 0 #define DROPBEAR_CLI_ASKPASS_HELPER 0
#if DROPBEAR_CLI_ASKPASS_HELPER
#define DROPBEAR_CLI_PASSWORD_AUTH 1
#endif
/* Save a network roundtrip by sendng a real auth request immediately after /* Save a network roundtrip by sendng a real auth request immediately after
* sending a query for the available methods. It is at the expense of < 100 * sending a query for the available methods. This is not yet enabled by default
* bytes of extra network traffic. This is not yet enabled by default since it since it could cause problems with non-compliant servers */
* could cause problems with non-compliant servers */ #define DROPBEAR_CLI_IMMEDIATE_AUTH 0
#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
/* Source for randomness. This must be able to provide hundreds of bytes per SSH /* Set this to use PRNGD or EGD instead of /dev/urandom */
* connection without blocking. In addition /dev/random is used for seeding
* rsa/dss key generation */
#define DROPBEAR_URANDOM_DEV "/dev/urandom"
/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
#define DROPBEAR_USE_PRNGD 0 #define DROPBEAR_USE_PRNGD 0
#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
@ -311,11 +250,11 @@ Homedir is prepended unless path begins with / */
* "-q" for quiet */ * "-q" for quiet */
#define XAUTH_COMMAND "/usr/bin/xauth -q" #define XAUTH_COMMAND "/usr/bin/xauth -q"
#define DROPBEAR_SFTPSERVER 1
/* if you want to enable running an sftp server (such as the one included with /* if you want to enable running an sftp server (such as the one included with
* OpenSSH), set the path below. If the path isn't defined, sftp will not * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER.
* be enabled */ * The sftp-server program is not provided by Dropbear itself */
#define DROPBEAR_SFTPSERVER 1
#define SFTPSERVER_PATH "/usr/libexec/sftp-server" #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
/* This is used by the scp binary when used as a client binary. If you're /* This is used by the scp binary when used as a client binary. If you're
@ -358,8 +297,4 @@ be overridden at runtime with -I. 0 disables idle timeouts */
/* The default path. This will often get replaced by the shell */ /* The default path. This will often get replaced by the shell */
#define DEFAULT_PATH "/usr/bin:/bin" #define DEFAULT_PATH "/usr/bin:/bin"
/* Include verbose debug output, enabled with -v at runtime.
* This will add a reasonable amount to your executable size. */
#define DEBUG_TRACE 0
#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */ #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
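Review bot: Client password auth is now enabled unconditionally, because the `#ifdef HAVE_GETPASS` fallback that set `DROPBEAR_CLI_PASSWORD_AUTH` and `DROPBEAR_CLI_INTERACT_AUTH` to 0 is removed, and the `#error` requiring at least one client authentication type is removed with it. The checks added to the last file of this commit cover crypt(), PAM, server auth types, ciphers and host keys, but none of the visible added lines covers getpass or the client auth types, so a misconfigured client build would no longer be stopped at the preprocessor stage (the check may exist outside the hunks shown). Consider carrying the removed check over next to the server one: `#if !(DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_PUBKEY_AUTH)`, then the original `#error "At least one client authentication type must be enabled; PUBKEY and PASSWORD are recommended."`, then `#endif`.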


@ -23,7 +23,11 @@
#define AUTH_TIMEOUT 300 /* we choose 5 minutes */ #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
#endif #endif
#define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS)) #define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
#if !(NON_INETD_MODE || INETD_MODE)
#error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
#endif
/* A client should try and send an initial key exchange packet guessing /* A client should try and send an initial key exchange packet guessing
* the algorithm that will match - saves a round trip connecting, has little * the algorithm that will match - saves a round trip connecting, has little
@ -205,6 +209,39 @@
#error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h" #error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
#endif #endif
/* PAM requires ./configure --enable-pam */
#if !defined(HAVE_LIBPAM) && DROPBEAR_SVR_PAM_AUTH
#error "DROPBEAR_SVR_PATM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?"
#endif
#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
#error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
#endif
#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
#error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended."
#endif
#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
|| DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
#error "At least one encryption algorithm must be enabled. AES128 is recommended."
#endif
#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
#error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
#endif
/* Source for randomness. This must be able to provide hundreds of bytes per SSH
* connection without blocking. */
#ifndef DROPBEAR_URANDOM_DEV
#define DROPBEAR_URANDOM_DEV "/dev/urandom"
#endif
/* client keyboard interactive authentication is often used for password auth.
rfc4256 */
#define DROPBEAR_CLI_INTERACT_AUTH (DROPBEAR_CLI_PASSWORD_AUTH)
/* We use dropbear_client and dropbear_server as shortcuts to avoid redundant /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
* code, if we're just compiling as client or server */ * code, if we're just compiling as client or server */
#if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT) #if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT)
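Review bot: The new `#error` text for the PAM check misspells the option as `DROPBEAR_SVR_PATM_AUTH`, so a builder who hits the error cannot search for the macro it names; it should read `#error "DROPBEAR_SVR_PAM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?"`. In the same hunk, `#define DROPBEAR_CLI_INTERACT_AUTH (DROPBEAR_CLI_PASSWORD_AUTH)` is unguarded, while the options template previously offered `DROPBEAR_CLI_INTERACT_AUTH` as a user-settable option, so an existing local override would now collide with this definition. A one-line comment such as `/* Derived from DROPBEAR_CLI_PASSWORD_AUTH; not independently configurable. */` would make the change of contract explicit.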