diff options
| author | Michael Witten <mfwitten@gmail.com> | 2017-07-20 19:38:26 +0000 |
|---|---|---|
| committer | Michael Witten <mfwitten@gmail.com> | 2017-07-20 19:38:26 +0000 |
| commit | 9530d2e5d42c7cfe319e071906dea93957882653 (patch) | |
| tree | cd5326daf724a419368e0eb2fbdd8f14eb4b0f1f | |
| parent | efb17566cd56ef96a7839c0e10cecdc6d7561793 (diff) | |
| download | dropbear-9530d2e5d42c7cfe319e071906dea93957882653.tar.gz | |
options: Complete the transition to numeric toggles (`#if')
For the sake of review, this commit alters only the code; the affiliated
comments within the source files also need to be updated, but doing so
now would obscure the operational changes that have been made here.
* All on/off options have been switched to the numeric `#if' variant;
that is the only way to make this `default_options.h.in' thing work
in a reasonable manner.
* There is now some very minor compile-time checking of the user's
choice of options.
* NO_FAST_EXPTMOD doesn't seem to be used, so it has been removed.
* ENABLE_USER_ALGO_LIST was supposed to be renamed DROPBEAR_USER_ALGO_LIST,
and this commit completes that work.
* DROPBEAR_FUZZ seems to be a relatively new, as-yet undocumented option,
which was added by the following commit:
commit 6e0b539e9ca0b5628c6c5a3d118ad6a2e79e8039
Author: Matt Johnston <matt@ucc.asn.au>
Date: Tue May 23 22:29:21 2017 +0800
split out checkpubkey_line() separately
It has now been added to `sysoptions.h' and defined as `0' by default.
* The configuration option `DROPBEAR_PASSWORD_ENV' is no longer listed in
`default_options.h.in'; it is no longer meant to be set by the user, and
is instead left to be defined in `sysoptions.h' (where it was already being
defined) as merely the name of the environment variable in question:
DROPBEAR_PASSWORD
To enable or disable use of that environment variable, the user must now
toggle `DROPBEAR_USE_DROPBEAR_PASSWORD'.
* The sFTP support is now toggled by setting `DROPBEAR_SFTPSERVER', and the
path of the sFTP server program is set independently through the usual
SFTPSERVER_PATH.
| -rw-r--r-- | Makefile.in | 2 | ||||
| -rw-r--r-- | cli-auth.c | 4 | ||||
| -rw-r--r-- | cli-runopts.c | 4 | ||||
| -rw-r--r-- | dbrandom.c | 8 | ||||
| -rw-r--r-- | dbutil.c | 2 | ||||
| -rw-r--r-- | dbutil.h | 2 | ||||
| -rw-r--r-- | default_options.h.in | 78 | ||||
| -rw-r--r-- | keyimport.c | 4 | ||||
| -rw-r--r-- | libtomcrypt/src/headers/tomcrypt_custom.h | 4 | ||||
| -rw-r--r-- | netio.c | 2 | ||||
| -rw-r--r-- | runopts.h | 2 | ||||
| -rw-r--r-- | signkey.c | 6 | ||||
| -rw-r--r-- | svr-authpubkeyoptions.c | 2 | ||||
| -rw-r--r-- | svr-chansession.c | 8 | ||||
| -rw-r--r-- | svr-main.c | 12 | ||||
| -rw-r--r-- | svr-runopts.c | 10 | ||||
| -rw-r--r-- | svr-tcpfwd.c | 2 | ||||
| -rw-r--r-- | sysoptions.h | 2 |
18 files changed, 100 insertions, 54 deletions
diff --git a/Makefile.in b/Makefile.in index 8c2b7c7..8c9fbfe 100644 --- a/Makefile.in +++ b/Makefile.in @@ -20,7 +20,7 @@ LIBTOM_LIBS=@LIBTOM_LIBS@ ifeq (@BUNDLED_LIBTOM@, 1) LIBTOM_DEPS=$(STATIC_LTC) $(STATIC_LTM) CFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/ -LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM) +LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM) endif ifneq ($(wildcard localoptions.h),) @@ -60,9 +60,11 @@ void cli_auth_getmethods() { */ if (ses.keys->trans.algo_comp != DROPBEAR_COMP_ZLIB_DELAY) { ses.authstate.authtypes = AUTH_TYPE_PUBKEY; +#if DROPBEAR_USE_DROPBEAR_PASSWORD if (getenv(DROPBEAR_PASSWORD_ENV)) { ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT; } +#endif if (cli_auth_try() == DROPBEAR_SUCCESS) { TRACE(("skipped initial none auth query")) /* Note that there will be two auth responses in-flight */ @@ -335,7 +337,7 @@ char* getpass_or_cancel(const char* prompt) { char* password = NULL; -#ifdef DROPBEAR_PASSWORD_ENV +#if DROPBEAR_USE_DROPBEAR_PASSWORD /* Password provided in an environment var */ password = getenv(DROPBEAR_PASSWORD_ENV); if (password) diff --git a/cli-runopts.c b/cli-runopts.c index d69a719..abcfc9f 100644 --- a/cli-runopts.c +++ b/cli-runopts.c @@ -306,10 +306,10 @@ void cli_getopts(int argc, char ** argv) { case 'm': #endif case 'D': -#ifndef DROPBEAR_CLI_REMOTETCPFWD +#if !DROPBEAR_CLI_REMOTETCPFWD case 'R': #endif -#ifndef DROPBEAR_CLI_LOCALTCPFWD +#if !DROPBEAR_CLI_LOCALTCPFWD case 'L': #endif case 'V': @@ -59,7 +59,7 @@ process_file(hash_state *hs, const char *filename, unsigned int readcount; int ret = DROPBEAR_FAILURE; -#ifdef DROPBEAR_PRNGD_SOCKET +#if DROPBEAR_USE_PRNGD if (prngd) { readfd = connect_unix(filename); @@ -107,7 +107,7 @@ process_file(hash_state *hs, const char *filename, wantread = MIN(sizeof(readbuf), len-readcount); } -#ifdef DROPBEAR_PRNGD_SOCKET +#if DROPBEAR_USE_PRNGD if (prngd) { char egdcmd[2]; @@ -157,7 +157,7 @@ void addrandom(const unsigned char * buf, unsigned int len) static void write_urandom() { -#ifndef DROPBEAR_PRNGD_SOCKET +#if !DROPBEAR_USE_PRNGD /* This is opportunistic, don't worry about failure */ unsigned char buf[INIT_SEED_SIZE]; FILE *f = fopen(DROPBEAR_URANDOM_DEV, "w"); @@ -185,7 +185,7 @@ void seedrandom() { /* existing state */ sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); -#ifdef DROPBEAR_PRNGD_SOCKET +#if DROPBEAR_USE_PRNGD if (process_file(&hs, DROPBEAR_PRNGD_SOCKET, INIT_SEED_SIZE, 1) != DROPBEAR_SUCCESS) { dropbear_exit("Failure reading random device %s", @@ -214,7 +214,7 @@ void dropbear_trace2(const char* format, ...) { #endif /* DEBUG_TRACE */ /* Connect to a given unix socket. The socket is blocking */ -#ifdef ENABLE_CONNECT_UNIX +#if ENABLE_CONNECT_UNIX int connect_unix(const char* path) { struct sockaddr_un addr; int fd = -1; @@ -59,7 +59,7 @@ char * stripcontrol(const char * text); int spawn_command(void(*exec_fn)(const void *user_data), const void *exec_data, int *writefd, int *readfd, int *errfd, pid_t *pid); void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell); -#ifdef ENABLE_CONNECT_UNIX +#if ENABLE_CONNECT_UNIX int connect_unix(const char* addr); #endif int buf_readfile(buffer* buf, const char* filename); diff --git a/default_options.h.in b/default_options.h.in index 95097ac..3e7052f 100644 --- a/default_options.h.in +++ b/default_options.h.in @@ -36,10 +36,9 @@ IMPORTANT: Many options will require "make clean" after changes */ #define NON_INETD_MODE 1 #define INETD_MODE 1 -/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is - * perhaps 20% slower for pubkey operations (it is probably worth experimenting - * if you want to use this) */ -/*#define NO_FAST_EXPTMOD*/ +#if !(NON_INETD_MODE || INETD_MODE) + #error "NON_INETD_MODE or INETD_MODE (or both) must be enabled." +#endif /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save several kB in binary size however will make the symmetrical ciphers and hashes @@ -77,7 +76,7 @@ much traffic. */ #define DROPBEAR_CLI_NETCAT 1 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ -#define ENABLE_USER_ALGO_LIST 1 +#define DROPBEAR_USER_ALGO_LIST 1 /* Encryption - at least one required. * Protocol RFC requires 3DES and recommends AES128 for interoperability. @@ -86,10 +85,15 @@ much traffic. */ #define DROPBEAR_AES128 1 #define DROPBEAR_3DES 1 #define DROPBEAR_AES256 1 -/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ -/*#define DROPBEAR_BLOWFISH*/ #define DROPBEAR_TWOFISH256 1 #define DROPBEAR_TWOFISH128 1 +/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ +#define DROPBEAR_BLOWFISH 0 + +#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \ + || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128) + #error "At least one encryption algorithm must be enabled; 3DES and AES128 are recommended." +#endif /* Enable CBC mode for ciphers. This has security issues though * is the most compatible with older SSH implementations */ @@ -129,6 +133,10 @@ If you test it please contact the Dropbear author */ * on x86-64 */ #define DROPBEAR_ECDSA 1 +#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA) + #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended." +#endif + /* RSA must be >=1024 */ #define DROPBEAR_DEFAULT_RSA_SIZE 2048 /* DSS is always 1024 */ @@ -193,27 +201,57 @@ If you test it please contact the Dropbear author */ * PAM challenge/response. * You can't enable both PASSWORD and PAM. */ +/* PAM requires ./configure --enable-pam */ +#if defined(HAVE_LIBPAM) && !DROPBEAR_SVR_PASSWORD_AUTH + #define DROPBEAR_SVR_PAM_AUTH 1 +#else + #define DROPBEAR_SVR_PAM_AUTH 0 +#endif + /* This requires crypt() */ -#ifdef HAVE_CRYPT -#define DROPBEAR_SVR_PASSWORD_AUTH 1 +#if defined(HAVE_CRYPT) && !DROPBEAR_SVR_PAM_AUTH + #define DROPBEAR_SVR_PASSWORD_AUTH 1 #else -#define DROPBEAR_SVR_PASSWORD_AUTH 0 + #define DROPBEAR_SVR_PASSWORD_AUTH 0 #endif -/* PAM requires ./configure --enable-pam */ -#define DROPBEAR_SVR_PAM_AUTH 0 + #define DROPBEAR_SVR_PUBKEY_AUTH 1 +#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH) + #error "At least one server authentication type must be enabled; PUBKEY and PASSWORD are recommended." +#endif + +#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT + #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'." +#endif + +#if DROPBEAR_SVR_PAM_AUTH + #if DISABLE_PAM + #error "DROPBEAR_SVR_PAM_AUTH requires 'configure --enable-pam' to succeed." + #endif + #if DROPBEAR_SVR_PASSWORD_AUTH + #error "DROPBEAR_SVR_PASSWORD_AUTH cannot be enabled at the same time as DROPBEAR_SVR_PAM_AUTH." + #endif +#endif + /* Whether to take public key options in * authorized_keys file into account */ #define DROPBEAR_SVR_PUBKEY_OPTIONS 1 /* This requires getpass. */ #ifdef HAVE_GETPASS -#define DROPBEAR_CLI_PASSWORD_AUTH 1 -#define DROPBEAR_CLI_INTERACT_AUTH 1 + #define DROPBEAR_CLI_PASSWORD_AUTH 1 + #define DROPBEAR_CLI_INTERACT_AUTH 1 +#else + #define DROPBEAR_CLI_PASSWORD_AUTH 0 + #define DROPBEAR_CLI_INTERACT_AUTH 0 #endif #define DROPBEAR_CLI_PUBKEY_AUTH 1 +#if !(DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_PUBKEY_AUTH) + #error "At least one client authentication type must be enabled; PUBKEY and PASSWORD are recommended." +#endif + /* A default argument for dbclient -i <privatekey>. Homedir is prepended unless path begins with / */ #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" @@ -224,7 +262,7 @@ Homedir is prepended unless path begins with / */ * note that it will be provided for all "hidden" client-interactive * style prompts - if you want something more sophisticated, use * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ -#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" +#define DROPBEAR_USE_DROPBEAR_PASSWORD 1 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of * a helper program for the ssh client. The helper program should be @@ -233,6 +271,10 @@ Homedir is prepended unless path begins with / */ * return the password on standard output */ #define DROPBEAR_CLI_ASKPASS_HELPER 0 +#if DROPBEAR_CLI_ASKPASS_HELPER + #define DROPBEAR_CLI_PASSWORD_AUTH 1 +#endif + /* Save a network roundtrip by sendng a real auth request immediately after * sending a query for the available methods. It is at the expense of < 100 * bytes of extra network traffic. This is not yet enabled by default since it @@ -245,8 +287,8 @@ Homedir is prepended unless path begins with / */ #define DROPBEAR_URANDOM_DEV "/dev/urandom" /* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */ -/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ - +#define DROPBEAR_USE_PRNGD 0 +#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" /* Specify the number of clients we will allow to be connected but * not yet authenticated. After this limit, connections are rejected */ @@ -269,6 +311,8 @@ Homedir is prepended unless path begins with / */ * "-q" for quiet */ #define XAUTH_COMMAND "/usr/bin/xauth -q" +#define DROPBEAR_SFTPSERVER 1 + /* if you want to enable running an sftp server (such as the one included with * OpenSSH), set the path below. If the path isn't defined, sftp will not * be enabled */ diff --git a/keyimport.c b/keyimport.c index e44ee56..ea3164c 100644 --- a/keyimport.c +++ b/keyimport.c @@ -870,7 +870,7 @@ static int openssh_write(const char *filename, sign_key *key, */ numbers[0].start = zero; numbers[0].bytes = 1; zero[0] = '\0'; - #ifdef DROPBEAR_RSA + #if DROPBEAR_RSA if (key->type == DROPBEAR_SIGNKEY_RSA) { if (key->rsakey->p == NULL || key->rsakey->q == NULL) { @@ -966,7 +966,7 @@ static int openssh_write(const char *filename, sign_key *key, } #endif /* DROPBEAR_RSA */ - #ifdef DROPBEAR_DSS + #if DROPBEAR_DSS if (key->type == DROPBEAR_SIGNKEY_DSS) { /* p */ diff --git a/libtomcrypt/src/headers/tomcrypt_custom.h b/libtomcrypt/src/headers/tomcrypt_custom.h index e58de71..b7bd20c 100644 --- a/libtomcrypt/src/headers/tomcrypt_custom.h +++ b/libtomcrypt/src/headers/tomcrypt_custom.h @@ -68,8 +68,8 @@ #define LTC_NO_MODES #define LTC_NO_HASHES #define LTC_NO_MACS - #define LTC_NO_PRNGS - #define LTC_NO_PK + #define LTC_NO_PRNGS + #define LTC_NO_PK #define LTC_NO_PKCS #define LTC_NO_MISC #endif /* LTC_NOTHING */ @@ -613,7 +613,7 @@ void getaddrstring(struct sockaddr_storage* addr, int flags = NI_NUMERICSERV | NI_NUMERICHOST; -#ifndef DO_HOST_LOOKUP +#if !DO_HOST_LOOKUP host_lookup = 0; #endif @@ -86,7 +86,7 @@ typedef struct svr_runopts { int ipv6; */ -#ifdef DO_MOTD +#if DO_MOTD /* whether to print the MOTD */ int domotd; #endif @@ -78,13 +78,13 @@ enum signkey_type signkey_type_from_name(const char* name, unsigned int namelen) #if DROPBEAR_ECDSA /* Some of the ECDSA key sizes are defined even if they're not compiled in */ if (0 -#ifndef DROPBEAR_ECC_256 +#if !DROPBEAR_ECC_256 || i == DROPBEAR_SIGNKEY_ECDSA_NISTP256 #endif -#ifndef DROPBEAR_ECC_384 +#if !DROPBEAR_ECC_384 || i == DROPBEAR_SIGNKEY_ECDSA_NISTP384 #endif -#ifndef DROPBEAR_ECC_521 +#if !DROPBEAR_ECC_521 || i == DROPBEAR_SIGNKEY_ECDSA_NISTP521 #endif ) { diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c index d08fc2c..19f07b9 100644 --- a/svr-authpubkeyoptions.c +++ b/svr-authpubkeyoptions.c @@ -100,7 +100,7 @@ void svr_pubkey_set_forced_command(struct ChanSess *chansess) { chansess->original_command = m_strdup(""); } chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command); -#ifdef LOG_COMMANDS +#if LOG_COMMANDS dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command); #endif } diff --git a/svr-chansession.c b/svr-chansession.c index 5542ad1..cdc6e94 100644 --- a/svr-chansession.c +++ b/svr-chansession.c @@ -663,7 +663,7 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess, } } if (issubsys) { -#ifdef SFTPSERVER_PATH +#if DROPBEAR_SFTPSERVER if ((cmdlen == 4) && strncmp(chansess->cmd, "sftp", 4) == 0) { m_free(chansess->cmd); chansess->cmd = m_strdup(SFTPSERVER_PATH); @@ -687,7 +687,7 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess, } -#ifdef LOG_COMMANDS +#if LOG_COMMANDS if (chansess->cmd) { dropbear_log(LOG_INFO, "User %s executing '%s'", ses.authstate.pw_name, chansess->cmd); @@ -774,7 +774,7 @@ static int ptycommand(struct Channel *channel, struct ChanSess *chansess) { pid_t pid; struct logininfo *li = NULL; -#ifdef DO_MOTD +#if DO_MOTD buffer * motdbuf = NULL; int len; struct stat sb; @@ -826,7 +826,7 @@ static int ptycommand(struct Channel *channel, struct ChanSess *chansess) { login_login(li); login_free_entry(li); -#ifdef DO_MOTD +#if DO_MOTD if (svr_opts.domotd && !chansess->cmd) { /* don't show the motd if ~/.hushlogin exists */ @@ -35,10 +35,10 @@ static size_t listensockets(int *sock, size_t sockcount, int *maxfd); static void sigchld_handler(int dummy); static void sigsegv_handler(int); static void sigintterm_handler(int fish); -#ifdef INETD_MODE +#if INETD_MODE static void main_inetd(void); #endif -#ifdef NON_INETD_MODE +#if NON_INETD_MODE static void main_noinetd(void); #endif static void commonsetup(void); @@ -58,7 +58,7 @@ int main(int argc, char ** argv) /* get commandline options */ svr_getopts(argc, argv); -#ifdef INETD_MODE +#if INETD_MODE /* service program mode */ if (svr_opts.inetdmode) { main_inetd(); @@ -66,7 +66,7 @@ int main(int argc, char ** argv) } #endif -#ifdef NON_INETD_MODE +#if NON_INETD_MODE main_noinetd(); /* notreached */ #endif @@ -76,7 +76,7 @@ int main(int argc, char ** argv) } #endif -#ifdef INETD_MODE +#if INETD_MODE static void main_inetd() { char *host, *port = NULL; @@ -103,7 +103,7 @@ static void main_inetd() { } #endif /* INETD_MODE */ -#ifdef NON_INETD_MODE +#if NON_INETD_MODE static void main_noinetd() { fd_set fds; unsigned int i, j; diff --git a/svr-runopts.c b/svr-runopts.c index cca5562..3d97023 100644 --- a/svr-runopts.c +++ b/svr-runopts.c @@ -64,7 +64,7 @@ static void printhelp(const char * progname) { #else "-E Log to stderr rather than syslog\n" #endif -#ifdef DO_MOTD +#if DO_MOTD "-m Don't display the motd on login\n" #endif "-w Disallow root logins\n" @@ -88,7 +88,7 @@ static void printhelp(const char * progname) { " (default port is %s if none specified)\n" "-P PidFile Create pid file PidFile\n" " (default %s)\n" -#ifdef INETD_MODE +#if INETD_MODE "-i Start for inetd\n" #endif "-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n" @@ -156,7 +156,7 @@ void svr_getopts(int argc, char ** argv) { opts.ipv4 = 1; opts.ipv6 = 1; */ -#ifdef DO_MOTD +#if DO_MOTD svr_opts.domotd = 1; #endif #ifndef DISABLE_SYSLOG @@ -210,7 +210,7 @@ void svr_getopts(int argc, char ** argv) { opts.listen_fwd_all = 1; break; #endif -#ifdef INETD_MODE +#if INETD_MODE case 'i': svr_opts.inetdmode = 1; break; @@ -221,7 +221,7 @@ void svr_getopts(int argc, char ** argv) { case 'P': next = &svr_opts.pidfile; break; -#ifdef DO_MOTD +#if DO_MOTD /* motd is displayed by default, -m turns it off */ case 'm': svr_opts.domotd = 0; diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c index 480beb6..16d0859 100644 --- a/svr-tcpfwd.c +++ b/svr-tcpfwd.c @@ -35,7 +35,7 @@ #include "auth.h" #include "netio.h" -#ifndef DROPBEAR_SVR_REMOTETCPFWD +#if !DROPBEAR_SVR_REMOTETCPFWD /* This is better than SSH_MSG_UNIMPLEMENTED */ void recv_msg_global_request_remotetcp() { diff --git a/sysoptions.h b/sysoptions.h index 7aa1314..bf88cf3 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -192,7 +192,7 @@ #define DROPBEAR_CLI_MULTIHOP ((DROPBEAR_CLI_NETCAT) && (DROPBEAR_CLI_PROXYCMD)) -#define ENABLE_CONNECT_UNIX ((DROPBEAR_CLI_AGENTFWD) || (DROPBEAR_PRNGD_SOCKET)) +#define ENABLE_CONNECT_UNIX ((DROPBEAR_CLI_AGENTFWD) || (DROPBEAR_USE_PRNGD)) /* if we're using authorized_keys or known_hosts */ #define DROPBEAR_KEY_LINES ((DROPBEAR_CLIENT) || (DROPBEAR_SVR_PUBKEY_AUTH)) |