The unified diff between revisions [598835da..] and [7ad1775e..] is displayed below. It can also be downloaded as a raw diff.
This diff has been restricted to the following files: 'options.h'
# # # patch "options.h" # from [6b6c0e1d871782f0f3bcfd50e4e18364eae33c91] # to [c365717890e92696dd8e3f5821531993ec37ff35] # ============================================================
--- options.h 6b6c0e1d871782f0f3bcfd50e4e18364eae33c91
+++ options.h c365717890e92696dd8e3f5821531993ec37ff35
@@ -128,11 +128,12 @@ etc) slower (perhaps by 50%). Recommende
  * You can't enable both PASSWORD and PAM. */
 #define ENABLE_SVR_PASSWORD_AUTH
-/*#define ENABLE_SVR_PAM_AUTH*/
+/* #define ENABLE_SVR_PAM_AUTH */ /* requires ./configure --enable-pam */
 #define ENABLE_SVR_PUBKEY_AUTH
 #define ENABLE_CLI_PASSWORD_AUTH
 #define ENABLE_CLI_PUBKEY_AUTH
+#define ENABLE_CLI_INTERACT_AUTH
 /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
  * a helper program for the ssh client. The helper program should be
@@ -160,6 +161,13 @@ etc) slower (perhaps by 50%). Recommende
 /* Specify the number of clients we will allow to be connected but
  * not yet authenticated. After this limit, connections are rejected */
+/* The first setting is per-IP, to avoid denial of service */
+#ifndef MAX_UNAUTH_PER_IP
+#define MAX_UNAUTH_PER_IP 5
+#endif
+
+/* And then a global limit to avoid chewing memory if connections
+ * come from many IPs */
 #ifndef MAX_UNAUTH_CLIENTS
 #define MAX_UNAUTH_CLIENTS 30
 #endif
@@ -199,7 +207,7 @@ etc) slower (perhaps by 50%). Recommende
  *******************************************************************/
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "0.46"
+#define DROPBEAR_VERSION "0.48"
 #endif
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
@@ -244,6 +252,8 @@ etc) slower (perhaps by 50%). Recommende
 #define _PATH_TTY "/dev/tty"
+#define _PATH_CP "/bin/cp"
+
 /* Timeouts in seconds */
 #define SELECT_TIMEOUT 20
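Review bot: The new MAX_UNAUTH_PER_IP default of 5 in the second hunk is a hard cap per source address, so clients that share one address (a NAT gateway, a jump host) compete for the same five pre-auth slots, and the comment only says the limit avoids denial of service. The #ifndef guard already lets a build override it, so a sentence saying so would help operators tune it: `/* Clients behind a shared address (NAT) count against the same limit; override at build time if 5 is too low */`. It is worth confirming in the code that consumes these limits, which is not in this diff, that a rejected connection is logged, since a burst of per-IP rejections is the signal an operator would want to see.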
@@ -278,7 +288,7 @@ etc) slower (perhaps by 50%). Recommende
 #define MAX_MAC_LEN SHA1_HASH_SIZE
-#define MAX_KEY_LEN 24 /* 3DES requires a 24 byte key */
+#define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
 #define MAX_IV_LEN 20 /* must be same as max blocksize, and >= SHA1_HASH_SIZE */
 #define MAX_MAC_KEY 20
@@ -305,16 +315,24 @@ etc) slower (perhaps by 50%). Recommende
 #define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also is the max length for a password etc */
-/* For a 4096 bit DSS key, empirically determined to be 1590 bytes */
-#define MAX_PUBKEY_SIZE 1600
-/* For a 4096 bit DSS key, empirically determined to be 1590 bytes */
-#define MAX_PRIVKEY_SIZE 1600
+/* For a 4096 bit DSS key, empirically determined */
+#define MAX_PUBKEY_SIZE 1700
+/* For a 4096 bit DSS key, empirically determined */
+#define MAX_PRIVKEY_SIZE 1700
+/* The maximum size of the bignum portion of the kexhash buffer */
+/* Sect. 8 of the transport draft, K_S + e + f + K */
+#define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
+
 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit in a few years time.... */
 #define DROPBEAR_MAX_CLI_PASS 1024
+#define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll accept for keyb-interactive auth */
+
 #if defined(DROPBEAR_AES256_CBC) || defined(DROPBEAR_AES128_CBC)
 #define DROPBEAR_AES_CBC
 #endif
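Review bot: KEXHASHBUF_MAX_INTS in the second hunk repeats the literal 1700 that MAX_PUBKEY_SIZE is raised to two lines above it, so the next bump of MAX_PUBKEY_SIZE silently leaves the kexhash bound behind; the comment says this value sizes a buffer, so an undersized bound would become a length problem wherever it is consumed (that code is not in this diff). Define it in terms of the macro instead: `#define KEXHASHBUF_MAX_INTS (MAX_PUBKEY_SIZE + 130 + 130 + 130) /* K_S + e + f + K */`. The three 130s are also unexplained; a comment stating what size each of e, f and K is assumed to fit in would let a reader check the arithmetic against the referenced draft section. MAX_PRIVKEY_SIZE duplicates the same 1700 rather than sharing it, as the two did with 1600 before this change.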