sync/ports
1
0
Fork 0
mirror of https://git.freebsd.org/ports.git synced 2025-06-03 20:06:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Fix and update HPN patch to latest from upstream but leave it off by

Browse source 
default.
- Add an 'hpn' FLAVOR to produce a package for users with HPN and
  NONECIPHER enabled.

Approved by:	portmgr (implicit)
This commit is contained in:
Bryan Drewery 2018-06-28 03:38:32 +00:00
parent 66e2bc4899
commit 877e47208a
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=473485
3 changed files with 308 additions and 283 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
security/openssh-portable/Makefile
View file

@ -3,7 +3,7 @@
PORTNAME= openssh
DISTVERSION= 7.7p1
PORTREVISION= 4
PORTREVISION= 5
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable
@ -29,10 +29,18 @@ ETCOLD= ${PREFIX}/etc
BROKEN_SSL= openssl-devel
BROKEN_SSL_REASON_openssl-devel= error: OpenSSL >= 1.1.0 is not yet supported
FLAVORS= default hpn
default_CONFLICTS_INSTALL= openssl-portable-hpn-[0-9]*
hpn_CONFLICTS_INSTALL= openssh-portable-[0-9]*
hpn_PKGNAMESUFFIX= -portable-hpn
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
HPN X509 KERB_GSSAPI \
LDNS NONECIPHER XMSS
OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS
.if ${FLAVOR:U} == hpn
OPTIONS_DEFAULT+= HPN NONECIPHER
.endif
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= tcp_wrappers support
@ -57,7 +65,6 @@ LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns
LDNS_CFLAGS= -I${LOCALBASE}/include
LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib'
# http://www.psc.edu/index.php/hpn-ssh
HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
@ -103,12 +110,12 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
PATCHFILES+= openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex
.endif
# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
# https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
BROKEN= HPN: Not yet updated for ${DISTVERSION} and disabled in base
#BROKEN= HPN: Not yet updated for ${DISTVERSION} and disabled in base
PORTDOCS+= HPN-README
HPN_VERSION= 14v5
HPN_DISTVERSION= 6.7p1
HPN_VERSION= 14v15
HPN_DISTVERSION= 7.7p1
#PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
#PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2

548
security/openssh-portable/files/extra-patch-hpn
View file

@ -131,11 +131,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ (tasota@gmail.com) an NSF REU grant recipient for 2013.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
--- work.clean/openssh-6.8p1/channels.c 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/channels.c 2015-04-03 15:51:59.599537000 -0500
@@ -183,8 +183,14 @@
static int connect_next(struct channel_connect *);
static void channel_connect_ctx_free(struct channel_connect *);
--- work/openssh-7.7p1/channels.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/channels.c 2018-06-27 16:37:07.663857000 -0700
@@ -215,6 +215,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
/* Setup helper */
static void channel_handler_init(struct ssh_channels *sc);
+
+#ifdef HPN_ENABLED
@ -145,25 +145,23 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+
/* -- channel core */
Channel *
channel_by_id(int id)
{
@@ -333,6 +339,9 @@
void
@@ -391,6 +397,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
c->local_window = window;
c->local_window_max = window;
c->local_consumed = 0;
c->local_maxpacket = maxpack;
+#ifdef HPN_ENABLED
+ c->dynamic_window = 0;
+#endif
c->remote_id = -1;
c->remote_name = xstrdup(remote_name);
c->remote_window = 0;
@@ -837,11 +846,41 @@
FD_SET(c->sock, writeset);
c->ctl_chan = -1;
c->delayed = 1; /* prevent call to channel_post handler */
@@ -977,6 +986,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
FD_SET(c->sock, writeset);
}
+#ifdef HPN_ENABLED
+static u_int
+static int
+channel_tcpwinsz(void)
+{
+ u_int32_t tcpwinsz = 0;
@ -172,56 +170,60 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+
+ /* if we aren't on a socket return 128KB */
+ if (!packet_connection_is_on_socket())
+ return (128*1024);
+ return 128 * 1024;
+
+ ret = getsockopt(packet_get_connection_in(),
+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
+ /* return no more than SSHBUF_SIZE_MAX */
+ if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX)
+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
+ /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
+ if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
+ tcpwinsz = SSHBUF_SIZE_MAX;
+ debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
+ packet_get_connection_in());
+ return (tcpwinsz);
+
+ debug2("tcpwinsz: tcp connection %d, Receive window: %d",
+ packet_get_connection_in(), tcpwinsz);
+ return tcpwinsz;
+}
+#endif
+
static void
channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
{
u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
+#ifdef HPN_ENABLED
+ /* check buffer limits */
+ if (!c->tcpwinsz || c->dynamic_window > 0)
+ c->tcpwinsz = channel_tcpwinsz();
+
+ limit = MIN(limit, 2 * c->tcpwinsz);
+#endif
+
if (c->istate == CHAN_INPUT_OPEN &&
limit > 0 &&
buffer_len(&c->input) < limit &&
@@ -1846,6 +1885,20 @@
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
@@ -2074,21 +2107,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
+ u_int addition = 0;
+#ifdef HPN_ENABLED
+ u_int32_t tcpwinsz = channel_tcpwinsz();
+ /* adjust max window size if we are in a dynamic environment */
+ if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
+ u_int addition = 0;
+
+ /*
+ * grow the window somewhat aggressively to maintain
+ * pressure
+ */
+ addition = 1.5*(c->tcpwinsz - c->local_window_max);
+ if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
+ /* grow the window somewhat aggressively to maintain pressure */
+ addition = 1.5 * (tcpwinsz - c->local_window_max);
+ c->local_window_max += addition;
+ c->local_consumed += addition;
+ debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
+ }
+#endif
packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
packet_put_int(c->remote_id);
packet_put_int(c->local_consumed);
@@ -2794,6 +2847,17 @@
if (!c->have_remote_id)
fatal(":%s: channel %d: no remote id",
__func__, c->self);
if ((r = sshpkt_start(ssh,
SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
(r = sshpkt_send(ssh)) != 0) {
fatal("%s: channel %i: %s", __func__,
c->self, ssh_err(r));
}
debug2("channel %d: window %d sent adjust %d",
c->self, c->local_window,
- c->local_consumed);
- c->local_window += c->local_consumed;
+ c->local_consumed + addition);
+ c->local_window += c->local_consumed + addition;
c->local_consumed = 0;
}
return 1;
@@ -3258,6 +3302,17 @@ channel_fwd_bind_addr(const char *listen_addr, int *wi
return addr;
}
@ -237,9 +239,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif
+
static int
channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
int *allocated_listen_port, struct ForwardOptions *fwd_opts)
@@ -2918,9 +2982,20 @@
channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
struct Forward *fwd, int *allocated_listen_port,
@@ -3398,6 +3453,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int
}
/* Allocate a channel number for the socket. */
@ -249,136 +251,111 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ * window size.
+ */
+ if (!hpn_disabled)
+ c = channel_new("port listener", type, sock, sock, -1,
+ c = channel_new(ssh, "port listener", type, sock, sock, -1,
+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1);
+ else
+#endif
c = channel_new("port listener", type, sock, sock, -1,
c = channel_new(ssh, "port listener", type, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
0, "port listener", 1);
c->path = xstrdup(host);
c->host_port = fwd->connect_port;
c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
@@ -3952,6 +4027,14 @@
@@ -4457,6 +4523,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
for (n = 0; n < num_socks; n++) {
sock = socks[n];
+#ifdef HPN_ENABLED
+ if (!hpn_disabled)
+ nc = channel_new("x11 listener",
+ nc = channel_new(ssh, "x11 listener",
+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
+ 0, "X11 inet listener", 1);
+ else
+#endif
nc = channel_new("x11 listener",
nc = channel_new(ssh, "x11 listener",
SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
--- work.clean/openssh-6.8p1/channels.h 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/channels.h 2015-04-03 13:58:44.472717000 -0500
@@ -136,6 +136,10 @@
--- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/channels.h 2018-06-27 16:38:40.766588000 -0700
@@ -143,6 +143,9 @@ struct Channel {
u_int local_maxpacket;
int extended_usage;
int single_connection;
+#ifdef HPN_ENABLED
+ int dynamic_window;
+ u_int tcpwinsz;
+#endif
char *ctype; /* type */
@@ -311,4 +315,9 @@
void chan_write_failed(Channel *);
void chan_obuf_empty(Channel *);
@@ -335,5 +338,10 @@ void chan_ibuf_empty(struct ssh *, Channel *);
void chan_rcvd_ieof(struct ssh *, Channel *);
void chan_write_failed(struct ssh *, Channel *);
void chan_obuf_empty(struct ssh *, Channel *);
+
+#ifdef HPN_ENABLED
+/* hpn handler */
+void channel_set_hpn(int, int);
+#endif
+
#endif
--- work.clean/openssh-6.8p1/cipher.c 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/cipher.c 2015-04-03 16:22:04.972592000 -0500
@@ -273,7 +273,13 @@ ciphers_valid(const char *names)
--- work/openssh-7.7p1/cipher.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/cipher.c 2018-06-27 16:55:43.165788000 -0700
@@ -212,7 +212,12 @@ ciphers_valid(const char *names)
for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
(p = strsep(&cp, CIPHER_SEP))) {
c = cipher_by_name(p);
- if (c == NULL || c->number != SSH_CIPHER_SSH2) {
+ if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
+#ifdef NONE_CIPHER_ENABLED
+ c->number != SSH_CIPHER_NONE
+ if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 &&
+ (c->flags & CFLAG_NONE) != 0)) {
+#else
+ 1
if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
+#endif
+ )) {
free(cipher_list);
return 0;
}
@@ -605,6 +611,9 @@ cipher_get_keyiv(struct sshcipher_ctx *c
switch (c->number) {
#ifdef WITH_OPENSSL
+#ifdef NONE_CIPHER_ENABLED
+ case SSH_CIPHER_NONE:
+#endif
case SSH_CIPHER_SSH2:
case SSH_CIPHER_DES:
case SSH_CIPHER_BLOWFISH:
@@ -653,6 +662,9 @@ cipher_set_keyiv(struct sshcipher_ctx *c
switch (c->number) {
#ifdef WITH_OPENSSL
+#ifdef NONE_CIPHER_ENABLED
+ case SSH_CIPHER_NONE:
+#endif
case SSH_CIPHER_SSH2:
case SSH_CIPHER_DES:
case SSH_CIPHER_BLOWFISH:
--- work.clean/openssh-6.8p1/clientloop.c 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/clientloop.c 2015-04-03 17:29:40.618489000 -0500
@@ -1909,6 +1909,15 @@
sock = x11_connect_display();
--- work/openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700
@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
sock = x11_connect_display(ssh);
if (sock < 0)
return NULL;
+#ifdef HPN_ENABLED
+ /* again is this really necessary for X11? */
+ if (!options.hpn_disabled)
+ c = channel_new("x11",
+ c = channel_new(ssh, "x11",
+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+ options.hpn_buffer_size,
+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+ else
+#endif
c = channel_new("x11",
c = channel_new(ssh, "x11",
SSH_CHANNEL_X11_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
@@ -1934,6 +1943,14 @@
@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
__func__, ssh_err(r));
return NULL;
}
+#ifdef HPN_ENABLED
+ if (!options.hpn_disabled)
+ c = channel_new("authentication agent connection",
+ c = channel_new(ssh, "authentication agent connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
+ "authentication agent connection", 1);
+ else
+#endif
c = channel_new("authentication agent connection",
c = channel_new(ssh, "authentication agent connection",
SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
@@ -1964,6 +1981,12 @@
return -1;
@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
}
debug("Tunnel forwarding using interface %s", ifname);
+#ifdef HPN_ENABLED
+ if (!options.hpn_disabled)
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ else
+#endif
c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
--- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500
@ -470,9 +447,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
debug("kex: %s cipher: %s MAC: %s compression: %s",
ctos ? "client->server" : "server->client",
newkeys->enc.name,
--- work.clean/openssh-7.2p1/packet.c.orig 2016-02-25 19:40:04.000000000 -0800
+++ work.clean/openssh-7.2p1/packet.c 2016-02-29 08:05:15.744201000 -0800
@@ -1037,6 +1037,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
--- work/openssh-7.7p1/packet.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/packet.c 2018-06-27 16:42:42.739507000 -0700
@@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
@ -497,11 +474,13 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
@@ -1055,6 +1073,12 @@ ssh_packet_need_rekeying(struct ssh *ssh
@@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou
/* Peer can't rekey */
if (ssh->compat & SSH_BUG_NOREKEY)
return 0;
+#ifdef NONE_CIPHER_ENABLED
+ /* used to force rekeying when called for by the none
+ * cipher switch methods -cjr */
+ if (rekey_requested == 1) {
+ rekey_requested = 0;
+ return 1;
@ -524,11 +503,21 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* OLD API */
extern struct ssh *active_state;
#include "opacket.h"
--- work/openssh-6.9p1/readconf.c.orig 2015-07-27 13:32:13.169218000 -0500
+++ work/openssh-6.9p1/readconf.c 2015-07-27 13:33:00.429332000 -0500
@@ -153,6 +153,12 @@ typedef enum {
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming,
--- work/openssh-7.7p1/readconf.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/readconf.c 2018-06-27 16:58:41.109275000 -0700
@@ -66,6 +66,9 @@
#include "uidswap.h"
#include "myproposal.h"
#include "digest.h"
+#ifdef HPN_ENABLED
+#include "sshbuf.h"
+#endif
/* Format of the configuration file:
@@ -167,6 +170,12 @@ typedef enum {
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+#ifdef HPN_ENABLED
+ oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
@ -539,7 +528,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
@@ -277,6 +283,16 @@ static struct {
@@ -304,6 +313,16 @@ static struct {
{ "updatehostkeys", oUpdateHostkeys },
{ "hostbasedkeytypes", oHostbasedKeyTypes },
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
@ -554,9 +543,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ { "hpnbuffersize", oHPNBufferSize },
+#endif
{ "ignoreunknown", oIgnoreUnknown },
{ "proxyjump", oProxyJump },
{ NULL, oBadOption }
@@ -906,6 +922,44 @@ parse_time:
@@ -962,6 +981,44 @@ parse_time:
intptr = &options->check_host_ip;
goto parse_flag;
@ -601,7 +590,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
case oVerifyHostKeyDNS:
intptr = &options->verify_host_key_dns;
multistate_ptr = multistate_yesnoask;
@@ -1665,6 +1719,16 @@ initialize_options(Options * options)
@@ -1833,6 +1890,16 @@ initialize_options(Options * options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->request_tty = -1;
@ -618,7 +607,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
options->proxy_use_fdpass = -1;
options->ignored_unknown = NULL;
options->num_canonical_domains = 0;
@@ -1826,6 +1890,35 @@ fill_default_options(Options * options)
@@ -1979,6 +2046,34 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
@ -635,11 +624,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ /* if a user tries to set the size to 0 set it to 1KB */
+ if (options->hpn_buffer_size == 0)
+ options->hpn_buffer_size = 1;
+ /* limit the buffer to 64MB */
+ if (options->hpn_buffer_size > 64*1024) {
+ options->hpn_buffer_size = 64*1024*1024;
+ debug("User requested buffer larger than 64MB. Request"
+ " reverted to 64MB");
+ /* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
+ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
+ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
+ debug("User requested buffer larger than 256MB. Request reverted to 256MB");
+ } else
+ options->hpn_buffer_size *= 1024;
+ debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
@ -693,9 +681,19 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
struct timeval tv[2];
#define atime tv[0]
--- work/openssh/servconf.c.orig 2015-05-29 03:27:21.000000000 -0500
+++ work/openssh/servconf.c 2015-06-02 09:56:36.041601000 -0500
@@ -159,6 +159,14 @@ initialize_server_options(ServerOptions
--- work/openssh-7.7p1/servconf.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/servconf.c 2018-06-27 17:01:05.276677000 -0700
@@ -63,6 +63,9 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
+#ifdef HPN_ENABLED
+#include "sshbuf.h"
+#endif
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
@@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options)
options->authorized_principals_file = NULL;
options->authorized_principals_command = NULL;
options->authorized_principals_command_user = NULL;
@ -710,7 +708,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
@@ -319,6 +327,57 @@ fill_default_server_options(ServerOption
@@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options)
}
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
@ -754,9 +752,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ if (options->hpn_disabled <= 0) {
+ if (options->hpn_buffer_size == 0)
+ options->hpn_buffer_size = 1;
+ /* limit the maximum buffer to 64MB */
+ if (options->hpn_buffer_size > 64*1024) {
+ options->hpn_buffer_size = 64*1024*1024;
+ /* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
+ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
+ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
+ } else {
+ options->hpn_buffer_size *= 1024;
+ }
@ -768,7 +766,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
if (options->ip_qos_interactive == -1)
options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
@@ -412,6 +471,12 @@ typedef enum {
@@ -466,6 +528,12 @@ typedef enum {
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
@ -781,7 +779,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
@@ -548,6 +613,14 @@ static struct {
@@ -603,6 +671,14 @@ static struct {
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@ -796,10 +794,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
@@ -1153,6 +1226,25 @@ process_server_config_line(ServerOptions
@@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha
case sIgnoreUserKnownHosts:
intptr = &options->ignore_user_known_hosts;
goto parse_flag;
+
+#ifdef NONE_CIPHER_ENABLED
+ case sNoneEnabled:
+ intptr = &options->none_enabled;
@ -818,10 +817,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ intptr = &options->hpn_buffer_size;
+ goto parse_int;
+#endif
+
case sHostbasedAuthentication:
intptr = &options->hostbased_authentication;
goto parse_flag;
--- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500
@@ -169,6 +169,15 @@
@ -840,23 +838,23 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
int permit_tun;
int num_permitted_opens;
--- work.clean/openssh-6.8p1/serverloop.c 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/serverloop.c 2015-04-03 17:14:15.182548000 -0500
@@ -526,6 +526,12 @@ server_request_tun(void)
sock = tun_open(tun, mode);
if (sock < 0)
--- work/openssh-7.7p1/serverloop.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/serverloop.c 2018-06-27 16:53:02.246871000 -0700
@@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh)
goto done;
debug("Tunnel forwarding using interface %s", ifname);
+#ifdef HPN_ENABLED
+ if (!options.hpn_disabled)
+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ else
+#endif
c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
@@ -563,6 +569,10 @@ server_request_session(void)
c = channel_new("session", SSH_CHANNEL_LARVAL,
@@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh)
c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
-1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
0, "server-session", 1);
+#ifdef HPN_ENABLED
@ -865,22 +863,22 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif
if (session_open(the_authctxt, c->self) != 1) {
debug("session open failed, free channel %d", c->self);
channel_free(c);
--- work.clean/openssh-6.8p1/session.c 2015-04-01 22:07:18.149110000 -0500
+++ work/openssh-6.8p1/session.c 2015-04-03 17:09:02.984097000 -0500
@@ -2340,6 +2340,14 @@
channel_free(ssh, c);
--- work/openssh-7.7p1/session.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/session.c 2018-06-27 17:01:40.730347000 -0700
@@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s,
*/
if (s->chanid == -1)
fatal("no channel for session %d", s->self);
+#ifdef HPN_ENABLED
+ if (!options.hpn_disabled)
+ channel_set_fds(s->chanid,
+ channel_set_fds(ssh, s->chanid,
+ fdout, fdin, fderr,
+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+ 1, is_tty, options.hpn_buffer_size);
+ else
+#endif
channel_set_fds(s->chanid,
channel_set_fds(ssh, s->chanid,
fdout, fdin, fderr,
ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
--- work.clean/openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500
@ -909,9 +907,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* File to read commands from */
FILE* infile;
--- work.clean/openssh-6.8p1/ssh.c 2015-04-01 22:07:18.166356000 -0500
+++ work/openssh-6.8p1/ssh.c 2015-04-03 17:16:34.114673000 -0500
@@ -885,6 +885,14 @@
--- work/openssh-7.7p1/ssh.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/ssh.c 2018-06-27 17:05:30.011979000 -0700
@@ -954,6 +954,14 @@ main(int ac, char **av)
break;
case 'T':
options.request_tty = REQUEST_TTY_NO;
@ -926,80 +924,91 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
break;
case 'o':
line = xstrdup(optarg);
@@ -1848,9 +1856,85 @@
if (!isatty(err))
set_nonblock(err);
@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
NULL, fileno(stdin), &command, environ);
}
+#ifdef HPN_ENABLED
+static void
+hpn_options_init(void)
+{
+ /*
+ * we need to check to see if what they want to do about buffer
+ * We need to check to see if what they want to do about buffer
+ * sizes here. In a hpn to nonhpn connection we want to limit
+ * the window size to something reasonable in case the far side
+ * has the large window bug. In hpn to hpn connection we want to
+ * use the max window size but allow the user to override it
+ * lastly if they disabled hpn then use the ssh std window size
+
+ * so why don't we just do a getsockopt() here and set the
+ * lastly if they disabled hpn then use the ssh std window size.
+ *
+ * So why don't we just do a getsockopt() here and set the
+ * ssh window to that? In the case of a autotuning receive
+ * window the window would get stuck at the initial buffer
+ * size generally less than 96k. Therefore we need to set the
+ * maximum ssh window size to the maximum hpn buffer size
+ * unless the user has specifically set the tcprcvbufpoll
+ * to no. In which case we *can* just set the window to the
+ * minimum of the hpn buffer size and tcp receive buffer size
+ * minimum of the hpn buffer size and tcp receive buffer size.
+ */
+
+ if (tty_flag)
+ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
+ else
+ options.hpn_buffer_size = 2*1024*1024;
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
+ if (datafellows & SSH_BUG_LARGEWINDOW) {
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
+ socklen_t socksizelen = sizeof(socksize);
+
+ socklen_t socksizelen;
+ if (options.tcp_rcv_buf_poll <= 0) {
+ sock = socket(AF_INET, SOCK_STREAM, 0);
+ socksizelen = sizeof(socksize);
+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+ &socksize, &socksizelen);
+ &socksize, &socksizelen);
+ close(sock);
+ debug("socksize %d", socksize);
+ options.hpn_buffer_size = socksize;
+ debug ("HPNBufferSize set to TCP RWIN: %d",
+ options.hpn_buffer_size);
+ debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
+ } else {
+ if (options.tcp_rcv_buf > 0) {
+ /*
+ * create a socket but don't connect it.
+ * Create a socket but don't connect it:
+ * we use that the get the rcv socket size
+ */
+ sock = socket(AF_INET, SOCK_STREAM, 0);
+ /*
+ * if they are using the tcp_rcv_buf option
+ * attempt to set the buffer size to that
+ * If they are using the tcp_rcv_buf option,
+ * attempt to set the buffer size to that.
+ */
+ if (options.tcp_rcv_buf)
+ if (options.tcp_rcv_buf) {
+ socksizelen = sizeof(options.tcp_rcv_buf);
+ setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+ (void *)&options.tcp_rcv_buf,
+ sizeof(options.tcp_rcv_buf));
+ &options.tcp_rcv_buf, socksizelen);
+ }
+ socksizelen = sizeof(socksize);
+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+ &socksize, &socksizelen);
+ &socksize, &socksizelen);
+ close(sock);
+ debug("socksize %d", socksize);
+ options.hpn_buffer_size = socksize;
+ debug ("HPNBufferSize set to user TCPRcvBuf: "
+ "%d", options.hpn_buffer_size);
+ debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
+ }
+ }
+ }
+
+ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
+
+ window = options.hpn_buffer_size;
+
+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
+}
+
/* open new channel for a session */
static int
ssh_session2_open(struct ssh *ssh)
@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh)
if (!isatty(err))
set_nonblock(err);
+#ifdef HPN_ENABLED
+ window = options.hpn_buffer_size;
+#else
window = CHAN_SES_WINDOW_DEFAULT;
+#endif
@ -1012,7 +1021,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
window >>= 1;
packetmax >>= 1;
}
@@ -1859,6 +1943,12 @@
@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh)
window, packetmax, CHAN_EXTENDED_WRITE,
"client-session", /*nonblock*/0);
@ -1022,17 +1031,47 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ debug ("Enabled Dynamic Window Scaling");
+ }
+#endif
debug3("ssh_session2_open: channel_new: %d", c->self);
debug3("%s: channel_new: %d", __func__, c->self);
channel_send_open(c->self);
--- work.clean/openssh-6.8p1/sshconnect.c 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/sshconnect.c 2015-04-03 16:32:38.204744000 -0500
@@ -266,6 +266,31 @@
kill(proxy_command_pid, SIGHUP);
}
channel_send_open(ssh, c->self);
@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
{
int devnull, id = -1;
char *cp, *tun_fwd_ifname = NULL;
+
+#ifdef HPN_ENABLED
+ /*
+ * We need to initialize this early because the forwarding logic below
+ * might open channels that use the hpn buffer sizes. We can't send a
+ * window of -1 (the default) to the server as it breaks things.
+ */
+ hpn_options_init();
+#endif
/* XXX should be pre-session */
if (!options.control_persist)
--- work/openssh-7.7p1/sshbuf.h.orig 2018-06-27 16:11:24.503058000 -0700
+++ work/openssh-7.7p1/sshbuf.h 2018-06-27 16:12:01.359375000 -0700
@@ -28,7 +28,11 @@
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
+#ifdef HPN_ENABLED
+/*
+#define SSHBUF_SIZE_MAX 0xF000000 /* Hard maximum size 256MB */
+#else
#define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */
+#endif
#define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */
#define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */
#define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */
--- work/openssh-7.7p1/sshconnect.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/sshconnect.c 2018-06-26 15:55:19.103812000 -0700
@@ -337,7 +337,32 @@ check_ifaddrs(const char *ifname, int af, const struct
}
#endif
+#ifdef HPN_ENABLED
/*
+ * Set TCP receive buffer if requested.
+ * Note: tuning needs to happen after the socket is
+ * created but before the connection happens
@ -1056,10 +1095,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+}
+#endif
+
/*
+/*
* Creates a (possibly privileged) socket for use as the ssh connection.
*/
@@ -282,6 +307,11 @@
static int
@@ -359,6 +384,11 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
}
fcntl(sock, F_SETFD, FD_CLOEXEC);
@ -1069,54 +1109,42 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif
+
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && !privileged)
return sock;
@@ -523,11 +553,23 @@ send_client_banner(int connection_out, i
if (options.bind_address == NULL && options.bind_interface == NULL &&
!privileged)
@@ -637,8 +667,14 @@ static void
send_client_banner(int connection_out, int minor1)
{
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+#ifdef HPN_ENABLED
+ options.hpn_disabled ? "" : SSH_HPN
+ options.hpn_disabled ? "" : SSH_HPN
+#else
+ ""
+ ""
+#endif
+ );
} else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\n",
+ PROTOCOL_MAJOR_1, minor1, SSH_VERSION,
+#ifdef HPN_ENABLED
+ options.hpn_disabled ? "" : SSH_HPN
+#else
+ ""
+#endif
+ );
}
if (roaming_atomicio(vwrite, connection_out, client_version_string,
+ );
if (atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
--- work.clean/openssh-7.2p1/sshconnect2.c.orig 2016-02-25 19:40:04.000000000 -0800
+++ work.clean/openssh-7.2p1/sshconnect2.c 2016-02-29 08:06:31.134954000 -0800
@@ -81,6 +81,14 @@
fatal("write: %.100s", strerror(errno));
--- work/openssh-7.7p1/sshconnect2.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/sshconnect2.c 2018-06-27 17:11:17.543893000 -0700
@@ -81,7 +81,13 @@
extern char *client_version_string;
extern char *server_version_string;
extern Options options;
+#ifdef NONE_CIPHER_ENABLED
+struct kex *xxx_kex;
+
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
+#endif
+
/*
* SSH2 key exchange
@@ -154,14 +162,17 @@ order_hostkeyalgs(char *host, struct soc
*/
@@ -154,14 +160,17 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
return ret;
}
@ -1135,17 +1163,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
xxx_host = host;
xxx_hostaddr = hostaddr;
@@ -235,6 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho
packet_send();
packet_write_wait();
#endif
+#ifdef NONE_CIPHER_ENABLED
+ xxx_kex = kex;
+#endif
}
/*
@@ -407,6 +421,29 @@ ssh_userauth2(const char *local_user, co
@@ -409,6 +418,30 @@ ssh_userauth2(const char *local_user, const char *serv
if (!authctxt.success)
fatal("Authentication failed.");
@ -1159,9 +1177,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ if ((options.none_switch == 1) && (options.none_enabled == 1)) {
+ if (!tty_flag) { /* no null on tty sessions */
+ debug("Requesting none rekeying...");
+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
+ kex_prop2buf(xxx_kex->my, myproposal);
+ kex_prop2buf(active_state->kex->my, myproposal);
+ packet_request_rekeying();
+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
+ } else {
@ -1175,9 +1194,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
debug("Authentication succeeded (%s).", authctxt.method->name);
}
--- work.clean/openssh-7.1p1/sshd.c.orig 2015-08-20 21:49:03.000000000 -0700
+++ work.clean/openssh-7.1p1/sshd.c 2015-11-11 12:45:48.202186000 -0800
@@ -373,8 +373,13 @@ sshd_exchange_identification(struct ssh
--- work/openssh-7.7p1/sshd.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/sshd.c 2018-06-27 17:13:03.176633000 -0700
@@ -372,8 +372,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock
char buf[256]; /* Must not be larger than remote_version. */
char remote_version[256]; /* Must be at least as big as buf. */
@ -1192,8 +1211,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum);
@@ -1027,6 +1032,10 @@ server_listen(void)
int ret, listen_sock, on = 1;
@@ -1025,6 +1030,10 @@ listen_on_addrs(struct listenaddr *la)
int ret, listen_sock;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+#ifdef HPN_ENABLED
@ -1201,9 +1220,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ socklen_t socksizelen = sizeof(socksize);
+#endif
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
for (ai = la->addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -1072,6 +1081,13 @@ server_listen(void)
@@ -1070,6 +1079,13 @@ listen_on_addrs(struct listenaddr *la)
debug("Bind to port %s on %s.", strport, ntop);
@ -1217,7 +1236,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
error("Bind to port %s on %s failed: %.200s.",
@@ -1596,6 +1612,15 @@ main(int ac, char **av)
@@ -1634,6 +1650,15 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@ -1233,9 +1252,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
@@ -2099,6 +2124,11 @@ main(int ac, char **av)
}
#endif
@@ -2047,6 +2072,11 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\"");
free(laddr);
+#ifdef HPN_ENABLED
+ /* set the HPN options for the child */
@ -1243,20 +1262,20 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif
+
/*
* In privilege separation, we fork another child and prepare
* file descriptor passing.
@@ -2177,6 +2207,11 @@ do_ssh2_kex(void)
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
@@ -2212,6 +2242,11 @@ do_ssh2_kex(void)
char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
struct kex *kex;
int r;
+
+#ifdef NONE_CIPHER_ENABLED
+ if (options.none_enabled == 1)
+ debug ("WARNING: None cipher enabled");
+#endif
+
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
options.kex_algorithms);
myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
--- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
+++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
@@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys
@ -1280,11 +1299,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
--- work.clean/openssh-6.8p1/version.h 2015-04-01 22:07:18.258955000 -0500
+++ work/openssh-6.8p1/version.h 2015-04-02 16:51:25.209617000 -0500
@@ -3,4 +3,5 @@
#define SSH_VERSION "OpenSSH_6.8"
--- work/openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700
@@ -4,3 +4,4 @@
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_HPN "-hpn14v5"
+#define SSH_HPN "-hpn14v15"

24
security/openssh-portable/files/patch-servconf.c
View file

@ -6,17 +6,17 @@ Changed paths:
Apply FreeBSD's configuration defaults.
--- servconf.c.orig 2018-06-19 09:26:26 UTC
+++ servconf.c
@@ -63,6 +63,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
+#include "version.h"
--- servconf.c.orig 2018-06-27 17:18:19.513676000 -0700
+++ servconf.c 2018-06-27 17:19:38.133882000 -0700
@@ -41,6 +41,7 @@
#include <util.h>
#endif
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
@@ -240,7 +241,11 @@ fill_default_server_options(ServerOption
+#include "version.h"
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
#include "ssh.h"
@@ -251,7 +252,11 @@ fill_default_server_options(ServerOptions *options)
/* Portable-specific options */
if (options->use_pam == -1)
@ -28,7 +28,7 @@ Apply FreeBSD's configuration defaults.
/* Standard Options */
if (options->num_host_key_files == 0) {
@@ -280,7 +285,7 @@ fill_default_server_options(ServerOption
@@ -291,7 +296,7 @@ fill_default_server_options(ServerOptions *options)
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
@ -37,7 +37,7 @@ Apply FreeBSD's configuration defaults.
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
@@ -320,7 +325,11 @@ fill_default_server_options(ServerOption
@@ -331,7 +336,11 @@ fill_default_server_options(ServerOptions *options)
if (options->gss_strict_acceptor == -1)
options->gss_strict_acceptor = 1;
if (options->password_authentication == -1)