- Fix and update HPN patch to latest from upstream but leave it off by
  default.
- Add an 'hpn' FLAVOR to produce a package for users with HPN and
  NONECIPHER enabled.

Approved by:	portmgr (implicit)
Bryan Drewery 2018-06-28 03:38:32 +00:00
parent 66e2bc4899
commit 877e47208a
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=473485
3 changed files with 308 additions and 283 deletions


@ -3,7 +3,7 @@
PORTNAME= openssh PORTNAME= openssh
DISTVERSION= 7.7p1 DISTVERSION= 7.7p1
PORTREVISION= 4 PORTREVISION= 5
PORTEPOCH= 1 PORTEPOCH= 1
CATEGORIES= security ipv6 CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable MASTER_SITES= OPENBSD/OpenSSH/portable
@ -29,10 +29,18 @@ ETCOLD= ${PREFIX}/etc
BROKEN_SSL= openssl-devel BROKEN_SSL= openssl-devel
BROKEN_SSL_REASON_openssl-devel= error: OpenSSL >= 1.1.0 is not yet supported BROKEN_SSL_REASON_openssl-devel= error: OpenSSL >= 1.1.0 is not yet supported
FLAVORS= default hpn
default_CONFLICTS_INSTALL= openssl-portable-hpn-[0-9]*
hpn_CONFLICTS_INSTALL= openssh-portable-[0-9]*
hpn_PKGNAMESUFFIX= -portable-hpn
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
HPN X509 KERB_GSSAPI \ HPN X509 KERB_GSSAPI \
LDNS NONECIPHER XMSS LDNS NONECIPHER XMSS
OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS
.if ${FLAVOR:U} == hpn
OPTIONS_DEFAULT+= HPN NONECIPHER
.endif
OPTIONS_RADIO= KERBEROS OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= tcp_wrappers support TCP_WRAPPERS_DESC= tcp_wrappers support
@ -57,7 +65,6 @@ LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns
LDNS_CFLAGS= -I${LOCALBASE}/include LDNS_CFLAGS= -I${LOCALBASE}/include
LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib' LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib'
# http://www.psc.edu/index.php/hpn-ssh
HPN_CONFIGURE_WITH= hpn HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher NONECIPHER_CONFIGURE_WITH= nonecipher
@ -103,12 +110,12 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
PATCHFILES+= openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex PATCHFILES+= openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex
.endif .endif
# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
BROKEN= HPN: Not yet updated for ${DISTVERSION} and disabled in base #BROKEN= HPN: Not yet updated for ${DISTVERSION} and disabled in base
PORTDOCS+= HPN-README PORTDOCS+= HPN-README
HPN_VERSION= 14v5 HPN_VERSION= 14v15
HPN_DISTVERSION= 6.7p1 HPN_DISTVERSION= 7.7p1
#PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn #PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
#PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn #PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2
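Review bot: The new conflict pattern for the default flavor, `default_CONFLICTS_INSTALL= openssl-portable-hpn-[0-9]*`, names openssl rather than openssh, so it never matches the package the hpn flavor builds (PORTNAME openssh plus `hpn_PKGNAMESUFFIX= -portable-hpn`, i.e. openssh-portable-hpn-*), and pkg will let both flavors be installed over each other's files while the reverse rule on the next line works; it should read `default_CONFLICTS_INSTALL= openssh-portable-hpn-[0-9]*`. The hpn flavor also turns on NONECIPHER by default via `OPTIONS_DEFAULT+= HPN NONECIPHER`; the extra patch appears to gate the none cipher behind a separate none_enabled server option (the sNoneEnabled case in the servconf.c hunk), so a short note in the option description or pkg-message saying the unencrypted transport still has to be enabled in sshd_config, not by the flavor alone, would spare users a wrong assumption either way. Since HPN is being un-BROKEN here, it would also help to say in the commit or a comment next to `HPN_VERSION= 14v15` which upstream branch the refreshed extra-patch-hpn was taken from, matching the URL updated on the comment line above the .if block.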


@ -131,11 +131,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ (tasota@gmail.com) an NSF REU grant recipient for 2013. + (tasota@gmail.com) an NSF REU grant recipient for 2013.
+ This work was financed, in part, by Cisco System, Inc., the National + This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation. + Library of Medicine, and the National Science Foundation.
--- work.clean/openssh-6.8p1/channels.c 2015-03-17 00:49:20.000000000 -0500 --- work/openssh-7.7p1/channels.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-6.8p1/channels.c 2015-04-03 15:51:59.599537000 -0500 +++ work/openssh-7.7p1/channels.c 2018-06-27 16:37:07.663857000 -0700
@@ -183,8 +183,14 @@ @@ -215,6 +215,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
static int connect_next(struct channel_connect *); /* Setup helper */
static void channel_connect_ctx_free(struct channel_connect *); static void channel_handler_init(struct ssh_channels *sc);
+ +
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
@ -145,25 +145,23 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ +
/* -- channel core */ /* -- channel core */
Channel * void
channel_by_id(int id) @@ -391,6 +397,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
{ c->local_window = window;
@@ -333,6 +339,9 @@
c->local_window_max = window; c->local_window_max = window;
c->local_consumed = 0;
c->local_maxpacket = maxpack; c->local_maxpacket = maxpack;
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ c->dynamic_window = 0; + c->dynamic_window = 0;
+#endif +#endif
c->remote_id = -1;
c->remote_name = xstrdup(remote_name); c->remote_name = xstrdup(remote_name);
c->remote_window = 0; c->ctl_chan = -1;
@@ -837,11 +846,41 @@ c->delayed = 1; /* prevent call to channel_post handler */
FD_SET(c->sock, writeset); @@ -977,6 +986,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
FD_SET(c->sock, writeset);
} }
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+static u_int +static int
+channel_tcpwinsz(void) +channel_tcpwinsz(void)
+{ +{
+ u_int32_t tcpwinsz = 0; + u_int32_t tcpwinsz = 0;
@ -172,56 +170,60 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ +
+ /* if we aren't on a socket return 128KB */ + /* if we aren't on a socket return 128KB */
+ if (!packet_connection_is_on_socket()) + if (!packet_connection_is_on_socket())
+ return (128*1024); + return 128 * 1024;
+
+ ret = getsockopt(packet_get_connection_in(), + ret = getsockopt(packet_get_connection_in(),
+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); + SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
+ /* return no more than SSHBUF_SIZE_MAX */ + /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
+ if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX) + if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
+ tcpwinsz = SSHBUF_SIZE_MAX; + tcpwinsz = SSHBUF_SIZE_MAX;
+ debug2("tcpwinsz: %d for connection: %d", tcpwinsz, +
+ packet_get_connection_in()); + debug2("tcpwinsz: tcp connection %d, Receive window: %d",
+ return (tcpwinsz); + packet_get_connection_in(), tcpwinsz);
+ return tcpwinsz;
+} +}
+#endif +#endif
+ +
static void static void
channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) channel_pre_open(struct ssh *ssh, Channel *c,
{ fd_set *readset, fd_set *writeset)
u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); @@ -2074,21 +2107,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
+#ifdef HPN_ENABLED
+ /* check buffer limits */
+ if (!c->tcpwinsz || c->dynamic_window > 0)
+ c->tcpwinsz = channel_tcpwinsz();
+
+ limit = MIN(limit, 2 * c->tcpwinsz);
+#endif
+
if (c->istate == CHAN_INPUT_OPEN &&
limit > 0 &&
buffer_len(&c->input) < limit &&
@@ -1846,6 +1885,20 @@
c->local_maxpacket*3) || c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) && c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) { c->local_consumed > 0) {
+ u_int addition = 0;
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ u_int32_t tcpwinsz = channel_tcpwinsz();
+ /* adjust max window size if we are in a dynamic environment */ + /* adjust max window size if we are in a dynamic environment */
+ if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) { + if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
+ u_int addition = 0; + /* grow the window somewhat aggressively to maintain pressure */
+ + addition = 1.5 * (tcpwinsz - c->local_window_max);
+ /*
+ * grow the window somewhat aggressively to maintain
+ * pressure
+ */
+ addition = 1.5*(c->tcpwinsz - c->local_window_max);
+ c->local_window_max += addition; + c->local_window_max += addition;
+ c->local_consumed += addition; + debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
+ } + }
+#endif +#endif
packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); if (!c->have_remote_id)
packet_put_int(c->remote_id); fatal(":%s: channel %d: no remote id",
packet_put_int(c->local_consumed); __func__, c->self);
@@ -2794,6 +2847,17 @@ if ((r = sshpkt_start(ssh,
SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
(r = sshpkt_send(ssh)) != 0) {
fatal("%s: channel %i: %s", __func__,
c->self, ssh_err(r));
}
debug2("channel %d: window %d sent adjust %d",
c->self, c->local_window,
- c->local_consumed);
- c->local_window += c->local_consumed;
+ c->local_consumed + addition);
+ c->local_window += c->local_consumed + addition;
c->local_consumed = 0;
}
return 1;
@@ -3258,6 +3302,17 @@ channel_fwd_bind_addr(const char *listen_addr, int *wi
return addr; return addr;
} }
@ -237,9 +239,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif +#endif
+ +
static int static int
channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd, channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
int *allocated_listen_port, struct ForwardOptions *fwd_opts) struct Forward *fwd, int *allocated_listen_port,
@@ -2918,9 +2982,20 @@ @@ -3398,6 +3453,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int
} }
/* Allocate a channel number for the socket. */ /* Allocate a channel number for the socket. */
@ -249,136 +251,111 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ * window size. + * window size.
+ */ + */
+ if (!hpn_disabled) + if (!hpn_disabled)
+ c = channel_new("port listener", type, sock, sock, -1, + c = channel_new(ssh, "port listener", type, sock, sock, -1,
+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, + hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1); + 0, "port listener", 1);
+ else + else
+#endif +#endif
c = channel_new("port listener", type, sock, sock, -1, c = channel_new(ssh, "port listener", type, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
0, "port listener", 1); 0, "port listener", 1);
c->path = xstrdup(host); @@ -4457,6 +4523,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
c->host_port = fwd->connect_port;
c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
@@ -3952,6 +4027,14 @@
*chanids = xcalloc(num_socks + 1, sizeof(**chanids)); *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
for (n = 0; n < num_socks; n++) { for (n = 0; n < num_socks; n++) {
sock = socks[n]; sock = socks[n];
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ if (!hpn_disabled) + if (!hpn_disabled)
+ nc = channel_new("x11 listener", + nc = channel_new(ssh, "x11 listener",
+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1, + SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, + hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
+ 0, "X11 inet listener", 1); + 0, "X11 inet listener", 1);
+ else + else
+#endif +#endif
nc = channel_new("x11 listener", nc = channel_new(ssh, "x11 listener",
SSH_CHANNEL_X11_LISTENER, sock, sock, -1, SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
--- work.clean/openssh-6.8p1/channels.h 2015-03-17 00:49:20.000000000 -0500 --- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-6.8p1/channels.h 2015-04-03 13:58:44.472717000 -0500 +++ work/openssh-7.7p1/channels.h 2018-06-27 16:38:40.766588000 -0700
@@ -136,6 +136,10 @@ @@ -143,6 +143,9 @@ struct Channel {
u_int local_maxpacket; u_int local_maxpacket;
int extended_usage; int extended_usage;
int single_connection; int single_connection;
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ int dynamic_window; + int dynamic_window;
+ u_int tcpwinsz;
+#endif +#endif
char *ctype; /* type */ char *ctype; /* type */
@@ -311,4 +315,9 @@ @@ -335,5 +338,10 @@ void chan_ibuf_empty(struct ssh *, Channel *);
void chan_write_failed(Channel *); void chan_rcvd_ieof(struct ssh *, Channel *);
void chan_obuf_empty(Channel *); void chan_write_failed(struct ssh *, Channel *);
void chan_obuf_empty(struct ssh *, Channel *);
+
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+/* hpn handler */ +/* hpn handler */
+void channel_set_hpn(int, int); +void channel_set_hpn(int, int);
+#endif +#endif
+
#endif #endif
--- work.clean/openssh-6.8p1/cipher.c 2015-03-17 00:49:20.000000000 -0500 --- work/openssh-7.7p1/cipher.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-6.8p1/cipher.c 2015-04-03 16:22:04.972592000 -0500 +++ work/openssh-7.7p1/cipher.c 2018-06-27 16:55:43.165788000 -0700
@@ -273,7 +273,13 @@ ciphers_valid(const char *names) @@ -212,7 +212,12 @@ ciphers_valid(const char *names)
for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
(p = strsep(&cp, CIPHER_SEP))) { (p = strsep(&cp, CIPHER_SEP))) {
c = cipher_by_name(p); c = cipher_by_name(p);
- if (c == NULL || c->number != SSH_CIPHER_SSH2) {
+ if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
+#ifdef NONE_CIPHER_ENABLED +#ifdef NONE_CIPHER_ENABLED
+ c->number != SSH_CIPHER_NONE + if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 &&
+ (c->flags & CFLAG_NONE) != 0)) {
+#else +#else
+ 1 if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
+#endif +#endif
+ )) {
free(cipher_list); free(cipher_list);
return 0; return 0;
} }
@@ -605,6 +611,9 @@ cipher_get_keyiv(struct sshcipher_ctx *c --- work/openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700
switch (c->number) { @@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
#ifdef WITH_OPENSSL sock = x11_connect_display(ssh);
+#ifdef NONE_CIPHER_ENABLED
+ case SSH_CIPHER_NONE:
+#endif
case SSH_CIPHER_SSH2:
case SSH_CIPHER_DES:
case SSH_CIPHER_BLOWFISH:
@@ -653,6 +662,9 @@ cipher_set_keyiv(struct sshcipher_ctx *c
switch (c->number) {
#ifdef WITH_OPENSSL
+#ifdef NONE_CIPHER_ENABLED
+ case SSH_CIPHER_NONE:
+#endif
case SSH_CIPHER_SSH2:
case SSH_CIPHER_DES:
case SSH_CIPHER_BLOWFISH:
--- work.clean/openssh-6.8p1/clientloop.c 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/clientloop.c 2015-04-03 17:29:40.618489000 -0500
@@ -1909,6 +1909,15 @@
sock = x11_connect_display();
if (sock < 0) if (sock < 0)
return NULL; return NULL;
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ /* again is this really necessary for X11? */ + /* again is this really necessary for X11? */
+ if (!options.hpn_disabled) + if (!options.hpn_disabled)
+ c = channel_new("x11", + c = channel_new(ssh, "x11",
+ SSH_CHANNEL_X11_OPEN, sock, sock, -1, + SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, + options.hpn_buffer_size,
+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); + CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+ else + else
+#endif +#endif
c = channel_new("x11", c = channel_new(ssh, "x11",
SSH_CHANNEL_X11_OPEN, sock, sock, -1, SSH_CHANNEL_X11_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
@@ -1934,6 +1943,14 @@ @@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
__func__, ssh_err(r)); __func__, ssh_err(r));
return NULL; return NULL;
} }
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ if (!options.hpn_disabled) + if (!options.hpn_disabled)
+ c = channel_new("authentication agent connection", + c = channel_new(ssh, "authentication agent connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1, + SSH_CHANNEL_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
+ "authentication agent connection", 1); + "authentication agent connection", 1);
+ else + else
+#endif +#endif
c = channel_new("authentication agent connection", c = channel_new(ssh, "authentication agent connection",
SSH_CHANNEL_OPEN, sock, sock, -1, SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
@@ -1964,6 +1981,12 @@ @@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
return -1;
} }
debug("Tunnel forwarding using interface %s", ifname);
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ if (!options.hpn_disabled) + if (!options.hpn_disabled)
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, + c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ else + else
+#endif +#endif
c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1; c->datagram = 1;
--- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500 --- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500
@ -470,9 +447,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
debug("kex: %s cipher: %s MAC: %s compression: %s", debug("kex: %s cipher: %s MAC: %s compression: %s",
ctos ? "client->server" : "server->client", ctos ? "client->server" : "server->client",
newkeys->enc.name, newkeys->enc.name,
--- work.clean/openssh-7.2p1/packet.c.orig 2016-02-25 19:40:04.000000000 -0800 --- work/openssh-7.7p1/packet.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work.clean/openssh-7.2p1/packet.c 2016-02-29 08:05:15.744201000 -0800 +++ work/openssh-7.7p1/packet.c 2018-06-27 16:42:42.739507000 -0700
@@ -1037,6 +1037,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod @@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0; return 0;
} }
@ -497,11 +474,13 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
#define MAX_PACKETS (1U<<31) #define MAX_PACKETS (1U<<31)
static int static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
@@ -1055,6 +1073,12 @@ ssh_packet_need_rekeying(struct ssh *ssh @@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou
/* Peer can't rekey */ /* Peer can't rekey */
if (ssh->compat & SSH_BUG_NOREKEY) if (ssh->compat & SSH_BUG_NOREKEY)
return 0; return 0;
+#ifdef NONE_CIPHER_ENABLED +#ifdef NONE_CIPHER_ENABLED
+ /* used to force rekeying when called for by the none
+ * cipher switch methods -cjr */
+ if (rekey_requested == 1) { + if (rekey_requested == 1) {
+ rekey_requested = 0; + rekey_requested = 0;
+ return 1; + return 1;
@ -524,11 +503,21 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* OLD API */ /* OLD API */
extern struct ssh *active_state; extern struct ssh *active_state;
#include "opacket.h" #include "opacket.h"
--- work/openssh-6.9p1/readconf.c.orig 2015-07-27 13:32:13.169218000 -0500 --- work/openssh-7.7p1/readconf.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-6.9p1/readconf.c 2015-07-27 13:33:00.429332000 -0500 +++ work/openssh-7.7p1/readconf.c 2018-06-27 16:58:41.109275000 -0700
@@ -153,6 +153,12 @@ typedef enum { @@ -66,6 +66,9 @@
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, #include "uidswap.h"
oVisualHostKey, oUseRoaming, #include "myproposal.h"
#include "digest.h"
+#ifdef HPN_ENABLED
+#include "sshbuf.h"
+#endif
/* Format of the configuration file:
@@ -167,6 +170,12 @@ typedef enum {
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf, + oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
@ -539,7 +528,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
@@ -277,6 +283,16 @@ static struct { @@ -304,6 +313,16 @@ static struct {
{ "updatehostkeys", oUpdateHostkeys }, { "updatehostkeys", oUpdateHostkeys },
{ "hostbasedkeytypes", oHostbasedKeyTypes }, { "hostbasedkeytypes", oHostbasedKeyTypes },
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
@ -554,9 +543,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ { "hpnbuffersize", oHPNBufferSize }, + { "hpnbuffersize", oHPNBufferSize },
+#endif +#endif
{ "ignoreunknown", oIgnoreUnknown }, { "ignoreunknown", oIgnoreUnknown },
{ "proxyjump", oProxyJump },
{ NULL, oBadOption } @@ -962,6 +981,44 @@ parse_time:
@@ -906,6 +922,44 @@ parse_time:
intptr = &options->check_host_ip; intptr = &options->check_host_ip;
goto parse_flag; goto parse_flag;
@ -601,7 +590,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
case oVerifyHostKeyDNS: case oVerifyHostKeyDNS:
intptr = &options->verify_host_key_dns; intptr = &options->verify_host_key_dns;
multistate_ptr = multistate_yesnoask; multistate_ptr = multistate_yesnoask;
@@ -1665,6 +1719,16 @@ initialize_options(Options * options) @@ -1833,6 +1890,16 @@ initialize_options(Options * options)
options->ip_qos_interactive = -1; options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1; options->ip_qos_bulk = -1;
options->request_tty = -1; options->request_tty = -1;
@ -618,7 +607,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
options->proxy_use_fdpass = -1; options->proxy_use_fdpass = -1;
options->ignored_unknown = NULL; options->ignored_unknown = NULL;
options->num_canonical_domains = 0; options->num_canonical_domains = 0;
@@ -1826,6 +1890,35 @@ fill_default_options(Options * options) @@ -1979,6 +2046,34 @@ fill_default_options(Options * options)
options->server_alive_interval = 0; options->server_alive_interval = 0;
if (options->server_alive_count_max == -1) if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3; options->server_alive_count_max = 3;
@ -635,11 +624,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ /* if a user tries to set the size to 0 set it to 1KB */ + /* if a user tries to set the size to 0 set it to 1KB */
+ if (options->hpn_buffer_size == 0) + if (options->hpn_buffer_size == 0)
+ options->hpn_buffer_size = 1; + options->hpn_buffer_size = 1;
+ /* limit the buffer to 64MB */ + /* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
+ if (options->hpn_buffer_size > 64*1024) { + if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
+ options->hpn_buffer_size = 64*1024*1024; + options->hpn_buffer_size = SSHBUF_SIZE_MAX;
+ debug("User requested buffer larger than 64MB. Request" + debug("User requested buffer larger than 256MB. Request reverted to 256MB");
+ " reverted to 64MB");
+ } else + } else
+ options->hpn_buffer_size *= 1024; + options->hpn_buffer_size *= 1024;
+ debug("hpn_buffer_size set to %d", options->hpn_buffer_size); + debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
@ -693,9 +681,19 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
struct timeval tv[2]; struct timeval tv[2];
#define atime tv[0] #define atime tv[0]
--- work/openssh/servconf.c.orig 2015-05-29 03:27:21.000000000 -0500 --- work/openssh-7.7p1/servconf.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh/servconf.c 2015-06-02 09:56:36.041601000 -0500 +++ work/openssh-7.7p1/servconf.c 2018-06-27 17:01:05.276677000 -0700
@@ -159,6 +159,14 @@ initialize_server_options(ServerOptions @@ -63,6 +63,9 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
+#ifdef HPN_ENABLED
+#include "sshbuf.h"
+#endif
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
@@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options)
options->authorized_principals_file = NULL; options->authorized_principals_file = NULL;
options->authorized_principals_command = NULL; options->authorized_principals_command = NULL;
options->authorized_principals_command_user = NULL; options->authorized_principals_command_user = NULL;
@ -710,7 +708,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
options->ip_qos_interactive = -1; options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1; options->ip_qos_bulk = -1;
options->version_addendum = NULL; options->version_addendum = NULL;
@@ -319,6 +327,57 @@ fill_default_server_options(ServerOption @@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options)
} }
if (options->permit_tun == -1) if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO; options->permit_tun = SSH_TUNMODE_NO;
@ -754,9 +752,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ if (options->hpn_disabled <= 0) { + if (options->hpn_disabled <= 0) {
+ if (options->hpn_buffer_size == 0) + if (options->hpn_buffer_size == 0)
+ options->hpn_buffer_size = 1; + options->hpn_buffer_size = 1;
+ /* limit the maximum buffer to 64MB */ + /* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
+ if (options->hpn_buffer_size > 64*1024) { + if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
+ options->hpn_buffer_size = 64*1024*1024; + options->hpn_buffer_size = SSHBUF_SIZE_MAX;
+ } else { + } else {
+ options->hpn_buffer_size *= 1024; + options->hpn_buffer_size *= 1024;
+ } + }
@ -768,7 +766,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
if (options->ip_qos_interactive == -1) if (options->ip_qos_interactive == -1)
options->ip_qos_interactive = IPTOS_LOWDELAY; options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1) if (options->ip_qos_bulk == -1)
@@ -412,6 +471,12 @@ typedef enum { @@ -466,6 +528,12 @@ typedef enum {
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
@ -781,7 +779,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
sKexAlgorithms, sIPQoS, sVersionAddendum, sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
@@ -548,6 +613,14 @@ static struct { @@ -603,6 +671,14 @@ static struct {
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@ -796,10 +794,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
@@ -1153,6 +1226,25 @@ process_server_config_line(ServerOptions @@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha
case sIgnoreUserKnownHosts:
intptr = &options->ignore_user_known_hosts; intptr = &options->ignore_user_known_hosts;
goto parse_flag; goto parse_flag;
+
+#ifdef NONE_CIPHER_ENABLED +#ifdef NONE_CIPHER_ENABLED
+ case sNoneEnabled: + case sNoneEnabled:
+ intptr = &options->none_enabled; + intptr = &options->none_enabled;
@ -818,10 +817,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ intptr = &options->hpn_buffer_size; + intptr = &options->hpn_buffer_size;
+ goto parse_int; + goto parse_int;
+#endif +#endif
+
case sHostbasedAuthentication: case sHostbasedAuthentication:
intptr = &options->hostbased_authentication; intptr = &options->hostbased_authentication;
goto parse_flag;
--- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500 --- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500 +++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500
@@ -169,6 +169,15 @@ @@ -169,6 +169,15 @@
@ -840,23 +838,23 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
int permit_tun; int permit_tun;
int num_permitted_opens; int num_permitted_opens;
--- work.clean/openssh-6.8p1/serverloop.c 2015-03-17 00:49:20.000000000 -0500 --- work/openssh-7.7p1/serverloop.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-6.8p1/serverloop.c 2015-04-03 17:14:15.182548000 -0500 +++ work/openssh-7.7p1/serverloop.c 2018-06-27 16:53:02.246871000 -0700
@@ -526,6 +526,12 @@ server_request_tun(void) @@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh)
sock = tun_open(tun, mode);
if (sock < 0)
goto done; goto done;
debug("Tunnel forwarding using interface %s", ifname);
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ if (!options.hpn_disabled) + if (!options.hpn_disabled)
+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, + c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ else + else
+#endif +#endif
c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1; c->datagram = 1;
@@ -563,6 +569,10 @@ server_request_session(void) @@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh)
c = channel_new("session", SSH_CHANNEL_LARVAL, c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
-1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
0, "server-session", 1); 0, "server-session", 1);
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
@ -865,22 +863,22 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif +#endif
if (session_open(the_authctxt, c->self) != 1) { if (session_open(the_authctxt, c->self) != 1) {
debug("session open failed, free channel %d", c->self); debug("session open failed, free channel %d", c->self);
channel_free(c); channel_free(ssh, c);
--- work.clean/openssh-6.8p1/session.c 2015-04-01 22:07:18.149110000 -0500 --- work/openssh-7.7p1/session.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-6.8p1/session.c 2015-04-03 17:09:02.984097000 -0500 +++ work/openssh-7.7p1/session.c 2018-06-27 17:01:40.730347000 -0700
@@ -2340,6 +2340,14 @@ @@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s,
*/ */
if (s->chanid == -1) if (s->chanid == -1)
fatal("no channel for session %d", s->self); fatal("no channel for session %d", s->self);
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ if (!options.hpn_disabled) + if (!options.hpn_disabled)
+ channel_set_fds(s->chanid, + channel_set_fds(ssh, s->chanid,
+ fdout, fdin, fderr, + fdout, fdin, fderr,
+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, + ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+ 1, is_tty, options.hpn_buffer_size); + 1, is_tty, options.hpn_buffer_size);
+ else + else
+#endif +#endif
channel_set_fds(s->chanid, channel_set_fds(ssh, s->chanid,
fdout, fdin, fderr, fdout, fdin, fderr,
ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
--- work.clean/openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500 --- work.clean/openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500
@ -909,9 +907,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* File to read commands from */ /* File to read commands from */
FILE* infile; FILE* infile;
--- work.clean/openssh-6.8p1/ssh.c 2015-04-01 22:07:18.166356000 -0500 --- work/openssh-7.7p1/ssh.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-6.8p1/ssh.c 2015-04-03 17:16:34.114673000 -0500 +++ work/openssh-7.7p1/ssh.c 2018-06-27 17:05:30.011979000 -0700
@@ -885,6 +885,14 @@ @@ -954,6 +954,14 @@ main(int ac, char **av)
break; break;
case 'T': case 'T':
options.request_tty = REQUEST_TTY_NO; options.request_tty = REQUEST_TTY_NO;
@ -926,80 +924,91 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
break; break;
case 'o': case 'o':
line = xstrdup(optarg); line = xstrdup(optarg);
@@ -1848,9 +1856,85 @@ @@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
if (!isatty(err)) NULL, fileno(stdin), &command, environ);
set_nonblock(err); }
+#ifdef HPN_ENABLED +static void
+hpn_options_init(void)
+{
+ /* + /*
+ * we need to check to see if what they want to do about buffer + * We need to check to see if what they want to do about buffer
+ * sizes here. In a hpn to nonhpn connection we want to limit + * sizes here. In a hpn to nonhpn connection we want to limit
+ * the window size to something reasonable in case the far side + * the window size to something reasonable in case the far side
+ * has the large window bug. In hpn to hpn connection we want to + * has the large window bug. In hpn to hpn connection we want to
+ * use the max window size but allow the user to override it + * use the max window size but allow the user to override it
+ * lastly if they disabled hpn then use the ssh std window size + * lastly if they disabled hpn then use the ssh std window size.
+ + *
+ * so why don't we just do a getsockopt() here and set the + * So why don't we just do a getsockopt() here and set the
+ * ssh window to that? In the case of a autotuning receive + * ssh window to that? In the case of a autotuning receive
+ * window the window would get stuck at the initial buffer + * window the window would get stuck at the initial buffer
+ * size generally less than 96k. Therefore we need to set the + * size generally less than 96k. Therefore we need to set the
+ * maximum ssh window size to the maximum hpn buffer size + * maximum ssh window size to the maximum hpn buffer size
+ * unless the user has specifically set the tcprcvbufpoll + * unless the user has specifically set the tcprcvbufpoll
+ * to no. In which case we *can* just set the window to the + * to no. In which case we *can* just set the window to the
+ * minimum of the hpn buffer size and tcp receive buffer size + * minimum of the hpn buffer size and tcp receive buffer size.
+ */ + */
+ +
+ if (tty_flag) + if (tty_flag)
+ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; + options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
+ else + else
+ options.hpn_buffer_size = 2*1024*1024; + options.hpn_buffer_size = 2 * 1024 * 1024;
+ +
+ if (datafellows & SSH_BUG_LARGEWINDOW) { + if (datafellows & SSH_BUG_LARGEWINDOW) {
+ debug("HPN to Non-HPN Connection"); + debug("HPN to Non-HPN Connection");
+ } else { + } else {
+ int sock, socksize; + int sock, socksize;
+ socklen_t socksizelen = sizeof(socksize); + socklen_t socksizelen;
+
+ if (options.tcp_rcv_buf_poll <= 0) { + if (options.tcp_rcv_buf_poll <= 0) {
+ sock = socket(AF_INET, SOCK_STREAM, 0); + sock = socket(AF_INET, SOCK_STREAM, 0);
+ socksizelen = sizeof(socksize);
+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, + getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+ &socksize, &socksizelen); + &socksize, &socksizelen);
+ close(sock); + close(sock);
+ debug("socksize %d", socksize); + debug("socksize %d", socksize);
+ options.hpn_buffer_size = socksize; + options.hpn_buffer_size = socksize;
+ debug ("HPNBufferSize set to TCP RWIN: %d", + debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
+ options.hpn_buffer_size);
+ } else { + } else {
+ if (options.tcp_rcv_buf > 0) { + if (options.tcp_rcv_buf > 0) {
+ /* + /*
+ * create a socket but don't connect it. + * Create a socket but don't connect it:
+ * we use that the get the rcv socket size + * we use that the get the rcv socket size
+ */ + */
+ sock = socket(AF_INET, SOCK_STREAM, 0); + sock = socket(AF_INET, SOCK_STREAM, 0);
+ /* + /*
+ * if they are using the tcp_rcv_buf option + * If they are using the tcp_rcv_buf option,
+ * attempt to set the buffer size to that + * attempt to set the buffer size to that.
+ */ + */
+ if (options.tcp_rcv_buf) + if (options.tcp_rcv_buf) {
+ socksizelen = sizeof(options.tcp_rcv_buf);
+ setsockopt(sock, SOL_SOCKET, SO_RCVBUF, + setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+ (void *)&options.tcp_rcv_buf, + &options.tcp_rcv_buf, socksizelen);
+ sizeof(options.tcp_rcv_buf)); + }
+ socksizelen = sizeof(socksize);
+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, + getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+ &socksize, &socksizelen); + &socksize, &socksizelen);
+ close(sock); + close(sock);
+ debug("socksize %d", socksize); + debug("socksize %d", socksize);
+ options.hpn_buffer_size = socksize; + options.hpn_buffer_size = socksize;
+ debug ("HPNBufferSize set to user TCPRcvBuf: " + debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
+ "%d", options.hpn_buffer_size);
+ } + }
+ } + }
+ } + }
+ +
+ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size); + debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
+ +
+ window = options.hpn_buffer_size;
+
+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
+}
+
/* open new channel for a session */
static int
ssh_session2_open(struct ssh *ssh)
@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh)
if (!isatty(err))
set_nonblock(err);
+#ifdef HPN_ENABLED
+ window = options.hpn_buffer_size;
+#else +#else
window = CHAN_SES_WINDOW_DEFAULT; window = CHAN_SES_WINDOW_DEFAULT;
+#endif +#endif
@ -1012,7 +1021,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
window >>= 1; window >>= 1;
packetmax >>= 1; packetmax >>= 1;
} }
@@ -1859,6 +1943,12 @@ @@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh)
window, packetmax, CHAN_EXTENDED_WRITE, window, packetmax, CHAN_EXTENDED_WRITE,
"client-session", /*nonblock*/0); "client-session", /*nonblock*/0);
@ -1022,17 +1031,47 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ debug ("Enabled Dynamic Window Scaling"); + debug ("Enabled Dynamic Window Scaling");
+ } + }
+#endif +#endif
debug3("ssh_session2_open: channel_new: %d", c->self); debug3("%s: channel_new: %d", __func__, c->self);
channel_send_open(c->self); channel_send_open(ssh, c->self);
--- work.clean/openssh-6.8p1/sshconnect.c 2015-03-17 00:49:20.000000000 -0500 @@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
+++ work/openssh-6.8p1/sshconnect.c 2015-04-03 16:32:38.204744000 -0500 {
@@ -266,6 +266,31 @@ int devnull, id = -1;
kill(proxy_command_pid, SIGHUP); char *cp, *tun_fwd_ifname = NULL;
} +
+#ifdef HPN_ENABLED
+ /*
+ * We need to initialize this early because the forwarding logic below
+ * might open channels that use the hpn buffer sizes. We can't send a
+ * window of -1 (the default) to the server as it breaks things.
+ */
+ hpn_options_init();
+#endif
/* XXX should be pre-session */
if (!options.control_persist)
--- work/openssh-7.7p1/sshbuf.h.orig 2018-06-27 16:11:24.503058000 -0700
+++ work/openssh-7.7p1/sshbuf.h 2018-06-27 16:12:01.359375000 -0700
@@ -28,7 +28,11 @@
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+/* +#define SSHBUF_SIZE_MAX 0xF000000 /* Hard maximum size 256MB */
+#else
#define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */
+#endif
#define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */
#define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */
#define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */
--- work/openssh-7.7p1/sshconnect.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/sshconnect.c 2018-06-26 15:55:19.103812000 -0700
@@ -337,7 +337,32 @@ check_ifaddrs(const char *ifname, int af, const struct
}
#endif
+#ifdef HPN_ENABLED
/*
+ * Set TCP receive buffer if requested. + * Set TCP receive buffer if requested.
+ * Note: tuning needs to happen after the socket is + * Note: tuning needs to happen after the socket is
+ * created but before the connection happens + * created but before the connection happens
@ -1056,10 +1095,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+} +}
+#endif +#endif
+ +
/* +/*
* Creates a (possibly privileged) socket for use as the ssh connection. * Creates a (possibly privileged) socket for use as the ssh connection.
*/ */
@@ -282,6 +307,11 @@ static int
@@ -359,6 +384,11 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
} }
fcntl(sock, F_SETFD, FD_CLOEXEC); fcntl(sock, F_SETFD, FD_CLOEXEC);
@ -1069,54 +1109,42 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif +#endif
+ +
/* Bind the socket to an alternative local IP address */ /* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && !privileged) if (options.bind_address == NULL && options.bind_interface == NULL &&
return sock; !privileged)
@@ -523,11 +553,23 @@ send_client_banner(int connection_out, i @@ -637,8 +667,14 @@ static void
send_client_banner(int connection_out, int minor1)
{ {
/* Send our own protocol version identification. */ /* Send our own protocol version identification. */
if (compat20) { - xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); + xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n", + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ options.hpn_disabled ? "" : SSH_HPN + options.hpn_disabled ? "" : SSH_HPN
+#else +#else
+ "" + ""
+#endif +#endif
+ ); + );
} else { if (atomicio(vwrite, connection_out, client_version_string,
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\n",
+ PROTOCOL_MAJOR_1, minor1, SSH_VERSION,
+#ifdef HPN_ENABLED
+ options.hpn_disabled ? "" : SSH_HPN
+#else
+ ""
+#endif
+ );
}
if (roaming_atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string)) strlen(client_version_string)) != strlen(client_version_string))
--- work.clean/openssh-7.2p1/sshconnect2.c.orig 2016-02-25 19:40:04.000000000 -0800 fatal("write: %.100s", strerror(errno));
+++ work.clean/openssh-7.2p1/sshconnect2.c 2016-02-29 08:06:31.134954000 -0800 --- work/openssh-7.7p1/sshconnect2.c.orig 2018-04-01 22:38:28.000000000 -0700
@@ -81,6 +81,14 @@ +++ work/openssh-7.7p1/sshconnect2.c 2018-06-27 17:11:17.543893000 -0700
@@ -81,7 +81,13 @@
extern char *client_version_string; extern char *client_version_string;
extern char *server_version_string; extern char *server_version_string;
extern Options options; extern Options options;
+#ifdef NONE_CIPHER_ENABLED +#ifdef NONE_CIPHER_ENABLED
+struct kex *xxx_kex;
+
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */ +/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */ +/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag; +extern int tty_flag;
+#endif +#endif
+
/* /*
* SSH2 key exchange * SSH2 key exchange
@@ -154,14 +162,17 @@ order_hostkeyalgs(char *host, struct soc */
@@ -154,14 +160,17 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
return ret; return ret;
} }
@ -1135,17 +1163,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
xxx_host = host; xxx_host = host;
xxx_hostaddr = hostaddr; xxx_hostaddr = hostaddr;
@@ -235,6 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -409,6 +418,30 @@ ssh_userauth2(const char *local_user, const char *serv
packet_send();
packet_write_wait();
#endif
+#ifdef NONE_CIPHER_ENABLED
+ xxx_kex = kex;
+#endif
}
/*
@@ -407,6 +421,29 @@ ssh_userauth2(const char *local_user, co
if (!authctxt.success) if (!authctxt.success)
fatal("Authentication failed."); fatal("Authentication failed.");
@ -1159,9 +1177,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ if ((options.none_switch == 1) && (options.none_enabled == 1)) { + if ((options.none_switch == 1) && (options.none_enabled == 1)) {
+ if (!tty_flag) { /* no null on tty sessions */ + if (!tty_flag) { /* no null on tty sessions */
+ debug("Requesting none rekeying..."); + debug("Requesting none rekeying...");
+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
+ kex_prop2buf(xxx_kex->my, myproposal); + kex_prop2buf(active_state->kex->my, myproposal);
+ packet_request_rekeying(); + packet_request_rekeying();
+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
+ } else { + } else {
@ -1175,9 +1194,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
debug("Authentication succeeded (%s).", authctxt.method->name); debug("Authentication succeeded (%s).", authctxt.method->name);
} }
--- work.clean/openssh-7.1p1/sshd.c.orig 2015-08-20 21:49:03.000000000 -0700 --- work/openssh-7.7p1/sshd.c.orig 2018-04-01 22:38:28.000000000 -0700
+++ work.clean/openssh-7.1p1/sshd.c 2015-11-11 12:45:48.202186000 -0800 +++ work/openssh-7.7p1/sshd.c 2018-06-27 17:13:03.176633000 -0700
@@ -373,8 +373,13 @@ sshd_exchange_identification(struct ssh @@ -372,8 +372,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock
char buf[256]; /* Must not be larger than remote_version. */ char buf[256]; /* Must not be larger than remote_version. */
char remote_version[256]; /* Must be at least as big as buf. */ char remote_version[256]; /* Must be at least as big as buf. */
@ -1192,8 +1211,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
*options.version_addendum == '\0' ? "" : " ", *options.version_addendum == '\0' ? "" : " ",
options.version_addendum); options.version_addendum);
@@ -1027,6 +1032,10 @@ server_listen(void) @@ -1025,6 +1030,10 @@ listen_on_addrs(struct listenaddr *la)
int ret, listen_sock, on = 1; int ret, listen_sock;
struct addrinfo *ai; struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV]; char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
@ -1201,9 +1220,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ socklen_t socksizelen = sizeof(socksize); + socklen_t socksizelen = sizeof(socksize);
+#endif +#endif
for (ai = options.listen_addrs; ai; ai = ai->ai_next) { for (ai = la->addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -1072,6 +1081,13 @@ server_listen(void) @@ -1070,6 +1079,13 @@ listen_on_addrs(struct listenaddr *la)
debug("Bind to port %s on %s.", strport, ntop); debug("Bind to port %s on %s.", strport, ntop);
@ -1217,7 +1236,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* Bind the socket to the desired port. */ /* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
error("Bind to port %s on %s failed: %.200s.", error("Bind to port %s on %s failed: %.200s.",
@@ -1596,6 +1612,15 @@ main(int ac, char **av) @@ -1634,6 +1650,15 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */ /* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options); fill_default_server_options(&options);
@ -1233,9 +1252,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* challenge-response is implemented via keyboard interactive */ /* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication) if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1; options.kbd_interactive_authentication = 1;
@@ -2099,6 +2124,11 @@ main(int ac, char **av) @@ -2047,6 +2072,11 @@ main(int ac, char **av)
} rdomain == NULL ? "" : "\"");
#endif free(laddr);
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
+ /* set the HPN options for the child */ + /* set the HPN options for the child */
@ -1243,20 +1262,20 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif +#endif
+ +
/* /*
* In privilege separation, we fork another child and prepare * We don't want to listen forever unless the other side
* file descriptor passing. * successfully authenticates itself. So we set up an alarm which is
@@ -2177,6 +2207,11 @@ do_ssh2_kex(void) @@ -2212,6 +2242,11 @@ do_ssh2_kex(void)
char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
struct kex *kex; struct kex *kex;
int r; int r;
+
+#ifdef NONE_CIPHER_ENABLED +#ifdef NONE_CIPHER_ENABLED
+ if (options.none_enabled == 1) + if (options.none_enabled == 1)
+ debug ("WARNING: None cipher enabled"); + debug ("WARNING: None cipher enabled");
+#endif +#endif
+
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
options.kex_algorithms); options.kex_algorithms);
myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
--- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500 --- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
+++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500 +++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
@@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys
@ -1280,11 +1299,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
# Example of overriding settings on a per-user basis # Example of overriding settings on a per-user basis
#Match User anoncvs #Match User anoncvs
# X11Forwarding no # X11Forwarding no
--- work.clean/openssh-6.8p1/version.h 2015-04-01 22:07:18.258955000 -0500 --- work/openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-6.8p1/version.h 2015-04-02 16:51:25.209617000 -0500 +++ work/openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700
@@ -3,4 +3,5 @@ @@ -4,3 +4,4 @@
#define SSH_VERSION "OpenSSH_6.8"
#define SSH_PORTABLE "p1" #define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_HPN "-hpn14v5" +#define SSH_HPN "-hpn14v15"


@ -6,17 +6,17 @@ Changed paths:
Apply FreeBSD's configuration defaults. Apply FreeBSD's configuration defaults.
--- servconf.c.orig 2018-06-19 09:26:26 UTC --- servconf.c.orig 2018-06-27 17:18:19.513676000 -0700
+++ servconf.c +++ servconf.c 2018-06-27 17:19:38.133882000 -0700
@@ -63,6 +63,7 @@ @@ -41,6 +41,7 @@
#include "auth.h" #include <util.h>
#include "myproposal.h" #endif
#include "digest.h"
+#include "version.h"
static void add_listen_addr(ServerOptions *, const char *, +#include "version.h"
const char *, int); #include "openbsd-compat/sys-queue.h"
@@ -240,7 +241,11 @@ fill_default_server_options(ServerOption #include "xmalloc.h"
#include "ssh.h"
@@ -251,7 +252,11 @@ fill_default_server_options(ServerOptions *options)
/* Portable-specific options */ /* Portable-specific options */
if (options->use_pam == -1) if (options->use_pam == -1)
@ -28,7 +28,7 @@ Apply FreeBSD's configuration defaults.
/* Standard Options */ /* Standard Options */
if (options->num_host_key_files == 0) { if (options->num_host_key_files == 0) {
@@ -280,7 +285,7 @@ fill_default_server_options(ServerOption @@ -291,7 +296,7 @@ fill_default_server_options(ServerOptions *options)
if (options->print_lastlog == -1) if (options->print_lastlog == -1)
options->print_lastlog = 1; options->print_lastlog = 1;
if (options->x11_forwarding == -1) if (options->x11_forwarding == -1)
@ -37,7 +37,7 @@ Apply FreeBSD's configuration defaults.
if (options->x11_display_offset == -1) if (options->x11_display_offset == -1)
options->x11_display_offset = 10; options->x11_display_offset = 10;
if (options->x11_use_localhost == -1) if (options->x11_use_localhost == -1)
@@ -320,7 +325,11 @@ fill_default_server_options(ServerOption @@ -331,7 +336,11 @@ fill_default_server_options(ServerOptions *options)
if (options->gss_strict_acceptor == -1) if (options->gss_strict_acceptor == -1)
options->gss_strict_acceptor = 1; options->gss_strict_acceptor = 1;
if (options->password_authentication == -1) if (options->password_authentication == -1)