diff -u a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
|
|
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:45:28.550606801 -0700
|
|
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:56:36.240309581 -0700
|
|
@@ -3,9 +3,9 @@
|
|
--- a/Makefile.in
|
|
+++ b/Makefile.in
|
|
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
|
|
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
|
|
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
|
- PICFLAG=@PICFLAG@
|
|
+ LD=@LD@
|
|
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
|
|
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
|
|
-LIBS=@LIBS@
|
|
+LIBS=@LIBS@ -lpthread
|
|
K5LIBS=@K5LIBS@
|
|
@@ -803,8 +803,8 @@
|
|
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
|
|
{
|
|
struct session_state *state;
|
|
-- const struct sshcipher *none = cipher_by_name("none");
|
|
-+ struct sshcipher *none = cipher_by_name("none");
|
|
+- const struct sshcipher *none = cipher_none();
|
|
++ struct sshcipher *none = cipher_none();
|
|
int r;
|
|
|
|
if (none == NULL) {
|
|
@@ -898,20 +898,20 @@
|
|
options->fingerprint_hash = -1;
|
|
options->update_hostkeys = -1;
|
|
+ options->disable_multithreaded = -1;
|
|
- options->hostbased_accepted_algos = NULL;
|
|
- options->pubkey_accepted_algos = NULL;
|
|
- options->known_hosts_command = NULL;
|
|
+ }
|
|
+
|
|
+ /*
|
|
@@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
|
|
+ options->update_hostkeys = 0;
|
|
if (options->sk_provider == NULL)
|
|
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
|
|
- #endif
|
|
+ if (options->update_hostkeys == -1)
|
|
+ options->update_hostkeys = 0;
|
|
+ if (options->disable_multithreaded == -1)
|
|
+ options->disable_multithreaded = 0;
|
|
|
|
- /* Expand KEX name lists */
|
|
- all_cipher = cipher_alg_list(',', 0);
|
|
+ /* expand KEX and etc. name lists */
|
|
+ { char *all;
|
|
diff --git a/readconf.h b/readconf.h
|
|
index 2fba866e..7f8f0227 100644
|
|
--- a/readconf.h
|
|
@@ -950,9 +950,9 @@
|
|
/* Portable-specific options */
|
|
sUsePAM,
|
|
+ sDisableMTAES,
|
|
- /* Standard Options */
|
|
- sPort, sHostKeyFile, sLoginGraceTime,
|
|
- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
|
+ /* X.509 Standard Options */
|
|
+ sHostbasedAlgorithms,
|
|
+ sPubkeyAlgorithms,
|
|
@@ -662,6 +666,7 @@ static struct {
|
|
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
|
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
|
diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
|
|
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:29:42.953733894 -0700
|
|
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:47:54.198893025 -0700
|
|
@@ -157,6 +157,36 @@
|
|
+ Allan Jude provided the code for the NoneMac and buffer normalization.
|
|
+ This work was financed, in part, by Cisco System, Inc., the National
|
|
+ Library of Medicine, and the National Science Foundation.
|
|
+diff --git a/auth2.c b/auth2.c
|
|
+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
|
|
++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
|
|
+@@ -229,16 +229,17 @@
|
|
+ double delay;
|
|
+
|
|
+ digest_alg = ssh_digest_maxbytes();
|
|
+- len = ssh_digest_bytes(digest_alg);
|
|
+- hash = xmalloc(len);
|
|
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
|
|
++ hash = xmalloc(len);
|
|
+
|
|
+- (void)snprintf(b, sizeof b, "%llu%s",
|
|
+- (unsigned long long)options.timing_secret, user);
|
|
+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
|
|
+- fatal_f("ssh_digest_memory");
|
|
+- /* 0-4.2 ms of delay */
|
|
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
|
|
+- freezero(hash, len);
|
|
++ (void)snprintf(b, sizeof b, "%llu%s",
|
|
++ (unsigned long long)options.timing_secret, user);
|
|
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
|
|
++ fatal_f("ssh_digest_memory");
|
|
++ /* 0-4.2 ms of delay */
|
|
++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
|
|
++ freezero(hash, len);
|
|
++ }
|
|
+ debug3_f("user specific delay %0.3lfms", delay/1000);
|
|
+ return MIN_FAIL_DELAY_SECONDS + delay;
|
|
+ }
|
|
diff --git a/channels.c b/channels.c
|
|
index b60d56c4..0e363c15 100644
|
|
--- a/channels.c
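Review bot: The added auth2.c guard `if (len = ssh_digest_bytes(digest_alg) > 0) {` binds as `len = (ssh_digest_bytes(digest_alg) > 0)`, so `len` becomes 0 or 1 instead of the digest size and `xmalloc(len)` allocates a single byte. From there either `ssh_digest_memory` rejects the short buffer and the process exits through `fatal_f`, or `PEEK_U32(hash)` reads past the allocation; which of the two happens depends on code outside this hunk. Parenthesise the assignment the way the later hunk that sets `options.timing_secret` does: `if ((len = ssh_digest_bytes(digest_alg)) > 0) {`. `delay` is declared without an initialiser just above, so when the branch is skipped both `debug3_f` and the `return` use an indeterminate value; `double delay = 0;` would close that. The enclosing function starts outside the hunk.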
|
|
@@ -209,14 +239,14 @@
|
|
static void
|
|
channel_pre_open(struct ssh *ssh, Channel *c,
|
|
fd_set *readset, fd_set *writeset)
|
|
-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
|
|
+@@ -2164,21 +2164,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
|
|
|
|
if (c->type == SSH_CHANNEL_OPEN &&
|
|
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
|
|
- ((c->local_window_max - c->local_window >
|
|
- c->local_maxpacket*3) ||
|
|
-+ ((ssh_packet_is_interactive(ssh) &&
|
|
-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
|
|
++ ((ssh_packet_is_interactive(ssh) &&
|
|
++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
|
|
c->local_window < c->local_window_max/2) &&
|
|
c->local_consumed > 0) {
|
|
+ u_int addition = 0;
|
|
@@ -235,9 +265,8 @@
|
|
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
|
|
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
|
|
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
|
|
- (r = sshpkt_send(ssh)) != 0) {
|
|
- fatal_fr(r, "channel %i", c->self);
|
|
- }
|
|
+ (r = sshpkt_send(ssh)) != 0)
|
|
+ fatal_fr(r, "channel %d", c->self);
|
|
- debug2("channel %d: window %d sent adjust %d", c->self,
|
|
- c->local_window, c->local_consumed);
|
|
- c->local_window += c->local_consumed;
|
|
@@ -386,21 +415,45 @@
|
|
index 69befa96..90b5f338 100644
|
|
--- a/compat.c
|
|
+++ b/compat.c
|
|
-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
|
|
- debug_f("match: %s pat %s compat 0x%08x",
|
|
+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
|
|
+ static u_int
|
|
+ compat_datafellows(const char *version)
|
|
+ {
|
|
+- int i;
|
|
++ int i, bugs = 0;
|
|
+ static struct {
|
|
+ char *pat;
|
|
+ int bugs;
|
|
+@@ -147,11 +147,26 @@
|
|
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
|
|
+ debug("match: %s pat %s compat 0x%08x",
|
|
version, check[i].pat, check[i].bugs);
|
|
- ssh->compat = check[i].bugs;
|
|
+ /* Check to see if the remote side is OpenSSH and not HPN */
|
|
-+ /* TODO: need to use new method to test for this */
|
|
+ if (strstr(version, "OpenSSH") != NULL) {
|
|
+ if (strstr(version, "hpn") == NULL) {
|
|
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
|
|
++ bugs |= SSH_BUG_LARGEWINDOW;
|
|
+ debug("Remote is NON-HPN aware");
|
|
+ }
|
|
+ }
|
|
- return;
|
|
+- return check[i].bugs;
|
|
++ bugs |= check[i].bugs;
|
|
}
|
|
}
|
|
+- debug("no match: %s", version);
|
|
+- return 0;
|
|
++ /* Check to see if the remote side is OpenSSH and not HPN */
|
|
++ if (strstr(version, "OpenSSH") != NULL) {
|
|
++ if (strstr(version, "hpn") == NULL) {
|
|
++ bugs |= SSH_BUG_LARGEWINDOW;
|
|
++ debug("Remote is NON-HPN aware");
|
|
++ }
|
|
++ }
|
|
++ if (bugs == 0)
|
|
++ debug("no match: %s", version);
|
|
++ return bugs;
|
|
+ }
|
|
+
|
|
+ char *
|
|
diff --git a/compat.h b/compat.h
|
|
index c197fafc..ea2e17a7 100644
|
|
--- a/compat.h
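Review bot: Replacing `return check[i].bugs;` with `bugs |= check[i].bugs;` turns the table lookup from first-match into an OR over every matching pattern, which changes the resulting flags for any version string that matches more than one entry; the table is outside the hunk, so whether that can happen needs checking. If first-match is still intended, add `break;` after the assignment. The OpenSSH/"hpn" test now appears both inside the loop and again after it, and the copy after the loop already covers every case, so the in-loop copy can be dropped. `bugs` is declared `int` while the function returns `u_int`; `u_int bugs = 0;` on a line of its own would match the return type. Since `version` is the peer's banner, `SSH_BUG_LARGEWINDOW` is a hint the remote side controls rather than a verified property, which deserves a comment at the `strstr` checks.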
|
|
@@ -459,7 +512,7 @@
|
|
@@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
|
|
int nenc, nmac, ncomp;
|
|
u_int mode, ctos, need, dh_need, authlen;
|
|
- int r, first_kex_follows;
|
|
+ int r, first_kex_follows = 0;
|
|
+ int auth_flag = 0;
|
|
+
|
|
+ auth_flag = packet_authentication_state(ssh);
|
|
@@ -1035,19 +1088,6 @@
|
|
|
|
/* File to read commands from */
|
|
FILE* infile;
|
|
-diff --git a/ssh-keygen.c b/ssh-keygen.c
|
|
-index cfb5f115..36a6e519 100644
|
|
---- a/ssh-keygen.c
|
|
-+++ b/ssh-keygen.c
|
|
-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
|
|
- freezero(pin, strlen(pin));
|
|
- error_r(r, "Unable to load resident keys");
|
|
- return -1;
|
|
-- }
|
|
-+ }
|
|
- if (nkeys == 0)
|
|
- logit("No keys to download");
|
|
- if (pin != NULL)
|
|
diff --git a/ssh.c b/ssh.c
|
|
index 53330da5..27b9770e 100644
|
|
--- a/ssh.c
|
|
@@ -1093,7 +1133,7 @@
|
|
+ else
|
|
+ options.hpn_buffer_size = 2 * 1024 * 1024;
|
|
+
|
|
-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
|
|
++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
|
|
+ debug("HPN to Non-HPN Connection");
|
|
+ } else {
|
|
+ int sock, socksize;
|
|
@@ -1335,6 +1375,28 @@
|
|
/* Bind the socket to the desired port. */
|
|
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
|
error("Bind to port %s on %s failed: %.200s.",
|
|
+@@ -1625,13 +1625,14 @@
|
|
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
|
|
+ sshbuf_len(server_cfg)) != 0)
|
|
+ fatal_f("ssh_digest_update");
|
|
+- len = ssh_digest_bytes(digest_alg);
|
|
+- hash = xmalloc(len);
|
|
+- if (ssh_digest_final(ctx, hash, len) != 0)
|
|
+- fatal_f("ssh_digest_final");
|
|
+- options.timing_secret = PEEK_U64(hash);
|
|
+- freezero(hash, len);
|
|
+- ssh_digest_free(ctx);
|
|
++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
|
|
++ hash = xmalloc(len);
|
|
++ if (ssh_digest_final(ctx, hash, len) != 0)
|
|
++ fatal_f("ssh_digest_final");
|
|
++ options.timing_secret = PEEK_U64(hash);
|
|
++ freezero(hash, len);
|
|
++ ssh_digest_free(ctx);
|
|
++ }
|
|
+ ctx = NULL;
|
|
+ return;
|
|
+ }
|
|
@@ -1727,6 +1734,19 @@ main(int ac, char **av)
|
|
/* Fill in default values for those options not explicitly set. */
|
|
fill_default_server_options(&options);
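Review bot: Moving `ssh_digest_free(ctx);` inside the new `if ((len = ssh_digest_bytes(digest_alg)) > 0) {` block means that when the branch is skipped, `ctx = NULL;` drops the digest context without freeing it and `options.timing_secret` keeps whatever value it had before. That secret is mixed into the per-user failure delay in the auth2.c hunk of this same patch, so silently continuing without it presumably makes the delay predictable; failing closed looks safer than skipping. Keep `ssh_digest_free(ctx);` after the closing brace, and give the zero-length case an explicit `else fatal_f("ssh_digest_bytes");` (message text is a suggestion). The enclosing function starts outside the hunk.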
|
|
@@ -1405,14 +1467,3 @@
|
|
# Example of overriding settings on a per-user basis
|
|
#Match User anoncvs
|
|
# X11Forwarding no
|
|
-diff --git a/version.h b/version.h
|
|
-index 6b4fa372..332fb486 100644
|
|
---- a/version.h
|
|
-+++ b/version.h
|
|
-@@ -3,4 +3,5 @@
|
|
- #define SSH_VERSION "OpenSSH_8.5"
|
|
-
|
|
- #define SSH_PORTABLE "p1"
|
|
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
|
-+#define SSH_HPN "-hpn15v2"
|
|
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
|
|
diff -u a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
|
|
--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 17:45:28.550606801 -0700
|
|
+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 18:39:10.262087944 -0700
|
|
@@ -12,9 +12,9 @@
|
|
static long stalled; /* how long we have been stalled */
|
|
static int bytes_per_second; /* current speed in bytes per second */
|
|
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
|
|
+ off_t bytes_left;
|
|
int cur_speed;
|
|
- int hours, minutes, seconds;
|
|
- int file_len;
|
|
+ int len;
|
|
+ off_t delta_pos;
|
|
|
|
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
|
|
@@ -30,15 +30,17 @@
|
|
if (bytes_left > 0)
|
|
elapsed = now - last_update;
|
|
else {
|
|
-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
|
|
-
|
|
+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
|
|
+ buf[1] = '\0';
|
|
+
|
|
/* filename */
|
|
- buf[0] = '\0';
|
|
-- file_len = win_size - 36;
|
|
-+ file_len = win_size - 45;
|
|
- if (file_len > 0) {
|
|
- buf[0] = '\r';
|
|
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
|
|
+- if (win_size > 36) {
|
|
++ if (win_size > 45) {
|
|
+- int file_len = win_size - 36;
|
|
++ int file_len = win_size - 45;
|
|
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
|
|
+ file_len, file);
|
|
+ }
|
|
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
|
|
(off_t)bytes_per_second);
|
|
strlcat(buf, "/s ", win_size);
|
|
@@ -63,15 +65,3 @@
|
|
}
|
|
|
|
/*ARGSUSED*/
|
|
-diff --git a/ssh-keygen.c b/ssh-keygen.c
|
|
-index cfb5f115..986ff59b 100644
|
|
---- a/ssh-keygen.c
|
|
-+++ b/ssh-keygen.c
|
|
-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
|
|
-
|
|
- if (skprovider == NULL)
|
|
- fatal("Cannot download keys without provider");
|
|
--
|
|
- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
|
|
- if (!quiet) {
|
|
- printf("You may need to touch your authenticator "
|