You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
243 lines
8.5 KiB
243 lines
8.5 KiB
diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
|
|
--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:08:18.300474672 -0800
|
|
+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:18:42.408298903 -0800
|
|
@@ -894,9 +894,9 @@
|
|
intptr = &options->compression;
|
|
multistate_ptr = multistate_compression;
|
|
@@ -2062,6 +2068,7 @@ initialize_options(Options * options)
|
|
- options->update_hostkeys = -1;
|
|
- options->hostbased_key_types = NULL;
|
|
- options->pubkey_key_types = NULL;
|
|
+ options->hostbased_accepted_algos = NULL;
|
|
+ options->pubkey_accepted_algos = NULL;
|
|
+ options->known_hosts_command = NULL;
|
|
+ options->disable_multithreaded = -1;
|
|
}
|
|
|
|
diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
|
|
--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 11:08:18.300474672 -0800
|
|
+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 12:53:24.117319233 -0800
|
|
@@ -209,7 +209,7 @@
|
|
static void
|
|
channel_pre_open(struct ssh *ssh, Channel *c,
|
|
fd_set *readset, fd_set *writeset)
|
|
-@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c)
|
|
+@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
|
|
|
|
if (c->type == SSH_CHANNEL_OPEN &&
|
|
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
|
|
@@ -229,22 +229,19 @@
|
|
+ debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
|
|
+ }
|
|
if (!c->have_remote_id)
|
|
- fatal(":%s: channel %d: no remote id",
|
|
- __func__, c->self);
|
|
+ fatal_f("channel %d: no remote id", c->self);
|
|
if ((r = sshpkt_start(ssh,
|
|
SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
|
|
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
|
|
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
|
|
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
|
|
(r = sshpkt_send(ssh)) != 0) {
|
|
- fatal("%s: channel %i: %s", __func__,
|
|
- c->self, ssh_err(r));
|
|
+ fatal_fr(r, "channel %i", c->self);
|
|
}
|
|
- debug2("channel %d: window %d sent adjust %d",
|
|
- c->self, c->local_window,
|
|
-- c->local_consumed);
|
|
+ debug2("channel %d: window %d sent adjust %d", c->self,
|
|
+- c->local_window, c->local_consumed);
|
|
- c->local_window += c->local_consumed;
|
|
-+ c->local_consumed + addition);
|
|
++ c->local_window, c->local_consumed + addition);
|
|
+ c->local_window += c->local_consumed + addition;
|
|
c->local_consumed = 0;
|
|
}
|
|
@@ -387,18 +384,18 @@
|
|
index dec8e7e9..3c11558e 100644
|
|
--- a/compat.c
|
|
+++ b/compat.c
|
|
-@@ -150,6 +150,13 @@ compat_datafellows(const char *version)
|
|
- debug("match: %s pat %s compat 0x%08x",
|
|
+@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
|
|
+ debug_f("match: %s pat %s compat 0x%08x",
|
|
version, check[i].pat, check[i].bugs);
|
|
- datafellows = check[i].bugs; /* XXX for now */
|
|
+ ssh->compat = check[i].bugs;
|
|
+ /* Check to see if the remote side is OpenSSH and not HPN */
|
|
+ if (strstr(version, "OpenSSH") != NULL) {
|
|
+ if (strstr(version, "hpn") == NULL) {
|
|
-+ datafellows |= SSH_BUG_LARGEWINDOW;
|
|
++ ssh->compat |= SSH_BUG_LARGEWINDOW;
|
|
+ debug("Remote is NON-HPN aware");
|
|
+ }
|
|
+ }
|
|
- return check[i].bugs;
|
|
+ return;
|
|
}
|
|
}
|
|
diff --git a/compat.h b/compat.h
|
|
@@ -431,9 +428,9 @@
|
|
--- a/digest-openssl.c
|
|
+++ b/digest-openssl.c
|
|
@@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
|
|
- { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
|
|
+ { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
|
|
{ SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 },
|
|
- { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
|
|
+ { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
|
|
+ { SSH_DIGEST_NULL, "NONEMAC", 0, EVP_md_null},
|
|
{ -1, NULL, 0, NULL },
|
|
};
|
|
@@ -536,18 +533,10 @@
|
|
if (state->rekey_limit)
|
|
*max_blocks = MINIMUM(*max_blocks,
|
|
state->rekey_limit / enc->block_size);
|
|
-@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
|
+@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
|
return 0;
|
|
}
|
|
|
|
-+/* this supports the forced rekeying required for the NONE cipher */
|
|
-+int rekey_requested = 0;
|
|
-+void
|
|
-+packet_request_rekeying(void)
|
|
-+{
|
|
-+ rekey_requested = 1;
|
|
-+}
|
|
-+
|
|
+/* used to determine if pre or post auth when rekeying for aes-ctr
|
|
+ * and none cipher switch */
|
|
+int
|
|
@@ -561,20 +550,6 @@
|
|
#define MAX_PACKETS (1U<<31)
|
|
static int
|
|
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
|
|
-@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
|
|
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
|
|
- return 0;
|
|
-
|
|
-+ /* used to force rekeying when called for by the none
|
|
-+ * cipher switch methods -cjr */
|
|
-+ if (rekey_requested == 1) {
|
|
-+ rekey_requested = 0;
|
|
-+ return 1;
|
|
-+ }
|
|
-+
|
|
- /* Time-based rekeying */
|
|
- if (state->rekey_interval != 0 &&
|
|
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
|
|
@@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
|
struct session_state *state = ssh->state;
|
|
int len, r, ms_remain;
|
|
@@ -622,9 +597,9 @@
|
|
/* Format of the configuration file:
|
|
|
|
@@ -165,6 +166,8 @@ typedef enum {
|
|
- oHashKnownHosts,
|
|
oTunnel, oTunnelDevice,
|
|
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
|
+ oDisableMTAES,
|
|
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
|
|
+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
|
|
oVisualHostKey,
|
|
@@ -778,9 +753,9 @@
|
|
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
|
|
SyslogFacility log_facility; /* Facility for system logging. */
|
|
@@ -115,7 +119,11 @@ typedef struct {
|
|
-
|
|
int enable_ssh_keysign;
|
|
int64_t rekey_limit;
|
|
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
|
|
+ int none_switch; /* Use none cipher */
|
|
+ int none_enabled; /* Allow none cipher to be used */
|
|
+ int nonemac_enabled; /* Allow none MAC to be used */
|
|
@@ -888,9 +863,9 @@
|
|
+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
|
|
+ }
|
|
+
|
|
+ if (options->disable_multithreaded == -1)
|
|
+ options->disable_multithreaded = 0;
|
|
if (options->ip_qos_interactive == -1)
|
|
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
|
|
- if (options->ip_qos_bulk == -1)
|
|
@@ -511,6 +564,8 @@ typedef enum {
|
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
|
sListenAddress, sAddressFamily,
|
|
@@ -1091,7 +1066,7 @@
|
|
}
|
|
|
|
+static void
|
|
-+hpn_options_init(void)
|
|
++hpn_options_init(struct ssh *ssh)
|
|
+{
|
|
+ /*
|
|
+ * We need to check to see if what they want to do about buffer
|
|
@@ -1116,7 +1091,7 @@
|
|
+ else
|
|
+ options.hpn_buffer_size = 2 * 1024 * 1024;
|
|
+
|
|
-+ if (datafellows & SSH_BUG_LARGEWINDOW) {
|
|
++ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
|
|
+ debug("HPN to Non-HPN Connection");
|
|
+ } else {
|
|
+ int sock, socksize;
|
|
@@ -1186,7 +1161,7 @@
|
|
+ c->dynamic_window = 1;
|
|
+ debug("Enabled Dynamic Window Scaling");
|
|
+ }
|
|
- debug3("%s: channel_new: %d", __func__, c->self);
|
|
+ debug3_f("channel_new: %d", c->self);
|
|
|
|
channel_send_open(ssh, c->self);
|
|
@@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
|
|
@@ -1198,7 +1173,7 @@
|
|
+ * might open channels that use the hpn buffer sizes. We can't send a
|
|
+ * window of -1 (the default) to the server as it breaks things.
|
|
+ */
|
|
-+ hpn_options_init();
|
|
++ hpn_options_init(ssh);
|
|
+
|
|
/* XXX should be pre-session */
|
|
if (!options.control_persist)
|
|
@@ -1297,11 +1272,10 @@
|
|
xxx_host = host;
|
|
xxx_hostaddr = hostaddr;
|
|
|
|
-@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
|
|
-
|
|
+@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
|
|
if (!authctxt.success)
|
|
fatal("Authentication failed.");
|
|
-+
|
|
+
|
|
+ /*
|
|
+ * If the user wants to use the none cipher, do it post authentication
|
|
+ * and only if the right conditions are met -- both of the NONE commands
|
|
@@ -1329,9 +1303,9 @@
|
|
+ }
|
|
+ }
|
|
+
|
|
- debug("Authentication succeeded (%s).", authctxt.method->name);
|
|
- }
|
|
-
|
|
+ #ifdef WITH_OPENSSL
|
|
+ if (options.disable_multithreaded == 0) {
|
|
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
|
|
diff --git a/sshd.c b/sshd.c
|
|
index 8aa7f3df..d0e3f1b0 100644
|
|
--- a/sshd.c
|
|
@@ -1397,9 +1371,9 @@
|
|
+ if (options.nonemac_enabled == 1)
|
|
+ debug("WARNING: None MAC enabled");
|
|
+
|
|
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
|
|
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
|
|
options.kex_algorithms);
|
|
- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
|
|
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
|
|
diff --git a/sshd_config b/sshd_config
|
|
index 19b7c91a..cdd889b2 100644
|
|
--- a/sshd_config
|