You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
195 lines
6.9 KiB
195 lines
6.9 KiB
diff -ur --exclude '.*.un*' a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff
|
|
--- a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2019-04-18 15:07:06.748067368 -0700
|
|
+++ b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2019-04-18 19:42:26.689298696 -0700
|
|
@@ -998,7 +998,7 @@
|
|
+ * so we repoint the define to the multithreaded evp. To start the threads we
|
|
+ * then force a rekey
|
|
+ */
|
|
-+ const void *cc = ssh_packet_get_send_context(active_state);
|
|
++ const void *cc = ssh_packet_get_send_context(ssh);
|
|
+
|
|
+ /* only do this for the ctr cipher. otherwise gcm mode breaks. Don't know why though */
|
|
+ if (strstr(cipher_ctx_name(cc), "ctr")) {
|
|
@@ -1028,7 +1028,7 @@
|
|
+ * so we repoint the define to the multithreaded evp. To start the threads we
|
|
+ * then force a rekey
|
|
+ */
|
|
-+ const void *cc = ssh_packet_get_send_context(active_state);
|
|
++ const void *cc = ssh_packet_get_send_context(ssh);
|
|
+
|
|
+ /* only rekey if necessary. If we don't do this gcm mode cipher breaks */
|
|
+ if (strstr(cipher_ctx_name(cc), "ctr")) {
|
|
diff -ur --exclude '.*.un*' a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff
|
|
--- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 15:07:11.289035776 -0700
|
|
+++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 17:07:59.413376785 -0700
|
|
@@ -162,24 +162,24 @@
|
|
}
|
|
|
|
+static int
|
|
-+channel_tcpwinsz(void)
|
|
++channel_tcpwinsz(struct ssh *ssh)
|
|
+{
|
|
+ u_int32_t tcpwinsz = 0;
|
|
+ socklen_t optsz = sizeof(tcpwinsz);
|
|
+ int ret = -1;
|
|
+
|
|
+ /* if we aren't on a socket return 128KB */
|
|
-+ if (!packet_connection_is_on_socket())
|
|
++ if (!ssh_packet_connection_is_on_socket(ssh))
|
|
+ return 128 * 1024;
|
|
+
|
|
-+ ret = getsockopt(packet_get_connection_in(),
|
|
++ ret = getsockopt(ssh_packet_get_connection_in(ssh),
|
|
+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
|
|
+ /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
|
|
+ if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
|
|
+ tcpwinsz = SSHBUF_SIZE_MAX;
|
|
+
|
|
+ debug2("tcpwinsz: tcp connection %d, Receive window: %d",
|
|
-+ packet_get_connection_in(), tcpwinsz);
|
|
++ ssh_packet_get_connection_in(ssh), tcpwinsz);
|
|
+ return tcpwinsz;
|
|
+}
|
|
+
|
|
@@ -191,7 +191,7 @@
|
|
c->local_window < c->local_window_max/2) &&
|
|
c->local_consumed > 0) {
|
|
+ u_int addition = 0;
|
|
-+ u_int32_t tcpwinsz = channel_tcpwinsz();
|
|
++ u_int32_t tcpwinsz = channel_tcpwinsz(ssh);
|
|
+ /* adjust max window size if we are in a dynamic environment */
|
|
+ if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
|
|
+ /* grow the window somewhat aggressively to maintain pressure */
|
|
@@ -409,18 +409,10 @@
|
|
index dcf35e6..da4ced0 100644
|
|
--- a/packet.c
|
|
+++ b/packet.c
|
|
-@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
|
+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
|
return 0;
|
|
}
|
|
|
|
-+/* this supports the forced rekeying required for the NONE cipher */
|
|
-+int rekey_requested = 0;
|
|
-+void
|
|
-+packet_request_rekeying(void)
|
|
-+{
|
|
-+ rekey_requested = 1;
|
|
-+}
|
|
-+
|
|
+/* used to determine if pre or post auth when rekeying for aes-ctr
|
|
+ * and none cipher switch */
|
|
+int
|
|
@@ -434,20 +426,6 @@
|
|
#define MAX_PACKETS (1U<<31)
|
|
static int
|
|
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
|
|
-@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
|
|
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
|
|
- return 0;
|
|
-
|
|
-+ /* used to force rekeying when called for by the none
|
|
-+ * cipher switch methods -cjr */
|
|
-+ if (rekey_requested == 1) {
|
|
-+ rekey_requested = 0;
|
|
-+ return 1;
|
|
-+ }
|
|
-+
|
|
- /* Time-based rekeying */
|
|
- if (state->rekey_interval != 0 &&
|
|
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
|
|
diff --git a/packet.h b/packet.h
|
|
index 170203c..f4d9df2 100644
|
|
--- a/packet.h
|
|
@@ -476,9 +454,9 @@
|
|
/* Format of the configuration file:
|
|
|
|
@@ -166,6 +167,8 @@ typedef enum {
|
|
- oHashKnownHosts,
|
|
oTunnel, oTunnelDevice,
|
|
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
|
+ oDisableMTAES,
|
|
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
|
|
+ oNoneEnabled, oNoneSwitch,
|
|
oVisualHostKey,
|
|
@@ -615,9 +593,9 @@
|
|
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
|
|
SyslogFacility log_facility; /* Facility for system logging. */
|
|
@@ -111,7 +115,10 @@ typedef struct {
|
|
-
|
|
int enable_ssh_keysign;
|
|
int64_t rekey_limit;
|
|
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
|
|
+ int none_switch; /* Use none cipher */
|
|
+ int none_enabled; /* Allow none to be used */
|
|
int rekey_interval;
|
|
@@ -673,9 +651,9 @@
|
|
/* Portable-specific options */
|
|
if (options->use_pam == -1)
|
|
@@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
|
|
- }
|
|
- if (options->permit_tun == -1)
|
|
options->permit_tun = SSH_TUNMODE_NO;
|
|
+ if (options->disable_multithreaded == -1)
|
|
+ options->disable_multithreaded = 0;
|
|
+ if (options->none_enabled == -1)
|
|
+ options->none_enabled = 0;
|
|
+ if (options->hpn_disabled == -1)
|
|
@@ -1092,7 +1070,7 @@
|
|
xxx_host = host;
|
|
xxx_hostaddr = hostaddr;
|
|
|
|
-@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
|
|
+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
|
|
|
|
if (!authctxt.success)
|
|
fatal("Authentication failed.");
|
|
@@ -1108,7 +1086,7 @@
|
|
+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
|
|
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
|
|
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
|
|
-+ kex_prop2buf(active_state->kex->my, myproposal);
|
|
++ kex_prop2buf(ssh->kex->my, myproposal);
|
|
+ packet_request_rekeying();
|
|
+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
|
|
+ } else {
|
|
@@ -1117,23 +1095,13 @@
|
|
+ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
|
|
+ }
|
|
+ }
|
|
-+
|
|
- debug("Authentication succeeded (%s).", authctxt.method->name);
|
|
- }
|
|
|
|
+ #ifdef WITH_OPENSSL
|
|
+ if (options.disable_multithreaded == 0) {
|
|
diff --git a/sshd.c b/sshd.c
|
|
index a738c3a..b32dbe0 100644
|
|
--- a/sshd.c
|
|
+++ b/sshd.c
|
|
-@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
|
|
- char remote_version[256]; /* Must be at least as big as buf. */
|
|
-
|
|
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
|
|
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
|
|
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
|
|
- *options.version_addendum == '\0' ? "" : " ",
|
|
- options.version_addendum);
|
|
-
|
|
@@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
|
|
int ret, listen_sock;
|
|
struct addrinfo *ai;
|
|
@@ -1217,11 +1185,10 @@
|
|
index f1bbf00..21a70c2 100644
|
|
--- a/version.h
|
|
+++ b/version.h
|
|
-@@ -3,4 +3,6 @@
|
|
+@@ -3,4 +3,5 @@
|
|
#define SSH_VERSION "OpenSSH_7.8"
|
|
|
|
#define SSH_PORTABLE "p1"
|
|
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
|
-+#define SSH_HPN "-hpn14v16"
|
|
+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
|
|
+
|