diff options
Diffstat (limited to 'net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch')
-rw-r--r-- | net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch | 242 |
1 files changed, 242 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch new file mode 100644 index 000000000000..ec6e687271cf --- /dev/null +++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch @@ -0,0 +1,242 @@ +diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff +--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:08:18.300474672 -0800 ++++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:18:42.408298903 -0800 +@@ -894,9 +894,9 @@ + intptr = &options->compression; + multistate_ptr = multistate_compression; + @@ -2062,6 +2068,7 @@ initialize_options(Options * options) +- options->update_hostkeys = -1; +- options->hostbased_key_types = NULL; +- options->pubkey_key_types = NULL; ++ options->hostbased_accepted_algos = NULL; ++ options->pubkey_accepted_algos = NULL; ++ options->known_hosts_command = NULL; + + options->disable_multithreaded = -1; + } + +diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff +--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 11:08:18.300474672 -0800 ++++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 12:53:24.117319233 -0800 +@@ -209,7 +209,7 @@ + static void + channel_pre_open(struct ssh *ssh, Channel *c, + fd_set *readset, fd_set *writeset) +-@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c) ++@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c) + + if (c->type == SSH_CHANNEL_OPEN && + !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && +@@ -229,22 +229,19 @@ + + debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition); + + } + if (!c->have_remote_id) +- fatal(":%s: channel %d: no remote id", +- __func__, c->self); ++ fatal_f("channel %d: no remote id", c->self); + if ((r = sshpkt_start(ssh, + SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || + (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || + - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || + + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || + (r = sshpkt_send(ssh)) != 0) { +- fatal("%s: channel %i: %s", __func__, +- c->self, ssh_err(r)); ++ fatal_fr(r, "channel %i", c->self); + } +- debug2("channel %d: window %d sent adjust %d", +- c->self, c->local_window, +-- c->local_consumed); ++ debug2("channel %d: window %d sent adjust %d", c->self, ++- c->local_window, c->local_consumed); + - c->local_window += c->local_consumed; +-+ c->local_consumed + addition); +++ c->local_window, c->local_consumed + addition); + + c->local_window += c->local_consumed + addition; + c->local_consumed = 0; + } +@@ -387,18 +384,18 @@ + index dec8e7e9..3c11558e 100644 + --- a/compat.c + +++ b/compat.c +-@@ -150,6 +150,13 @@ compat_datafellows(const char *version) +- debug("match: %s pat %s compat 0x%08x", ++@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version) ++ debug_f("match: %s pat %s compat 0x%08x", + version, check[i].pat, check[i].bugs); +- datafellows = check[i].bugs; /* XXX for now */ ++ ssh->compat = check[i].bugs; + + /* Check to see if the remote side is OpenSSH and not HPN */ + + if (strstr(version, "OpenSSH") != NULL) { + + if (strstr(version, "hpn") == NULL) { +-+ datafellows |= SSH_BUG_LARGEWINDOW; +++ ssh->compat |= SSH_BUG_LARGEWINDOW; + + debug("Remote is NON-HPN aware"); + + } + + } +- return check[i].bugs; ++ return; + } + } + diff --git a/compat.h b/compat.h +@@ -431,9 +428,9 @@ + --- a/digest-openssl.c + +++ b/digest-openssl.c + @@ -61,6 +61,7 @@ const struct ssh_digest digests[] = { +- { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 }, ++ { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 }, + { SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 }, +- { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 }, ++ { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 }, + + { SSH_DIGEST_NULL, "NONEMAC", 0, EVP_md_null}, + { -1, NULL, 0, NULL }, + }; +@@ -536,18 +533,10 @@ + if (state->rekey_limit) + *max_blocks = MINIMUM(*max_blocks, + state->rekey_limit / enc->block_size); +-@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) ++@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) + return 0; + } + +-+/* this supports the forced rekeying required for the NONE cipher */ +-+int rekey_requested = 0; +-+void +-+packet_request_rekeying(void) +-+{ +-+ rekey_requested = 1; +-+} +-+ + +/* used to determine if pre or post auth when rekeying for aes-ctr + + * and none cipher switch */ + +int +@@ -561,20 +550,6 @@ + #define MAX_PACKETS (1U<<31) + static int + ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +-@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +- if (state->p_send.packets == 0 && state->p_read.packets == 0) +- return 0; +- +-+ /* used to force rekeying when called for by the none +-+ * cipher switch methods -cjr */ +-+ if (rekey_requested == 1) { +-+ rekey_requested = 0; +-+ return 1; +-+ } +-+ +- /* Time-based rekeying */ +- if (state->rekey_interval != 0 && +- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) + @@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + struct session_state *state = ssh->state; + int len, r, ms_remain; +@@ -622,9 +597,9 @@ + /* Format of the configuration file: + + @@ -165,6 +166,8 @@ typedef enum { +- oHashKnownHosts, + oTunnel, oTunnelDevice, + oLocalCommand, oPermitLocalCommand, oRemoteCommand, ++ oDisableMTAES, + + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, + + oNoneEnabled, oNoneMacEnabled, oNoneSwitch, + oVisualHostKey, +@@ -778,9 +753,9 @@ + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ + SyslogFacility log_facility; /* Facility for system logging. */ + @@ -115,7 +119,11 @@ typedef struct { +- + int enable_ssh_keysign; + int64_t rekey_limit; ++ int disable_multithreaded; /*disable multithreaded aes-ctr*/ + + int none_switch; /* Use none cipher */ + + int none_enabled; /* Allow none cipher to be used */ + + int nonemac_enabled; /* Allow none MAC to be used */ +@@ -888,9 +863,9 @@ + + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; + + } + + ++ if (options->disable_multithreaded == -1) ++ options->disable_multithreaded = 0; + if (options->ip_qos_interactive == -1) +- options->ip_qos_interactive = IPTOS_DSCP_AF21; +- if (options->ip_qos_bulk == -1) + @@ -511,6 +564,8 @@ typedef enum { + sPasswordAuthentication, sKbdInteractiveAuthentication, + sListenAddress, sAddressFamily, +@@ -1091,7 +1066,7 @@ + } + + +static void +-+hpn_options_init(void) +++hpn_options_init(struct ssh *ssh) + +{ + + /* + + * We need to check to see if what they want to do about buffer +@@ -1116,7 +1091,7 @@ + + else + + options.hpn_buffer_size = 2 * 1024 * 1024; + + +-+ if (datafellows & SSH_BUG_LARGEWINDOW) { +++ if (ssh->compat & SSH_BUG_LARGEWINDOW) { + + debug("HPN to Non-HPN Connection"); + + } else { + + int sock, socksize; +@@ -1186,7 +1161,7 @@ + + c->dynamic_window = 1; + + debug("Enabled Dynamic Window Scaling"); + + } +- debug3("%s: channel_new: %d", __func__, c->self); ++ debug3_f("channel_new: %d", c->self); + + channel_send_open(ssh, c->self); + @@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw) +@@ -1198,7 +1173,7 @@ + + * might open channels that use the hpn buffer sizes. We can't send a + + * window of -1 (the default) to the server as it breaks things. + + */ +-+ hpn_options_init(); +++ hpn_options_init(ssh); + + + /* XXX should be pre-session */ + if (!options.control_persist) +@@ -1297,11 +1272,10 @@ + xxx_host = host; + xxx_hostaddr = hostaddr; + +-@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, +- ++@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, + if (!authctxt.success) + fatal("Authentication failed."); +-+ ++ + + /* + + * If the user wants to use the none cipher, do it post authentication + + * and only if the right conditions are met -- both of the NONE commands +@@ -1329,9 +1303,9 @@ + + } + + } + + +- debug("Authentication succeeded (%s).", authctxt.method->name); +- } +- ++ #ifdef WITH_OPENSSL ++ if (options.disable_multithreaded == 0) { ++ /* if we are using aes-ctr there can be issues in either a fork or sandbox + diff --git a/sshd.c b/sshd.c + index 8aa7f3df..d0e3f1b0 100644 + --- a/sshd.c +@@ -1397,9 +1371,9 @@ + + if (options.nonemac_enabled == 1) + + debug("WARNING: None MAC enabled"); + + +- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, + options.kex_algorithms); +- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal( ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh, + diff --git a/sshd_config b/sshd_config + index 19b7c91a..cdd889b2 100644 + --- a/sshd_config |