Diffstat (limited to 'net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch')
-rw-r--r--net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch242
1 files changed, 242 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch
new file mode 100644
index 000000000000..ec6e687271cf
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch
@@ -0,0 +1,242 @@
+diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
+--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:08:18.300474672 -0800
++++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:18:42.408298903 -0800
+@@ -894,9 +894,9 @@
+ intptr = &options->compression;
+ multistate_ptr = multistate_compression;
+ @@ -2062,6 +2068,7 @@ initialize_options(Options * options)
+- options->update_hostkeys = -1;
+- options->hostbased_key_types = NULL;
+- options->pubkey_key_types = NULL;
++ options->hostbased_accepted_algos = NULL;
++ options->pubkey_accepted_algos = NULL;
++ options->known_hosts_command = NULL;
+ + options->disable_multithreaded = -1;
+ }
+
+diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
+--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 11:08:18.300474672 -0800
++++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 12:53:24.117319233 -0800
+@@ -209,7 +209,7 @@
+ static void
+ channel_pre_open(struct ssh *ssh, Channel *c,
+ fd_set *readset, fd_set *writeset)
+-@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+
+ if (c->type == SSH_CHANNEL_OPEN &&
+ !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+@@ -229,22 +229,19 @@
+ + debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
+ + }
+ if (!c->have_remote_id)
+- fatal(":%s: channel %d: no remote id",
+- __func__, c->self);
++ fatal_f("channel %d: no remote id", c->self);
+ if ((r = sshpkt_start(ssh,
+ SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0) {
+- fatal("%s: channel %i: %s", __func__,
+- c->self, ssh_err(r));
++ fatal_fr(r, "channel %i", c->self);
+ }
+- debug2("channel %d: window %d sent adjust %d",
+- c->self, c->local_window,
+-- c->local_consumed);
++ debug2("channel %d: window %d sent adjust %d", c->self,
++- c->local_window, c->local_consumed);
+ - c->local_window += c->local_consumed;
+-+ c->local_consumed + addition);
+++ c->local_window, c->local_consumed + addition);
+ + c->local_window += c->local_consumed + addition;
+ c->local_consumed = 0;
+ }
+@@ -387,18 +384,18 @@
+ index dec8e7e9..3c11558e 100644
+ --- a/compat.c
+ +++ b/compat.c
+-@@ -150,6 +150,13 @@ compat_datafellows(const char *version)
+- debug("match: %s pat %s compat 0x%08x",
++@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
++ debug_f("match: %s pat %s compat 0x%08x",
+ version, check[i].pat, check[i].bugs);
+- datafellows = check[i].bugs; /* XXX for now */
++ ssh->compat = check[i].bugs;
+ + /* Check to see if the remote side is OpenSSH and not HPN */
+ + if (strstr(version, "OpenSSH") != NULL) {
+ + if (strstr(version, "hpn") == NULL) {
+-+ datafellows |= SSH_BUG_LARGEWINDOW;
+++ ssh->compat |= SSH_BUG_LARGEWINDOW;
+ + debug("Remote is NON-HPN aware");
+ + }
+ + }
+- return check[i].bugs;
++ return;
+ }
+ }
+ diff --git a/compat.h b/compat.h
+@@ -431,9 +428,9 @@
+ --- a/digest-openssl.c
+ +++ b/digest-openssl.c
+ @@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
+- { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
++ { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
+ { SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 },
+- { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
++ { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
+ + { SSH_DIGEST_NULL, "NONEMAC", 0, EVP_md_null},
+ { -1, NULL, 0, NULL },
+ };
+@@ -536,18 +533,10 @@
+ if (state->rekey_limit)
+ *max_blocks = MINIMUM(*max_blocks,
+ state->rekey_limit / enc->block_size);
+-@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -561,20 +550,6 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+-
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ @@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+@@ -622,9 +597,9 @@
+ /* Format of the configuration file:
+
+ @@ -165,6 +166,8 @@ typedef enum {
+- oHashKnownHosts,
+ oTunnel, oTunnelDevice,
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
++ oDisableMTAES,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
+ oVisualHostKey,
+@@ -778,9 +753,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -115,7 +119,11 @@ typedef struct {
+-
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none cipher to be used */
+ + int nonemac_enabled; /* Allow none MAC to be used */
+@@ -888,9 +863,9 @@
+ + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ + }
+ +
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+- if (options->ip_qos_bulk == -1)
+ @@ -511,6 +564,8 @@ typedef enum {
+ sPasswordAuthentication, sKbdInteractiveAuthentication,
+ sListenAddress, sAddressFamily,
+@@ -1091,7 +1066,7 @@
+ }
+
+ +static void
+-+hpn_options_init(void)
+++hpn_options_init(struct ssh *ssh)
+ +{
+ + /*
+ + * We need to check to see if what they want to do about buffer
+@@ -1116,7 +1091,7 @@
+ + else
+ + options.hpn_buffer_size = 2 * 1024 * 1024;
+ +
+-+ if (datafellows & SSH_BUG_LARGEWINDOW) {
+++ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+ + debug("HPN to Non-HPN Connection");
+ + } else {
+ + int sock, socksize;
+@@ -1186,7 +1161,7 @@
+ + c->dynamic_window = 1;
+ + debug("Enabled Dynamic Window Scaling");
+ + }
+- debug3("%s: channel_new: %d", __func__, c->self);
++ debug3_f("channel_new: %d", c->self);
+
+ channel_send_open(ssh, c->self);
+ @@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
+@@ -1198,7 +1173,7 @@
+ + * might open channels that use the hpn buffer sizes. We can't send a
+ + * window of -1 (the default) to the server as it breaks things.
+ + */
+-+ hpn_options_init();
+++ hpn_options_init(ssh);
+ +
+ /* XXX should be pre-session */
+ if (!options.control_persist)
+@@ -1297,11 +1272,10 @@
+ xxx_host = host;
+ xxx_hostaddr = hostaddr;
+
+-@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+-
++@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+ if (!authctxt.success)
+ fatal("Authentication failed.");
+-+
++
+ + /*
+ + * If the user wants to use the none cipher, do it post authentication
+ + * and only if the right conditions are met -- both of the NONE commands
+@@ -1329,9 +1303,9 @@
+ + }
+ + }
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+-
++ #ifdef WITH_OPENSSL
++ if (options.disable_multithreaded == 0) {
++ /* if we are using aes-ctr there can be issues in either a fork or sandbox
+ diff --git a/sshd.c b/sshd.c
+ index 8aa7f3df..d0e3f1b0 100644
+ --- a/sshd.c
+@@ -1397,9 +1371,9 @@
+ + if (options.nonemac_enabled == 1)
+ + debug("WARNING: None MAC enabled");
+ +
+- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
+ options.kex_algorithms);
+- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
+ diff --git a/sshd_config b/sshd_config
+ index 19b7c91a..cdd889b2 100644
+ --- a/sshd_config
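Review bot: The glue removes the forced-rekey support from the DynWinNoneSwitch patch (the `rekey_requested`/`packet_request_rekeying` definitions and the `rekey_requested == 1` check in `ssh_packet_need_rekeying`) without any header in the patch file explaining what now triggers the key re-exchange when the NONE cipher switch is applied after authentication, even though the removed comment states that check existed "to force rekeying when called for by the none cipher switch methods". The sshconnect2.c hunk that performs that switch is only partially visible on this page, so whether it still references the removed function, or was also adjusted, cannot be confirmed from here; presumably the updated base patch relies on an existing rekey entry point, but the glue does not say so. A short comment block at the top of the glue patch stating why those hunks were dropped and which mechanism now forces the rekey would let the next rebase verify that the post-auth cipher switch actually takes effect rather than silently staying on the negotiated cipher. The same is worth stating for the `compat_datafellows` to `compat_banner` change, where the return value is dropped in favour of `ssh->compat`, since `SSH_BUG_LARGEWINDOW` is now only observable through that field.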