diff options
Diffstat (limited to 'net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch')
| -rw-r--r-- | net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch | 198 |
1 files changed, 198 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch new file mode 100644 index 000000000000..309e57e88643 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch @@ -0,0 +1,198 @@ +diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff +--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:49:32.351767063 -0700 ++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:58:08.746214945 -0700 +@@ -1026,9 +1026,9 @@ + + } + +#endif + + +- debug("Authentication succeeded (%s).", authctxt.method->name); +- } +- ++ if (ssh_packet_connection_is_on_socket(ssh)) { ++ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host, ++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), + diff --git a/sshd.c b/sshd.c + index 6277e6d6..bf3d6e4a 100644 + --- a/sshd.c +diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff +--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 11:49:32.351767063 -0700 ++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 12:04:45.008038085 -0700 +@@ -536,18 +536,10 @@ + if (state->rekey_limit) + *max_blocks = MINIMUM(*max_blocks, + state->rekey_limit / enc->block_size); +-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) ++@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) + return 0; + } + +-+/* this supports the forced rekeying required for the NONE cipher */ +-+int rekey_requested = 0; +-+void +-+packet_request_rekeying(void) +-+{ +-+ rekey_requested = 1; +-+} +-+ + +/* used to determine if pre or post auth when rekeying for aes-ctr + + * and none cipher switch */ + +int +@@ -561,20 +553,6 @@ + #define MAX_PACKETS (1U<<31) + static int + ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +- if (state->p_send.packets == 0 && state->p_read.packets == 0) +- return 0; +- +-+ /* used to force rekeying when called for by the none +-+ * cipher switch methods -cjr */ +-+ if (rekey_requested == 1) { +-+ rekey_requested = 0; +-+ return 1; +-+ } +-+ +- /* Time-based rekeying */ +- if (state->rekey_interval != 0 && +- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) + @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + struct session_state *state = ssh->state; + int len, r, ms_remain; +@@ -598,12 +576,11 @@ + }; + + typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *, +-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); ++@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); + int ssh_packet_set_maxsize(struct ssh *, u_int); + u_int ssh_packet_get_maxsize(struct ssh *); + + +/* for forced packet rekeying post auth */ +-+void packet_request_rekeying(void); + +int packet_authentication_state(const struct ssh *); + + + int ssh_packet_get_state(struct ssh *, struct sshbuf *); +@@ -627,9 +604,9 @@ + oLocalCommand, oPermitLocalCommand, oRemoteCommand, + + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, + + oNoneEnabled, oNoneMacEnabled, oNoneSwitch, ++ oDisableMTAES, + oVisualHostKey, + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, +- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, + @@ -297,6 +300,9 @@ static struct { + { "kexalgorithms", oKexAlgorithms }, + { "ipqos", oIPQoS }, +@@ -637,9 +614,9 @@ + + { "noneenabled", oNoneEnabled }, + + { "nonemacenabled", oNoneMacEnabled }, + + { "noneswitch", oNoneSwitch }, +- { "proxyusefdpass", oProxyUseFdpass }, +- { "canonicaldomains", oCanonicalDomains }, +- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal }, ++ { "sessiontype", oSessionType }, ++ { "stdinnull", oStdinNull }, ++ { "forkafterauthentication", oForkAfterAuthentication }, + @@ -317,6 +323,11 @@ static struct { + { "securitykeyprovider", oSecurityKeyProvider }, + { "knownhostscommand", oKnownHostsCommand }, +@@ -717,9 +694,9 @@ + + options->hpn_buffer_size = -1; + + options->tcp_rcv_buf_poll = -1; + + options->tcp_rcv_buf = -1; +- options->proxy_use_fdpass = -1; +- options->ignored_unknown = NULL; +- options->num_canonical_domains = 0; ++ options->session_type = -1; ++ options->stdin_null = -1; ++ options->fork_after_authentication = -1; + @@ -2426,6 +2484,41 @@ fill_default_options(Options * options) + options->server_alive_interval = 0; + if (options->server_alive_count_max == -1) +@@ -778,9 +755,9 @@ + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ + SyslogFacility log_facility; /* Facility for system logging. */ + @@ -120,7 +124,11 @@ typedef struct { +- + int enable_ssh_keysign; + int64_t rekey_limit; ++ int disable_multithreaded; /*disable multithreaded aes-ctr*/ + + int none_switch; /* Use none cipher */ + + int none_enabled; /* Allow none cipher to be used */ + + int nonemac_enabled; /* Allow none MAC to be used */ +@@ -842,9 +819,9 @@ + /* Portable-specific options */ + if (options->use_pam == -1) + @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options) +- } +- if (options->permit_tun == -1) + options->permit_tun = SSH_TUNMODE_NO; ++ if (options->disable_multithreaded == -1) ++ options->disable_multithreaded = 0; + + if (options->none_enabled == -1) + + options->none_enabled = 0; + + if (options->nonemac_enabled == -1) +@@ -1047,17 +1024,17 @@ + Note that + diff --git a/sftp.c b/sftp.c + index fb3c08d1..89bebbb2 100644 +---- a/sftp.c +-+++ b/sftp.c +-@@ -71,7 +71,7 @@ typedef void EditLine; +- #include "sftp-client.h" +- +- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */ +--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */ +-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */ ++--- a/sftp-client.c +++++ b/sftp-client.c ++@@ -65,7 +65,7 @@ typedef void EditLine; ++ #define DEFAULT_COPY_BUFLEN 32768 ++ ++ /* Default number of concurrent outstanding requests */ ++-#define DEFAULT_NUM_REQUESTS 64 +++#define DEFAULT_NUM_REQUESTS 256 + +- /* File to read commands from */ +- FILE* infile; ++ /* Minimum amount of data to read at a time */ ++ #define MIN_READ_SIZE 512 + diff --git a/ssh-keygen.c b/ssh-keygen.c + index cfb5f115..36a6e519 100644 + --- a/ssh-keygen.c +@@ -1330,9 +1307,9 @@ + + } + + } + + +- debug("Authentication succeeded (%s).", authctxt.method->name); +- } + ++ #ifdef WITH_OPENSSL ++ if (options.disable_multithreaded == 0) { + diff --git a/sshd.c b/sshd.c + index 6277e6d6..d66fa41a 100644 + --- a/sshd.c +@@ -1359,8 +1336,8 @@ + if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { + error("Bind to port %s on %s failed: %.200s.", + @@ -1727,6 +1734,19 @@ main(int ac, char **av) +- /* Fill in default values for those options not explicitly set. */ +- fill_default_server_options(&options); ++ fatal("AuthorizedPrincipalsCommand set without " ++ "AuthorizedPrincipalsCommandUser"); + + + if (options.none_enabled == 1) { + + char *old_ciphers = options.ciphers; +@@ -1375,9 +1352,9 @@ + + } + + } + + +- /* challenge-response is implemented via keyboard interactive */ +- if (options.challenge_response_authentication) +- options.kbd_interactive_authentication = 1; ++ /* ++ * Check whether there is any path through configured auth methods. ++ * Unfortunately it is not possible to verify this generally before + @@ -2166,6 +2186,9 @@ main(int ac, char **av) + rdomain == NULL ? "" : "\""); + free(laddr); |