path: root/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch
diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-15 15:10:45.680967455 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:25:14.710431930 -0700
@@ -536,18 +536,10 @@
  	if (state->rekey_limit)
  		*max_blocks = MINIMUM(*max_blocks,
  		    state->rekey_limit / enc->block_size);
-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
  	return 0;
  }
  
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+	rekey_requested = 1;
-+}
-+
 +/* used to determine if pre or post auth when rekeying for aes-ctr
 + * and none cipher switch */
 +int
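Review bot: Nothing in the visible patch records why `rekey_requested` and `packet_request_rekeying()` are dropped from the HPN patch here, or what replaces them. The hunks at `@@ -561,20 +553,6 @@` and `@@ -598,12 +576,11 @@` drop the matching check in `ssh_packet_need_rekeying()` and the prototype. The removed comment says this path "supports the forced rekeying required for the NONE cipher", so any `packet_request_rekeying()` call left in the HPN none-switch code would fail to link, and if those calls were dropped as well the cipher switch would lose its explicit rekey trigger. Those call sites are outside the lines shown, so this needs checking against the full patched tree. I would add a short description at the top of the glue patch, along the lines of `drop packet_request_rekeying(): <reason>; none-switch rekey is now triggered by <mechanism>`, so the next version bump does not have to rediscover it.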
@@ -561,20 +553,6 @@
  #define MAX_PACKETS	(1U<<31)
  static int
  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
- 		return 0;
- 
-+	/* used to force rekeying when called for by the none
-+         * cipher switch methods -cjr */
-+        if (rekey_requested == 1) {
-+                rekey_requested = 0;
-+                return 1;
-+        }
-+
- 	/* Time-based rekeying */
- 	if (state->rekey_interval != 0 &&
- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
 @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
  	struct session_state *state = ssh->state;
  	int len, r, ms_remain;
@@ -598,12 +576,11 @@
  };
  
  typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
-@@ -155,6 +158,10 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
+@@ -155,6 +158,9 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
  int	 ssh_packet_set_maxsize(struct ssh *, u_int);
  u_int	 ssh_packet_get_maxsize(struct ssh *);
  
 +/* for forced packet rekeying post auth */
-+void	 packet_request_rekeying(void);
 +int	 packet_authentication_state(const struct ssh *);
 +
  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
@@ -627,9 +604,9 @@
  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
 +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
 +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
+ 	oDisableMTAES,
  	oVisualHostKey,
  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
 @@ -297,6 +300,9 @@ static struct {
  	{ "kexalgorithms", oKexAlgorithms },
  	{ "ipqos", oIPQoS },
@@ -778,9 +755,9 @@
  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
  	SyslogFacility log_facility;	/* Facility for system logging. */
 @@ -120,7 +124,11 @@ typedef struct {
- 
  	int	enable_ssh_keysign;
  	int64_t rekey_limit;
+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
 +	int     none_switch;    /* Use none cipher */
 +	int     none_enabled;   /* Allow none cipher to be used */
 +  	int     nonemac_enabled;   /* Allow none MAC to be used */
@@ -842,9 +819,9 @@
  	/* Portable-specific options */
  	if (options->use_pam == -1)
 @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
- 	}
- 	if (options->permit_tun == -1)
  		options->permit_tun = SSH_TUNMODE_NO;
+ 	if (options->disable_multithreaded == -1)
+ 		options->disable_multithreaded = 0;
 +	if (options->none_enabled == -1)
 +		options->none_enabled = 0;
 +	if (options->nonemac_enabled == -1)
@@ -1330,9 +1307,9 @@
 +		}
 +	}
 +
- 	debug("Authentication succeeded (%s).", authctxt.method->name);
- }
  
+ #ifdef WITH_OPENSSL
+ 	if (options.disable_multithreaded == 0) {
 diff --git a/sshd.c b/sshd.c
 index 6277e6d6..d66fa41a 100644
 --- a/sshd.c