1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
|
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:50:44.413776914 -0800
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:53:06.190742744 -0800
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -42,7 +42,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
+ CFLAGS_NOPIE=@CFLAGS_NOPIE@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ PICFLAG=@PICFLAG@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -902,14 +902,14 @@
/*
@@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
+ options->canonicalize_hostname = SSH_CANONICALISE_NO;
+ if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
- if (options->update_hostkeys == -1)
- options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
-
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ #ifdef ENABLE_SK_INTERNAL
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("internal");
diff --git a/readconf.h b/readconf.h
index 8e36bf32..c803eca7 100644
--- a/readconf.h
@@ -952,9 +952,9 @@
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel,
@@ -643,6 +647,7 @@ static struct {
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "include", sInclude, SSHCFG_ALL },
+ { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:50:44.413776914 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:51:19.541768656 -0800
@@ -409,18 +409,10 @@
index 817da43b..b2bcf78f 100644
--- a/packet.c
+++ b/packet.c
-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -434,20 +426,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
diff --git a/packet.h b/packet.h
index 8ccfd2e0..1ad9bc06 100644
--- a/packet.h
@@ -476,9 +454,9 @@
/* Format of the configuration file:
@@ -167,6 +168,8 @@ typedef enum {
- oHashKnownHosts,
oTunnel, oTunnelDevice,
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oDisableMTAES,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneSwitch,
oVisualHostKey,
@@ -615,9 +593,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -112,7 +116,10 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none to be used */
int rekey_interval;
@@ -700,9 +678,9 @@
+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ }
+
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
- if (options->ip_qos_bulk == -1)
@@ -486,6 +532,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -1079,11 +1057,11 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
-+
+
+ /*
+ * If the user wants to use the none cipher, do it post authentication
+ * and only if the right conditions are met -- both of the NONE commands
@@ -1105,9 +1083,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
diff --git a/sshd.c b/sshd.c
index 11571c01..23a06022 100644
--- a/sshd.c
|