| diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff |
| --- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800 |
| +++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:16:14.646567224 -0800 |
| @@ -409,18 +409,10 @@ |
| index 817da43b..b2bcf78f 100644 |
| --- a/packet.c |
| +++ b/packet.c |
| -@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) |
| +@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) |
| return 0; |
| } |
| |
| -+/* this supports the forced rekeying required for the NONE cipher */ |
| -+int rekey_requested = 0; |
| -+void |
| -+packet_request_rekeying(void) |
| -+{ |
| -+ rekey_requested = 1; |
| -+} |
| -+ |
| +/* used to determine if pre or post auth when rekeying for aes-ctr |
| + * and none cipher switch */ |
| +int |
| @@ -434,20 +426,6 @@ |
| #define MAX_PACKETS (1U<<31) |
| static int |
| ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
| -@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
| - if (state->p_send.packets == 0 && state->p_read.packets == 0) |
| - return 0; |
| - |
| -+ /* used to force rekeying when called for by the none |
| -+ * cipher switch methods -cjr */ |
| -+ if (rekey_requested == 1) { |
| -+ rekey_requested = 0; |
| -+ return 1; |
| -+ } |
| -+ |
| - /* Time-based rekeying */ |
| - if (state->rekey_interval != 0 && |
| - (int64_t)state->rekey_time + state->rekey_interval <= monotime()) |
| diff --git a/packet.h b/packet.h |
| index 8ccfd2e0..1ad9bc06 100644 |
| --- a/packet.h |
| @@ -476,9 +454,9 @@ |
| /* Format of the configuration file: |
| |
| @@ -167,6 +168,8 @@ typedef enum { |
| - oHashKnownHosts, |
| oTunnel, oTunnelDevice, |
| oLocalCommand, oPermitLocalCommand, oRemoteCommand, |
| + oDisableMTAES, |
| + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, |
| + oNoneEnabled, oNoneSwitch, |
| oVisualHostKey, |
| @@ -615,9 +593,9 @@ |
| int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ |
| SyslogFacility log_facility; /* Facility for system logging. */ |
| @@ -112,7 +116,10 @@ typedef struct { |
| - |
| int enable_ssh_keysign; |
| int64_t rekey_limit; |
| + int disable_multithreaded; /*disable multithreaded aes-ctr*/ |
| + int none_switch; /* Use none cipher */ |
| + int none_enabled; /* Allow none to be used */ |
| int rekey_interval; |
| @@ -700,9 +678,9 @@ |
| + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; |
| + } |
| + |
| + if (options->disable_multithreaded == -1) |
| + options->disable_multithreaded = 0; |
| if (options->ip_qos_interactive == -1) |
| - options->ip_qos_interactive = IPTOS_DSCP_AF21; |
| - if (options->ip_qos_bulk == -1) |
| @@ -486,6 +532,8 @@ typedef enum { |
| sPasswordAuthentication, sKbdInteractiveAuthentication, |
| sListenAddress, sAddressFamily, |
| @@ -1079,11 +1057,11 @@ |
| xxx_host = host; |
| xxx_hostaddr = hostaddr; |
| |
| -@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, |
| +@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, |
| |
| if (!authctxt.success) |
| fatal("Authentication failed."); |
| -+ |
| + |
| + /* |
| + * If the user wants to use the none cipher, do it post authentication |
| + * and only if the right conditions are met -- both of the NONE commands |
| @@ -1105,9 +1083,9 @@ |
| + } |
| + } |
| + |
| - debug("Authentication succeeded (%s).", authctxt.method->name); |
| - } |
| - |
| + #ifdef WITH_OPENSSL |
| + if (options.disable_multithreaded == 0) { |
| + /* if we are using aes-ctr there can be issues in either a fork or sandbox |
| diff --git a/sshd.c b/sshd.c |
| index 11571c01..23a06022 100644 |
| --- a/sshd.c |