net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch - third_party/overlays/portage-stable - Git at Google

 diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
 --- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-20 11:49:32.351767063 -0700
 +++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-20 11:58:08.746214945 -0700
 @@ -1026,9 +1026,9 @@
  +	}
  +#endif
  +
 - 	debug("Authentication succeeded (%s).", authctxt.method->name);
 - }
 -
 + 	if (ssh_packet_connection_is_on_socket(ssh)) {
 + 		verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
 + 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
  diff --git a/sshd.c b/sshd.c
  index 6277e6d6..bf3d6e4a 100644
  --- a/sshd.c
 diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
 --- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-20 11:49:32.351767063 -0700
 +++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-20 12:04:45.008038085 -0700
 @@ -536,18 +536,10 @@
   	if (state->rekey_limit)
   		*max_blocks = MINIMUM(*max_blocks,
   		    state->rekey_limit / enc->block_size);
 -@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
 +@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
   	return 0;
   }

 -+/* this supports the forced rekeying required for the NONE cipher */
 -+int rekey_requested = 0;
 -+void
 -+packet_request_rekeying(void)
 -+{
 -+	rekey_requested = 1;
 -+}
 -+
  +/* used to determine if pre or post auth when rekeying for aes-ctr
  + * and none cipher switch */
  +int
 @@ -561,20 +553,6 @@
   #define MAX_PACKETS	(1U<<31)
   static int
   ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
 -@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
 - 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
 - 		return 0;
 -
 -+	/* used to force rekeying when called for by the none
 -+         * cipher switch methods -cjr */
 -+        if (rekey_requested == 1) {
 -+                rekey_requested = 0;
 -+                return 1;
 -+        }
 -+
 - 	/* Time-based rekeying */
 - 	if (state->rekey_interval != 0 &&
 - 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
  @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
   	struct session_state *state = ssh->state;
   	int len, r, ms_remain;
 @@ -598,12 +576,11 @@
   };

   typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
 -@@ -155,6 +158,10 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
 +@@ -155,6 +158,9 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
   int	 ssh_packet_set_maxsize(struct ssh *, u_int);
   u_int	 ssh_packet_get_maxsize(struct ssh *);

  +/* for forced packet rekeying post auth */
 -+void	 packet_request_rekeying(void);
  +int	 packet_authentication_state(const struct ssh *);
  +
   int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
 @@ -627,9 +604,9 @@
   	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
  +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
  +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
 + 	oDisableMTAES,
   	oVisualHostKey,
   	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
 - 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
  @@ -297,6 +300,9 @@ static struct {
   	{ "kexalgorithms", oKexAlgorithms },
   	{ "ipqos", oIPQoS },
 @@ -637,9 +614,9 @@
  +	{ "noneenabled", oNoneEnabled },
  +	{ "nonemacenabled", oNoneMacEnabled },
  +	{ "noneswitch", oNoneSwitch },
 - 	{ "proxyusefdpass", oProxyUseFdpass },
 - 	{ "canonicaldomains", oCanonicalDomains },
 - 	{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
 + 	{ "sessiontype", oSessionType },
 + 	{ "stdinnull", oStdinNull },
 + 	{ "forkafterauthentication", oForkAfterAuthentication },
  @@ -317,6 +323,11 @@ static struct {
   	{ "securitykeyprovider", oSecurityKeyProvider },
   	{ "knownhostscommand", oKnownHostsCommand },
 @@ -717,9 +694,9 @@
  +	options->hpn_buffer_size = -1;
  +	options->tcp_rcv_buf_poll = -1;
  +	options->tcp_rcv_buf = -1;
 - 	options->proxy_use_fdpass = -1;
 - 	options->ignored_unknown = NULL;
 - 	options->num_canonical_domains = 0;
 + 	options->session_type = -1;
 + 	options->stdin_null = -1;
 + 	options->fork_after_authentication = -1;
  @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
   		options->server_alive_interval = 0;
   	if (options->server_alive_count_max == -1)
 @@ -778,9 +755,9 @@
   	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
   	SyslogFacility log_facility;	/* Facility for system logging. */
  @@ -120,7 +124,11 @@ typedef struct {
 -
   	int	enable_ssh_keysign;
   	int64_t rekey_limit;
 + 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
  +	int     none_switch;    /* Use none cipher */
  +	int     none_enabled;   /* Allow none cipher to be used */
  +  	int     nonemac_enabled;   /* Allow none MAC to be used */
 @@ -842,9 +819,9 @@
   	/* Portable-specific options */
   	if (options->use_pam == -1)
  @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
 - 	}
 - 	if (options->permit_tun == -1)
   		options->permit_tun = SSH_TUNMODE_NO;
 + 	if (options->disable_multithreaded == -1)
 + 		options->disable_multithreaded = 0;
  +	if (options->none_enabled == -1)
  +		options->none_enabled = 0;
  +	if (options->nonemac_enabled == -1)
 @@ -1047,17 +1024,17 @@
   Note that
  diff --git a/sftp.c b/sftp.c
  index fb3c08d1..89bebbb2 100644
 ---- a/sftp.c
 -+++ b/sftp.c
 -@@ -71,7 +71,7 @@ typedef void EditLine;
 - #include "sftp-client.h"
 -
 - #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
 --#define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
 -+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
 +--- a/sftp-client.c
 ++++ b/sftp-client.c
 +@@ -65,7 +65,7 @@ typedef void EditLine;
 + #define DEFAULT_COPY_BUFLEN	32768
 +
 + /* Default number of concurrent outstanding requests */
 +-#define DEFAULT_NUM_REQUESTS	64
 ++#define DEFAULT_NUM_REQUESTS	256

 - /* File to read commands from */
 - FILE* infile;
 + /* Minimum amount of data to read at a time */
 + #define MIN_READ_SIZE	512
  diff --git a/ssh-keygen.c b/ssh-keygen.c
  index cfb5f115..36a6e519 100644
  --- a/ssh-keygen.c
 @@ -1330,9 +1307,9 @@
  +		}
  +	}
  +
 - 	debug("Authentication succeeded (%s).", authctxt.method->name);
 - }

 + #ifdef WITH_OPENSSL
 + 	if (options.disable_multithreaded == 0) {
  diff --git a/sshd.c b/sshd.c
  index 6277e6d6..d66fa41a 100644
  --- a/sshd.c
 @@ -1359,8 +1336,8 @@
   		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
   			error("Bind to port %s on %s failed: %.200s.",
  @@ -1727,6 +1734,19 @@ main(int ac, char **av)
 - 	/* Fill in default values for those options not explicitly set. */
 - 	fill_default_server_options(&options);
 + 		fatal("AuthorizedPrincipalsCommand set without "
 + 		    "AuthorizedPrincipalsCommandUser");

  +	if (options.none_enabled == 1) {
  +		char *old_ciphers = options.ciphers;
 @@ -1375,9 +1352,9 @@
  +		}
  +	}
  +
 - 	/* challenge-response is implemented via keyboard interactive */
 - 	if (options.challenge_response_authentication)
 - 		options.kbd_interactive_authentication = 1;
 + 	/*
 + 	 * Check whether there is any path through configured auth methods.
 + 	 * Unfortunately it is not possible to verify this generally before
  @@ -2166,6 +2186,9 @@ main(int ac, char **av)
   	    rdomain == NULL ? "" : "\"");
   	free(laddr);
	diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
	--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:49:32.351767063 -0700
	+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:58:08.746214945 -0700
	@@ -1026,9 +1026,9 @@
	+ }
	+#endif
	+
	- debug("Authentication succeeded (%s).", authctxt.method->name);
	- }
	-
	+ if (ssh_packet_connection_is_on_socket(ssh)) {
	+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
	+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
	diff --git a/sshd.c b/sshd.c
	index 6277e6d6..bf3d6e4a 100644
	--- a/sshd.c
	diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
	--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 11:49:32.351767063 -0700
	+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 12:04:45.008038085 -0700
	@@ -536,18 +536,10 @@
	if (state->rekey_limit)
	max_blocks = MINIMUM(max_blocks,
	state->rekey_limit / enc->block_size);
	-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
	+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
	return 0;
	}

	-+/* this supports the forced rekeying required for the NONE cipher */
	-+int rekey_requested = 0;
	-+void
	-+packet_request_rekeying(void)
	-+{
	-+ rekey_requested = 1;
	-+}
	-+
	+/* used to determine if pre or post auth when rekeying for aes-ctr
	+ * and none cipher switch */
	+int
	@@ -561,20 +553,6 @@
	#define MAX_PACKETS (1U<<31)
	static int
	ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
	-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
	- if (state->p_send.packets == 0 && state->p_read.packets == 0)
	- return 0;
	-
	-+ /* used to force rekeying when called for by the none
	-+ * cipher switch methods -cjr */
	-+ if (rekey_requested == 1) {
	-+ rekey_requested = 0;
	-+ return 1;
	-+ }
	-+
	- /* Time-based rekeying */
	- if (state->rekey_interval != 0 &&
	- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
	@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh ssh, u_char typep, u_int32_t *seqnr_p)
	struct session_state *state = ssh->state;
	int len, r, ms_remain;
	@@ -598,12 +576,11 @@
	};

	typedef int (ssh_packet_hook_fn)(struct ssh , struct sshbuf ,
	-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
	+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
	int ssh_packet_set_maxsize(struct ssh *, u_int);
	u_int ssh_packet_get_maxsize(struct ssh *);

	+/* for forced packet rekeying post auth */
	-+void packet_request_rekeying(void);
	+int packet_authentication_state(const struct ssh *);
	+
	int ssh_packet_get_state(struct ssh , struct sshbuf );
	@@ -627,9 +604,9 @@
	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
	+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
	+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
	+ oDisableMTAES,
	oVisualHostKey,
	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
	- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
	@@ -297,6 +300,9 @@ static struct {
	{ "kexalgorithms", oKexAlgorithms },
	{ "ipqos", oIPQoS },
	@@ -637,9 +614,9 @@
	+ { "noneenabled", oNoneEnabled },
	+ { "nonemacenabled", oNoneMacEnabled },
	+ { "noneswitch", oNoneSwitch },
	- { "proxyusefdpass", oProxyUseFdpass },
	- { "canonicaldomains", oCanonicalDomains },
	- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
	+ { "sessiontype", oSessionType },
	+ { "stdinnull", oStdinNull },
	+ { "forkafterauthentication", oForkAfterAuthentication },
	@@ -317,6 +323,11 @@ static struct {
	{ "securitykeyprovider", oSecurityKeyProvider },
	{ "knownhostscommand", oKnownHostsCommand },
	@@ -717,9 +694,9 @@
	+ options->hpn_buffer_size = -1;
	+ options->tcp_rcv_buf_poll = -1;
	+ options->tcp_rcv_buf = -1;
	- options->proxy_use_fdpass = -1;
	- options->ignored_unknown = NULL;
	- options->num_canonical_domains = 0;
	+ options->session_type = -1;
	+ options->stdin_null = -1;
	+ options->fork_after_authentication = -1;
	@@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
	options->server_alive_interval = 0;
	if (options->server_alive_count_max == -1)
	@@ -778,9 +755,9 @@
	int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
	SyslogFacility log_facility; /* Facility for system logging. */
	@@ -120,7 +124,11 @@ typedef struct {
	-
	int enable_ssh_keysign;
	int64_t rekey_limit;
	+ int disable_multithreaded; /disable multithreaded aes-ctr/
	+ int none_switch; /* Use none cipher */
	+ int none_enabled; /* Allow none cipher to be used */
	+ int nonemac_enabled; /* Allow none MAC to be used */
	@@ -842,9 +819,9 @@
	/* Portable-specific options */
	if (options->use_pam == -1)
	@@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
	- }
	- if (options->permit_tun == -1)
	options->permit_tun = SSH_TUNMODE_NO;
	+ if (options->disable_multithreaded == -1)
	+ options->disable_multithreaded = 0;
	+ if (options->none_enabled == -1)
	+ options->none_enabled = 0;
	+ if (options->nonemac_enabled == -1)
	@@ -1047,17 +1024,17 @@
	Note that
	diff --git a/sftp.c b/sftp.c
	index fb3c08d1..89bebbb2 100644
	---- a/sftp.c
	-+++ b/sftp.c
	-@@ -71,7 +71,7 @@ typedef void EditLine;
	- #include "sftp-client.h"
	-
	- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
	--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
	-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
	+--- a/sftp-client.c
	++++ b/sftp-client.c
	+@@ -65,7 +65,7 @@ typedef void EditLine;
	+ #define DEFAULT_COPY_BUFLEN 32768
	+
	+ /* Default number of concurrent outstanding requests */
	+-#define DEFAULT_NUM_REQUESTS 64
	++#define DEFAULT_NUM_REQUESTS 256

	- /* File to read commands from */
	- FILE* infile;
	+ /* Minimum amount of data to read at a time */
	+ #define MIN_READ_SIZE 512
	diff --git a/ssh-keygen.c b/ssh-keygen.c
	index cfb5f115..36a6e519 100644
	--- a/ssh-keygen.c
	@@ -1330,9 +1307,9 @@
	+ }
	+ }
	+
	- debug("Authentication succeeded (%s).", authctxt.method->name);
	- }

	+ #ifdef WITH_OPENSSL
	+ if (options.disable_multithreaded == 0) {
	diff --git a/sshd.c b/sshd.c
	index 6277e6d6..d66fa41a 100644
	--- a/sshd.c
	@@ -1359,8 +1336,8 @@
	if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
	error("Bind to port %s on %s failed: %.200s.",
	@@ -1727,6 +1734,19 @@ main(int ac, char **av)
	- /* Fill in default values for those options not explicitly set. */
	- fill_default_server_options(&options);
	+ fatal("AuthorizedPrincipalsCommand set without "
	+ "AuthorizedPrincipalsCommandUser");

	+ if (options.none_enabled == 1) {
	+ char *old_ciphers = options.ciphers;
	@@ -1375,9 +1352,9 @@
	+ }
	+ }
	+
	- /* challenge-response is implemented via keyboard interactive */
	- if (options.challenge_response_authentication)
	- options.kbd_interactive_authentication = 1;
	+ /*
	+ * Check whether there is any path through configured auth methods.
	+ * Unfortunately it is not possible to verify this generally before
	@@ -2166,6 +2186,9 @@ main(int ac, char **av)
	rdomain == NULL ? "" : "\"");
	free(laddr);