net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch - third_party/overlays/portage-stable - Git at Google

 diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
 --- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff	2021-03-03 11:08:18.300474672 -0800
 +++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff	2021-03-03 11:18:42.408298903 -0800
 @@ -894,9 +894,9 @@
   		intptr = &options->compression;
   		multistate_ptr = multistate_compression;
  @@ -2062,6 +2068,7 @@ initialize_options(Options * options)
 - 	options->update_hostkeys = -1;
 - 	options->hostbased_key_types = NULL;
 - 	options->pubkey_key_types = NULL;
 + 	options->hostbased_accepted_algos = NULL;
 + 	options->pubkey_accepted_algos = NULL;
 + 	options->known_hosts_command = NULL;
  +	options->disable_multithreaded = -1;
   }

 diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
 --- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff	2021-03-03 11:08:18.300474672 -0800
 +++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff	2021-03-03 12:53:24.117319233 -0800
 @@ -209,7 +209,7 @@
   static void
   channel_pre_open(struct ssh *ssh, Channel *c,
       fd_set *readset, fd_set *writeset)
 -@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c)
 +@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)

   	if (c->type == SSH_CHANNEL_OPEN &&
   	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
 @@ -229,22 +229,19 @@
  +			debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
  +		}
   		if (!c->have_remote_id)
 - 			fatal(":%s: channel %d: no remote id",
 - 			    __func__, c->self);
 + 			fatal_f("channel %d: no remote id", c->self);
   		if ((r = sshpkt_start(ssh,
   		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
   		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
  -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
  +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
   		    (r = sshpkt_send(ssh)) != 0) {
 - 			fatal("%s: channel %i: %s", __func__,
 - 			    c->self, ssh_err(r));
 + 			fatal_fr(r, "channel %i", c->self);
   		}
 - 		debug2("channel %d: window %d sent adjust %d",
 - 		    c->self, c->local_window,
 --		    c->local_consumed);
 + 		debug2("channel %d: window %d sent adjust %d", c->self,
 +-		    c->local_window, c->local_consumed);
  -		c->local_window += c->local_consumed;
 -+		    c->local_consumed + addition);
 ++		    c->local_window, c->local_consumed + addition);
  +		c->local_window += c->local_consumed + addition;
   		c->local_consumed = 0;
   	}
 @@ -387,18 +384,18 @@
  index dec8e7e9..3c11558e 100644
  --- a/compat.c
  +++ b/compat.c
 -@@ -150,6 +150,13 @@ compat_datafellows(const char *version)
 - 			debug("match: %s pat %s compat 0x%08x",
 +@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
 + 			debug_f("match: %s pat %s compat 0x%08x",
   			    version, check[i].pat, check[i].bugs);
 - 			datafellows = check[i].bugs;	/* XXX for now */
 + 			ssh->compat = check[i].bugs;
  +			/* Check to see if the remote side is OpenSSH and not HPN */
  +			if (strstr(version, "OpenSSH") != NULL) {
  +				if (strstr(version, "hpn") == NULL) {
 -+					datafellows |= SSH_BUG_LARGEWINDOW;
 ++					ssh->compat |= SSH_BUG_LARGEWINDOW;
  +					debug("Remote is NON-HPN aware");
  +				}
  +			}
 - 			return check[i].bugs;
 + 			return;
   		}
   	}
  diff --git a/compat.h b/compat.h
 @@ -431,9 +428,9 @@
  --- a/digest-openssl.c
  +++ b/digest-openssl.c
  @@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
 - 	{ SSH_DIGEST_SHA256,	"SHA256", 	32,	EVP_sha256 },
 + 	{ SSH_DIGEST_SHA256,	"SHA256",	32,	EVP_sha256 },
   	{ SSH_DIGEST_SHA384,	"SHA384",	48,	EVP_sha384 },
 - 	{ SSH_DIGEST_SHA512,	"SHA512", 	64,	EVP_sha512 },
 + 	{ SSH_DIGEST_SHA512,	"SHA512",	64,	EVP_sha512 },
  +	{ SSH_DIGEST_NULL,      "NONEMAC",       0,     EVP_md_null},
   	{ -1,			NULL,		0,	NULL },
   };
 @@ -536,18 +533,10 @@
   	if (state->rekey_limit)
   		*max_blocks = MINIMUM(*max_blocks,
   		    state->rekey_limit / enc->block_size);
 -@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
 +@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
   	return 0;
   }

 -+/* this supports the forced rekeying required for the NONE cipher */
 -+int rekey_requested = 0;
 -+void
 -+packet_request_rekeying(void)
 -+{
 -+	rekey_requested = 1;
 -+}
 -+
  +/* used to determine if pre or post auth when rekeying for aes-ctr
  + * and none cipher switch */
  +int
 @@ -561,20 +550,6 @@
   #define MAX_PACKETS	(1U<<31)
   static int
   ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
 -@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
 - 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
 - 		return 0;
 -
 -+	/* used to force rekeying when called for by the none
 -+         * cipher switch methods -cjr */
 -+        if (rekey_requested == 1) {
 -+                rekey_requested = 0;
 -+                return 1;
 -+        }
 -+
 - 	/* Time-based rekeying */
 - 	if (state->rekey_interval != 0 &&
 - 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
  @@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
   	struct session_state *state = ssh->state;
   	int len, r, ms_remain;
 @@ -622,9 +597,9 @@
   /* Format of the configuration file:

  @@ -165,6 +166,8 @@ typedef enum {
 - 	oHashKnownHosts,
   	oTunnel, oTunnelDevice,
   	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
 + 	oDisableMTAES,
  +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
  +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
   	oVisualHostKey,
 @@ -778,9 +753,9 @@
   	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
   	SyslogFacility log_facility;	/* Facility for system logging. */
  @@ -115,7 +119,11 @@ typedef struct {
 -
   	int	enable_ssh_keysign;
   	int64_t rekey_limit;
 + 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
  +	int     none_switch;    /* Use none cipher */
  +	int     none_enabled;   /* Allow none cipher to be used */
  +  	int     nonemac_enabled;   /* Allow none MAC to be used */
 @@ -888,9 +863,9 @@
  +			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
  +	}
  +
 + 	if (options->disable_multithreaded == -1)
 + 		options->disable_multithreaded = 0;
   	if (options->ip_qos_interactive == -1)
 - 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
 - 	if (options->ip_qos_bulk == -1)
  @@ -511,6 +564,8 @@ typedef enum {
   	sPasswordAuthentication, sKbdInteractiveAuthentication,
   	sListenAddress, sAddressFamily,
 @@ -1091,7 +1066,7 @@
   }

  +static void
 -+hpn_options_init(void)
 ++hpn_options_init(struct ssh *ssh)
  +{
  +	/*
  +	 * We need to check to see if what they want to do about buffer
 @@ -1116,7 +1091,7 @@
  +	else
  +		options.hpn_buffer_size = 2 * 1024 * 1024;
  +
 -+	if (datafellows & SSH_BUG_LARGEWINDOW) {
 ++	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
  +		debug("HPN to Non-HPN Connection");
  +	} else {
  +		int sock, socksize;
 @@ -1186,7 +1161,7 @@
  +		c->dynamic_window = 1;
  +		debug("Enabled Dynamic Window Scaling");
  +	}
 - 	debug3("%s: channel_new: %d", __func__, c->self);
 + 	debug3_f("channel_new: %d", c->self);

   	channel_send_open(ssh, c->self);
  @@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
 @@ -1198,7 +1173,7 @@
  +	 * might open channels that use the hpn buffer sizes.  We can't send a
  +	 * window of -1 (the default) to the server as it breaks things.
  +	 */
 -+	hpn_options_init();
 ++	hpn_options_init(ssh);
  +
   	/* XXX should be pre-session */
   	if (!options.control_persist)
 @@ -1297,11 +1272,10 @@
   	xxx_host = host;
   	xxx_hostaddr = hostaddr;

 -@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
 -
 +@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
   	if (!authctxt.success)
   		fatal("Authentication failed.");
 -+
 +
  +	/*
  +	 * If the user wants to use the none cipher, do it post authentication
  +	 * and only if the right conditions are met -- both of the NONE commands
 @@ -1329,9 +1303,9 @@
  +		}
  +	}
  +
 - 	debug("Authentication succeeded (%s).", authctxt.method->name);
 - }
 -
 + #ifdef WITH_OPENSSL
 + 	if (options.disable_multithreaded == 0) {
 + 		/* if we are using aes-ctr there can be issues in either a fork or sandbox
  diff --git a/sshd.c b/sshd.c
  index 8aa7f3df..d0e3f1b0 100644
  --- a/sshd.c
 @@ -1397,9 +1371,9 @@
  +	if (options.nonemac_enabled == 1)
  +		debug("WARNING: None MAC enabled");
  +
 - 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 + 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
   	    options.kex_algorithms);
 - 	myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
 + 	myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
  diff --git a/sshd_config b/sshd_config
  index 19b7c91a..cdd889b2 100644
  --- a/sshd_config
	diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
	--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:08:18.300474672 -0800
	+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:18:42.408298903 -0800
	@@ -894,9 +894,9 @@
	intptr = &options->compression;
	multistate_ptr = multistate_compression;
	@@ -2062,6 +2068,7 @@ initialize_options(Options * options)
	- options->update_hostkeys = -1;
	- options->hostbased_key_types = NULL;
	- options->pubkey_key_types = NULL;
	+ options->hostbased_accepted_algos = NULL;
	+ options->pubkey_accepted_algos = NULL;
	+ options->known_hosts_command = NULL;
	+ options->disable_multithreaded = -1;
	}

	diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
	--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 11:08:18.300474672 -0800
	+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 12:53:24.117319233 -0800
	@@ -209,7 +209,7 @@
	static void
	channel_pre_open(struct ssh ssh, Channel c,
	fd_set readset, fd_set writeset)
	-@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh ssh, Channel c)
	+@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh ssh, Channel c)

	if (c->type == SSH_CHANNEL_OPEN &&
	!(c->flags & (CHAN_CLOSE_SENT\|CHAN_CLOSE_RCVD)) &&
	@@ -229,22 +229,19 @@
	+ debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
	+ }
	if (!c->have_remote_id)
	- fatal(":%s: channel %d: no remote id",
	- __func__, c->self);
	+ fatal_f("channel %d: no remote id", c->self);
	if ((r = sshpkt_start(ssh,
	SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 \|\|
	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
	- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 \|\|
	+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 \|\|
	(r = sshpkt_send(ssh)) != 0) {
	- fatal("%s: channel %i: %s", __func__,
	- c->self, ssh_err(r));
	+ fatal_fr(r, "channel %i", c->self);
	}
	- debug2("channel %d: window %d sent adjust %d",
	- c->self, c->local_window,
	-- c->local_consumed);
	+ debug2("channel %d: window %d sent adjust %d", c->self,
	+- c->local_window, c->local_consumed);
	- c->local_window += c->local_consumed;
	-+ c->local_consumed + addition);
	++ c->local_window, c->local_consumed + addition);
	+ c->local_window += c->local_consumed + addition;
	c->local_consumed = 0;
	}
	@@ -387,18 +384,18 @@
	index dec8e7e9..3c11558e 100644
	--- a/compat.c
	+++ b/compat.c
	-@@ -150,6 +150,13 @@ compat_datafellows(const char *version)
	- debug("match: %s pat %s compat 0x%08x",
	+@@ -150,6 +150,13 @@ compat_banner(struct ssh ssh, const char version)
	+ debug_f("match: %s pat %s compat 0x%08x",
	version, check[i].pat, check[i].bugs);
	- datafellows = check[i].bugs; /* XXX for now */
	+ ssh->compat = check[i].bugs;
	+ /* Check to see if the remote side is OpenSSH and not HPN */
	+ if (strstr(version, "OpenSSH") != NULL) {
	+ if (strstr(version, "hpn") == NULL) {
	-+ datafellows \|= SSH_BUG_LARGEWINDOW;
	++ ssh->compat \|= SSH_BUG_LARGEWINDOW;
	+ debug("Remote is NON-HPN aware");
	+ }
	+ }
	- return check[i].bugs;
	+ return;
	}
	}
	diff --git a/compat.h b/compat.h
	@@ -431,9 +428,9 @@
	--- a/digest-openssl.c
	+++ b/digest-openssl.c
	@@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
	- { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
	+ { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
	{ SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 },
	- { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
	+ { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
	+ { SSH_DIGEST_NULL, "NONEMAC", 0, EVP_md_null},
	{ -1, NULL, 0, NULL },
	};
	@@ -536,18 +533,10 @@
	if (state->rekey_limit)
	max_blocks = MINIMUM(max_blocks,
	state->rekey_limit / enc->block_size);
	-@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
	+@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
	return 0;
	}

	-+/* this supports the forced rekeying required for the NONE cipher */
	-+int rekey_requested = 0;
	-+void
	-+packet_request_rekeying(void)
	-+{
	-+ rekey_requested = 1;
	-+}
	-+
	+/* used to determine if pre or post auth when rekeying for aes-ctr
	+ * and none cipher switch */
	+int
	@@ -561,20 +550,6 @@
	#define MAX_PACKETS (1U<<31)
	static int
	ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
	-@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
	- if (state->p_send.packets == 0 && state->p_read.packets == 0)
	- return 0;
	-
	-+ /* used to force rekeying when called for by the none
	-+ * cipher switch methods -cjr */
	-+ if (rekey_requested == 1) {
	-+ rekey_requested = 0;
	-+ return 1;
	-+ }
	-+
	- /* Time-based rekeying */
	- if (state->rekey_interval != 0 &&
	- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
	@@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh ssh, u_char typep, u_int32_t *seqnr_p)
	struct session_state *state = ssh->state;
	int len, r, ms_remain;
	@@ -622,9 +597,9 @@
	/* Format of the configuration file:

	@@ -165,6 +166,8 @@ typedef enum {
	- oHashKnownHosts,
	oTunnel, oTunnelDevice,
	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
	+ oDisableMTAES,
	+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
	+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
	oVisualHostKey,
	@@ -778,9 +753,9 @@
	int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
	SyslogFacility log_facility; /* Facility for system logging. */
	@@ -115,7 +119,11 @@ typedef struct {
	-
	int enable_ssh_keysign;
	int64_t rekey_limit;
	+ int disable_multithreaded; /disable multithreaded aes-ctr/
	+ int none_switch; /* Use none cipher */
	+ int none_enabled; /* Allow none cipher to be used */
	+ int nonemac_enabled; /* Allow none MAC to be used */
	@@ -888,9 +863,9 @@
	+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
	+ }
	+
	+ if (options->disable_multithreaded == -1)
	+ options->disable_multithreaded = 0;
	if (options->ip_qos_interactive == -1)
	- options->ip_qos_interactive = IPTOS_DSCP_AF21;
	- if (options->ip_qos_bulk == -1)
	@@ -511,6 +564,8 @@ typedef enum {
	sPasswordAuthentication, sKbdInteractiveAuthentication,
	sListenAddress, sAddressFamily,
	@@ -1091,7 +1066,7 @@
	}

	+static void
	-+hpn_options_init(void)
	++hpn_options_init(struct ssh *ssh)
	+{
	+ /*
	+ * We need to check to see if what they want to do about buffer
	@@ -1116,7 +1091,7 @@
	+ else
	+ options.hpn_buffer_size = 2 * 1024 * 1024;
	+
	-+ if (datafellows & SSH_BUG_LARGEWINDOW) {
	++ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
	+ debug("HPN to Non-HPN Connection");
	+ } else {
	+ int sock, socksize;
	@@ -1186,7 +1161,7 @@
	+ c->dynamic_window = 1;
	+ debug("Enabled Dynamic Window Scaling");
	+ }
	- debug3("%s: channel_new: %d", __func__, c->self);
	+ debug3_f("channel_new: %d", c->self);

	channel_send_open(ssh, c->self);
	@@ -2078,6 +2160,13 @@ ssh_session2(struct ssh ssh, struct passwd pw)
	@@ -1198,7 +1173,7 @@
	+ * might open channels that use the hpn buffer sizes. We can't send a
	+ * window of -1 (the default) to the server as it breaks things.
	+ */
	-+ hpn_options_init();
	++ hpn_options_init(ssh);
	+
	/* XXX should be pre-session */
	if (!options.control_persist)
	@@ -1297,11 +1272,10 @@
	xxx_host = host;
	xxx_hostaddr = hostaddr;

	-@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh ssh, const char local_user,
	-
	+@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh ssh, const char local_user,
	if (!authctxt.success)
	fatal("Authentication failed.");
	-+
	+
	+ /*
	+ * If the user wants to use the none cipher, do it post authentication
	+ * and only if the right conditions are met -- both of the NONE commands
	@@ -1329,9 +1303,9 @@
	+ }
	+ }
	+
	- debug("Authentication succeeded (%s).", authctxt.method->name);
	- }
	-
	+ #ifdef WITH_OPENSSL
	+ if (options.disable_multithreaded == 0) {
	+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
	diff --git a/sshd.c b/sshd.c
	index 8aa7f3df..d0e3f1b0 100644
	--- a/sshd.c
	@@ -1397,9 +1371,9 @@
	+ if (options.nonemac_enabled == 1)
	+ debug("WARNING: None MAC enabled");
	+
	- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
	+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
	options.kex_algorithms);
	- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
	+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
	diff --git a/sshd_config b/sshd_config
	index 19b7c91a..cdd889b2 100644
	--- a/sshd_config