Google Git
Sign in
cos / third_party / overlays / portage-stable / 94ca252724d762f198bd36a4464e02ea9fd5dbb3 / . / net-misc / openssh / files / openssh-8.6_p1-hpn-15.2-X509-glue.patch
blob: 714dffc417126e79af1fa87835485cc381135c3f [file] [log] [blame]
diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:31:47.247434467 -0700
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:32:29.807508606 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
+ LD=@LD@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
int r;
if (none == NULL) {
@@ -898,20 +898,20 @@
options->fingerprint_hash = -1;
options->update_hostkeys = -1;
+ options->disable_multithreaded = -1;
- options->hostbased_accepted_algos = NULL;
- options->pubkey_accepted_algos = NULL;
- options->known_hosts_command = NULL;
+ }
+
+ /*
@@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
+ options->update_hostkeys = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
- #endif
+ if (options->update_hostkeys == -1)
+ options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ /* expand KEX and etc. name lists */
+ { char *all;
diff --git a/readconf.h b/readconf.h
index 2fba866e..7f8f0227 100644
--- a/readconf.h
@@ -950,9 +950,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -662,6 +666,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:31:47.247434467 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:46:32.296026606 -0700
@@ -157,6 +157,36 @@
+ Allan Jude provided the code for the NoneMac and buffer normalization.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
+diff --git a/auth2.c b/auth2.c
+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
+@@ -229,16 +229,17 @@
+ double delay;
+
+ digest_alg = ssh_digest_maxbytes();
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
++ hash = xmalloc(len);
+
+- (void)snprintf(b, sizeof b, "%llu%s",
+- (unsigned long long)options.timing_secret, user);
+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+- fatal_f("ssh_digest_memory");
+- /* 0-4.2 ms of delay */
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+- freezero(hash, len);
++ (void)snprintf(b, sizeof b, "%llu%s",
++ (unsigned long long)options.timing_secret, user);
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++ fatal_f("ssh_digest_memory");
++ /* 0-4.2 ms of delay */
++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++ freezero(hash, len);
++ }
+ debug3_f("user specific delay %0.3lfms", delay/1000);
+ return MIN_FAIL_DELAY_SECONDS + delay;
+ }
diff --git a/channels.c b/channels.c
index b60d56c4..0e363c15 100644
--- a/channels.c
@@ -209,14 +239,14 @@
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- ((c->local_window_max - c->local_window >
- c->local_maxpacket*3) ||
-+ ((ssh_packet_is_interactive(ssh) &&
-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
++ ((ssh_packet_is_interactive(ssh) &&
++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
+ u_int addition = 0;
@@ -235,9 +265,8 @@
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- (r = sshpkt_send(ssh)) != 0) {
- fatal_fr(r, "channel %i", c->self);
- }
+ (r = sshpkt_send(ssh)) != 0)
+ fatal_fr(r, "channel %d", c->self);
- debug2("channel %d: window %d sent adjust %d", c->self,
- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
@@ -386,21 +415,45 @@
index 69befa96..90b5f338 100644
--- a/compat.c
+++ b/compat.c
-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
- debug_f("match: %s pat %s compat 0x%08x",
+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
+ static u_int
+ compat_datafellows(const char *version)
+ {
+- int i;
++ int i, bugs = 0;
+ static struct {
+ char *pat;
+ int bugs;
+@@ -147,11 +147,26 @@
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
+ debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
- ssh->compat = check[i].bugs;
+ /* Check to see if the remote side is OpenSSH and not HPN */
-+ /* TODO: need to use new method to test for this */
+ if (strstr(version, "OpenSSH") != NULL) {
+ if (strstr(version, "hpn") == NULL) {
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
++ bugs |= SSH_BUG_LARGEWINDOW;
+ debug("Remote is NON-HPN aware");
+ }
+ }
- return;
+- return check[i].bugs;
++ bugs |= check[i].bugs;
}
}
+- debug("no match: %s", version);
+- return 0;
++ /* Check to see if the remote side is OpenSSH and not HPN */
++ if (strstr(version, "OpenSSH") != NULL) {
++ if (strstr(version, "hpn") == NULL) {
++ bugs |= SSH_BUG_LARGEWINDOW;
++ debug("Remote is NON-HPN aware");
++ }
++ }
++ if (bugs == 0)
++ debug("no match: %s", version);
++ return bugs;
+ }
+
+ char *
diff --git a/compat.h b/compat.h
index c197fafc..ea2e17a7 100644
--- a/compat.h
@@ -459,7 +512,7 @@
@@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag = 0;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -553,7 +606,7 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
struct session_state *state = ssh->state;
int len, r, ms_remain;
fd_set *setp;
@@ -1035,19 +1088,6 @@
/* Minimum amount of data to read at a time */
#define MIN_READ_SIZE 512
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..36a6e519 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
- freezero(pin, strlen(pin));
- error_r(r, "Unable to load resident keys");
- return -1;
-- }
-+ }
- if (nkeys == 0)
- logit("No keys to download");
- if (pin != NULL)
diff --git a/ssh.c b/ssh.c
index 53330da5..27b9770e 100644
--- a/ssh.c
@@ -1093,7 +1133,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
@@ -1335,7 +1375,29 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
+@@ -1625,13 +1632,14 @@
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
+ sshbuf_len(server_cfg)) != 0)
+ fatal_f("ssh_digest_update");
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
+- if (ssh_digest_final(ctx, hash, len) != 0)
+- fatal_f("ssh_digest_final");
+- options.timing_secret = PEEK_U64(hash);
+- freezero(hash, len);
+- ssh_digest_free(ctx);
++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
++ hash = xmalloc(len);
++ if (ssh_digest_final(ctx, hash, len) != 0)
++ fatal_f("ssh_digest_final");
++ options.timing_secret = PEEK_U64(hash);
++ freezero(hash, len);
++ ssh_digest_free(ctx);
++ }
+ ctx = NULL;
+ return;
+ }
+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -1355,7 +1417,7 @@
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\"");
free(laddr);
@@ -1365,7 +1427,7 @@
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
struct kex *kex;
int r;
@@ -1405,14 +1467,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b4fa372..332fb486 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.5"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v2"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff -ur a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:31:47.247434467 -0700
+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:32:29.808508608 -0700
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ off_t bytes_left;
int cur_speed;
- int hours, minutes, seconds;
- int file_len;
+ int len;
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -30,15 +30,17 @@
if (bytes_left > 0)
elapsed = now - last_update;
else {
-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-
+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
+ buf[1] = '\0';
+
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+- if (win_size > 36) {
++ if (win_size > 45) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);
+ }
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);
@@ -63,15 +65,3 @@
}
/*ARGSUSED*/
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..986ff59b 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-
- if (skprovider == NULL)
- fatal("Cannot download keys without provider");
--
- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
- if (!quiet) {
- printf("You may need to touch your authenticator "