| diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff |
| --- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:08:18.300474672 -0800 |
| +++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:18:42.408298903 -0800 |
| @@ -894,9 +894,9 @@ |
| intptr = &options->compression; |
| multistate_ptr = multistate_compression; |
| @@ -2062,6 +2068,7 @@ initialize_options(Options * options) |
| - options->update_hostkeys = -1; |
| - options->hostbased_key_types = NULL; |
| - options->pubkey_key_types = NULL; |
| + options->hostbased_accepted_algos = NULL; |
| + options->pubkey_accepted_algos = NULL; |
| + options->known_hosts_command = NULL; |
| + options->disable_multithreaded = -1; |
| } |
| |
| diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff |
| --- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 11:08:18.300474672 -0800 |
| +++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 12:53:24.117319233 -0800 |
| @@ -209,7 +209,7 @@ |
| static void |
| channel_pre_open(struct ssh *ssh, Channel *c, |
| fd_set *readset, fd_set *writeset) |
| -@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c) |
| +@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c) |
| |
| if (c->type == SSH_CHANNEL_OPEN && |
| !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && |
| @@ -229,22 +229,19 @@ |
| + debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition); |
| + } |
| if (!c->have_remote_id) |
| - fatal(":%s: channel %d: no remote id", |
| - __func__, c->self); |
| + fatal_f("channel %d: no remote id", c->self); |
| if ((r = sshpkt_start(ssh, |
| SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || |
| (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
| - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || |
| + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || |
| (r = sshpkt_send(ssh)) != 0) { |
| - fatal("%s: channel %i: %s", __func__, |
| - c->self, ssh_err(r)); |
| + fatal_fr(r, "channel %i", c->self); |
| } |
| - debug2("channel %d: window %d sent adjust %d", |
| - c->self, c->local_window, |
| -- c->local_consumed); |
| + debug2("channel %d: window %d sent adjust %d", c->self, |
| +- c->local_window, c->local_consumed); |
| - c->local_window += c->local_consumed; |
| -+ c->local_consumed + addition); |
| ++ c->local_window, c->local_consumed + addition); |
| + c->local_window += c->local_consumed + addition; |
| c->local_consumed = 0; |
| } |
| @@ -387,18 +384,18 @@ |
| index dec8e7e9..3c11558e 100644 |
| --- a/compat.c |
| +++ b/compat.c |
| -@@ -150,6 +150,13 @@ compat_datafellows(const char *version) |
| - debug("match: %s pat %s compat 0x%08x", |
| +@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version) |
| + debug_f("match: %s pat %s compat 0x%08x", |
| version, check[i].pat, check[i].bugs); |
| - datafellows = check[i].bugs; /* XXX for now */ |
| + ssh->compat = check[i].bugs; |
| + /* Check to see if the remote side is OpenSSH and not HPN */ |
| + if (strstr(version, "OpenSSH") != NULL) { |
| + if (strstr(version, "hpn") == NULL) { |
| -+ datafellows |= SSH_BUG_LARGEWINDOW; |
| ++ ssh->compat |= SSH_BUG_LARGEWINDOW; |
| + debug("Remote is NON-HPN aware"); |
| + } |
| + } |
| - return check[i].bugs; |
| + return; |
| } |
| } |
| diff --git a/compat.h b/compat.h |
| @@ -431,9 +428,9 @@ |
| --- a/digest-openssl.c |
| +++ b/digest-openssl.c |
| @@ -61,6 +61,7 @@ const struct ssh_digest digests[] = { |
| - { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 }, |
| + { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 }, |
| { SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 }, |
| - { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 }, |
| + { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 }, |
| + { SSH_DIGEST_NULL, "NONEMAC", 0, EVP_md_null}, |
| { -1, NULL, 0, NULL }, |
| }; |
| @@ -536,18 +533,10 @@ |
| if (state->rekey_limit) |
| *max_blocks = MINIMUM(*max_blocks, |
| state->rekey_limit / enc->block_size); |
| -@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) |
| +@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) |
| return 0; |
| } |
| |
| -+/* this supports the forced rekeying required for the NONE cipher */ |
| -+int rekey_requested = 0; |
| -+void |
| -+packet_request_rekeying(void) |
| -+{ |
| -+ rekey_requested = 1; |
| -+} |
| -+ |
| +/* used to determine if pre or post auth when rekeying for aes-ctr |
| + * and none cipher switch */ |
| +int |
| @@ -561,20 +550,6 @@ |
| #define MAX_PACKETS (1U<<31) |
| static int |
| ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
| -@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
| - if (state->p_send.packets == 0 && state->p_read.packets == 0) |
| - return 0; |
| - |
| -+ /* used to force rekeying when called for by the none |
| -+ * cipher switch methods -cjr */ |
| -+ if (rekey_requested == 1) { |
| -+ rekey_requested = 0; |
| -+ return 1; |
| -+ } |
| -+ |
| - /* Time-based rekeying */ |
| - if (state->rekey_interval != 0 && |
| - (int64_t)state->rekey_time + state->rekey_interval <= monotime()) |
| @@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
| struct session_state *state = ssh->state; |
| int len, r, ms_remain; |
| @@ -622,9 +597,9 @@ |
| /* Format of the configuration file: |
| |
| @@ -165,6 +166,8 @@ typedef enum { |
| - oHashKnownHosts, |
| oTunnel, oTunnelDevice, |
| oLocalCommand, oPermitLocalCommand, oRemoteCommand, |
| + oDisableMTAES, |
| + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, |
| + oNoneEnabled, oNoneMacEnabled, oNoneSwitch, |
| oVisualHostKey, |
| @@ -778,9 +753,9 @@ |
| int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ |
| SyslogFacility log_facility; /* Facility for system logging. */ |
| @@ -115,7 +119,11 @@ typedef struct { |
| - |
| int enable_ssh_keysign; |
| int64_t rekey_limit; |
| + int disable_multithreaded; /*disable multithreaded aes-ctr*/ |
| + int none_switch; /* Use none cipher */ |
| + int none_enabled; /* Allow none cipher to be used */ |
| + int nonemac_enabled; /* Allow none MAC to be used */ |
| @@ -888,9 +863,9 @@ |
| + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; |
| + } |
| + |
| + if (options->disable_multithreaded == -1) |
| + options->disable_multithreaded = 0; |
| if (options->ip_qos_interactive == -1) |
| - options->ip_qos_interactive = IPTOS_DSCP_AF21; |
| - if (options->ip_qos_bulk == -1) |
| @@ -511,6 +564,8 @@ typedef enum { |
| sPasswordAuthentication, sKbdInteractiveAuthentication, |
| sListenAddress, sAddressFamily, |
| @@ -1091,7 +1066,7 @@ |
| } |
| |
| +static void |
| -+hpn_options_init(void) |
| ++hpn_options_init(struct ssh *ssh) |
| +{ |
| + /* |
| + * We need to check to see if what they want to do about buffer |
| @@ -1116,7 +1091,7 @@ |
| + else |
| + options.hpn_buffer_size = 2 * 1024 * 1024; |
| + |
| -+ if (datafellows & SSH_BUG_LARGEWINDOW) { |
| ++ if (ssh->compat & SSH_BUG_LARGEWINDOW) { |
| + debug("HPN to Non-HPN Connection"); |
| + } else { |
| + int sock, socksize; |
| @@ -1186,7 +1161,7 @@ |
| + c->dynamic_window = 1; |
| + debug("Enabled Dynamic Window Scaling"); |
| + } |
| - debug3("%s: channel_new: %d", __func__, c->self); |
| + debug3_f("channel_new: %d", c->self); |
| |
| channel_send_open(ssh, c->self); |
| @@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw) |
| @@ -1198,7 +1173,7 @@ |
| + * might open channels that use the hpn buffer sizes. We can't send a |
| + * window of -1 (the default) to the server as it breaks things. |
| + */ |
| -+ hpn_options_init(); |
| ++ hpn_options_init(ssh); |
| + |
| /* XXX should be pre-session */ |
| if (!options.control_persist) |
| @@ -1297,11 +1272,10 @@ |
| xxx_host = host; |
| xxx_hostaddr = hostaddr; |
| |
| -@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, |
| - |
| +@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, |
| if (!authctxt.success) |
| fatal("Authentication failed."); |
| -+ |
| + |
| + /* |
| + * If the user wants to use the none cipher, do it post authentication |
| + * and only if the right conditions are met -- both of the NONE commands |
| @@ -1329,9 +1303,9 @@ |
| + } |
| + } |
| + |
| - debug("Authentication succeeded (%s).", authctxt.method->name); |
| - } |
| - |
| + #ifdef WITH_OPENSSL |
| + if (options.disable_multithreaded == 0) { |
| + /* if we are using aes-ctr there can be issues in either a fork or sandbox |
| diff --git a/sshd.c b/sshd.c |
| index 8aa7f3df..d0e3f1b0 100644 |
| --- a/sshd.c |
| @@ -1397,9 +1371,9 @@ |
| + if (options.nonemac_enabled == 1) |
| + debug("WARNING: None MAC enabled"); |
| + |
| - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
| + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, |
| options.kex_algorithms); |
| - myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal( |
| + myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh, |
| diff --git a/sshd_config b/sshd_config |
| index 19b7c91a..cdd889b2 100644 |
| --- a/sshd_config |