| diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff |
| --- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:50:44.413776914 -0800 |
| +++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:53:06.190742744 -0800 |
| @@ -3,9 +3,9 @@ |
| --- a/Makefile.in |
| +++ b/Makefile.in |
| @@ -42,7 +42,7 @@ CC=@CC@ |
| - LD=@LD@ |
| - CFLAGS=@CFLAGS@ |
| + CFLAGS_NOPIE=@CFLAGS_NOPIE@ |
| CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |
| + PICFLAG=@PICFLAG@ |
| -LIBS=@LIBS@ |
| +LIBS=@LIBS@ -lpthread |
| K5LIBS=@K5LIBS@ |
| @@ -902,14 +902,14 @@ |
| |
| /* |
| @@ -2118,6 +2125,8 @@ fill_default_options(Options * options) |
| + options->canonicalize_hostname = SSH_CANONICALISE_NO; |
| + if (options->fingerprint_hash == -1) |
| options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
| - if (options->update_hostkeys == -1) |
| - options->update_hostkeys = 0; |
| + if (options->disable_multithreaded == -1) |
| + options->disable_multithreaded = 0; |
| - |
| - /* Expand KEX name lists */ |
| - all_cipher = cipher_alg_list(',', 0); |
| + #ifdef ENABLE_SK_INTERNAL |
| + if (options->sk_provider == NULL) |
| + options->sk_provider = xstrdup("internal"); |
| diff --git a/readconf.h b/readconf.h |
| index 8e36bf32..c803eca7 100644 |
| --- a/readconf.h |
| @@ -952,9 +952,9 @@ |
| sPort, sHostKeyFile, sLoginGraceTime, |
| sPermitRootLogin, sLogFacility, sLogLevel, |
| @@ -643,6 +647,7 @@ static struct { |
| - { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, |
| { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
| { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, |
| + { "include", sInclude, SSHCFG_ALL }, |
| + { "disableMTAES", sDisableMTAES, SSHCFG_ALL }, |
| { "ipqos", sIPQoS, SSHCFG_ALL }, |
| { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, |
| diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff |
| --- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:50:44.413776914 -0800 |
| +++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:51:19.541768656 -0800 |
| @@ -409,18 +409,10 @@ |
| index 817da43b..b2bcf78f 100644 |
| --- a/packet.c |
| +++ b/packet.c |
| -@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) |
| +@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) |
| return 0; |
| } |
| |
| -+/* this supports the forced rekeying required for the NONE cipher */ |
| -+int rekey_requested = 0; |
| -+void |
| -+packet_request_rekeying(void) |
| -+{ |
| -+ rekey_requested = 1; |
| -+} |
| -+ |
| +/* used to determine if pre or post auth when rekeying for aes-ctr |
| + * and none cipher switch */ |
| +int |
| @@ -434,20 +426,6 @@ |
| #define MAX_PACKETS (1U<<31) |
| static int |
| ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
| -@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
| - if (state->p_send.packets == 0 && state->p_read.packets == 0) |
| - return 0; |
| - |
| -+ /* used to force rekeying when called for by the none |
| -+ * cipher switch methods -cjr */ |
| -+ if (rekey_requested == 1) { |
| -+ rekey_requested = 0; |
| -+ return 1; |
| -+ } |
| -+ |
| - /* Time-based rekeying */ |
| - if (state->rekey_interval != 0 && |
| - (int64_t)state->rekey_time + state->rekey_interval <= monotime()) |
| diff --git a/packet.h b/packet.h |
| index 8ccfd2e0..1ad9bc06 100644 |
| --- a/packet.h |
| @@ -476,9 +454,9 @@ |
| /* Format of the configuration file: |
| |
| @@ -167,6 +168,8 @@ typedef enum { |
| - oHashKnownHosts, |
| oTunnel, oTunnelDevice, |
| oLocalCommand, oPermitLocalCommand, oRemoteCommand, |
| + oDisableMTAES, |
| + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, |
| + oNoneEnabled, oNoneSwitch, |
| oVisualHostKey, |
| @@ -615,9 +593,9 @@ |
| int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ |
| SyslogFacility log_facility; /* Facility for system logging. */ |
| @@ -112,7 +116,10 @@ typedef struct { |
| - |
| int enable_ssh_keysign; |
| int64_t rekey_limit; |
| + int disable_multithreaded; /*disable multithreaded aes-ctr*/ |
| + int none_switch; /* Use none cipher */ |
| + int none_enabled; /* Allow none to be used */ |
| int rekey_interval; |
| @@ -700,9 +678,9 @@ |
| + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; |
| + } |
| + |
| + if (options->disable_multithreaded == -1) |
| + options->disable_multithreaded = 0; |
| if (options->ip_qos_interactive == -1) |
| - options->ip_qos_interactive = IPTOS_DSCP_AF21; |
| - if (options->ip_qos_bulk == -1) |
| @@ -486,6 +532,8 @@ typedef enum { |
| sPasswordAuthentication, sKbdInteractiveAuthentication, |
| sListenAddress, sAddressFamily, |
| @@ -1079,11 +1057,11 @@ |
| xxx_host = host; |
| xxx_hostaddr = hostaddr; |
| |
| -@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, |
| +@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, |
| |
| if (!authctxt.success) |
| fatal("Authentication failed."); |
| -+ |
| + |
| + /* |
| + * If the user wants to use the none cipher, do it post authentication |
| + * and only if the right conditions are met -- both of the NONE commands |
| @@ -1105,9 +1083,9 @@ |
| + } |
| + } |
| + |
| - debug("Authentication succeeded (%s).", authctxt.method->name); |
| - } |
| - |
| + #ifdef WITH_OPENSSL |
| + if (options.disable_multithreaded == 0) { |
| + /* if we are using aes-ctr there can be issues in either a fork or sandbox |
| diff --git a/sshd.c b/sshd.c |
| index 11571c01..23a06022 100644 |
| --- a/sshd.c |