diff -ur --exclude '.*.un*' a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff
--- a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff	2019-04-18 15:07:06.748067368 -0700
+++ b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff	2019-04-18 19:42:26.689298696 -0700
@@ -998,7 +998,7 @@
 +		 * so we repoint the define to the multithreaded evp. To start the threads we
 +		 * then force a rekey
 +		 */
-+		const void *cc = ssh_packet_get_send_context(active_state);
++		const void *cc = ssh_packet_get_send_context(ssh);
 +		
 +		/* only do this for the ctr cipher. otherwise gcm mode breaks. Don't know why though */
 +		if (strstr(cipher_ctx_name(cc), "ctr")) {
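Review bot: `cc` is passed straight into `cipher_ctx_name()` and then `strstr()` on the new side with no NULL check, so if `ssh_packet_get_send_context(ssh)` can return NULL for a connection whose send keys are not yet installed (its definition is not in this hunk, so I cannot confirm either way) this is a NULL dereference on the forced-rekey path. A guard preserves the normal-case behaviour: `if (cc != NULL && strstr(cipher_ctx_name(cc), "ctr")) {`. The enclosing function starts and ends outside the hunk, and the identical pattern is repeated in the following hunk, so both sites need the same treatment.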
@@ -1028,7 +1028,7 @@
 +		 * so we repoint the define to the multithreaded evp. To start the threads we
 +		 * then force a rekey
 +		 */
-+		const void *cc = ssh_packet_get_send_context(active_state);
++		const void *cc = ssh_packet_get_send_context(ssh);
 +		
 +		/* only rekey if necessary. If we don't do this gcm mode cipher breaks */
 +		if (strstr(cipher_ctx_name(cc), "ctr")) {
diff -ur --exclude '.*.un*' a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff
--- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2019-04-18 15:07:11.289035776 -0700
+++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2019-04-18 17:07:59.413376785 -0700
@@ -162,24 +162,24 @@
  }
  
 +static int
-+channel_tcpwinsz(void)
++channel_tcpwinsz(struct ssh *ssh)
 +{
 +	u_int32_t tcpwinsz = 0;
 +	socklen_t optsz = sizeof(tcpwinsz);
 +	int ret = -1;
 +
 +	/* if we aren't on a socket return 128KB */
-+	if (!packet_connection_is_on_socket())
++	if (!ssh_packet_connection_is_on_socket(ssh))
 +		return 128 * 1024;
 +
-+	ret = getsockopt(packet_get_connection_in(),
++	ret = getsockopt(ssh_packet_get_connection_in(ssh),
 +			 SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
 +	/* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
 +	if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
 +		tcpwinsz = SSHBUF_SIZE_MAX;
 +
 +	debug2("tcpwinsz: tcp connection %d, Receive window: %d",
-+	       packet_get_connection_in(), tcpwinsz);
++	       ssh_packet_get_connection_in(ssh), tcpwinsz);
 +	return tcpwinsz;
 +}
 +
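Review bot: `tcpwinsz` is a `u_int32_t` but the `debug2()` call formats it with `%d`, so any value above INT_MAX (the clamp allows up to SSHBUF_SIZE_MAX) is logged as negative; use `%u` for that argument. Separately, when `getsockopt()` fails `ret` is non-zero, the clamp is skipped and the function returns the initial 0 while the debug line reports it as the receive window, which hides the failure; the non-socket path already falls back to 128 KiB, so the consistent fix is `if (ret != 0) { debug2("tcpwinsz: getsockopt(SO_RCVBUF): %s", strerror(errno)); return 128 * 1024; }` placed before the clamp. Whether the caller relies on a 0 return to suppress window growth I cannot tell from this hunk, so confirm against the window-adjust code before changing it.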
@@ -191,7 +191,7 @@
  	    c->local_window < c->local_window_max/2) &&
  	    c->local_consumed > 0) {
 +		u_int addition = 0;
-+		u_int32_t tcpwinsz = channel_tcpwinsz();
++		u_int32_t tcpwinsz = channel_tcpwinsz(ssh);
 +		/* adjust max window size if we are in a dynamic environment */
 +		if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
 +			/* grow the window somewhat aggressively to maintain pressure */
@@ -409,18 +409,10 @@
 index dcf35e6..da4ced0 100644
 --- a/packet.c
 +++ b/packet.c
-@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
  	return 0;
  }
  
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+	rekey_requested = 1;
-+}
-+
 +/* used to determine if pre or post auth when rekeying for aes-ctr
 + * and none cipher switch */
 +int
@@ -434,20 +426,6 @@
  #define MAX_PACKETS	(1U<<31)
  static int
  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
- 		return 0;
- 
-+	/* used to force rekeying when called for by the none
-+         * cipher switch methods -cjr */
-+        if (rekey_requested == 1) {
-+                rekey_requested = 0;
-+                return 1;
-+        }
-+
- 	/* Time-based rekeying */
- 	if (state->rekey_interval != 0 &&
- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
 diff --git a/packet.h b/packet.h
 index 170203c..f4d9df2 100644
 --- a/packet.h
@@ -476,9 +454,9 @@
  /* Format of the configuration file:
  
 @@ -166,6 +167,8 @@ typedef enum {
- 	oHashKnownHosts,
  	oTunnel, oTunnelDevice,
  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ 	oDisableMTAES,
 +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
 +	oNoneEnabled, oNoneSwitch,
  	oVisualHostKey,
@@ -615,9 +593,9 @@
  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
  	SyslogFacility log_facility;	/* Facility for system logging. */
 @@ -111,7 +115,10 @@ typedef struct {
- 
  	int	enable_ssh_keysign;
  	int64_t rekey_limit;
+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
 +	int     none_switch;    /* Use none cipher */
 +	int     none_enabled;   /* Allow none to be used */
  	int	rekey_interval;
@@ -673,9 +651,9 @@
  	/* Portable-specific options */
  	if (options->use_pam == -1)
 @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
- 	}
- 	if (options->permit_tun == -1)
  		options->permit_tun = SSH_TUNMODE_NO;
+ 	if (options->disable_multithreaded == -1)
+ 		options->disable_multithreaded = 0;
 +	if (options->none_enabled == -1)
 +		options->none_enabled = 0;
 +	if (options->hpn_disabled == -1)
@@ -1092,7 +1070,7 @@
  	xxx_host = host;
  	xxx_hostaddr = hostaddr;
  
-@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
  
  	if (!authctxt.success)
  		fatal("Authentication failed.");
@@ -1108,7 +1086,7 @@
 +			memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
 +			myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
 +			myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
-+			kex_prop2buf(active_state->kex->my, myproposal);
++			kex_prop2buf(ssh->kex->my, myproposal);
 +			packet_request_rekeying();
 +			fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
 +		} else {
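Review bot: `packet_request_rekeying()` is still called on the new side immediately after `kex_prop2buf(ssh->kex->my, myproposal)`, yet this same change removes the patch's only definition of that function and the `rekey_requested` flag from packet.c (the two packet.c hunks earlier in this diff), so unless the target tree now supplies an equivalent the client will not link, or will compile against an implicit declaration on older toolchains. If the function is really gone, the NONE switch needs another way to trigger the rekey that installs the "none" proposal, and the replacement should take `ssh` like the surrounding calls now do. Note that this branch proposes "none" for both directions, so the `WARNING: ENABLED NONE CIPHER` line on stderr is the only user-visible signal that the data channel will be unencrypted; it must stay. The enclosing ssh_userauth2 change starts outside this outer hunk.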
@@ -1117,23 +1095,13 @@
 +			fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
 +		}
 +	}
-+
- 	debug("Authentication succeeded (%s).", authctxt.method->name);
- }
  
+ #ifdef WITH_OPENSSL
+ 	if (options.disable_multithreaded == 0) {
 diff --git a/sshd.c b/sshd.c
 index a738c3a..b32dbe0 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
- 	char remote_version[256];	/* Must be at least as big as buf. */
- 
- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
- 	    *options.version_addendum == '\0' ? "" : " ",
- 	    options.version_addendum);
- 
 @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
  	int ret, listen_sock;
  	struct addrinfo *ai;
@@ -1217,11 +1185,10 @@
 index f1bbf00..21a70c2 100644
 --- a/version.h
 +++ b/version.h
-@@ -3,4 +3,6 @@
+@@ -3,4 +3,5 @@
  #define SSH_VERSION	"OpenSSH_7.8"
  
  #define SSH_PORTABLE	"p1"
 -#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN         "-hpn14v16"
 +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
 +
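Review bot: The patch now drops its own `#define SSH_HPN "-hpn14v16"` but still appends `SSH_HPN` to `SSH_RELEASE`, so version.h only compiles if `SSH_HPN` is defined somewhere else in the target tree (presumably by another patch in the series; nothing in this diff shows it). The previous version of this patch also pushed `SSH_RELEASE` into the sshd identification banner (the sshd.c hunk this change removes), so if the target tree does the same, whatever ends up in `SSH_HPN` is advertised to every unauthenticated client and fingerprints the HPN build. A comment next to the define making the dependency explicit, e.g. `/* SSH_HPN must be defined by the companion HPN version patch; it may be exposed in the SSH banner */`, would save the next rebase from the same trap.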