SwordArMor-gentoo-overlay/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch

diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2022-02-23 17:10:24.843395097 -0800
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2022-02-23 17:10:38.206451595 -0800
@@ -1026,9 +1026,9 @@
 +	}
 +#endif
 +
- 	debug("Authentication succeeded (%s).", authctxt.method->name);
- }
- 
+ 	if (ssh_packet_connection_is_on_socket(ssh)) {
+ 		verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
+ 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
 diff --git a/sshd.c b/sshd.c
 index 6277e6d6..bf3d6e4a 100644
 --- a/sshd.c
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2022-02-23 17:08:38.124943587 -0800
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2022-02-23 17:20:59.432070316 -0800
@@ -536,18 +536,10 @@
  	if (state->rekey_limit)
  		*max_blocks = MINIMUM(*max_blocks,
  		    state->rekey_limit / enc->block_size);
-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
  	return 0;
  }
  
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+	rekey_requested = 1;
-+}
-+
 +/* used to determine if pre or post auth when rekeying for aes-ctr
 + * and none cipher switch */
 +int
@@ -561,27 +553,14 @@
  #define MAX_PACKETS	(1U<<31)
  static int
  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
- 		return 0;
- 
-+	/* used to force rekeying when called for by the none
-+         * cipher switch methods -cjr */
-+        if (rekey_requested == 1) {
-+                rekey_requested = 0;
-+                return 1;
-+        }
-+
- 	/* Time-based rekeying */
- 	if (state->rekey_interval != 0 &&
- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
 @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
  	struct session_state *state = ssh->state;
  	int len, r, ms_remain;
- 	fd_set *setp;
+ 	struct pollfd pfd;
 -	char buf[8192];
 +	char buf[SSH_IOBUFSZ];
- 	struct timeval timeout, start, *timeoutp = NULL;
+ 	struct timeval start;
+ 	struct timespec timespec, *timespecp = NULL;
  
  	DBG(debug("packet_read()"));
 diff --git a/packet.h b/packet.h
@@ -598,12 +577,11 @@
  };
  
  typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
-@@ -155,6 +158,10 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
+@@ -155,6 +158,9 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
  int	 ssh_packet_set_maxsize(struct ssh *, u_int);
  u_int	 ssh_packet_get_maxsize(struct ssh *);
  
 +/* for forced packet rekeying post auth */
-+void	 packet_request_rekeying(void);
 +int	 packet_authentication_state(const struct ssh *);
 +
  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
@@ -627,9 +605,9 @@
  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
 +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
 +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
+ 	oDisableMTAES,
  	oVisualHostKey,
  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
 @@ -297,6 +300,9 @@ static struct {
  	{ "kexalgorithms", oKexAlgorithms },
  	{ "ipqos", oIPQoS },
@@ -637,9 +615,9 @@
 +	{ "noneenabled", oNoneEnabled },
 +	{ "nonemacenabled", oNoneMacEnabled },
 +	{ "noneswitch", oNoneSwitch },
- 	{ "proxyusefdpass", oProxyUseFdpass },
- 	{ "canonicaldomains", oCanonicalDomains },
- 	{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
+ 	{ "sessiontype", oSessionType },
+ 	{ "stdinnull", oStdinNull },
+ 	{ "forkafterauthentication", oForkAfterAuthentication },
 @@ -317,6 +323,11 @@ static struct {
  	{ "securitykeyprovider", oSecurityKeyProvider },
  	{ "knownhostscommand", oKnownHostsCommand },
@@ -717,9 +695,9 @@
 +	options->hpn_buffer_size = -1;
 +	options->tcp_rcv_buf_poll = -1;
 +	options->tcp_rcv_buf = -1;
- 	options->proxy_use_fdpass = -1;
- 	options->ignored_unknown = NULL;
- 	options->num_canonical_domains = 0;
+ 	options->session_type = -1;
+ 	options->stdin_null = -1;
+ 	options->fork_after_authentication = -1;
 @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
  		options->server_alive_interval = 0;
  	if (options->server_alive_count_max == -1)
@@ -778,9 +756,9 @@
  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
  	SyslogFacility log_facility;	/* Facility for system logging. */
 @@ -120,7 +124,11 @@ typedef struct {
- 
  	int	enable_ssh_keysign;
  	int64_t rekey_limit;
+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
 +	int     none_switch;    /* Use none cipher */
 +	int     none_enabled;   /* Allow none cipher to be used */
 +  	int     nonemac_enabled;   /* Allow none MAC to be used */
@@ -842,9 +820,9 @@
  	/* Portable-specific options */
  	if (options->use_pam == -1)
 @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
- 	}
- 	if (options->permit_tun == -1)
  		options->permit_tun = SSH_TUNMODE_NO;
+ 	if (options->disable_multithreaded == -1)
+ 		options->disable_multithreaded = 0;
 +	if (options->none_enabled == -1)
 +		options->none_enabled = 0;
 +	if (options->nonemac_enabled == -1)
@@ -975,15 +953,6 @@
 index 306658cb..d4309903 100644
 --- a/serverloop.c
 +++ b/serverloop.c
-@@ -322,7 +322,7 @@ static int
- process_input(struct ssh *ssh, fd_set *readset, int connection_in)
- {
- 	int r, len;
--	char buf[16384];
-+	char buf[SSH_IOBUFSZ];
- 
- 	/* Read and buffer any input data from the client. */
- 	if (FD_ISSET(connection_in, readset)) {
 @@ -608,7 +608,8 @@ server_request_tun(struct ssh *ssh)
  	debug("Tunnel forwarding using interface %s", ifname);
  
@@ -1047,30 +1016,17 @@
  Note that
 diff --git a/sftp.c b/sftp.c
 index fb3c08d1..89bebbb2 100644
---- a/sftp.c
-+++ b/sftp.c
-@@ -71,7 +71,7 @@ typedef void EditLine;
- #include "sftp-client.h"
- 
- #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
--#define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
-+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
- 
- /* File to read commands from */
- FILE* infile;
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..36a6e519 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
- 			freezero(pin, strlen(pin));
- 		error_r(r, "Unable to load resident keys");
- 		return -1;
--	}
-+ 	}
- 	if (nkeys == 0)
- 		logit("No keys to download");
- 	if (pin != NULL)
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -65,7 +65,7 @@ typedef void EditLine;
+ #define DEFAULT_COPY_BUFLEN	32768
+ 
+ /* Default number of concurrent outstanding requests */
+-#define DEFAULT_NUM_REQUESTS	64
++#define DEFAULT_NUM_REQUESTS	256
+ 
+ /* Minimum amount of data to read at a time */
+ #define MIN_READ_SIZE	512
 diff --git a/ssh.c b/ssh.c
 index 53330da5..27b9770e 100644
 --- a/ssh.c
@@ -1330,9 +1286,9 @@
 +		}
 +	}
 +
- 	debug("Authentication succeeded (%s).", authctxt.method->name);
- }
  
+ #ifdef WITH_OPENSSL
+ 	if (options.disable_multithreaded == 0) {
 diff --git a/sshd.c b/sshd.c
 index 6277e6d6..d66fa41a 100644
 --- a/sshd.c
@@ -1359,8 +1315,8 @@
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
  			error("Bind to port %s on %s failed: %.200s.",
 @@ -1727,6 +1734,19 @@ main(int ac, char **av)
- 	/* Fill in default values for those options not explicitly set. */
- 	fill_default_server_options(&options);
+ 		fatal("AuthorizedPrincipalsCommand set without "
+ 		    "AuthorizedPrincipalsCommandUser");
  
 +	if (options.none_enabled == 1) {
 +		char *old_ciphers = options.ciphers;
@@ -1375,9 +1331,9 @@
 +		}
 +	}
 +
- 	/* challenge-response is implemented via keyboard interactive */
- 	if (options.challenge_response_authentication)
- 		options.kbd_interactive_authentication = 1;
+ 	/*
+ 	 * Check whether there is any path through configured auth methods.
+ 	 * Unfortunately it is not possible to verify this generally before
 @@ -2166,6 +2186,9 @@ main(int ac, char **av)
  	    rdomain == NULL ? "" : "\"");
  	free(laddr);
net-misc/openssh: new package 2023-01-13 10:08:39 +01:00			`diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff`
			`--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:24.843395097 -0800`
			`+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:38.206451595 -0800`
			`@@ -1026,9 +1026,9 @@`
			`+ }`
			`+#endif`
			`+`
			`- debug("Authentication succeeded (%s).", authctxt.method->name);`
			`- }`
			`-`
			`+ if (ssh_packet_connection_is_on_socket(ssh)) {`
			`+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,`
			`+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),`
			`diff --git a/sshd.c b/sshd.c`
			`index 6277e6d6..bf3d6e4a 100644`
			`--- a/sshd.c`
			`diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff`
			`--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:08:38.124943587 -0800`
			`+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:20:59.432070316 -0800`
			`@@ -536,18 +536,10 @@`
			`if (state->rekey_limit)`
			`max_blocks = MINIMUM(max_blocks,`
			`state->rekey_limit / enc->block_size);`
			`-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)`
			`+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)`
			`return 0;`
			`}`

			`-+/* this supports the forced rekeying required for the NONE cipher */`
			`-+int rekey_requested = 0;`
			`-+void`
			`-+packet_request_rekeying(void)`
			`-+{`
			`-+ rekey_requested = 1;`
			`-+}`
			`-+`
			`+/* used to determine if pre or post auth when rekeying for aes-ctr`
			`+ * and none cipher switch */`
			`+int`
			`@@ -561,27 +553,14 @@`
			`#define MAX_PACKETS (1U<<31)`
			`static int`
			`ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)`
			`-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)`
			`- if (state->p_send.packets == 0 && state->p_read.packets == 0)`
			`- return 0;`
			`-`
			`-+ /* used to force rekeying when called for by the none`
			`-+ * cipher switch methods -cjr */`
			`-+ if (rekey_requested == 1) {`
			`-+ rekey_requested = 0;`
			`-+ return 1;`
			`-+ }`
			`-+`
			`- /* Time-based rekeying */`
			`- if (state->rekey_interval != 0 &&`
			`- (int64_t)state->rekey_time + state->rekey_interval <= monotime())`
			`@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh ssh, u_char typep, u_int32_t *seqnr_p)`
			`struct session_state *state = ssh->state;`
			`int len, r, ms_remain;`
			`- fd_set *setp;`
			`+ struct pollfd pfd;`
			`- char buf[8192];`
			`+ char buf[SSH_IOBUFSZ];`
			`- struct timeval timeout, start, *timeoutp = NULL;`
			`+ struct timeval start;`
			`+ struct timespec timespec, *timespecp = NULL;`

			`DBG(debug("packet_read()"));`
			`diff --git a/packet.h b/packet.h`
			`@@ -598,12 +577,11 @@`
			`};`

			`typedef int (ssh_packet_hook_fn)(struct ssh , struct sshbuf ,`
			`-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);`
			`+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);`
			`int ssh_packet_set_maxsize(struct ssh *, u_int);`
			`u_int ssh_packet_get_maxsize(struct ssh *);`

			`+/* for forced packet rekeying post auth */`
			`-+void packet_request_rekeying(void);`
			`+int packet_authentication_state(const struct ssh *);`
			`+`
			`int ssh_packet_get_state(struct ssh , struct sshbuf );`
			`@@ -627,9 +605,9 @@`
			`oLocalCommand, oPermitLocalCommand, oRemoteCommand,`
			`+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,`
			`+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,`
			`+ oDisableMTAES,`
			`oVisualHostKey,`
			`oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,`
			`- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,`
			`@@ -297,6 +300,9 @@ static struct {`
			`{ "kexalgorithms", oKexAlgorithms },`
			`{ "ipqos", oIPQoS },`
			`@@ -637,9 +615,9 @@`
			`+ { "noneenabled", oNoneEnabled },`
			`+ { "nonemacenabled", oNoneMacEnabled },`
			`+ { "noneswitch", oNoneSwitch },`
			`- { "proxyusefdpass", oProxyUseFdpass },`
			`- { "canonicaldomains", oCanonicalDomains },`
			`- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },`
			`+ { "sessiontype", oSessionType },`
			`+ { "stdinnull", oStdinNull },`
			`+ { "forkafterauthentication", oForkAfterAuthentication },`
			`@@ -317,6 +323,11 @@ static struct {`
			`{ "securitykeyprovider", oSecurityKeyProvider },`
			`{ "knownhostscommand", oKnownHostsCommand },`
			`@@ -717,9 +695,9 @@`
			`+ options->hpn_buffer_size = -1;`
			`+ options->tcp_rcv_buf_poll = -1;`
			`+ options->tcp_rcv_buf = -1;`
			`- options->proxy_use_fdpass = -1;`
			`- options->ignored_unknown = NULL;`
			`- options->num_canonical_domains = 0;`
			`+ options->session_type = -1;`
			`+ options->stdin_null = -1;`
			`+ options->fork_after_authentication = -1;`
			`@@ -2426,6 +2484,41 @@ fill_default_options(Options * options)`
			`options->server_alive_interval = 0;`
			`if (options->server_alive_count_max == -1)`
			`@@ -778,9 +756,9 @@`
			`int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */`
			`SyslogFacility log_facility; /* Facility for system logging. */`
			`@@ -120,7 +124,11 @@ typedef struct {`
			`-`
			`int enable_ssh_keysign;`
			`int64_t rekey_limit;`
			`+ int disable_multithreaded; /disable multithreaded aes-ctr/`
			`+ int none_switch; /* Use none cipher */`
			`+ int none_enabled; /* Allow none cipher to be used */`
			`+ int nonemac_enabled; /* Allow none MAC to be used */`
			`@@ -842,9 +820,9 @@`
			`/* Portable-specific options */`
			`if (options->use_pam == -1)`
			`@@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)`
			`- }`
			`- if (options->permit_tun == -1)`
			`options->permit_tun = SSH_TUNMODE_NO;`
			`+ if (options->disable_multithreaded == -1)`
			`+ options->disable_multithreaded = 0;`
			`+ if (options->none_enabled == -1)`
			`+ options->none_enabled = 0;`
			`+ if (options->nonemac_enabled == -1)`
			`@@ -975,15 +953,6 @@`
			`index 306658cb..d4309903 100644`
			`--- a/serverloop.c`
			`+++ b/serverloop.c`
			`-@@ -322,7 +322,7 @@ static int`
			`- process_input(struct ssh ssh, fd_set readset, int connection_in)`
			`- {`
			`- int r, len;`
			`-- char buf[16384];`
			`-+ char buf[SSH_IOBUFSZ];`
			`-`
			`- /* Read and buffer any input data from the client. */`
			`- if (FD_ISSET(connection_in, readset)) {`
			`@@ -608,7 +608,8 @@ server_request_tun(struct ssh *ssh)`
			`debug("Tunnel forwarding using interface %s", ifname);`

			`@@ -1047,30 +1016,17 @@`
			`Note that`
			`diff --git a/sftp.c b/sftp.c`
			`index fb3c08d1..89bebbb2 100644`
			`---- a/sftp.c`
			`-+++ b/sftp.c`
			`-@@ -71,7 +71,7 @@ typedef void EditLine;`
			`- #include "sftp-client.h"`
			`-`
			`- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */`
			`--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */`
			`-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */`
			`-`
			`- /* File to read commands from */`
			`- FILE* infile;`
			`-diff --git a/ssh-keygen.c b/ssh-keygen.c`
			`-index cfb5f115..36a6e519 100644`
			`---- a/ssh-keygen.c`
			`-+++ b/ssh-keygen.c`
			`-@@ -2971,7 +2971,7 @@ do_download_sk(const char skprovider, const char device)`
			`- freezero(pin, strlen(pin));`
			`- error_r(r, "Unable to load resident keys");`
			`- return -1;`
			`-- }`
			`-+ }`
			`- if (nkeys == 0)`
			`- logit("No keys to download");`
			`- if (pin != NULL)`
			`+--- a/sftp-client.c`
			`++++ b/sftp-client.c`
			`+@@ -65,7 +65,7 @@ typedef void EditLine;`
			`+ #define DEFAULT_COPY_BUFLEN 32768`
			`+`
			`+ /* Default number of concurrent outstanding requests */`
			`+-#define DEFAULT_NUM_REQUESTS 64`
			`++#define DEFAULT_NUM_REQUESTS 256`
			`+`
			`+ /* Minimum amount of data to read at a time */`
			`+ #define MIN_READ_SIZE 512`
			`diff --git a/ssh.c b/ssh.c`
			`index 53330da5..27b9770e 100644`
			`--- a/ssh.c`
			`@@ -1330,9 +1286,9 @@`
			`+ }`
			`+ }`
			`+`
			`- debug("Authentication succeeded (%s).", authctxt.method->name);`
			`- }`

			`+ #ifdef WITH_OPENSSL`
			`+ if (options.disable_multithreaded == 0) {`
			`diff --git a/sshd.c b/sshd.c`
			`index 6277e6d6..d66fa41a 100644`
			`--- a/sshd.c`
			`@@ -1359,8 +1315,8 @@`
			`if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {`
			`error("Bind to port %s on %s failed: %.200s.",`
			`@@ -1727,6 +1734,19 @@ main(int ac, char **av)`
			`- /* Fill in default values for those options not explicitly set. */`
			`- fill_default_server_options(&options);`
			`+ fatal("AuthorizedPrincipalsCommand set without "`
			`+ "AuthorizedPrincipalsCommandUser");`

			`+ if (options.none_enabled == 1) {`
			`+ char *old_ciphers = options.ciphers;`
			`@@ -1375,9 +1331,9 @@`
			`+ }`
			`+ }`
			`+`
			`- /* challenge-response is implemented via keyboard interactive */`
			`- if (options.challenge_response_authentication)`
			`- options.kbd_interactive_authentication = 1;`
			`+ /*`
			`+ * Check whether there is any path through configured auth methods.`
			`+ * Unfortunately it is not possible to verify this generally before`
			`@@ -2166,6 +2186,9 @@ main(int ac, char **av)`
			`rdomain == NULL ? "" : "\"");`
			`free(laddr);`