diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:24.843395097 -0800
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:38.206451595 -0800
@@ -1026,9 +1026,9 @@
+ }
+#endif
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
diff --git a/sshd.c b/sshd.c
index 6277e6d6..bf3d6e4a 100644
--- a/sshd.c
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:08:38.124943587 -0800
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:20:59.432070316 -0800
@@ -536,18 +536,10 @@
if (state->rekey_limit)
*max_blocks = MINIMUM(*max_blocks,
state->rekey_limit / enc->block_size);
-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
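Review bot: The forced-rekey hook that the NONE-cipher switch relied on is removed here without a visible replacement: this hunk drops `rekey_requested` and `packet_request_rekeying()` from the patched packet.c (the removed comment describes it as "the forced rekeying required for the NONE cipher"), hunk @@ -561 drops the check that consumed the flag in ssh_packet_need_rekeying(), and hunk @@ -598 drops the prototype from packet.h. If the NoneSwitch code in ssh.c/sshd.c still calls packet_request_rekeying() the patched tree will fail to link; if those calls were removed as well, the post-authentication switch to the none cipher presumably now depends on another rekey trigger that is not in this diff, and it would be worth stating which. A comment next to the surviving packet_authentication_state(), e.g. `/* NONE-cipher switch: the post-auth rekey is triggered by <MECHANISM>; the packet_request_rekeying() hook was removed */` (placeholder to be filled in), would record that for the next rebase. A switch whose rekey never fires leaves the session on the negotiated cipher, so the failure mode is safe but the feature would be silently dead.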
@@ -561,27 +553,14 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
struct session_state *state = ssh->state;
int len, r, ms_remain;
- fd_set *setp;
+ struct pollfd pfd;
- char buf[8192];
+ char buf[SSH_IOBUFSZ];
- struct timeval timeout, start, *timeoutp = NULL;
+ struct timeval start;
+ struct timespec timespec, *timespecp = NULL;
DBG(debug("packet_read()"));
diff --git a/packet.h b/packet.h
@@ -598,12 +577,11 @@
};
typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
int ssh_packet_set_maxsize(struct ssh *, u_int);
u_int ssh_packet_get_maxsize(struct ssh *);
+/* for forced packet rekeying post auth */
-+void packet_request_rekeying(void);
+int packet_authentication_state(const struct ssh *);
+
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
@@ -627,9 +605,9 @@
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
+ oDisableMTAES,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
@@ -297,6 +300,9 @@ static struct {
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
@@ -637,9 +615,9 @@
+ { "noneenabled", oNoneEnabled },
+ { "nonemacenabled", oNoneMacEnabled },
+ { "noneswitch", oNoneSwitch },
- { "proxyusefdpass", oProxyUseFdpass },
- { "canonicaldomains", oCanonicalDomains },
- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
+ { "sessiontype", oSessionType },
+ { "stdinnull", oStdinNull },
+ { "forkafterauthentication", oForkAfterAuthentication },
@@ -317,6 +323,11 @@ static struct {
{ "securitykeyprovider", oSecurityKeyProvider },
{ "knownhostscommand", oKnownHostsCommand },
@@ -717,9 +695,9 @@
+ options->hpn_buffer_size = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->tcp_rcv_buf = -1;
- options->proxy_use_fdpass = -1;
- options->ignored_unknown = NULL;
- options->num_canonical_domains = 0;
+ options->session_type = -1;
+ options->stdin_null = -1;
+ options->fork_after_authentication = -1;
@@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
@@ -778,9 +756,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -120,7 +124,11 @@ typedef struct {
- int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none cipher to be used */
+ int nonemac_enabled; /* Allow none MAC to be used */
@@ -842,9 +820,9 @@
/* Portable-specific options */
if (options->use_pam == -1)
@@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
- }
- if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
+ if (options->none_enabled == -1)
+ options->none_enabled = 0;
+ if (options->nonemac_enabled == -1)
@@ -975,15 +953,6 @@
index 306658cb..d4309903 100644
--- a/serverloop.c
+++ b/serverloop.c
-@@ -322,7 +322,7 @@ static int
- process_input(struct ssh *ssh, fd_set *readset, int connection_in)
- {
- int r, len;
-- char buf[16384];
-+ char buf[SSH_IOBUFSZ];
-
- /* Read and buffer any input data from the client. */
- if (FD_ISSET(connection_in, readset)) {
@@ -608,7 +608,8 @@ server_request_tun(struct ssh *ssh)
debug("Tunnel forwarding using interface %s", ifname);
@@ -1047,30 +1016,17 @@
Note that
diff --git a/sftp.c b/sftp.c
index fb3c08d1..89bebbb2 100644
---- a/sftp.c
-+++ b/sftp.c
-@@ -71,7 +71,7 @@ typedef void EditLine;
- #include "sftp-client.h"
-
- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
-
- /* File to read commands from */
- FILE* infile;
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..36a6e519 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
- freezero(pin, strlen(pin));
- error_r(r, "Unable to load resident keys");
- return -1;
-- }
-+ }
- if (nkeys == 0)
- logit("No keys to download");
- if (pin != NULL)
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -65,7 +65,7 @@ typedef void EditLine;
+ #define DEFAULT_COPY_BUFLEN 32768
+
+ /* Default number of concurrent outstanding requests */
+-#define DEFAULT_NUM_REQUESTS 64
++#define DEFAULT_NUM_REQUESTS 256
+
+ /* Minimum amount of data to read at a time */
+ #define MIN_READ_SIZE 512
diff --git a/ssh.c b/ssh.c
index 53330da5..27b9770e 100644
--- a/ssh.c
@@ -1330,9 +1286,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
diff --git a/sshd.c b/sshd.c
index 6277e6d6..d66fa41a 100644
--- a/sshd.c
@@ -1359,8 +1315,8 @@
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
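Review bot: The sftp hunk of the DynWinNoneSwitch patch now carries a mismatched git header: hunk @@ -1047 keeps `diff --git a/sftp.c b/sftp.c` and `index fb3c08d1..89bebbb2 100644` as context while the `---`/`+++` lines directly below are changed to sftp-client.c. patch(1) only reads the `---`/`+++` names, so it applies, but git apply validates those names against the `diff --git` line and I would expect it to reject the file as inconsistent, and the index hashes still describe sftp.c blobs. Change the header to `diff --git a/sftp-client.c b/sftp-client.c` and either drop the index line or replace it with the sftp-client.c blob ids (`index <OLD_BLOB>..<NEW_BLOB> 100644`, placeholders to be filled in).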
@@ -1727,6 +1734,19 @@ main(int ac, char **av)
- /* Fill in default values for those options not explicitly set. */
- fill_default_server_options(&options);
+ fatal("AuthorizedPrincipalsCommand set without "
+ "AuthorizedPrincipalsCommandUser");
+ if (options.none_enabled == 1) {
+ char *old_ciphers = options.ciphers;
@@ -1375,9 +1331,9 @@
+ }
+ }
+
- /* challenge-response is implemented via keyboard interactive */
- if (options.challenge_response_authentication)
- options.kbd_interactive_authentication = 1;
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
@@ -2166,6 +2186,9 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\"");
free(laddr);