SwordArMor-gentoo-overlay/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch

239 lines
8.3 KiB
Diff

diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:24.843395097 -0800
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:38.206451595 -0800
@@ -1026,9 +1026,9 @@
+ }
+#endif
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
diff --git a/sshd.c b/sshd.c
index 6277e6d6..bf3d6e4a 100644
--- a/sshd.c
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:08:38.124943587 -0800
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:20:59.432070316 -0800
@@ -536,18 +536,10 @@
if (state->rekey_limit)
*max_blocks = MINIMUM(*max_blocks,
state->rekey_limit / enc->block_size);
-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -561,27 +553,14 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
struct session_state *state = ssh->state;
int len, r, ms_remain;
- fd_set *setp;
+ struct pollfd pfd;
- char buf[8192];
+ char buf[SSH_IOBUFSZ];
- struct timeval timeout, start, *timeoutp = NULL;
+ struct timeval start;
+ struct timespec timespec, *timespecp = NULL;
DBG(debug("packet_read()"));
diff --git a/packet.h b/packet.h
@@ -598,12 +577,11 @@
};
typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
int ssh_packet_set_maxsize(struct ssh *, u_int);
u_int ssh_packet_get_maxsize(struct ssh *);
+/* for forced packet rekeying post auth */
-+void packet_request_rekeying(void);
+int packet_authentication_state(const struct ssh *);
+
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
@@ -627,9 +605,9 @@
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
+ oDisableMTAES,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
@@ -297,6 +300,9 @@ static struct {
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
@@ -637,9 +615,9 @@
+ { "noneenabled", oNoneEnabled },
+ { "nonemacenabled", oNoneMacEnabled },
+ { "noneswitch", oNoneSwitch },
- { "proxyusefdpass", oProxyUseFdpass },
- { "canonicaldomains", oCanonicalDomains },
- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
+ { "sessiontype", oSessionType },
+ { "stdinnull", oStdinNull },
+ { "forkafterauthentication", oForkAfterAuthentication },
@@ -317,6 +323,11 @@ static struct {
{ "securitykeyprovider", oSecurityKeyProvider },
{ "knownhostscommand", oKnownHostsCommand },
@@ -717,9 +695,9 @@
+ options->hpn_buffer_size = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->tcp_rcv_buf = -1;
- options->proxy_use_fdpass = -1;
- options->ignored_unknown = NULL;
- options->num_canonical_domains = 0;
+ options->session_type = -1;
+ options->stdin_null = -1;
+ options->fork_after_authentication = -1;
@@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
@@ -778,9 +756,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -120,7 +124,11 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none cipher to be used */
+ int nonemac_enabled; /* Allow none MAC to be used */
@@ -842,9 +820,9 @@
/* Portable-specific options */
if (options->use_pam == -1)
@@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
- }
- if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
+ if (options->none_enabled == -1)
+ options->none_enabled = 0;
+ if (options->nonemac_enabled == -1)
@@ -975,15 +953,6 @@
index 306658cb..d4309903 100644
--- a/serverloop.c
+++ b/serverloop.c
-@@ -322,7 +322,7 @@ static int
- process_input(struct ssh *ssh, fd_set *readset, int connection_in)
- {
- int r, len;
-- char buf[16384];
-+ char buf[SSH_IOBUFSZ];
-
- /* Read and buffer any input data from the client. */
- if (FD_ISSET(connection_in, readset)) {
@@ -608,7 +608,8 @@ server_request_tun(struct ssh *ssh)
debug("Tunnel forwarding using interface %s", ifname);
@@ -1047,30 +1016,17 @@
Note that
diff --git a/sftp.c b/sftp.c
index fb3c08d1..89bebbb2 100644
---- a/sftp.c
-+++ b/sftp.c
-@@ -71,7 +71,7 @@ typedef void EditLine;
- #include "sftp-client.h"
-
- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
-
- /* File to read commands from */
- FILE* infile;
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..36a6e519 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
- freezero(pin, strlen(pin));
- error_r(r, "Unable to load resident keys");
- return -1;
-- }
-+ }
- if (nkeys == 0)
- logit("No keys to download");
- if (pin != NULL)
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -65,7 +65,7 @@ typedef void EditLine;
+ #define DEFAULT_COPY_BUFLEN 32768
+
+ /* Default number of concurrent outstanding requests */
+-#define DEFAULT_NUM_REQUESTS 64
++#define DEFAULT_NUM_REQUESTS 256
+
+ /* Minimum amount of data to read at a time */
+ #define MIN_READ_SIZE 512
diff --git a/ssh.c b/ssh.c
index 53330da5..27b9770e 100644
--- a/ssh.c
@@ -1330,9 +1286,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
diff --git a/sshd.c b/sshd.c
index 6277e6d6..d66fa41a 100644
--- a/sshd.c
@@ -1359,8 +1315,8 @@
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
@@ -1727,6 +1734,19 @@ main(int ac, char **av)
- /* Fill in default values for those options not explicitly set. */
- fill_default_server_options(&options);
+ fatal("AuthorizedPrincipalsCommand set without "
+ "AuthorizedPrincipalsCommandUser");
+ if (options.none_enabled == 1) {
+ char *old_ciphers = options.ciphers;
@@ -1375,9 +1331,9 @@
+ }
+ }
+
- /* challenge-response is implemented via keyboard interactive */
- if (options.challenge_response_authentication)
- options.kbd_interactive_authentication = 1;
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
@@ -2166,6 +2186,9 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\"");
free(laddr);