Date: Thu, 28 Jun 2018 03:38:33 +0000 (UTC) From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r473485 - in head/security/openssh-portable: . files Message-ID: <201806280338.w5S3cXeJ005107@repo.freebsd.org>
Author: bdrewery Date: Thu Jun 28 03:38:32 2018 New Revision: 473485 URL: https://svnweb.freebsd.org/changeset/ports/473485 Log: - Fix and update HPN patch to latest from upstream but leave it off by default. - Add an 'hpn' FLAVOR to produce a package for users with HPN and NONECIPHER enabled. Approved by: portmgr (implicit) Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/files/extra-patch-hpn head/security/openssh-portable/files/patch-servconf.c Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Thu Jun 28 03:11:45 2018 (r473484) +++ head/security/openssh-portable/Makefile Thu Jun 28 03:38:32 2018 (r473485) @@ -3,7 +3,7 @@ PORTNAME= openssh DISTVERSION= 7.7p1 -PORTREVISION= 4 +PORTREVISION= 5 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable @@ -29,10 +29,18 @@ ETCOLD= ${PREFIX}/etc BROKEN_SSL= openssl-devel BROKEN_SSL_REASON_openssl-devel= error: OpenSSL >= 1.1.0 is not yet supported +FLAVORS= default hpn +default_CONFLICTS_INSTALL= openssl-portable-hpn-[0-9]* +hpn_CONFLICTS_INSTALL= openssh-portable-[0-9]* +hpn_PKGNAMESUFFIX= -portable-hpn + OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ LDNS NONECIPHER XMSS OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS +.if ${FLAVOR:U} == hpn +OPTIONS_DEFAULT+= HPN NONECIPHER +.endif OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support @@ -57,7 +65,6 @@ LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns LDNS_CFLAGS= -I${LOCALBASE}/include LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib' -# http://www.psc.edu/index.php/hpn-ssh HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher 
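Review bot: `default_CONFLICTS_INSTALL= openssl-portable-hpn-[0-9]*` in the FLAVORS hunk names a package this port never produces: with `PORTNAME= openssh` and `hpn_PKGNAMESUFFIX= -portable-hpn` the hpn flavor packages as openssh-portable-hpn, so the default flavor's conflict entry never matches and both flavors can be installed over each other. It should read `default_CONFLICTS_INSTALL= openssh-portable-hpn-[0-9]*`, mirroring the `hpn_CONFLICTS_INSTALL= openssh-portable-[0-9]*` line right below it.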
@@ -103,12 +110,12 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue PATCHFILES+= openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex .endif -# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable +# https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} -BROKEN= HPN: Not yet updated for ${DISTVERSION} and disabled in base +#BROKEN= HPN: Not yet updated for ${DISTVERSION} and disabled in base PORTDOCS+= HPN-README -HPN_VERSION= 14v5 -HPN_DISTVERSION= 6.7p1 +HPN_VERSION= 14v15 +HPN_DISTVERSION= 7.7p1 #PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn #PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 Modified: head/security/openssh-portable/files/extra-patch-hpn ============================================================================== --- head/security/openssh-portable/files/extra-patch-hpn Thu Jun 28 03:11:45 2018 (r473484) +++ head/security/openssh-portable/files/extra-patch-hpn Thu Jun 28 03:38:32 2018 (r473485) 
@@ -131,11 +131,11 @@ diff -urN -x configure -x config.guess -x config.h.in + (tasota@gmail.com) an NSF REU grant recipient for 2013. + This work was financed, in part, by Cisco System, Inc., the National + Library of Medicine, and the National Science Foundation. ---- work.clean/openssh-6.8p1/channels.c 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/channels.c 2015-04-03 15:51:59.599537000 -0500 -@@ -183,8 +183,14 @@ - static int connect_next(struct channel_connect *); - static void channel_connect_ctx_free(struct channel_connect *); +--- work/openssh-7.7p1/channels.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/channels.c 2018-06-27 16:37:07.663857000 -0700 +@@ -215,6 +215,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann + /* Setup helper */ + static void channel_handler_init(struct ssh_channels *sc); + +#ifdef HPN_ENABLED @@ -145,25 +145,23 @@ diff -urN -x configure -x config.guess -x config.h.in + /* -- channel core */ - Channel * - channel_by_id(int id) - { -@@ -333,6 +339,9 @@ + void +@@ -391,6 +397,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in + c->local_window = window; c->local_window_max = window; - c->local_consumed = 0; c->local_maxpacket = maxpack; +#ifdef HPN_ENABLED + c->dynamic_window = 0; +#endif - c->remote_id = -1; c->remote_name = xstrdup(remote_name); - c->remote_window = 0; -@@ -837,11 +846,41 @@ - FD_SET(c->sock, writeset); + c->ctl_chan = -1; + c->delayed = 1; /* prevent call to channel_post handler */ +@@ -977,6 +986,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, + FD_SET(c->sock, writeset); } +#ifdef HPN_ENABLED -+static u_int ++static int +channel_tcpwinsz(void) +{ + u_int32_t tcpwinsz = 0; 
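Review bot: The rewritten `channel_tcpwinsz()` now returns `int` (`++static int`) although the value it returns is the `u_int32_t tcpwinsz` read from SO_RCVBUF and the caller in channel_check_window stores it back into a `u_int32_t`; the previous revision returned `u_int`. Keeping the declaration unsigned, `static u_int32_t channel_tcpwinsz(void)`, avoids the signed/unsigned round trip and matches the comparison against SSHBUF_SIZE_MAX inside the function. The function body continues in the next hunk.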
@@ -172,56 +170,60 @@ diff -urN -x configure -x config.guess -x config.h.in + + /* if we aren't on a socket return 128KB */ + if (!packet_connection_is_on_socket()) -+ return (128*1024); ++ return 128 * 1024; ++ + ret = getsockopt(packet_get_connection_in(), -+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); -+ /* return no more than SSHBUF_SIZE_MAX */ -+ if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX) ++ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); ++ /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */ ++ if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX) + tcpwinsz = SSHBUF_SIZE_MAX; -+ debug2("tcpwinsz: %d for connection: %d", tcpwinsz, -+ packet_get_connection_in()); -+ return (tcpwinsz); ++ ++ debug2("tcpwinsz: tcp connection %d, Receive window: %d", ++ packet_get_connection_in(), tcpwinsz); ++ return tcpwinsz; +} +#endif + static void - channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) - { - u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); - -+#ifdef HPN_ENABLED -+ /* check buffer limits */ -+ if (!c->tcpwinsz || c->dynamic_window > 0) -+ c->tcpwinsz = channel_tcpwinsz(); -+ -+ limit = MIN(limit, 2 * c->tcpwinsz); -+#endif -+ - if (c->istate == CHAN_INPUT_OPEN && - limit > 0 && - buffer_len(&c->input) < limit && -@@ -1846,6 +1885,20 @@ + channel_pre_open(struct ssh *ssh, Channel *c, + fd_set *readset, fd_set *writeset) +@@ -2074,21 +2107,32 @@ channel_check_window(struct ssh *ssh, Channel *c) c->local_maxpacket*3) || c->local_window < c->local_window_max/2) && c->local_consumed > 0) { ++ u_int addition = 0; +#ifdef HPN_ENABLED ++ u_int32_t tcpwinsz = channel_tcpwinsz(); + /* adjust max window size if we are in a dynamic environment */ -+ if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) { -+ u_int addition = 0; -+ -+ /* -+ * grow the window somewhat aggressively to maintain -+ * pressure -+ */ -+ addition = 1.5*(c->tcpwinsz - c->local_window_max); ++ if (c->dynamic_window && (tcpwinsz > c->local_window_max)) { ++ /* grow the 
window somewhat aggressively to maintain pressure */ ++ addition = 1.5 * (tcpwinsz - c->local_window_max); + c->local_window_max += addition; -+ c->local_consumed += addition; ++ debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition); + } +#endif - packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); - packet_put_int(c->remote_id); - packet_put_int(c->local_consumed); -@@ -2794,6 +2847,17 @@ + if (!c->have_remote_id) + fatal(":%s: channel %d: no remote id", + __func__, c->self); + if ((r = sshpkt_start(ssh, + SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || + (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || +- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || ++ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || + (r = sshpkt_send(ssh)) != 0) { + fatal("%s: channel %i: %s", __func__, + c->self, ssh_err(r)); + } + debug2("channel %d: window %d sent adjust %d", + c->self, c->local_window, +- c->local_consumed); +- c->local_window += c->local_consumed; ++ c->local_consumed + addition); ++ c->local_window += c->local_consumed + addition; + c->local_consumed = 0; + } + return 1; +@@ -3258,6 +3302,17 @@ channel_fwd_bind_addr(const char *listen_addr, int *wi return addr; } @@ -237,9 +239,9 @@ diff -urN -x configure -x config.guess -x config.h.in +#endif + static int - channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd, - int *allocated_listen_port, struct ForwardOptions *fwd_opts) -@@ -2918,9 +2982,20 @@ + channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, + struct Forward *fwd, int *allocated_listen_port, +@@ -3398,6 +3453,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int } /* Allocate a channel number for the socket. */ 
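Review bot: In channel_check_window the growth step `addition = 1.5 * (tcpwinsz - c->local_window_max)` raises `local_window_max` to 1.5*tcpwinsz - 0.5*old_max, i.e. above tcpwinsz itself, so the window advertised to the peer can exceed SSHBUF_SIZE_MAX even though channel_tcpwinsz() capped tcpwinsz at that value; the receive buffer cannot hold what the window promises. Clamping the step, `if (c->local_window_max + addition > SSHBUF_SIZE_MAX) addition = SSHBUF_SIZE_MAX - c->local_window_max;`, keeps window and buffer limit consistent. Separately, `u_int32_t tcpwinsz = channel_tcpwinsz();` now runs a getsockopt() on every window adjustment of every channel even when `c->dynamic_window` is 0 and the value is unused; moving the call inside the `if (c->dynamic_window ...)` branch avoids that syscall on the common path. The `debug("Channel: Window growth to %d by %d bytes", ...)` line formats two unsigned values with `%d`; `%u` matches their types.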
@@ -249,136 +251,111 @@ diff -urN -x configure -x config.guess -x config.h.in + * window size. + */ + if (!hpn_disabled) -+ c = channel_new("port listener", type, sock, sock, -1, ++ c = channel_new(ssh, "port listener", type, sock, sock, -1, + hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, + 0, "port listener", 1); + else +#endif - c = channel_new("port listener", type, sock, sock, -1, + c = channel_new(ssh, "port listener", type, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "port listener", 1); - c->path = xstrdup(host); - c->host_port = fwd->connect_port; - c->listening_addr = addr == NULL ? NULL : xstrdup(addr); -@@ -3952,6 +4027,14 @@ +@@ -4457,6 +4523,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); for (n = 0; n < num_socks; n++) { sock = socks[n]; +#ifdef HPN_ENABLED + if (!hpn_disabled) -+ nc = channel_new("x11 listener", ++ nc = channel_new(ssh, "x11 listener", + SSH_CHANNEL_X11_LISTENER, sock, sock, -1, + hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, + 0, "X11 inet listener", 1); + else +#endif - nc = channel_new("x11 listener", + nc = channel_new(ssh, "x11 listener", SSH_CHANNEL_X11_LISTENER, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, ---- work.clean/openssh-6.8p1/channels.h 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/channels.h 2015-04-03 13:58:44.472717000 -0500 -@@ -136,6 +136,10 @@ +--- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/channels.h 2018-06-27 16:38:40.766588000 -0700 +@@ -143,6 +143,9 @@ struct Channel { u_int local_maxpacket; int extended_usage; int single_connection; +#ifdef HPN_ENABLED + int dynamic_window; -+ u_int tcpwinsz; +#endif char *ctype; /* type */ -@@ -311,4 +315,9 @@ - void chan_write_failed(Channel *); - void chan_obuf_empty(Channel *); - +@@ -335,5 +338,10 @@ void chan_ibuf_empty(struct ssh *, Channel *); + void chan_rcvd_ieof(struct ssh *, Channel *); + 
void chan_write_failed(struct ssh *, Channel *); + void chan_obuf_empty(struct ssh *, Channel *); ++ +#ifdef HPN_ENABLED +/* hpn handler */ +void channel_set_hpn(int, int); +#endif -+ + #endif ---- work.clean/openssh-6.8p1/cipher.c 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/cipher.c 2015-04-03 16:22:04.972592000 -0500 -@@ -273,7 +273,13 @@ ciphers_valid(const char *names) +--- work/openssh-7.7p1/cipher.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/cipher.c 2018-06-27 16:55:43.165788000 -0700 +@@ -212,7 +212,12 @@ ciphers_valid(const char *names) for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; (p = strsep(&cp, CIPHER_SEP))) { c = cipher_by_name(p); -- if (c == NULL || c->number != SSH_CIPHER_SSH2) { -+ if (c == NULL || (c->number != SSH_CIPHER_SSH2 && +#ifdef NONE_CIPHER_ENABLED -+ c->number != SSH_CIPHER_NONE ++ if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 && ++ (c->flags & CFLAG_NONE) != 0)) { +#else -+ 1 + if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) { +#endif -+ )) { free(cipher_list); return 0; } -@@ -605,6 +611,9 @@ cipher_get_keyiv(struct sshcipher_ctx *c - - switch (c->number) { - #ifdef WITH_OPENSSL -+#ifdef NONE_CIPHER_ENABLED -+ case SSH_CIPHER_NONE: -+#endif - case SSH_CIPHER_SSH2: - case SSH_CIPHER_DES: - case SSH_CIPHER_BLOWFISH: -@@ -653,6 +662,9 @@ cipher_set_keyiv(struct sshcipher_ctx *c - - switch (c->number) { - #ifdef WITH_OPENSSL -+#ifdef NONE_CIPHER_ENABLED -+ case SSH_CIPHER_NONE: -+#endif - case SSH_CIPHER_SSH2: - case SSH_CIPHER_DES: - case SSH_CIPHER_BLOWFISH: ---- work.clean/openssh-6.8p1/clientloop.c 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/clientloop.c 2015-04-03 17:29:40.618489000 -0500 -@@ -1909,6 +1909,15 @@ - sock = x11_connect_display(); +--- work/openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700 +@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char 
*reques + sock = x11_connect_display(ssh); if (sock < 0) return NULL; +#ifdef HPN_ENABLED + /* again is this really necessary for X11? */ + if (!options.hpn_disabled) -+ c = channel_new("x11", ++ c = channel_new(ssh, "x11", + SSH_CHANNEL_X11_OPEN, sock, sock, -1, + options.hpn_buffer_size, + CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); + else +#endif - c = channel_new("x11", + c = channel_new(ssh, "x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); -@@ -1934,6 +1943,14 @@ +@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ __func__, ssh_err(r)); return NULL; } +#ifdef HPN_ENABLED + if (!options.hpn_disabled) -+ c = channel_new("authentication agent connection", ++ c = channel_new(ssh, "authentication agent connection", + SSH_CHANNEL_OPEN, sock, sock, -1, + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, + "authentication agent connection", 1); + else +#endif - c = channel_new("authentication agent connection", + c = channel_new(ssh, "authentication agent connection", SSH_CHANNEL_OPEN, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, -@@ -1964,6 +1981,12 @@ - return -1; +@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, } + debug("Tunnel forwarding using interface %s", ifname); +#ifdef HPN_ENABLED + if (!options.hpn_disabled) -+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, ++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + else +#endif - c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, + c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); c->datagram = 1; --- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500 
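Review bot: The NONE_CIPHER_ENABLED branch of ciphers_valid in cipher.c does not express "accept none, still reject other internal ciphers": `(c->flags & CFLAG_INTERNAL) != 0 && (c->flags & CFLAG_NONE) != 0` rejects a cipher only when it is both internal and none. If CFLAG_INTERNAL still aliases CFLAG_NONE as in stock 7.7 (that define is not in this chunk), the condition is identical to the non-NONE branch and "none" remains rejected; if the flags are distinct, every internal cipher except none is admitted. The intended test is `if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 && (c->flags & CFLAG_NONE) == 0)) {`, which behaves correctly under either definition. The rest of the hunk (channel_new calls gaining the `ssh` argument and `hpn_buffer_size` windows) only mirrors the 7.7 API change.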
@@ -470,9 +447,9 @@ diff -urN -x configure -x config.guess -x config.h.in debug("kex: %s cipher: %s MAC: %s compression: %s", ctos ? "client->server" : "server->client", newkeys->enc.name, ---- work.clean/openssh-7.2p1/packet.c.orig 2016-02-25 19:40:04.000000000 -0800 -+++ work.clean/openssh-7.2p1/packet.c 2016-02-29 08:05:15.744201000 -0800 -@@ -1037,6 +1037,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod +--- work/openssh-7.7p1/packet.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/packet.c 2018-06-27 16:42:42.739507000 -0700 +@@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) return 0; } @@ -497,11 +474,13 @@ diff -urN -x configure -x config.guess -x config.h.in #define MAX_PACKETS (1U<<31) static int ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -@@ -1055,6 +1073,12 @@ ssh_packet_need_rekeying(struct ssh *ssh +@@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou /* Peer can't rekey */ if (ssh->compat & SSH_BUG_NOREKEY) return 0; +#ifdef NONE_CIPHER_ENABLED ++ /* used to force rekeying when called for by the none ++ * cipher switch methods -cjr */ + if (rekey_requested == 1) { + rekey_requested = 0; + return 1; 
@@ -524,11 +503,21 @@ diff -urN -x configure -x config.guess -x config.h.in /* OLD API */ extern struct ssh *active_state; #include "opacket.h" ---- work/openssh-6.9p1/readconf.c.orig 2015-07-27 13:32:13.169218000 -0500 -+++ work/openssh-6.9p1/readconf.c 2015-07-27 13:33:00.429332000 -0500 -@@ -153,6 +153,12 @@ typedef enum { - oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, - oVisualHostKey, oUseRoaming, +--- work/openssh-7.7p1/readconf.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/readconf.c 2018-06-27 16:58:41.109275000 -0700 +@@ -66,6 +66,9 @@ + #include "uidswap.h" + #include "myproposal.h" + #include "digest.h" ++#ifdef HPN_ENABLED ++#include "sshbuf.h" ++#endif + + /* Format of the configuration file: + +@@ -167,6 +170,12 @@ typedef enum { + oLocalCommand, oPermitLocalCommand, oRemoteCommand, + oVisualHostKey, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, +#ifdef HPN_ENABLED + oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf, @@ -539,7 +528,7 @@ diff -urN -x configure -x config.guess -x config.h.in oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, -@@ -277,6 +283,16 @@ static struct { +@@ -304,6 +313,16 @@ static struct { { "updatehostkeys", oUpdateHostkeys }, { "hostbasedkeytypes", oHostbasedKeyTypes }, { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, @@ -554,9 +543,9 @@ diff -urN -x configure -x config.guess -x config.h.in + { "hpnbuffersize", oHPNBufferSize }, +#endif { "ignoreunknown", oIgnoreUnknown }, + { "proxyjump", oProxyJump }, - { NULL, oBadOption } -@@ -906,6 +922,44 @@ parse_time: +@@ -962,6 +981,44 @@ parse_time: intptr = &options->check_host_ip; goto parse_flag; 
@@ -601,7 +590,7 @@ diff -urN -x configure -x config.guess -x config.h.in case oVerifyHostKeyDNS: intptr = &options->verify_host_key_dns; multistate_ptr = multistate_yesnoask; -@@ -1665,6 +1719,16 @@ initialize_options(Options * options) +@@ -1833,6 +1890,16 @@ initialize_options(Options * options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; @@ -618,7 +607,7 @@ diff -urN -x configure -x config.guess -x config.h.in options->proxy_use_fdpass = -1; options->ignored_unknown = NULL; options->num_canonical_domains = 0; -@@ -1826,6 +1890,35 @@ fill_default_options(Options * options) +@@ -1979,6 +2046,34 @@ fill_default_options(Options * options) options->server_alive_interval = 0; if (options->server_alive_count_max == -1) options->server_alive_count_max = 3; @@ -635,11 +624,10 @@ diff -urN -x configure -x config.guess -x config.h.in + /* if a user tries to set the size to 0 set it to 1KB */ + if (options->hpn_buffer_size == 0) + options->hpn_buffer_size = 1; -+ /* limit the buffer to 64MB */ -+ if (options->hpn_buffer_size > 64*1024) { -+ options->hpn_buffer_size = 64*1024*1024; -+ debug("User requested buffer larger than 64MB. Request" -+ " reverted to 64MB"); ++ /* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */ ++ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) { ++ options->hpn_buffer_size = SSHBUF_SIZE_MAX; ++ debug("User requested buffer larger than 256MB. Request reverted to 256MB"); + } else + options->hpn_buffer_size *= 1024; + debug("hpn_buffer_size set to %d", options->hpn_buffer_size); 
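Review bot: The clamp in fill_default_options only handles 0 (`if (options->hpn_buffer_size == 0) options->hpn_buffer_size = 1;`) and too-large values; a negative HPNBufferSize, which `goto parse_int` appears to admit, fails the `> (SSHBUF_SIZE_MAX / 1024)` test, is multiplied by 1024 in the `else` branch, and is later handed to channel_new() as an unsigned window. Unless the elided lines above already replace the -1 "unset" sentinel (please confirm), `if (options->hpn_buffer_size <= 0) options->hpn_buffer_size = 1;` closes that gap. The same pattern is in fill_default_server_options in the servconf.c hunk that follows. Note also that the new message `"User requested buffer larger than 256MB. Request reverted to 256MB"` hard-codes a number that the actual limit, SSHBUF_SIZE_MAX, does not equal (see the sshbuf.h hunk); printing `SSHBUF_SIZE_MAX / (1024 * 1024)` with `%u` keeps the two in step.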
@@ -693,9 +681,19 @@ diff -urN -x configure -x config.guess -x config.h.in struct timeval tv[2]; #define atime tv[0] ---- work/openssh/servconf.c.orig 2015-05-29 03:27:21.000000000 -0500 -+++ work/openssh/servconf.c 2015-06-02 09:56:36.041601000 -0500 -@@ -159,6 +159,14 @@ initialize_server_options(ServerOptions +--- work/openssh-7.7p1/servconf.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/servconf.c 2018-06-27 17:01:05.276677000 -0700 +@@ -63,6 +63,9 @@ + #include "auth.h" + #include "myproposal.h" + #include "digest.h" ++#ifdef HPN_ENABLED ++#include "sshbuf.h" ++#endif + + static void add_listen_addr(ServerOptions *, const char *, + const char *, int); +@@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options) options->authorized_principals_file = NULL; options->authorized_principals_command = NULL; options->authorized_principals_command_user = NULL; @@ -710,7 +708,7 @@ diff -urN -x configure -x config.guess -x config.h.in options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; -@@ -319,6 +327,57 @@ fill_default_server_options(ServerOption +@@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options) } if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; @@ -754,9 +752,9 @@ diff -urN -x configure -x config.guess -x config.h.in + if (options->hpn_disabled <= 0) { + if (options->hpn_buffer_size == 0) + options->hpn_buffer_size = 1; -+ /* limit the maximum buffer to 64MB */ -+ if (options->hpn_buffer_size > 64*1024) { -+ options->hpn_buffer_size = 64*1024*1024; ++ /* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */ ++ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) { ++ options->hpn_buffer_size = SSHBUF_SIZE_MAX; + } else { + options->hpn_buffer_size *= 1024; + } 
@@ -768,7 +766,7 @@ diff -urN -x configure -x config.guess -x config.h.in if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) -@@ -412,6 +471,12 @@ typedef enum { +@@ -466,6 +528,12 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, @@ -781,7 +779,7 @@ diff -urN -x configure -x config.guess -x config.h.in sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, -@@ -548,6 +613,14 @@ static struct { +@@ -603,6 +671,14 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, @@ -796,10 +794,11 @@ diff -urN -x configure -x config.guess -x config.h.in { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, -@@ -1153,6 +1226,25 @@ process_server_config_line(ServerOptions +@@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha + case sIgnoreUserKnownHosts: intptr = &options->ignore_user_known_hosts; goto parse_flag; - ++ +#ifdef NONE_CIPHER_ENABLED + case sNoneEnabled: + intptr = &options->none_enabled; @@ -818,10 +817,9 @@ diff -urN -x configure -x config.guess -x config.h.in + intptr = &options->hpn_buffer_size; + goto parse_int; +#endif -+ + case sHostbasedAuthentication: intptr = &options->hostbased_authentication; - goto parse_flag; --- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500 @@ -169,6 +169,15 @@ 
@@ -840,23 +838,23 @@ diff -urN -x configure -x config.guess -x config.h.in int permit_tun; int num_permitted_opens; ---- work.clean/openssh-6.8p1/serverloop.c 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/serverloop.c 2015-04-03 17:14:15.182548000 -0500 -@@ -526,6 +526,12 @@ server_request_tun(void) - sock = tun_open(tun, mode); - if (sock < 0) +--- work/openssh-7.7p1/serverloop.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/serverloop.c 2018-06-27 16:53:02.246871000 -0700 +@@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh) goto done; + debug("Tunnel forwarding using interface %s", ifname); + +#ifdef HPN_ENABLED + if (!options.hpn_disabled) -+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, ++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1, + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + else +#endif - c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, + c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); c->datagram = 1; -@@ -563,6 +569,10 @@ server_request_session(void) - c = channel_new("session", SSH_CHANNEL_LARVAL, +@@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh) + c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL, -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, 0, "server-session", 1); +#ifdef HPN_ENABLED 
@@ -865,22 +863,22 @@ diff -urN -x configure -x config.guess -x config.h.in +#endif if (session_open(the_authctxt, c->self) != 1) { debug("session open failed, free channel %d", c->self); - channel_free(c); ---- work.clean/openssh-6.8p1/session.c 2015-04-01 22:07:18.149110000 -0500 -+++ work/openssh-6.8p1/session.c 2015-04-03 17:09:02.984097000 -0500 -@@ -2340,6 +2340,14 @@ + channel_free(ssh, c); +--- work/openssh-7.7p1/session.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/session.c 2018-06-27 17:01:40.730347000 -0700 +@@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s, */ if (s->chanid == -1) fatal("no channel for session %d", s->self); +#ifdef HPN_ENABLED + if (!options.hpn_disabled) -+ channel_set_fds(s->chanid, ++ channel_set_fds(ssh, s->chanid, + fdout, fdin, fderr, + ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, + 1, is_tty, options.hpn_buffer_size); + else +#endif - channel_set_fds(s->chanid, + channel_set_fds(ssh, s->chanid, fdout, fdin, fderr, ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, --- work.clean/openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500 @@ -909,9 +907,9 @@ diff -urN -x configure -x config.guess -x config.h.in /* File to read commands from */ FILE* infile; ---- work.clean/openssh-6.8p1/ssh.c 2015-04-01 22:07:18.166356000 -0500 -+++ work/openssh-6.8p1/ssh.c 2015-04-03 17:16:34.114673000 -0500 -@@ -885,6 +885,14 @@ +--- work/openssh-7.7p1/ssh.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/ssh.c 2018-06-27 17:05:30.011979000 -0700 +@@ -954,6 +954,14 @@ main(int ac, char **av) break; case 'T': options.request_tty = REQUEST_TTY_NO; 
@@ -926,80 +924,91 @@ diff -urN -x configure -x config.guess -x config.h.in break; case 'o': line = xstrdup(optarg); -@@ -1848,9 +1856,85 @@ - if (!isatty(err)) - set_nonblock(err); +@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes + NULL, fileno(stdin), &command, environ); + } -+#ifdef HPN_ENABLED ++static void ++hpn_options_init(void) ++{ + /* -+ * we need to check to see if what they want to do about buffer ++ * We need to check to see if what they want to do about buffer + * sizes here. In a hpn to nonhpn connection we want to limit + * the window size to something reasonable in case the far side + * has the large window bug. In hpn to hpn connection we want to + * use the max window size but allow the user to override it -+ * lastly if they disabled hpn then use the ssh std window size -+ -+ * so why don't we just do a getsockopt() here and set the ++ * lastly if they disabled hpn then use the ssh std window size. ++ * ++ * So why don't we just do a getsockopt() here and set the + * ssh window to that? In the case of a autotuning receive + * window the window would get stuck at the initial buffer + * size generally less than 96k. Therefore we need to set the + * maximum ssh window size to the maximum hpn buffer size + * unless the user has specifically set the tcprcvbufpoll + * to no. In which case we *can* just set the window to the -+ * minimum of the hpn buffer size and tcp receive buffer size ++ * minimum of the hpn buffer size and tcp receive buffer size. 
+ */ + + if (tty_flag) + options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; + else -+ options.hpn_buffer_size = 2*1024*1024; ++ options.hpn_buffer_size = 2 * 1024 * 1024; + + if (datafellows & SSH_BUG_LARGEWINDOW) { + debug("HPN to Non-HPN Connection"); + } else { + int sock, socksize; -+ socklen_t socksizelen = sizeof(socksize); -+ ++ socklen_t socksizelen; + if (options.tcp_rcv_buf_poll <= 0) { + sock = socket(AF_INET, SOCK_STREAM, 0); ++ socksizelen = sizeof(socksize); + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, -+ &socksize, &socksizelen); ++ &socksize, &socksizelen); + close(sock); + debug("socksize %d", socksize); + options.hpn_buffer_size = socksize; -+ debug ("HPNBufferSize set to TCP RWIN: %d", -+ options.hpn_buffer_size); ++ debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size); + } else { + if (options.tcp_rcv_buf > 0) { + /* -+ * create a socket but don't connect it. ++ * Create a socket but don't connect it: + * we use that the get the rcv socket size + */ + sock = socket(AF_INET, SOCK_STREAM, 0); + /* -+ * if they are using the tcp_rcv_buf option -+ * attempt to set the buffer size to that ++ * If they are using the tcp_rcv_buf option, ++ * attempt to set the buffer size to that. 
+ */ -+ if (options.tcp_rcv_buf) ++ if (options.tcp_rcv_buf) { ++ socksizelen = sizeof(options.tcp_rcv_buf); + setsockopt(sock, SOL_SOCKET, SO_RCVBUF, -+ (void *)&options.tcp_rcv_buf, -+ sizeof(options.tcp_rcv_buf)); ++ &options.tcp_rcv_buf, socksizelen); ++ } ++ socksizelen = sizeof(socksize); + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, -+ &socksize, &socksizelen); ++ &socksize, &socksizelen); + close(sock); + debug("socksize %d", socksize); + options.hpn_buffer_size = socksize; -+ debug ("HPNBufferSize set to user TCPRcvBuf: " -+ "%d", options.hpn_buffer_size); ++ debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size); + } + } + } + + debug("Final hpn_buffer_size = %d", options.hpn_buffer_size); + -+ window = options.hpn_buffer_size; -+ + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); ++} ++ + /* open new channel for a session */ + static int + ssh_session2_open(struct ssh *ssh) +@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh) + if (!isatty(err)) + set_nonblock(err); + ++#ifdef HPN_ENABLED ++ window = options.hpn_buffer_size; +#else window = CHAN_SES_WINDOW_DEFAULT; +#endif @@ -1012,7 +1021,7 @@ diff -urN -x configure -x config.guess -x config.h.in window >>= 1; packetmax >>= 1; } -@@ -1859,6 +1943,12 @@ +@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh) window, packetmax, CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); 
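Review bot: In the new hpn_options_init() the `socket(AF_INET, SOCK_STREAM, 0)` and `getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen)` results are never checked, so when either fails (no IPv4 support, fd limit) `socksize` is read uninitialized into `options.hpn_buffer_size` and `close(sock)` is called on -1; the same holds for the tcp_rcv_buf branch below it, whose setsockopt() result is also ignored. The probe socket is also always AF_INET even when the session is IPv6, which the comment should say since the value is only an estimate of the real connection's buffer. Guarding the calls and keeping the default computed above on failure fixes the uninitialized read; the rewritten poll branch is below, and the tcp_rcv_buf branch needs the same treatment.
```c
		if (options.tcp_rcv_buf_poll <= 0) {
			sock = socket(AF_INET, SOCK_STREAM, 0);
			socksizelen = sizeof(socksize);
			if (sock < 0 || getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
			    &socksize, &socksizelen) != 0) {
				/* keep the default hpn_buffer_size chosen above */
				debug("%s: SO_RCVBUF query failed: %s",
				    __func__, strerror(errno));
			} else {
				options.hpn_buffer_size = socksize;
				debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
			}
			if (sock >= 0)
				close(sock);
		} else {
			/* … unchanged: tcp_rcv_buf branch, needs the same guards … */
		}
```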
@@ -1022,17 +1031,47 @@ diff -urN -x configure -x config.guess -x config.h.in + debug ("Enabled Dynamic Window Scaling"); + } +#endif - debug3("ssh_session2_open: channel_new: %d", c->self); + debug3("%s: channel_new: %d", __func__, c->self); - channel_send_open(c->self); ---- work.clean/openssh-6.8p1/sshconnect.c 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/sshconnect.c 2015-04-03 16:32:38.204744000 -0500 -@@ -266,6 +266,31 @@ - kill(proxy_command_pid, SIGHUP); + channel_send_open(ssh, c->self); +@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw) + { + int devnull, id = -1; + char *cp, *tun_fwd_ifname = NULL; ++ ++#ifdef HPN_ENABLED ++ /* ++ * We need to initialize this early because the forwarding logic below ++ * might open channels that use the hpn buffer sizes. We can't send a ++ * window of -1 (the default) to the server as it breaks things. ++ */ ++ hpn_options_init(); ++#endif + + /* XXX should be pre-session */ + if (!options.control_persist) +--- work/openssh-7.7p1/sshbuf.h.orig 2018-06-27 16:11:24.503058000 -0700 ++++ work/openssh-7.7p1/sshbuf.h 2018-06-27 16:12:01.359375000 -0700 +@@ -28,7 +28,11 @@ + # endif /* OPENSSL_HAS_ECC */ + #endif /* WITH_OPENSSL */ + ++#ifdef HPN_ENABLED ++#define SSHBUF_SIZE_MAX 0xF000000 /* Hard maximum size 256MB */ ++#else + #define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */ ++#endif + #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */ + #define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */ + #define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */ +--- work/openssh-7.7p1/sshconnect.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/sshconnect.c 2018-06-26 15:55:19.103812000 -0700 +@@ -337,7 +337,32 @@ check_ifaddrs(const char *ifname, int af, const struct } + #endif +#ifdef HPN_ENABLED -+/* + /* + * Set TCP receive buffer if requested. + * Note: tuning needs to happen after the socket is + * created but before the connection happens 
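Review bot: `#define SSHBUF_SIZE_MAX 0xF000000 /* Hard maximum size 256MB */` does not match its comment: 0xF000000 is 251,658,240 bytes (240 MiB), while 256 MiB would be 0x10000000; the "256MB" wording in the readconf.c and servconf.c debug messages inherits the same mismatch. Either the value or the comment should change, e.g. `/* Hard maximum size, 240 MiB */`. Also worth a comment at the define: SSHBUF_SIZE_MAX bounds every sshbuf, not only channel windows, so the HPN build nearly doubles the memory a single buffer may hold before the hard limit triggers compared with the stock 0x8000000, something the hunk presents purely as a window-size change.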
@@ -1056,10 +1095,11 @@ diff -urN -x configure -x config.guess -x config.h.in +} +#endif + - /* ++/* * Creates a (possibly privileged) socket for use as the ssh connection. */ -@@ -282,6 +307,11 @@ + static int +@@ -359,6 +384,11 @@ ssh_create_socket(int privileged, struct addrinfo *ai) } fcntl(sock, F_SETFD, FD_CLOEXEC); 
@@ -1069,54 +1109,42 @@ diff -urN -x configure -x config.guess -x config.h.in +#endif + /* Bind the socket to an alternative local IP address */ - if (options.bind_address == NULL && !privileged) - return sock; -@@ -523,11 +553,23 @@ send_client_banner(int connection_out, i + if (options.bind_address == NULL && options.bind_interface == NULL && + !privileged) +@@ -637,8 +667,14 @@ static void + send_client_banner(int connection_out, int minor1) { /* Send our own protocol version identification. */ - if (compat20) { -- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", -- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); -+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n", -+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n", ++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +#ifdef HPN_ENABLED -+ options.hpn_disabled ? "" : SSH_HPN ++ options.hpn_disabled ? "" : SSH_HPN +#else -+ "" ++ "" +#endif -+ ); - } else { -- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", -- PROTOCOL_MAJOR_1, minor1, SSH_VERSION); -+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\n", -+ PROTOCOL_MAJOR_1, minor1, SSH_VERSION, -+#ifdef HPN_ENABLED -+ options.hpn_disabled ? 
"" : SSH_HPN -+#else -+ "" -+#endif -+ ); - } - if (roaming_atomicio(vwrite, connection_out, client_version_string, ++ ); + if (atomicio(vwrite, connection_out, client_version_string, strlen(client_version_string)) != strlen(client_version_string)) ---- work.clean/openssh-7.2p1/sshconnect2.c.orig 2016-02-25 19:40:04.000000000 -0800 -+++ work.clean/openssh-7.2p1/sshconnect2.c 2016-02-29 08:06:31.134954000 -0800 -@@ -81,6 +81,14 @@ + fatal("write: %.100s", strerror(errno)); +--- work/openssh-7.7p1/sshconnect2.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/sshconnect2.c 2018-06-27 17:11:17.543893000 -0700 +@@ -81,7 +81,13 @@ extern char *client_version_string; extern char *server_version_string; extern Options options; +#ifdef NONE_CIPHER_ENABLED -+struct kex *xxx_kex; -+ +/* tty_flag is set in ssh.c. use this in ssh_userauth2 */ +/* if it is set then prevent the switch to the null cipher */ -+ + +extern int tty_flag; +#endif - ++ /* * SSH2 key exchange -@@ -154,14 +162,17 @@ order_hostkeyalgs(char *host, struct soc + */ +@@ -154,14 +160,17 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd return ret; } @@ -1135,18 +1163,8 @@ diff -urN -x configure -x config.guess -x config.h.in xxx_host = host; xxx_hostaddr = hostaddr; -@@ -235,6 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho - packet_send(); - packet_write_wait(); - #endif -+#ifdef NONE_CIPHER_ENABLED -+ xxx_kex = kex; -+#endif - } +@@ -409,6 +418,30 @@ ssh_userauth2(const char *local_user, const char *serv - /* -@@ -407,6 +421,29 @@ ssh_userauth2(const char *local_user, co - if (!authctxt.success) fatal("Authentication failed."); +#ifdef NONE_CIPHER_ENABLED 
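Review bot: In send_client_banner the `#ifdef HPN_ENABLED`/`#else`/`#endif` block now sits inside the argument list of the `xasprintf` call. That is valid for a plain function, which is how the openssh xmalloc interface declares xasprintf, but it becomes undefined behavior (C11 6.10.3p11) should xasprintf ever be made a macro, and it makes the call hard to read. Picking the banner suffix into a local first keeps the directives out of the call and the call on two lines; the old patch had the same shape, so this is a rebase of the existing style rather than a new defect.
```c
	const char *hpn_suffix = "";
#ifdef HPN_ENABLED
	if (!options.hpn_disabled)
		hpn_suffix = SSH_HPN;
#endif
	xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, hpn_suffix);
	/* … unchanged: atomicio write and fatal on short write … */
```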
@@ -1159,9 +1177,10 @@ diff -urN -x configure -x config.guess -x config.h.in + if ((options.none_switch == 1) && (options.none_enabled == 1)) { + if (!tty_flag) { /* no null on tty sessions */ + debug("Requesting none rekeying..."); ++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; -+ kex_prop2buf(xxx_kex->my, myproposal); ++ kex_prop2buf(active_state->kex->my, myproposal); + packet_request_rekeying(); + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); + } else { @@ -1175,9 +1194,9 @@ diff -urN -x configure -x config.guess -x config.h.in debug("Authentication succeeded (%s).", authctxt.method->name); } ---- work.clean/openssh-7.1p1/sshd.c.orig 2015-08-20 21:49:03.000000000 -0700 -+++ work.clean/openssh-7.1p1/sshd.c 2015-11-11 12:45:48.202186000 -0800 -@@ -373,8 +373,13 @@ sshd_exchange_identification(struct ssh +--- work/openssh-7.7p1/sshd.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/sshd.c 2018-06-27 17:13:03.176633000 -0700 +@@ -372,8 +372,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock char buf[256]; /* Must not be larger than remote_version. */ char remote_version[256]; /* Must be at least as big as buf. */ @@ -1192,8 +1211,8 @@ diff -urN -x configure -x config.guess -x config.h.in *options.version_addendum == '\0' ? "" : " ", options.version_addendum); -@@ -1027,6 +1032,10 @@ server_listen(void) - int ret, listen_sock, on = 1; +@@ -1025,6 +1030,10 @@ listen_on_addrs(struct listenaddr *la) + int ret, listen_sock; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; +#ifdef HPN_ENABLED 
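Review bot: The none-cipher rekey now rebuilds the proposal with `memcpy(&myproposal, &myproposal_default, sizeof(myproposal))` and then overwrites only the two encryption slots, so every other slot sent in this second exchange (MAC, KEX, host-key, compression) comes from `myproposal_default`, whose definition is outside the hunk. If that table is the compile-time KEX_CLIENT list rather than the proposal ssh_kex2 built from options.ciphers/macs/kex_algorithms, the user's configured algorithm restrictions are not honoured by the rekey; that should be confirmed or the proposal should be derived from the one already negotiated. At minimum the intent deserves a comment on the memcpy line, e.g. `/* rebuild the proposal from the defaults; only the cipher slots are changed */`, because the stderr warning on the next lines is the only trace that bulk-data confidentiality was dropped for this session.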
@@ -1201,9 +1220,9 @@ diff -urN -x configure -x config.guess -x config.h.in + socklen_t socksizelen = sizeof(socksize); +#endif - for (ai = options.listen_addrs; ai; ai = ai->ai_next) { + for (ai = la->addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) -@@ -1072,6 +1081,13 @@ server_listen(void) +@@ -1070,6 +1079,13 @@ listen_on_addrs(struct listenaddr *la) debug("Bind to port %s on %s.", strport, ntop); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***