summaryrefslogtreecommitdiff
path: root/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch
diff options
context:
space:
mode:
Diffstat (limited to 'net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch')
-rw-r--r--net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch238
1 files changed, 238 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch
new file mode 100644
index 000000000000..272270b7e985
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch
@@ -0,0 +1,238 @@
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:24.843395097 -0800
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:38.206451595 -0800
+@@ -1026,9 +1026,9 @@
+ + }
+ +#endif
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+-
++ if (ssh_packet_connection_is_on_socket(ssh)) {
++ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..bf3d6e4a 100644
+ --- a/sshd.c
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:08:38.124943587 -0800
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:20:59.432070316 -0800
+@@ -536,18 +536,10 @@
+ if (state->rekey_limit)
+ *max_blocks = MINIMUM(*max_blocks,
+ state->rekey_limit / enc->block_size);
+-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -561,27 +553,14 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+-
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+- fd_set *setp;
++ struct pollfd pfd;
+ - char buf[8192];
+ + char buf[SSH_IOBUFSZ];
+- struct timeval timeout, start, *timeoutp = NULL;
++ struct timeval start;
++ struct timespec timespec, *timespecp = NULL;
+
+ DBG(debug("packet_read()"));
+ diff --git a/packet.h b/packet.h
+@@ -598,12 +577,11 @@
+ };
+
+ typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
+-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
++@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+ int ssh_packet_set_maxsize(struct ssh *, u_int);
+ u_int ssh_packet_get_maxsize(struct ssh *);
+
+ +/* for forced packet rekeying post auth */
+-+void packet_request_rekeying(void);
+ +int packet_authentication_state(const struct ssh *);
+ +
+ int ssh_packet_get_state(struct ssh *, struct sshbuf *);
+@@ -627,9 +605,9 @@
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
++ oDisableMTAES,
+ oVisualHostKey,
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ @@ -297,6 +300,9 @@ static struct {
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+@@ -637,9 +615,9 @@
+ + { "noneenabled", oNoneEnabled },
+ + { "nonemacenabled", oNoneMacEnabled },
+ + { "noneswitch", oNoneSwitch },
+- { "proxyusefdpass", oProxyUseFdpass },
+- { "canonicaldomains", oCanonicalDomains },
+- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
++ { "sessiontype", oSessionType },
++ { "stdinnull", oStdinNull },
++ { "forkafterauthentication", oForkAfterAuthentication },
+ @@ -317,6 +323,11 @@ static struct {
+ { "securitykeyprovider", oSecurityKeyProvider },
+ { "knownhostscommand", oKnownHostsCommand },
+@@ -717,9 +695,9 @@
+ + options->hpn_buffer_size = -1;
+ + options->tcp_rcv_buf_poll = -1;
+ + options->tcp_rcv_buf = -1;
+- options->proxy_use_fdpass = -1;
+- options->ignored_unknown = NULL;
+- options->num_canonical_domains = 0;
++ options->session_type = -1;
++ options->stdin_null = -1;
++ options->fork_after_authentication = -1;
+ @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+@@ -778,9 +756,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -120,7 +124,11 @@ typedef struct {
+-
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none cipher to be used */
+ + int nonemac_enabled; /* Allow none MAC to be used */
+@@ -842,9 +820,9 @@
+ /* Portable-specific options */
+ if (options->use_pam == -1)
+ @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
+- }
+- if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ + if (options->none_enabled == -1)
+ + options->none_enabled = 0;
+ + if (options->nonemac_enabled == -1)
+@@ -975,15 +953,6 @@
+ index 306658cb..d4309903 100644
+ --- a/serverloop.c
+ +++ b/serverloop.c
+-@@ -322,7 +322,7 @@ static int
+- process_input(struct ssh *ssh, fd_set *readset, int connection_in)
+- {
+- int r, len;
+-- char buf[16384];
+-+ char buf[SSH_IOBUFSZ];
+-
+- /* Read and buffer any input data from the client. */
+- if (FD_ISSET(connection_in, readset)) {
+ @@ -608,7 +608,8 @@ server_request_tun(struct ssh *ssh)
+ debug("Tunnel forwarding using interface %s", ifname);
+
+@@ -1047,30 +1016,17 @@
+ Note that
+ diff --git a/sftp.c b/sftp.c
+ index fb3c08d1..89bebbb2 100644
+---- a/sftp.c
+-+++ b/sftp.c
+-@@ -71,7 +71,7 @@ typedef void EditLine;
+- #include "sftp-client.h"
+-
+- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
+--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
+-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
+-
+- /* File to read commands from */
+- FILE* infile;
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index cfb5f115..36a6e519 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
+- freezero(pin, strlen(pin));
+- error_r(r, "Unable to load resident keys");
+- return -1;
+-- }
+-+ }
+- if (nkeys == 0)
+- logit("No keys to download");
+- if (pin != NULL)
++--- a/sftp-client.c
+++++ b/sftp-client.c
++@@ -65,7 +65,7 @@ typedef void EditLine;
++ #define DEFAULT_COPY_BUFLEN 32768
++
++ /* Default number of concurrent outstanding requests */
++-#define DEFAULT_NUM_REQUESTS 64
+++#define DEFAULT_NUM_REQUESTS 256
++
++ /* Minimum amount of data to read at a time */
++ #define MIN_READ_SIZE 512
+ diff --git a/ssh.c b/ssh.c
+ index 53330da5..27b9770e 100644
+ --- a/ssh.c
+@@ -1330,9 +1286,9 @@
+ + }
+ + }
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+
++ #ifdef WITH_OPENSSL
++ if (options.disable_multithreaded == 0) {
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..d66fa41a 100644
+ --- a/sshd.c
+@@ -1359,8 +1315,8 @@
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+ error("Bind to port %s on %s failed: %.200s.",
+ @@ -1727,6 +1734,19 @@ main(int ac, char **av)
+- /* Fill in default values for those options not explicitly set. */
+- fill_default_server_options(&options);
++ fatal("AuthorizedPrincipalsCommand set without "
++ "AuthorizedPrincipalsCommandUser");
+
+ + if (options.none_enabled == 1) {
+ + char *old_ciphers = options.ciphers;
+@@ -1375,9 +1331,9 @@
+ + }
+ + }
+ +
+- /* challenge-response is implemented via keyboard interactive */
+- if (options.challenge_response_authentication)
+- options.kbd_interactive_authentication = 1;
++ /*
++ * Check whether there is any path through configured auth methods.
++ * Unfortunately it is not possible to verify this generally before
+ @@ -2166,6 +2186,9 @@ main(int ac, char **av)
+ rdomain == NULL ? "" : "\"");
+ free(laddr);
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-29 14:03:31 +0000