diff options
Diffstat (limited to 'net-misc/openssh/files/openssh-8.3_p1-hpn-14.20-glue.patch')
-rw-r--r-- | net-misc/openssh/files/openssh-8.3_p1-hpn-14.20-glue.patch | 177 |
1 files changed, 177 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-8.3_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.3_p1-hpn-14.20-glue.patch new file mode 100644 index 000000000000..4414f9be5331 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.3_p1-hpn-14.20-glue.patch @@ -0,0 +1,177 @@ +Only in b: .openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff.un~ +diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff +--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-05-27 13:52:27.704108928 -0700 ++++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-05-27 13:52:49.803967500 -0700 +@@ -3,9 +3,9 @@ + --- a/Makefile.in + +++ b/Makefile.in + @@ -42,7 +42,7 @@ CC=@CC@ +- LD=@LD@ +- CFLAGS=@CFLAGS@ ++ CFLAGS_NOPIE=@CFLAGS_NOPIE@ + CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ PICFLAG=@PICFLAG@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +@@ -902,14 +902,14 @@ + + /* + @@ -2118,6 +2125,8 @@ fill_default_options(Options * options) ++ options->canonicalize_hostname = SSH_CANONICALISE_NO; ++ if (options->fingerprint_hash == -1) + options->fingerprint_hash = SSH_FP_HASH_DEFAULT; +- if (options->update_hostkeys == -1) +- options->update_hostkeys = 0; + + if (options->disable_multithreaded == -1) + + options->disable_multithreaded = 0; +- +- /* Expand KEX name lists */ +- all_cipher = cipher_alg_list(',', 0); ++ #ifdef ENABLE_SK_INTERNAL ++ if (options->sk_provider == NULL) ++ options->sk_provider = xstrdup("internal"); + diff --git a/readconf.h b/readconf.h + index 8e36bf32..c803eca7 100644 + --- a/readconf.h +@@ -952,9 +952,9 @@ + sPort, sHostKeyFile, sLoginGraceTime, + sPermitRootLogin, sLogFacility, sLogLevel, + @@ -643,6 +647,7 @@ static struct { +- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, + { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, + { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, ++ { "include", sInclude, SSHCFG_ALL }, + + { "disableMTAES", sDisableMTAES, SSHCFG_ALL }, + { "ipqos", sIPQoS, SSHCFG_ALL }, + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, +diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff +--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-05-27 13:52:27.705108921 -0700 ++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-05-27 14:03:57.888683100 -0700 +@@ -409,18 +409,10 @@ + index 817da43b..b2bcf78f 100644 + --- a/packet.c + +++ b/packet.c +-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) ++@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) + return 0; + } + +-+/* this supports the forced rekeying required for the NONE cipher */ +-+int rekey_requested = 0; +-+void +-+packet_request_rekeying(void) +-+{ +-+ rekey_requested = 1; +-+} +-+ + +/* used to determine if pre or post auth when rekeying for aes-ctr + + * and none cipher switch */ + +int +@@ -434,20 +426,6 @@ + #define MAX_PACKETS (1U<<31) + static int + ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +- if (state->p_send.packets == 0 && state->p_read.packets == 0) +- return 0; +- +-+ /* used to force rekeying when called for by the none +-+ * cipher switch methods -cjr */ +-+ if (rekey_requested == 1) { +-+ rekey_requested = 0; +-+ return 1; +-+ } +-+ +- /* Time-based rekeying */ +- if (state->rekey_interval != 0 && +- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) + diff --git a/packet.h b/packet.h + index 8ccfd2e0..1ad9bc06 100644 + --- a/packet.h +@@ -476,9 +454,9 @@ + /* Format of the configuration file: + + @@ -167,6 +168,8 @@ typedef enum { +- oHashKnownHosts, + oTunnel, oTunnelDevice, + oLocalCommand, oPermitLocalCommand, oRemoteCommand, ++ oDisableMTAES, + + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, + + oNoneEnabled, oNoneSwitch, + oVisualHostKey, +@@ -615,9 +593,9 @@ + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ + SyslogFacility log_facility; /* Facility for system logging. */ + @@ -112,7 +116,10 @@ typedef struct { +- + int enable_ssh_keysign; + int64_t rekey_limit; ++ int disable_multithreaded; /*disable multithreaded aes-ctr*/ + + int none_switch; /* Use none cipher */ + + int none_enabled; /* Allow none to be used */ + int rekey_interval; +@@ -700,9 +678,9 @@ + + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; + + } + + ++ if (options->disable_multithreaded == -1) ++ options->disable_multithreaded = 0; + if (options->ip_qos_interactive == -1) +- options->ip_qos_interactive = IPTOS_DSCP_AF21; +- if (options->ip_qos_bulk == -1) + @@ -486,6 +532,8 @@ typedef enum { + sPasswordAuthentication, sKbdInteractiveAuthentication, + sListenAddress, sAddressFamily, +@@ -731,11 +709,10 @@ + *flags = keywords[i].flags; + return keywords[i].opcode; + } +-@@ -1424,10 +1477,27 @@ process_server_config_line(ServerOptions *options, char *line, +- multistate_ptr = multistate_flag; ++@@ -1424,12 +1477,28 @@ process_server_config_line(ServerOptions *options, char *line, ++ multistate_ptr = multistate_ignore_rhosts; + goto parse_multistate; + +-+ + + case sTcpRcvBufPoll: + + intptr = &options->tcp_rcv_buf_poll; + + goto parse_flag; +@@ -750,7 +727,9 @@ + + + case sIgnoreUserKnownHosts: + intptr = &options->ignore_user_known_hosts; +- goto parse_flag; ++ parse_flag: ++ multistate_ptr = multistate_flag; ++ goto parse_multistate; + + + case sNoneEnabled: + + intptr = &options->none_enabled; +@@ -1079,11 +1058,11 @@ + xxx_host = host; + xxx_hostaddr = hostaddr; + +-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, ++@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, + + if (!authctxt.success) + fatal("Authentication failed."); +-+ ++ + + /* + + * If the user wants to use the none cipher, do it post authentication + + * and only if the right conditions are met -- both of the NONE commands +@@ -1105,9 +1084,9 @@ + + } + + } + + +- debug("Authentication succeeded (%s).", authctxt.method->name); +- } +- ++ #ifdef WITH_OPENSSL ++ if (options.disable_multithreaded == 0) { ++ /* if we are using aes-ctr there can be issues in either a fork or sandbox + diff --git a/sshd.c b/sshd.c + index 11571c01..23a06022 100644 + --- a/sshd.c |