diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff --- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700 +++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700 @@ -3,9 +3,9 @@ --- a/Makefile.in +++ b/Makefile.in @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@ - CFLAGS_NOPIE=@CFLAGS_NOPIE@ - CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ - PICFLAG=@PICFLAG@ + LD=@LD@ + CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) + CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ -LIBS=@LIBS@ +LIBS=@LIBS@ -lpthread K5LIBS=@K5LIBS@ @@ -803,8 +803,8 @@ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) { struct session_state *state; -- const struct sshcipher *none = cipher_by_name("none"); -+ struct sshcipher *none = cipher_by_name("none"); +- const struct sshcipher *none = cipher_none(); ++ struct sshcipher *none = cipher_none(); int r; if (none == NULL) { @@ -894,24 +894,24 @@ intptr = &options->compression; multistate_ptr = multistate_compression; @@ -2272,6 +2278,7 @@ initialize_options(Options * options) - options->revoked_host_keys = NULL; options->fingerprint_hash = -1; options->update_hostkeys = -1; + options->known_hosts_command = NULL; + options->disable_multithreaded = -1; - options->hostbased_accepted_algos = NULL; - options->pubkey_accepted_algos = NULL; - options->known_hosts_command = NULL; + } + + /* @@ -2467,6 +2474,10 @@ fill_default_options(Options * options) + options->update_hostkeys = 0; if (options->sk_provider == NULL) options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); - #endif + if (options->update_hostkeys == -1) + options->update_hostkeys = 0; + if (options->disable_multithreaded == -1) + options->disable_multithreaded = 0; - /* Expand KEX name lists */ - all_cipher = cipher_alg_list(',', 0); + /* expand KEX and etc. name lists */ + { char *all; diff --git a/readconf.h b/readconf.h index 2fba866e..7f8f0227 100644 --- a/readconf.h @@ -950,9 +950,9 @@ /* Portable-specific options */ sUsePAM, + sDisableMTAES, - /* Standard Options */ - sPort, sHostKeyFile, sLoginGraceTime, - sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, + /* X.509 Standard Options */ + sHostbasedAlgorithms, + sPubkeyAlgorithms, @@ -662,6 +666,7 @@ static struct { { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff --- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700 +++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700 @@ -157,6 +157,36 @@ + Allan Jude provided the code for the NoneMac and buffer normalization. + This work was financed, in part, by Cisco System, Inc., the National + Library of Medicine, and the National Science Foundation. +diff --git a/auth2.c b/auth2.c +--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700 ++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700 +@@ -229,16 +229,17 @@ + double delay; + + digest_alg = ssh_digest_maxbytes(); +- len = ssh_digest_bytes(digest_alg); +- hash = xmalloc(len); ++ if (len = ssh_digest_bytes(digest_alg) > 0) { ++ hash = xmalloc(len); + +- (void)snprintf(b, sizeof b, "%llu%s", +- (unsigned long long)options.timing_secret, user); +- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) +- fatal_f("ssh_digest_memory"); +- /* 0-4.2 ms of delay */ +- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; +- freezero(hash, len); ++ (void)snprintf(b, sizeof b, "%llu%s", ++ (unsigned long long)options.timing_secret, user); ++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) ++ fatal_f("ssh_digest_memory"); ++ /* 0-4.2 ms of delay */ ++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; ++ freezero(hash, len); ++ } + debug3_f("user specific delay %0.3lfms", delay/1000); + return MIN_FAIL_DELAY_SECONDS + delay; + } diff --git a/channels.c b/channels.c index b60d56c4..0e363c15 100644 --- a/channels.c @@ -209,14 +239,14 @@ static void channel_pre_open(struct ssh *ssh, Channel *c, fd_set *readset, fd_set *writeset) -@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c) +@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c) if (c->type == SSH_CHANNEL_OPEN && !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && - ((c->local_window_max - c->local_window > - c->local_maxpacket*3) || -+ ((ssh_packet_is_interactive(ssh) && -+ c->local_window_max - c->local_window > c->local_maxpacket*3) || ++ ((ssh_packet_is_interactive(ssh) && ++ c->local_window_max - c->local_window > c->local_maxpacket*3) || c->local_window < c->local_window_max/2) && c->local_consumed > 0) { + u_int addition = 0; @@ -235,9 +265,8 @@ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || - (r = sshpkt_send(ssh)) != 0) { - fatal_fr(r, "channel %i", c->self); - } + (r = sshpkt_send(ssh)) != 0) + fatal_fr(r, "channel %d", c->self); - debug2("channel %d: window %d sent adjust %d", c->self, - c->local_window, c->local_consumed); - c->local_window += c->local_consumed; @@ -337,70 +366,92 @@ index 70f492f8..5503af1d 100644 --- a/clientloop.c +++ b/clientloop.c -@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) +@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) sock = x11_connect_display(ssh); if (sock < 0) return NULL; - c = channel_new(ssh, "x11", - SSH_CHANNEL_X11_OPEN, sock, sock, -1, -- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); -+ c = channel_new(ssh, "x11", -+ SSH_CHANNEL_X11_OPEN, sock, sock, -1, -+ /* again is this really necessary for X11? */ -+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, -+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); +- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", +- CHANNEL_NONBLOCK_SET); ++ c = channel_new(ssh, "x11", ++ SSH_CHANNEL_X11_OPEN, sock, sock, -1, ++ /* again is this really necessary for X11? */ ++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, ++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET); c->force_drain = 1; return c; } -@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) +@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) return NULL; } c = channel_new(ssh, "authentication agent connection", - SSH_CHANNEL_OPEN, sock, sock, -1, - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, -- "authentication agent connection", 1); -+ SSH_CHANNEL_OPEN, sock, sock, -1, -+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, -+ CHAN_TCP_PACKET_DEFAULT, 0, -+ "authentication agent connection", 1); +- "authentication agent connection", CHANNEL_NONBLOCK_SET); ++ SSH_CHANNEL_OPEN, sock, sock, -1, ++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, ++ CHAN_TCP_PACKET_DEFAULT, 0, ++ "authentication agent connection", CHANNEL_NONBLOCK_SET); c->force_drain = 1; return c; } -@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, +@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, } debug("Tunnel forwarding using interface %s", ifname); - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, -- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); -+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, +- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", +- CHANNEL_NONBLOCK_SET); ++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, -+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); ++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET); c->datagram = 1; -+ -+ #if defined(SSH_TUN_FILTER) - if (options.tun_open == SSH_TUNMODE_POINTOPOINT) - channel_register_filter(ssh, c->self, sys_tun_infilter, diff --git a/compat.c b/compat.c index 69befa96..90b5f338 100644 --- a/compat.c +++ b/compat.c -@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) - debug_f("match: %s pat %s compat 0x%08x", +@@ -43,7 +43,7 @@ compat_datafellows(const char *version) + static u_int + compat_datafellows(const char *version) + { +- int i; ++ int i, bugs = 0; + static struct { + char *pat; + int bugs; +@@ -147,11 +147,26 @@ + if (match_pattern_list(version, check[i].pat, 0) == 1) { + debug("match: %s pat %s compat 0x%08x", version, check[i].pat, check[i].bugs); - ssh->compat = check[i].bugs; + /* Check to see if the remote side is OpenSSH and not HPN */ -+ /* TODO: need to use new method to test for this */ + if (strstr(version, "OpenSSH") != NULL) { + if (strstr(version, "hpn") == NULL) { -+ ssh->compat |= SSH_BUG_LARGEWINDOW; ++ bugs |= SSH_BUG_LARGEWINDOW; + debug("Remote is NON-HPN aware"); + } + } - return; +- return check[i].bugs; ++ bugs |= check[i].bugs; } } +- debug("no match: %s", version); +- return 0; ++ /* Check to see if the remote side is OpenSSH and not HPN */ ++ if (strstr(version, "OpenSSH") != NULL) { ++ if (strstr(version, "hpn") == NULL) { ++ bugs |= SSH_BUG_LARGEWINDOW; ++ debug("Remote is NON-HPN aware"); ++ } ++ } ++ if (bugs == 0) ++ debug("no match: %s", version); ++ return bugs; + } + + char * diff --git a/compat.h b/compat.h index c197fafc..ea2e17a7 100644 --- a/compat.h @@ -459,7 +510,7 @@ @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh) int nenc, nmac, ncomp; u_int mode, ctos, need, dh_need, authlen; - int r, first_kex_follows; + int r, first_kex_follows = 0; + int auth_flag = 0; + + auth_flag = packet_authentication_state(ssh); @@ -553,7 +604,7 @@ #define MAX_PACKETS (1U<<31) static int ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) +@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) struct session_state *state = ssh->state; int len, r, ms_remain; fd_set *setp; @@ -1035,19 +1086,6 @@ /* Minimum amount of data to read at a time */ #define MIN_READ_SIZE 512 -diff --git a/ssh-keygen.c b/ssh-keygen.c -index cfb5f115..36a6e519 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c -@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device) - freezero(pin, strlen(pin)); - error_r(r, "Unable to load resident keys"); - return -1; -- } -+ } - if (nkeys == 0) - logit("No keys to download"); - if (pin != NULL) diff --git a/ssh.c b/ssh.c index 53330da5..27b9770e 100644 --- a/ssh.c @@ -1093,7 +1131,7 @@ + else + options.hpn_buffer_size = 2 * 1024 * 1024; + -+ if (ssh->compat & SSH_BUG_LARGEWINDOW) { ++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) { + debug("HPN to Non-HPN Connection"); + } else { + int sock, socksize; @@ -1157,14 +1195,14 @@ } @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh) window, packetmax, CHAN_EXTENDED_WRITE, - "client-session", /*nonblock*/0); + "client-session", CHANNEL_NONBLOCK_STDIO); + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) { + c->dynamic_window = 1; + debug("Enabled Dynamic Window Scaling"); + } + - debug3_f("channel_new: %d", c->self); + debug2_f("channel %d", c->self); channel_send_open(ssh, c->self); @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo) @@ -1335,7 +1373,29 @@ /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { error("Bind to port %s on %s failed: %.200s.", -@@ -1727,6 +1734,19 @@ main(int ac, char **av) +@@ -1625,13 +1632,14 @@ + if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg), + sshbuf_len(server_cfg)) != 0) + fatal_f("ssh_digest_update"); +- len = ssh_digest_bytes(digest_alg); +- hash = xmalloc(len); +- if (ssh_digest_final(ctx, hash, len) != 0) +- fatal_f("ssh_digest_final"); +- options.timing_secret = PEEK_U64(hash); +- freezero(hash, len); +- ssh_digest_free(ctx); ++ if ((len = ssh_digest_bytes(digest_alg)) > 0) { ++ hash = xmalloc(len); ++ if (ssh_digest_final(ctx, hash, len) != 0) ++ fatal_f("ssh_digest_final"); ++ options.timing_secret = PEEK_U64(hash); ++ freezero(hash, len); ++ ssh_digest_free(ctx); ++ } + ctx = NULL; + return; + } +@@ -1727,6 +1735,19 @@ main(int ac, char **av) fatal("AuthorizedPrincipalsCommand set without " "AuthorizedPrincipalsCommandUser"); @@ -1355,7 +1415,7 @@ /* * Check whether there is any path through configured auth methods. * Unfortunately it is not possible to verify this generally before -@@ -2166,6 +2186,9 @@ main(int ac, char **av) +@@ -2166,6 +2187,9 @@ main(int ac, char **av) rdomain == NULL ? "" : "\""); free(laddr); @@ -1365,7 +1425,7 @@ /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh) +@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh) struct kex *kex; int r; @@ -1405,14 +1465,3 @@ # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no -diff --git a/version.h b/version.h -index 6b4fa372..332fb486 100644 ---- a/version.h -+++ b/version.h -@@ -3,4 +3,5 @@ - #define SSH_VERSION "OpenSSH_8.5" - - #define SSH_PORTABLE "p1" --#define SSH_RELEASE SSH_VERSION SSH_PORTABLE -+#define SSH_HPN "-hpn15v2" -+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff --- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700 +++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700 @@ -12,9 +12,9 @@ static long stalled; /* how long we have been stalled */ static int bytes_per_second; /* current speed in bytes per second */ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) + off_t bytes_left; int cur_speed; - int hours, minutes, seconds; - int file_len; + int len; + off_t delta_pos; if ((!force_update && !alarm_fired && !win_resized) || !can_output()) @@ -30,15 +30,17 @@ if (bytes_left > 0) elapsed = now - last_update; else { -@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) - +@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update) + buf[1] = '\0'; + /* filename */ - buf[0] = '\0'; -- file_len = win_size - 36; -+ file_len = win_size - 45; - if (file_len > 0) { - buf[0] = '\r'; - snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", +- if (win_size > 36) { ++ if (win_size > 45) { +- int file_len = win_size - 36; ++ int file_len = win_size - 45; + snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", + file_len, file); + } @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) (off_t)bytes_per_second); strlcat(buf, "/s ", win_size); @@ -63,15 +65,3 @@ } /*ARGSUSED*/ -diff --git a/ssh-keygen.c b/ssh-keygen.c -index cfb5f115..986ff59b 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c -@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device) - - if (skprovider == NULL) - fatal("Cannot download keys without provider"); -- - pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); - if (!quiet) { - printf("You may need to touch your authenticator "