diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index fe9226f480f1..e9ac6fb39f13 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,234 +1,234 @@ # Created by: dwcjr@inethouston.net PORTNAME= openssh -DISTVERSION= 8.4p1 -PORTREVISION= 4 +DISTVERSION= 8.6p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable PKGNAMESUFFIX?= -portable MAINTAINER= bdrewery@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH LICENSE= OPENSSH LICENSE_NAME= OpenSSH Licenses LICENSE_FILE= ${WRKSRC}/LICENCE LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-* USES= alias autoreconf compiler:c11 localbase ncurses \ pkgconfig ssl GNU_CONFIGURE= yes CONFIGURE_ARGS= --prefix=${PREFIX} \ --with-ssl-engine \ --with-mantype=man \ --with-Werror ETCOLD= ${PREFIX}/etc FLAVORS= default hpn gssapi default_CONFLICTS_INSTALL= openssh-portable-hpn openssh-portable-gssapi \ openssh-portable-x509 hpn_CONFLICTS_INSTALL= openssh-portable openssh-portable-gssapi \ openssh-portable-x509 hpn_PKGNAMESUFFIX= -portable-hpn gssapi_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \ openssh-portable-x509 gssapi_PKGNAMESUFFIX= -portable-gssapi OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \ HPN KERB_GSSAPI \ LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F .if ${FLAVOR:U} == hpn OPTIONS_DEFAULT+= HPN NONECIPHER .endif .if ${FLAVOR:U} == gssapi OPTIONS_DEFAULT+= KERB_GSSAPI MIT .endif OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support BSM_DESC= OpenBSM Auditing KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= HPN-SSH patch LDNS_DESC= SSHFP/LDNS support HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) NONECIPHER_DESC= NONE Cipher support XMSS_DESC= XMSS key support (experimental) FIDO_U2F_DESC= FIDO/U2F support (security/libfido2) BLACKLISTD_DESC= FreeBSD blacklistd(8) support OPTIONS_SUB= yes 
TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} LDNS_LIB_DEPENDS= libldns.so:dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal PAM_CONFIGURE_WITH= pam TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers LIBEDIT_CONFIGURE_WITH= libedit LIBEDIT_USES= libedit BSM_CONFIGURE_ON= --with-audit=bsm FIDO_U2F_LIB_DEPENDS= libfido2.so:security/libfido2 FIDO_U2F_CONFIGURE_ON= --with-security-key-builtin FIDO_U2F_CONFIGURE_OFF= --disable-security-key # Until https://reviews.freebsd.org/D27289 is committed FIDO_U2F_EXTRA_PATCHES= ${FILESDIR}/extra-patch-libfido2-configure.ac BLACKLISTD_EXTRA_PATCHES= ${FILESDIR}/extra-patch-blacklistd ETCDIR?= ${PREFIX}/etc/ssh .include PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex # Must add this patch before HPN due to conflicts -.if ${PORT_OPTIONS:MKERB_GSSAPI} -#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. +.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi +BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . endif # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to # pull from. GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-2 # - Debian does not use a versioned filename so we trick fetch to make one for # us with the ?=/ trick. 
PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex # Bump this when updating the patch location GSSAPI_UPDATE_DATE= 20200607 PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-sshconnect2.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c .endif .if ${PORT_OPTIONS:MBLACKLISTD} CONFIGURE_LIBS+= -lblacklist .endif # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} #BROKEN= HPN: Not yet updated for ${DISTVERSION} yet. PORTDOCS+= HPN-README HPN_VERSION= 14v15 HPN_DISTVERSION= 7.7p1 #PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn #PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 .elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER} # Apply compatibility patch EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat .endif CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog # Keep this last EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently .endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so) IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base .endif .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE} . if ${PORT_OPTIONS:MHEIMDAL_BASE} CONFIGURE_LIBS+= -lgssapi_krb5 CONFIGURE_ARGS+= --with-kerberos5=/usr . else CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE} . endif . 
if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= # empty . endif .else . if ${PORT_OPTIONS:MKERB_GSSAPI} IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE . endif .endif .if ${OPENSSLBASE} != "/usr" CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .endif EMPTYDIR= /var/empty USE_RC_SUBR= openssh # After all CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR} .if !empty(CONFIGURE_LIBS) CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}' .endif CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth RC_SCRIPT_NAME= openssh VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} CFLAGS+= ${CFLAGS_${CHOSEN_COMPILER_TYPE}} CFLAGS_gcc= -Wno-stringop-truncation -Wno-stringop-overflow post-patch: @${REINPLACE_CMD} \ -e 's|install: \(.*\) host-key check-config|install: \1|g' \ ${WRKSRC}/Makefile.in @${REINPLACE_CMD} \ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config @${REINPLACE_CMD} \ -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config.5 @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ ${WRKSRC}/version.h post-configure-XMSS-on: @${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h post-configure-BLACKLISTD-on: @${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h post-install: ${MV} ${STAGEDIR}${ETCDIR}/moduli \ ${STAGEDIR}${ETCDIR}/moduli.sample ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ ${STAGEDIR}${ETCDIR}/ssh_config.sample ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ ${STAGEDIR}${ETCDIR}/sshd_config.sample .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} ${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} .endif test: build cd ${WRKSRC} && ${SETENV} -i \ OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \ TEST_SHELL=${SH} \ SUDO="${SUDO}" \ LOGNAME="${LOGNAME}" \ HOME="${HOME}" \ TEST_SSH_TRACE=yes \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} 
${MAKE_ARGS} tests .include
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index b1c3c22bc242..209322451613 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,5 +1,3 @@
-TIMESTAMP = 1605552780
-SHA256 (openssh-8.4p1.tar.gz) = 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24
-SIZE (openssh-8.4p1.tar.gz) = 1742201
-SHA256 (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 15139c42894dd0ebd182608ecd7151a9eef6158aed30c676e7685e8407c6d1cb
-SIZE (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 126748
+TIMESTAMP = 1619547768
+SHA256 (openssh-8.6p1.tar.gz) = c3e6e4da1621762c850d03b47eed1e48dff4cc9608ddeb547202a234df8ed7ae
+SIZE (openssh-8.6p1.tar.gz) = 1786328
diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd
index 539b68c535ac..92e0fc35903e 100644
--- a/security/openssh-portable/files/extra-patch-blacklistd
+++ b/security/openssh-portable/files/extra-patch-blacklistd
@@ -1,428 +1,428 @@
---- blacklist.c.orig 2020-11-16 16:45:24.799150000 -0800
-+++ blacklist.c 2020-11-16 16:45:20.000470000 -0800
+--- blacklist.c.orig 2021-04-28 13:37:52.679784000 -0700
++++ blacklist.c 2021-04-28 13:56:45.677805000 -0700
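Review bot: `GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-2` and `GSSAPI_UPDATE_DATE= 20200607` are now a guess for 8.6p1, yet the KERB_GSSAPI block still appends the Debian `PATCH_SITES+=` entry and `PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex` while the distinfo hunk below drops that file's SHA256/SIZE lines. As far as I can tell BROKEN stops the build before fetch, so this fails closed, but anyone lifting BROKEN once a patch appears (or building with TRYBROKEN) inherits a stale location and an unchecksummed distfile; a comment beside the new BROKEN line such as `# GSSAPI_DEBIAN_SUBDIR/GSSAPI_UPDATE_DATE are stale for ${DISTVERSION}: refresh both and re-run 'make makesum' before removing BROKEN` would make that explicit. On style, `PORTREVISION= 0` is usually dropped on a version bump rather than set to zero.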
@@ -0,0 +1,92 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * Copyright (c) 2016 The FreeBSD Foundation, Inc. + * All rights reserved. + * + * Portions of this software were developed by Kurt Lidl + * under sponsorship from the FreeBSD Foundation. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "includes.h" + +#include +#include +#include +#include +#include +#include +#include + +#include "ssh.h" +#include "packet.h" +#include "log.h" +#include "misc.h" +#include +#include "blacklist_client.h" + +static struct blacklist *blstate = NULL; + +/* internal definition from bl.h */ +struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list)); + +/* impedence match vsyslog() to sshd's internal logging levels */ +void +im_log(int priority, const char *message, va_list args) +{ + LogLevel imlevel; + + switch (priority) { + case LOG_ERR: + imlevel = SYSLOG_LEVEL_ERROR; + break; + case LOG_DEBUG: + imlevel = SYSLOG_LEVEL_DEBUG1; + break; + case LOG_INFO: + imlevel = SYSLOG_LEVEL_INFO; + break; + default: + imlevel = SYSLOG_LEVEL_DEBUG2; + } -+ do_log(imlevel, message, args); ++ do_log2(imlevel, message, args); +} + +void +blacklist_init(void) +{ + + blstate = bl_create(false, NULL, im_log); +} + +void +blacklist_notify(int action, struct ssh *ssh, const char *msg) +{ + + if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh)) + (void)blacklist_r(blstate, action, + ssh_packet_get_connection_in(ssh), msg); +} --- blacklist_client.h.orig 2020-11-16 16:45:22.823087000 -0800 +++ blacklist_client.h 2020-11-16 16:45:09.761962000 -0800 
@@ -0,0 +1,61 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * Copyright (c) 2016 The FreeBSD Foundation, Inc. + * All rights reserved. + * + * Portions of this software were developed by Kurt Lidl + * under sponsorship from the FreeBSD Foundation. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef BLACKLIST_CLIENT_H +#define BLACKLIST_CLIENT_H + +#ifndef BLACKLIST_API_ENUM +enum { + BLACKLIST_AUTH_OK = 0, + BLACKLIST_AUTH_FAIL, + BLACKLIST_ABUSIVE_BEHAVIOR, + BLACKLIST_BAD_USER +}; +#endif + +#ifdef USE_BLACKLIST +void blacklist_init(void); +void blacklist_notify(int, struct ssh *, const char *); + +#define BLACKLIST_INIT() blacklist_init() +#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg) + +#else + +#define BLACKLIST_INIT() +#define BLACKLIST_NOTIFY(x, ssh, msg) + +#endif + + +#endif /* BLACKLIST_CLIENT_H */ ---- servconf.c.orig 2020-11-16 15:52:13.175438000 -0800 -+++ servconf.c 2020-11-16 15:52:15.812142000 -0800 -@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions *options) +--- servconf.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ servconf.c 2021-04-28 13:36:19.591999000 -0700 +@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options) options->max_sessions = -1; options->banner = NULL; options->use_dns = -1; + options->use_blacklist = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; options->num_authkeys_files = 0; -@@ -432,6 +433,8 @@ fill_default_server_options(ServerOptions *options) +@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options) options->max_sessions = DEFAULT_SESSIONS_MAX; if (options->use_dns == -1) options->use_dns = 0; + if (options->use_blacklist == -1) + options->use_blacklist = 0; if (options->client_alive_interval == -1) options->client_alive_interval = 0; if (options->client_alive_count_max == -1) -@@ -528,6 +531,7 @@ typedef enum { - sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, +@@ -506,6 +509,7 @@ typedef enum { + sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, sBanner, sUseDNS, sHostbasedAuthentication, + sUseBlacklist, - sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, - sHostKeyAlgorithms, + 
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms, + sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, -@@ -658,6 +662,8 @@ static struct { +@@ -642,6 +646,8 @@ static struct { { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, + { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL }, + { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL } /* alias */, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL }, -@@ -1708,6 +1714,10 @@ process_server_config_line_depth(ServerOptions *option +@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option intptr = &options->use_dns; goto parse_flag; + case sUseBlacklist: + intptr = &options->use_blacklist; + goto parse_flag; + case sLogFacility: log_facility_ptr = &options->log_facility; arg = strdelim(&cp); -@@ -2841,6 +2851,7 @@ dump_config(ServerOptions *o) +@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); dump_cfg_fmtint(sUseDNS, o->use_dns); + dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); --- servconf.h.orig 2020-11-16 15:51:00.752090000 -0800 +++ servconf.h 2020-11-16 15:51:02.962173000 -0800 @@ -179,6 +179,7 @@ typedef struct { int max_sessions; char *banner; /* SSH-2 banner message */ int use_dns; + int use_blacklist; int client_alive_interval; /* * poke the client this often to * see if it's still there --- auth-pam.c.orig 2020-11-16 15:52:45.816578000 -0800 +++ auth-pam.c 2020-11-16 15:54:19.796583000 -0800 
@@ -105,6 +105,7 @@ extern char *__progname; #include "ssh-gss.h" #endif #include "monitor_wrap.h" +#include "blacklist_client.h" extern ServerOptions options; extern struct sshbuf *loginmsg; @@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info, sshbuf_free(buffer); return (0); } + /* XXX: ssh context unavailable here, unclear if this is even needed. + BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, + the_active_state, sshpam_authctxt->user); + */ error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, sshpam_rhost); --- auth.c.orig 2020-11-16 15:52:45.824171000 -0800 +++ auth.c 2020-11-16 15:57:51.091969000 -0800 @@ -76,6 +76,7 @@ #include "ssherr.h" #include "compat.h" #include "channels.h" +#include "blacklist_client.h" /* import */ extern ServerOptions options; @@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti authmsg = "Postponed"; else if (partial) authmsg = "Partial"; - else + else { authmsg = authenticated ? "Accepted" : "Failed"; + if (authenticated) + BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh"); + } if ((extra = format_method_key(authctxt)) == NULL) { if (authctxt->auth_method_info != NULL) @@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user) aix_restoreauthdb(); #endif if (pw == NULL) { + BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user); logit("Invalid user %.100s from %.100s port %d", user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); #ifdef CUSTOM_FAILED_LOGIN --- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800 +++ auth2.c 2020-11-16 17:12:04.852943000 -0800 @@ -58,6 +58,7 @@ #endif #include "monitor_wrap.h" #include "digest.h" +#include "blacklist_client.h" /* import */ extern ServerOptions options; 
@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct } else { /* Invalid user, fake password information */ authctxt->pw = fakepw(); + BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh"); #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(ssh, SSH_INVALID_USER)); #endif @@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co } else { /* Allow initial try of "none" auth without failure penalty */ if (!partial && !authctxt->server_caused_failure && - (authctxt->attempt > 1 || strcmp(method, "none") != 0)) + (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { authctxt->failures++; + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); + } if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES)); --- packet.c.orig 2020-11-16 15:52:45.839070000 -0800 +++ packet.c 2020-11-16 15:56:09.285418000 -0800 @@ -96,6 +96,7 @@ #include "packet.h" #include "ssherr.h" #include "sshbuf.h" +#include "blacklist_client.h" #ifdef PACKET_DEBUG #define DBG(x) x 
@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, case SSH_ERR_NO_KEX_ALG_MATCH: case SSH_ERR_NO_HOSTKEY_ALG_MATCH: if (ssh && ssh->kex && ssh->kex->failed_choice) { + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); ssh_packet_clear_keys(ssh); errno = oerrno; logdie("Unable to negotiate with %s: %s. " ---- sshd.c.orig 2020-11-16 15:52:45.846609000 -0800 -+++ sshd.c 2020-11-16 15:56:34.401305000 -0800 -@@ -131,6 +131,7 @@ +--- sshd.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ sshd.c 2021-04-28 13:37:18.741786000 -0700 +@@ -123,6 +123,7 @@ #include "version.h" #include "ssherr.h" #include "sk-api.h" +#include "blacklist_client.h" + #include "srclimit.h" + #include "dh.h" - #ifdef LIBWRAP - #include -@@ -388,6 +389,8 @@ grace_alarm_handler(int sig) +@@ -366,6 +367,8 @@ grace_alarm_handler(int sig) kill(0, SIGTERM); } + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, the_active_state, "ssh"); + /* XXX pre-format ipaddr/port so we don't need to access active_state */ /* Log error and exit. */ sigdie("Timeout before authentication for %s port %d", -@@ -2290,6 +2293,9 @@ main(int ac, char **av) +@@ -2209,6 +2212,9 @@ main(int ac, char **av) if ((loginmsg = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); auth_debug_reset(); + + if (options.use_blacklist) + BLACKLIST_INIT(); if (use_privsep) { if (privsep_preauth(ssh) == 1) --- Makefile.in.orig 2020-11-16 16:27:13.408700000 -0800 +++ Makefile.in 2020-11-16 16:28:28.083007000 -0800 @@ -180,6 +180,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS) FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ @UNSUPPORTED_ALGORITHMS@ +LIBSSH_OBJS+= blacklist.o + all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS) $(LIBSSH_OBJS): Makefile.in config.h --- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800 +++ sshd_config 2020-11-16 16:57:42.183846000 -0800 
@@ -94,6 +94,7 @@ #PrintLastLog yes #TCPKeepAlive yes #PermitUserEnvironment no +#UseBlacklist no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 --- sshd_config.5.orig 2020-11-16 16:57:58.533307000 -0800 +++ sshd_config.5 2020-11-16 17:00:02.635070000 -0800 @@ -1703,6 +1703,20 @@ for authentication using .Cm TrustedUserCAKeys . For more details on certificates, see the CERTIFICATES section in .Xr ssh-keygen 1 . +.It Cm UseBlacklist +Specifies whether +.Xr sshd 8 +attempts to send authentication success and failure messages +to the +.Xr blacklistd 8 +daemon. +The default is +.Cm no . +For forward compatibility with an upcoming +.Xr blacklistd +rename, the +.Cm UseBlocklist +alias can be used instead. .It Cm UseDNS Specifies whether .Xr sshd 8 --- monitor.c.orig 2020-11-16 17:24:03.457283000 -0800 +++ monitor.c 2020-11-16 17:25:57.642510000 -0800 @@ -96,6 +96,7 @@ #include "match.h" #include "ssherr.h" #include "sk-api.h" +#include "blacklist_client.h" #ifdef GSSAPI static Gssctxt *gsscontext = NULL; @@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { auth_log(ssh, authenticated, partial, auth_method, auth_submethod); - if (!partial && !authenticated) + if (!partial && !authenticated) { authctxt->failures++; + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, + ssh, "ssh"); + } if (authenticated || partial) { auth2_update_session_info(authctxt, auth_method, auth_submethod); @@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct } else { /* Log failed attempt */ auth_log(ssh, 0, 0, auth_method, NULL); + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); free(cuser); free(chost); } diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index c447b94cb48e..258b36150078 100644 --- a/security/openssh-portable/files/extra-patch-hpn +++ b/security/openssh-portable/files/extra-patch-hpn 
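Review bot: `++ do_log2(imlevel, message, args);` in im_log() hands a va_list to do_log2(), which (if I recall the 8.5/8.6 log.h correctly) is the printf-style variadic entry point, so any %-directive in `message` is formatted from the bytes of the va_list object rather than from the caller's arguments; the replaced do_log() call was correct precisely because it took a va_list. The va_list-taking replacement is sshlogv(), i.e. `sshlogv(__FILE__, __func__, __LINE__, 0, imlevel, NULL, message, args);`, which keeps the messages libblacklist presumably routes through this callback (its own error reports) readable instead of corrupting sshd's log on exactly the failures an operator needs to see. Unrelated to this change but worth a comment: the existing `BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, the_active_state, "ssh");` in grace_alarm_handler() performs socket I/O and logging from SIGALRM context, which is not async-signal-safe; upstream's sigdie() there already accepts that risk, but a note at the call site would save the next reader the investigation.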
@@ -1,1323 +1,1307 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/openssh-6.8p1/HPN-README work/openssh-6.8p1/HPN-README --- work.clean/openssh-6.8p1/HPN-README 1969-12-31 18:00:00.000000000 -0600 +++ work/openssh-6.8p1/HPN-README 2015-04-01 22:16:49.869215000 -0500 
@@ -0,0 +1,129 @@ +Notes: + +MULTI-THREADED CIPHER: +The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations +on hosts with multiple cores to use more than one processing core during encryption. +Tests have show significant throughput performance increases when using MTR-AES-CTR up +to and including a full gigabit per second on quad core systems. It should be possible to +achieve full line rate on dual core systems but OS and data management overhead makes this +more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single +thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal +performance requires the MTR-AES-CTR mode be enabled on both ends of the connection. +The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same +nomenclature. +Use examples: ssh -caes128-ctr you@host.com + scp -oCipher=aes256-ctr file you@host.com:~/file + +NONE CIPHER: +To use the NONE option you must have the NoneEnabled switch set on the server and +you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE +feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not +spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will +be disabled. + +The performance increase will only be as good as the network and TCP stack tuning +on the reciever side of the connection allows. As a rule of thumb a user will need +at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The +HPN-SSH home page describes this in greater detail. + +http://www.psc.edu/networking/projects/hpn-ssh + +BUFFER SIZES: + +If HPN is disabled the receive buffer size will be set to the +OpenSSH default of 64K. + +If an HPN system connects to a nonHPN system the receive buffer will +be set to the HPNBufferSize value. The default is 2MB but user adjustable. 
+ +If an HPN to HPN connection is established a number of different things might +happen based on the user options and conditions. + +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set +HPN Buffer Size = up to 64MB +This is the default state. The HPN buffer size will grow to a maximum of 64MB +as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is +geared towards 10GigE transcontinental connections. + +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set +HPN Buffer Size = TCP receive buffer value. +Users on non-autotuning systesm should disable TCPRcvBufPoll in the +ssh_cofig and sshd_config + +Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set +HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. +This would be the system defined TCP receive buffer (RWIN). + +Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET +HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. +Generally there is no need to set both. + +Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set +HPN Buffer Size = grows to HPNBufferSize +The buffer will grow up to the maximum size specified here. + +Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET +HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. +Generally there is no need to set both of these, especially on autotuning +systems. However, if the users wishes to override the autotuning this would be +one way to do it. + +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET +HPN Buffer Size = TCPRcvBuf. +This will override autotuning and set the TCP recieve buffer to the user defined +value. + + +HPN Specific Configuration options + +TcpRcvBuf=[int]KB client + set the TCP socket receive buffer to n Kilobytes. It can be set up to the +maximum socket size allowed by the system. 
This is useful in situations where +the tcp receive window is set low but the maximum buffer size is set +higher (as is typical). This works on a per TCP connection basis. You can also +use this to artifically limit the transfer rate of the connection. In these +cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB. +Default is the current system wide tcp receive buffer size. + +TcpRcvBufPoll=[yes/no] client/server + enable of disable the polling of the tcp receive buffer through the life +of the connection. You would want to make sure that this option is enabled +for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista) +default is yes. + +NoneEnabled=[yes/no] client/server + enable or disable the use of the None cipher. Care must always be used +when enabling this as it will allow users to send data in the clear. However, +it is important to note that authentication information remains encrypted +even if this option is enabled. Set to no by default. + +NoneSwitch=[yes/no] client + Switch the encryption cipher being used to the None cipher after +authentication takes place. NoneEnabled must be enabled on both the client +and server side of the connection. When the connection switches to the NONE +cipher a warning is sent to STDERR. The connection attempt will fail with an +error if a client requests a NoneSwitch from the server that does not explicitly +have NoneEnabled set to yes. Note: The NONE cipher cannot be used in +interactive (shell) sessions and it will fail silently. Set to no by default. + +HPNDisabled=[yes/no] client/server + In some situations, such as transfers on a local area network, the impact +of the HPN code produces a net decrease in performance. In these cases it is +helpful to disable the HPN functionality. By default HPNDisabled is set to no. + +HPNBufferSize=[int]KB client/server + This is the default buffer size the HPN functionality uses when interacting +with nonHPN SSH installations. 
Conceptually this is similar to the TcpRcvBuf +option as applied to the internal SSH flow control. This value can range from +1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance +problems depending on the length of the network path. The default size of this buffer +is 2MB. + + +Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu) + The majority of the actual coding for versions up to HPN12v1 was performed + by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was + implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota + (tasota@gmail.com) an NSF REU grant recipient for 2013. + This work was financed, in part, by Cisco System, Inc., the National + Library of Medicine, and the National Science Foundation. ---- work/openssh-7.7p1/channels.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/channels.c 2018-06-27 16:37:07.663857000 -0700 +--- work/openssh/channels.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/channels.c 2021-04-28 14:35:20.732518000 -0700 
@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann /* Setup helper */ static void channel_handler_init(struct ssh_channels *sc); + +#ifdef HPN_ENABLED +static int hpn_disabled = 0; +static int hpn_buffer_size = 2 * 1024 * 1024; +#endif + /* -- channel core */ void -@@ -392,6 +398,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in +@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in c->local_window = window; c->local_window_max = window; c->local_maxpacket = maxpack; +#ifdef HPN_ENABLED + c->dynamic_window = 0; +#endif c->remote_name = xstrdup(remote_name); c->ctl_chan = -1; c->delayed = 1; /* prevent call to channel_post handler */ -@@ -1059,6 +1068,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, +@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, FD_SET(c->sock, writeset); } +#ifdef HPN_ENABLED +static int +channel_tcpwinsz(struct ssh *ssh) +{ + u_int32_t tcpwinsz = 0; + socklen_t optsz = sizeof(tcpwinsz); + int ret = -1; + + /* if we aren't on a socket return 128KB */ + if (!ssh_packet_connection_is_on_socket(ssh)) + return 128 * 1024; + + ret = getsockopt(ssh_packet_get_connection_in(ssh), + SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); + /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */ + if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX) + tcpwinsz = SSHBUF_SIZE_MAX; + + debug2("tcpwinsz: tcp connection %d, Receive window: %d", + ssh_packet_get_connection_in(ssh), tcpwinsz); + return tcpwinsz; +} +#endif + static void channel_pre_open(struct ssh *ssh, Channel *c, fd_set *readset, fd_set *writeset) -@@ -2158,21 +2191,32 @@ channel_check_window(struct ssh *ssh, Channel *c) +@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c) c->local_maxpacket*3) || c->local_window < c->local_window_max/2) && c->local_consumed > 0) { + u_int addition = 0; +#ifdef HPN_ENABLED + u_int32_t tcpwinsz = channel_tcpwinsz(ssh); + /* adjust max window size if we are in a 
dynamic environment */ + if (c->dynamic_window && (tcpwinsz > c->local_window_max)) { + /* grow the window somewhat aggressively to maintain pressure */ + addition = 1.5 * (tcpwinsz - c->local_window_max); + c->local_window_max += addition; + debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition); + } +#endif if (!c->have_remote_id) - fatal(":%s: channel %d: no remote id", - __func__, c->self); + fatal_f("channel %d: no remote id", c->self); if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || (r = sshpkt_send(ssh)) != 0) { - fatal("%s: channel %i: %s", __func__, - c->self, ssh_err(r)); + fatal_fr(r, "channel %i", c->self); } - debug2("channel %d: window %d sent adjust %d", - c->self, c->local_window, -- c->local_consumed); + debug2("channel %d: window %d sent adjust %d", c->self, +- c->local_window, c->local_consumed); - c->local_window += c->local_consumed; -+ c->local_consumed + addition); ++ c->local_window, c->local_consumed + addition); + c->local_window += c->local_consumed + addition; c->local_consumed = 0; } return 1; -@@ -3354,6 +3398,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis +@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis return addr; } +#ifdef HPN_ENABLED +void +channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size) +{ + hpn_disabled = external_hpn_disabled; + hpn_buffer_size = external_hpn_buffer_size; + debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, + hpn_buffer_size); +} +#endif + static int channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, struct Forward *fwd, int *allocated_listen_port, -@@ -3494,6 +3549,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int +@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int } /* 
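Review bot: The SSHBUF_SIZE_MAX clamp in channel_tcpwinsz() is undone a few lines later in channel_check_window(): `addition = 1.5 * (tcpwinsz - c->local_window_max)` can push `local_window_max`, and the window then advertised in SSH2_MSG_CHANNEL_WINDOW_ADJUST, up to 50% beyond the cap, so the peer is presumably invited to send more than the channel's sshbuf will accept. The double-to-`u_int` conversion also truncates silently. Bound the growth before applying it: `addition = 1.5 * (tcpwinsz - c->local_window_max);` `if (addition > SSHBUF_SIZE_MAX - c->local_window_max) addition = SSHBUF_SIZE_MAX - c->local_window_max;` (no underflow, since `tcpwinsz > c->local_window_max` was just tested). channel_check_window() begins before this hunk.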
Allocate a channel number for the socket. */ +#ifdef HPN_ENABLED + /* + * explicitly test for hpn disabled option. if true use smaller + * window size. + */ + if (!hpn_disabled) + c = channel_new(ssh, "port listener", type, sock, sock, -1, + hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, + 0, "port listener", 1); + else +#endif c = channel_new(ssh, "port listener", type, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "port listener", 1); -@@ -4631,6 +4697,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ +@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); for (n = 0; n < num_socks; n++) { sock = socks[n]; +#ifdef HPN_ENABLED + if (!hpn_disabled) + nc = channel_new(ssh, "x11 listener", + SSH_CHANNEL_X11_LISTENER, sock, sock, -1, + hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, + 0, "X11 inet listener", 1); + else +#endif nc = channel_new(ssh, "x11 listener", SSH_CHANNEL_X11_LISTENER, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, --- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/channels.h 2018-06-27 16:38:40.766588000 -0700 @@ -143,6 +143,9 @@ struct Channel { u_int local_maxpacket; int extended_usage; int single_connection; +#ifdef HPN_ENABLED + int dynamic_window; +#endif char *ctype; /* type */ @@ -335,5 +338,10 @@ void chan_ibuf_empty(struct ssh *, Channel *); void chan_rcvd_ieof(struct ssh *, Channel *); void chan_write_failed(struct ssh *, Channel *); void chan_obuf_empty(struct ssh *, Channel *); + +#ifdef HPN_ENABLED +/* hpn handler */ +void channel_set_hpn(int, int); +#endif #endif --- work/openssh-7.7p1/cipher.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/cipher.c 2018-06-27 16:55:43.165788000 -0700 
@@ -212,7 +212,12 @@ ciphers_valid(const char *names) for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; (p = strsep(&cp, CIPHER_SEP))) { c = cipher_by_name(p); +#ifdef NONE_CIPHER_ENABLED + if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 && + (c->flags & CFLAG_NONE) != 0)) { +#else if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) { +#endif free(cipher_list); return 0; } --- work/openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700 @@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques sock = x11_connect_display(ssh); if (sock < 0) return NULL; +#ifdef HPN_ENABLED + /* again is this really necessary for X11? */ + if (!options.hpn_disabled) + c = channel_new(ssh, "x11", + SSH_CHANNEL_X11_OPEN, sock, sock, -1, + options.hpn_buffer_size, + CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); + else +#endif c = channel_new(ssh, "x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); @@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ __func__, ssh_err(r)); return NULL; } +#ifdef HPN_ENABLED + if (!options.hpn_disabled) + c = channel_new(ssh, "authentication agent connection", + SSH_CHANNEL_OPEN, sock, sock, -1, + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, + "authentication agent connection", 1); + else +#endif c = channel_new(ssh, "authentication agent connection", SSH_CHANNEL_OPEN, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, 
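Review bot: The NONE_CIPHER_ENABLED branch in ciphers_valid() rejects a cipher only when it has both CFLAG_INTERNAL and CFLAG_NONE set, which is the reverse of what the `#ifdef` implies: "none" stays rejected while any other internal-flagged cipher would now pass a user's Ciphers list, and if CFLAG_INTERNAL is defined as CFLAG_NONE (as it is in recent upstream cipher.c, worth confirming against 8.6) the whole branch is a no-op. If "none" is meant to be accepted here the test should read `(c->flags & CFLAG_INTERNAL) != 0 && (c->flags & CFLAG_NONE) == 0`; if it is meant to stay out of Ciphers and only be added by the NoneSwitch path, drop the branch and say so with `/* "none" is never valid in Ciphers=; the NoneSwitch path adds it post-auth */`.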
@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, } debug("Tunnel forwarding using interface %s", ifname); +#ifdef HPN_ENABLED + if (!options.hpn_disabled) + c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + else +#endif c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); c->datagram = 1; ---- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/compat.c 2015-04-03 16:39:57.665699000 -0500 -@@ -177,6 +177,14 @@ - debug("match: %s pat %s compat 0x%08x", +--- work/openssh/compat.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/compat.c 2021-04-28 14:37:33.129317000 -0700 +@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) + debug_f("match: %s pat %s compat 0x%08x", version, check[i].pat, check[i].bugs); - datafellows = check[i].bugs; /* XXX for now */ + ssh->compat = check[i].bugs; +#ifdef HPN_ENABLED + /* Check to see if the remote side is OpenSSH and not HPN */ + if (strstr(version,"OpenSSH") != NULL && + strstr(version,"hpn") == NULL) { -+ datafellows |= SSH_BUG_LARGEWINDOW; ++ ssh->compat |= SSH_BUG_LARGEWINDOW; + debug("Remote is NON-HPN aware"); + } +#endif - return check[i].bugs; + return; } } --- work/openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500 +++ work/openssh/compat.h 2015-06-02 09:55:04.208681000 -0500 @@ -62,6 +62,9 @@ #define SSH_BUG_CURVE25519PAD 0x10000000 #define SSH_BUG_HOSTKEYS 0x20000000 #define SSH_BUG_DHGEX_LARGE 0x40000000 +#ifdef HPN_ENABLED +#define SSH_BUG_LARGEWINDOW 0x80000000 +#endif void enable_compat13(void); void enable_compat20(void); --- configure.ac.orig 2020-03-22 11:06:53.034550000 -0700 +++ configure.ac 2020-03-22 11:07:10.017487000 -0700 
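Review bot: The compat.h hunk still carries 6.8-era context (`enable_compat13`, `SSH_BUG_DHGEX_LARGE 0x40000000`, a 2015 header) while the compat.c hunk next to it was re-based on 8.6, so it presumably applies only with fuzz; since this update re-targets the other hunks, regenerate this one too and check that `SSH_BUG_LARGEWINDOW 0x80000000` does not alias a bit in 8.6's renumbered flag table. Also note that compat_banner() sets the flag from a case-sensitive `strstr(version,"hpn")`, so any peer whose banner or VersionAddendum happens to contain "hpn" is treated as HPN-capable; a comment to that effect next to the check would save the next reader a question.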
@@ -4778,6 +4778,25 @@ AC_ARG_WITH([maildir], ] ) # maildir +#check whether user wants HPN support +HPN_MSG="no" +AC_ARG_WITH(hpn, + [ --with-hpn Enable HPN support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.]) + HPN_MSG="yes" + fi ] +) +#check whether user wants NONECIPHER support +NONECIPHER_MSG="no" +AC_ARG_WITH(nonecipher, + [ --with-nonecipher Enable NONECIPHER support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want NONECIPHER support.]) + NONECIPHER_MSG="yes" + fi ] +) + if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) disable_ptmx_check=yes 
@@ -5459,6 +5478,8 @@ echo " Random number source: $RAND_MSG" echo " Privsep sandbox style: $SANDBOX_STYLE" echo " PKCS#11 support: $enable_pkcs11" echo " U2F/FIDO support: $enable_sk" +echo " HPN support: $HPN_MSG" +echo " NONECIPHER support: $NONECIPHER_MSG" echo "" ---- work.clean/openssh-7.2p1/kex.c.orig 2016-02-25 19:40:04.000000000 -0800 -+++ work.clean/openssh-7.2p1/kex.c 2016-02-29 08:02:25.565288000 -0800 -@@ -907,6 +907,20 @@ kex_choose_conf(struct ssh *ssh) +--- work/openssh/kex.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/kex.c 2021-04-28 14:38:31.761909000 -0700 +@@ -960,6 +960,20 @@ kex_choose_conf(struct ssh *ssh) peer[ncomp] = NULL; goto out; } +#ifdef NONE_CIPHER_ENABLED + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); + if (strcmp(newkeys->enc.name, "none") == 0) { + int auth_flag; + + auth_flag = ssh_packet_authentication_state(ssh); + debug("Requesting NONE. Authflag is %d", auth_flag); + if (auth_flag == 1) { + debug("None requested post authentication."); + } else { + fatal("Pre-authentication none cipher requests are not allowed."); + } + } +#endif debug("kex: %s cipher: %s MAC: %s compression: %s", ctos ? 
"client->server" : "server->client", newkeys->enc.name, -@@ -1108,7 +1122,7 @@ send_error(struct ssh *ssh, char *msg) +@@ -1170,7 +1184,7 @@ send_error(struct ssh *ssh, char *msg) */ int kex_exchange_identification(struct ssh *ssh, int timeout_ms, - const char *version_addendum) + const char *version_addendum, int hpn_disabled) { - int remote_major, remote_minor, mismatch; + int remote_major, remote_minor, mismatch, oerrno = 0; size_t len, i, n; -@@ -1125,8 +1139,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo +@@ -1187,8 +1201,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo sshbuf_reset(our_version); if (version_addendum != NULL && *version_addendum == '\0') version_addendum = NULL; - if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", + if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n", - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +#ifdef HPN_ENABLED + hpn_disabled ? "" : SSH_HPN, +#else + "", +#endif version_addendum == NULL ? "" : " ", version_addendum == NULL ? "" : version_addendum)) != 0) { - error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); + oerrno = errno; --- work/openssh-7.7p1/packet.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/packet.c 2018-06-27 16:42:42.739507000 -0700 @@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) return 0; } +#ifdef NONE_CIPHER_ENABLED +/* this supports the forced rekeying required for the NONE cipher */ +int rekey_requested = 0; +void +packet_request_rekeying(void) +{ + rekey_requested = 1; +} + +int +ssh_packet_authentication_state(struct ssh *ssh) +{ + struct session_state *state = ssh->state; + + return(state->after_authentication); +} +#endif + #define MAX_PACKETS (1U<<31) static int ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) 
@@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou /* Peer can't rekey */ if (ssh->compat & SSH_BUG_NOREKEY) return 0; +#ifdef NONE_CIPHER_ENABLED + /* used to force rekeying when called for by the none + * cipher switch methods -cjr */ + if (rekey_requested == 1) { + rekey_requested = 0; + return 1; + } +#endif /* * Permit one packet in or out per rekey - this allows us to --- work.clean/openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500 
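Review bot: `rekey_requested`, consumed here in ssh_packet_need_rekeying(), is a non-static process-global defined in the preceding packet.c hunk rather than a field of `struct session_state`, so the request is not tied to the `ssh` it was made for and `packet_request_rekeying(void)` cannot name a connection. Move it into session_state and give the setter a `struct ssh *` parameter, or at minimum declare the variable `static int rekey_requested = 0;` so it is not exported. The placement of the check after the SSH_BUG_NOREKEY bail-out is right, since a peer that cannot rekey must not be forced into one.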
@@ -206,6 +206,11 @@ int sshpkt_get_end(struct ssh *ssh); void sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l); const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); +#ifdef NONE_CIPHER_ENABLED +void packet_request_rekeying(void); +int ssh_packet_authentication_state(struct ssh *ssh); +#endif + #if !defined(WITH_OPENSSL) # undef BIGNUM # undef EC_KEY ---- work/openssh-7.7p1/readconf.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/readconf.c 2018-06-27 16:58:41.109275000 -0700 -@@ -66,6 +66,9 @@ +--- work/openssh/readconf.c.orig 2021-04-28 13:58:36.413806000 -0700 ++++ work/openssh/readconf.c 2021-04-28 14:39:31.145856000 -0700 +@@ -67,6 +67,9 @@ #include "uidswap.h" #include "myproposal.h" #include "digest.h" +#ifdef HPN_ENABLED +#include "sshbuf.h" +#endif /* Format of the configuration file: -@@ -167,6 +170,12 @@ typedef enum { +@@ -168,6 +171,12 @@ typedef enum { oLocalCommand, oPermitLocalCommand, oRemoteCommand, oVisualHostKey, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, +#ifdef HPN_ENABLED + oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf, +#endif +#ifdef NONE_CIPHER_ENABLED + oNoneSwitch, oNoneEnabled, +#endif oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, -@@ -304,6 +313,16 @@ static struct { - { "updatehostkeys", oUpdateHostkeys }, - { "hostbasedkeytypes", oHostbasedKeyTypes }, - { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, +@@ -312,6 +321,16 @@ static struct { + { "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */ + { "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms }, + { "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */ +#ifdef NONE_CIPHER_ENABLED + { "noneenabled", oNoneEnabled }, + { "noneswitch", oNoneSwitch }, +#endif +#ifdef HPN_ENABLED + { "tcprcvbufpoll", oTcpRcvBufPoll }, + { "tcprcvbuf", 
oTcpRcvBuf }, + { "hpndisabled", oHPNDisabled }, + { "hpnbuffersize", oHPNBufferSize }, +#endif { "ignoreunknown", oIgnoreUnknown }, { "proxyjump", oProxyJump }, - -@@ -962,6 +981,44 @@ parse_time: + { "securitykeyprovider", oSecurityKeyProvider }, +@@ -1091,6 +1110,44 @@ parse_time: intptr = &options->check_host_ip; goto parse_flag; +#ifdef HPN_ENABLED + case oHPNDisabled: + intptr = &options->hpn_disabled; + goto parse_flag; + + case oHPNBufferSize: + intptr = &options->hpn_buffer_size; + goto parse_int; + + case oTcpRcvBufPoll: + intptr = &options->tcp_rcv_buf_poll; + goto parse_flag; + + case oTcpRcvBuf: + intptr = &options->tcp_rcv_buf; + goto parse_int; +#endif + +#ifdef NONE_CIPHER_ENABLED + case oNoneEnabled: + intptr = &options->none_enabled; + goto parse_flag; + + /* we check to see if the command comes from the */ + /* command line or not. If it does then enable it */ + /* otherwise fail. NONE should never be a default configuration */ + case oNoneSwitch: + if(strcmp(filename,"command-line") == 0) { + intptr = &options->none_switch; + goto parse_flag; + } else { + error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename); + error("Continuing..."); + debug("NoneSwitch directive found in %.200s.", filename); + return 0; + } +#endif + case oVerifyHostKeyDNS: intptr = &options->verify_host_key_dns; multistate_ptr = multistate_yesnoask; -@@ -1833,6 +1890,16 @@ initialize_options(Options * options) +@@ -2262,6 +2319,16 @@ initialize_options(Options * options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; +#ifdef NONE_CIPHER_ENABLED + options->none_switch = -1; + options->none_enabled = -1; +#endif +#ifdef HPN_ENABLED + options->hpn_disabled = -1; + options->hpn_buffer_size = -1; + options->tcp_rcv_buf_poll = -1; + options->tcp_rcv_buf = -1; +#endif options->proxy_use_fdpass = -1; options->ignored_unknown = NULL; options->num_canonical_domains = 0; -@@ -1979,6 
+2046,34 @@ fill_default_options(Options * options) +@@ -2432,6 +2499,34 @@ fill_default_options(Options * options) options->server_alive_interval = 0; if (options->server_alive_count_max == -1) options->server_alive_count_max = 3; +#ifdef NONE_CIPHER_ENABLED + if (options->none_switch == -1) + options->none_switch = 0; + if (options->none_enabled == -1) + options->none_enabled = 0; +#endif +#ifdef HPN_ENABLED + if (options->hpn_disabled == -1) + options->hpn_disabled = 0; + if (options->hpn_buffer_size > -1) { + /* if a user tries to set the size to 0 set it to 1KB */ + if (options->hpn_buffer_size == 0) + options->hpn_buffer_size = 1; + /* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */ + if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) { + options->hpn_buffer_size = SSHBUF_SIZE_MAX; + debug("User requested buffer larger than 256MB. Request reverted to 256MB"); + } else + options->hpn_buffer_size *= 1024; + debug("hpn_buffer_size set to %d", options->hpn_buffer_size); + } + if (options->tcp_rcv_buf == 0) + options->tcp_rcv_buf = 1; + if (options->tcp_rcv_buf > -1) + options->tcp_rcv_buf *=1024; + if (options->tcp_rcv_buf_poll == -1) + options->tcp_rcv_buf_poll = 1; +#endif if (options->control_master == -1) options->control_master = 0; if (options->control_persist == -1) { --- work.clean/openssh-6.8p1/readconf.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/readconf.h 2015-04-03 13:47:45.670125000 -0500 
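Review bot: `options->tcp_rcv_buf *= 1024` in fill_default_options() has no upper bound, unlike the `hpn_buffer_size` branch just above it, so a TcpRcvBuf above INT_MAX/1024 overflows the signed int (undefined behaviour, and a negative size is then handed to setsockopt in sshconnect.c). Clamp it the same way: `if (options->tcp_rcv_buf > (SSHBUF_SIZE_MAX / 1024)) options->tcp_rcv_buf = SSHBUF_SIZE_MAX; else options->tcp_rcv_buf *= 1024;`. The debug text `"User requested buffer larger than 256MB. Request reverted to 256MB"` also hard-codes a figure that does not match the HPN `SSHBUF_SIZE_MAX` of 0xF000000 (240 MiB); print the macro value instead.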
@@ -105,6 +105,16 @@ int clear_forwardings; int enable_ssh_keysign; +#ifdef NONE_CIPHER_ENABLED + int none_switch; /* Use none cipher */ + int none_enabled; /* Allow none to be used */ +#endif +#ifdef HPN_ENABLED + int tcp_rcv_buf; /* user switch to set tcp recv buffer */ + int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */ + int hpn_disabled; /* Switch to disable HPN buffer management */ + int hpn_buffer_size; /* User definable size for HPN buffer window */ +#endif int64_t rekey_limit; int rekey_interval; int no_host_authentication_for_localhost; --- work/openssh/scp.c.orig 2020-09-27 00:25:01.000000000 -0700 +++ work/openssh/scp.c 2020-11-10 10:31:03.060729000 -0800 @@ -1246,7 +1246,7 @@ sink(int argc, char **argv, const char *src) off_t size, statbytes; unsigned long long ull; int setimes, targisdir, wrerr; - char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048]; + char ch, *cp, *np, *targ, *why, *vect[1], buf[COPY_BUFLEN], visbuf[COPY_BUFLEN]; char **patterns = NULL; size_t n, npatterns = 0; struct timeval tv[2]; --- work/openssh-7.7p1/servconf.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/servconf.c 2018-06-27 17:01:05.276677000 -0700 @@ -63,6 +63,9 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" +#ifdef HPN_ENABLED +#include "sshbuf.h" +#endif static void add_listen_addr(ServerOptions *, const char *, const char *, int); @@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options) options->authorized_principals_file = NULL; options->authorized_principals_command = NULL; options->authorized_principals_command_user = NULL; +#ifdef NONE_CIPHER_ENABLED + options->none_enabled = -1; +#endif +#ifdef HPN_ENABLED + options->tcp_rcv_buf_poll = -1; + options->hpn_disabled = -1; + options->hpn_buffer_size = -1; +#endif options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; 
@@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options) } if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; +#ifdef NONE_CIPHER_ENABLED + if (options->none_enabled == -1) + options->none_enabled = 0; +#endif +#ifdef HPN_ENABLED + if (options->hpn_disabled == -1) + options->hpn_disabled = 0; + + if (options->hpn_buffer_size == -1) { + /* + * option not explicitly set. Now we have to figure out + * what value to use. + */ + if (options->hpn_disabled == 1) { + options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; + } else { + int sock, socksize; + socklen_t socksizelen = sizeof(socksize); + + /* + * get the current RCV size and set it to that + * create a socket but don't connect it + * we use that the get the rcv socket size + */ + sock = socket(AF_INET, SOCK_STREAM, 0); + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, + &socksize, &socksizelen); + close(sock); + options->hpn_buffer_size = socksize; + debug ("HPN Buffer Size: %d", options->hpn_buffer_size); + } + } else { + /* + * we have to do this incase the user sets both values in a + * contradictory manner. hpn_disabled overrrides + * hpn_buffer_size + */ + if (options->hpn_disabled <= 0) { + if (options->hpn_buffer_size == 0) + options->hpn_buffer_size = 1; + /* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */ + if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) { + options->hpn_buffer_size = SSHBUF_SIZE_MAX; + } else { + options->hpn_buffer_size *= 1024; + } + } else + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; + } +#endif + if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) 
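Review bot: In fill_default_server_options() the return values of `socket()` and `getsockopt()` are ignored, so when the socket cannot be created (no AF_INET in a jail, fd exhaustion) `socksize` is read uninitialised and becomes the window size for every session channel; the auto-detected value is also never clamped to SSHBUF_SIZE_MAX, unlike the user-supplied branch below it. Initialise `socksize` to a safe default, check both calls and clamp the result before storing it. The rewrite below replaces only the probe branch.
```c
		} else {
			int sock, socksize = CHAN_SES_WINDOW_DEFAULT;
			socklen_t socksizelen = sizeof(socksize);

			/* probe the kernel's default receive buffer; keep the fallback on any error */
			if ((sock = socket(AF_INET, SOCK_STREAM, 0)) != -1) {
				if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
				    &socksize, &socksizelen) != 0 || socksize <= 0)
					socksize = CHAN_SES_WINDOW_DEFAULT;
				close(sock);
			}
			if (socksize > SSHBUF_SIZE_MAX)
				socksize = SSHBUF_SIZE_MAX;
			options->hpn_buffer_size = socksize;
			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
		}
		/* … unchanged: explicit HPNBufferSize / hpn_disabled handling … */
```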
@@ -466,6 +528,12 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, +#ifdef NONE_CIPHER_ENABLED + sNoneEnabled, +#endif +#ifdef HPN_ENABLED + sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, +#endif sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, @@ -603,6 +671,14 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, +#ifdef NONE_CIPHER_ENABLED + { "noneenabled", sNoneEnabled, SSHCFG_ALL }, +#endif +#ifdef HPN_ENABLED + { "hpndisabled", sHPNDisabled, SSHCFG_ALL }, + { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL }, + { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL }, +#endif { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, @@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha case sIgnoreUserKnownHosts: intptr = &options->ignore_user_known_hosts; goto parse_flag; + +#ifdef NONE_CIPHER_ENABLED + case sNoneEnabled: + intptr = &options->none_enabled; + goto parse_flag; +#endif +#ifdef HPN_ENABLED + case sTcpRcvBufPoll: + intptr = &options->tcp_rcv_buf_poll; + goto parse_flag; + + case sHPNDisabled: + intptr = &options->hpn_disabled; + goto parse_flag; + + case sHPNBufferSize: + intptr = &options->hpn_buffer_size; + goto parse_int; +#endif case sHostbasedAuthentication: intptr = &options->hostbased_authentication; --- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500 
@@ -169,6 +169,15 @@ int use_pam; /* Enable auth via PAM */ +#ifdef NONE_CIPHER_ENABLED + int none_enabled; /* enable NONE cipher switch */ +#endif +#ifdef HPN_ENABLED + int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/ + int hpn_disabled; /* disable hpn functionality. false by default */ + int hpn_buffer_size; /* set the hpn buffer size - default 3MB */ +#endif + int permit_tun; int num_permitted_opens; --- work/openssh-7.7p1/serverloop.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/serverloop.c 2018-06-27 16:53:02.246871000 -0700 @@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh) goto done; debug("Tunnel forwarding using interface %s", ifname); +#ifdef HPN_ENABLED + if (!options.hpn_disabled) + c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1, + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + else +#endif c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); c->datagram = 1; @@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh) c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL, -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, 0, "server-session", 1); +#ifdef HPN_ENABLED + if (options.tcp_rcv_buf_poll && !options.hpn_disabled) + c->dynamic_window = 1; +#endif if (session_open(the_authctxt, c->self) != 1) { debug("session open failed, free channel %d", c->self); channel_free(ssh, c); --- work/openssh-7.7p1/session.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/session.c 2018-06-27 17:01:40.730347000 -0700 
@@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s, */ if (s->chanid == -1) fatal("no channel for session %d", s->self); +#ifdef HPN_ENABLED + if (!options.hpn_disabled) + channel_set_fds(ssh, s->chanid, + fdout, fdin, fderr, + ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, + 1, is_tty, options.hpn_buffer_size); + else +#endif channel_set_fds(ssh, s->chanid, fdout, fdin, fderr, ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, --- work.clean/openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/sftp.1 2015-04-01 22:16:49.921688000 -0500 
@@ -263,7 +263,8 @@ Specify how many requests may be outstanding at any one time. Increasing this may slightly improve file transfer speed but will increase memory usage. -The default is 64 outstanding requests. +The default is 256 outstanding requests providing for 8MB +of outstanding data with a 32KB buffer. .It Fl r Recursively copy entire directories when uploading and downloading. Note that ---- work.clean/openssh-6.8p1/sftp.c 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/sftp.c 2015-04-03 17:16:00.959795000 -0500 -@@ -71,7 +71,11 @@ - #include "sftp-client.h" - - #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */ -+#ifdef HPN_ENABLED -+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */ -+#else - #define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */ -+#endif - - /* File to read commands from */ - FILE* infile; ---- work/openssh-7.7p1/ssh.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/ssh.c 2018-06-27 17:05:30.011979000 -0700 -@@ -954,6 +954,14 @@ main(int ac, char **av) +--- work/openssh/ssh.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/ssh.c 2021-04-28 14:51:04.682167000 -0700 +@@ -1027,6 +1027,14 @@ main(int ac, char **av) break; case 'T': options.request_tty = REQUEST_TTY_NO; +#ifdef NONE_CIPHER_ENABLED + /* + * ensure that the user doesn't try to backdoor a + * null cipher switch on an interactive session + * so explicitly disable it no matter what. + */ + options.none_switch = 0; +#endif break; case 'o': line = xstrdup(optarg); -@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes - NULL, fileno(stdin), &command, environ); +@@ -2056,6 +2064,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes + NULL, fileno(stdin), command, environ); } +static void -+hpn_options_init(void) ++hpn_options_init(struct ssh *ssh) +{ + /* + * We need to check to see if what they want to do about buffer + * sizes here. 
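Review bot: Clearing `options.none_switch` inside `case 'T'` is order-dependent: `-o` options are applied as getopt encounters them, so `ssh -T -o NoneSwitch=yes host` re-enables the switch after the reset while `ssh -o NoneSwitch=yes -T host` does not, and the comment's "no matter what" is therefore not true. Enforce it once after the option loop instead, e.g. `if (options.request_tty == REQUEST_TTY_NO) options.none_switch = 0;`; that spot, like the rest of main(), lies outside this hunk. A config file cannot be the source in either case, since readconf.c only honours NoneSwitch from the "command-line" pseudo-file.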
In a hpn to nonhpn connection we want to limit + * the window size to something reasonable in case the far side + * has the large window bug. In hpn to hpn connection we want to + * use the max window size but allow the user to override it + * lastly if they disabled hpn then use the ssh std window size. + * + * So why don't we just do a getsockopt() here and set the + * ssh window to that? In the case of a autotuning receive + * window the window would get stuck at the initial buffer + * size generally less than 96k. Therefore we need to set the + * maximum ssh window size to the maximum hpn buffer size + * unless the user has specifically set the tcprcvbufpoll + * to no. In which case we *can* just set the window to the + * minimum of the hpn buffer size and tcp receive buffer size. + */ + + if (tty_flag) + options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; + else + options.hpn_buffer_size = 2 * 1024 * 1024; + -+ if (datafellows & SSH_BUG_LARGEWINDOW) { ++ if (ssh->compat & SSH_BUG_LARGEWINDOW) { + debug("HPN to Non-HPN Connection"); + } else { + int sock, socksize; + socklen_t socksizelen; + if (options.tcp_rcv_buf_poll <= 0) { + sock = socket(AF_INET, SOCK_STREAM, 0); + socksizelen = sizeof(socksize); + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, + &socksize, &socksizelen); + close(sock); + debug("socksize %d", socksize); + options.hpn_buffer_size = socksize; + debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size); + } else { + if (options.tcp_rcv_buf > 0) { + /* + * Create a socket but don't connect it: + * we use that the get the rcv socket size + */ + sock = socket(AF_INET, SOCK_STREAM, 0); + /* + * If they are using the tcp_rcv_buf option, + * attempt to set the buffer size to that. 
+ */ + if (options.tcp_rcv_buf) { + socksizelen = sizeof(options.tcp_rcv_buf); + setsockopt(sock, SOL_SOCKET, SO_RCVBUF, + &options.tcp_rcv_buf, socksizelen); + } + socksizelen = sizeof(socksize); + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, + &socksize, &socksizelen); + close(sock); + debug("socksize %d", socksize); + options.hpn_buffer_size = socksize; + debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size); + } + } + } + + debug("Final hpn_buffer_size = %d", options.hpn_buffer_size); + + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); +} + /* open new channel for a session */ static int ssh_session2_open(struct ssh *ssh) -@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh) +@@ -2082,9 +2162,17 @@ ssh_session2_open(struct ssh *ssh) if (!isatty(err)) set_nonblock(err); +#ifdef HPN_ENABLED + window = options.hpn_buffer_size; +#else window = CHAN_SES_WINDOW_DEFAULT; +#endif + packetmax = CHAN_SES_PACKET_DEFAULT; if (tty_flag) { +#ifdef HPN_ENABLED + window = CHAN_SES_WINDOW_DEFAULT; +#endif window >>= 1; packetmax >>= 1; } -@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh) +@@ -2093,6 +2181,12 @@ ssh_session2_open(struct ssh *ssh) window, packetmax, CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); +#ifdef HPN_ENABLED + if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) { + c->dynamic_window = 1; + debug ("Enabled Dynamic Window Scaling"); + } +#endif - debug3("%s: channel_new: %d", __func__, c->self); + debug3_f("channel_new: %d", c->self); channel_send_open(ssh, c->self); -@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw) +@@ -2108,6 +2202,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in { - int devnull, id = -1; + int r, id = -1; char *cp, *tun_fwd_ifname = NULL; + +#ifdef HPN_ENABLED + /* + * We need to initialize this early because the forwarding logic below + * might open channels that use the hpn buffer sizes. 
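Review bot: hpn_options_init() overwrites `options.hpn_buffer_size` unconditionally at its top (`CHAN_SES_WINDOW_DEFAULT` or 2MB) and again from the probed socket, so a HPNBufferSize the user set and that fill_default_options() already scaled to bytes is discarded, contradicting the function's own comment about letting the user override it. Guard the defaulting with `if (options.hpn_buffer_size == -1) {` (fill_default_options leaves it at -1 when unset) and skip the probe otherwise. Both `socket()`/`getsockopt()` probes also ignore their return values, leaving `socksize` uninitialised on failure; initialise it and check both calls as the servconf.c probe should.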
We can't send a + * window of -1 (the default) to the server as it breaks things. + */ -+ hpn_options_init(); ++ hpn_options_init(ssh); +#endif /* XXX should be pre-session */ if (!options.control_persist) --- work/openssh-7.7p1/sshbuf.h.orig 2018-06-27 16:11:24.503058000 -0700 +++ work/openssh-7.7p1/sshbuf.h 2018-06-27 16:12:01.359375000 -0700 @@ -28,7 +28,11 @@ # endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ +#ifdef HPN_ENABLED +#define SSHBUF_SIZE_MAX 0xF000000 /* Hard maximum size 256MB */ +#else #define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */ +#endif #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */ #define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */ #define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */ --- work/openssh/sshconnect.c.orig 2020-09-27 00:25:01.000000000 -0700 +++ work/openssh/sshconnect.c 2020-11-10 21:35:40.945330000 -0800 @@ -361,7 +361,32 @@ check_ifaddrs(const char *ifname, int af, const struct } #endif +#ifdef HPN_ENABLED /* + * Set TCP receive buffer if requested. + * Note: tuning needs to happen after the socket is + * created but before the connection happens + * so winscale is negotiated properly -cjr + */ +static void +ssh_set_socket_recvbuf(int sock) +{ + void *buf = (void *)&options.tcp_rcv_buf; + int sz = sizeof(options.tcp_rcv_buf); + int socksize; + socklen_t socksizelen = sizeof(socksize); + + debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf); + if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) { + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen); + debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize); + } else + error("Couldn't set socket receive buffer to %d: %.100s", + options.tcp_rcv_buf, strerror(errno)); +} +#endif + +/* * Creates a socket for use as the ssh connection. */ static int 
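Review bot: The HPN value of SSHBUF_SIZE_MAX, `0xF000000`, is 240 MiB, not the 256MB the comment states (256 MiB would be 0x10000000), and the same "256MB" figure is repeated in the readconf.c messages and the channels.c comment; either change the comment to `/* Hard maximum size 240MB (HPN) */` or change the constant, but make them agree. Raising this cap presumably affects every sshbuf in the process, not only HPN channel buffers, so a comment on why the larger bound is acceptable for pre-authentication buffers would be worth adding.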
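Review bot: ssh_set_socket_recvbuf() logs `strerror(errno)` on the success path of setsockopt(), where errno is whatever an earlier call left behind, and ignores getsockopt()'s result, so `socksize` may be printed uninitialised. Check the read-back and drop the stale errno: `if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen) == 0) debug("setsockopt SO_RCVBUF: now %d", socksize);`. Passing `&options.tcp_rcv_buf` with `sizeof(int)` matches SO_RCVBUF's expected type, so that part is fine.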
@@ -383,6 +408,11 @@ ssh_create_socket(struct addrinfo *ai) } fcntl(sock, F_SETFD, FD_CLOEXEC); +#ifdef HPN_ENABLED + if (options.tcp_rcv_buf > 0) + ssh_set_socket_recvbuf(sock); +#endif + /* Bind the socket to an alternative local IP address */ if (options.bind_address == NULL && options.bind_interface == NULL) return sock; 
@@ -1289,7 +1319,8 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const lowercase(host); /* Exchange protocol version identification strings with the server. */ - if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0) + if ((r = kex_exchange_identification(ssh, timeout_ms, NULL, + options.hpn_disabled)) != 0) sshpkt_fatal(ssh, r, "banner exchange"); /* Put the connection into non-blocking mode. */ ---- sshconnect2.c.orig 2020-02-13 16:40:54.000000000 -0800 -+++ sshconnect2.c 2020-03-22 11:10:01.017282000 -0700 -@@ -83,7 +83,13 @@ +--- work/openssh/sshconnect2.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/sshconnect2.c 2021-04-28 14:51:57.237202000 -0700 +@@ -84,7 +84,13 @@ extern char *client_version_string; extern char *server_version_string; extern Options options; +#ifdef NONE_CIPHER_ENABLED +/* tty_flag is set in ssh.c. use this in ssh_userauth2 */ +/* if it is set then prevent the switch to the null cipher */ +extern int tty_flag; +#endif + /* * SSH2 key exchange */ -@@ -156,10 +162,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd +@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd return ret; } +static char *myproposal[PROPOSAL_MAX]; +static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT }; void - ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) + ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, + const struct ssh_conn_info *cinfo) { - char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; char *s, *all_key; int r, use_known_hosts_order = 0; -@@ -183,6 +190,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr - fatal("%s: kex_assemble_namelist", __func__); +@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr + fatal_fr(r, "kex_assemble_namelist"); free(all_key); + memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) - 
fatal("%s: kex_names_cat", __func__); - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); -@@ -435,6 +443,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, + fatal_f("kex_names_cat"); + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s); +@@ -489,6 +497,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, if (!authctxt.success) fatal("Authentication failed."); +#ifdef NONE_CIPHER_ENABLED + /* + * if the user wants to use the none cipher do it + * post authentication and only if the right conditions are met + * both of the NONE commands must be true and there must be no + * tty allocated. + */ + if ((options.none_switch == 1) && (options.none_enabled == 1)) { + if (!tty_flag) { /* no null on tty sessions */ + debug("Requesting none rekeying..."); + memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; + kex_prop2buf(ssh->kex->my, myproposal); + packet_request_rekeying(); + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); + } else { + /* requested NONE cipher when in a tty */ + debug("Cannot switch to NONE cipher with tty allocated"); + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); + } + } +#endif + debug("Authentication succeeded (%s).", authctxt.method->name); } --- work/openssh/sshd.c.orig 2020-11-10 21:36:31.340159000 -0800 +++ work/openssh/sshd.c 2020-11-10 21:37:10.097038000 -0800 @@ -1065,6 +1065,10 @@ listen_on_addrs(struct listenaddr *la) int ret, listen_sock; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; +#ifdef HPN_ENABLED + int socksize; + socklen_t socksizelen = sizeof(socksize); +#endif for (ai = la->addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 
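Review bot: The post-authentication none-cipher rekey in ssh_userauth2() rebuilds the proposal from `myproposal_default`, i.e. the raw KEX_CLIENT table, so the rekey silently discards what ssh_kex2() put into `myproposal` for the first exchange (the user's KexAlgorithms/Ciphers/MACs/HostKeyAlgorithms and the `compat_kex_proposal(ssh, s)` result visible in the earlier hunk), which lets the rekey negotiate algorithms the user had disabled. The proposal for the rekey should be derived from what was actually sent in the first KEX (the buffer already in `ssh->kex->my`, e.g. via kex_buf2prop() if this tree has it) with only the two PROPOSAL_ENC_ALGS_* entries replaced. Offering exactly "none" also means a server without NoneEnabled presumably fails the rekey, and with it the session, rather than falling back; at minimum that failure mode belongs in the comment above the block. The enclosing ssh_userauth2() starts and ends outside this hunk.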
@@ -1110,6 +1114,13 @@ listen_on_addrs(struct listenaddr *la) debug("Bind to port %s on %s.", strport, ntop); +#ifdef HPN_ENABLED + getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, + &socksize, &socksizelen); + debug("Server TCP RWIN socket size: %d", socksize); + debug("HPN Buffer Size: %d", options.hpn_buffer_size); +#endif + /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { error("Bind to port %s on %s failed: %.200s.", @@ -1753,6 +1764,15 @@ main(int ac, char **av) /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); +#ifdef NONE_CIPHER_ENABLED + if (options.none_enabled == 1) { + char *old_ciphers = options.ciphers; + + xasprintf(&options.ciphers, "%s,none", old_ciphers); + free(old_ciphers); + } +#endif + /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; @@ -2220,6 +2240,11 @@ main(int ac, char **av) rdomain == NULL ? "" : "\""); free(laddr); +#ifdef HPN_ENABLED + /* set the HPN options for the child */ + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); +#endif + /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is @@ -2233,7 +2258,7 @@ main(int ac, char **av) alarm(options.login_grace_time); if ((r = kex_exchange_identification(ssh, -1, - options.version_addendum)) != 0) + options.version_addendum, options.hpn_disabled)) != 0) sshpkt_fatal(ssh, r, "banner exchange"); ssh_packet_set_nonblocking(ssh); 
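Review bot: The new getsockopt() in listen_on_addrs() ignores its return value, so on failure the debug line prints an uninitialised `socksize`. Wrap it as `if (getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen) == -1) debug("getsockopt SO_RCVBUF: %.100s", strerror(errno)); else debug("Server TCP RWIN socket size: %d", socksize);` so the log only reports a value that was actually read. The same pattern appears in the client-side sshconnect.c hunk and should be fixed consistently.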
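Review bot: The `xasprintf(&options.ciphers, "%s,none", old_ciphers)` added to main() appends "none" to the server's cipher list for every key exchange, including the initial one, and nothing in these hunks restricts it to a post-authentication rekey. Because the negotiated cipher is the first entry of the client's list that the server also accepts, any client that lists "none" first obtains an unencrypted transport before authentication, so passwords and keyboard-interactive responses would cross the wire in clear; the cooperating client in sshconnect2.c only switches after auth, but the server cannot tell that from a hostile one. If a server-side gate on authentication state is not feasible here, the NoneEnabled description in sshd_config and the server log should say plainly that enabling it permits plaintext sessions from the first KEX. The enclosing main() extends well beyond this hunk.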
@@ -2397,6 +2422,11 @@ do_ssh2_kex(struct ssh *ssh) char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; struct kex *kex; int r; + +#ifdef NONE_CIPHER_ENABLED + if (options.none_enabled == 1) + debug ("WARNING: None cipher enabled"); +#endif myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( options.kex_algorithms); --- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500 +++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500 @@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server +# the following are HPN related configuration options +# tcp receive buffer polling. disable in non autotuning kernels +#TcpRcvBufPoll yes + +# disable hpn performance boosts +#HPNDisabled no + +# buffer size for hpn to non-hpn connections +#HPNBufferSize 2048 + + +# allow the use of the none cipher +#NoneEnabled no + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no --- work/openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700 @@ -4,3 +4,4 @@ #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +#define SSH_HPN "-hpn14v15" --- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700 +++ work/openssh/kex.h 2019-07-10 17:35:41.997522000 -0700 @@ -178,7 +178,7 @@ char *kex_alg_list(char); char *kex_names_cat(const char *, const char *); int kex_assemble_names(char **, const char *, const char *); -int kex_exchange_identification(struct ssh *, int, const char *); +int kex_exchange_identification(struct ssh *, int, const char *, int); struct kex *kex_new(void); int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat index a02b674ff8b0..c47d0a1d3b5d 100644 --- a/security/openssh-portable/files/extra-patch-hpn-compat 
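Review bot: In do_ssh2_kex() the "None cipher enabled" warning is emitted with debug(), which is invisible at the default LogLevel, so an administrator who has left NoneEnabled on gets no indication in normal logs that unencrypted transport is on offer. A state that disables confidentiality for the whole session should be logged at the default level, e.g. `logit("NoneEnabled is set: the none cipher is offered to clients");`. While here, `debug (` has a stray space before the parenthesis that the rest of the file does not use.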
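Review bot: The sample sshd_config text describes NoneEnabled only as "allow the use of the none cipher", which does not tell an operator that the option turns off transport encryption. I would reword the comment to something like "NoneEnabled: allow clients to negotiate the none cipher, which sends session data unencrypted (MAC still applies); only for trusted networks", and give `#HPNBufferSize 2048` a unit so the number is not ambiguous.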
+++ b/security/openssh-portable/files/extra-patch-hpn-compat @@ -1,46 +1,46 @@ ------------------------------------------------------------------------ r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines Changed paths: M /head/crypto/openssh/servconf.c Instead of removing the NoneEnabled option, mark it as unsupported. (should have done this in r291198, but didn't think of it until now) ------------------------------------------------------------------------ ------------------------------------------------------------------------ r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines Changed paths: M /head/crypto/openssh/readconf.c r294563 was incomplete; re-add the client-side options as well. ------------------------------------------------------------------------ ---- readconf.c.orig 2020-03-21 16:51:23.450425000 -0700 -+++ readconf.c 2020-03-21 17:00:01.827757000 -0700 -@@ -310,6 +310,12 @@ static struct { - { "ignoreunknown", oIgnoreUnknown }, +--- readconf.c.orig 2021-04-27 11:24:15.916596000 -0700 ++++ readconf.c 2021-04-27 11:25:24.222034000 -0700 +@@ -316,6 +316,12 @@ static struct { { "proxyjump", oProxyJump }, { "securitykeyprovider", oSecurityKeyProvider }, + { "knownhostscommand", oKnownHostsCommand }, + { "hpndisabled", oDeprecated }, + { "hpnbuffersize", oDeprecated }, + { "tcprcvbufpoll", oDeprecated }, + { "tcprcvbuf", oDeprecated }, + { "noneenabled", oUnsupported }, + { "noneswitch", oUnsupported }, { NULL, oBadOption } }; --- servconf.c.orig 2020-02-13 16:40:54.000000000 -0800 +++ servconf.c 2020-03-21 17:01:18.011062000 -0700 
@@ -695,6 +695,10 @@ static struct { { "rdomain", sRDomain, SSHCFG_ALL }, { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, + { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; diff --git a/security/openssh-portable/files/patch-auth.c b/security/openssh-portable/files/patch-auth.c deleted file mode 100644 index f9fba8b6ebc8..000000000000 --- a/security/openssh-portable/files/patch-auth.c +++ /dev/null @@ -1,21 +0,0 @@ ---- UTC -r100838 | fanf | 2002-07-28 19:36:24 -0500 (Sun, 28 Jul 2002) | 7 lines -Changed paths: - M /head/crypto/openssh/auth.c - -Use login_getpwclass() instead of login_getclass() so that the root -vs. default login class distinction is made correctly. - -PR: 37416 - ---- auth.c.orig 2010-08-12 11:33:01.000000000 -0600 -+++ auth.c 2010-09-14 16:14:12.000000000 -0600 -@@ -594,7 +594,7 @@ - if (!allowed_user(pw)) - return (NULL); - #ifdef HAVE_LOGIN_CAP -- if ((lc = login_getclass(pw->pw_class)) == NULL) { -+ if ((lc = login_getpwclass(pw)) == NULL) { - debug("unable to get login class: %s", user); - return (NULL); - } diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c deleted file mode 100644 index 8d98c57c2f82..000000000000 --- a/security/openssh-portable/files/patch-readconf.c +++ /dev/null 
@@ -1,22 +0,0 @@ ---- UTC -base defaults - -r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/myproposal.h - M /head/crypto/openssh/readconf.c - M /head/crypto/openssh/servconf.c - -Apply FreeBSD's configuration defaults. - ---- readconf.c.orig 2014-07-17 23:11:26.000000000 -0500 -+++ readconf.c 2014-11-03 16:45:05.188796445 -0600 -@@ -1934,7 +1946,7 @@ fill_default_options(Options * options) - if (options->batch_mode == -1) - options->batch_mode = 0; - if (options->check_host_ip == -1) -- options->check_host_ip = 1; -+ options->check_host_ip = 0; - if (options->strict_host_key_checking == -1) - options->strict_host_key_checking = 2; /* 2 is default */ - if (options->compression == -1) diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index 84c78b3f9526..b0b9e08008f8 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c 
@@ -1,78 +1,78 @@ bdrewery: - Refactor and simplify original commit. - Stop setting TERM=su without a term. ------------------------------------------------------------------------ r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines Changed paths: M /head/crypto/openssh/session.c Make sure the environment variables set by setusercontext() are passed on to the child process. Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c.orig 2020-09-27 00:25:01.000000000 -0700 -+++ session.c 2020-11-19 14:41:50.745308000 -0800 -@@ -946,7 +946,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui +--- session.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ session.c 2021-04-27 13:11:13.515917000 -0700 +@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui } #endif /* HAVE_ETC_DEFAULT_LOGIN */ -#if defined(USE_PAM) || defined(HAVE_CYGWIN) +#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP) static void - copy_environment_blacklist(char **source, char ***env, u_int *envsize, - const char *blacklist) -@@ -1056,7 +1056,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char * + copy_environment_denylist(char **source, char ***env, u_int *envsize, + const char *denylist) +@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ - if (!options.use_pam) { + /* FreeBSD PAM doesn't set default "MAIL" */ + if (1 || !options.use_pam) { snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); child_set_env(&env, &envsize, "MAIL", buf); -@@ -1067,6 +1068,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char * if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); +#ifdef HAVE_LOGIN_CAP + /* Load environment from /etc/login.conf setenv directives. 
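Review bot: The condition `if (1 || !options.use_pam)` in do_setup_env() is a dead test: `1 ||` makes the branch unconditional while still reading as if it depended on use_pam. Drop the conditional and keep the explanation as the comment, e.g. `/* FreeBSD PAM doesn't set MAIL, so set it here regardless of UsePAM. */` followed by the unconditional snprintf/child_set_env pair, so the intent is visible without the reader having to notice the constant. do_setup_env() starts and ends outside this hunk.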
*/ + { + extern char **environ; + char **senv, **var; + + senv = environ; + environ = xmalloc(sizeof(char *)); + *environ = NULL; + (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV); -+ copy_environment_blacklist(environ, &env, &envsize, NULL); ++ copy_environment_denylist(environ, &env, &envsize, NULL); + for (var = environ; *var != NULL; ++var) + free(*var); + free(environ); + environ = senv; + } +#endif if (s->term) child_set_env(&env, &envsize, "TERM", s->term); if (s->display) -@@ -1285,7 +1303,7 @@ do_nologin(struct passwd *pw) +@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw) #ifdef HAVE_LOGIN_CAP if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0) return; - nl = login_getcapstr(lc, "nologin", def_nl, def_nl); + nl = (char*)login_getcapstr(lc, "nologin", def_nl, def_nl); #else if (pw->pw_uid == 0) return; -@@ -1373,7 +1391,7 @@ do_setusercontext(struct passwd *pw) +@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { + (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context"); exit(1); } diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index 547c8e4958e2..de53881aa541 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c 
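Review bot: The login.conf environment block in do_setup_env() ignores the return value of `setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV)`, so a failure to apply the class's setenv entries is silent while the rest of the function proceeds with whatever partial state was produced. Record it, e.g. `if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV) != 0) error("setusercontext(LOGIN_SETENV): %.100s", strerror(errno));`, and consider whether the session should continue at all when the class environment could not be applied. The block also copies everything with a NULL denylist; a one-line comment stating that login.conf is treated as administrator-controlled here would make that choice explicit for the next reader. The enclosing do_setup_env() extends beyond this hunk.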
@@ -1,94 +1,95 @@ --- UTC r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines Set the ruid to the euid at startup as a workaround for a bug in pam_ssh. r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2020-09-27 00:25:01.000000000 -0700 -+++ ssh-agent.c 2020-11-09 09:07:10.924940000 -0800 -@@ -171,15 +171,34 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; +--- ssh-agent.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ ssh-agent.c 2021-04-27 11:47:59.362589000 -0700 +@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; /* Refuse signing of non-SSH messages for web-origin FIDO keys */ static int restrict_websafe = 1; +/* + * Client connection count; incremented in new_socket() and decremented in + * close_socket(). When it reaches 0, ssh-agent will exit. Since it is + * normally initialized to 1, it will never reach 0. However, if the -x + * option is specified, it is initialized to 0 in main(); in that case, + * ssh-agent will exit as soon as it has had at least one client but no + * longer has any. + */ +static int xcount = 1; + static void close_socket(SocketEntry *e) { + int last = 0; + + if (e->type == AUTH_CONNECTION) { + debug("xcount %d -> %d", xcount, xcount - 1); + if (--xcount == 0) + last = 1; + } close(e->fd); - e->fd = -1; - e->type = AUTH_UNUSED; sshbuf_free(e->input); sshbuf_free(e->output); - sshbuf_free(e->request); +@@ -181,6 +198,8 @@ close_socket(SocketEntry *e) + memset(e, '\0', sizeof(*e)); + e->fd = -1; + e->type = AUTH_UNUSED; + if (last) + cleanup_exit(0); } static void -@@ -961,6 +980,10 @@ new_socket(sock_type type, int fd) - { - u_int i, old_alloc, new_alloc; +@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd) + debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" : + (type == AUTH_SOCKET ? 
"SOCKET" : "UNKNOWN")); + if (type == AUTH_CONNECTION) { + debug("xcount %d -> %d", xcount, xcount + 1); + ++xcount; + } set_nonblock(fd); if (fd > max_fd) -@@ -1261,7 +1284,7 @@ static void +@@ -1360,7 +1383,7 @@ static void usage(void) { fprintf(stderr, - "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" + "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" " [-P allowed_providers] [-t life]\n" " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n" " [-t life] command [arg ...]\n" -@@ -1295,6 +1318,7 @@ main(int ac, char **av) +@@ -1394,6 +1417,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); + setuid(geteuid()); platform_disable_tracing(0); /* strict=no */ -@@ -1306,7 +1330,7 @@ main(int ac, char **av) +@@ -1405,7 +1429,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); - while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) { + while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) { switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1355,6 +1379,9 @@ main(int ac, char **av) +@@ -1454,6 +1478,9 @@ main(int ac, char **av) fprintf(stderr, "Invalid lifetime\n"); usage(); } + break; + case 'x': + xcount = 0; break; default: usage(); diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5 index 36bfa04c25f1..8c0e2bf1d5be 100644 --- a/security/openssh-portable/files/patch-ssh_config.5 +++ b/security/openssh-portable/files/patch-ssh_config.5 
@@ -1,27 +1,13 @@ --- UTC -r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines - -Document the FreeBSD default for CheckHostIP, which was changed in -rev 1.2 of readconf.c. --- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800 +++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800 -@@ -420,8 +420,7 @@ or - .Cm no . - .It Cm CheckHostIP - If set to --.Cm yes --(the default), -+.Cm yes , - .Xr ssh 1 - will additionally check the host IP address in the - .Pa known_hosts @@ -434,6 +433,8 @@ in the process, regardless of the setting of If the option is set to .Cm no , the check will not be executed. +The default is +.Cm no . .It Cm Ciphers Specifies the ciphers allowed and their order of preference. Multiple ciphers must be comma-separated. diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c index c165453ece16..6374e22bbacc 100644 --- a/security/openssh-portable/files/patch-sshd.c +++ b/security/openssh-portable/files/patch-sshd.c 
@@ -1,100 +1,101 @@ --- UTC r109683 | des | 2003-01-22 08:12:59 -0600 (Wed, 22 Jan 2003) | 7 lines Changed paths: M /head/crypto/openssh/sshd.c Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted. PR: 39953, 40894 Submitted by: dinoex r199804 | attilio | 2009-11-25 09:12:24 -0600 (Wed, 25 Nov 2009) | 13 lines Changed paths: M /head/crypto/openssh/sshd.c M /head/usr.sbin/cron/cron/cron.c M /head/usr.sbin/inetd/inetd.c M /head/usr.sbin/syslogd/syslogd.c Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails. Note: in future it would be interesting to find a way to do that selectively for any desired proccess (choosen by user himself), probabilly via a ptrace interface or whatever. r206397 | kib | 2010-04-08 07:07:40 -0500 (Thu, 08 Apr 2010) | 8 lines Changed paths: M /head/crypto/openssh/sshd.c Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. ---- sshd.c.orig 2010-04-15 23:56:22.000000000 -0600 -+++ sshd.c 2010-09-14 16:14:13.000000000 -0600 +--- sshd.c.orig 2021-04-27 11:49:55.540744000 -0700 ++++ sshd.c 2021-04-27 11:50:20.239225000 -0700 
@@ -46,6 +46,7 @@ #include #include +#include #include #ifdef HAVE_SYS_STAT_H # include -@@ -83,6 +84,13 @@ +@@ -85,6 +86,13 @@ #include #endif +#ifdef __FreeBSD__ +#include +#ifdef GSSAPI +#include "ssh-gss.h" +#endif +#endif + #include "xmalloc.h" #include "ssh.h" - #include "ssh1.h" -@@ -1877,6 +1885,10 @@ - /* Reinitialize the log (because of the fork above). */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); - -+ /* Avoid killing the process in high-pressure swapping environments. */ -+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0) -+ debug("madvise(): %.200s", strerror(errno)); -+ - /* Chdir to the root directory so that the current disk can be - unmounted if desired. */ - if (chdir("/") == -1) -@@ -1995,6 +2007,29 @@ - signal(SIGCHLD, SIG_DFL); - signal(SIGINT, SIG_DFL); + #include "ssh2.h" +@@ -2007,7 +2015,30 @@ main(int ac, char **av) + for (i = 0; i < options.num_log_verbose; i++) + log_verbose_add(options.log_verbose[i]); +#ifdef __FreeBSD__ -+ /* + /* + * Initialize the resolver. This may not happen automatically + * before privsep chroot(). + */ + if ((_res.options & RES_INIT) == 0) { + debug("res_init()"); + res_init(); + } +#ifdef GSSAPI + /* + * Force GSS-API to parse its configuration and load any + * mechanism plugins. + */ + { + gss_OID_set mechs; + OM_uint32 minor_status; + gss_indicate_mechs(&minor_status, &mechs); + gss_release_oid_set(&minor_status, &mechs); + } +#endif +#endif + ++ /* + * If not in debugging mode, not started from inetd and not already + * daemonized (eg re-exec via SIGHUP), disconnect from the controlling + * terminal, and fork. The original process exits. +@@ -2022,6 +2053,10 @@ main(int ac, char **av) + } + /* Reinitialize the log (because of the fork above). */ + log_init(__progname, options.log_level, options.log_facility, log_stderr); ++ ++ /* Avoid killing the process in high-pressure swapping environments. 
*/ ++ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0) ++ debug("madvise(): %.200s", strerror(errno)); + /* - * Register our connection. This turns encryption off because we do - * not have a key. + * Chdir to the root directory so that the current disk can be diff --git a/security/openssh-portable/files/patch-zz-8.4-CVE-2021-28041 b/security/openssh-portable/files/patch-zz-8.4-CVE-2021-28041 deleted file mode 100644 index 4ac4a7061cb6..000000000000 --- a/security/openssh-portable/files/patch-zz-8.4-CVE-2021-28041 +++ /dev/null @@ -1,32 +0,0 @@ -untrusted comment: verify with openbsd-68-base.pub -RWQZj25CSG5R2lgsgSLgQjjy3/BFahe7C64NJOej05Naf0mm//TKykuXL7pxOVsY5rnXH0A6vBdO5UNx7PkuTxLOACHx5xV7Gws= - -OpenBSD 6.8 errata 015, March 4, 2021: - -Double free in ssh-agent(1) - -Apply by doing: - signify -Vep /etc/signify/openbsd-68-base.pub -x 015_sshagent.patch.sig \ - -m - | (cd /usr/src && patch -p0) - -And then rebuild and install ssh (as well as ssh-agent) - cd /usr/src/usr.bin/ssh - make obj - make clean - make - make install - -Index: usr.bin/ssh/ssh-agent.c -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/ssh-agent.c,v -diff -u -p -u -r1.264 ssh-agent.c ---- ssh-agent.c 18 Sep 2020 08:16:38 -0000 1.264 -+++ ssh-agent.c 3 Mar 2021 01:08:25 -0000 -@@ -567,6 +567,7 @@ process_add_identity(SocketEntry *e) - goto err; - } - free(ext_name); -+ ext_name = NULL; - break; - default: - error("%s: Unknown constraint %d", __func__, ctype);
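Review bot: The GSS-API warm-up added to main() in patch-sshd.c calls `gss_indicate_mechs(&minor_status, &mechs)` without checking the major status and then passes `mechs` to gss_release_oid_set() unconditionally, so on failure an uninitialised `mechs` is handed to the release routine. Initialise the set to GSS_C_NO_OID_SET, test the major status, and only release on success, as below; the earlier madvise(MADV_PROTECT) hunk already reports its failure via debug() and this block should do the same. Note the hunk's `+#include` lines appear to have lost their header names in this rendering, which is worth checking in the actual patch file.
```c
#ifdef GSSAPI
	{
		gss_OID_set mechs = GSS_C_NO_OID_SET;
		OM_uint32 major_status, minor_status;

		major_status = gss_indicate_mechs(&minor_status, &mechs);
		if (GSS_ERROR(major_status))
			debug("gss_indicate_mechs failed: major %u minor %u",
			    (unsigned)major_status, (unsigned)minor_status);
		else
			gss_release_oid_set(&minor_status, &mechs);
	}
#endif
```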