diff options
author | bdrewery <bdrewery@FreeBSD.org> | 2015-04-05 01:16:58 +0800 |
---|---|---|
committer | bdrewery <bdrewery@FreeBSD.org> | 2015-04-05 01:16:58 +0800 |
commit | 70766d757db9c83460023e50b6eda5aad9d18a35 (patch) | |
tree | 3c24e143524ade0c49397c63dd7559370a7e9269 /security/openssh-portable | |
parent | 8fb490aed0fe5818e594dd428211a5f3db4833bf (diff) | |
download | freebsd-ports-gnome-70766d757db9c83460023e50b6eda5aad9d18a35.tar.gz freebsd-ports-gnome-70766d757db9c83460023e50b6eda5aad9d18a35.tar.zst freebsd-ports-gnome-70766d757db9c83460023e50b6eda5aad9d18a35.zip |
- Update to 6.8p1
- Fix 'make test'
- HPN:
- NONECIPHER is no longer default. This is not default in base and should not
be default here as it introduces security holes.
- HPN: I've audited the patch and included it in the port directory for
transparency. I identified several bugs and submitted them to the new
upstream: https://github.com/rapier1/openssh-portable/pull/2
- HPN: The entire patch is now ifdef'd to ensure various bits are properly
removed depending on the OPTIONS selected.
- AES_THREADED is removed. It has questionable benefit on modern HW and is not
stable.
- The "enhanced logging" was removed from the patch as it is too
intrusive and difficult to maintain in the port.
- The progress meter "peak throughput" patch was removed.
- Fixed HPN version showing in client/server version string when HPN
was disabled in the config.
- KERB_GSSAPI is currently BROKEN as it does not apply.
- Update X509 to 8.3
Changelog: http://www.openssh.com/txt/release-6.8
Diffstat (limited to 'security/openssh-portable')
-rw-r--r-- | security/openssh-portable/Makefile | 50 | ||||
-rw-r--r-- | security/openssh-portable/distinfo | 16 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn | 1296 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn-build-options | 142 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn-no-hpn | 32 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn-window-size | 24 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-sshd-utmp-size | 12 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-tcpwrappers | 19 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-regress__test-exec.sh | 10 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-servconf.c | 30 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.c | 40 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshconnect.c | 12 |
12 files changed, 1389 insertions, 294 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index f7f3dac41c1b..eb739540edca 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 6.7p1 -PORTREVISION= 5 +DISTVERSION= 6.8p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} @@ -27,13 +27,10 @@ CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \ --without-zlib-version-check --with-ssl-engine ETCOLD= ${PREFIX}/etc -SUDO?= # empty -MAKE_ENV+= SUDO="${SUDO}" - OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ - OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER -OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER + OVERWRITE_BASE SCTP LDNS NONECIPHER +OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support @@ -47,7 +44,6 @@ OVERWRITE_BASE_DESC= EOL, No longer supported. HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) -AES_THREADED_DESC= Threaded AES-CTR NONECIPHER_DESC= NONE Cipher support OPTIONS_SUB= yes @@ -61,18 +57,17 @@ LDNS_CFLAGS= -I${LOCALBASE}/include LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib' # http://www.psc.edu/index.php/hpn-ssh -HPN_EXTRA_PATCHES= ${FILESDIR}/extra-patch-hpn-window-size HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher -AES_THREADED_CONFIGURE_WITH= aes-threaded # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 8.2 +X509_VERSION= 8.3 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 -X509_PATCHFILES= ${PORTNAME}-6.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-6.8p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 -SCTP_PATCHFILES= ${PORTNAME}-6.7p1-sctp-2496.patch.gz:-p1 +# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 +SCTP_PATCHFILES= ${PORTNAME}-6.8p1-sctp-2573.patch.gz:-p1 SCTP_CONFIGURE_WITH= sctp MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5 @@ -93,19 +88,15 @@ PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gs EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} .endif -# http://www.psc.edu/index.php/hpn-ssh -.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER} +# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} PORTDOCS+= HPN-README HPN_VERSION= 14v5 HPN_DISTVERSION= 6.7p1 #PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/} #PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn -PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-build-options -# Remove HPN if only AES requested -. if !${PORT_OPTIONS:MHPN} -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-no-hpn -. endif +#PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 .endif # Must add this patch after HPN due to conflicts @@ -133,7 +124,7 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum .if ${PORT_OPTIONS:MX509} -. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER} +. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} BROKEN= X509 patch and HPN patch do not apply cleanly together . endif @@ -147,6 +138,10 @@ BROKEN= X509 patch incompatible with KERB_GSSAPI patch .endif +. if ${PORT_OPTIONS:MKERB_GSSAPI} +BROKEN= Does not apply to 6.8 +. endif + .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently .endif @@ -218,14 +213,17 @@ post-install: ${STAGEDIR}${ETCDIR}//ssh_config.sample ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ ${STAGEDIR}${ETCDIR}/sshd_config.sample -.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER} +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} ${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} .endif -test: build - (cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \ +test: build + cd ${WRKSRC} && ${SETENV} -i \ + OBJ=${WRKDIR} ${MAKE_ENV} \ + TEST_SHELL=${SH} \ + SUDO="${SUDO}" \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ - ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS}) + ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests .include <bsd.port.post.mk> diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index ed8d0395f31d..eafe5741060d 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,12 +1,8 @@ -SHA256 (openssh-6.7p1.tar.gz) = b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 -SIZE (openssh-6.7p1.tar.gz) = 1351367 -SHA256 (openssh-6.7p1-hpnssh14v5.diff.gz) = 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6 -SIZE (openssh-6.7p1-hpnssh14v5.diff.gz) = 24326 -SHA256 (openssh-6.7p1+x509-8.2.diff.gz) = 85acfcd560b40d4533b82a4e3f443b7137b377868bab424dacdf00581c83240f -SIZE (openssh-6.7p1+x509-8.2.diff.gz) = 241798 +SHA256 (openssh-6.8p1.tar.gz) = 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e +SIZE (openssh-6.8p1.tar.gz) = 1475953 +SHA256 (openssh-6.8p1+x509-8.3.diff.gz) = 34dbefcce8509d3c876be3e7d8966455c7c3589a6872bdfb1f8ce3d133f4d304 +SIZE (openssh-6.8p1+x509-8.3.diff.gz) = 347942 SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8 SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825 -SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1 -SIZE (openssh-lpk-6.3p1.patch.gz) = 17815 -SHA256 (openssh-6.7p1-sctp-2496.patch.gz) = ec2b6aa8a6d65a2c11d4453a25294ae5082e7ed7c9f418ec081f750bfba022db -SIZE (openssh-6.7p1-sctp-2496.patch.gz) = 8052 +SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a +SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531 diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn new file mode 100644 index 000000000000..2649d8169fa0 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-hpn @@ -0,0 +1,1296 @@ +diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/openssh-6.8p1/HPN-README work/openssh-6.8p1/HPN-README +--- work.clean/openssh-6.8p1/HPN-README 1969-12-31 18:00:00.000000000 -0600 ++++ work/openssh-6.8p1/HPN-README 2015-04-01 22:16:49.869215000 -0500 +@@ -0,0 +1,129 @@ ++Notes: ++ ++MULTI-THREADED CIPHER: ++The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations ++on hosts with multiple cores to use more than one processing core during encryption. ++Tests have show significant throughput performance increases when using MTR-AES-CTR up ++to and including a full gigabit per second on quad core systems. It should be possible to ++achieve full line rate on dual core systems but OS and data management overhead makes this ++more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single ++thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal ++performance requires the MTR-AES-CTR mode be enabled on both ends of the connection. ++The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same ++nomenclature. ++Use examples: ssh -caes128-ctr you@host.com ++ scp -oCipher=aes256-ctr file you@host.com:~/file ++ ++NONE CIPHER: ++To use the NONE option you must have the NoneEnabled switch set on the server and ++you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE ++feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not ++spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will ++be disabled. ++ ++The performance increase will only be as good as the network and TCP stack tuning ++on the reciever side of the connection allows. As a rule of thumb a user will need ++at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The ++HPN-SSH home page describes this in greater detail. ++ ++http://www.psc.edu/networking/projects/hpn-ssh ++ ++BUFFER SIZES: ++ ++If HPN is disabled the receive buffer size will be set to the ++OpenSSH default of 64K. ++ ++If an HPN system connects to a nonHPN system the receive buffer will ++be set to the HPNBufferSize value. The default is 2MB but user adjustable. ++ ++If an HPN to HPN connection is established a number of different things might ++happen based on the user options and conditions. ++ ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set ++HPN Buffer Size = up to 64MB ++This is the default state. The HPN buffer size will grow to a maximum of 64MB ++as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is ++geared towards 10GigE transcontinental connections. ++ ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set ++HPN Buffer Size = TCP receive buffer value. ++Users on non-autotuning systesm should disable TCPRcvBufPoll in the ++ssh_cofig and sshd_config ++ ++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set ++HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. ++This would be the system defined TCP receive buffer (RWIN). ++ ++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET ++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. ++Generally there is no need to set both. ++ ++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set ++HPN Buffer Size = grows to HPNBufferSize ++The buffer will grow up to the maximum size specified here. ++ ++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET ++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. ++Generally there is no need to set both of these, especially on autotuning ++systems. However, if the users wishes to override the autotuning this would be ++one way to do it. ++ ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET ++HPN Buffer Size = TCPRcvBuf. ++This will override autotuning and set the TCP recieve buffer to the user defined ++value. ++ ++ ++HPN Specific Configuration options ++ ++TcpRcvBuf=[int]KB client ++ set the TCP socket receive buffer to n Kilobytes. It can be set up to the ++maximum socket size allowed by the system. This is useful in situations where ++the tcp receive window is set low but the maximum buffer size is set ++higher (as is typical). This works on a per TCP connection basis. You can also ++use this to artifically limit the transfer rate of the connection. In these ++cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB. ++Default is the current system wide tcp receive buffer size. ++ ++TcpRcvBufPoll=[yes/no] client/server ++ enable of disable the polling of the tcp receive buffer through the life ++of the connection. You would want to make sure that this option is enabled ++for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista) ++default is yes. ++ ++NoneEnabled=[yes/no] client/server ++ enable or disable the use of the None cipher. Care must always be used ++when enabling this as it will allow users to send data in the clear. However, ++it is important to note that authentication information remains encrypted ++even if this option is enabled. Set to no by default. ++ ++NoneSwitch=[yes/no] client ++ Switch the encryption cipher being used to the None cipher after ++authentication takes place. NoneEnabled must be enabled on both the client ++and server side of the connection. When the connection switches to the NONE ++cipher a warning is sent to STDERR. The connection attempt will fail with an ++error if a client requests a NoneSwitch from the server that does not explicitly ++have NoneEnabled set to yes. Note: The NONE cipher cannot be used in ++interactive (shell) sessions and it will fail silently. Set to no by default. ++ ++HPNDisabled=[yes/no] client/server ++ In some situations, such as transfers on a local area network, the impact ++of the HPN code produces a net decrease in performance. In these cases it is ++helpful to disable the HPN functionality. By default HPNDisabled is set to no. ++ ++HPNBufferSize=[int]KB client/server ++ This is the default buffer size the HPN functionality uses when interacting ++with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf ++option as applied to the internal SSH flow control. This value can range from ++1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance ++problems depending on the length of the network path. The default size of this buffer ++is 2MB. ++ ++ ++Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu) ++ The majority of the actual coding for versions up to HPN12v1 was performed ++ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was ++ implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota ++ (tasota@gmail.com) an NSF REU grant recipient for 2013. ++ This work was financed, in part, by Cisco System, Inc., the National ++ Library of Medicine, and the National Science Foundation. +--- work.clean/openssh-6.8p1/channels.c 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/channels.c 2015-04-03 15:51:59.599537000 -0500 +@@ -183,8 +183,14 @@ + static int connect_next(struct channel_connect *); + static void channel_connect_ctx_free(struct channel_connect *); + ++ ++#ifdef HPN_ENABLED ++static int hpn_disabled = 0; ++static int hpn_buffer_size = 2 * 1024 * 1024; ++#endif ++ + /* -- channel core */ + + Channel * + channel_by_id(int id) + { +@@ -333,6 +339,9 @@ + c->local_window_max = window; + c->local_consumed = 0; + c->local_maxpacket = maxpack; ++#ifdef HPN_ENABLED ++ c->dynamic_window = 0; ++#endif + c->remote_id = -1; + c->remote_name = xstrdup(remote_name); + c->remote_window = 0; +@@ -837,11 +846,41 @@ + FD_SET(c->sock, writeset); + } + ++#ifdef HPN_ENABLED ++static u_int ++channel_tcpwinsz(void) ++{ ++ u_int32_t tcpwinsz = 0; ++ socklen_t optsz = sizeof(tcpwinsz); ++ int ret = -1; ++ ++ /* if we aren't on a socket return 128KB */ ++ if (!packet_connection_is_on_socket()) ++ return (128*1024); ++ ret = getsockopt(packet_get_connection_in(), ++ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); ++ /* return no more than SSHBUF_SIZE_MAX */ ++ if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX) ++ tcpwinsz = SSHBUF_SIZE_MAX; ++ debug2("tcpwinsz: %d for connection: %d", tcpwinsz, ++ packet_get_connection_in()); ++ return (tcpwinsz); ++} ++#endif ++ + static void + channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) + { + u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); + ++#ifdef HPN_ENABLED ++ /* check buffer limits */ ++ if (!c->tcpwinsz || c->dynamic_window > 0) ++ c->tcpwinsz = channel_tcpwinsz(); ++ ++ limit = MIN(limit, 2 * c->tcpwinsz); ++#endif ++ + if (c->istate == CHAN_INPUT_OPEN && + limit > 0 && + buffer_len(&c->input) < limit && +@@ -1846,6 +1885,20 @@ + c->local_maxpacket*3) || + c->local_window < c->local_window_max/2) && + c->local_consumed > 0) { ++#ifdef HPN_ENABLED ++ /* adjust max window size if we are in a dynamic environment */ ++ if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) { ++ u_int addition = 0; ++ ++ /* ++ * grow the window somewhat aggressively to maintain ++ * pressure ++ */ ++ addition = 1.5*(c->tcpwinsz - c->local_window_max); ++ c->local_window_max += addition; ++ c->local_consumed += addition; ++ } ++#endif + packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); + packet_put_int(c->remote_id); + packet_put_int(c->local_consumed); +@@ -2794,6 +2847,17 @@ + return addr; + } + ++#ifdef HPN_ENABLED ++void ++channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size) ++{ ++ hpn_disabled = external_hpn_disabled; ++ hpn_buffer_size = external_hpn_buffer_size; ++ debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, ++ hpn_buffer_size); ++} ++#endif ++ + static int + channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd, + int *allocated_listen_port, struct ForwardOptions *fwd_opts) +@@ -2918,9 +2982,20 @@ + } + + /* Allocate a channel number for the socket. */ ++#ifdef HPN_ENABLED ++ /* ++ * explicitly test for hpn disabled option. if true use smaller ++ * window size. ++ */ ++ if (!hpn_disabled) ++ c = channel_new("port listener", type, sock, sock, -1, ++ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, ++ 0, "port listener", 1); ++ else ++#endif + c = channel_new("port listener", type, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, + 0, "port listener", 1); + c->path = xstrdup(host); + c->host_port = fwd->connect_port; + c->listening_addr = addr == NULL ? NULL : xstrdup(addr); +@@ -3952,6 +4027,14 @@ + *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); + for (n = 0; n < num_socks; n++) { + sock = socks[n]; ++#ifdef HPN_ENABLED ++ if (!hpn_disabled) ++ nc = channel_new("x11 listener", ++ SSH_CHANNEL_X11_LISTENER, sock, sock, -1, ++ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, ++ 0, "X11 inet listener", 1); ++ else ++#endif + nc = channel_new("x11 listener", + SSH_CHANNEL_X11_LISTENER, sock, sock, -1, + CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, +--- work.clean/openssh-6.8p1/channels.h 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/channels.h 2015-04-03 13:58:44.472717000 -0500 +@@ -136,6 +136,10 @@ + u_int local_maxpacket; + int extended_usage; + int single_connection; ++#ifdef HPN_ENABLED ++ int dynamic_window; ++ u_int tcpwinsz; ++#endif + + char *ctype; /* type */ + +@@ -311,4 +315,9 @@ + void chan_write_failed(Channel *); + void chan_obuf_empty(Channel *); + ++#ifdef HPN_ENABLED ++/* hpn handler */ ++void channel_set_hpn(int, int); ++#endif ++ + #endif +--- work.clean/openssh-6.8p1/cipher.c 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/cipher.c 2015-04-03 16:22:04.972592000 -0500 +@@ -244,7 +244,13 @@ + for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; + (p = strsep(&cp, CIPHER_SEP))) { + c = cipher_by_name(p); +- if (c == NULL || c->number != SSH_CIPHER_SSH2) { ++ if (c == NULL || (c->number != SSH_CIPHER_SSH2 && ++#ifdef NONE_CIPHER_ENABLED ++ c->number != SSH_CIPHER_NONE ++#else ++ 1 ++#endif ++ )) { + free(cipher_list); + return 0; + } +@@ -545,6 +551,9 @@ + + switch (c->number) { + #ifdef WITH_OPENSSL ++#ifdef NONE_CIPHER_ENABLED ++ case SSH_CIPHER_NONE: ++#endif + case SSH_CIPHER_SSH2: + case SSH_CIPHER_DES: + case SSH_CIPHER_BLOWFISH: +@@ -593,6 +602,9 @@ + + switch (c->number) { + #ifdef WITH_OPENSSL ++#ifdef NONE_CIPHER_ENABLED ++ case SSH_CIPHER_NONE: ++#endif + case SSH_CIPHER_SSH2: + case SSH_CIPHER_DES: + case SSH_CIPHER_BLOWFISH: +--- work.clean/openssh-6.8p1/clientloop.c 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/clientloop.c 2015-04-03 17:29:40.618489000 -0500 +@@ -1909,6 +1909,15 @@ + sock = x11_connect_display(); + if (sock < 0) + return NULL; ++#ifdef HPN_ENABLED ++ /* again is this really necessary for X11? */ ++ if (!options.hpn_disabled) ++ c = channel_new("x11", ++ SSH_CHANNEL_X11_OPEN, sock, sock, -1, ++ options.hpn_buffer_size, ++ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); ++ else ++#endif + c = channel_new("x11", + SSH_CHANNEL_X11_OPEN, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); +@@ -1934,6 +1943,14 @@ + __func__, ssh_err(r)); + return NULL; + } ++#ifdef HPN_ENABLED ++ if (!options.hpn_disabled) ++ c = channel_new("authentication agent connection", ++ SSH_CHANNEL_OPEN, sock, sock, -1, ++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, ++ "authentication agent connection", 1); ++ else ++#endif + c = channel_new("authentication agent connection", + SSH_CHANNEL_OPEN, sock, sock, -1, + CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, +@@ -1964,6 +1981,12 @@ + return -1; + } + ++#ifdef HPN_ENABLED ++ if (!options.hpn_disabled) ++ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, ++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); ++ else ++#endif + c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + c->datagram = 1; +--- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/compat.c 2015-04-03 16:39:57.665699000 -0500 +@@ -177,6 +177,14 @@ + debug("match: %s pat %s compat 0x%08x", + version, check[i].pat, check[i].bugs); + datafellows = check[i].bugs; /* XXX for now */ ++#ifdef HPN_ENABLED ++ /* Check to see if the remote side is OpenSSH and not HPN */ ++ if (strstr(version,"OpenSSH") != NULL && ++ strstr(version,"hpn") == NULL) { ++ datafellows |= SSH_BUG_LARGEWINDOW; ++ debug("Remote is NON-HPN aware"); ++ } ++#endif + return check[i].bugs; + } + } +--- work.clean/openssh-6.8p1/compat.h 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/compat.h 2015-04-03 16:39:34.780416000 -0500 +@@ -60,6 +60,9 @@ + #define SSH_NEW_OPENSSH 0x04000000 + #define SSH_BUG_DYNAMIC_RPORT 0x08000000 + #define SSH_BUG_CURVE25519PAD 0x10000000 ++#ifdef HPN_ENABLED ++#define SSH_BUG_LARGEWINDOW 0x20000000 ++#endif + + void enable_compat13(void); + void enable_compat20(void); +--- work.clean/openssh-6.8p1/configure.ac 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/configure.ac 2015-04-03 16:36:28.916502000 -0500 +@@ -4238,6 +4238,25 @@ + ] + ) # maildir + ++#check whether user wants HPN support ++HPN_MSG="no" ++AC_ARG_WITH(hpn, ++ [ --with-hpn Enable HPN support], ++ [ if test "x$withval" != "xno" ; then ++ AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.]) ++ HPN_MSG="yes" ++ fi ] ++) ++#check whether user wants NONECIPHER support ++NONECIPHER_MSG="no" ++AC_ARG_WITH(nonecipher, ++ [ --with-nonecipher Enable NONECIPHER support], ++ [ if test "x$withval" != "xno" ; then ++ AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want NONECIPHER support.]) ++ NONECIPHER_MSG="yes" ++ fi ] ++) ++ + if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then + AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) + disable_ptmx_check=yes +@@ -4905,6 +4924,8 @@ + echo " BSD Auth support: $BSD_AUTH_MSG" + echo " Random number source: $RAND_MSG" + echo " Privsep sandbox style: $SANDBOX_STYLE" ++echo " HPN support: $HPN_MSG" ++echo " NONECIPHER support: $NONECIPHER_MSG" + + echo "" + +--- work.clean/openssh-6.8p1/kex.c 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/kex.c 2015-04-03 17:06:44.032682000 -0500 +@@ -587,6 +587,13 @@ + int nenc, nmac, ncomp; + u_int mode, ctos, need, dh_need, authlen; + int r, first_kex_follows; ++#ifdef NONE_CIPHER_ENABLED ++ /* XXX: Could this move into the lower block? */ ++ int auth_flag; ++ ++ auth_flag = ssh_packet_authentication_state(ssh); ++ debug ("AUTH STATE IS %d", auth_flag); ++#endif + + if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 || + (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) +@@ -635,6 +642,17 @@ + if ((r = choose_comp(&newkeys->comp, cprop[ncomp], + sprop[ncomp])) != 0) + goto out; ++#ifdef NONE_CIPHER_ENABLED ++ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); ++ if (strcmp(newkeys->enc.name, "none") == 0) { ++ debug("Requesting NONE. Authflag is %d", auth_flag); ++ if (auth_flag == 1) { ++ debug("None requested post authentication."); ++ } else { ++ fatal("Pre-authentication none cipher requests are not allowed."); ++ } ++ } ++#endif + debug("kex: %s %s %s %s", + ctos ? "client->server" : "server->client", + newkeys->enc.name, +--- work.clean/openssh-6.8p1/myproposal.h 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/myproposal.h 2015-04-03 16:43:33.747402000 -0500 +@@ -171,6 +171,10 @@ + #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" + #define KEX_DEFAULT_LANG "" + ++#ifdef NONE_CIPHER_ENABLED ++#define KEX_ENCRYPT_INCLUDE_NONE KEX_SERVER_ENCRYPT ",none" ++#endif ++ + #define KEX_CLIENT \ + KEX_CLIENT_KEX, \ + KEX_DEFAULT_PK_ALG, \ +--- work.clean/openssh-6.8p1/packet.c 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/packet.c 2015-04-03 16:10:57.002066000 -0500 +@@ -2199,6 +2199,24 @@ + } + } + ++#ifdef NONE_CIPHER_ENABLED ++/* this supports the forced rekeying required for the NONE cipher */ ++int rekey_requested = 0; ++void ++packet_request_rekeying(void) ++{ ++ rekey_requested = 1; ++} ++ ++int ++ssh_packet_authentication_state(struct ssh *ssh) ++{ ++ struct session_state *state = ssh->state; ++ ++ return(state->after_authentication); ++} ++#endif ++ + #define MAX_PACKETS (1U<<31) + int + ssh_packet_need_rekeying(struct ssh *ssh) +@@ -2207,6 +2225,12 @@ + + if (ssh->compat & SSH_BUG_NOREKEY) + return 0; ++#ifdef NONE_CIPHER_ENABLED ++ if (rekey_requested == 1) { ++ rekey_requested = 0; ++ return 1; ++ } ++#endif + return + (state->p_send.packets > MAX_PACKETS) || + (state->p_read.packets > MAX_PACKETS) || +--- work.clean/openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500 +@@ -188,6 +188,11 @@ + int sshpkt_get_end(struct ssh *ssh); + const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); + ++#ifdef NONE_CIPHER_ENABLED ++void packet_request_rekeying(void); ++int ssh_packet_authentication_state(struct ssh *ssh); ++#endif ++ + /* OLD API */ + extern struct ssh *active_state; + #include "opacket.h" +--- work.clean/openssh-6.8p1/readconf.c 2015-04-01 22:07:18.135435000 -0500 ++++ work/openssh-6.8p1/readconf.c 2015-04-03 15:10:44.188916000 -0500 +@@ -154,6 +154,12 @@ + oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, + oVisualHostKey, oUseRoaming, + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, ++#ifdef HPN_ENABLED ++ oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf, ++#endif ++#ifdef NONE_CIPHER_ENABLED ++ oNoneSwitch, oNoneEnabled, ++#endif + oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, + oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, + oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, +@@ -276,6 +282,16 @@ + { "fingerprinthash", oFingerprintHash }, + { "updatehostkeys", oUpdateHostkeys }, + { "hostbasedkeytypes", oHostbasedKeyTypes }, ++#ifdef NONE_CIPHER_ENABLED ++ { "noneenabled", oNoneEnabled }, ++ { "noneswitch", oNoneSwitch }, ++#endif ++#ifdef HPN_ENABLED ++ { "tcprcvbufpoll", oTcpRcvBufPoll }, ++ { "tcprcvbuf", oTcpRcvBuf }, ++ { "hpndisabled", oHPNDisabled }, ++ { "hpnbuffersize", oHPNBufferSize }, ++#endif + { "ignoreunknown", oIgnoreUnknown }, + + { NULL, oBadOption } +@@ -917,6 +933,44 @@ + intptr = &options->check_host_ip; + goto parse_flag; + ++#ifdef HPN_ENABLED ++ case oHPNDisabled: ++ intptr = &options->hpn_disabled; ++ goto parse_flag; ++ ++ case oHPNBufferSize: ++ intptr = &options->hpn_buffer_size; ++ goto parse_int; ++ ++ case oTcpRcvBufPoll: ++ intptr = &options->tcp_rcv_buf_poll; ++ goto parse_flag; ++ ++ case oTcpRcvBuf: ++ intptr = &options->tcp_rcv_buf; ++ goto parse_int; ++#endif ++ ++#ifdef NONE_CIPHER_ENABLED ++ case oNoneEnabled: ++ intptr = &options->none_enabled; ++ goto parse_flag; ++ ++ /* we check to see if the command comes from the */ ++ /* command line or not. If it does then enable it */ ++ /* otherwise fail. NONE should never be a default configuration */ ++ case oNoneSwitch: ++ if(strcmp(filename,"command-line") == 0) { ++ intptr = &options->none_switch; ++ goto parse_flag; ++ } else { ++ error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename); ++ error("Continuing..."); ++ debug("NoneSwitch directive found in %.200s.", filename); ++ return 0; ++ } ++#endif ++ + case oVerifyHostKeyDNS: + intptr = &options->verify_host_key_dns; + multistate_ptr = multistate_yesnoask; +@@ -1678,6 +1732,16 @@ + options->ip_qos_interactive = -1; + options->ip_qos_bulk = -1; + options->request_tty = -1; ++#ifdef NONE_CIPHER_ENABLED ++ options->none_switch = -1; ++ options->none_enabled = -1; ++#endif ++#ifdef HPN_ENABLED ++ options->hpn_disabled = -1; ++ options->hpn_buffer_size = -1; ++ options->tcp_rcv_buf_poll = -1; ++ options->tcp_rcv_buf = -1; ++#endif + options->proxy_use_fdpass = -1; + options->ignored_unknown = NULL; + options->num_canonical_domains = 0; +@@ -1838,6 +1902,35 @@ + options->server_alive_interval = 0; + if (options->server_alive_count_max == -1) + options->server_alive_count_max = 3; ++#ifdef NONE_CIPHER_ENABLED ++ if (options->none_switch == -1) ++ options->none_switch = 0; ++ if (options->none_enabled == -1) ++ options->none_enabled = 0; ++#endif ++#ifdef HPN_ENABLED ++ if (options->hpn_disabled == -1) ++ options->hpn_disabled = 0; ++ if (options->hpn_buffer_size > -1) { ++ /* if a user tries to set the size to 0 set it to 1KB */ ++ if (options->hpn_buffer_size == 0) ++ options->hpn_buffer_size = 1; ++ /* limit the buffer to 64MB */ ++ if (options->hpn_buffer_size > 64*1024) { ++ options->hpn_buffer_size = 64*1024*1024; ++ debug("User requested buffer larger than 64MB. Request" ++ " reverted to 64MB"); ++ } else ++ options->hpn_buffer_size *= 1024; ++ debug("hpn_buffer_size set to %d", options->hpn_buffer_size); ++ } ++ if (options->tcp_rcv_buf == 0) ++ options->tcp_rcv_buf = 1; ++ if (options->tcp_rcv_buf > -1) ++ options->tcp_rcv_buf *=1024; ++ if (options->tcp_rcv_buf_poll == -1) ++ options->tcp_rcv_buf_poll = 1; ++#endif + if (options->control_master == -1) + options->control_master = 0; + if (options->control_persist == -1) { +--- work.clean/openssh-6.8p1/readconf.h 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/readconf.h 2015-04-03 13:47:45.670125000 -0500 +@@ -105,6 +105,16 @@ + int clear_forwardings; + + int enable_ssh_keysign; ++#ifdef NONE_CIPHER_ENABLED ++ int none_switch; /* Use none cipher */ ++ int none_enabled; /* Allow none to be used */ ++#endif ++#ifdef HPN_ENABLED ++ int tcp_rcv_buf; /* user switch to set tcp recv buffer */ ++ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */ ++ int hpn_disabled; /* Switch to disable HPN buffer management */ ++ int hpn_buffer_size; /* User definable size for HPN buffer window */ ++#endif + int64_t rekey_limit; + int rekey_interval; + int no_host_authentication_for_localhost; +--- work.clean/openssh-6.8p1/scp.c 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/scp.c 2015-04-02 16:51:25.108407000 -0500 +@@ -750,7 +750,7 @@ + off_t i, statbytes; + size_t amt, nr; + int fd = -1, haderr, indx; +- char *last, *name, buf[2048], encname[PATH_MAX]; ++ char *last, *name, buf[16384], encname[PATH_MAX]; + int len; + + for (indx = 0; indx < argc; ++indx) { +@@ -919,7 +919,7 @@ + off_t size, statbytes; + unsigned long long ull; + int setimes, targisdir, wrerrno = 0; +- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; ++ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384]; + struct timeval tv[2]; + + #define atime tv[0] +--- work.clean/openssh-6.8p1/servconf.c 2015-04-01 22:07:18.142441000 -0500 ++++ work/openssh-6.8p1/servconf.c 2015-04-03 16:32:16.114236000 -0500 +@@ -160,6 +160,14 @@ + options->revoked_keys_file = NULL; + options->trusted_user_ca_keys = NULL; + options->authorized_principals_file = NULL; ++#ifdef NONE_CIPHER_ENABLED ++ options->none_enabled = -1; ++#endif ++#ifdef HPN_ENABLED ++ options->tcp_rcv_buf_poll = -1; ++ options->hpn_disabled = -1; ++ options->hpn_buffer_size = -1; ++#endif + options->ip_qos_interactive = -1; + options->ip_qos_bulk = -1; + options->version_addendum = NULL; +@@ -326,6 +334,57 @@ + } + if (options->permit_tun == -1) + options->permit_tun = SSH_TUNMODE_NO; ++#ifdef NONE_CIPHER_ENABLED ++ if (options->none_enabled == -1) ++ options->none_enabled = 0; ++#endif ++#ifdef HPN_ENABLED ++ if (options->hpn_disabled == -1) ++ options->hpn_disabled = 0; ++ ++ if (options->hpn_buffer_size == -1) { ++ /* ++ * option not explicitly set. Now we have to figure out ++ * what value to use. ++ */ ++ if (options->hpn_disabled == 1) { ++ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; ++ } else { ++ int sock, socksize; ++ socklen_t socksizelen = sizeof(socksize); ++ ++ /* ++ * get the current RCV size and set it to that ++ * create a socket but don't connect it ++ * we use that the get the rcv socket size ++ */ ++ sock = socket(AF_INET, SOCK_STREAM, 0); ++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, ++ &socksize, &socksizelen); ++ close(sock); ++ options->hpn_buffer_size = socksize; ++ debug ("HPN Buffer Size: %d", options->hpn_buffer_size); ++ } ++ } else { ++ /* ++ * we have to do this incase the user sets both values in a ++ * contradictory manner. hpn_disabled overrrides ++ * hpn_buffer_size ++ */ ++ if (options->hpn_disabled <= 0) { ++ if (options->hpn_buffer_size == 0) ++ options->hpn_buffer_size = 1; ++ /* limit the maximum buffer to 64MB */ ++ if (options->hpn_buffer_size > 64*1024) { ++ options->hpn_buffer_size = 64*1024*1024; ++ } else { ++ options->hpn_buffer_size *= 1024; ++ } ++ } else ++ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; ++ } ++#endif ++ + if (options->ip_qos_interactive == -1) + options->ip_qos_interactive = IPTOS_LOWDELAY; + if (options->ip_qos_bulk == -1) +@@ -401,6 +460,12 @@ + sUsePrivilegeSeparation, sAllowAgentForwarding, + sHostCertificate, + sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, ++#ifdef NONE_CIPHER_ENABLED ++ sNoneEnabled, ++#endif ++#ifdef HPN_ENABLED ++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, ++#endif + sKexAlgorithms, sIPQoS, sVersionAddendum, + sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, + sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, +@@ -529,6 +594,14 @@ + { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, + { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, ++#ifdef NONE_CIPHER_ENABLED ++ { "noneenabled", sNoneEnabled, SSHCFG_ALL }, ++#endif ++#ifdef HPN_ENABLED ++ { "hpndisabled", sHPNDisabled, SSHCFG_ALL }, ++ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL }, ++ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL }, ++#endif + { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, + { "ipqos", sIPQoS, SSHCFG_ALL }, + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, +@@ -1113,6 +1186,25 @@ + intptr = &options->ignore_user_known_hosts; + goto parse_flag; + ++#ifdef NONE_CIPHER_ENABLED ++ case sNoneEnabled: ++ intptr = &options->none_enabled; ++ goto parse_flag; ++#endif ++#ifdef HPN_ENABLED ++ case sTcpRcvBufPoll: ++ intptr = &options->tcp_rcv_buf_poll; ++ goto parse_flag; ++ ++ case sHPNDisabled: ++ intptr = &options->hpn_disabled; ++ goto parse_flag; ++ ++ case sHPNBufferSize: ++ intptr = &options->hpn_buffer_size; ++ goto parse_int; ++#endif ++ + case sRhostsRSAAuthentication: + intptr = &options->rhosts_rsa_authentication; + goto parse_flag; +--- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500 +@@ -169,6 +169,15 @@ + + int use_pam; /* Enable auth via PAM */ + ++#ifdef NONE_CIPHER_ENABLED ++ int none_enabled; /* enable NONE cipher switch */ ++#endif ++#ifdef HPN_ENABLED ++ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/ ++ int hpn_disabled; /* disable hpn functionality. false by default */ ++ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */ ++#endif ++ + int permit_tun; + + int num_permitted_opens; +--- work.clean/openssh-6.8p1/serverloop.c 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/serverloop.c 2015-04-03 17:14:15.182548000 -0500 +@@ -1051,6 +1051,12 @@ + sock = tun_open(tun, mode); + if (sock < 0) + goto done; ++#ifdef HPN_ENABLED ++ if (!options.hpn_disabled) ++ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, ++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); ++ else ++#endif + c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + c->datagram = 1; +@@ -1088,6 +1094,10 @@ + c = channel_new("session", SSH_CHANNEL_LARVAL, + -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, + 0, "server-session", 1); ++#ifdef HPN_ENABLED ++ if (options.tcp_rcv_buf_poll && !options.hpn_disabled) ++ c->dynamic_window = 1; ++#endif + if (session_open(the_authctxt, c->self) != 1) { + debug("session open failed, free channel %d", c->self); + channel_free(c); +--- work.clean/openssh-6.8p1/session.c 2015-04-01 22:07:18.149110000 -0500 ++++ work/openssh-6.8p1/session.c 2015-04-03 17:09:02.984097000 -0500 +@@ -2340,6 +2340,14 @@ + */ + if (s->chanid == -1) + fatal("no channel for session %d", s->self); ++#ifdef HPN_ENABLED ++ if (!options.hpn_disabled) ++ channel_set_fds(s->chanid, ++ fdout, fdin, fderr, ++ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, ++ 1, is_tty, options.hpn_buffer_size); ++ else ++#endif + channel_set_fds(s->chanid, + fdout, fdin, fderr, + ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, +--- work.clean/openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/sftp.1 2015-04-01 22:16:49.921688000 -0500 +@@ -263,7 +263,8 @@ + Specify how many requests may be outstanding at any one time. + Increasing this may slightly improve file transfer speed + but will increase memory usage. +-The default is 64 outstanding requests. ++The default is 256 outstanding requests providing for 8MB ++of outstanding data with a 32KB buffer. + .It Fl r + Recursively copy entire directories when uploading and downloading. + Note that +--- work.clean/openssh-6.8p1/sftp.c 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/sftp.c 2015-04-03 17:16:00.959795000 -0500 +@@ -71,7 +71,11 @@ + #include "sftp-client.h" + + #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */ ++#ifdef HPN_ENABLED ++#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */ ++#else + #define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */ ++#endif + + /* File to read commands from */ + FILE* infile; +--- work.clean/openssh-6.8p1/ssh.c 2015-04-01 22:07:18.166356000 -0500 ++++ work/openssh-6.8p1/ssh.c 2015-04-03 17:16:34.114673000 -0500 +@@ -885,6 +885,14 @@ + break; + case 'T': + options.request_tty = REQUEST_TTY_NO; ++#ifdef NONE_CIPHER_ENABLED ++ /* ++ * ensure that the user doesn't try to backdoor a ++ * null cipher switch on an interactive session ++ * so explicitly disable it no matter what. ++ */ ++ options.none_switch = 0; ++#endif + break; + case 'o': + line = xstrdup(optarg); +@@ -1848,9 +1856,85 @@ + if (!isatty(err)) + set_nonblock(err); + ++#ifdef HPN_ENABLED ++ /* ++ * we need to check to see if what they want to do about buffer ++ * sizes here. In a hpn to nonhpn connection we want to limit ++ * the window size to something reasonable in case the far side ++ * has the large window bug. In hpn to hpn connection we want to ++ * use the max window size but allow the user to override it ++ * lastly if they disabled hpn then use the ssh std window size ++ ++ * so why don't we just do a getsockopt() here and set the ++ * ssh window to that? In the case of a autotuning receive ++ * window the window would get stuck at the initial buffer ++ * size generally less than 96k. Therefore we need to set the ++ * maximum ssh window size to the maximum hpn buffer size ++ * unless the user has specifically set the tcprcvbufpoll ++ * to no. In which case we *can* just set the window to the ++ * minimum of the hpn buffer size and tcp receive buffer size ++ */ ++ ++ if (tty_flag) ++ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; ++ else ++ options.hpn_buffer_size = 2*1024*1024; ++ ++ if (datafellows & SSH_BUG_LARGEWINDOW) { ++ debug("HPN to Non-HPN Connection"); ++ } else { ++ int sock, socksize; ++ socklen_t socksizelen = sizeof(socksize); ++ ++ if (options.tcp_rcv_buf_poll <= 0) { ++ sock = socket(AF_INET, SOCK_STREAM, 0); ++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, ++ &socksize, &socksizelen); ++ close(sock); ++ debug("socksize %d", socksize); ++ options.hpn_buffer_size = socksize; ++ debug ("HPNBufferSize set to TCP RWIN: %d", ++ options.hpn_buffer_size); ++ } else { ++ if (options.tcp_rcv_buf > 0) { ++ /* ++ * create a socket but don't connect it. ++ * we use that the get the rcv socket size ++ */ ++ sock = socket(AF_INET, SOCK_STREAM, 0); ++ /* ++ * if they are using the tcp_rcv_buf option ++ * attempt to set the buffer size to that ++ */ ++ if (options.tcp_rcv_buf) ++ setsockopt(sock, SOL_SOCKET, SO_RCVBUF, ++ (void *)&options.tcp_rcv_buf, ++ sizeof(options.tcp_rcv_buf)); ++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, ++ &socksize, &socksizelen); ++ close(sock); ++ debug("socksize %d", socksize); ++ options.hpn_buffer_size = socksize; ++ debug ("HPNBufferSize set to user TCPRcvBuf: " ++ "%d", options.hpn_buffer_size); ++ } ++ } ++ } ++ ++ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size); ++ ++ window = options.hpn_buffer_size; ++ ++ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); ++#else + window = CHAN_SES_WINDOW_DEFAULT; ++#endif ++ + packetmax = CHAN_SES_PACKET_DEFAULT; + if (tty_flag) { ++#ifdef HPN_ENABLED ++ window = CHAN_SES_WINDOW_DEFAULT; ++#endif + window >>= 1; + packetmax >>= 1; + } +@@ -1859,6 +1943,12 @@ + window, packetmax, CHAN_EXTENDED_WRITE, + "client-session", /*nonblock*/0); + ++#ifdef HPN_ENABLED ++ if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) { ++ c->dynamic_window = 1; ++ debug ("Enabled Dynamic Window Scaling"); ++ } ++#endif + debug3("ssh_session2_open: channel_new: %d", c->self); + + channel_send_open(c->self); +--- work.clean/openssh-6.8p1/sshconnect.c 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/sshconnect.c 2015-04-03 16:32:38.204744000 -0500 +@@ -266,6 +266,31 @@ + kill(proxy_command_pid, SIGHUP); + } + ++#ifdef HPN_ENABLED ++/* ++ * Set TCP receive buffer if requested. ++ * Note: tuning needs to happen after the socket is ++ * created but before the connection happens ++ * so winscale is negotiated properly -cjr ++ */ ++static void ++ssh_set_socket_recvbuf(int sock) ++{ ++ void *buf = (void *)&options.tcp_rcv_buf; ++ int sz = sizeof(options.tcp_rcv_buf); ++ int socksize; ++ socklen_t socksizelen = sizeof(socksize); ++ ++ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf); ++ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) { ++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen); ++ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize); ++ } else ++ error("Couldn't set socket receive buffer to %d: %.100s", ++ options.tcp_rcv_buf, strerror(errno)); ++} ++#endif ++ + /* + * Creates a (possibly privileged) socket for use as the ssh connection. + */ +@@ -282,6 +307,11 @@ + } + fcntl(sock, F_SETFD, FD_CLOEXEC); + ++#ifdef HPN_ENABLED ++ if (options.tcp_rcv_buf > 0) ++ ssh_set_socket_recvbuf(sock); ++#endif ++ + /* Bind the socket to an alternative local IP address */ + if (options.bind_address == NULL && !privileged) + return sock; +@@ -523,11 +553,23 @@ send_client_banner(int connection_out, i + { + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n", ++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, ++#ifdef HPN_ENABLED ++ options.hpn_disabled ? "" : SSH_HPN ++#else ++ "" ++#endif ++ ); + } else { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", +- PROTOCOL_MAJOR_1, minor1, SSH_VERSION); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\n", ++ PROTOCOL_MAJOR_1, minor1, SSH_VERSION, ++#ifdef HPN_ENABLED ++ options.hpn_disabled ? "" : SSH_HPN ++#else ++ "" ++#endif ++ ); + } + if (roaming_atomicio(vwrite, connection_out, client_version_string, + strlen(client_version_string)) != strlen(client_version_string)) +--- work.clean/openssh-6.8p1/sshconnect2.c 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/sshconnect2.c 2015-04-03 16:54:23.936298000 -0500 +@@ -80,6 +80,14 @@ + extern char *client_version_string; + extern char *server_version_string; + extern Options options; ++#ifdef NONE_CIPHER_ENABLED ++struct kex *xxx_kex; ++ ++/* tty_flag is set in ssh.c. use this in ssh_userauth2 */ ++/* if it is set then prevent the switch to the null cipher */ ++ ++extern int tty_flag; ++#endif + + /* + * SSH2 key exchange +@@ -153,13 +161,16 @@ + return ret; + } + ++static char *myproposal[PROPOSAL_MAX]; ++static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT }; + void + ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) + { +- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; + struct kex *kex; + int r; + ++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); ++ + xxx_host = host; + xxx_hostaddr = hostaddr; + +@@ -222,6 +233,10 @@ + kex->server_version_string=server_version_string; + kex->verify_host_key=&verify_host_key_callback; + ++#ifdef NONE_CIPHER_ENABLED ++ xxx_kex = kex; ++#endif ++ + dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); + + if (options.use_roaming && !kex->roaming) { +@@ -423,6 +438,29 @@ + pubkey_cleanup(&authctxt); + dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL); + ++#ifdef NONE_CIPHER_ENABLED ++ /* ++ * if the user wants to use the none cipher do it ++ * post authentication and only if the right conditions are met ++ * both of the NONE commands must be true and there must be no ++ * tty allocated. ++ */ ++ if ((options.none_switch == 1) && (options.none_enabled == 1)) { ++ if (!tty_flag) { /* no null on tty sessions */ ++ debug("Requesting none rekeying..."); ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; ++ kex_prop2buf(xxx_kex->my, myproposal); ++ packet_request_rekeying(); ++ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); ++ } else { ++ /* requested NONE cipher when in a tty */ ++ debug("Cannot switch to NONE cipher with tty allocated"); ++ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); ++ } ++ } ++#endif ++ + debug("Authentication succeeded (%s).", authctxt.method->name); + } + +--- work.clean/openssh-6.8p1/sshd.c 2015-04-01 22:07:18.190233000 -0500 ++++ work/openssh-6.8p1/sshd.c 2015-04-03 17:17:03.227774000 -0500 +@@ -439,7 +439,10 @@ + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", + major, minor, SSH_VERSION, ++#ifdef HPN_ENABLED ++ options.hpn_disabled ? "" : SSH_HPN, ++#endif + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + +@@ -1157,6 +1160,10 @@ + int ret, listen_sock, on = 1; + struct addrinfo *ai; + char ntop[NI_MAXHOST], strport[NI_MAXSERV]; ++#ifdef HPN_ENABLED ++ int socksize; ++ socklen_t socksizelen = sizeof(socksize); ++#endif + + for (ai = options.listen_addrs; ai; ai = ai->ai_next) { + if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) +@@ -1197,6 +1204,13 @@ + + debug("Bind to port %s on %s.", strport, ntop); + ++#ifdef HPN_ENABLED ++ getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, ++ &socksize, &socksizelen); ++ debug("Server TCP RWIN socket size: %d", socksize); ++ debug("HPN Buffer Size: %d", options.hpn_buffer_size); ++#endif ++ + /* Bind the socket to the desired port. */ + if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { + error("Bind to port %s on %s failed: %.200s.", +@@ -2167,6 +2181,11 @@ + remote_ip, remote_port, + get_local_ipaddr(sock_in), get_local_port()); + ++#ifdef HPN_ENABLED ++ /* set the HPN options for the child */ ++ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); ++#endif ++ + /* + * We don't want to listen forever unless the other side + * successfully authenticates itself. So we set up an alarm which is +@@ -2566,6 +2585,12 @@ + if (options.ciphers != NULL) { + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; ++#ifdef NONE_CIPHER_ENABLED ++ } else if (options.none_enabled == 1) { ++ debug ("WARNING: None cipher enabled"); ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE; ++#endif + } + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); +--- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500 ++++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500 +@@ -127,6 +127,20 @@ + # override default of no subsystems + Subsystem sftp /usr/libexec/sftp-server + ++# the following are HPN related configuration options ++# tcp receive buffer polling. disable in non autotuning kernels ++#TcpRcvBufPoll yes ++ ++# disable hpn performance boosts ++#HPNDisabled no ++ ++# buffer size for hpn to non-hpn connections ++#HPNBufferSize 2048 ++ ++ ++# allow the use of the none cipher ++#NoneEnabled no ++ + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no +--- work.clean/openssh-6.8p1/version.h 2015-04-01 22:07:18.258955000 -0500 ++++ work/openssh-6.8p1/version.h 2015-04-02 16:51:25.209617000 -0500 +@@ -3,4 +3,5 @@ + #define SSH_VERSION "OpenSSH_6.8" + + #define SSH_PORTABLE "p1" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE ++#define SSH_HPN "-hpn14v5" diff --git a/security/openssh-portable/files/extra-patch-hpn-build-options b/security/openssh-portable/files/extra-patch-hpn-build-options deleted file mode 100644 index 664a7510215e..000000000000 --- a/security/openssh-portable/files/extra-patch-hpn-build-options +++ /dev/null @@ -1,142 +0,0 @@ ---- sshconnect2.c.orig 2013-10-11 08:52:17.836129741 -0500 -+++ sshconnect2.c 2013-10-11 08:53:05.776132295 -0500 -@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co - } - } - -+#ifdef AES_THREADED - /* if we are using aes-ctr there can be issues in either a fork or sandbox - * so the initial aes-ctr is defined to point to the original single process - * evp. After authentication we'll be past the fork and the sandboxed privsep -@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co - cipher_reset_multithreaded(); - packet_request_rekeying(); - } -+#endif - - debug("Authentication succeeded (%s).", authctxt.method->name); - } ---- sshd.c.orig 2013-10-11 08:52:17.848126748 -0500 -+++ sshd.c 2013-10-11 08:53:25.929132033 -0500 -@@ -2186,6 +2186,7 @@ main(int ac, char **av) - - /* Start session. */ - -+#ifdef AES_THREADED - /* if we are using aes-ctr there can be issues in either a fork or sandbox - * so the initial aes-ctr is defined to point ot the original single process - * evp. After authentication we'll be past the fork and the sandboxed privsep -@@ -2201,6 +2202,7 @@ main(int ac, char **av) - cipher_reset_multithreaded(); - packet_request_rekeying(); - } -+#endif - - do_authenticated(authctxt); - ---- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500 -+++ readconf.c 2013-10-11 09:19:12.295135966 -0500 -@@ -268,12 +268,16 @@ static struct { - { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, - { "streamlocalbindmask", oStreamLocalBindMask }, - { "streamlocalbindunlink", oStreamLocalBindUnlink }, -+#ifdef NONECIPHER - { "noneenabled", oNoneEnabled }, - { "noneswitch", oNoneSwitch }, -+#endif -+#ifdef HPN - { "tcprcvbufpoll", oTcpRcvBufPoll }, - { "tcprcvbuf", oTcpRcvBuf }, - { "hpndisabled", oHPNDisabled }, - { "hpnbuffersize", oHPNBufferSize }, -+#endif - { "ignoreunknown", oIgnoreUnknown }, - - { NULL, oBadOption } -@@ -1819,12 +1823,20 @@ fill_default_options(Options * options) - options->server_alive_interval = 0; - if (options->server_alive_count_max == -1) - options->server_alive_count_max = 3; -+#ifdef NONECIPHER - if (options->none_switch == -1) -+#endif - options->none_switch = 0; -+#ifdef NONECIPHER - if (options->none_enabled == -1) -+#endif - options->none_enabled = 0; -+#ifdef HPN - if (options->hpn_disabled == -1) - options->hpn_disabled = 0; -+#else -+ options->hpn_disabled = 1; -+#endif - if (options->hpn_buffer_size > -1) - { - /* if a user tries to set the size to 0 set it to 1KB */ ---- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500 -+++ servconf.c 2013-10-11 09:25:50.777137928 -0500 -@@ -303,10 +303,16 @@ - } - if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; -+#ifdef NONECIPHER - if (options->none_enabled == -1) -+#endif - options->none_enabled = 0; -+#ifdef HPN - if (options->hpn_disabled == -1) - options->hpn_disabled = 0; -+#else -+ options->hpn_disabled = 1; -+#endif - - if (options->hpn_buffer_size == -1) { - /* option not explicitly set. Now we have to figure out */ ---- configure.ac.orig 2013-10-12 17:17:41.525139481 -0500 -+++ configure.ac 2013-10-12 17:18:35.610130039 -0500 -@@ -3968,6 +3968,34 @@ - ] - ) # maildir - -+#check whether user wants HPN support -+HPN_MSG="no" -+AC_ARG_WITH(hpn, -+ [ --with-hpn Enable HPN support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(HPN,1,[Define if you want HPN support.]) -+ HPN_MSG="yes" -+ fi ] -+) -+#check whether user wants NONECIPHER support -+NONECIPHER_MSG="no" -+AC_ARG_WITH(nonecipher, -+ [ --with-nonecipher Enable NONECIPHER support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.]) -+ NONECIPHER_MSG="yes" -+ fi ] -+) -+#check whether user wants AES_THREADED support -+AES_THREADED_MSG="no" -+AC_ARG_WITH(aes-threaded, -+ [ --with-aes-threaded Enable AES_THREADED support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.]) -+ AES_THREADED_MSG="yes" -+ fi ] -+) -+ - if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then - AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) - disable_ptmx_check=yes -@@ -4636,6 +4664,9 @@ - echo " BSD Auth support: $BSD_AUTH_MSG" - echo " Random number source: $RAND_MSG" - echo " Privsep sandbox style: $SANDBOX_STYLE" -+echo " HPN support: $HPN_MSG" -+echo " NONECIPHER support: $NONECIPHER_MSG" -+echo " AES_THREADED support: $AES_THREADED_MSG" - - echo "" - diff --git a/security/openssh-portable/files/extra-patch-hpn-no-hpn b/security/openssh-portable/files/extra-patch-hpn-no-hpn deleted file mode 100644 index dc3b112a2fee..000000000000 --- a/security/openssh-portable/files/extra-patch-hpn-no-hpn +++ /dev/null @@ -1,32 +0,0 @@ ---- sshd_config.orig 2013-10-12 06:40:05.766128740 -0500 -+++ sshd_config 2013-10-12 06:40:06.646129924 -0500 -@@ -125,20 +125,6 @@ - # override default of no subsystems - Subsystem sftp /usr/libexec/sftp-server - --# the following are HPN related configuration options --# tcp receive buffer polling. disable in non autotuning kernels --#TcpRcvBufPoll yes -- --# disable hpn performance boosts --#HPNDisabled no -- --# buffer size for hpn to non-hpn connections --#HPNBufferSize 2048 -- -- --# allow the use of the none cipher --#NoneEnabled no -- - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no ---- version.h.orig 2013-10-12 06:42:19.578133368 -0500 -+++ version.h 2013-10-12 06:42:28.581136160 -0500 -@@ -3,5 +3,4 @@ - #define SSH_VERSION "OpenSSH_6.3" - - #define SSH_PORTABLE "p1" --#define SSH_HPN "-hpn14v2" --#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN -+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE diff --git a/security/openssh-portable/files/extra-patch-hpn-window-size b/security/openssh-portable/files/extra-patch-hpn-window-size deleted file mode 100644 index 76f50a43eccb..000000000000 --- a/security/openssh-portable/files/extra-patch-hpn-window-size +++ /dev/null @@ -1,24 +0,0 @@ -r223213 | brooks | 2011-06-17 17:01:10 -0500 (Fri, 17 Jun 2011) | 3 lines -Changed paths: - M /user/brooks/openssh-hpn/channels.h - -It looks like the HPN patch didn't track the window size bump in OpenBSD -rev 1.89 back in 2007. Chase the updates to reduce diffs to head - -Index: channels.h -=================================================================== ---- channels.h (revision 223212) -+++ channels.h (revision 223213) -@@ -163,10 +163,10 @@ - - /* default window/packet sizes for tcp/x11-fwd-channel */ - #define CHAN_SES_PACKET_DEFAULT (32*1024) --#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT) -+#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT) - - #define CHAN_TCP_PACKET_DEFAULT (32*1024) --#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT) -+#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT) - - #define CHAN_X11_PACKET_DEFAULT (16*1024) - #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT) diff --git a/security/openssh-portable/files/extra-patch-sshd-utmp-size b/security/openssh-portable/files/extra-patch-sshd-utmp-size index d72985ff7768..f6a48e84fb00 100644 --- a/security/openssh-portable/files/extra-patch-sshd-utmp-size +++ b/security/openssh-portable/files/extra-patch-sshd-utmp-size @@ -15,21 +15,21 @@ Submitted by: Bruce Cran <bruce@cran.org.uk> Index: sshd.c =================================================================== ---- sshd.c (revision 184121) -+++ sshd.c (revision 184122) +--- sshd.c.orig 2015-04-04 11:40:24.175508000 -0500 ++++ sshd.c 2015-04-04 11:40:38.082324000 -0500 @@ -72,6 +72,7 @@ - #include <stdlib.h> #include <string.h> #include <unistd.h> + #include <limits.h> +#include <utmp.h> + #ifdef WITH_OPENSSL #include <openssl/dh.h> - #include <openssl/bn.h> -@@ -238,7 +239,7 @@ +@@ -229,7 +230,7 @@ u_char *session_id2 = NULL; u_int session_id2_len = 0; /* record remote hostname or ip */ --u_int utmp_len = MAXHOSTNAMELEN; +-u_int utmp_len = HOST_NAME_MAX+1; +u_int utmp_len = UT_HOSTSIZE; /* options.max_startup sized array of fd ints */ diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers index f1514a9c05cc..093845b95f6f 100644 --- a/security/openssh-portable/files/extra-patch-tcpwrappers +++ b/security/openssh-portable/files/extra-patch-tcpwrappers @@ -83,25 +83,6 @@ index 0ade557..045f149 100644 /* Log the connection. */ verbose("Connection from %s port %d on %s port %d", -commit f9696566fb41320820f3b257ab564fa321bb3751 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Jun 13 11:06:04 2014 +1000 - - - (dtucker) [configure.ac] Remove tcpwrappers support, support has already - been removed from sshd.c. - -diff --git ChangeLog ChangeLog -index f4c6ea6..1c043ae 100644 ---- ChangeLog -+++ ChangeLog -@@ -1,7 +1,3 @@ --20140612 -- - (dtucker) [configure.ac] Remove tcpwrappers support, support has already -- been removed from sshd.c. -- - 20140611 - - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from - openbsd-compat/bsd-asprintf.c. diff --git configure.ac configure.ac index f48ba4a..66fbe82 100644 --- configure.ac diff --git a/security/openssh-portable/files/patch-regress__test-exec.sh b/security/openssh-portable/files/patch-regress__test-exec.sh new file mode 100644 index 000000000000..80bd912edfa3 --- /dev/null +++ b/security/openssh-portable/files/patch-regress__test-exec.sh @@ -0,0 +1,10 @@ +--- regress/test-exec.sh.orig 2015-04-03 18:20:32.256126000 -0500 ++++ regress/test-exec.sh 2015-04-03 18:20:41.599903000 -0500 +@@ -408,6 +408,7 @@ cat << EOF > $OBJ/sshd_config + LogLevel DEBUG3 + AcceptEnv _XXX_TEST_* + AcceptEnv _XXX_TEST ++ PermitRootLogin yes + Subsystem sftp $SFTPSERVER + EOF + diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c index c8d94fcfee94..229ab3c12310 100644 --- a/security/openssh-portable/files/patch-servconf.c +++ b/security/openssh-portable/files/patch-servconf.c @@ -1,23 +1,23 @@ ---- servconf.c.orig 2015-03-22 22:16:53.563005000 -0500 -+++ servconf.c 2015-03-22 22:19:39.207917000 -0500 -@@ -54,6 +54,7 @@ - #include "packet.h" - #include "hostfile.h" +--- servconf.c.orig 2015-03-22 23:58:50.869706000 -0500 ++++ servconf.c 2015-03-22 23:59:46.645390000 -0500 +@@ -81,6 +81,7 @@ #include "auth.h" + #include "myproposal.h" + #include "digest.h" +#include "version.h" static void add_listen_addr(ServerOptions *, char *, int); static void add_one_listen_addr(ServerOptions *, char *, int); -@@ -173,7 +174,7 @@ fill_default_server_options(ServerOption +@@ -216,7 +217,7 @@ fill_default_server_options(ServerOption /* Portable-specific options */ if (options->use_pam == -1) - options->use_pam = 0; + options->use_pam = 1; - /* Standard Options */ - if (options->protocol == SSH_PROTO_UNKNOWN) -@@ -210,7 +211,7 @@ fill_default_server_options(ServerOption + /* X.509 Standard Options */ + #ifdef OPENSSL_FIPS +@@ -277,7 +278,7 @@ fill_default_server_options(ServerOption if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) @@ -26,7 +26,7 @@ if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) -@@ -220,7 +221,7 @@ fill_default_server_options(ServerOption +@@ -287,7 +288,7 @@ fill_default_server_options(ServerOption if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) @@ -35,7 +35,7 @@ if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) -@@ -262,7 +263,11 @@ fill_default_server_options(ServerOption +@@ -333,7 +334,11 @@ fill_default_server_options(ServerOption if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; if (options->password_authentication == -1) @@ -47,12 +47,12 @@ if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) -@@ -368,7 +373,7 @@ fill_default_server_options(ServerOption - options->fwd_opts.streamlocal_bind_unlink = 0; +@@ -396,7 +401,7 @@ fill_default_server_options(ServerOption + options->fingerprint_hash = SSH_FP_HASH_DEFAULT; /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX; + use_privsep = PRIVSEP_ON; - #ifndef HAVE_MMAP - if (use_privsep && options->compression == 1) { + #define CLEAR_ON_NONE(v) \ + do { \ diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index f0ca874922ee..f9699800c7e2 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c @@ -7,11 +7,11 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2014-07-29 21:32:46.000000000 -0500 -+++ ssh-agent.c 2014-11-03 16:48:03.930786112 -0600 -@@ -142,15 +142,34 @@ extern char *__progname; - /* Default lifetime in seconds (0 == forever) */ - static long lifetime = 0; +--- ssh-agent.c.orig 2015-03-17 00:49:20.000000000 -0500 ++++ ssh-agent.c 2015-03-20 00:00:48.800352000 -0500 +@@ -150,15 +150,34 @@ static long lifetime = 0; + + static int fingerprint_hash = SSH_FP_HASH_DEFAULT; +/* + * Client connection count; incremented in new_socket() and decremented in @@ -36,15 +36,15 @@ disconnected. close(e->fd); e->fd = -1; e->type = AUTH_UNUSED; - buffer_free(&e->input); - buffer_free(&e->output); - buffer_free(&e->request); + sshbuf_free(e->input); + sshbuf_free(e->output); + sshbuf_free(e->request); + if (last) + cleanup_exit(0); } static void -@@ -810,6 +829,10 @@ new_socket(sock_type type, int fd) +@@ -910,6 +929,10 @@ new_socket(sock_type type, int fd) { u_int i, old_alloc, new_alloc; @@ -55,16 +55,16 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1026,7 +1049,7 @@ usage(void) +@@ -1138,7 +1161,7 @@ usage(void) { fprintf(stderr, - "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-t life]\n" -- " [command [arg ...]]\n" -+ " [-x] [command [arg ...]]\n" + "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-E fingerprint_hash]\n" +- " [-t life] [command [arg ...]]\n" ++ " [-t life] [-x] [command [arg ...]]\n" " ssh-agent [-c | -s] -k\n"); exit(1); } -@@ -1056,6 +1079,7 @@ main(int ac, char **av) +@@ -1168,6 +1191,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); @@ -72,16 +72,16 @@ disconnected. #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ -@@ -1069,7 +1093,7 @@ main(int ac, char **av) +@@ -1181,7 +1205,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); -- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { -+ while ((ch = getopt(ac, av, "cdksa:t:x")) != -1) { +- while ((ch = getopt(ac, av, "cdksE:a:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cdksE:a:t:x")) != -1) { switch (ch) { - case 'c': - if (s_flag) -@@ -1098,6 +1122,9 @@ main(int ac, char **av) + case 'E': + fingerprint_hash = ssh_digest_alg_by_name(optarg); +@@ -1215,6 +1239,9 @@ main(int ac, char **av) usage(); } break; diff --git a/security/openssh-portable/files/patch-sshconnect.c b/security/openssh-portable/files/patch-sshconnect.c new file mode 100644 index 000000000000..ddc4ae863a4c --- /dev/null +++ b/security/openssh-portable/files/patch-sshconnect.c @@ -0,0 +1,12 @@ +Added for bindresvport_sa(3) + +--- sshconnect.c.orig 2015-04-02 15:04:24.482112000 -0500 ++++ sshconnect.c 2015-04-02 15:04:26.735851000 -0500 +@@ -40,6 +40,7 @@ + #include <stdio.h> + #include <stdlib.h> + #include <string.h> ++#include <rpc/rpc.h> + #include <unistd.h> + + #include "xmalloc.h" |