Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 28 Jun 2018 03:38:33 +0000 (UTC)
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r473485 - in head/security/openssh-portable: . files
Message-ID:  <201806280338.w5S3cXeJ005107@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: bdrewery
Date: Thu Jun 28 03:38:32 2018
New Revision: 473485
URL: https://svnweb.freebsd.org/changeset/ports/473485

Log:
  - Fix and update HPN patch to latest from upstream but leave it off by
    default.
  - Add an 'hpn' FLAVOR to produce a package for users with HPN and
    NONECIPHER enabled.
  
  Approved by:	portmgr (implicit)

Modified:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/files/extra-patch-hpn
  head/security/openssh-portable/files/patch-servconf.c

Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile	Thu Jun 28 03:11:45 2018	(r473484)
+++ head/security/openssh-portable/Makefile	Thu Jun 28 03:38:32 2018	(r473485)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openssh
 DISTVERSION=	7.7p1
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -29,10 +29,18 @@ ETCOLD=			${PREFIX}/etc
 BROKEN_SSL=	openssl-devel
 BROKEN_SSL_REASON_openssl-devel=	error: OpenSSL >= 1.1.0 is not yet supported
 
+FLAVORS=			default hpn
+default_CONFLICTS_INSTALL=	openssl-portable-hpn-[0-9]*
+hpn_CONFLICTS_INSTALL=		openssh-portable-[0-9]*
+hpn_PKGNAMESUFFIX=		-portable-hpn
+
 OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN X509 KERB_GSSAPI \
 			LDNS NONECIPHER XMSS
 OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS
+.if ${FLAVOR:U} == hpn
+OPTIONS_DEFAULT+=	HPN NONECIPHER
+.endif
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC=	tcp_wrappers support
@@ -57,7 +65,6 @@ LDNS_EXTRA_PATCHES=	${FILESDIR}/extra-patch-ldns
 LDNS_CFLAGS=		-I${LOCALBASE}/include
 LDNS_CONFIGURE_ON=	--with-ldflags='-L${LOCALBASE}/lib'
 
-# http://www.psc.edu/index.php/hpn-ssh
 HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
 
@@ -103,12 +110,12 @@ EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 PATCHFILES+=	openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex
 .endif
 
-# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
+# https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
-BROKEN=			HPN: Not yet updated for ${DISTVERSION} and disabled in base
+#BROKEN=			HPN: Not yet updated for ${DISTVERSION} and disabled in base
 PORTDOCS+=		HPN-README
-HPN_VERSION=		14v5
-HPN_DISTVERSION=	6.7p1
+HPN_VERSION=		14v15
+HPN_DISTVERSION=	7.7p1
 #PATCH_SITES+=		SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
 #PATCHFILES+=		${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn:-p2

Modified: head/security/openssh-portable/files/extra-patch-hpn
==============================================================================
--- head/security/openssh-portable/files/extra-patch-hpn	Thu Jun 28 03:11:45 2018	(r473484)
+++ head/security/openssh-portable/files/extra-patch-hpn	Thu Jun 28 03:38:32 2018	(r473485)
@@ -131,11 +131,11 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +	 (tasota@gmail.com) an NSF REU grant recipient for 2013. 
 +	 This work was financed, in part, by Cisco System, Inc., the National 
 +         Library of Medicine, and the National Science Foundation. 
---- work.clean/openssh-6.8p1/channels.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/channels.c	2015-04-03 15:51:59.599537000 -0500
-@@ -183,8 +183,14 @@
- static int connect_next(struct channel_connect *);
- static void channel_connect_ctx_free(struct channel_connect *);
+--- work/openssh-7.7p1/channels.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/channels.c	2018-06-27 16:37:07.663857000 -0700
+@@ -215,6 +215,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
+ /* Setup helper */
+ static void channel_handler_init(struct ssh_channels *sc);
  
 +
 +#ifdef HPN_ENABLED
@@ -145,25 +145,23 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +
  /* -- channel core */
  
- Channel *
- channel_by_id(int id)
- {
-@@ -333,6 +339,9 @@
+ void
+@@ -391,6 +397,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
+ 	c->local_window = window;
  	c->local_window_max = window;
- 	c->local_consumed = 0;
  	c->local_maxpacket = maxpack;
 +#ifdef HPN_ENABLED
 +	c->dynamic_window = 0;
 +#endif
- 	c->remote_id = -1;
  	c->remote_name = xstrdup(remote_name);
- 	c->remote_window = 0;
-@@ -837,11 +846,41 @@
- 		FD_SET(c->sock, writeset);
+ 	c->ctl_chan = -1;
+ 	c->delayed = 1;		/* prevent call to channel_post handler */
+@@ -977,6 +986,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
+ 	FD_SET(c->sock, writeset);
  }
  
 +#ifdef HPN_ENABLED
-+static u_int
++static int
 +channel_tcpwinsz(void)
 +{
 +	u_int32_t tcpwinsz = 0;
@@ -172,56 +170,60 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +
 +	/* if we aren't on a socket return 128KB */
 +	if (!packet_connection_is_on_socket())
-+		return (128*1024);
++		return 128 * 1024;
++
 +	ret = getsockopt(packet_get_connection_in(),
-+	    SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
-+	/* return no more than SSHBUF_SIZE_MAX */
-+	if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX)
++			 SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
++	/* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
++	if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
 +		tcpwinsz = SSHBUF_SIZE_MAX;
-+	debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
-+	    packet_get_connection_in());
-+	return (tcpwinsz);
++
++	debug2("tcpwinsz: tcp connection %d, Receive window: %d",
++	       packet_get_connection_in(), tcpwinsz);
++	return tcpwinsz;
 +}
 +#endif
 +
  static void
- channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
- {
- 	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
- 
-+#ifdef HPN_ENABLED
-+	/* check buffer limits */
-+	if (!c->tcpwinsz || c->dynamic_window > 0)
-+		c->tcpwinsz = channel_tcpwinsz();
-+
-+	limit = MIN(limit, 2 * c->tcpwinsz);
-+#endif
-+
- 	if (c->istate == CHAN_INPUT_OPEN &&
- 	    limit > 0 &&
- 	    buffer_len(&c->input) < limit &&
-@@ -1846,6 +1885,20 @@
+ channel_pre_open(struct ssh *ssh, Channel *c,
+     fd_set *readset, fd_set *writeset)
+@@ -2074,21 +2107,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
  	    c->local_maxpacket*3) ||
  	    c->local_window < c->local_window_max/2) &&
  	    c->local_consumed > 0) {
++		u_int addition = 0;
 +#ifdef HPN_ENABLED
++		u_int32_t tcpwinsz = channel_tcpwinsz();
 +		/* adjust max window size if we are in a dynamic environment */
-+		if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
-+			u_int addition = 0;
-+
-+			/*
-+			 * grow the window somewhat aggressively to maintain
-+			 * pressure
-+			 */
-+			addition = 1.5*(c->tcpwinsz - c->local_window_max);
++		if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
++			/* grow the window somewhat aggressively to maintain pressure */
++			addition = 1.5 * (tcpwinsz - c->local_window_max);
 +			c->local_window_max += addition;
-+			c->local_consumed += addition;
++			debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
 +		}
 +#endif
- 		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
- 		packet_put_int(c->remote_id);
- 		packet_put_int(c->local_consumed);
-@@ -2794,6 +2847,17 @@
+ 		if (!c->have_remote_id)
+ 			fatal(":%s: channel %d: no remote id",
+ 			    __func__, c->self);
+ 		if ((r = sshpkt_start(ssh,
+ 		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
+ 		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+-		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
++		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+ 		    (r = sshpkt_send(ssh)) != 0) {
+ 			fatal("%s: channel %i: %s", __func__,
+ 			    c->self, ssh_err(r));
+ 		}
+ 		debug2("channel %d: window %d sent adjust %d",
+ 		    c->self, c->local_window,
+-		    c->local_consumed);
+-		c->local_window += c->local_consumed;
++		    c->local_consumed + addition);
++		c->local_window += c->local_consumed + addition;
+ 		c->local_consumed = 0;
+ 	}
+ 	return 1;
+@@ -3258,6 +3302,17 @@ channel_fwd_bind_addr(const char *listen_addr, int *wi
  	return addr;
  }
  
@@ -237,9 +239,9 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +#endif
 +
  static int
- channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
-     int *allocated_listen_port, struct ForwardOptions *fwd_opts)
-@@ -2918,9 +2982,20 @@
+ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
+     struct Forward *fwd, int *allocated_listen_port,
+@@ -3398,6 +3453,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
  		}
  
  		/* Allocate a channel number for the socket. */
@@ -249,136 +251,111 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +		 * window size.
 +		 */
 +		if (!hpn_disabled)
-+			c = channel_new("port listener", type, sock, sock, -1,
++			c = channel_new(ssh, "port listener", type, sock, sock, -1,
 +			    hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
 +			    0, "port listener", 1);
 +		else
 +#endif
- 		c = channel_new("port listener", type, sock, sock, -1,
+ 		c = channel_new(ssh, "port listener", type, sock, sock, -1,
  		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
  		    0, "port listener", 1);
- 		c->path = xstrdup(host);
- 		c->host_port = fwd->connect_port;
- 		c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
-@@ -3952,6 +4027,14 @@
+@@ -4457,6 +4523,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
  	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
  	for (n = 0; n < num_socks; n++) {
  		sock = socks[n];
 +#ifdef HPN_ENABLED
 +		if (!hpn_disabled)
-+			nc = channel_new("x11 listener",
++			nc = channel_new(ssh, "x11 listener",
 +			    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
 +			    hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
 +			    0, "X11 inet listener", 1);
 +		else
 +#endif
- 		nc = channel_new("x11 listener",
+ 		nc = channel_new(ssh, "x11 listener",
  		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
  		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
---- work.clean/openssh-6.8p1/channels.h	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/channels.h	2015-04-03 13:58:44.472717000 -0500
-@@ -136,6 +136,10 @@
+--- work/openssh-7.7p1/channels.h.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/channels.h	2018-06-27 16:38:40.766588000 -0700
+@@ -143,6 +143,9 @@ struct Channel {
  	u_int	local_maxpacket;
  	int     extended_usage;
  	int	single_connection;
 +#ifdef HPN_ENABLED
 +	int	dynamic_window;
-+	u_int	tcpwinsz;
 +#endif
  
  	char   *ctype;		/* type */
  
-@@ -311,4 +315,9 @@
- void	 chan_write_failed(Channel *);
- void	 chan_obuf_empty(Channel *);
- 
+@@ -335,5 +338,10 @@ void	 chan_ibuf_empty(struct ssh *, Channel *);
+ void	 chan_rcvd_ieof(struct ssh *, Channel *);
+ void	 chan_write_failed(struct ssh *, Channel *);
+ void	 chan_obuf_empty(struct ssh *, Channel *);
++
 +#ifdef HPN_ENABLED
 +/* hpn handler */
 +void     channel_set_hpn(int, int);
 +#endif
-+
+ 
  #endif
---- work.clean/openssh-6.8p1/cipher.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/cipher.c	2015-04-03 16:22:04.972592000 -0500
-@@ -273,7 +273,13 @@ ciphers_valid(const char *names)
+--- work/openssh-7.7p1/cipher.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/cipher.c	2018-06-27 16:55:43.165788000 -0700
+@@ -212,7 +212,12 @@ ciphers_valid(const char *names)
  	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
  	    (p = strsep(&cp, CIPHER_SEP))) {
  		c = cipher_by_name(p);
--		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
-+		if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
 +#ifdef NONE_CIPHER_ENABLED
-+				  c->number != SSH_CIPHER_NONE
++		if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 &&
++		    (c->flags & CFLAG_NONE) != 0)) {
 +#else
-+				  1
+ 		if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
 +#endif
-+				  )) {
  			free(cipher_list);
  			return 0;
  		}
-@@ -605,6 +611,9 @@ cipher_get_keyiv(struct sshcipher_ctx *c
- 
- 	switch (c->number) {
- #ifdef WITH_OPENSSL
-+#ifdef NONE_CIPHER_ENABLED
-+	case SSH_CIPHER_NONE:
-+#endif
- 	case SSH_CIPHER_SSH2:
- 	case SSH_CIPHER_DES:
- 	case SSH_CIPHER_BLOWFISH:
-@@ -653,6 +662,9 @@ cipher_set_keyiv(struct sshcipher_ctx *c
- 
- 	switch (c->number) {
- #ifdef WITH_OPENSSL
-+#ifdef NONE_CIPHER_ENABLED
-+	case SSH_CIPHER_NONE:
-+#endif
- 	case SSH_CIPHER_SSH2:
- 	case SSH_CIPHER_DES:
- 	case SSH_CIPHER_BLOWFISH:
---- work.clean/openssh-6.8p1/clientloop.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/clientloop.c	2015-04-03 17:29:40.618489000 -0500
-@@ -1909,6 +1909,15 @@
- 	sock = x11_connect_display();
+--- work/openssh-7.7p1/clientloop.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/clientloop.c	2018-06-27 16:40:24.560906000 -0700
+@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
+ 	sock = x11_connect_display(ssh);
  	if (sock < 0)
  		return NULL;
 +#ifdef HPN_ENABLED
 +	/* again is this really necessary for X11? */
 +	if (!options.hpn_disabled)
-+		c = channel_new("x11",
++		c = channel_new(ssh, "x11",
 +		    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 +		    options.hpn_buffer_size,
 +		    CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 +	else
 +#endif
- 	c = channel_new("x11",
+ 	c = channel_new(ssh, "x11",
  	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
  	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-@@ -1934,6 +1943,14 @@
+@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
  			    __func__, ssh_err(r));
  		return NULL;
  	}
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		c = channel_new("authentication agent connection",
++		c = channel_new(ssh, "authentication agent connection",
 +		    SSH_CHANNEL_OPEN, sock, sock, -1,
 +		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
 +		    "authentication agent connection", 1);
 +	else
 +#endif
- 	c = channel_new("authentication agent connection",
+ 	c = channel_new(ssh, "authentication agent connection",
  	    SSH_CHANNEL_OPEN, sock, sock, -1,
  	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-@@ -1964,6 +1981,12 @@
- 		return -1;
+@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
  	}
+ 	debug("Tunnel forwarding using interface %s", ifname);
  
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
++		c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 +		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 +	else
 +#endif
- 	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ 	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
  	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
  	c->datagram = 1;
 --- work.clean/openssh-6.8p1/compat.c	2015-03-17 00:49:20.000000000 -0500
@@ -470,9 +447,9 @@ diff -urN -x configure -x config.guess -x config.h.in 
  		debug("kex: %s cipher: %s MAC: %s compression: %s",
  		    ctos ? "client->server" : "server->client",
  		    newkeys->enc.name,
---- work.clean/openssh-7.2p1/packet.c.orig	2016-02-25 19:40:04.000000000 -0800
-+++ work.clean/openssh-7.2p1/packet.c	2016-02-29 08:05:15.744201000 -0800
-@@ -1037,6 +1037,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
+--- work/openssh-7.7p1/packet.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/packet.c	2018-06-27 16:42:42.739507000 -0700
+@@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
  	return 0;
  }
  
@@ -497,11 +474,13 @@ diff -urN -x configure -x config.guess -x config.h.in 
  #define MAX_PACKETS	(1U<<31)
  static int
  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -1055,6 +1073,12 @@ ssh_packet_need_rekeying(struct ssh *ssh
+@@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou
  	/* Peer can't rekey */
  	if (ssh->compat & SSH_BUG_NOREKEY)
  		return 0;
 +#ifdef NONE_CIPHER_ENABLED
++	/* used to force rekeying when called for by the none
++         * cipher switch methods -cjr */
 +        if (rekey_requested == 1) {
 +               rekey_requested = 0;
 +               return 1;
@@ -524,11 +503,21 @@ diff -urN -x configure -x config.guess -x config.h.in 
  /* OLD API */
  extern struct ssh *active_state;
  #include "opacket.h"
---- work/openssh-6.9p1/readconf.c.orig	2015-07-27 13:32:13.169218000 -0500
-+++ work/openssh-6.9p1/readconf.c	2015-07-27 13:33:00.429332000 -0500
-@@ -153,6 +153,12 @@ typedef enum {
- 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- 	oVisualHostKey, oUseRoaming,
+--- work/openssh-7.7p1/readconf.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/readconf.c	2018-06-27 16:58:41.109275000 -0700
+@@ -66,6 +66,9 @@
+ #include "uidswap.h"
+ #include "myproposal.h"
+ #include "digest.h"
++#ifdef HPN_ENABLED
++#include "sshbuf.h"
++#endif
+ 
+ /* Format of the configuration file:
+ 
+@@ -167,6 +170,12 @@ typedef enum {
+ 	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ 	oVisualHostKey,
  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
 +#ifdef HPN_ENABLED
 +	oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
@@ -539,7 +528,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
  	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
  	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-@@ -277,6 +283,16 @@ static struct {
+@@ -304,6 +313,16 @@ static struct {
  	{ "updatehostkeys", oUpdateHostkeys },
  	{ "hostbasedkeytypes", oHostbasedKeyTypes },
  	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
@@ -554,9 +543,9 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +	{ "hpnbuffersize", oHPNBufferSize },
 +#endif
  	{ "ignoreunknown", oIgnoreUnknown },
+ 	{ "proxyjump", oProxyJump },
  
- 	{ NULL, oBadOption }
-@@ -906,6 +922,44 @@ parse_time:
+@@ -962,6 +981,44 @@ parse_time:
  		intptr = &options->check_host_ip;
  		goto parse_flag;
  
@@ -601,7 +590,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	case oVerifyHostKeyDNS:
  		intptr = &options->verify_host_key_dns;
  		multistate_ptr = multistate_yesnoask;
-@@ -1665,6 +1719,16 @@ initialize_options(Options * options)
+@@ -1833,6 +1890,16 @@ initialize_options(Options * options)
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->request_tty = -1;
@@ -618,7 +607,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	options->proxy_use_fdpass = -1;
  	options->ignored_unknown = NULL;
  	options->num_canonical_domains = 0;
-@@ -1826,6 +1890,35 @@ fill_default_options(Options * options)
+@@ -1979,6 +2046,34 @@ fill_default_options(Options * options)
  		options->server_alive_interval = 0;
  	if (options->server_alive_count_max == -1)
  		options->server_alive_count_max = 3;
@@ -635,11 +624,10 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +		/* if a user tries to set the size to 0 set it to 1KB */
 +		if (options->hpn_buffer_size == 0)
 +			options->hpn_buffer_size = 1;
-+		/* limit the buffer to 64MB */
-+		if (options->hpn_buffer_size > 64*1024) {
-+			options->hpn_buffer_size = 64*1024*1024;
-+			debug("User requested buffer larger than 64MB. Request"
-+			    " reverted to 64MB");
++		/* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
++		if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
++			options->hpn_buffer_size = SSHBUF_SIZE_MAX;
++			debug("User requested buffer larger than 256MB. Request reverted to 256MB");
 +		} else
 +			options->hpn_buffer_size *= 1024;
 +		debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
@@ -693,9 +681,19 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	struct timeval tv[2];
  
  #define	atime	tv[0]
---- work/openssh/servconf.c.orig	2015-05-29 03:27:21.000000000 -0500
-+++ work/openssh/servconf.c	2015-06-02 09:56:36.041601000 -0500
-@@ -159,6 +159,14 @@ initialize_server_options(ServerOptions 
+--- work/openssh-7.7p1/servconf.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/servconf.c	2018-06-27 17:01:05.276677000 -0700
+@@ -63,6 +63,9 @@
+ #include "auth.h"
+ #include "myproposal.h"
+ #include "digest.h"
++#ifdef HPN_ENABLED
++#include "sshbuf.h"
++#endif
+ 
+ static void add_listen_addr(ServerOptions *, const char *,
+     const char *, int);
+@@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options)
  	options->authorized_principals_file = NULL;
  	options->authorized_principals_command = NULL;
  	options->authorized_principals_command_user = NULL;
@@ -710,7 +708,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->version_addendum = NULL;
-@@ -319,6 +327,57 @@ fill_default_server_options(ServerOption
+@@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options)
  	}
  	if (options->permit_tun == -1)
  		options->permit_tun = SSH_TUNMODE_NO;
@@ -754,9 +752,9 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +		if (options->hpn_disabled <= 0) {
 +			if (options->hpn_buffer_size == 0)
 +				options->hpn_buffer_size = 1;
-+			/* limit the maximum buffer to 64MB */
-+			if (options->hpn_buffer_size > 64*1024) {
-+				options->hpn_buffer_size = 64*1024*1024;
++			/* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
++			if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
++				options->hpn_buffer_size = SSHBUF_SIZE_MAX;
 +			} else {
 +				options->hpn_buffer_size *= 1024;
 +			}
@@ -768,7 +766,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	if (options->ip_qos_interactive == -1)
  		options->ip_qos_interactive = IPTOS_LOWDELAY;
  	if (options->ip_qos_bulk == -1)
-@@ -412,6 +471,12 @@ typedef enum {
+@@ -466,6 +528,12 @@ typedef enum {
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
  	sHostCertificate,
  	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
@@ -781,7 +779,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
  	sKexAlgorithms, sIPQoS, sVersionAddendum,
  	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-@@ -548,6 +613,14 @@ static struct {
+@@ -603,6 +671,14 @@ static struct {
  	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@@ -796,10 +794,11 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
  	{ "ipqos", sIPQoS, SSHCFG_ALL },
  	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -1153,6 +1226,25 @@ process_server_config_line(ServerOptions
+@@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha
+ 	case sIgnoreUserKnownHosts:
  		intptr = &options->ignore_user_known_hosts;
  		goto parse_flag;
- 
++
 +#ifdef NONE_CIPHER_ENABLED
 +	case sNoneEnabled:
 +		intptr = &options->none_enabled;
@@ -818,10 +817,9 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +		intptr = &options->hpn_buffer_size;
 +		goto parse_int;
 +#endif
-+
+ 
  	case sHostbasedAuthentication:
  		intptr = &options->hostbased_authentication;
- 		goto parse_flag;
 --- work.clean/openssh-6.8p1/servconf.h	2015-03-17 00:49:20.000000000 -0500
 +++ work/openssh-6.8p1/servconf.h	2015-04-03 13:48:37.316827000 -0500
 @@ -169,6 +169,15 @@
@@ -840,23 +838,23 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	int	permit_tun;
  
  	int	num_permitted_opens;
---- work.clean/openssh-6.8p1/serverloop.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/serverloop.c	2015-04-03 17:14:15.182548000 -0500
-@@ -526,6 +526,12 @@ server_request_tun(void)
- 	sock = tun_open(tun, mode);
- 	if (sock < 0)
+--- work/openssh-7.7p1/serverloop.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/serverloop.c	2018-06-27 16:53:02.246871000 -0700
+@@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh)
  		goto done;
+ 	debug("Tunnel forwarding using interface %s", ifname);
+ 
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
++		c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
 +		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 +	else
 +#endif
- 	c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ 	c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
  	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
  	c->datagram = 1;
-@@ -563,6 +569,10 @@ server_request_session(void)
- 	c = channel_new("session", SSH_CHANNEL_LARVAL,
+@@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh)
+ 	c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
  	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
  	    0, "server-session", 1);
 +#ifdef HPN_ENABLED
@@ -865,22 +863,22 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +#endif
  	if (session_open(the_authctxt, c->self) != 1) {
  		debug("session open failed, free channel %d", c->self);
- 		channel_free(c);
---- work.clean/openssh-6.8p1/session.c	2015-04-01 22:07:18.149110000 -0500
-+++ work/openssh-6.8p1/session.c	2015-04-03 17:09:02.984097000 -0500
-@@ -2340,6 +2340,14 @@
+ 		channel_free(ssh, c);
+--- work/openssh-7.7p1/session.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/session.c	2018-06-27 17:01:40.730347000 -0700
+@@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s,
  	 */
  	if (s->chanid == -1)
  		fatal("no channel for session %d", s->self);
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		channel_set_fds(s->chanid,
++		channel_set_fds(ssh, s->chanid,
 +		    fdout, fdin, fderr,
 +		    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
 +		    1, is_tty, options.hpn_buffer_size);
 +	else
 +#endif
- 	channel_set_fds(s->chanid,
+ 	channel_set_fds(ssh, s->chanid,
  	    fdout, fdin, fderr,
  	    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
 --- work.clean/openssh-6.8p1/sftp.1	2015-03-17 00:49:20.000000000 -0500
@@ -909,9 +907,9 @@ diff -urN -x configure -x config.guess -x config.h.in 
  
  /* File to read commands from */
  FILE* infile;
---- work.clean/openssh-6.8p1/ssh.c	2015-04-01 22:07:18.166356000 -0500
-+++ work/openssh-6.8p1/ssh.c	2015-04-03 17:16:34.114673000 -0500
-@@ -885,6 +885,14 @@
+--- work/openssh-7.7p1/ssh.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/ssh.c	2018-06-27 17:05:30.011979000 -0700
+@@ -954,6 +954,14 @@ main(int ac, char **av)
  			break;
  		case 'T':
  			options.request_tty = REQUEST_TTY_NO;
@@ -926,80 +924,91 @@ diff -urN -x configure -x config.guess -x config.h.in 
  			break;
  		case 'o':
  			line = xstrdup(optarg);
-@@ -1848,9 +1856,85 @@
- 	if (!isatty(err))
- 		set_nonblock(err);
+@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
+ 	    NULL, fileno(stdin), &command, environ);
+ }
  
-+#ifdef HPN_ENABLED
++static void
++hpn_options_init(void)
++{
 +	/*
-+	 * we need to check to see if what they want to do about buffer
++	 * We need to check to see if what they want to do about buffer
 +	 * sizes here. In a hpn to nonhpn connection we want to limit
 +	 * the window size to something reasonable in case the far side
 +	 * has the large window bug. In hpn to hpn connection we want to
 +	 * use the max window size but allow the user to override it
-+	 * lastly if they disabled hpn then use the ssh std window size
-+
-+	 * so why don't we just do a getsockopt() here and set the
++	 * lastly if they disabled hpn then use the ssh std window size.
++	 *
++	 * So why don't we just do a getsockopt() here and set the
 +	 * ssh window to that? In the case of a autotuning receive
 +	 * window the window would get stuck at the initial buffer
 +	 * size generally less than 96k. Therefore we need to set the
 +	 * maximum ssh window size to the maximum hpn buffer size
 +	 * unless the user has specifically set the tcprcvbufpoll
 +	 * to no. In which case we *can* just set the window to the
-+	 * minimum of the hpn buffer size and tcp receive buffer size
++	 * minimum of the hpn buffer size and tcp receive buffer size.
 +	 */
 +
 +	if (tty_flag)
 +		options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
 +	else
-+		options.hpn_buffer_size = 2*1024*1024;
++		options.hpn_buffer_size = 2 * 1024 * 1024;
 +
 +	if (datafellows & SSH_BUG_LARGEWINDOW) {
 +		debug("HPN to Non-HPN Connection");
 +	} else {
 +		int sock, socksize;
-+		socklen_t socksizelen = sizeof(socksize);
-+
++		socklen_t socksizelen;
 +		if (options.tcp_rcv_buf_poll <= 0) {
 +			sock = socket(AF_INET, SOCK_STREAM, 0);
++			socksizelen = sizeof(socksize);
 +			getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+			    &socksize, &socksizelen);
++				   &socksize, &socksizelen);
 +			close(sock);
 +			debug("socksize %d", socksize);
 +			options.hpn_buffer_size = socksize;
-+			debug ("HPNBufferSize set to TCP RWIN: %d",
-+			    options.hpn_buffer_size);
++			debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
 +		} else {
 +			if (options.tcp_rcv_buf > 0) {
 +				/*
-+				 * create a socket but don't connect it.
++				 * Create a socket but don't connect it:
 +				 * we use that the get the rcv socket size
 +				 */
 +				sock = socket(AF_INET, SOCK_STREAM, 0);
 +				/*
-+				 * if they are using the tcp_rcv_buf option
-+				 * attempt to set the buffer size to that
++				 * If they are using the tcp_rcv_buf option,
++				 * attempt to set the buffer size to that.
 +				 */
-+				if (options.tcp_rcv_buf)
++				if (options.tcp_rcv_buf) {
++					socksizelen = sizeof(options.tcp_rcv_buf);
 +					setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+					    (void *)&options.tcp_rcv_buf,
-+					    sizeof(options.tcp_rcv_buf));
++						   &options.tcp_rcv_buf, socksizelen);
++				}
++				socksizelen = sizeof(socksize);
 +				getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+				    &socksize, &socksizelen);
++					   &socksize, &socksizelen);
 +				close(sock);
 +				debug("socksize %d", socksize);
 +				options.hpn_buffer_size = socksize;
-+				debug ("HPNBufferSize set to user TCPRcvBuf: "
-+				    "%d", options.hpn_buffer_size);
++				debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
 +			}
 +		}
 +	}
 +
 +	debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
 +
-+	window = options.hpn_buffer_size;
-+
 +	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
++}
++
+ /* open new channel for a session */
+ static int
+ ssh_session2_open(struct ssh *ssh)
+@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh)
+ 	if (!isatty(err))
+ 		set_nonblock(err);
+ 
++#ifdef HPN_ENABLED
++	window = options.hpn_buffer_size;
 +#else
  	window = CHAN_SES_WINDOW_DEFAULT;
 +#endif
@@ -1012,7 +1021,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  		window >>= 1;
  		packetmax >>= 1;
  	}
-@@ -1859,6 +1943,12 @@
+@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh)
  	    window, packetmax, CHAN_EXTENDED_WRITE,
  	    "client-session", /*nonblock*/0);
  
@@ -1022,17 +1031,47 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +		debug ("Enabled Dynamic Window Scaling");
 +	}
 +#endif
- 	debug3("ssh_session2_open: channel_new: %d", c->self);
+ 	debug3("%s: channel_new: %d", __func__, c->self);
  
- 	channel_send_open(c->self);
---- work.clean/openssh-6.8p1/sshconnect.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/sshconnect.c	2015-04-03 16:32:38.204744000 -0500
-@@ -266,6 +266,31 @@
- 		kill(proxy_command_pid, SIGHUP);
+ 	channel_send_open(ssh, c->self);
+@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
+ {
+ 	int devnull, id = -1;
+ 	char *cp, *tun_fwd_ifname = NULL;
++
++#ifdef HPN_ENABLED
++	/*
++	 * We need to initialize this early because the forwarding logic below
++	 * might open channels that use the hpn buffer sizes.  We can't send a
++	 * window of -1 (the default) to the server as it breaks things.
++	 */
++	hpn_options_init();
++#endif
+ 
+ 	/* XXX should be pre-session */
+ 	if (!options.control_persist)
+--- work/openssh-7.7p1/sshbuf.h.orig	2018-06-27 16:11:24.503058000 -0700
++++ work/openssh-7.7p1/sshbuf.h	2018-06-27 16:12:01.359375000 -0700
+@@ -28,7 +28,11 @@
+ # endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
+ 
++#ifdef HPN_ENABLED
++#define SSHBUF_SIZE_MAX		0xF000000	/* Hard maximum size 256MB */
++#else
+ #define SSHBUF_SIZE_MAX		0x8000000	/* Hard maximum size */
++#endif
+ #define SSHBUF_REFS_MAX		0x100000	/* Max child buffers */
+ #define SSHBUF_MAX_BIGNUM	(16384 / 8)	/* Max bignum *bytes* */
+ #define SSHBUF_MAX_ECPOINT	((528 * 2 / 8) + 1) /* Max EC point *bytes* */
+--- work/openssh-7.7p1/sshconnect.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/sshconnect.c	2018-06-26 15:55:19.103812000 -0700
+@@ -337,7 +337,32 @@ check_ifaddrs(const char *ifname, int af, const struct
  }
+ #endif
  
 +#ifdef HPN_ENABLED
-+/*
+ /*
 + * Set TCP receive buffer if requested.
 + * Note: tuning needs to happen after the socket is
 + * created but before the connection happens
@@ -1056,10 +1095,11 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +}
 +#endif
 +
- /*
++/*
   * Creates a (possibly privileged) socket for use as the ssh connection.
   */
-@@ -282,6 +307,11 @@
+ static int
+@@ -359,6 +384,11 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
  	}
  	fcntl(sock, F_SETFD, FD_CLOEXEC);
  
@@ -1069,54 +1109,42 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +#endif
 +
  	/* Bind the socket to an alternative local IP address */
- 	if (options.bind_address == NULL && !privileged)
- 		return sock;
-@@ -523,11 +553,23 @@ send_client_banner(int connection_out, i
+ 	if (options.bind_address == NULL && options.bind_interface == NULL &&
+ 	    !privileged)
+@@ -637,8 +667,14 @@ static void
+ send_client_banner(int connection_out, int minor1)
  {
  	/* Send our own protocol version identification. */
- 	if (compat20) {
--		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
--		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+		xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
-+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+-	xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
++	xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +#ifdef HPN_ENABLED
-+		    options.hpn_disabled ? "" : SSH_HPN
++	    options.hpn_disabled ? "" : SSH_HPN
 +#else
-+		    ""
++	    ""
 +#endif
-+		    );
- 	} else {
--		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
--		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-+		xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\n",
-+		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION,
-+#ifdef HPN_ENABLED
-+		    options.hpn_disabled ? "" : SSH_HPN
-+#else
-+		    ""
-+#endif
-+		    );
- 	}
- 	if (roaming_atomicio(vwrite, connection_out, client_version_string,
++	);
+ 	if (atomicio(vwrite, connection_out, client_version_string,
  	    strlen(client_version_string)) != strlen(client_version_string))
---- work.clean/openssh-7.2p1/sshconnect2.c.orig	2016-02-25 19:40:04.000000000 -0800
-+++ work.clean/openssh-7.2p1/sshconnect2.c	2016-02-29 08:06:31.134954000 -0800
-@@ -81,6 +81,14 @@
+ 		fatal("write: %.100s", strerror(errno));
+--- work/openssh-7.7p1/sshconnect2.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/sshconnect2.c	2018-06-27 17:11:17.543893000 -0700
+@@ -81,7 +81,13 @@
  extern char *client_version_string;
  extern char *server_version_string;
  extern Options options;
 +#ifdef NONE_CIPHER_ENABLED
-+struct kex *xxx_kex;
-+
 +/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
 +/* if it is set then prevent the switch to the null cipher */
-+
+ 
 +extern int tty_flag;
 +#endif
- 
++
  /*
   * SSH2 key exchange
-@@ -154,14 +162,17 @@ order_hostkeyalgs(char *host, struct soc
+  */
+@@ -154,14 +160,17 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
  	return ret;
  }
  
@@ -1135,18 +1163,8 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	xxx_host = host;
  	xxx_hostaddr = hostaddr;
  
-@@ -235,6 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho
- 	packet_send();
- 	packet_write_wait();
- #endif
-+#ifdef NONE_CIPHER_ENABLED
-+	xxx_kex = kex;
-+#endif
- }
+@@ -409,6 +418,30 @@ ssh_userauth2(const char *local_user, const char *serv
  
- /*
-@@ -407,6 +421,29 @@ ssh_userauth2(const char *local_user, co
- 
  	if (!authctxt.success)
  		fatal("Authentication failed.");
 +#ifdef NONE_CIPHER_ENABLED
@@ -1159,9 +1177,10 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +	if ((options.none_switch == 1) && (options.none_enabled == 1)) {
 +		if (!tty_flag) { /* no null on tty sessions */
 +			debug("Requesting none rekeying...");
++			memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
 +			myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
 +			myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
-+			kex_prop2buf(xxx_kex->my, myproposal);
++			kex_prop2buf(active_state->kex->my, myproposal);
 +			packet_request_rekeying();
 +			fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
 +		} else {
@@ -1175,9 +1194,9 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	debug("Authentication succeeded (%s).", authctxt.method->name);
  }
  
---- work.clean/openssh-7.1p1/sshd.c.orig	2015-08-20 21:49:03.000000000 -0700
-+++ work.clean/openssh-7.1p1/sshd.c	2015-11-11 12:45:48.202186000 -0800
-@@ -373,8 +373,13 @@ sshd_exchange_identification(struct ssh 
+--- work/openssh-7.7p1/sshd.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/sshd.c	2018-06-27 17:13:03.176633000 -0700
+@@ -372,8 +372,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock
  	char buf[256];			/* Must not be larger than remote_version. */
  	char remote_version[256];	/* Must be at least as big as buf. */
  
@@ -1192,8 +1211,8 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	    *options.version_addendum == '\0' ? "" : " ",
  	    options.version_addendum);
  
-@@ -1027,6 +1032,10 @@ server_listen(void)
- 	int ret, listen_sock, on = 1;
+@@ -1025,6 +1030,10 @@ listen_on_addrs(struct listenaddr *la)
+ 	int ret, listen_sock;
  	struct addrinfo *ai;
  	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
 +#ifdef HPN_ENABLED
@@ -1201,9 +1220,9 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +	socklen_t socksizelen = sizeof(socksize);
 +#endif
  
- 	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
+ 	for (ai = la->addrs; ai; ai = ai->ai_next) {
  		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1072,6 +1081,13 @@ server_listen(void)
+@@ -1070,6 +1079,13 @@ listen_on_addrs(struct listenaddr *la)
  
  		debug("Bind to port %s on %s.", strport, ntop);

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201806280338.w5S3cXeJ005107>