From 2b97acc0eb7af4bb0e9f8069de7be115ee5d80b1 Mon Sep 17 00:00:00 2001 
From: des Date: Sun, 24 Jan 2016 22:28:18 +0000 Subject: [PATCH] MFH (r291198, r291260, r291261, r291375, r294325, r294335, r294563) Remove the HPN and None cipher patches. git-svn-id: svn://svn.freebsd.org/base/stable/10@294693 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 4 + crypto/openssh/README.hpn | 120 ------------------ crypto/openssh/auth-pam.c | 2 +- crypto/openssh/auth2-chall.c | 1 - crypto/openssh/bufaux.c | 1 - crypto/openssh/buffer.c | 10 +- crypto/openssh/buffer.h | 3 - crypto/openssh/channels.c | 97 ++------------- crypto/openssh/channels.h | 8 -- crypto/openssh/cipher.c | 14 +-- crypto/openssh/clientloop.c | 36 ++---- crypto/openssh/compat.c | 11 -- crypto/openssh/compat.h | 3 - crypto/openssh/configure.ac | 1 + crypto/openssh/digest-libc.c | 1 - crypto/openssh/freebsd-post-merge.sh | 2 +- crypto/openssh/freebsd-pre-merge.sh | 2 +- crypto/openssh/kex.c | 26 +--- crypto/openssh/kex.h | 5 - crypto/openssh/misc.c | 32 ----- crypto/openssh/misc.h | 2 - crypto/openssh/monitor.c | 1 - crypto/openssh/monitor_wrap.c | 1 - crypto/openssh/myproposal.h | 4 - crypto/openssh/packet.c | 26 ---- crypto/openssh/packet.h | 7 -- crypto/openssh/readconf.c | 99 +-------------- crypto/openssh/readconf.h | 14 +-- crypto/openssh/servconf.c | 70 +---------- crypto/openssh/servconf.h | 9 -- crypto/openssh/serverloop.c | 13 +- crypto/openssh/session.c | 17 +-- crypto/openssh/sftp.1 | 4 +- crypto/openssh/sftp.c | 3 +- crypto/openssh/ssh-agent.1 | 2 +- crypto/openssh/ssh.c | 58 +-------- crypto/openssh/ssh_config | 3 +- crypto/openssh/ssh_config.5 | 2 +- crypto/openssh/ssh_namespace.h | 123 ++++++++++++++++--- crypto/openssh/sshconnect.c | 30 +---- crypto/openssh/sshconnect2.c | 34 ----- crypto/openssh/sshd.c | 28 +---- crypto/openssh/sshd_config | 15 +-- crypto/openssh/sshd_config.5 | 2 +- crypto/openssh/version.h | 3 +- secure/lib/libssh/Makefile | 4 - secure/usr.bin/ssh/Makefile | 4 - secure/usr.sbin/sshd/Makefile | 4 - share/mk/bsd.own.mk | 1 - 
tools/build/options/WITH_OPENSSH_NONE_CIPHER | 9 --
50 files changed, 173 insertions(+), 798 deletions(-)
delete mode 100644 crypto/openssh/README.hpn
delete mode 100644 tools/build/options/WITH_OPENSSH_NONE_CIPHER
diff --git a/UPDATING b/UPDATING
index c737b7136..387d1175e 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile.
+20160124:
+ The NONE and HPN patches has been removed from OpenSSH. They are
+ still available in the security/openssh-portable port.
+
 20151214: r292223 changed the internal interface between the nfsd.ko and nfscommon.ko modules. As such, they must both be upgraded to-gether.
diff --git a/crypto/openssh/README.hpn b/crypto/openssh/README.hpn
deleted file mode 100644
index 674827fb6..000000000
--- a/crypto/openssh/README.hpn
+++ /dev/null
@@ -1,120 +0,0 @@ -Notes: - -NONE CIPHER: - To use the NONE option you must have the NoneEnabled switch set on the server - and you MUST have *both* NoneEnabled and NoneSwitch set to yes on the client. - The NONE feature works with ALL ssh subsystems (as far as we can tell) - as long as there is no tty allocated. - If a user uses the -T switch to prevent a tty being created the NONE cipher - will be disabled. - - -PERFORMANCE: - The performance increase will only be as good as the network and TCP stack - tuning on the reciever side of the connection allows. As a rule of thumb a - user will need at least 10Mb/s connection with a 100ms RTT to see a doubling - of performance. - The HPN-SSH home page http://www.psc.edu/networking/projects/hpn-ssh - describes this in greater detail. - - -BUFFER SIZES: -- if HPN is disabled the receive buffer size will be set to the OpenSSH default - of 64K. - -- if a HPN system connects to a non-HPN system the receive buffer will - be set to the HPNBufferSize value. The default is 2MB but user adjustable. - -- If a HPN to HPN connection is established a number of different things might - happen based on the user options and conditions. - - Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set - Result: HPN Buffer Size = up to 64MB - This is the default state. The HPN buffer size will grow to a maximum of - 64MB as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB - is geared towards 10GigE transcontinental connections. - - Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set - Result: HPN Buffer Size = TCP receive buffer value. - Users on non-autotuning systesm should disable TCPRcvBufPoll in the - ssh_cofig and sshd_config - - Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set - Result: HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. - This would be the system defined TCP receive buffer (RWIN). 
- - Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET - Result: HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. - Generally there is no need to set both. - - Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set - Result: HPN Buffer Size = grows to HPNBufferSize - The buffer will grow up to the maximum size specified here. - - Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET - Result: HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. - Generally there is no need to set both of these, especially on autotuning - systems. However, if the users wishes to override the autotuning this would - be one way to do it. - - Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET - Result: HPN Buffer Size = TCPRcvBuf. - This will override autotuning and set the TCP recieve buffer to the user - defined value. - - -HPN SPECIFIC CONFIGURATION OPTIONS: - -- HPNDisabled=[yes/no] client/server - In some situations, such as transfers on a local area network, the impact - of the HPN code produces a net decrease in performance. In these cases it is - helpful to disable the HPN functionality. By default HPNDisabled is set to no. - -- HPNBufferSize=[int]KB client/server - This is the default buffer size the HPN functionality uses when interacting - with non-HPN SSH installations. Conceptually this is similar to the TcpRcvBuf - option as applied to the internal SSH flow control. This value can range from - 1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause - performance problems depending on the roud trip time of the network path. - The default size of this buffer is 2MB. - -- TcpRcvBufPoll=[yes/no] client/server - Enable or disable the polling of the TCP receive buffer through the life - of the connection. You would want to make sure that this option is enabled - for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista, - FreeBSD 7.x and later). Default is yes. 
- -- TcpRcvBuf=[int]KB client - Set the TCP socket receive buffer to n Kilobytes. It can be set up to the - maximum socket size allowed by the system. This is useful in situations where - the TCP receive window is set low but the maximum buffer size is set higher - (as is typical). This works on a per TCP connection basis. You can also use - this to artifically limit the transfer rate of the connection. In these cases - the throughput will be no more than n/RTT. The minimum buffer size is 1KB. - Default is the current system wide TCP receive buffer size. - -- NoneEnabled=[yes/no] client/server - Enable or disable the use of the None cipher. Care must always be used when - enabling this as it will allow users to send data in the clear. However, it - is important to note that authentication information remains encrypted even - if this option is enabled. Set to no by default. - -- NoneSwitch=[yes/no] client - Switch the encryption cipher being used to the None cipher after - authentication takes place. NoneEnabled must be enabled on both the client - and server side of the connection. When the connection switches to the NONE - cipher a warning is sent to STDERR. The connection attempt will fail with an - error if a client requests a NoneSwitch from the server that does not - explicitly have NoneEnabled set to yes. - Note: The NONE cipher cannot be used in interactive (shell) sessions and it - will fail silently. Set to no by default. - - -CREDITS: - - This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu) - The majority of the actual coding for versions up to HPN12v1 was performed - by Michael Stevens (mstevens@andrew.cmu.edu). - The MT-AES-CTR cipher was implemented by Ben Bennet (ben@psc.edu). - This work was financed, in part, by Cisco System, Inc., the National Library - of Medicine, and the National Science Foundation. diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c index 50d5d808b..d789bad7b 100644 
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -45,7 +45,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* Based on $FreeBSD$ */
+/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
 #include
diff --git a/crypto/openssh/auth2-chall.c b/crypto/openssh/auth2-chall.c
index 0de721e16..791be5ca3 100644
--- a/crypto/openssh/auth2-chall.c
+++ b/crypto/openssh/auth2-chall.c
@@ -25,7 +25,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
diff --git a/crypto/openssh/bufaux.c b/crypto/openssh/bufaux.c
index b33ef752e..f6a6f2ab2 100644
--- a/crypto/openssh/bufaux.c
+++ b/crypto/openssh/bufaux.c
@@ -38,7 +38,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c
index f20d5583d..d240f6753 100644
--- a/crypto/openssh/buffer.c
+++ b/crypto/openssh/buffer.c
@@ -13,7 +13,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
@@ -27,7 +26,7 @@ __RCSID("$FreeBSD$");
 #include "log.h"
 #define BUFFER_MAX_CHUNK 0x100000
-#define BUFFER_MAX_LEN 0x4000000 /* 64MB */
+#define BUFFER_MAX_LEN 0xa00000
 #define BUFFER_ALLOCSZ 0x008000
 /* Initializes the buffer structure. */
@@ -167,13 +166,6 @@ buffer_len(const Buffer *buffer)
 return buffer->end - buffer->offset;
 }
-/* Returns the maximum number of bytes of data that may be in the buffer. */
-u_int
-buffer_get_max_len(void)
-{
- return (BUFFER_MAX_LEN);
-}
-
 /* Gets data from the beginning of the buffer. */
 int
diff --git a/crypto/openssh/buffer.h b/crypto/openssh/buffer.h
index 39e04f9d3..7df8a38fa 100644
--- a/crypto/openssh/buffer.h
+++ b/crypto/openssh/buffer.h
@@ -1,5 +1,4 @@
 /* $OpenBSD: buffer.h,v 1.23 2014/01/12 08:13:13 djm Exp $ */
-/* $FreeBSD$ */
 /*
 * Author: Tatu Ylonen
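Review bot: The new `#define BUFFER_MAX_LEN 0xa00000` in buffer.c loses the size annotation that the replaced `0x4000000 /* 64MB */` line carried, and this constant is what bounds how large a Buffer may grow (the removed `buffer_get_max_len()` describes it as the maximum number of bytes of data that may be in the buffer), so the limit deserves to stay readable: `#define BUFFER_MAX_LEN 0xa00000 /* 10MB */`. Shrinking the cap from 64MB to 10MB is the intended effect of dropping the HPN large-window support, and the callers that consulted it through `buffer_get_max_len()` (`channel_tcpwinsz()` in channels.c and the `HPNBufferSize` clamp in readconf.c) are removed in the same commit, so no remaining caller appears to depend on the larger value.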
@@ -47,8 +46,6 @@ int buffer_get_ret(Buffer *, void *, u_int);
 int buffer_consume_ret(Buffer *, u_int);
 int buffer_consume_end_ret(Buffer *, u_int);
-u_int buffer_get_max_len(void);
-
 #include
 void buffer_put_bignum(Buffer *, const BIGNUM *);
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
index 20d2f7ea9..9efe89c9c 100644
--- a/crypto/openssh/channels.c
+++ b/crypto/openssh/channels.c
@@ -40,7 +40,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
 #include
@@ -174,11 +173,6 @@ static void port_open_helper(Channel *c, char *rtype);
 static int connect_next(struct channel_connect *);
 static void channel_connect_ctx_free(struct channel_connect *);
-/* -- HPN */
-
-static int hpn_disabled = 0;
-static u_int buffer_size = CHAN_HPN_MIN_WINDOW_DEFAULT;
-
 /* -- channel core */
 Channel *
@@ -325,7 +319,6 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
 c->self = found;
 c->type = type;
 c->ctype = ctype;
- c->dynamic_window = 0;
 c->local_window = window;
 c->local_window_max = window;
 c->local_consumed = 0;
@@ -826,45 +819,10 @@ channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
 FD_SET(c->sock, writeset);
 }
-static u_int
-channel_tcpwinsz(void)
-{
- u_int32_t tcpwinsz;
- socklen_t optsz;
- int ret, sd;
- u_int maxlen;
-
- /* If we are not on a socket return 128KB. */
- if (!packet_connection_is_on_socket())
- return (128 * 1024);
-
- tcpwinsz = 0;
- optsz = sizeof(tcpwinsz);
- sd = packet_get_connection_in();
- ret = getsockopt(sd, SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
-
- /* Return no more than the maximum buffer size. */
- maxlen = buffer_get_max_len();
- if ((ret == 0) && tcpwinsz > maxlen)
- tcpwinsz = maxlen;
- /* In case getsockopt() failed return a minimum. */
- if (tcpwinsz == 0)
- tcpwinsz = CHAN_TCP_WINDOW_DEFAULT;
- debug2("tcpwinsz: %d for connection: %d", tcpwinsz, sd);
- return (tcpwinsz);
-}
-
 static void
 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
 {
- u_int limit;
-
- /* Check buffer limits. */
- if (!c->tcpwinsz || c->dynamic_window > 0)
- c->tcpwinsz = channel_tcpwinsz();
-
- limit = MIN(compat20 ? c->remote_window : packet_get_maxsize(),
- 2 * c->tcpwinsz);
+ u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
 if (c->istate == CHAN_INPUT_OPEN && limit > 0 &&
@@ -1857,25 +1815,14 @@ channel_check_window(Channel *c)
 c->local_maxpacket*3) ||
 c->local_window < c->local_window_max/2) &&
 c->local_consumed > 0) {
- u_int addition = 0;
-
- /* Adjust max window size if we are in a dynamic environment. */
- if (c->dynamic_window && c->tcpwinsz > c->local_window_max) {
- /*
- * Grow the window somewhat aggressively to maintain
- * pressure.
- */
- addition = 1.5 * (c->tcpwinsz - c->local_window_max);
- c->local_window_max += addition;
- }
 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
 packet_put_int(c->remote_id);
- packet_put_int(c->local_consumed + addition);
+ packet_put_int(c->local_consumed);
 packet_send();
 debug2("channel %d: window %d sent adjust %d", c->self, c->local_window, c->local_consumed);
- c->local_window += c->local_consumed + addition;
+ c->local_window += c->local_consumed;
 c->local_consumed = 0;
 }
 return 1;
@@ -2739,14 +2686,6 @@ channel_set_af(int af)
 IPv4or6 = af;
 }
-void
-channel_set_hpn(int disabled, u_int buf_size)
-{
- hpn_disabled = disabled;
- buffer_size = buf_size;
- debug("HPN Disabled: %d, HPN Buffer Size: %d",
- hpn_disabled, buffer_size);
-}
 /*
 * Determine whether or not a port forward listens to loopback, the
@@ -2924,18 +2863,10 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
 *allocated_listen_port);
 }
- /*
- * Allocate a channel number for the socket. Explicitly test
- * for hpn disabled option. If true use smaller window size.
- */
- if (hpn_disabled)
- c = channel_new("port listener", type, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "port listener", 1);
- else
- c = channel_new("port listener", type, sock, sock, -1,
- buffer_size, CHAN_TCP_PACKET_DEFAULT,
- 0, "port listener", 1);
+ /* Allocate a channel number for the socket. */
+ c = channel_new("port listener", type, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1);
 c->path = xstrdup(host);
 c->host_port = port_to_connect;
 c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
@@ -3583,16 +3514,10 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
 *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
 for (n = 0; n < num_socks; n++) {
 sock = socks[n];
- if (hpn_disabled)
- nc = channel_new("x11 listener",
- SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, "X11 inet listener", 1);
- else
- nc = channel_new("x11 listener",
- SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- buffer_size, CHAN_X11_PACKET_DEFAULT,
- 0, "X11 inet listener", 1);
+ nc = channel_new("x11 listener",
+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+ 0, "X11 inet listener", 1);
 nc->single_connection = single_connection;
 (*chanids)[n] = nc->self;
 }
diff --git a/crypto/openssh/channels.h b/crypto/openssh/channels.h
index 68ebf098b..4fab9d7c4 100644
--- a/crypto/openssh/channels.h
+++ b/crypto/openssh/channels.h
@@ -1,5 +1,4 @@
 /* $OpenBSD: channels.h,v 1.113 2013/06/07 15:37:52 dtucker Exp $ */
-/* $FreeBSD$ */
 /*
 * Author: Tatu Ylonen
@@ -133,8 +132,6 @@ struct Channel {
 u_int local_window_max;
 u_int local_consumed;
 u_int local_maxpacket;
- u_int tcpwinsz;
- int dynamic_window;
 int extended_usage;
 int single_connection;
@@ -176,7 +173,6 @@ struct Channel {
 #define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
 #define CHAN_X11_PACKET_DEFAULT (16*1024)
 #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
-#define CHAN_HPN_MIN_WINDOW_DEFAULT (2*1024*1024)
 /* possible input states */
 #define CHAN_INPUT_OPEN 0
@@ -310,8 +306,4 @@ void chan_rcvd_ieof(Channel *);
 void chan_write_failed(Channel *);
 void chan_obuf_empty(Channel *);
-/* hpn handler */
-
-void channel_set_hpn(int, u_int);
-
 #endif
diff --git a/crypto/openssh/cipher.c b/crypto/openssh/cipher.c
index 532b31acf..53d9b4fb7 100644
--- a/crypto/openssh/cipher.c
+++ b/crypto/openssh/cipher.c
@@ -36,7 +36,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
@@ -225,12 +224,7 @@ ciphers_valid(const char *names)
 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
 (p = strsep(&cp, CIPHER_SEP))) {
 c = cipher_by_name(p);
-#ifdef NONE_CIPHER_ENABLED
- if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
- c->number != SSH_CIPHER_NONE)) {
-#else
- if (c == NULL || (c->number != SSH_CIPHER_SSH2)) {
-#endif
+ if (c == NULL || c->number != SSH_CIPHER_SSH2) {
 debug("bad cipher %s [%s]", p, names);
 free(cipher_list);
 return 0;
@@ -485,9 +479,6 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
 }
 switch (c->number) {
-#ifdef NONE_CIPHER_ENABLED
- case SSH_CIPHER_NONE:
-#endif
 case SSH_CIPHER_SSH2:
 case SSH_CIPHER_DES:
 case SSH_CIPHER_BLOWFISH:
@@ -527,9 +518,6 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
 return;
 switch (c->number) {
-#ifdef NONE_CIPHER_ENABLED
- case SSH_CIPHER_NONE:
-#endif
 case SSH_CIPHER_SSH2:
 case SSH_CIPHER_DES:
 case SSH_CIPHER_BLOWFISH:
diff --git a/crypto/openssh/clientloop.c b/crypto/openssh/clientloop.c
index d9debd2c4..59ad3a2c3 100644
--- a/crypto/openssh/clientloop.c
+++ b/crypto/openssh/clientloop.c
@@ -60,7 +60,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
 #include
@@ -1892,14 +1891,9 @@ client_request_x11(const char *request_type, int rchan)
 sock = x11_connect_display();
 if (sock < 0)
 return NULL;
- if (options.hpn_disabled)
- c = channel_new("x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, "x11", 1);
- else
- c = channel_new("x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
- 0, "x11", 1);
+ c = channel_new("x11",
+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 c->force_drain = 1;
 return c;
 }
@@ -1919,16 +1913,10 @@ client_request_agent(const char *request_type, int rchan)
 sock = ssh_get_authentication_socket();
 if (sock < 0)
 return NULL;
- if (options.hpn_disabled)
- c = channel_new("authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
- "authentication agent connection", 1);
- else
- c = channel_new("authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
- options.hpn_buffer_size, options.hpn_buffer_size, 0,
- "authentication agent connection", 1);
+ c = channel_new("authentication agent connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+ "authentication agent connection", 1);
 c->force_drain = 1;
 return c;
 }
@@ -1955,14 +1943,8 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
 return -1;
 }
- if (options.hpn_disabled)
- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "tun", 1);
- else
- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
- 0, "tun", 1);
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 c->datagram = 1;
 #if defined(SSH_TUN_FILTER)
diff --git a/crypto/openssh/compat.c b/crypto/openssh/compat.c
index ba8856b0e..2709dc5cf 100644
--- a/crypto/openssh/compat.c
+++ b/crypto/openssh/compat.c
@@ -24,7 +24,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
@@ -178,16 +177,6 @@ compat_datafellows(const char *version)
 datafellows = check[i].bugs;
 debug("match: %s pat %s compat 0x%08x",
 version, check[i].pat, datafellows);
- /*
- * Check to see if the remote side is OpenSSH and not
- * HPN. It is utterly strange to check it from the
- * version string and expose the option that way.
- */
- if (strstr(version,"OpenSSH") != NULL &&
- strstr(version,"hpn") == NULL) {
- datafellows |= SSH_BUG_LARGEWINDOW;
- debug("Remote is not HPN-aware");
- }
 return;
 }
 }
diff --git a/crypto/openssh/compat.h b/crypto/openssh/compat.h
index 4af221f24..a6c3f3d7a 100644
--- a/crypto/openssh/compat.h
+++ b/crypto/openssh/compat.h
@@ -1,5 +1,4 @@
 /* $OpenBSD: compat.h,v 1.44 2013/12/30 23:52:27 djm Exp $ */
-/* $FreeBSD$ */
 /*
 * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
@@ -62,8 +61,6 @@
 #define SSH_BUG_DYNAMIC_RPORT 0x08000000
 #define SSH_BUG_CURVE25519PAD 0x10000000
-#define SSH_BUG_LARGEWINDOW 0x80000000
-
 void enable_compat13(void);
 void enable_compat20(void);
 void compat_datafellows(const char *);
diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index 7c6ce08d8..aeec10fac 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -1,4 +1,5 @@
 # $Id: configure.ac,v 1.571 2014/02/21 17:09:34 tim Exp $
+# $FreeBSD$
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
diff --git a/crypto/openssh/digest-libc.c b/crypto/openssh/digest-libc.c
index c11dd0562..9377c774c 100644
--- a/crypto/openssh/digest-libc.c
+++ b/crypto/openssh/digest-libc.c
@@ -17,7 +17,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
 #include
diff --git a/crypto/openssh/freebsd-post-merge.sh b/crypto/openssh/freebsd-post-merge.sh
index af86b9d61..b9e4cbddc 100755
--- a/crypto/openssh/freebsd-post-merge.sh
+++ b/crypto/openssh/freebsd-post-merge.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: stable/10/crypto/openssh/freebsd-post-merge.sh 263691 2014-03-24 19:15:13Z des $
+# $FreeBSD$
 #
 xargs perl -n -i -e '
diff --git a/crypto/openssh/freebsd-pre-merge.sh b/crypto/openssh/freebsd-pre-merge.sh
index 82ddc4d9a..473474c2c 100755
--- a/crypto/openssh/freebsd-pre-merge.sh
+++ b/crypto/openssh/freebsd-pre-merge.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: stable/10/crypto/openssh/freebsd-pre-merge.sh 263691 2014-03-24 19:15:13Z des $
+# $FreeBSD$
 #
 :>keywords
diff --git a/crypto/openssh/kex.c b/crypto/openssh/kex.c
index 2536ada96..74e2b8682 100644
--- a/crypto/openssh/kex.c
+++ b/crypto/openssh/kex.c
@@ -24,7 +24,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
@@ -146,13 +145,8 @@ kex_names_valid(const char *names)
 return 1;
 }
-/* put algorithm proposal into buffer. */
-#ifndef NONE_CIPHER_ENABLED
+/* put algorithm proposal into buffer */
 static void
-#else
-/* Also used in sshconnect2.c. */
-void
-#endif
 kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
 {
 u_int i;
@@ -466,9 +460,6 @@ kex_choose_conf(Kex *kex)
 int nenc, nmac, ncomp;
 u_int mode, ctos, need, dh_need, authlen;
 int first_kex_follows, type;
-#ifdef NONE_CIPHER_ENABLED
- int auth_flag;
-#endif
 my = kex_buf2prop(&kex->my, NULL);
 peer = kex_buf2prop(&kex->peer, &first_kex_follows);
@@ -492,10 +483,6 @@ kex_choose_conf(Kex *kex)
 }
 /* Algorithm Negotiation */
-#ifdef NONE_CIPHER_ENABLED
- auth_flag = packet_get_authentication_state();
- debug ("AUTH STATE is %d", auth_flag);
-#endif
 for (mode = 0; mode < MODE_MAX; mode++) {
 newkeys = xcalloc(1, sizeof(*newkeys));
 kex->newkeys[mode] = newkeys;
@@ -510,17 +497,6 @@ kex_choose_conf(Kex *kex)
 if (authlen == 0)
 choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
 choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
-#ifdef NONE_CIPHER_ENABLED
- debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
- if (strcmp(newkeys->enc.name, "none") == 0) {
- debug("Requesting NONE. Authflag is %d", auth_flag);
- if (auth_flag == 1)
- debug("None requested post authentication.");
- else
- fatal("Pre-authentication none cipher requests "
- "are not allowed.");
- }
-#endif
 debug("kex: %s %s %s %s",
 ctos ? "client->server" : "server->client",
 newkeys->enc.name,
diff --git a/crypto/openssh/kex.h b/crypto/openssh/kex.h
index 0d5c3627d..c85680eea 100644
--- a/crypto/openssh/kex.h
+++ b/crypto/openssh/kex.h
@@ -1,5 +1,4 @@
 /* $OpenBSD: kex.h,v 1.62 2014/01/27 18:58:14 markus Exp $ */
-/* $FreeBSD$ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -149,10 +148,6 @@ struct Kex {
 int kex_names_valid(const char *);
 char *kex_alg_list(char);
-#ifdef NONE_CIPHER_ENABLED
-void kex_prop2buf(Buffer *, char *[PROPOSAL_MAX]);
-#endif
-
 Kex *kex_setup(char *[PROPOSAL_MAX]);
 void kex_finish(Kex *);
diff --git a/crypto/openssh/misc.c b/crypto/openssh/misc.c
index 4b9e930a7..e4c8c3238 100644
--- a/crypto/openssh/misc.c
+++ b/crypto/openssh/misc.c
@@ -25,7 +25,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
 #include
@@ -1037,34 +1036,3 @@ sock_set_v6only(int s)
 error("setsockopt IPV6_V6ONLY: %s", strerror(errno));
 #endif
 }
-
-void
-sock_get_rcvbuf(int *size, int rcvbuf)
-{
- int sock, socksize;
- socklen_t socksizelen = sizeof(socksize);
-
- /*
- * Create a socket but do not connect it. We use it
- * only to get the rcv socket size.
- */
- sock = socket(AF_INET6, SOCK_STREAM, 0);
- if (sock < 0)
- sock = socket(AF_INET, SOCK_STREAM, 0);
- if (sock < 0)
- return;
-
- /*
- * If the tcp_rcv_buf option is set and passed in, attempt to set the
- * buffer size to its value.
- */
- if (rcvbuf)
- setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (void *)&rcvbuf,
- sizeof(rcvbuf));
-
- if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
- &socksize, &socksizelen) == 0)
- if (size != NULL)
- *size = socksize;
- close(sock);
-}
diff --git a/crypto/openssh/misc.h b/crypto/openssh/misc.h
index ce4d78c13..d4df619cd 100644
--- a/crypto/openssh/misc.h
+++ b/crypto/openssh/misc.h
@@ -1,5 +1,4 @@
 /* $OpenBSD: misc.h,v 1.50 2013/10/14 23:28:23 djm Exp $ */
-/* $FreeBSD$ */
 /*
 * Author: Tatu Ylonen
@@ -40,7 +39,6 @@ time_t monotime(void);
 void lowercase(char *s);
 void sock_set_v6only(int);
-void sock_get_rcvbuf(int *, int);
 struct passwd *pwcopy(struct passwd *);
 const char *ssh_gai_strerror(int);
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
index 80e762cef..af63490cf 100644
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -26,7 +26,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
 #include
diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c
index 0d3b7c588..b2bc8dd64 100644
--- a/crypto/openssh/monitor_wrap.c
+++ b/crypto/openssh/monitor_wrap.c
@@ -26,7 +26,6 @@
 */
 #include "includes.h"
-__RCSID("$FreeBSD$");
 #include
 #include
diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h
index db25064be..89479e6ef 100644
--- a/crypto/openssh/myproposal.h
+++ b/crypto/openssh/myproposal.h
@@ -110,10 +110,6 @@
 "chacha20-poly1305@openssh.com," \
 "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
 "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
-#ifdef NONE_CIPHER_ENABLED
-#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \
- ",none"
-#endif
 #define KEX_DEFAULT_MAC \
 "hmac-md5-etm@openssh.com," \
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
index a4642371b..ff70e60e0 100644
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -202,9 +202,6 @@ struct session_state {
 };
 static struct session_state *active_state, *backup_state;
-#ifdef NONE_CIPHER_ENABLED
-static int rekey_requested = 0;
-#endif
 static struct session_state *
 alloc_session_state(void)
@@ -1316,7 +1313,6 @@ packet_read_poll2(u_int32_t *seqnr_p)
 buffer_ptr(&active_state->input), block_size, 0, 0) != 0)
 fatal("Decryption integrity check failed");
 cp = buffer_ptr(&active_state->incoming_packet);
- active_state->packlen = get_u32(cp);
 if (active_state->packlen < 1 + 4 ||
 active_state->packlen > PACKET_MAX_SIZE) {
@@ -1943,26 +1939,12 @@ packet_send_ignore(int nbytes)
 }
 }
-#ifdef NONE_CIPHER_ENABLED
-void
-packet_request_rekeying(void)
-{
- rekey_requested = 1;
-}
-#endif
-
 #define MAX_PACKETS (1U<<31)
 int
 packet_need_rekeying(void)
 {
 if (datafellows & SSH_BUG_NOREKEY)
 return 0;
-#ifdef NONE_CIPHER_ENABLED
- if (rekey_requested == 1) {
- rekey_requested = 0;
- return 1;
- }
-#endif
 return
 (active_state->p_send.packets > MAX_PACKETS) ||
 (active_state->p_read.packets > MAX_PACKETS) ||
@@ -2074,11 +2056,3 @@ packet_restore_state(void)
 add_recv_bytes(len);
 }
 }
-
-#ifdef NONE_CIPHER_ENABLED
-int
-packet_get_authentication_state(void)
-{
- return (active_state->after_authentication);
-}
-#endif
diff --git a/crypto/openssh/packet.h b/crypto/openssh/packet.h
index 524b920d5..f8edf851c 100644
--- a/crypto/openssh/packet.h
+++ b/crypto/openssh/packet.h
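Review bot: The removed `active_state->packlen = get_u32(cp);` in packet_read_poll2 sits directly between `cp = buffer_ptr(&active_state->incoming_packet);` and the `if (active_state->packlen < 1 + 4 || ...)` bounds check, so one assignment must remain there for the check to see the length decoded from the freshly decrypted first block. The hunk header `@@ -1316,7 +1313,6 @@` counts seven old lines while only six are shown, which suggests the HPN patch had duplicated this statement and the surviving copy was lost as a context line in rendering; please confirm that, because if the assignment is gone entirely the check runs on a stale `packlen` and the decrypted length is never consumed. packet_read_poll2 starts and ends outside the hunk.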
@@ -1,5 +1,4 @@
 /* $OpenBSD: packet.h,v 1.59 2013/07/12 00:19:59 djm Exp $ */
-/* $FreeBSD$ */
 /*
 * Author: Tatu Ylonen
@@ -39,9 +38,6 @@ void packet_set_interactive(int, int, int);
 int packet_is_interactive(void);
 void packet_set_server(void);
 void packet_set_authenticated(void);
-#ifdef NONE_CIPHER_ENABLED
-int packet_get_authentication_state(void);
-#endif
 void packet_start(u_char);
 void packet_put_char(int ch);
@@ -119,9 +115,6 @@ do { \
 } while (0)
 int packet_need_rekeying(void);
-#ifdef NONE_CIPHER_ENABLED
-void packet_request_rekeying(void);
-#endif
 void packet_set_rekey_limits(u_int32_t, time_t);
 time_t packet_get_rekey_timeout(void);
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index a9a1bcfaf..df8387ce2 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -152,12 +152,8 @@ typedef enum {
 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
 oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
 oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
- oIgnoredUnknownOption,
- oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
-#ifdef NONE_CIPHER_ENABLED
- oNoneEnabled, oNoneSwitch,
-#endif
- oVersionAddendum, oDeprecated, oUnsupported
+ oVersionAddendum,
+ oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 /* Textual representations of the tokens. */
@@ -270,14 +266,10 @@ static struct {
 { "canonicalizemaxdots", oCanonicalizeMaxDots },
 { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
 { "ignoreunknown", oIgnoreUnknown },
- { "hpndisabled", oHPNDisabled },
- { "hpnbuffersize", oHPNBufferSize },
- { "tcprcvbufpoll", oTcpRcvBufPoll },
- { "tcprcvbuf", oTcpRcvBuf },
-#ifdef NONE_CIPHER_ENABLED
- { "noneenabled", oNoneEnabled },
- { "noneswitch", oNoneSwitch },
-#endif
+ { "hpndisabled", oDeprecated },
+ { "hpnbuffersize", oDeprecated },
+ { "tcprcvbufpoll", oDeprecated },
+ { "tcprcvbuf", oDeprecated },
 { "versionaddendum", oVersionAddendum },
 { NULL, oBadOption }
@@ -1359,47 +1351,6 @@ process_config_line(Options *options, struct passwd *pw, const char *host,
 multistate_ptr = multistate_requesttty;
 goto parse_multistate;
- case oHPNDisabled:
- intptr = &options->hpn_disabled;
- goto parse_flag;
-
- case oHPNBufferSize:
- intptr = &options->hpn_buffer_size;
- goto parse_int;
-
- case oTcpRcvBufPoll:
- intptr = &options->tcp_rcv_buf_poll;
- goto parse_flag;
-
- case oTcpRcvBuf:
- intptr = &options->tcp_rcv_buf;
- goto parse_int;
-
-#ifdef NONE_CIPHER_ENABLED
- case oNoneEnabled:
- intptr = &options->none_enabled;
- goto parse_flag;
-
- /*
- * We check to see if the command comes from the command line or not.
- * If it does then enable it otherwise fail. NONE must never be a
- * default configuration.
- */
- case oNoneSwitch:
- if (strcmp(filename,"command-line") == 0) {
- intptr = &options->none_switch;
- goto parse_flag;
- } else {
- debug("NoneSwitch directive found in %.200s.",
- filename);
- error("NoneSwitch is found in %.200s.\n"
- "You may only use this configuration option "
- "from the command line", filename);
- error("Continuing...");
- return 0;
- }
-#endif
-
 case oVersionAddendum:
 if (s == NULL)
 fatal("%.200s line %d: Missing argument.", filename,
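Review bot: The keyword table keeps `hpndisabled`, `hpnbuffersize`, `tcprcvbufpoll` and `tcprcvbuf` alive as `oDeprecated` so existing ssh_config files still parse, but the `noneenabled` and `noneswitch` entries are dropped outright, so a client config or `-o` argument written for a WITH_OPENSSH_NONE_CIPHER build now falls through to `oBadOption` and is treated as an unknown directive rather than a deprecated one. For consistency with the four HPN entries, add `{ "noneenabled", oDeprecated },` and `{ "noneswitch", oDeprecated },` next to them. The server-side keyword table in servconf.c is not in this hunk and presumably wants the same treatment; process_config_line, where the matching `case` labels are removed in the second hunk, starts and ends outside that hunk.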
@@ -1655,14 +1606,6 @@ initialize_options(Options * options) options->canonicalize_fallback_local = -1; options->canonicalize_hostname = -1; options->version_addendum = NULL; - options->hpn_disabled = -1; - options->hpn_buffer_size = -1; - options->tcp_rcv_buf_poll = -1; - options->tcp_rcv_buf = -1; -#ifdef NONE_CIPHER_ENABLED - options->none_enabled = -1; - options->none_switch = -1; -#endif } /* @@ -1857,36 +1800,6 @@ fill_default_options(Options * options) /* options->preferred_authentications will be set in ssh */ if (options->version_addendum == NULL) options->version_addendum = xstrdup(SSH_VERSION_FREEBSD); - if (options->hpn_disabled == -1) - options->hpn_disabled = 0; - if (options->hpn_buffer_size > -1) - { - u_int maxlen; - - /* If a user tries to set the size to 0 set it to 1KB. */ - if (options->hpn_buffer_size == 0) - options->hpn_buffer_size = 1024; - /* Limit the buffer to BUFFER_MAX_LEN. */ - maxlen = buffer_get_max_len(); - if (options->hpn_buffer_size > (maxlen / 1024)) { - debug("User requested buffer larger than %ub: %ub. " - "Request reverted to %ub", maxlen, - options->hpn_buffer_size * 1024, maxlen); - options->hpn_buffer_size = maxlen; - } - debug("hpn_buffer_size set to %d", options->hpn_buffer_size); - } - if (options->tcp_rcv_buf == 0) - options->tcp_rcv_buf = 1; - if (options->tcp_rcv_buf > -1) - options->tcp_rcv_buf *= 1024; - if (options->tcp_rcv_buf_poll == -1) - options->tcp_rcv_buf_poll = 1; -#ifdef NONE_CIPHER_ENABLED - /* options->none_enabled must not be set by default */ - if (options->none_switch == -1) - options->none_switch = 0; -#endif } /* diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h index 17a600374..8ce8fecd2 100644 --- a/crypto/openssh/readconf.h +++ b/crypto/openssh/readconf.h 
@@ -154,21 +154,9 @@ typedef struct { int num_permitted_cnames; struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS]; - char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ - char *version_addendum; /* Appended to SSH banner */ - int hpn_disabled; /* Switch to disable HPN buffer management. */ - int hpn_buffer_size; /* User definable size for HPN buffer - * window. */ - int tcp_rcv_buf_poll; /* Option to poll recv buf every window - * transfer. */ - int tcp_rcv_buf; /* User switch to set tcp recv buffer. */ - -#ifdef NONE_CIPHER_ENABLED - int none_enabled; /* Allow none to be used */ - int none_switch; /* Use none cipher */ -#endif + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; #define SSH_CANONICALISE_NO 0 diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c index 3638710e2..61fe7a91c 100644 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c @@ -155,12 +155,6 @@ initialize_server_options(ServerOptions *options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; - options->hpn_disabled = -1; - options->hpn_buffer_size = -1; - options->tcp_rcv_buf_poll = -1; -#ifdef NONE_CIPHER_ENABLED - options->none_enabled = -1; -#endif } void 
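Review bot: As rendered, this hunk deletes `char *version_addendum; /* Appended to SSH banner */` from Options and re-adds only `ignored_unknown`, yet the new side of readconf.c (`options->version_addendum = NULL;` in initialize_options and the xstrdup in fill_default_options at L21), the `-V` handling in ssh.c (L27) and send_client_banner in sshconnect.c (L41) still dereference `options.version_addendum`. Unless the member is declared elsewhere in the struct, which I cannot see from here since the `typedef struct {` opens outside the hunk, the client will not compile; the line should stay, `char *version_addendum; /* Appended to SSH banner */`. If the addition is merely missing from this rendering of the diff, disregard this note.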
@@ -321,38 +315,6 @@ fill_default_server_options(ServerOptions *options) } #endif - if (options->hpn_disabled == -1) - options->hpn_disabled = 0; - if (options->hpn_buffer_size == -1) { - /* - * HPN buffer size option not explicitly set. Try to figure - * out what value to use or resort to default. - */ - options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; - if (!options->hpn_disabled) { - sock_get_rcvbuf(&options->hpn_buffer_size, 0); - debug ("HPN Buffer Size: %d", options->hpn_buffer_size); - } - } else { - /* - * In the case that the user sets both values in a - * contradictory manner hpn_disabled overrrides hpn_buffer_size. - */ - if (options->hpn_disabled <= 0) { - u_int maxlen; - - maxlen = buffer_get_max_len(); - if (options->hpn_buffer_size == 0) - options->hpn_buffer_size = 1; - /* Limit the maximum buffer to BUFFER_MAX_LEN. */ - if (options->hpn_buffer_size > maxlen / 1024) - options->hpn_buffer_size = maxlen; - else - options->hpn_buffer_size *= 1024; - } else { - options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; - } - } } /* Keyword tokens. */ @@ -388,10 +350,6 @@ typedef enum { sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent, - sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll, -#ifdef NONE_CIPHER_ENABLED - sNoneEnabled, -#endif sDeprecated, sUnsupported } ServerOpCodes; 
@@ -518,12 +476,10 @@ static struct { { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, - { "hpndisabled", sHPNDisabled, SSHCFG_ALL }, - { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL }, - { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL }, -#ifdef NONE_CIPHER_ENABLED - { "noneenabled", sNoneEnabled, SSHCFG_ALL }, -#endif + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, + { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -1670,24 +1626,6 @@ process_server_config_line(ServerOptions *options, char *line, } return 0; - case sHPNDisabled: - intptr = &options->hpn_disabled; - goto parse_flag; - - case sHPNBufferSize: - intptr = &options->hpn_buffer_size; - goto parse_int; - - case sTcpRcvBufPoll: - intptr = &options->tcp_rcv_buf_poll; - goto parse_flag; - -#ifdef NONE_CIPHER_ENABLED - case sNoneEnabled: - intptr = &options->none_enabled; - goto parse_flag; -#endif - case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h index 36d9966fc..752d1c5ae 100644 --- a/crypto/openssh/servconf.h +++ b/crypto/openssh/servconf.h @@ -1,5 +1,4 @@ /* $OpenBSD: servconf.h,v 1.112 2014/01/29 06:18:35 djm Exp $ */ -/* $FreeBSD$ */ /* * Author: Tatu Ylonen 
@@ -182,16 +181,8 @@ typedef struct { char *version_addendum; /* Appended to SSH banner */ - int hpn_disabled; /* Disable HPN functionality. */ - int hpn_buffer_size; /* Set HPN buffer size - default 2MB.*/ - int tcp_rcv_buf_poll; /* Poll TCP rcv window in autotuning - * kernels. */ u_int num_auth_methods; char *auth_methods[MAX_AUTH_METHODS]; - -#ifdef NONE_CIPHER_ENABLED - int none_enabled; /* Enable NONE cipher switch. */ -#endif } ServerOptions; /* Information about the incoming connection as used by Match */ diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c index addecaedb..2f8e3a06a 100644 --- a/crypto/openssh/serverloop.c +++ b/crypto/openssh/serverloop.c @@ -36,7 +36,6 @@ */ #include "includes.h" -__RCSID("$FreeBSD$"); #include #include @@ -1016,14 +1015,8 @@ server_request_tun(void) sock = tun_open(tun, mode); if (sock < 0) goto done; - if (options.hpn_disabled) - c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, - CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, - "tun", 1); - else - c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, - options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, - "tun", 1); + c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); c->datagram = 1; #if defined(SSH_TUN_FILTER) if (mode == SSH_TUNMODE_POINTOPOINT) @@ -1059,8 +1052,6 @@ server_request_session(void) c = channel_new("session", SSH_CHANNEL_LARVAL, -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, 0, "server-session", 1); - if (!options.hpn_disabled && options.tcp_rcv_buf_poll) - c->dynamic_window = 1; if (session_open(the_authctxt, c->self) != 1) { debug("session open failed, free channel %d", c->self); channel_free(c); diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c index 430fc1e02..1de0c607a 100644 --- a/crypto/openssh/session.c +++ b/crypto/openssh/session.c 
@@ -237,10 +237,7 @@ auth_input_request_forwarding(struct passwd * pw) goto authsock_err; } - /* - * Allocate a channel for the authentication agent socket. - * Ignore HPN on that one given no improvement expected. - */ + /* Allocate a channel for the authentication agent socket. */ nc = channel_new("auth socket", SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, @@ -2346,14 +2343,10 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr, */ if (s->chanid == -1) fatal("no channel for session %d", s->self); - if (options.hpn_disabled) - channel_set_fds(s->chanid, fdout, fdin, fderr, - ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, - 1, is_tty, CHAN_SES_WINDOW_DEFAULT); - else - channel_set_fds(s->chanid, fdout, fdin, fderr, - ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, - 1, is_tty, options.hpn_buffer_size); + channel_set_fds(s->chanid, + fdout, fdin, fderr, + ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, + 1, is_tty, CHAN_SES_WINDOW_DEFAULT); } /* diff --git a/crypto/openssh/sftp.1 b/crypto/openssh/sftp.1 index 7c01250b6..a700c2adb 100644 --- a/crypto/openssh/sftp.1 +++ b/crypto/openssh/sftp.1 @@ -1,5 +1,4 @@ .\" $OpenBSD: sftp.1,v 1.97 2013/10/20 09:51:26 djm Exp $ -.\" $FreeBSD$ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -262,8 +261,7 @@ diagnostic messages from Specify how many requests may be outstanding at any one time. Increasing this may slightly improve file transfer speed but will increase memory usage. -The default is 256 outstanding requests providing for 8MB -of outstanding data with a 32KB buffer. +The default is 64 outstanding requests. .It Fl r Recursively copy entire directories when uploading and downloading. Note that diff --git a/crypto/openssh/sftp.c b/crypto/openssh/sftp.c index 3f0a88d64..ad1f8c84d 100644 --- a/crypto/openssh/sftp.c +++ b/crypto/openssh/sftp.c 
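Review bot: In session_set_fds the replacement call is wrapped as `channel_set_fds(s->chanid,` / `fdout, fdin, fderr,` / `ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,`, which differs from the layout of both removed branches, where `channel_set_fds(s->chanid, fdout, fdin, fderr,` was one line. Keeping the first line as the removed code had it is presumably closer to the upstream text and avoids a purely cosmetic divergence in a commit whose point is to drop local changes. session_set_fds starts outside the hunk.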
@@ -16,7 +16,6 @@ */ #include "includes.h" -__RCSID("$FreeBSD$"); #include #include @@ -69,7 +68,7 @@ typedef void EditLine; #include "sftp-client.h" #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */ -#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */ +#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */ /* File to read commands from */ FILE* infile; diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1 index 2a1c58e6c..90b8fe52c 100644 --- a/crypto/openssh/ssh-agent.1 +++ b/crypto/openssh/ssh-agent.1 @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 7, 2013 +.Dd $Mdocdate: December 7 2013 $ .Dt SSH-AGENT 1 .Os .Sh NAME diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c index c9433a8ac..eaeb5c772 100644 --- a/crypto/openssh/ssh.c +++ b/crypto/openssh/ssh.c @@ -633,13 +633,11 @@ main(int ac, char **av) case 'V': if (options.version_addendum && *options.version_addendum != '\0') - fprintf(stderr, "%s%s %s, %s\n", SSH_RELEASE, - options.hpn_disabled ? "" : SSH_VERSION_HPN, + fprintf(stderr, "%s %s, %s\n", SSH_RELEASE, options.version_addendum, SSLeay_version(SSLEAY_VERSION)); else - fprintf(stderr, "%s%s, %s\n", SSH_RELEASE, - options.hpn_disabled ? "" : SSH_VERSION_HPN, + fprintf(stderr, "%s, %s\n", SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); if (opt == 'V') exit(0); @@ -782,15 +780,6 @@ main(int ac, char **av) break; case 'T': options.request_tty = REQUEST_TTY_NO; -#ifdef NONE_CIPHER_ENABLED - /* - * Ensure that the user does not try to backdoor a - * NONE cipher switch on an interactive session by - * explicitly disabling it if the user asks for a - * session without a tty. - */ - options.none_switch = 0; -#endif break; case 'o': line = xstrdup(optarg); 
@@ -1666,46 +1655,9 @@ ssh_session2_open(void) if (!isatty(err)) set_nonblock(err); - /* - * We need to check to see what to do about buffer sizes here. - * - In an HPN to non-HPN connection we want to limit the window size to - * something reasonable in case the far side has the large window bug. - * - In an HPN to HPN connection we want to use the max window size but - * allow the user to override it. - * - Lastly if HPN is disabled then use the ssh standard window size. - * - * We cannot just do a getsockopt() here and set the ssh window to that - * as in case of autotuning of socket buffers the window would get stuck - * at the initial buffer size, generally less than 96k. Therefore we - * need to set the maximum ssh window size to the maximum HPN buffer - * size unless the user has set TcpRcvBufPoll to no. In that case we - * can just set the window to the minimum of HPN buffer size and TCP - * receive buffer size. - */ - if (tty_flag) - options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; - else - options.hpn_buffer_size = CHAN_HPN_MIN_WINDOW_DEFAULT; - - if (datafellows & SSH_BUG_LARGEWINDOW) { - debug("HPN to Non-HPN Connection"); - } else if (options.tcp_rcv_buf_poll <= 0) { - sock_get_rcvbuf(&options.hpn_buffer_size, 0); - debug("HPNBufferSize set to TCP RWIN: %d", - options.hpn_buffer_size); - } else if (options.tcp_rcv_buf > 0) { - sock_get_rcvbuf(&options.hpn_buffer_size, - options.tcp_rcv_buf); - debug("HPNBufferSize set to user TCPRcvBuf: %d", - options.hpn_buffer_size); - } - debug("Final hpn_buffer_size = %d", options.hpn_buffer_size); - channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); - window = options.hpn_buffer_size; - + window = CHAN_SES_WINDOW_DEFAULT; packetmax = CHAN_SES_PACKET_DEFAULT; if (tty_flag) { - window = CHAN_SES_WINDOW_DEFAULT; window >>= 1; packetmax >>= 1; } 
@@ -1713,10 +1665,6 @@ ssh_session2_open(void) "session", SSH_CHANNEL_OPENING, in, out, err, window, packetmax, CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); - if (!options.hpn_disabled && options.tcp_rcv_buf_poll > 0) { - c->dynamic_window = 1; - debug("Enabled Dynamic Window Scaling\n"); - } debug3("ssh_session2_open: channel_new: %d", c->self); diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config index 056a17e50..459f4efd5 100644 --- a/crypto/openssh/ssh_config +++ b/crypto/openssh/ssh_config @@ -1,4 +1,5 @@ # $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ +# $FreeBSD$ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -47,4 +48,4 @@ # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h # VerifyHostKeyDNS yes -# VersionAddendum FreeBSD-20140420 +# VersionAddendum FreeBSD-20160124 diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5 index adf0d2f50..fec66d2f6 100644 --- a/crypto/openssh/ssh_config.5 +++ b/crypto/openssh/ssh_config.5 @@ -1423,7 +1423,7 @@ See also VERIFYING HOST KEYS in Specifies a string to append to the regular version string to identify OS- or site-specific modifications. The default is -.Dq FreeBSD-20140420 . +.Dq FreeBSD-20160124 . The value .Dq none may be used to disable this. diff --git a/crypto/openssh/ssh_namespace.h b/crypto/openssh/ssh_namespace.h index ce1b1a705..8b5e416af 100644 --- a/crypto/openssh/ssh_namespace.h +++ b/crypto/openssh/ssh_namespace.h @@ -7,7 +7,11 @@ * * A list of symbols which need munging is obtained as follows: * - * nm libssh.a | awk '/[0-9a-z] [A-Z] / && $3 !~ /^ssh_/ { printf("#define %-39s ssh_%s\n", $3, $3) }' | unexpand -a | sort -u + # nm libprivatessh.a | LC_ALL=C awk ' + /^[0-9a-z]+ [Tt] [A-Za-z_][0-9A-Za-z_]*$/ && $3 !~ /^ssh_/ { + printf("#define %-39s ssh_%s\n", $3, $3) + }' | unexpand -a | LC_ALL=C sort -u + * * $FreeBSD$ */ 
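Review bot: The regenerated symbol list now filters nm output on `[Tt]`, so global data objects are no longer munged — for example `compat13`, `compat20`, `datafellows`, `digests` and `dispatch` are dropped in the later hunks (L33, L34) and presumably now leave libprivatessh under their bare names; if that is intended, the comment above the command should say so, e.g. `* Only text symbols are renamed; exported data objects keep their names.` Matching lowercase `t` also pulls in file-static functions, which appears to be where very generic entries such as `compare` (L33), `match` (L36), `mult` (L37), `poly64` (L38), `square` (L39) and `to_blob` (L40) come from; as macros they rewrite every identifier of that name in any file that includes this header, struct members and locals included, although statics need no renaming for namespace isolation. Unless the lowercase match is deliberate, restricting the pattern to `[T]` keeps the list to exported functions and drops those entries.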
@@ -20,9 +24,13 @@
 #define a2port ssh_a2port
 #define a2tun ssh_a2tun
 #define add_host_to_hostfile ssh_add_host_to_hostfile
+#define add_p1p1 ssh_add_p1p1
 #define addargs ssh_addargs
 #define addr_match_cidr_list ssh_addr_match_cidr_list
 #define addr_match_list ssh_addr_match_list
+#define addr_netmatch ssh_addr_netmatch
+#define addr_pton ssh_addr_pton
+#define addr_pton_cidr ssh_addr_pton_cidr
 #define ask_permission ssh_ask_permission
 #define atomicio ssh_atomicio
 #define atomicio6 ssh_atomicio6
@@ -31,7 +39,10 @@
 #define auth_request_forwarding ssh_auth_request_forwarding
 #define bandwidth_limit ssh_bandwidth_limit
 #define bandwidth_limit_init ssh_bandwidth_limit_init
+#define barrett_reduce ssh_barrett_reduce
+#define bcrypt_hash ssh_bcrypt_hash
 #define bcrypt_pbkdf ssh_bcrypt_pbkdf
+#define bf_ssh1_cipher ssh_bf_ssh1_cipher
 #define blf_cbc_decrypt ssh_blf_cbc_decrypt
 #define blf_cbc_encrypt ssh_blf_cbc_encrypt
 #define blf_dec ssh_blf_dec
@@ -70,7 +81,6 @@
 #define buffer_get_int64 ssh_buffer_get_int64
 #define buffer_get_int64_ret ssh_buffer_get_int64_ret
 #define buffer_get_int_ret ssh_buffer_get_int_ret
-#define buffer_get_max_len ssh_buffer_get_max_len
 #define buffer_get_ret ssh_buffer_get_ret
 #define buffer_get_short ssh_buffer_get_short
 #define buffer_get_short_ret ssh_buffer_get_short_ret
@@ -95,6 +105,7 @@
 #define buffer_put_short ssh_buffer_put_short
 #define buffer_put_string ssh_buffer_put_string
 #define buffer_uncompress ssh_buffer_uncompress
+#define cert_free ssh_cert_free
 #define chacha_encrypt_bytes ssh_chacha_encrypt_bytes
 #define chacha_ivsetup ssh_chacha_ivsetup
 #define chacha_keysetup ssh_chacha_keysetup
@@ -109,6 +120,10 @@
 #define chan_rcvd_ieof ssh_chan_rcvd_ieof
 #define chan_rcvd_oclose ssh_chan_rcvd_oclose
 #define chan_read_failed ssh_chan_read_failed
+#define chan_send_eof2 ssh_chan_send_eof2
+#define chan_send_oclose1 ssh_chan_send_oclose1
+#define chan_shutdown_read ssh_chan_shutdown_read
+#define chan_shutdown_write ssh_chan_shutdown_write
 #define chan_write_failed ssh_chan_write_failed
 #define channel_add_adm_permitted_opens ssh_channel_add_adm_permitted_opens
 #define channel_add_permitted_opens ssh_channel_add_permitted_opens
@@ -121,6 +136,7 @@
 #define channel_clear_permitted_opens ssh_channel_clear_permitted_opens
 #define channel_close_all ssh_channel_close_all
 #define channel_close_fd ssh_channel_close_fd
+#define channel_close_fds ssh_channel_close_fds
 #define channel_connect_by_listen_address ssh_channel_connect_by_listen_address
 #define channel_connect_stdio_fwd ssh_channel_connect_stdio_fwd
 #define channel_connect_to ssh_channel_connect_to
@@ -128,6 +144,8 @@
 #define channel_find_open ssh_channel_find_open
 #define channel_free ssh_channel_free
 #define channel_free_all ssh_channel_free_all
+#define channel_fwd_bind_addr ssh_channel_fwd_bind_addr
+#define channel_handler ssh_channel_handler
 #define channel_input_close ssh_channel_input_close
 #define channel_input_close_confirmation ssh_channel_input_close_confirmation
 #define channel_input_data ssh_channel_input_data
@@ -146,11 +164,28 @@
 #define channel_open_message ssh_channel_open_message
 #define channel_output_poll ssh_channel_output_poll
 #define channel_permit_all_opens ssh_channel_permit_all_opens
-#define channel_post ssh_channel_post
-#define channel_pre ssh_channel_pre
+#define channel_post_auth_listener ssh_channel_post_auth_listener
+#define channel_post_connecting ssh_channel_post_connecting
+#define channel_post_mux_client ssh_channel_post_mux_client
+#define channel_post_mux_listener ssh_channel_post_mux_listener
+#define channel_post_open ssh_channel_post_open
+#define channel_post_output_drain_13 ssh_channel_post_output_drain_13
+#define channel_post_port_listener ssh_channel_post_port_listener
+#define channel_post_x11_listener ssh_channel_post_x11_listener
+#define channel_pre_connecting ssh_channel_pre_connecting
+#define channel_pre_dynamic ssh_channel_pre_dynamic
+#define channel_pre_input_draining ssh_channel_pre_input_draining
+#define channel_pre_listener ssh_channel_pre_listener
+#define channel_pre_mux_client ssh_channel_pre_mux_client
+#define channel_pre_open ssh_channel_pre_open
+#define channel_pre_open_13 ssh_channel_pre_open_13
+#define channel_pre_output_draining ssh_channel_pre_output_draining
+#define channel_pre_x11_open ssh_channel_pre_x11_open
+#define channel_pre_x11_open_13 ssh_channel_pre_x11_open_13
 #define channel_prepare_select ssh_channel_prepare_select
 #define channel_print_adm_permitted_opens ssh_channel_print_adm_permitted_opens
 #define channel_register_cleanup ssh_channel_register_cleanup
+#define channel_register_fds ssh_channel_register_fds
 #define channel_register_filter ssh_channel_register_filter
 #define channel_register_open_confirm ssh_channel_register_open_confirm
 #define channel_register_status_confirm ssh_channel_register_status_confirm
@@ -161,14 +196,17 @@
 #define channel_send_window_changes ssh_channel_send_window_changes
 #define channel_set_af ssh_channel_set_af
 #define channel_set_fds ssh_channel_set_fds
-#define channel_set_hpn ssh_channel_set_hpn
+#define channel_setup_fwd_listener ssh_channel_setup_fwd_listener
 #define channel_setup_local_fwd_listener ssh_channel_setup_local_fwd_listener
 #define channel_setup_remote_fwd_listener ssh_channel_setup_remote_fwd_listener
 #define channel_still_open ssh_channel_still_open
 #define channel_stop_listening ssh_channel_stop_listening
 #define channel_update_permitted_opens ssh_channel_update_permitted_opens
+#define check_crc ssh_check_crc
+#define check_hostkeys_by_key_or_type ssh_check_hostkeys_by_key_or_type
 #define check_key_in_hostkeys ssh_check_key_in_hostkeys
 #define choose_dh ssh_choose_dh
+#define choose_t ssh_choose_t
 #define chop ssh_chop
 #define cipher_alg_list ssh_cipher_alg_list
 #define cipher_authlen ssh_cipher_authlen
@@ -198,16 +236,17 @@
 #define cleanup_exit ssh_cleanup_exit
 #define clear_cached_addr ssh_clear_cached_addr
 #define colon ssh_colon
-#define compat13 ssh_compat13
-#define compat20 ssh_compat20
+#define compare ssh_compare
+#define compare_gps ssh_compare_gps
 #define compat_cipher_proposal ssh_compat_cipher_proposal
 #define compat_datafellows ssh_compat_datafellows
 #define compat_kex_proposal ssh_compat_kex_proposal
 #define compat_pkalg_proposal ssh_compat_pkalg_proposal
+#define connect_next ssh_connect_next
+#define connect_to ssh_connect_to
 #define convtime ssh_convtime
 #define crypto_hash_sha512 ssh_crypto_hash_sha512
 #define crypto_hashblocks_sha512 ssh_crypto_hashblocks_sha512
-#define crypto_scalarmult_curve25519 ssh_crypto_scalarmult_curve25519
 #define crypto_sign_ed25519 ssh_crypto_sign_ed25519
 #define crypto_sign_ed25519_keypair ssh_crypto_sign_ed25519_keypair
 #define crypto_sign_ed25519_open ssh_crypto_sign_ed25519_open
@@ -228,7 +267,6 @@
 #define crypto_sign_ed25519_ref_fe25519_square ssh_crypto_sign_ed25519_ref_fe25519_square
 #define crypto_sign_ed25519_ref_fe25519_sub ssh_crypto_sign_ed25519_ref_fe25519_sub
 #define crypto_sign_ed25519_ref_fe25519_unpack ssh_crypto_sign_ed25519_ref_fe25519_unpack
-#define crypto_sign_ed25519_ref_ge25519_base ssh_crypto_sign_ed25519_ref_ge25519_base
 #define crypto_sign_ed25519_ref_isneutral_vartime ssh_crypto_sign_ed25519_ref_isneutral_vartime
 #define crypto_sign_ed25519_ref_pack ssh_crypto_sign_ed25519_ref_pack
 #define crypto_sign_ed25519_ref_sc25519_2interleave2 ssh_crypto_sign_ed25519_ref_sc25519_2interleave2
@@ -249,8 +287,7 @@
 #define crypto_sign_ed25519_ref_shortsc25519_from16bytes ssh_crypto_sign_ed25519_ref_shortsc25519_from16bytes
 #define crypto_sign_ed25519_ref_unpackneg_vartime ssh_crypto_sign_ed25519_ref_unpackneg_vartime
 #define crypto_verify_32 ssh_crypto_verify_32
-#define current_keys ssh_current_keys
-#define datafellows ssh_datafellows
+#define dbl_p1p1 ssh_dbl_p1p1
 #define debug ssh_debug
 #define debug2 ssh_debug2
 #define debug3 ssh_debug3
@@ -265,8 +302,6 @@
 #define dh_new_group14 ssh_dh_new_group14
 #define dh_new_group_asc ssh_dh_new_group_asc
 #define dh_pub_is_valid ssh_dh_pub_is_valid
-#define digests ssh_digests
-#define dispatch ssh_dispatch
 #define dispatch_init ssh_dispatch_init
 #define dispatch_protocol_error ssh_dispatch_protocol_error
 #define dispatch_protocol_ignore ssh_dispatch_protocol_ignore
@@ -284,6 +319,7 @@
 #define explicit_bzero ssh_explicit_bzero
 #define export_dns_rr ssh_export_dns_rr
 #define fatal ssh_fatal
+#define filter_proposal ssh_filter_proposal
 #define fmt_scaled ssh_fmt_scaled
 #define free_hostkeys ssh_free_hostkeys
 #define freeargs ssh_freeargs
@@ -299,20 +335,27 @@
 #define get_remote_name_or_ip ssh_get_remote_name_or_ip
 #define get_remote_port ssh_get_remote_port
 #define get_sock_port ssh_get_sock_port
+#define get_socket_address ssh_get_socket_address
 #define get_u16 ssh_get_u16
 #define get_u32 ssh_get_u32
 #define get_u64 ssh_get_u64
 #define getrrsetbyname ssh_getrrsetbyname
 #define glob ssh_glob
+#define glob0 ssh_glob0
+#define glob2 ssh_glob2
+#define globexp1 ssh_globexp1
+#define globextend ssh_globextend
 #define globfree ssh_globfree
 #define host_hash ssh_host_hash
 #define hostfile_read_key ssh_hostfile_read_key
 #define hpdelim ssh_hpdelim
-#define incoming_stream ssh_incoming_stream
 #define init_hostkeys ssh_init_hostkeys
 #define iptos2str ssh_iptos2str
 #define ipv64_normalise_mapped ssh_ipv64_normalise_mapped
+#define is_key_revoked ssh_is_key_revoked
+#define kex_alg_by_name ssh_kex_alg_by_name
 #define kex_alg_list ssh_kex_alg_list
+#define kex_buf2prop ssh_kex_buf2prop
 #define kex_c25519_hash ssh_kex_c25519_hash
 #define kex_derive_keys ssh_kex_derive_keys
 #define kex_derive_keys_bn ssh_kex_derive_keys_bn
@@ -322,6 +365,8 @@
 #define kex_get_newkeys ssh_kex_get_newkeys
 #define kex_input_kexinit ssh_kex_input_kexinit
 #define kex_names_valid ssh_kex_names_valid
+#define kex_prop_free ssh_kex_prop_free
+#define kex_protocol_error ssh_kex_protocol_error
 #define kex_send_kexinit ssh_kex_send_kexinit
 #define kex_setup ssh_kex_setup
 #define kexc25519_client ssh_kexc25519_client
@@ -355,6 +400,7 @@
 #define key_fingerprint_raw ssh_key_fingerprint_raw
 #define key_free ssh_key_free
 #define key_from_blob ssh_key_from_blob
+#define key_from_blob2 ssh_key_from_blob2
 #define key_from_private ssh_key_from_private
 #define key_generate ssh_key_generate
 #define key_in_file ssh_key_in_file
@@ -371,9 +417,14 @@
 #define key_new ssh_key_new
 #define key_new_private ssh_key_new_private
 #define key_parse_private ssh_key_parse_private
+#define key_parse_private2 ssh_key_parse_private2
+#define key_parse_private_pem ssh_key_parse_private_pem
+#define key_parse_private_type ssh_key_parse_private_type
+#define key_parse_public_rsa1 ssh_key_parse_public_rsa1
 #define key_perm_ok ssh_key_perm_ok
 #define key_private_deserialize ssh_key_private_deserialize
 #define key_private_serialize ssh_key_private_serialize
+#define key_private_to_blob2 ssh_key_private_to_blob2
 #define key_read ssh_key_read
 #define key_save_private ssh_key_save_private
 #define key_sign ssh_key_sign
@@ -382,6 +433,7 @@
 #define key_ssh_name_plain ssh_key_ssh_name_plain
 #define key_to_blob ssh_key_to_blob
 #define key_to_certified ssh_key_to_certified
+#define key_try_load_public ssh_key_try_load_public
 #define key_type ssh_key_type
 #define key_type_from_name ssh_key_type_from_name
 #define key_type_is_cert ssh_key_type_is_cert
@@ -406,6 +458,7 @@
 #define mac_init ssh_mac_init
 #define mac_setup ssh_mac_setup
 #define mac_valid ssh_mac_valid
+#define match ssh_match
 #define match_host_and_ip ssh_match_host_and_ip
 #define match_hostname ssh_match_hostname
 #define match_list ssh_match_list
@@ -418,13 +471,16 @@
 #define monotime ssh_monotime
 #define ms_subtract_diff ssh_ms_subtract_diff
 #define ms_to_timeval ssh_ms_to_timeval
+#define mult ssh_mult
 #define mysignal ssh_mysignal
-#define outgoing_stream ssh_outgoing_stream
+#define nh_aux ssh_nh_aux
+#define nh_final ssh_nh_final
 #define packet_add_padding ssh_packet_add_padding
 #define packet_backup_state ssh_packet_backup_state
 #define packet_close ssh_packet_close
 #define packet_connection_is_on_socket ssh_packet_connection_is_on_socket
 #define packet_disconnect ssh_packet_disconnect
+#define packet_enable_delayed_compress ssh_packet_enable_delayed_compress
 #define packet_get_bignum ssh_packet_get_bignum
 #define packet_get_bignum2 ssh_packet_get_bignum2
 #define packet_get_char ssh_packet_get_char
@@ -471,6 +527,7 @@
 #define packet_remaining ssh_packet_remaining
 #define packet_restore_state ssh_packet_restore_state
 #define packet_send ssh_packet_send
+#define packet_send2_wrapped ssh_packet_send2_wrapped
 #define packet_send_debug ssh_packet_send_debug
 #define packet_send_ignore ssh_packet_send_ignore
 #define packet_set_alive_timeouts ssh_packet_set_alive_timeouts
@@ -489,20 +546,32 @@
 #define packet_set_timeout ssh_packet_set_timeout
 #define packet_start ssh_packet_start
 #define packet_start_compression ssh_packet_start_compression
+#define packet_start_discard ssh_packet_start_discard
+#define packet_stop_discard ssh_packet_stop_discard
 #define packet_write_poll ssh_packet_write_poll
 #define packet_write_wait ssh_packet_write_wait
 #define parse_ipqos ssh_parse_ipqos
+#define parse_prime ssh_parse_prime
 #define percent_expand ssh_percent_expand
 #define permanently_drop_suid ssh_permanently_drop_suid
 #define permanently_set_uid ssh_permanently_set_uid
 #define permitopen_port ssh_permitopen_port
 #define pkcs11_add_provider ssh_pkcs11_add_provider
 #define pkcs11_del_provider ssh_pkcs11_del_provider
+#define pkcs11_fetch_keys_filter ssh_pkcs11_fetch_keys_filter
+#define pkcs11_find ssh_pkcs11_find
 #define pkcs11_init ssh_pkcs11_init
-#define pkcs11_interactive ssh_pkcs11_interactive
-#define pkcs11_providers ssh_pkcs11_providers
+#define pkcs11_provider_finalize ssh_pkcs11_provider_finalize
+#define pkcs11_provider_unref ssh_pkcs11_provider_unref
+#define pkcs11_rsa_finish ssh_pkcs11_rsa_finish
+#define pkcs11_rsa_private_decrypt ssh_pkcs11_rsa_private_decrypt
+#define pkcs11_rsa_private_encrypt ssh_pkcs11_rsa_private_encrypt
 #define pkcs11_terminate ssh_pkcs11_terminate
+#define plain_key_blob ssh_plain_key_blob
 #define poly1305_auth ssh_poly1305_auth
+#define poly64 ssh_poly64
+#define poly_hash ssh_poly_hash
+#define port_open_helper ssh_port_open_helper
 #define prime_test ssh_prime_test
 #define proto_spec ssh_proto_spec
 #define put_host_port ssh_put_host_port
@@ -510,11 +579,19 @@
 #define put_u32 ssh_put_u32
 #define put_u64 ssh_put_u64
 #define pwcopy ssh_pwcopy
+#define qfileout ssh_qfileout
 #define read_keyfile_line ssh_read_keyfile_line
+#define read_mux ssh_read_mux
 #define read_passphrase ssh_read_passphrase
+#define reduce_add_sub ssh_reduce_add_sub
 #define refresh_progress_meter ssh_refresh_progress_meter
 #define replacearg ssh_replacearg
 #define restore_uid ssh_restore_uid
+#define revoke_blob ssh_revoke_blob
+#define revoked_blob_tree_RB_REMOVE ssh_revoked_blob_tree_RB_REMOVE
+#define revoked_certs_for_ca_key ssh_revoked_certs_for_ca_key
+#define revoked_serial_tree_RB_REMOVE ssh_revoked_serial_tree_RB_REMOVE
+#define rijndaelKeySetupEnc ssh_rijndaelKeySetupEnc
 #define rijndael_decrypt ssh_rijndael_decrypt
 #define rijndael_encrypt ssh_rijndael_encrypt
 #define rijndael_set_key ssh_rijndael_set_key
@@ -529,9 +606,14 @@
 #define set_nodelay ssh_set_nodelay
 #define set_nonblock ssh_set_nonblock
 #define shadow_pw ssh_shadow_pw
+#define sieve_large ssh_sieve_large
+#define sig_winch ssh_sig_winch
 #define sigdie ssh_sigdie
-#define sock_get_rcvbuf ssh_sock_get_rcvbuf
 #define sock_set_v6only ssh_sock_set_v6only
+#define square ssh_square
+#define ssh1_3des_cbc ssh_ssh1_3des_cbc
+#define ssh1_3des_cleanup ssh_ssh1_3des_cleanup
+#define ssh1_3des_init ssh_ssh1_3des_init
 #define ssh1_3des_iv ssh_ssh1_3des_iv
 #define start_progress_meter ssh_start_progress_meter
 #define stop_progress_meter ssh_stop_progress_meter
@@ -543,21 +625,21 @@
 #define temporarily_use_uid ssh_temporarily_use_uid
 #define tilde_expand_filename ssh_tilde_expand_filename
 #define timingsafe_bcmp ssh_timingsafe_bcmp
+#define to_blob ssh_to_blob
 #define tohex ssh_tohex
 #define tty_make_modes ssh_tty_make_modes
 #define tty_parse_modes ssh_tty_parse_modes
 #define tun_open ssh_tun_open
-#define umac128_ctx ssh_umac128_ctx
 #define umac128_delete ssh_umac128_delete
 #define umac128_final ssh_umac128_final
 #define umac128_new ssh_umac128_new
 #define umac128_update ssh_umac128_update
-#define umac_ctx ssh_umac_ctx
 #define umac_delete ssh_umac_delete
 #define umac_final ssh_umac_final
 #define umac_new ssh_umac_new
 #define umac_update ssh_umac_update
 #define unset_nonblock ssh_unset_nonblock
+#define update_progress_meter ssh_update_progress_meter
 #define uudecode ssh_uudecode
 #define uuencode ssh_uuencode
 #define verbose ssh_verbose
@@ -566,6 +648,7 @@
 #define x11_connect_display ssh_x11_connect_display
 #define x11_create_display_inet ssh_x11_create_display_inet
 #define x11_input_open ssh_x11_input_open
+#define x11_open_helper ssh_x11_open_helper
 #define x11_request_forwarding_with_spoofing ssh_x11_request_forwarding_with_spoofing
 #define xasprintf ssh_xasprintf
 #define xcalloc ssh_xcalloc
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index 102c0bdae..3384de66c 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@@ -264,29 +264,6 @@ ssh_kill_proxy_command(void) kill(proxy_command_pid, SIGHUP); } -/* - * Set TCP receive buffer if requested. - * Note: tuning needs to happen after the socket is created but before the - * connection happens so winscale is negotiated properly. - */ -static void -ssh_set_socket_recvbuf(int sock) -{ - void *buf = (void *)&options.tcp_rcv_buf; - int socksize, sz = sizeof(options.tcp_rcv_buf); - socklen_t len = sizeof(int); - - debug("setsockopt attempting to set SO_RCVBUF to %d", - options.tcp_rcv_buf); - if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) { - getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &len); - debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), - socksize); - } else - error("Couldn't set socket receive buffer to %d: %.100s", - options.tcp_rcv_buf, strerror(errno)); -} - /* * Creates a (possibly privileged) socket for use as the ssh connection. */ @@ -303,9 +280,6 @@ ssh_create_socket(int privileged, struct addrinfo *ai) } fcntl(sock, F_SETFD, FD_CLOEXEC); - if (options.tcp_rcv_buf > 0) - ssh_set_socket_recvbuf(sock); - /* Bind the socket to an alternative local IP address */ if (options.bind_address == NULL && !privileged) return sock; @@ -546,10 +520,10 @@ static void send_client_banner(int connection_out, int minor1) { /* Send our own protocol version identification. */ - xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s%s%s%s", + xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s%s%s", compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, compat20 ? PROTOCOL_MINOR_2 : minor1, - SSH_VERSION, options.hpn_disabled ? "" : SSH_VERSION_HPN, + SSH_VERSION, *options.version_addendum == '\0' ? "" : " ", options.version_addendum, compat20 ? "\r\n" : "\n"); if (roaming_atomicio(vwrite, connection_out, client_version_string, diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c index 37a685879..ec3ad6a5f 100644 --- a/crypto/openssh/sshconnect2.c +++ b/crypto/openssh/sshconnect2.c 
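Review bot: In send_client_banner the rewritten xasprintf format bounds SSH_VERSION with `%.100s` but passes options.version_addendum through a plain `%s`, so an overlong VersionAddendum in the client configuration yields an identification line longer than the 255-character limit SSH peers expect; the same shape is in sshd_exchange_identification in sshd.c on a later hunk. The addendum is operator-supplied configuration rather than remote input, so this is a conformance and robustness point rather than an exposure, but bounding it in the format, e.g. `"SSH-%d.%d-%.100s%s%.100s%s"`, or rejecting overlong values where the option is parsed keeps the banner well-formed. send_client_banner continues beyond the end of the hunk.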
@@ -25,7 +25,6 @@ */ #include "includes.h" -__RCSID("$FreeBSD$"); #include #include @@ -80,16 +79,6 @@ __RCSID("$FreeBSD$"); extern char *client_version_string; extern char *server_version_string; extern Options options; -#ifdef NONE_CIPHER_ENABLED -extern Kex *xxx_kex; - -/* - * tty_flag is set in ssh.c so we can use it here. If set then prevent - * the switch to the null cipher. - */ - -extern int tty_flag; -#endif /* * SSH2 key exchange @@ -422,29 +411,6 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, pubkey_cleanup(&authctxt); dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL); -#ifdef NONE_CIPHER_ENABLED - /* - * If the user explicitly requests to use the none cipher enable it - * post authentication and only if the right conditions are met: both - * of the NONE switches must be true and there must be no tty allocated. - */ - if (options.none_switch == 1 && options.none_enabled == 1) { - if (!tty_flag) { - debug("Requesting none cipher re-keying..."); - myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; - myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; - kex_prop2buf(&xxx_kex->my, myproposal); - packet_request_rekeying(); - fprintf(stderr, "WARNING: enabled NONE cipher\n"); - } else { - /* Requested NONE cipher on an interactive session. */ - debug("Cannot switch to NONE cipher with tty " - "allocated"); - fprintf(stderr, "NONE cipher switch disabled given " - "a TTY is allocated\n"); - } - } -#endif debug("Authentication succeeded (%s).", authctxt.method->name); } diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c index e59fb3d34..838ed897d 100644 --- a/crypto/openssh/sshd.c +++ b/crypto/openssh/sshd.c 
@@ -446,9 +446,8 @@ sshd_exchange_identification(int sock_in, int sock_out) minor = PROTOCOL_MINOR_1; } - xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", + xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", major, minor, SSH_VERSION, - options.hpn_disabled ? "" : SSH_VERSION_HPN, *options.version_addendum == '\0' ? "" : " ", options.version_addendum, newline); @@ -950,13 +949,12 @@ static void usage(void) { if (options.version_addendum && *options.version_addendum != '\0') - fprintf(stderr, "%s%s %s, %s\n", - SSH_RELEASE, options.hpn_disabled ? "" : SSH_VERSION_HPN, + fprintf(stderr, "%s %s, %s\n", + SSH_RELEASE, options.version_addendum, SSLeay_version(SSLEAY_VERSION)); else - fprintf(stderr, "%s%s, %s\n", - SSH_RELEASE, options.hpn_disabled ? "" : SSH_VERSION_HPN, - SSLeay_version(SSLEAY_VERSION)); + fprintf(stderr, "%s, %s\n", + SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); fprintf(stderr, "usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n" " [-E log_file] [-f config_file] [-g login_grace_time]\n" @@ -1145,7 +1143,6 @@ server_listen(void) len = sizeof(socksize); getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &socksize, &len); debug("Server TCP RWIN socket size: %d", socksize); - debug("HPN Buffer Size: %d", options.hpn_buffer_size); /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { @@ -1679,11 +1676,7 @@ main(int ac, char **av) exit(1); } - debug("sshd version %.100s%.100s%s%.100s, %.100s", - SSH_RELEASE, - options.hpn_disabled ? "" : SSH_VERSION_HPN, - *options.version_addendum == '\0' ? "" : " ", - options.version_addendum, + debug("sshd version %s, %s", SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); /* Store privilege separation user for later use if required. */ 
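Review bot: In the server_listen hunk the HPN buffer-size debug line is removed but the SO_RCVBUF probe just above it, `getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &socksize, &len); debug("Server TCP RWIN socket size: %d", socksize);`, is kept, and it looks like part of the same HPN tuning code now reduced to a log line. Its getsockopt return value is unchecked, so if the call fails the debug call prints whatever socksize held beforehand. If the probe is not wanted after this cleanup, those lines and any declarations left unused with them can go; otherwise guard it with `if (getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &socksize, &len) == 0)`. The enclosing loop body in server_listen starts and ends outside the hunk.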
@@ -2114,9 +2107,6 @@ main(int ac, char **av) remote_ip, remote_port, get_local_ipaddr(sock_in), get_local_port()); - /* Set HPN options for the child. */ - channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); - /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is @@ -2501,12 +2491,6 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; -#ifdef NONE_CIPHER_ENABLED - } else if (options.none_enabled == 1) { - debug ("WARNING: None cipher enabled"); - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE; -#endif } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config index 059232ca4..011c71437 100644 --- a/crypto/openssh/sshd_config +++ b/crypto/openssh/sshd_config @@ -1,4 +1,5 @@ # $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ +# $FreeBSD$ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -119,7 +120,7 @@ #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none -#VersionAddendum FreeBSD-20140420 +#VersionAddendum FreeBSD-20160124 # no default banner path #Banner none @@ -127,18 +128,6 @@ # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server -# Change to yes to disable HPN tuning improvements. -#HPNDisabled no - -# Buffer size for HPN to non-HPN connections. -#HPNBufferSize 2048 - -# TCP receive socket buffer polling for HPN. Disable on non autotuning kernels. -#TcpRcvBufPoll yes - -# Allow the use of the NONE cipher. -#NoneEnabled no - # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index 0b98672f1..6796b9daa 100644 
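Review bot: The sshd_config hunk drops the HPNDisabled, HPNBufferSize, TcpRcvBufPoll and NoneEnabled examples, but an installed sshd_config that still sets any of them is not touched by this sample file; if the server-side parser no longer accepts those keywords (its change is not in this hunk) sshd will refuse to start on such hosts after the upgrade, which is worth stating where operators will see it and worth one line in the sample, e.g. `# HPNDisabled, HPNBufferSize, TcpRcvBufPoll and NoneEnabled are no longer supported.` Removing NoneEnabled together with the NONE_CIPHER_ENABLED branch in do_ssh2_kex on this line is the right outcome, since it removes the ability to negotiate an unencrypted transport.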
--- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@ -1253,7 +1253,7 @@ restrictions. Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is -.Dq FreeBSD-20140420 . +.Dq FreeBSD-20160124 . The value .Dq none may be used to disable this. diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h index f62c52639..090914652 100644 --- a/crypto/openssh/version.h +++ b/crypto/openssh/version.h @@ -6,5 +6,4 @@ #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -#define SSH_VERSION_FREEBSD "FreeBSD-20140420" -#define SSH_VERSION_HPN "_hpn13v11" +#define SSH_VERSION_FREEBSD "FreeBSD-20160124" diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile index 9fd0871e8..2f73b4cf6 100644 --- a/secure/lib/libssh/Makefile +++ b/secure/lib/libssh/Makefile @@ -49,10 +49,6 @@ DPADD+= ${LIBGSSAPI} ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBCOM_ERR} ${LIBMD} ${ LDADD+= -lgssapi -lkrb5 -lhx509 -lasn1 -lcom_err -lmd -lroken .endif -.if ${MK_OPENSSH_NONE_CIPHER} != "no" -CFLAGS+= -DNONE_CIPHER_ENABLED -.endif - NO_LINT= DPADD+= ${LIBCRYPTO} ${LIBCRYPT} ${LIBZ} diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile index be5861f10..a019ec140 100644 --- a/secure/usr.bin/ssh/Makefile +++ b/secure/usr.bin/ssh/Makefile @@ -35,10 +35,6 @@ DPADD+= ${LIBGSSAPI} LDADD+= -lgssapi .endif -.if ${MK_OPENSSH_NONE_CIPHER} != "no" -CFLAGS+= -DNONE_CIPHER_ENABLED -.endif - DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} LDADD+= -lcrypt -lcrypto -lz diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile index 04da063b0..7e7143a0e 100644 --- a/secure/usr.sbin/sshd/Makefile +++ b/secure/usr.sbin/sshd/Makefile 
@@ -52,10 +52,6 @@ LDADD+= -lgssapi_krb5 -lgssapi -lkrb5 -lhx509 -lasn1 \ -lcom_err -lroken -lwind -lheimbase -lheimipcc .endif -.if ${MK_OPENSSH_NONE_CIPHER} != "no" -CFLAGS+= -DNONE_CIPHER_ENABLED -.endif - DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} LDADD+= -lcrypt -lcrypto -lz diff --git a/share/mk/bsd.own.mk b/share/mk/bsd.own.mk index ef200d8fb..23ffa2465 100644 --- a/share/mk/bsd.own.mk +++ b/share/mk/bsd.own.mk @@ -405,7 +405,6 @@ __DEFAULT_NO_OPTIONS = \ LLDB \ NAND \ OFED \ - OPENSSH_NONE_CIPHER \ PKGTOOLS \ SHARED_TOOLCHAIN \ SVN \ diff --git a/tools/build/options/WITH_OPENSSH_NONE_CIPHER b/tools/build/options/WITH_OPENSSH_NONE_CIPHER deleted file mode 100644 index 8d44cc00c..000000000 --- a/tools/build/options/WITH_OPENSSH_NONE_CIPHER +++ /dev/null @@ -1,9 +0,0 @@ -.\" $FreeBSD$ -Set to include the "None" cipher support in OpenSSH and its libraries. -Additional adjustments may need to be done to system configuration -files, such as -.Xr sshd_config 5 , -to enable this cipher. -Please see -.Pa /usr/src/crypto/openssh/README.hpn -for full details. -- 2.45.0