<pre style='margin:0'>
Chih-Hsuan Yen (yan12125) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/c15ce48157fd32bd5362ce868b9e32a54ea4d089">https://github.com/macports/macports-ports/commit/c15ce48157fd32bd5362ce868b9e32a54ea4d089</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new c15ce48 net/openssh: Upgrade to version 7.9p1.
</span>c15ce48 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit c15ce48157fd32bd5362ce868b9e32a54ea4d089
</span>Author: Andrew L. Moore <slewsys@gmail.com>
AuthorDate: Sun Mar 10 23:46:40 2019 +0000
<span style='display:block; white-space:pre;color:#404040;'> net/openssh: Upgrade to version 7.9p1.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Prepare net/openssh for PR #3822
</span><span style='display:block; white-space:pre;color:#404040;'> Ref: https://trac.macports.org/ticket/56216
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Added hpn-ssh patch from FreeBSD-12 ports tree.
</span><span style='display:block; white-space:pre;color:#404040;'> Added gssapi.patch from https://salsa.debian.org/ssh-team/openssh/blob/master/debian/patches/gssapi.patch
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Temporarily disabled macOS keychain integration until this can be
</span><span style='display:block; white-space:pre;color:#404040;'> updated to 7.9p1 APIs.
</span>---
net/openssh/Portfile | 32 +-
net/openssh/files/gssapi.patch | 3353 ++++++++++++++++++++++
net/openssh/files/openssh-7.6p1-hpnssh14v13.diff | 2255 ---------------
net/openssh/files/openssh-7.9p1-hpnssh14v15.diff | 1310 +++++++++
4 files changed, 4676 insertions(+), 2274 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/Portfile b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 8b4c24d..931e2aa 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3,8 +3,7 @@
</span> PortSystem 1.0
name openssh
<span style='display:block; white-space:pre;background:#ffe0e0;'>-version 7.6p1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 7
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+version 7.9p1
</span> categories net
platforms darwin
maintainers nomaintainer
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -27,10 +26,9 @@ long_description OpenSSH is a FREE version of the SSH protocol suite of \
</span>
homepage http://www.openbsd.org/openssh/
<span style='display:block; white-space:pre;background:#ffe0e0;'>-checksums ${distfiles} \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- rmd160 486ae743f51ffbf8197d564aab9ae54f9e2ac9da \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sha256 a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- size 1489788
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+checksums rmd160 236617fb9c04dcca12f9d56b5975efda4e798f53 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sha256 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size 1565384
</span>
master_sites openbsd:OpenSSH/portable \
ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \
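Review bot: the replaced checksum triple (rmd160 236617fb..., sha256 6b4b3ba2..., size 1565384) should be cross-checked against the upstream OpenSSH 7.9p1 release announcement and its detached signature rather than against whichever mirror served the download, because `master_sites` still lists a third-party ftp mirror (ftp.cise.ufl.edu) next to the openbsd site, and a checksum computed from a mirror only proves the Portfile matches that mirror. Dropping the explicit `${distfiles}` argument is fine as long as the port still fetches a single distfile.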
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -129,27 +127,23 @@ if {${name} eq ${subport}} {
</span> # Old location(s):
# http://www.psc.edu/index.php/hpn-ssh
# Current location(s):
<span style='display:block; white-space:pre;background:#ffe0e0;'>- # http://hpnssh.sourceforge.net/
</span> # http://www.freshports.org/security/openssh-portable/
# (is usually quick in updating the HPN patch for new versions,
# take a look there, too.)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- # Formerly from FreeBSD, now copied over from FreeBSD's ports directory.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #patch_sites-append http://mirror.shatow.net/freebsd/${name}/ \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # freebsd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #set hpn_patchfile ${name}-6.7p1-hpnssh14v5.diff.gz
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #checksums-append ${hpn_patchfile} \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # rmd160 0cf7ffdd9b60d518d76076faf31df6a7a6d4ae52 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # sha256 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- set hpn_patchfile ${name}-${version}-hpnssh14v13.diff
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- patchfiles-append ${hpn_patchfile}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Source: FreeBSD /usr/ports/net/openssh-portable/files/extra-patch-hpn
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # FreeBSD uses patch option `-p2', so first path prefix was removed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # from the original.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ use_autoreconf yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patchfiles-append ${name}-${version}-hpnssh14v15.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.args-append --with-hpn --with-nonecipher
</span> }
variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Source: https://salsa.debian.org/ssh-team/openssh/blob/master/debian/patches/gssapi.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # TODO: Update patch 0002-Apple-keychain-integration-other-changes.patch to use OpenSSL 1.1 APIs.
</span> use_autoreconf yes
<span style='display:block; white-space:pre;background:#ffe0e0;'>- patchfiles-append 0002-Apple-keychain-integration-other-changes.patch \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- openssh-7.6p1-gsskex-all-20141021-mp-20171009.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patchfiles-append gssapi.patch
</span> configure.cppflags-append \
-F/System/Library/Frameworks/DirectoryService.framework \
-F/System/Library/Frameworks/CoreFoundation.framework \
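Review bot: `openssh-7.6p1-gsskex-all-20141021-mp-20171009.patch` is dropped from `patchfiles-append` in the gsskex variant, but the diffstat at the top only deletes the 7.6p1 hpn diff, so that file is left orphaned in files/; it should be removed in the same commit. The new `# Source:` comments for both patches point at `blob/master` and a bare ports path; citing a fixed commit or package version would let the vendored 3353-line gssapi.patch be re-verified against its origin later. Two smaller points: the gsskex TODO says the keychain patch needs "OpenSSL 1.1 APIs" while the commit message says "7.9p1 APIs", so one of them should be corrected; and `--with-nonecipher` compiles HPN's "none" cipher into the hpn variant, which allows an unencrypted data channel to be negotiated when a user explicitly turns it on, so a one-line comment that it stays off unless enabled in the configuration (or dropping the flag if the variant does not need it) would help. The embedded gssapi.patch header itself records upstream's objection to extra pre-auth key-exchange surface, which argues for keeping gsskex strictly opt-in, as it is here.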
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/gssapi.patch b/net/openssh/files/gssapi.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..f62bf66
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/gssapi.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,3353 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From 72b1d308e6400194ef6e4e7dd45bfa48fa39b5e6 Mon Sep 17 00:00:00 2001
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Simon Wilkinson <simon@sxw.org.uk>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Sun, 9 Feb 2014 16:09:48 +0000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: GSSAPI key exchange support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+This patch has been rejected upstream: "None of the OpenSSH developers are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+in favour of adding this, and this situation has not changed for several
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+years. This is not a slight on Simon's patch, which is of fine quality, but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+just that a) we don't trust GSSAPI implementations that much and b) we don't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+like adding new KEX since they are pre-auth attack surface. This one is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+particularly scary, since it requires hooks out to typically root-owned
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+system resources."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+However, quite a lot of people rely on this in Debian, and it's better to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+have it merged into the main openssh package rather than having separate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-krb5 packages (as we used to have). It seems to have a generally good
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+security history.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Last-Updated: 2018-10-20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Patch-Name: gssapi.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ChangeLog.gssapi | 113 ++++++++++++++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Makefile.in | 3 +-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auth-krb5.c | 17 ++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auth.c | 96 +------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auth2-gss.c | 54 +++++++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auth2.c | 2 +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ canohost.c | 93 +++++++++++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ canohost.h | 3 +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ clientloop.c | 15 ++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ config.h.in | 6 +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.ac | 24 ++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss-genr.c | 280 +++++++++++++++++++++++++++++++++++++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss-serv-krb5.c | 85 +++++++++++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss-serv.c | 184 +++++++++++++++++++++++--
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex.c | 19 +++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex.h | 14 ++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kexgssc.c | 341 +++++++++++++++++++++++++++++++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kexgsss.c | 300 +++++++++++++++++++++++++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor.c | 122 +++++++++++++++--
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor.h | 3 +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_wrap.c | 53 +++++++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_wrap.h | 4 +-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ opacket.c | 2 +-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ opacket.h | 2 +-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ readconf.c | 43 ++++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ readconf.h | 5 +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ servconf.c | 26 ++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ servconf.h | 2 +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh-gss.h | 41 +++++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_config | 2 +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_config.5 | 32 +++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshconnect2.c | 133 +++++++++++++++++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshd.c | 110 +++++++++++++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshd_config | 2 +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshd_config.5 | 10 ++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshkey.c | 3 +-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshkey.h | 1 +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 37 files changed, 2099 insertions(+), 146 deletions(-)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ create mode 100644 ChangeLog.gssapi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ create mode 100644 kexgssc.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ create mode 100644 kexgsss.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+new file mode 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 000000000..f117a336a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ChangeLog.gssapi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,113 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20110101
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - Finally update for OpenSSH 5.6p1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - Add GSSAPIServerIdentity option from Jim Basney
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20100308
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ Makefile.in, key.c, key.h ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Updates for OpenSSH 5.4p1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ servconf.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Include GSSAPI options in the sshd -T configuration dump, and flag
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ some older configuration options as being unsupported. Thanks to Colin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Watson.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ -
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20100124
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Adapt to deal with additional element in Authmethod structure. Thanks to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Colin Watson
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20090615
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshd.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Fix issues identified by Greg Hudson following a code review
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Check return value of gss_indicate_mechs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Protect GSSAPI calls in monitor, so they can only be used if enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Check return values of bignum functions in key exchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Use BN_clear_free to clear other side's DH value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Make ssh_gssapi_id_kex more robust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Only configure kex table pointers if GSSAPI is enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Don't leak mechanism list, or gss mechanism list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Cast data.length before printing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ If serverkey isn't provided, use an empty string, rather than NULL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20090201
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_config.5 sshconnet2.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Add support for the GSSAPIClientIdentity option, which allows the user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ to specify which GSSAPI identity to use to contact a given server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20080404
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gss-serv.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ been omitted from a previous version of this patch. Reported by Borislav
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Stoichkov
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20070317
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gss-serv-krb5.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Remove C99ism, where new_ccname was being declared in the middle of a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ function
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20061220
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ servconf.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ documented, behaviour. Reported by Dan Watson.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20060910
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh-gss.h ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ add support for gss-group14-sha1 key exchange mechanisms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ acceptor principal checking on multi-homed machines.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ <Bugzilla #928>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ sshd_config ssh_config ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ configuration files
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Limit length of error messages displayed by client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20060909
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gss-genr.c gss-serv.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ only, where they belong
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ <Bugzilla #1225>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20060829
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gss-serv-krb5.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ variable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20060828
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gss-genr.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Avoid Heimdal context freeing problem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ <Fixed upstream 20060829>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20060818
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Make sure that SPENGO is disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ <Bugzilla #1218 - Fixed upstream 20060818>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++20060421
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gssgenr.c, sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ a few type changes (signed versus unsigned, int versus size_t) to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fix compiler errors/warnings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ kexgssc.c, sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fix uninitialized variable warnings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gssgenr.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ <Bugzilla #1220 >
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ gss-serv-krb5.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ <Fixed upstream 20060304>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ add client-side GssapiKeyExchange option
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ add support for GssapiTrustDns option for gssapi-with-mic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ <gssapi-with-mic support is Bugzilla #1008>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/Makefile.in b/Makefile.in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 126b2c742..70050ffb6 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/Makefile.in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/Makefile.in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kexgssc.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ platform-pledge.o platform-tracing.o platform-misc.o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -113,7 +114,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auth2-none.o auth2-passwd.o auth2-pubkey.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor.o monitor_wrap.o auth-krb5.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- auth2-gss.o gss-serv.o gss-serv-krb5.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sftp-server.o sftp-common.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/auth-krb5.c b/auth-krb5.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 3096f1c8e..204752e1b 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth-krb5.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth-krb5.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ len = strlen(authctxt->krb5_ticket_file) + 6;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ authctxt->krb5_ccname = xmalloc(len);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ snprintf(authctxt->krb5_ccname, len, "API:%s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authctxt->krb5_ticket_file);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ snprintf(authctxt->krb5_ccname, len, "FILE:%s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ authctxt->krb5_ticket_file);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options.use_pam)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifndef HEIMDAL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ krb5_error_code
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- int tmpfd, ret, oerrno;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int ret, oerrno;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char ccname[40];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mode_t old_umask;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char cctemplate[] = "API:krb5cc_%d";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int tmpfd;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ret = snprintf(ccname, sizeof(ccname),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cctemplate, geteuid());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ret < 0 || (size_t)ret >= sizeof(ccname))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return ENOMEM;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifndef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ old_umask = umask(0177);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ tmpfd = mkstemp(ccname + strlen("FILE:"));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oerrno = errno;
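</span><span style='display:block; white-space:pre;'>Review bot: in the `USE_CCAPI` build of `ssh_krb5_cc_gen` the declarations of `oerrno` and `old_umask` stay outside the `#ifndef USE_CCAPI` region even though their only uses (`umask(0177)`, `oerrno = errno`, and the later `return oerrno`) are inside it, so that configuration compiles with unused-variable warnings; move both declarations next to `tmpfd` in the `#else` branch. A short comment in the code would also help reviewers of the CCAPI path: the FILE: variant gets an atomically created, owner-only temporary file via `mkstemp` under `umask(0177)`, whereas the API: variant resolves the predictable per-euid name `krb5cc_%d` with no creation step at all, so isolation of that credential cache rests entirely on the CCAPI service's per-user access control rather than on filesystem permissions.</span><span style='display:block; white-space:pre;background:#e0ffe0;'>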
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return oerrno;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ close(tmpfd);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (krb5_cc_resolve(ctx, ccname, ccache));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/auth.c b/auth.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 3ca3762cc..d8e6b4a3d 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case PERMIT_NO_PASSWD:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (strcmp(method, "publickey") == 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ strcmp(method, "hostbased") == 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- strcmp(method, "gssapi-with-mic") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ strcmp(method, "gssapi-with-mic") == 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ strcmp(method, "gssapi-keyex") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case PERMIT_FORCED_ONLY:
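</span><span style='display:block; white-space:pre;'>Review bot: adding "gssapi-keyex" to the `PERMIT_NO_PASSWD` case is consistent with the other non-password methods listed there, but the sshd_config(5) text for `PermitRootLogin prohibit-password`, which enumerates the methods still allowed for root, needs the same addition in this patch so that operators can see a GSSAPI key-exchange login is permitted for root under that setting.</span><span style='display:block; white-space:pre;background:#e0ffe0;'>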
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -737,99 +738,6 @@ fakepw(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (&fake);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Returns the remote DNS hostname as a string. The returned string must not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * be freed. NB. this will usually trigger a DNS query the first time it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * called.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * This function does additional checks on the hostname to mitigate some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * attacks on legacy rhosts-style authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * XXX is RhostsRSAAuthentication vulnerable to these?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-static char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-remote_hostname(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- struct sockaddr_storage from;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- socklen_t fromlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- struct addrinfo hints, *ai, *aitop;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const char *ntop = ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Get IP address of client. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fromlen = sizeof(from);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memset(&from, 0, sizeof(from));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getpeername(ssh_packet_get_connection_in(ssh),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- (struct sockaddr *)&from, &fromlen) < 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- debug("getpeername failed: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ipv64_normalise_mapped(&from, &fromlen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (from.ss_family == AF_INET6)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fromlen = sizeof(struct sockaddr_in6);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- debug3("Trying to reverse map address %.100s.", ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Map the IP address to a host name. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- NULL, 0, NI_NAMEREQD) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Host name not found. Use ip address. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * if reverse lookup result looks like a numeric hostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * someone is trying to trick us by PTR record like following:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_flags = AI_NUMERICHOST;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- name, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- freeaddrinfo(ai);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Names are stored in lowercase. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- lowercase(name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Map it back to an IP address and check that the given
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * address actually is an address of this host. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * necessary because anyone with access to a name server can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * define arbitrary names for an IP address. Mapping from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * name to IP address can be trusted better (but can still be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * fooled if the intruder has access to the name server of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * the domain).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_family = from.ss_family;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_socktype = SOCK_STREAM;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- logit("reverse mapping checking getaddrinfo for %.700s "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "[%s] failed.", name, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Look for the address from the list of addresses. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- for (ai = aitop; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- (strcmp(ntop, ntop2) == 0))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- freeaddrinfo(aitop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* If we reached the end of the list, the address was not there. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (ai == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Address not found for the host name. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- logit("Address %.100s maps to %.600s, but this does not "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "map back to the address.", ntop, name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Return the canonical name of the host in the other side of the current
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * connection. The host name is cached, so it is efficient to call this
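</span><span style='display:block; white-space:pre;'>Review bot: `remote_hostname` is deleted here as a `static` function and reappears later in the patch as an external symbol, so its prototype has to be exported from a header (canohost.h) and the remaining callers in auth.c must keep consuming the result the same way. The block comment being moved still says the returned string "must not be freed" while every return path is a `strdup()`; that comment was already stale, and now that the function becomes shared API it should be corrected to say the caller owns the string, otherwise new callers will leak one allocation per connection.</span><span style='display:block; white-space:pre;background:#e0ffe0;'>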
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/auth2-gss.c b/auth2-gss.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 9351e0428..1f12bb113 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2-gss.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2-gss.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1,7 +1,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -54,6 +54,46 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * The 'gssapi_keyex' userauth mechanism.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++userauth_gsskeyex(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Authctxt *authctxt = ssh->authctxt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r, authenticated = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *b;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc mic, gssbuf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *p;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((b = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mic.value = p;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mic.length = len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "gssapi-keyex");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_mutable_ptr failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.length = sshbuf_len(b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* gss_kex_context is NULL with privsep, so we can't check it here */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &gssbuf, &mic))))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authctxt->pw));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(mic.value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (authenticated);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * We only support those mechanisms that we know about (ie ones that we know
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * how to check local user kuserok and the like)
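</span><span style='display:block; white-space:pre;'>Review bot: `userauth_gsskeyex` never verifies that a GSSAPI key exchange actually took place on this connection; it leans on the comment's assumption that `ssh_gssapi_checkmic` fails when `gss_kex_context` is NULL. Since the method is registered whenever GSSAPI authentication is enabled, it will also be offered on sessions that negotiated a non-GSSAPI kex, so the monitor-side handler behind the `PRIVSEP(ssh_gssapi_checkmic(...))` call must reject a NULL context explicitly (return a GSS error, never dereference it) and should log the attempt. Smaller point: unlike the existing userauth handlers, this one does not return 0 early when `!authctxt->valid`, so an invalid user name reaches the monitor round trip; an early `if (!authctxt->valid) return 0;` before building the MIC would keep the behaviour uniform.</span><span style='display:block; white-space:pre;background:#e0ffe0;'>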
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -260,7 +300,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authctxt->pw));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((!use_privsep || mm_is_monitor()) &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (displayname = ssh_gssapi_displayname()) != NULL)
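</span><span style='display:block; white-space:pre;'>Review bot: `ssh_gssapi_userok` gains a `struct passwd *` parameter here and in the next hunk; the declaration in ssh-gss.h, the implementation in gss-serv.c and the privsep wrapper `mm_ssh_gssapi_userok` (monitor_wrap.c and the matching monitor.c handler) must change in lockstep or a privsep build will not link. On the monitor side the passwd entry used for the user-ok decision should be the monitor's own `authctxt->pw`, looked up from the already-verified user name, never a structure marshalled across from the unprivileged child.</span><span style='display:block; white-space:pre;background:#e0ffe0;'>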
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -306,7 +347,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gssbuf.length = sshbuf_len(b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authenticated =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logit("GSSAPI MIC check failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -326,6 +368,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Authmethod method_gsskeyex = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "gssapi-keyex",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ userauth_gsskeyex,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &options.gss_authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Authmethod method_gssapi = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "gssapi-with-mic",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ userauth_gssapi,
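</span><span style='display:block; white-space:pre;'>Review bot: `method_gsskeyex` is gated on the same `options.gss_authentication` flag as `method_gssapi`, so `GSSAPIAuthentication yes` now silently enables two methods and there is no way to keep gssapi-with-mic while refusing gssapi-keyex. The sshd_config(5) entry for GSSAPIAuthentication should state this, and if the two are meant to be separable a dedicated option is needed. The new method also sits under the same `#ifdef GSSAPI` as the existing one; if the key-exchange side of the patch is itself conditional, both should share that guard so the auth method is never offered on a build without the kex it depends on.</span><span style='display:block; white-space:pre;background:#e0ffe0;'>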
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/auth2.c b/auth2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 4d19957a6..a77742819 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -74,6 +74,7 @@ extern Authmethod method_passwd;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern Authmethod method_kbdint;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern Authmethod method_hostbased;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++extern Authmethod method_gsskeyex;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern Authmethod method_gssapi;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -81,6 +82,7 @@ Authmethod *authmethods[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &method_none,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &method_pubkey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &method_gsskeyex,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &method_gssapi,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &method_passwd,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/canohost.c b/canohost.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index f71a08568..404731d24 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/canohost.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/canohost.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -35,6 +35,99 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "canohost.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "misc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Returns the remote DNS hostname as a string. The returned string must not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * be freed. NB. this will usually trigger a DNS query the first time it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * called.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * This function does additional checks on the hostname to mitigate some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * attacks on legacy rhosts-style authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * XXX is RhostsRSAAuthentication vulnerable to these?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++remote_hostname(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sockaddr_storage from;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socklen_t fromlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct addrinfo hints, *ai, *aitop;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *ntop = ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Get IP address of client. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fromlen = sizeof(from);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memset(&from, 0, sizeof(from));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (getpeername(ssh_packet_get_connection_in(ssh),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (struct sockaddr *)&from, &fromlen) < 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("getpeername failed: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ipv64_normalise_mapped(&from, &fromlen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (from.ss_family == AF_INET6)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fromlen = sizeof(struct sockaddr_in6);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("Trying to reverse map address %.100s.", ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Map the IP address to a host name. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NULL, 0, NI_NAMEREQD) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Host name not found. Use ip address. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * if reverse lookup result looks like a numeric hostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * someone is trying to trick us by PTR record like following:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hints.ai_flags = AI_NUMERICHOST;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ name, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ freeaddrinfo(ai);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Names are stored in lowercase. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ lowercase(name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Map it back to an IP address and check that the given
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * address actually is an address of this host. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * necessary because anyone with access to a name server can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * define arbitrary names for an IP address. Mapping from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * name to IP address can be trusted better (but can still be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * fooled if the intruder has access to the name server of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * the domain).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hints.ai_family = from.ss_family;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hints.ai_socktype = SOCK_STREAM;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("reverse mapping checking getaddrinfo for %.700s "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "[%s] failed.", name, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Look for the address from the list of addresses. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (ai = aitop; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (strcmp(ntop, ntop2) == 0))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ freeaddrinfo(aitop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we reached the end of the list, the address was not there. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ai == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Address not found for the host name. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("Address %.100s maps to %.600s, but this does not "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "map back to the address.", ntop, name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return strdup(name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
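Review bot: the allocation results in remote_hostname are unchecked: every return path in this hunk is a bare strdup(ntop) or strdup(name), so on allocation failure a caller receives NULL with no way to tell that from a lookup problem. The rest of this patch uses the xmalloc.h wrappers (xmalloc in the gss-genr.c hunk further down), and xstrdup would match that convention by aborting instead of returning NULL. Independently of that, the function deserves a header comment: it has two distinct rejection paths (the AI_NUMERICHOST getaddrinfo check that catches a PTR record resolving to a numeric name, and the forward-lookup loop that requires the name to map back to ntop), and the caller needs to know that both of them fall back to the numeric address rather than failing, and that the returned string is heap-allocated and owned by the caller.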
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/canohost.h b/canohost.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 26d62855a..0cadc9f18 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/canohost.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/canohost.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -15,6 +15,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifndef _CANOHOST_H
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define _CANOHOST_H
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++struct ssh;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *remote_hostname(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *get_peer_ipaddr(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int get_peer_port(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *get_local_ipaddr(int);
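Review bot: the new char *remote_hostname(struct ssh *) prototype carries no comment, and unlike the int-returning get_peer_port(int) beside it the header gives no hint that the result is heap-allocated (strdup in canohost.c) and must be freed by the caller. A one-line comment above the prototype stating that, and that the function never returns NULL except on allocation failure, would prevent leaks in the new callers this patch introduces.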
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/clientloop.c b/clientloop.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 8d312cdaa..1464634b0 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/clientloop.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/clientloop.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -112,6 +112,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "hostfile.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* import options */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern Options options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1370,9 +1374,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Do channel operations unless rekeying in progress. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!ssh_packet_is_rekeying(ssh))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ssh_packet_is_rekeying(ssh)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_after_select(ssh, readset, writeset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_renewal_rekey &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_credentials_updated(NULL)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("credentials updated - forcing rekey");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ need_rekeying = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Buffer input from the connection. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ client_process_net_input(readset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
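Review bot: the credential check added to client_loop runs on every pass through the select loop: once options.gss_renewal_rekey is set, ssh_gssapi_credentials_updated(NULL) is called after each channel_after_select(ssh, readset, writeset) regardless of whether anything happened on the connection. Unless the callee throttles itself internally (not visible in this hunk), that is a credential-cache inspection per iteration of an interactive session; either a timestamp check here or a comment stating that ssh_gssapi_credentials_updated rate-limits would make the cost explicit. Setting need_rekeying = 1 rather than starting the rekey inline is correct, since the enclosing if already excludes the rekeying-in-progress case.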
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/config.h.in b/config.h.in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 91b65db8f..209760c7c 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/config.h.in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/config.h.in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1845,6 +1845,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Use btmp to log bad logins */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #undef USE_BTMP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* platform uses an in-memory credentials cache */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#undef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Use libedit for sftp */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #undef USE_LIBEDIT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1860,6 +1863,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Use PIPES instead of a socketpair() */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #undef USE_PIPES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* platform has the Security Authorization Session API */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#undef USE_SECURITY_SESSION_API
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Define if you have Solaris privileges */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #undef USE_SOLARIS_PRIVS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
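Review bot: both config.h.in hunks (USE_CCAPI above and USE_SECURITY_SESSION_API here) hand-edit a file that autoheader regenerates from the AC_DEFINE calls this patch adds to configure.ac. The two entries do match the configure.ac descriptions, but the patch should state whether the port runs autoreconf after applying it; if it does, these hunks are redundant, and if it does not, the two copies will drift apart the next time configure.ac is touched.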
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/configure.ac b/configure.ac
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 7379ab358..023e7cc55 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/configure.ac
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/configure.ac
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [Use tunnel device compatibility to OpenBSD])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [Prepend the address family to IP tunnel traffic])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_MSG_CHECKING([if we have the Security Authorization Session API])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_TRY_COMPILE([#include <Security/AuthSession.h>],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [SessionCreate(0, 0);],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [ac_cv_use_security_session_api="yes"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_DEFINE([USE_SECURITY_SESSION_API], [1],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [platform has the Security Authorization Session API])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LIBS="$LIBS -framework Security"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_MSG_RESULT([yes])],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [ac_cv_use_security_session_api="no"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_MSG_RESULT([no])])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_MSG_CHECKING([if we have an in-memory credentials cache])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_TRY_COMPILE(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [#include <Kerberos/Kerberos.h>],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [cc_context_t c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (void) cc_initialize (&c, 0, NULL, NULL);],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [AC_DEFINE([USE_CCAPI], [1],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [platform uses an in-memory credentials cache])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LIBS="$LIBS -framework Security"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_MSG_RESULT([yes])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if test "x$ac_cv_use_security_session_api" = "xno"; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_MSG_ERROR([*** Need a security framework to use the credentials cache API ***])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fi],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [AC_MSG_RESULT([no])]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ )
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ m4_pattern_allow([AU_IPv])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_CHECK_DECL([AU_IPv4], [],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
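Review bot: LIBS gets "-framework Security" appended twice when both checks succeed, once in the Security Authorization Session API branch (LIBS="$LIBS -framework Security") and again in the in-memory credentials cache branch. It is harmless to the linker but noisy; append it once, conditioned on either result being yes. Two smaller points: AC_TRY_COMPILE is the obsolete autoconf macro and AC_COMPILE_IFELSE([AC_LANG_PROGRAM(...)], ...) is the current form, and ac_cv_use_security_session_api uses the ac_cv_ cache-variable prefix without going through AC_CACHE_CHECK, so it is never actually cached; a plain local variable name avoids the confusion. The AC_MSG_ERROR for the case where the credentials cache compiles but the session API does not is fine as written.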
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/gss-genr.c b/gss-genr.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index d56257b4a..491e62cee 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-genr.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-genr.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1,7 +1,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -39,14 +39,37 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshkey.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "log.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "ssh2.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "cipher.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "kex.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern u_char *session_id2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern u_int session_id2_len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *encoded;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_OID oid;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++} ssh_gss_kex_mapping;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * XXX - It would be nice to find a more elegant way of handling the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * XXX passing of the key exchange context to the userauth routines
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Gssctxt *gss_kex_context = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static ssh_gss_kex_mapping *gss_enc2oid = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_oid_table_ok(void) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (gss_enc2oid != NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* sshbuf_get for gss_buffer_desc */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
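Review bot: the new file-scope state in this hunk (Gssctxt *gss_kex_context and the static gss_enc2oid table) has no ownership or lifetime comment beyond the XXX note about passing the key exchange context to the userauth routines, and ssh_gssapi_oid_table_ok(void) is likewise undocumented. A comment stating who sets gss_kex_context, when it is cleared, and that gss_enc2oid is rebuilt on each mechanism query would help whoever reviews the userauth side. Style: the project puts the opening brace of a function definition on its own line (see ipv64_normalise_mapped in the canohost.c hunk above), while ssh_gssapi_oid_table_ok(void) { keeps it on the signature line.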
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -62,6 +85,143 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Return a list of the gss-group1-sha1 mechanisms supported by this program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We test mechanisms to ensure that we can use them, to avoid starting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * a key exchange with a bad mechanism
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_client_mechanisms(const char *host, const char *client) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_OID_set gss_supported;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 min_status;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ host, client));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *host, const char *client) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *buf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r, oidpos, enclen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *mechs, *encoded;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char digest[SSH_DIGEST_MAX_LENGTH];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char deroid[2];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct ssh_digest_ctx *md;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss_enc2oid != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(gss_enc2oid[i].encoded);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(gss_enc2oid);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (gss_supported->count + 1));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((buf = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oidpos = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < gss_supported->count; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss_supported->elements[i].length < 128 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (*check)(NULL, &(gss_supported->elements[i]), host, client)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ deroid[0] = SSH_GSS_OIDTYPE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ deroid[1] = gss_supported->elements[i].length;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_digest_update(md, deroid, 2) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_digest_update(md,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_supported->elements[i].elements,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_supported->elements[i].length) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_digest_final(md, digest, sizeof(digest)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: digest failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ encoded = xmalloc(ssh_digest_bytes(SSH_DIGEST_MD5)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 2);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ enclen = __b64_ntop(digest,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (oidpos != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put_u8(buf, ',')) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put(buf, KEX_GSS_GEX_SHA1_ID,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sizeof(KEX_GSS_GEX_SHA1_ID) - 1)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put_u8(buf, ',')) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put(buf, KEX_GSS_GRP1_SHA1_ID,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put_u8(buf, ',')) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put(buf, KEX_GSS_GRP14_SHA1_ID,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put(buf, encoded, enclen)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_enc2oid[oidpos].encoded = encoded;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oidpos++;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_enc2oid[oidpos].oid = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_enc2oid[oidpos].encoded = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((mechs = sshbuf_dup_string(buf)) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_dup_string failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strlen(mechs) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(mechs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mechs = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (mechs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss_OID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int i = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while (gss_enc2oid[i].encoded != NULL &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ strcmp(name, gss_enc2oid[i].encoded) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ i++;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss_enc2oid[i].oid != NULL && ctx != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return gss_enc2oid[i].oid;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Check that the OID in a data stream matches that in the context */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
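</span><span style='display:block; white-space:pre-wrap;'>Review bot: ssh_gssapi_id_kex never checks that name actually begins with the KEX_GSS_*_ID prefix selected by kex_type. Each case only guards the length (strlen(name) &lt; sizeof(KEX_GSS_GRP1_SHA1_ID)) and then skips sizeof(...) - 1 bytes unconditionally, so any string of sufficient length is looked up in gss_enc2oid as if its tail were the base64 OID suffix. Add a prefix test before advancing, e.g. if (strncmp(name, KEX_GSS_GRP1_SHA1_ID, sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) != 0) return GSS_C_NO_OID; in each case. The three cases differ only in the constant, so a small {kex_type, prefix} table would also remove the copy-paste. Note too that the lookup depends on the oid = NULL / encoded = NULL sentinel written just above the return of mechs, so the gss_enc2oid allocation (not in this hunk) must leave room for that extra slot.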
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -218,7 +378,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ctx->major = gss_init_sec_context(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->client_creds, &ctx->context, ctx->name, ctx->oid,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
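</span><span style='display:block; white-space:pre-wrap;'>Review bot: replacing GSS_C_NO_CREDENTIAL with ctx->client_creds here means every Gssctxt must have client_creds initialised to GSS_C_NO_CREDENTIAL, and ssh_gssapi_delete_ctx must release it; neither site is in this hunk. Confirm that ssh_gssapi_build_ctx zero-fills or explicitly sets the new member, otherwise a context that never went through ssh_gssapi_client_identity hands an uninitialised credential handle to gss_init_sec_context.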
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -247,9 +407,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (ctx->major);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++OM_uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc gssbuf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_name_t gssname;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 status;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_OID_set oidset;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.value = (void *) name;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.length = strlen(gssbuf.value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_create_empty_oid_set(&status, &oidset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_add_oid_set_member(&status, ctx->oid, &oidset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->major = gss_import_name(&ctx->minor, &gssbuf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ GSS_C_NT_USER_NAME, &gssname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ctx->major)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->major = gss_acquire_cred(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssname, 0, oidset, GSS_C_INITIATE,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &ctx->client_creds, NULL, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_name(&status, &gssname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_oid_set(&status, &oidset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ctx->major)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_error(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return(ctx->major);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ctx == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ GSS_C_QOP_DEFAULT, buffer, hash)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_error(ctx);
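</span><span style='display:block; white-space:pre-wrap;'>Review bot: ssh_gssapi_client_identity discards the major status of gss_create_empty_oid_set and gss_add_oid_set_member (status only receives the minor status), so if adding ctx->oid fails, gss_acquire_cred runs with an empty OID set and the library picks its default mechanisms instead of the negotiated one, silently. Check both results and return with ctx->major set on failure. Also initialise gssname = GSS_C_NO_NAME: when gss_import_name fails, gss_release_name is still called on it unconditionally. Minor: the new early return in ssh_gssapi_sign returns -1 through an OM_uint32; a GSS status such as GSS_S_FAILURE is the idiomatic value and reads correctly through GSS_ERROR().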
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -257,6 +451,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (ctx->major);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Priviledged when used by server */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++OM_uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ctx == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf, gssmic, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (ctx->major);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *context)
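</span><span style='display:block; white-space:pre-wrap;'>Review bot: ssh_gssapi_checkmic does not call ssh_gssapi_error(ctx) when gss_verify_mic fails, unlike ssh_gssapi_sign directly above it, so a bad MIC on the server side leaves no trace in the log; add the same error call for consistency. Same remark as for ssh_gssapi_sign on returning -1 as an OM_uint32, and the comment should read "Privileged", not "Priviledged".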
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -273,11 +480,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *client)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 major, minor;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Gssctxt *intctx = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ctx == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx = &intctx;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* RFC 4462 says we MUST NOT do SPNEGO */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (oid->length == spnego_oid.length &&
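</span><span style='display:block; white-space:pre-wrap;'>Review bot: the new client parameter of ssh_gssapi_check_mechanism is undocumented, as is the intctx fallback for a NULL ctx. Add a comment stating that a non-NULL client selects the initiator identity to acquire credentials for (NULL keeps the default credentials), and that passing ctx == NULL asks only for a yes/no answer, with the temporary context torn down before returning.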
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -287,6 +499,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_build_ctx(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_set_oid(*ctx, oid);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ major = ssh_gssapi_import_name(*ctx, host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!GSS_ERROR(major) && client)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ major = ssh_gssapi_client_identity(*ctx, client);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!GSS_ERROR(major)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -296,10 +512,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ GSS_C_NO_BUFFER);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (GSS_ERROR(major))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(major) || intctx != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_delete_ctx(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (!GSS_ERROR(major));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_credentials_updated(Gssctxt *ctxt) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ static gss_name_t saved_name = GSS_C_NO_NAME;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ static OM_uint32 saved_lifetime = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ static gss_OID saved_mech = GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ static gss_name_t name;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ static OM_uint32 last_call = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 lifetime, now, major, minor;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int equal;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ now = time(NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ctxt) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Rekey has happened - updating saved versions");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (saved_name != GSS_C_NO_NAME)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_name(&minor, &saved_name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &saved_name, &saved_lifetime, NULL, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!GSS_ERROR(major)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ saved_mech = ctxt->oid;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ saved_lifetime+= now;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Handle the error */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (now - last_call < 10)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ last_call = now;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (saved_mech == GSS_C_NO_OID)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &name, &lifetime, NULL, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (major == GSS_S_CREDENTIALS_EXPIRED)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else if (GSS_ERROR(major))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ major = gss_compare_name(&minor, saved_name, name, &equal);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_name(&minor, &name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(major))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (equal && (saved_lifetime < lifetime + now - 10))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* GSSAPI */
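</span><span style='display:block; white-space:pre-wrap;'>Review bot: in ssh_gssapi_credentials_updated, saved_lifetime += now and lifetime + now - 10 overflow when gss_inquire_cred reports GSS_C_INDEFINITE (0xffffffff) as the lifetime, which implementations return for credentials without an expiry; the comparison then wraps and the function can report an update that did not happen, or miss one. Handle GSS_C_INDEFINITE explicitly before doing arithmetic on the lifetime. The empty /* Handle the error */ branch is also a problem: saved_name has already been released and passed to a failing gss_inquire_cred, yet saved_mech and saved_lifetime keep their values from the previous rekey, so the later comparison runs against stale state; set saved_mech = GSS_C_NO_OID there so the early return disables it. Smaller points: now is OM_uint32 but time() returns time_t, and static gss_name_t name has no reason to be static since it is only an output for the per-call gss_inquire_cred.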
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index a151bc1e4..90f8692f5 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-serv-krb5.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-serv-krb5.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1,7 +1,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ krb5_error_code problem;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ krb5_principal princ;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 maj_status, min_status;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- int len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *errmsg;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *new_ccname;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (client->creds == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("No credentials stored");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ new_ccname = krb5_cc_get_name(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ client->store.envvar = "KRB5CCNAME";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- len = strlen(client->store.filename) + 6;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- client->store.envval = xmalloc(len);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&client->store.envval, "API:%s", new_ccname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ client->store.filename = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&client->store.envval, "FILE:%s", new_ccname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ client->store.filename = xstrdup(new_ccname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options.use_pam)
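</span><span style='display:block; white-space:pre-wrap;'>Review bot: under USE_CCAPI client->store.filename is now NULL while store.envval carries an "API:" cache name, so any later consumer of store.filename (the cleanup and ownership code in gss-serv.c that treats it as a path) must check for NULL before unlinking or chowning it; please confirm those sites handle the NULL case. Replacing the hand-computed len + 6 with xasprintf is fine.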
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_ccache ccache = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_principal principal = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *name = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_error_code problem;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 maj_status, min_status;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("krb5_cc_resolve(): %.100s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Find out who the principal in this cache is */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((problem = krb5_cc_get_principal(krb_context, ccache,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &principal))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("krb5_cc_get_principal(): %.100s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_cc_close(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("krb5_unparse_name(): %.100s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_free_principal(krb_context, principal);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_cc_close(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strcmp(name,client->exportedname.value)!=0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Name in local credentials cache differs. Not storing");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_free_principal(krb_context, principal);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_cc_close(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_free_unparsed_name(krb_context, name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_free_unparsed_name(krb_context, name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Name matches, so lets get on with it! */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("krb5_cc_initialize(): %.100s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_free_principal(krb_context, principal);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_cc_close(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_free_principal(krb_context, principal);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ccache))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("gss_krb5_copy_ccache() failed. Sorry!");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_cc_close(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_mech gssapi_kerberos_mech = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "toWM5Slw5Ew8Mqkay+al2g==",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "Kerberos",
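Review bot: the success path at the end of this hunk (`return 1;` once `gss_krb5_copy_ccache()` has succeeded) never calls `krb5_cc_close(krb_context, ccache)`, while both error paths above it do, so every successful credential refresh leaks the ccache handle; add `krb5_cc_close(krb_context, ccache);` immediately before `return 1;`. A smaller point: the `gss_krb5_copy_ccache()` failure is logged only as "Sorry!" with neither `maj_status` nor `min_status`, unlike the `krb5_cc_initialize()` branch which includes `krb5_get_err_text()`, which leaves nothing in the logs to diagnose a failed update.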
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &ssh_gssapi_krb5_userok,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- &ssh_gssapi_krb5_storecreds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &ssh_gssapi_krb5_storecreds,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &ssh_gssapi_krb5_updatecreds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* KRB5 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/gss-serv.c b/gss-serv.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index ab3a15f0f..6c087a1b1 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-serv.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-serv.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1,7 +1,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -44,17 +44,22 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "session.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "misc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "servconf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "uidswap.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "monitor_wrap.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static ssh_gssapi_client gssapi_client =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {NULL, NULL, NULL, NULL, NULL}, 0, 0};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_mech gssapi_null_mech =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef KRB5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern ssh_gssapi_mech gssapi_kerberos_mech;
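Review bot: the added `extern ServerOptions options;` sits directly above the existing `extern ServerOptions options;` context line, so gss-serv.c now declares it twice; drop the added copy (the two new includes are all this part of the hunk needs). The widened initializers, `{NULL, NULL, NULL, NULL, NULL}, 0, 0` for `gssapi_client` and the extra `NULL` in `gssapi_null_mech`, are positional and therefore silently depend on the field order in ssh-gss.h; designated initializers (`.used = 0`, `.updated = 0`, `.updatecreds = NULL`) would make the new fields self-documenting and survive future reordering.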
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -140,6 +145,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (ssh_gssapi_acquire_cred(*ctx));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Unprivileged */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_server_mechanisms(void) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (supported_oids == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_prepare_supported_oids();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (ssh_gssapi_kex_mechs(supported_oids,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &ssh_gssapi_server_check_mech, NULL, NULL));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Unprivileged */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *dummy) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Gssctxt *ctx = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int res;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_delete_ctx(&ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (res);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Unprivileged */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_supported_oids(gss_OID_set *oidset)
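Review bot: `ssh_gssapi_server_check_mech()` acquires a full server credential through the monitor (`PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid))`) for every candidate mechanism and then deletes it at once, only to learn whether the mechanism is usable; a comment saying that this probe is deliberate and that it runs once per key-exchange proposal would spare the next reader the question of whether the context was meant to be kept. Style: both new functions put the opening brace on the signature line (`ssh_gssapi_server_mechanisms(void) {`), whereas the neighbouring `ssh_gssapi_supported_oids(gss_OID_set *oidset)` has it on its own line, and the unused parameters `dum`, `data` and `dummy` deserve a note that they exist only to satisfy the callback signature expected by `ssh_gssapi_kex_mechs()`.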
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -150,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_OID_set supported;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_create_empty_oid_set(&min_status, oidset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- gss_indicate_mechs(&min_status, &supported);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ while (supported_mechs[i]->name != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (GSS_ERROR(gss_test_oid_set_member(&min_status,
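Review bot: the new early `return;` when `gss_indicate_mechs()` fails is silent; the caller is handed the empty set that `gss_create_empty_oid_set()` already created and concludes that no mechanism is supported, with nothing in the logs to say why. Log the failure before returning (at least `debug("gss_indicate_mechs failed")`, better with the status via the existing error helpers) so that a broken or misconfigured GSS library is diagnosable rather than looking like a deliberate empty mechanism list.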
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -276,8 +305,48 @@ OM_uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int i = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int equal = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_name_t new_name = GSS_C_NO_NAME;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_store_rekey && client->used && ctx->client_creds) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (client->mech->oid.length != ctx->oid->length ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (memcmp(client->mech->oid.elements,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->oid->elements, ctx->oid->length) !=0)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Rekeyed credentials have different mechanism");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return GSS_S_COMPLETE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->client_creds, ctx->oid, &new_name,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NULL, NULL, NULL))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_error(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (ctx->major);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->major = gss_compare_name(&ctx->minor, client->name,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ new_name, &equal);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(ctx->major)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_error(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (ctx->major);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!equal) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Rekeyed credentials have different name");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return GSS_S_COMPLETE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- gss_buffer_desc ename;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Marking rekeyed credentials for export");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_name(&ctx->minor, &client->name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_cred(&ctx->minor, &client->creds);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ client->name = new_name;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ client->creds = ctx->client_creds;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->client_creds = GSS_C_NO_CREDENTIAL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ client->updated = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return GSS_S_COMPLETE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ client->mech = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
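Review bot: in the rekey branch, the `new_name` returned by `gss_inquire_cred_by_mech()` is leaked on two of the three exits: the `GSS_ERROR(ctx->major)` return after `gss_compare_name()` and the `if (!equal)` return both leave it unreleased, and only the success path transfers it into `client->name`. Add `gss_release_name(&ctx->minor, &new_name);` on those two paths. Two behaviours here are probably intended but should be stated in a comment: a mechanism or name mismatch is reported as `GSS_S_COMPLETE` while the freshly delegated `ctx->client_creds` is left in place and never adopted, and `gss_compare_name()` fails with an error in the common implementations when `client->name` is still `GSS_C_NO_NAME` (a session that authenticated without delegated credentials and only receives some on rekey), which turns that rekey into a hard failure. Minor: `!=0` should be `!= 0`.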
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -292,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (client->mech == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return GSS_S_FAILURE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ctx->client_creds &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (ctx->major = gss_inquire_cred_by_mech(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->client_creds, ctx->oid, &client->name, NULL, NULL, NULL))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_error(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (ctx->major);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &client->displayname, NULL))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_error(ctx);
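Review bot: `client->name` is now taken from the delegated credential via `gss_inquire_cred_by_mech()`, while `client->displayname` (the `gss_display_name()` call directly below) and the exported name are still derived from the authenticated initiator `ctx->client`; nothing checks that the credential's name matches the initiator, and when no credential was delegated `client->name` remains `GSS_C_NO_NAME`. A short comment stating that the credential's name is recorded because it is what later rekeys are compared against, plus a check (or at least a `debug` message) when the two names differ, would make the trust relationship between the two names explicit.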
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -309,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (ctx->major);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&ctx->minor, &ename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* We can't copy this structure, so we just move the pointer to it */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ client->creds = ctx->client_creds;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ctx->client_creds = GSS_C_NO_CREDENTIAL;
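Review bot: the added `gss_release_buffer(&ctx->minor, &ename);` runs only on the success path; the `return (ctx->major);` immediately above it (the error exit of the preceding call) still returns with `ename` allocated. Since `ename` is now initialised to `GSS_C_EMPTY_BUFFER` at the top of the function, releasing it on that error path as well is safe and completes the fix.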
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -356,7 +434,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Privileged */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_userok(char *user, struct passwd *pw)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 lmin;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -366,9 +444,11 @@ ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (gssapi_client.mech && gssapi_client.mech->userok)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if ((*gssapi_client.mech->userok)(&gssapi_client, user))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((*gssapi_client.mech->userok)(&gssapi_client, user)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssapi_client.used = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssapi_client.store.owner = pw;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Destroy delegated credentials if userok fails */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_release_buffer(&lmin, &gssapi_client.displayname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_release_buffer(&lmin, &gssapi_client.exportedname);
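Review bot: `gssapi_client.store.owner = pw;` keeps a raw pointer to the caller's `struct passwd`, which the later rekey code dereferences (`owner->pw_name` in `pam_start()`, `temporarily_use_uid(owner)`) possibly long after authentication has finished; document that `pw` must outlive the session, or store a copy (OpenSSH already provides `pwcopy()` for this) so the lifetime does not depend on the caller. Setting `used = 1` and `owner` only inside the success branch is correct, since the failure branch destroys the delegated credentials.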
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -382,14 +462,90 @@ ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-/* Privileged */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-OM_uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* These bits are only used for rekeying. The unpriviledged child is running
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * as the user, the monitor is root.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * In the child, we want to :
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * *) Ask the monitor to store our credentials into the store we specify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * *) If it succeeds, maybe do a PAM update
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Stuff for PAM */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct pam_response **resp, void *data)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- gssbuf, gssmic, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (PAM_CONV_ERR);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return (ctx->major);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_rekey_creds(void) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int ok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int ret;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pam_handle_t *pamh = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *envstr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gssapi_client.store.filename == NULL &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssapi_client.store.envval == NULL &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssapi_client.store.envvar == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ok)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Rekeyed credentials stored successfully");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Actually managing to play with the ssh pam stack from here will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * be next to impossible. In any case, we may want different options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * for rekeying. So, use our own :)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!use_privsep) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Not even going to try and do PAM with privsep disabled");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &pamconv, &pamh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ret)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssapi_client.store.envval);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ret = pam_putenv(pamh, envstr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ret)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pam_setcred(pamh, PAM_REINITIALIZE_CRED);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pam_end(pamh, PAM_SUCCESS);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_update_creds(ssh_gssapi_ccache *store) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int ok = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Check we've got credentials to store */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!gssapi_client.updated)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssapi_client.updated = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ temporarily_use_uid(gssapi_client.store.owner);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gssapi_client.mech && gssapi_client.mech->updatecreds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ok = (*gssapi_client.mech->updatecreds)(store, &gssapi_client);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("No update function for this mechanism");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ restore_uid();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return ok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Privileged */
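Review bot: `ssh_gssapi_rekey_creds()` can format a NULL string: the early-return guard only requires one of `store.filename`, `store.envval` and `store.envvar` to be set, yet `xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, gssapi_client.store.envval)` is reached whenever the PAM branch runs, so a store that carries only a filename passes NULL to `%s` (undefined behaviour; glibc prints "(null)", other libcs crash). Guard the PAM update with `if (gssapi_client.store.envvar != NULL && gssapi_client.store.envval != NULL)` and free `envstr` after `pam_putenv()`, which copies its argument. Further points in the same hunk: `int ret;` is declared outside `#ifdef USE_PAM` but used only inside it, which produces an unused-variable warning in non-PAM builds; `pam_start("sshd-rekey", ...)` introduces a new PAM service name that administrators must configure and that should be documented next to `gss_store_rekey`; and this hunk deletes `ssh_gssapi_checkmic()` from gss-serv.c, which is only correct if the same patch adds it elsewhere (not visible here), so that move should be confirmed. The design of `ssh_gssapi_update_creds()` is sound in that the uid to switch to comes from the monitor's own `gssapi_client.store.owner` rather than from the child-supplied `store`, and a comment saying so would prevent a later "simplification" that trusts the child. Typo in the new comment: "unpriviledged".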
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/kex.c b/kex.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 25f9f66f6..fb5bfaea5 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -54,6 +54,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* prototype */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int kex_choose_conf(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int kex_input_newkeys(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -105,6 +109,14 @@ static const struct kexalg kexalgs[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { NULL, -1, -1, -1},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static const struct kexalg kexalg_prefixes[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { NULL, -1, -1, -1 },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex_alg_list(char sep)
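Review bot: all three GSS key-exchange entries added here are SHA-1 based, and `KEX_GSS_GRP1_SHA1_ID` is the 1024-bit group1 exchange that upstream OpenSSH no longer offers by default; since this table is what makes those names acceptable to `kex_alg_by_name()`, the port's advertised GSS KEX list should prefer the group-exchange and group14 variants and the group1 entry should be documented as legacy-only. A comment on the table saying that these are name prefixes (the wire name carries a per-mechanism suffix) would also explain why they live in a separate array from `kexalgs[]`.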
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -137,6 +149,10 @@ kex_alg_by_name(const char *name)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (strcmp(k->name, name) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return k;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (k = kexalg_prefixes; k->name != NULL; k++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strncmp(k->name, name, strlen(k->name)) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return k;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
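</span><span style='display:block; white-space:pre;'>Review bot: the prefix loop added after the exact-match loop in kex_alg_by_name() returns k for any name that merely begins with k->name, so a name that is exactly the bare prefix with no mechanism-OID suffix is accepted too; if the suffix is required by the later GSS mechanism lookup, guard the return with strlen(name) > strlen(k->name), and add a comment stating that exact matches in kexalgs[] take precedence because that loop runs first.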
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -653,6 +669,9 @@ kex_free(struct kex *kex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshbuf_free(kex->peer);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshbuf_free(kex->my);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(kex->session_id);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(kex->gss_host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(kex->client_version_string);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(kex->server_version_string);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(kex->failed_choice);
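</span><span style='display:block; white-space:pre;'>Review bot: kex_free() now frees kex->gss_host but not kex->gss_client, which the kex.h hunk adds alongside it as another char * member of struct kex; either add free(kex->gss_client) under the same #ifdef GSSAPI block or document that gss_client points at memory owned elsewhere, so the ownership of the two new strings is consistent and neither leaks nor double-frees.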
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/kex.h b/kex.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 593de1208..4e5ead839 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -100,6 +100,9 @@ enum kex_exchange {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEX_DH_GEX_SHA256,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEX_ECDH_SHA2,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEX_C25519_SHA256,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_GRP1_SHA1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_GRP14_SHA1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_GEX_SHA1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEX_MAX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -148,6 +151,12 @@ struct kex {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int flags;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int hash_alg;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ec_nid;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_deleg_creds;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_trust_dns;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_host;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *client_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *server_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *failed_choice;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -198,6 +207,11 @@ int kexecdh_server(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kexc25519_client(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kexc25519_server(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int kexgss_client(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int kexgss_server(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kex_dh_hash(int, const char *, const char *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/kexgssc.c b/kexgssc.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+new file mode 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 000000000..3c8ae08dd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgssc.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,341 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * are met:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 1. Redistributions of source code must retain the above copyright
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * notice, this list of conditions and the following disclaimer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 2. Redistributions in binary form must reproduce the above copyright
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * notice, this list of conditions and the following disclaimer in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * documentation and/or other materials provided with the distribution.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "includes.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "includes.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <openssl/crypto.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <openssl/bn.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <string.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssh2.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshkey.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "cipher.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "kex.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "log.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "packet.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "dh.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kexgss_client(struct ssh *ssh) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Gssctxt *ctxt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 maj_status, min_status, ret_flags;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int klen, kout, slen = 0, strlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH *dh;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIGNUM *dh_server_pub = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIGNUM *shared_secret = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const BIGNUM *pub_key, *dh_p, *dh_g;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIGNUM *p = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIGNUM *g = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *kbuf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *serverhostkey = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *empty = "";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *msg;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int type = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int first = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char hash[SSH_DIGEST_MAX_LENGTH];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t hashlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Initialise our GSSAPI world */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_build_ctx(&ctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ssh_gssapi_id_kex(ctxt, ssh->kex->name, ssh->kex->kex_type)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ == GSS_C_NO_OID)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Couldn't identify host exchange");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ssh_gssapi_import_name(ctxt, ssh->kex->gss_host))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Couldn't import hostname");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ssh->kex->gss_client &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_client_identity(ctxt, ssh->kex->gss_client))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Couldn't acquire client credentials");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (ssh->kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh = dh_new_group1();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh = dh_new_group14();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Doing group exchange\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ nbits = dh_estimate(ssh->kex->we_need * 8);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_int(min);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_int(nbits);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_int(max);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_read_expect(SSH2_MSG_KEXGSS_GROUP);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((p = BN_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("BN_new() failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_get_bignum2(p);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((g = BN_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("BN_new() failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_get_bignum2(g);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_check_eom();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (BN_num_bits(p) < min || BN_num_bits(p) > max)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ min, BN_num_bits(p), max);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh = dh_new_group(g, p);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Step 1 - e is dh->pub_key */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_gen_key(dh, ssh->kex->we_need * 8);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_key(dh, &pub_key, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_pqg(dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* This is f, we initialise it now to make life easier */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_server_pub = BN_new();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (dh_server_pub == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("dh_server_pub == NULL");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ token_ptr = GSS_C_NO_BUFFER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ do {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Calling gss_init_sec_context");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ maj_status = ssh_gssapi_init_ctx(ctxt,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->gss_deleg_creds, token_ptr, &send_tok,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &ret_flags);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(maj_status)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (send_tok.length != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_string(send_tok.value,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ send_tok.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("gss_init_context failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we've got an old receive buffer get rid of it */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (token_ptr != GSS_C_NO_BUFFER)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(recv_tok.value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status == GSS_S_COMPLETE) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If mutual state flag is not true, kex fails */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!(ret_flags & GSS_C_MUTUAL_FLAG))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Mutual authentication failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If integ avail flag is not true kex fails */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!(ret_flags & GSS_C_INTEG_FLAG))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Integrity check failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * If we have data to send, then the last message that we
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * received cannot have been a 'complete'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (send_tok.length != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (first) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_start(SSH2_MSG_KEXGSS_INIT);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_string(send_tok.value,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ send_tok.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_bignum2(pub_key);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ first = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_string(send_tok.value,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ send_tok.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &send_tok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we've sent them data, they should reply */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ do {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type = packet_read();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Received KEXGSS_HOSTKEY");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (serverhostkey)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Server host key received more than once");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ serverhostkey =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_get_string(&slen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case SSH2_MSG_KEXGSS_CONTINUE:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Received GSSAPI_CONTINUE");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status == GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("GSSAPI Continue received from server when complete");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ recv_tok.value = packet_get_string(&strlen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ recv_tok.length = strlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case SSH2_MSG_KEXGSS_COMPLETE:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Received GSSAPI_COMPLETE");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_get_bignum2(dh_server_pub);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ msg_tok.value = packet_get_string(&strlen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ msg_tok.length = strlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Is there a token included? */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (packet_get_char()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ recv_tok.value=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_get_string(&strlen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ recv_tok.length = strlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we're already complete - protocol error */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status == GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_disconnect("Protocol error: received token when complete");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* No token included */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status != GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_disconnect("Protocol error: did not receive final token");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case SSH2_MSG_KEXGSS_ERROR:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Received Error");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ maj_status = packet_get_int();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ min_status = packet_get_int();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ msg = packet_get_string(NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (void) packet_get_string_ptr(NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("GSSAPI Error: \n%.400s",msg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_disconnect("Protocol error: didn't expect packet type %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ token_ptr = &recv_tok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* No data, and not complete */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status != GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Not complete, and no token output");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } while (maj_status & GSS_S_CONTINUE_NEEDED);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We _must_ have received a COMPLETE message in reply from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * server, which will have set dh_server_pub and msg_tok
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (type != SSH2_MSG_KEXGSS_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Check f in range [1, p-1] */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!dh_pub_is_valid(dh, dh_server_pub))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_disconnect("bad server public DH value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* compute K=f^x mod p */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ klen = DH_size(dh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kbuf = xmalloc(klen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kout = DH_compute_key(kbuf, dh_server_pub, dh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (kout < 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("DH_compute_key: failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ shared_secret = BN_new();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (shared_secret == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("kexgss_client: BN_new failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("kexdh_client: BN_bin2bn failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memset(kbuf, 0, klen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(kbuf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hashlen = sizeof(hash);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (ssh->kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex_dh_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->client_version_string,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (serverhostkey ? serverhostkey : empty), slen,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pub_key, /* e */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_server_pub, /* f */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ shared_secret, /* K */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kexgex_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->client_version_string,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (serverhostkey ? serverhostkey : empty), slen,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ min, nbits, max,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_p, dh_g,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pub_key,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_server_pub,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ shared_secret,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.value = hash;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.length = hashlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Verify that the hash matches the MIC we just got. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_disconnect("Hash's MIC didn't verify");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(msg_tok.value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_free(dh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(serverhostkey);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BN_clear_free(dh_server_pub);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* save session id */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ssh->kex->session_id == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->session_id_len = hashlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ssh->kex->gss_deleg_creds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_credentials_updated(ctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss_kex_context == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_kex_context = ctxt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_delete_ctx(&ctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BN_clear_free(shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return kex_send_newkeys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* GSSAPI */
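</span><span style='display:block;'>Review bot: the return value of kex_derive_keys_bn() is discarded at `kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);` near the end of kexgss_client(); in 7.9 that function returns an int error code, so a failed key derivation would still be followed by kex_send_newkeys(). Check it the way kexdh.c does, e.g. `if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) r = kex_send_newkeys(ssh);` and return r (with an int r declared at the top of the function). Also, the `memset(kbuf, 0, klen); free(kbuf);` pair that scrubs the raw DH output is a dead store before free() and can be dropped by the compiler; the rest of the 7.9 tree uses explicit_bzero(kbuf, klen) for this.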
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/kexgsss.c b/kexgsss.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+new file mode 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 000000000..18070f1d7
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgsss.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,300 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * are met:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 1. Redistributions of source code must retain the above copyright
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * notice, this list of conditions and the following disclaimer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 2. Redistributions in binary form must reproduce the above copyright
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * notice, this list of conditions and the following disclaimer in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * documentation and/or other materials provided with the distribution.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "includes.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <string.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <openssl/crypto.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <openssl/bn.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssh2.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshkey.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "cipher.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "kex.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "log.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "packet.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "dh.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "monitor_wrap.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "misc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "servconf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kexgss_server(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 maj_status, min_status;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Some GSSAPI implementations use the input value of ret_flags (an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * output variable) as a means of triggering mechanism specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * features. Initializing it to zero avoids inadvertently
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * activating this non-standard behaviour.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 ret_flags = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc gssbuf, recv_tok, msg_tok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Gssctxt *ctxt = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int slen, klen, kout;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *kbuf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH *dh;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int min = -1, max = -1, nbits = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const BIGNUM *pub_key, *dh_p, *dh_g;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIGNUM *shared_secret = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIGNUM *dh_client_pub = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int type = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_OID oid;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *mechs;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char hash[SSH_DIGEST_MAX_LENGTH];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t hashlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Initialise GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we're rekeying, privsep means that some of the private structures
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * in the GSSAPI code are no longer available. This kludges them back
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * into life
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ssh_gssapi_oid_table_ok()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mechs = ssh_gssapi_server_mechanisms();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(mechs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("%s: Identifying %s", __func__, ssh->kex->name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oid = ssh_gssapi_id_kex(NULL, ssh->kex->name, ssh->kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (oid == GSS_C_NO_OID)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Unknown gssapi mechanism");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("%s: Acquiring credentials", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Unable to acquire credentials for the server");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (ssh->kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh = dh_new_group1();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh = dh_new_group14();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Doing group exchange");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ min = packet_get_int();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ nbits = packet_get_int();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ max = packet_get_int();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_check_eom();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (max < min || nbits < min || max < nbits)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ min, nbits, max);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh = PRIVSEP(choose_dh(MAX(DH_GRP_MIN, min),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ nbits, MIN(DH_GRP_MAX, max)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (dh == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_disconnect("Protocol error: no matching group found");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_pqg(dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_start(SSH2_MSG_KEXGSS_GROUP);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_bignum2(dh_p);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_bignum2(dh_g);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_write_wait();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_gen_key(dh, ssh->kex->we_need * 8);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ do {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Wait SSH2_MSG_GSSAPI_INIT");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type = packet_read();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch(type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case SSH2_MSG_KEXGSS_INIT:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (dh_client_pub != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Received KEXGSS_INIT after initialising");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ recv_tok.value = packet_get_string(&slen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ recv_tok.length = slen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((dh_client_pub = BN_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("dh_client_pub == NULL");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_get_bignum2(dh_client_pub);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case SSH2_MSG_KEXGSS_CONTINUE:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ recv_tok.value = packet_get_string(&slen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ recv_tok.length = slen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_disconnect(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "Protocol error: didn't expect packet type %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &send_tok, &ret_flags));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(recv_tok.value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Zero length token output when incomplete");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (dh_client_pub == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("No client public key");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status & GSS_S_CONTINUE_NEEDED) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Sending GSSAPI_CONTINUE");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_string(send_tok.value, send_tok.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &send_tok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } while (maj_status & GSS_S_CONTINUE_NEEDED);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(maj_status)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (send_tok.length > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_string(send_tok.value, send_tok.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("accept_ctx died");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!(ret_flags & GSS_C_MUTUAL_FLAG))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Mutual Authentication flag wasn't set");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!(ret_flags & GSS_C_INTEG_FLAG))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Integrity flag wasn't set");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!dh_pub_is_valid(dh, dh_client_pub))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_disconnect("bad client public DH value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ klen = DH_size(dh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kbuf = xmalloc(klen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kout = DH_compute_key(kbuf, dh_client_pub, dh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (kout < 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("DH_compute_key: failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ shared_secret = BN_new();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (shared_secret == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("kexgss_server: BN_new failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("kexgss_server: BN_bin2bn failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memset(kbuf, 0, klen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(kbuf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_key(dh, &pub_key, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_pqg(dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hashlen = sizeof(hash);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (ssh->kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex_dh_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->client_version_string, ssh->kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NULL, 0, /* Change this if we start sending host keys */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_client_pub, pub_key, shared_secret,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kexgex_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->client_version_string, ssh->kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NULL, 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ min, nbits, max,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_p, dh_g,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_client_pub,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pub_key,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ shared_secret,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BN_clear_free(dh_client_pub);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ssh->kex->session_id == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->session_id_len = hashlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.value = hash;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.length = hashlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok))))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Couldn't get MIC");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_start(SSH2_MSG_KEXGSS_COMPLETE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_bignum2(pub_key);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_string(msg_tok.value,msg_tok.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (send_tok.length != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_char(1); /* true */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_string(send_tok.value, send_tok.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_put_char(0); /* false */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &send_tok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &msg_tok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss_kex_context == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_kex_context = ctxt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_delete_ctx(&ctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_free(dh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BN_clear_free(shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex_send_newkeys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If this was a rekey, then save out any delegated credentials we
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * just exchanged. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_store_rekey)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_rekey_creds();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* GSSAPI */
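Review bot: the results of kex_derive_keys_bn() and kex_send_newkeys() are dropped and the function returns 0 unconditionally (`kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);` ... `kex_send_newkeys(ssh);` ... `return 0;`), so a failed key derivation or a failed NEWKEYS send is reported to the caller as success. Propagate the status the way the other kex server functions do, e.g. `if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) r = kex_send_newkeys(ssh);` and return r. Smaller point in the same hunk: `memset(kbuf, 0, klen); free(kbuf);` should be `explicit_bzero(kbuf, klen);` so the scrub of the raw DH shared secret cannot be optimised away before the free.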
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/monitor.c b/monitor.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 531b2993a..eabc1e89b 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int mm_answer_gss_accept_ctx(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int mm_answer_gss_userok(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int mm_answer_gss_checkmic(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int mm_answer_gss_sign(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int mm_answer_gss_updatecreds(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef SSH_AUDIT_EVENTS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -215,11 +217,18 @@ struct mon_table mon_dispatch_proto20[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {0, 0, NULL}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct mon_table mon_dispatch_postauth20[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
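Review bot: the four entries added to mon_dispatch_postauth20 (GSSSETUP, GSSSTEP, GSSSIGN, GSSUPCREDS) all carry flags 0, while the pre-auth GSSSIGN entry added just above is MON_ONCE; the asymmetry is presumably deliberate, because a post-auth rekey may run the GSS exchange more than once, but nothing in the table says so. Add a short comment on the post-auth block, in the style of the `/* GSI needs this */` note in this file, stating that these are for rekey with credential refresh, so a later cleanup does not "fix" them to MON_ONCE.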
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -289,6 +298,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Permit requests for moduli and signatures */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* and for the GSSAPI key exchange */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* The first few requests do not require asynchronous access */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ while (!authenticated) {
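Review bot: `monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);` is added unconditionally under #ifdef GSSAPI at the top of the pre-auth loop, and the handler it opens (mm_answer_gss_setup_ctx, later in this patch) now only refuses when both gss_authentication and gss_keyex are off. With GSSAPIAuthentication yes and GSSAPIKeyExchange no, the unauthenticated child can therefore ask the monitor to create a GSS acceptor context from its very first request, before any userauth exchange. Gate it on the option it exists for: `if (options.gss_keyex) monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);`.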
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -401,6 +414,10 @@ monitor_child_postauth(struct monitor *pmonitor)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* and for the GSSAPI key exchange */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (auth_opts->permit_pty_flag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
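Review bot: the post-auth `monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);` should also be conditional on `options.gss_keyex`; after authentication the only reason to let the child set up a new GSS context is a GSS key exchange during rekey, so opening it when only GSSAPIAuthentication is enabled widens the post-auth monitor interface for nothing. The comment "and for the GSSAPI key exchange" would be clearer as "and for GSSAPI key exchange on rekey".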
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1666,6 +1683,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_C25519_SHA256] = kexc25519_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->load_host_public_key=&get_hostkey_public_by_type;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->load_host_private_key=&get_hostkey_private_by_type;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->host_key_index=&get_hostkey_index;
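Review bot: the three kexgss_server registrations in monitor_apply_keystate are guarded by `options.gss_keyex`, and they must agree exactly with the registrations done for the initial key exchange in sshd.c (not in this hunk); if the two sites drift, a post-auth rekey that negotiates a KEX_GSS_* method dereferences a NULL kex->kex[] entry. A single helper called from both places would remove that risk. Note also that this enables handlers for gss-group1-sha1 (1024-bit DH) and SHA-1 group exchange; whatever the default GSS kex proposal is (not in this hunk), it should not offer group1 unless explicitly configured, consistent with OpenSSH no longer offering diffie-hellman-group1-sha1 by default.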
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1756,8 +1780,8 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_char *p;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
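Review bot: `if (!options.gss_authentication && !options.gss_keyex)` is now copied verbatim into every GSS monitor handler in this patch (setup_ctx, accept_ctx, checkmic, userok, sign, updatecreds); factor it into one static helper or macro so a future option does not have to be threaded through six places and the fatal message stays consistent. For setup_ctx itself the relaxation is correct, since the key exchange needs an acceptor context even with GSSAPIAuthentication off.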
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1789,8 +1813,8 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 flags = 0; /* GSI needs this */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1810,6 +1834,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
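Review bot: `monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);` is placed on the same branch that permits GSSUSEROK and GSSCHECKMIC, i.e. once the accepted context is complete; that is the right gate for both kex and userauth, but because the pre-auth GSSSIGN table entry is MON_ONCE this permit is consumed by the first sign request and a second one before authentication is fatal. A one-line comment here that the kex MIC is expected exactly once pre-auth would save the next reader from cross-checking the dispatch table.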
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1821,8 +1846,8 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 ret;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
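Review bot: mm_answer_gss_checkmic serves MIC verification for GSSAPI userauth, so widening its guard to `!options.gss_authentication && !options.gss_keyex` lets the child request a MIC check with GSSAPIAuthentication off. It stays bounded by MON_ONCE and by the post-accept permit, but unless the key-exchange context is also meant to authenticate users when GSSAPIAuthentication is disabled, keep this handler on `!options.gss_authentication` alone.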
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1851,10 +1876,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r, authenticated;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *displayname;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authenticated = authctxt->valid &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_userok(authctxt->user, authctxt->pw);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshbuf_reset(m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = sshbuf_put_u32(m, authenticated)) != 0)
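Review bot: mm_answer_gss_userok is the MON_AUTHDECIDE handler (see its dispatch table entry), i.e. it is what decides that the peer is logged in; accepting it when only gss_keyex is set means a server configured with GSSAPIAuthentication no can still answer "authenticated" for a GSS principal. If the gssapi-keyex userauth method is meant to require GSSAPIAuthentication yes, keep `if (!options.gss_authentication)` here rather than the relaxed form. The new `ssh_gssapi_userok(authctxt->user, authctxt->pw)` call is good: it uses the monitor's own passwd entry, not anything supplied by the child.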
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1871,5 +1897,83 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Monitor loop will terminate if authenticated */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (authenticated);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++mm_answer_gss_sign(int socket, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc data;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 major, minor;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *p;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ data.value = p;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ data.length = len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (data.length != 20)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: data length incorrect: %d", __func__,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (int) data.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Save the session ID on the first time around */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (session_id2_len == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ session_id2_len = data.length;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ session_id2 = xmalloc(session_id2_len);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(session_id2, data.value, session_id2_len);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ major = ssh_gssapi_sign(gsscontext, &data, &hash);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(data.value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_reset(m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put_u32(m, major)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&minor, &hash);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Turn on getpwnam permissions */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* And credential updating, for when rekeying */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++mm_answer_gss_updatecreds(int socket, struct sshbuf *m) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_ccache store;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r, ok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_get_cstring(m, &store.filename, NULL)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_get_cstring(m, &store.envvar, NULL)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_get_cstring(m, &store.envval, NULL)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ok = ssh_gssapi_update_creds(&store);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(store.filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(store.envvar);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(store.envval);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_reset(m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put_u32(m, ok)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return(0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
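Review bot: in mm_answer_gss_updatecreds the credential store location comes entirely from the unprivileged child (`sshbuf_get_cstring(m, &store.filename, NULL)` plus envvar and envval) and is handed straight to ssh_gssapi_update_creds(), so the privileged monitor writes refreshed delegated credentials wherever the child names. The monitor should keep the ssh_gssapi_ccache it created on the original delegation and either ignore the child's values or refuse a store that does not match them. Two related points in mm_answer_gss_sign: `monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);` is a silent no-op before authentication, since GSSUPCREDS exists only in mon_dispatch_postauth20, which is acceptable but deserves a comment; and `if (data.length != 20)` hardwires the SHA-1 digest length, so tie it to the SHA-1-only KEX_GSS_* set with a named constant rather than a magic number. Finally, `ok` is an int but is written with sshbuf_put_u32; pass `ok != 0` or declare it u_int.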
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/monitor.h b/monitor.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 16047299f..44fbed589 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -63,6 +63,9 @@ enum monitor_reqtype {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct monitor {
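Review bot: the new request codes start at 150, leaving a gap after MONITOR_REQ_AUDIT_COMMAND = 113; that is sensible for staying clear of future upstream additions, but say so in a comment next to the entries, and drop the stray blank line left between `MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,` and the closing `};`.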
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/monitor_wrap.c b/monitor_wrap.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 732fb3476..1865a122a 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor_wrap.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor_wrap.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -984,7 +984,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-mm_ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++mm_ssh_gssapi_userok(char *user, struct passwd *pw)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct sshbuf *m;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r, authenticated = 0;
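Review bot: the new `struct passwd *pw` argument to mm_ssh_gssapi_userok is introduced in the signature, but the hunk stops before the body, so it is not visible whether `pw` is serialized into the request or only used locally. If it is sent to the monitor, the monitor should still base the userok decision on its own authctxt->pw rather than a child-supplied value; a short comment at the signature saying which it is would help the next reader.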
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1003,4 +1003,55 @@ mm_ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (authenticated);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++OM_uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *m;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 major;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((m = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_get_u32(m, &major)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return(major);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *m;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r, ok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((m = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put_cstring(m,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ store->filename ? store->filename : "")) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put_cstring(m,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ store->envvar ? store->envvar : "")) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put_cstring(m,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ store->envval ? store->envval : "")) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_get_u32(m, &ok)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (ok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* GSSAPI */
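Review bot: in mm_ssh_gssapi_update_creds, `ok` is declared `int` but passed to `sshbuf_get_u32(m, &ok)`, which takes a `u_int32_t *`; this is an incompatible-pointer-type warning and should be `u_int32_t ok;` (returning it as int is fine). In mm_ssh_gssapi_sign, `major` is `OM_uint32`, which matches. Two style points in the same hunk: `return(major);` vs `return (ok);` and `return (authenticated);` above, so use the spaced form consistently, and sshbuf_free(m) is reached only on success because every error path calls fatal(), which is the existing convention in this file and worth keeping.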
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/monitor_wrap.h b/monitor_wrap.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 644da081d..7f93144ff 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor_wrap.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor_wrap.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-int mm_ssh_gssapi_userok(char *user);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int mm_ssh_gssapi_userok(char *user, struct passwd *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef USE_PAM
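Review bot: the prototype `OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);` spells the buffer parameters as `gss_buffer_t` while the definition in monitor_wrap.c uses `gss_buffer_desc *`. The two are the same type (gss_buffer_t is a typedef for gss_buffer_desc *), so this compiles, but the neighbouring mm_ssh_gssapi_accept_ctx prototype uses `gss_buffer_desc *`; pick one spelling for the new functions to match the header.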
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/opacket.c b/opacket.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index e637d7a71..7672c0b59 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/opacket.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/opacket.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -80,7 +80,7 @@ ssh_packet_put_raw(struct ssh *ssh, const void *buf, u_int len)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-ssh_packet_put_bignum2(struct ssh *ssh, BIGNUM * value)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_packet_put_bignum2(struct ssh *ssh, const BIGNUM * value)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/opacket.h b/opacket.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index f92fe586e..1cf66a2d3 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/opacket.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/opacket.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -7,7 +7,7 @@ void ssh_packet_start(struct ssh *, u_char);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_packet_put_char(struct ssh *, int ch);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_packet_put_int(struct ssh *, u_int value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_packet_put_int64(struct ssh *, u_int64_t value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-void ssh_packet_put_bignum2(struct ssh *, BIGNUM * value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void ssh_packet_put_bignum2(struct ssh *, const BIGNUM * value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_packet_put_ecpoint(struct ssh *, const EC_GROUP *, const EC_POINT *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_packet_put_string(struct ssh *, const void *buf, u_int len);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_packet_put_cstring(struct ssh *, const char *str);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/readconf.c b/readconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 433811521..36bc5e59a 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -161,6 +161,8 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oGssServerIdentity,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oHashKnownHosts,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -201,10 +203,20 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Sometimes-unsupported options */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if defined(GSSAPI)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "gssapiauthentication", oGssAuthentication },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapikeyexchange", oGssKeyEx },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "gssapidelegatecredentials", oGssDelegateCreds },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapitrustdns", oGssTrustDns },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapiclientidentity", oGssClientIdentity },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapiserveridentity", oGssServerIdentity },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapirenewalforcesrekey", oGssRenewalRekey },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "gssapiauthentication", oUnsupported },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapikeyexchange", oUnsupported },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "gssapidelegatecredentials", oUnsupported },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapitrustdns", oUnsupported },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapiclientidentity", oUnsupported },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapiserveridentity", oUnsupported },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapirenewalforcesrekey", oUnsupported },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef ENABLE_PKCS11
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "smartcarddevice", oPKCS11Provider },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -974,10 +986,30 @@ parse_time:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->gss_authentication;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oGssKeyEx:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->gss_keyex;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case oGssDelegateCreds:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->gss_deleg_creds;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oGssTrustDns:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->gss_trust_dns;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oGssClientIdentity:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ charptr = &options->gss_client_identity;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oGssServerIdentity:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ charptr = &options->gss_server_identity;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oGssRenewalRekey:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->gss_renewal_rekey;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case oBatchMode:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->batch_mode;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
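Review bot: this hunk adds parsing for five new client keywords (GSSAPIKeyExchange, GSSAPITrustDns, GSSAPIClientIdentity, GSSAPIServerIdentity, GSSAPIRenewalForcesRekey) but nothing in this section shows the matching ssh_config.5 entries; confirm the patch documents them, in particular that GSSAPITrustDns makes the client accept an unauthenticated reverse-DNS result when choosing the service principal and so should be left at its default unless the resolver path is trusted.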
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1842,7 +1874,12 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->pubkey_authentication = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->challenge_response_authentication = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_authentication = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_keyex = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_deleg_creds = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_trust_dns = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_renewal_rekey = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_client_identity = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_server_identity = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->password_authentication = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->kbd_interactive_authentication = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->kbd_interactive_devices = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1988,8 +2025,14 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->challenge_response_authentication = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->gss_authentication == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_authentication = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->gss_keyex == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_keyex = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->gss_deleg_creds == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_deleg_creds = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->gss_trust_dns == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_trust_dns = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->gss_renewal_rekey == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_renewal_rekey = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->password_authentication == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->password_authentication = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->kbd_interactive_authentication == -1)
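Review bot: the defaults chosen here (gss_keyex, gss_trust_dns and gss_renewal_rekey all fall back to 0) are the right conservative choice, since each of them either changes the key-exchange method set or widens what the client will trust from DNS; note that gss_client_identity and gss_server_identity get no default in this hunk, so any code that later dereferences them must handle NULL.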
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/readconf.h b/readconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index fc7e38251..8e4900d01 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -40,7 +40,12 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int challenge_response_authentication;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Try S/Key or TIS, authentication. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int gss_authentication; /* Try GSS authentication */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_keyex; /* Try GSS key exchange */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int gss_deleg_creds; /* Delegate GSS credentials */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_renewal_rekey; /* Credential renewal forces rekey */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_client_identity; /* Principal to initiate GSSAPI with */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_server_identity; /* GSSAPI target principal */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int password_authentication; /* Try password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * authentication. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/servconf.c b/servconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 932d363bb..4668b8a45 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -124,8 +124,10 @@ initialize_server_options(ServerOptions *options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->kerberos_ticket_cleanup = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->kerberos_get_afs_token = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_authentication=-1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_keyex = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_cleanup_creds = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_strict_acceptor = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_store_rekey = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->password_authentication = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->kbd_interactive_authentication = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->challenge_response_authentication = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -337,10 +339,14 @@ fill_default_server_options(ServerOptions *options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->kerberos_get_afs_token = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->gss_authentication == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_authentication = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->gss_keyex == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_keyex = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->gss_cleanup_creds == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_cleanup_creds = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->gss_strict_acceptor == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_strict_acceptor = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->gss_store_rekey == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_store_rekey = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->password_authentication == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->password_authentication = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->kbd_interactive_authentication == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -485,6 +491,7 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sHostKeyAlgorithms,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sGssKeyEx, sGssStoreRekey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sAcceptEnv, sSetEnv, sPermitTunnel,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sUsePrivilegeSeparation, sAllowAgentForwarding,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -559,12 +566,20 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
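Review bot: `gssusesessionccache` and `gssapiusesessioncredcache` are added outside the #ifdef GSSAPI block and always map to sUnsupported, and `gssapicleanupcreds` is added as an alias of gssapicleanupcredentials; these look like compatibility spellings carried over from the Debian patch lineage. A one-line comment above them saying so would stop a future reader from trying to implement them, and sshd_config.5 should mention the alias if it is meant to be user-visible. Marking GSSAPIKeyExchange and GSSAPIStoreCredentialsOnRekey as SSHCFG_GLOBAL (not settable in Match blocks) is consistent with GSSAPIStrictAcceptorCheck.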
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1468,6 +1483,10 @@ process_server_config_line(ServerOptions *options, char *line,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->gss_authentication;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sGssKeyEx:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->gss_keyex;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case sGssCleanupCreds:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->gss_cleanup_creds;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1476,6 +1495,10 @@ process_server_config_line(ServerOptions *options, char *line,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->gss_strict_acceptor;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sGssStoreRekey:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->gss_store_rekey;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case sPasswordAuthentication:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->password_authentication;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2560,7 +2583,10 @@ dump_config(ServerOptions *o)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dump_cfg_fmtint(sKbdInteractiveAuthentication,
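Review bot: the added 'dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);' line fixes an upstream omission (sshd -T did not print GSSAPIStrictAcceptorCheck even though the keyword is parsed at the sGssStrictAcceptor case in the hunk above) that has nothing to do with GSSAPI key exchange; mention it in the commit message or carry it as a separate patch so the fix is not lost when gssapi.patch is rebased or dropped.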
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/servconf.h b/servconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 0175e00e8..3b76da816 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -125,8 +125,10 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kerberos_get_afs_token; /* If true, try to get AFS token if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * authenticated with Kerberos. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int gss_authentication; /* If true, permit GSSAPI authentication */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_keyex; /* If true, permit GSSAPI key exchange */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int gss_cleanup_creds; /* If true, destroy cred cache on logout */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_store_rekey;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int password_authentication; /* If true, permit password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * authentication. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kbd_interactive_authentication; /* If true, permit */
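Review bot: 'int gss_store_rekey;' is the only field in this block without a trailing comment; add one in the style of its neighbours, e.g. /* If true, update stored creds after rekeying */ (assuming that is its meaning; the sGssStoreRekey parse case gives no hint either).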
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ssh-gss.h b/ssh-gss.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 36180d07a..350ce7882 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-gss.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-gss.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1,6 +1,6 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -61,10 +61,22 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_GSS_OIDTYPE 0x06
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_INIT 30
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_CONTINUE 31
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_COMPLETE 32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_HOSTKEY 33
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_ERROR 34
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_GROUPREQ 40
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_GROUP 41
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *filename;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *envvar;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *envval;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct passwd *owner;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void *data;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } ssh_gssapi_ccache;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
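Review bot: KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-" is the RFC 4462 method built on the 1024-bit Oakley group 2 with SHA-1, the same parameters OpenSSH removed from its default proposal as diffie-hellman-group1-sha1; if it must stay for interoperability, keep it out of the default client proposal and offer only gss-group14-sha1 and gss-gex-sha1. Also, the new 'struct passwd *owner;' member of ssh_gssapi_ccache has no comment; say what it refers to and who frees it.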
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -72,8 +84,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_buffer_desc displayname;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_buffer_desc exportedname;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_cred_id_t creds;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_name_t name;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct ssh_gssapi_mech_struct *mech;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_ccache store;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int used;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int updated;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } ssh_gssapi_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ typedef struct ssh_gssapi_mech_struct {
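Review bot: 'int used;' and 'int updated;' in ssh_gssapi_client carry no comments; state what each flag tracks and where it is set, since they sit next to the credential store and will matter for the cleanup and rekey paths.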
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int (*userok) (ssh_gssapi_client *, char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int (*localname) (ssh_gssapi_client *, char **);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void (*storecreds) (ssh_gssapi_client *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } ssh_gssapi_mech;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -94,10 +110,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_OID oid; /* client */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_cred_id_t creds; /* server */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_name_t client; /* server */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- gss_cred_id_t client_creds; /* server */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_cred_id_t client_creds; /* both */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } Gssctxt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern ssh_gssapi_mech *supported_mechs[];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++extern Gssctxt *gss_kex_context;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -123,17 +140,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_gssapi_buildmic(struct sshbuf *, const char *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int ssh_gssapi_credentials_updated(Gssctxt *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* In the server */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *ssh_gssapi_client_mechanisms(const char *, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-int ssh_gssapi_userok(char *name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int ssh_gssapi_userok(char *name, struct passwd *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_gssapi_do_child(char ***, u_int *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_gssapi_cleanup_creds(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_gssapi_storecreds(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *ssh_gssapi_displayname(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *ssh_gssapi_server_mechanisms(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int ssh_gssapi_oid_table_ok(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int ssh_gssapi_update_creds(ssh_gssapi_ccache *store);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void ssh_gssapi_rekey_creds(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* _SSH_GSS_H */
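Review bot: style in the prototype block: 'ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,' is missing the space after the first comma, 'ssh_gssapi_userok(char *name, struct passwd *)' and 'ssh_gssapi_update_creds(ssh_gssapi_ccache *store)' mix named and unnamed parameters while the rest of the header names none, and ssh_gssapi_check_mechanism gains a fourth 'const char *' argument with nothing saying what it is. A one-line comment for the added parameter would help callers.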
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ssh_config b/ssh_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index c12f5ef52..bcb9f153d 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -24,6 +24,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # HostbasedAuthentication no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # GSSAPIAuthentication no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # GSSAPIDelegateCredentials no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# GSSAPIKeyExchange no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# GSSAPITrustDNS no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # BatchMode no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # CheckHostIP yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # AddressFamily any
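Review bot: the sample config spells the option GSSAPITrustDNS while the ssh_config.5 hunk below uses GSSAPITrustDns; keyword lookup in readconf is case-insensitive so both parse, but pick one spelling so that the sample file and the manual agree when grepped.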
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ssh_config.5 b/ssh_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 4d5b01d3e..16c79368a 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -736,10 +736,42 @@ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Specifies whether user authentication based on GSSAPI is allowed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Cm GSSAPIKeyExchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Specifies whether key exchange based on GSSAPI may be used. When using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++GSSAPI key exchange the server need not have a host key.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Cm GSSAPIClientIdentity
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If set, specifies the GSSAPI client identity that ssh should use when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++connecting to the server. The default is unset, which means that the default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++identity will be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Cm GSSAPIServerIdentity
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If set, specifies the GSSAPI server identity that ssh should expect when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++connecting to the server. The default is unset, which means that the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++expected GSSAPI server identity will be determined from the target
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++hostname.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Cm GSSAPIDelegateCredentials
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Forward (delegate) credentials to the server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Cm GSSAPIRenewalForcesRekey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If set to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++then renewal of the client's GSSAPI credentials will force the rekeying of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh connection. With a compatible server, this can delegate the renewed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++credentials to a session on the server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Cm GSSAPITrustDns
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Set to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++to indicate that the DNS is trusted to securely canonicalize
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++the name of the host being connected to. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no ,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++the hostname entered on the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++command line will be passed untouched to the GSSAPI library.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Cm HashKnownHosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Indicates that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Xr ssh 1
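Review bot: the GSSAPIKeyExchange entry says the server need not have a host key but does not say what stands in for host key verification; state that the server is then authenticated by its GSSAPI identity, so GSSAPIServerIdentity and GSSAPITrustDns decide which principal the client will accept. The GSSAPITrustDns entry should make the risk explicit: with yes, whoever controls the DNS answer also chooses the server principal the client expects, which is why no is the safe default. Minor mdoc style: start each new sentence on its own line ("may be used. When using", "connecting to the server. The default is").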
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshconnect2.c b/sshconnect2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 1675f3935..8c872a4fb 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct kex *kex;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *orig = NULL, *gss = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_host = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xxx_host = host;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xxx_hostaddr = hostaddr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -194,6 +199,35 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ order_hostkeyalgs(host, hostaddr, port));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Add the GSSAPI mechanisms currently supported on this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * client to the key exchange algorithm proposal */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ orig = myproposal[PROPOSAL_KEX_ALGS];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_server_identity)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = xstrdup(options.gss_server_identity);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else if (options.gss_trust_dns)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = remote_hostname(active_state);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = xstrdup(host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss = ssh_gssapi_client_mechanisms(gss_host,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.gss_client_identity);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Offering GSSAPI proposal: %s", gss);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "%s,%s", gss, orig);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we've got GSSAPI algorithms, then we also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * support the 'null' hostkey, as a last resort */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "%s,null", orig);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options.rekey_limit || options.rekey_interval)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ packet_set_rekey_limits(options.rekey_limit,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options.rekey_interval);
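Review bot: the xasprintf building "%s,%s" from gss and orig puts every GSSAPI kex method ahead of the user's configured KexAlgorithms, so once GSSAPIKeyExchange is on, a server that supports them negotiates a gss-* method (the three registered in the next hunk are group1, group14 and gex, all SHA-1 based, with group1 a 1024-bit group) in preference to curve25519 and the other modern defaults. Consider appending instead of prepending, or at least dropping the group1 variant, and say in ssh_config.5 that enabling the option changes the preferred kex. The ",null" host key algorithm appended as a last resort means the client will accept a server that presents no host key when a gss-* method wins; that is by design but belongs in the GSSAPIKeyExchange documentation too. Finally, the gss_host selection (gss_server_identity, then remote_hostname when gss_trust_dns, else host) is repeated verbatim in userauth_gssapi later in this file; factor it into a helper.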
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -215,15 +249,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_C25519_SHA256] = kexc25519_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->client_version_string=client_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->server_version_string=server_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->verify_host_key=&verify_host_key_callback;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->gss_deleg_creds = options.gss_deleg_creds;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->gss_trust_dns = options.gss_trust_dns;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->gss_client = options.gss_client_identity;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->gss_host = gss_host;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* remove ext-info from the KEX proposals for rekeying */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ myproposal[PROPOSAL_KEX_ALGS] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compat_kex_proposal(options.kex_algorithms);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* repair myproposal after it was crumpled by the */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* ext-info removal above */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ orig = myproposal[PROPOSAL_KEX_ALGS];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "%s,%s", gss, orig);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(gss);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("kex_prop2buf: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
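Review bot: in the rekey repair, myproposal[PROPOSAL_KEX_ALGS] is first reassigned from compat_kex_proposal() and then replaced again by xasprintf, and neither the string built by the earlier xasprintf in ssh_kex2 nor the value overwritten here is freed; it is a once-per-connection leak, but free() the previous value before each reassignment. The server host key proposal is not rebuilt here, so the ",null" entry added before the first kex stays in effect for rekeys; a short comment saying that is intended would help. Ownership of gss_host is also unclear: it is handed to kex->gss_host and never freed in this function, so note that kex owns it.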
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -314,6 +374,7 @@ int input_gssapi_token(int type, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int input_gssapi_hash(int type, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int input_gssapi_error(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int input_gssapi_errtok(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int userauth_gsskeyex(Authctxt *authctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void userauth(Authctxt *, char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -330,6 +391,11 @@ static char *authmethods_get(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Authmethod authmethods[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {"gssapi-keyex",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ userauth_gsskeyex,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &options.gss_authentication,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NULL},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {"gssapi-with-mic",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ userauth_gssapi,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ NULL,
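Review bot: "gssapi-keyex" is enabled by options.gss_authentication rather than options.gss_keyex, so the client offers it whenever GSSAPIAuthentication is yes, including sessions where no GSSAPI key exchange was negotiated and no gss_kex_context can exist. Unless userauth_gsskeyex returns 0 early when gss_kex_context is NULL, that is a pointless method attempt; gating on both flags, or a comment pointing at that early return, would make the intent clear.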
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -686,25 +752,40 @@ userauth_gssapi(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static u_int mech = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 min;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r, ok = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_host;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_server_identity)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = xstrdup(options.gss_server_identity);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else if (options.gss_trust_dns)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = remote_hostname(active_state);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = xstrdup(authctxt->host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Try one GSSAPI method at a time, rather than sending them all at
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * once. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (gss_supported == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- gss_indicate_mechs(&min, &gss_supported);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_supported = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(gss_host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Check to see if the mechanism is usable before we offer it */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ while (mech < gss_supported->count && !ok) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* My DER encoding requires length<128 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (gss_supported->elements[mech].length < 128 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_check_mechanism(&gssctxt,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- &gss_supported->elements[mech], authctxt->host)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &gss_supported->elements[mech], gss_host,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.gss_client_identity)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ok = 1; /* Mechanism works */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mech++;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(gss_host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!ok)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
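Review bot: the gss_host selection at the top of userauth_gssapi() makes the target name for ssh_gssapi_check_mechanism() depend on a reverse DNS lookup when `options.gss_trust_dns` is set (`gss_host = remote_hostname(active_state)`), so with that option the service principal the client tries to authenticate to is chosen by whoever answers the PTR query; keep the default off and make the manual text for the gss_trust_dns option say so. Two smaller points: all three branches end in `free(gss_host)`, so confirm that remote_hostname() returns heap memory like the two xstrdup() branches, and on gss_indicate_mechs() failure the function returns 0 with the static `mech` index untouched, which is fine only because gss_supported is reset to NULL first, so a comment there would help.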
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -935,6 +1016,54 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(lang);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++userauth_gsskeyex(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct ssh *ssh = active_state; /* XXX */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *b;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc gssbuf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 ms;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ static int attempt = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (attempt++ >= 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss_kex_context == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("No valid Key exchange context");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((b = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "gssapi-keyex");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_mutable_ptr failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.length = sshbuf_len(b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&ms, &mic);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int
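Review bot: in userauth_gsskeyex() the MIC is computed over a buffer built with the literal "gssapi-keyex" (the ssh_gssapi_buildmic() call) while the USERAUTH_REQUEST packet carries `authctxt->method->name`; the server can only verify the MIC if the two strings are identical, so derive both from the same source (pass `authctxt->method->name` to ssh_gssapi_buildmic()) rather than relying on the table entry never being renamed. Minor: after `sshbuf_free(b)` the `gssbuf.value` pointer dangles (unused afterwards, so harmless, but worth a comment), and the `ms` status from gss_release_buffer() is never examined, which matches the rest of the file.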
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshd.c b/sshd.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index ba26287ba..539a000fd 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -123,6 +123,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "version.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef USE_SECURITY_SESSION_API
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <Security/AuthSession.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Re-exec fds */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1810,10 +1814,13 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(fp);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ accumulate_host_timing_secret(cfg, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifndef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* The GSSAPI key exchange can run without a host key */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!sensitive_data.have_ssh2_key) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logit("sshd: no hostkeys available -- exiting.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ exit(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Load certificates. They are stored in an array at identical
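Review bot: wrapping the "no hostkeys available" check in `#ifndef GSSAPI` disables it for every GSSAPI build, not only when GSSAPI key exchange is actually enabled, so a GSSAPI-capable sshd started without host keys and with GSSAPIKeyExchange left at its documented default of no will now start, accept connections and only fail per connection with "No supported key exchange algorithms" in do_ssh2_kex(); a runtime condition such as `if (!sensitive_data.have_ssh2_key && !options.gss_keyex)` keeps the early, clear failure for the common case and still allows key-less operation when gss_keyex is on.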
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2104,6 +2111,60 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rdomain == NULL ? "" : "\"");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(laddr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef USE_SECURITY_SESSION_API
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Create a new security session for use by the new user login if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * the current session is the root session or we are not launched
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * by inetd (eg: debugging mode or server mode). We do not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * necessarily need to create a session if we are launched from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * inetd because Panther xinetd will create a session for us.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * The only case where this logic will fail is if there is an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * inetd running in a non-root session which is not creating
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * new sessions for us. Then all the users will end up in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * same session (bad).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * When the client exits, the session will be destroyed for us
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * automatically.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We must create the session before any credentials are stored
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * (including AFS pags, which happens a few lines below).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OSStatus err = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SecuritySessionId sid = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SessionAttributeBits sattrs = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ err = SessionGetInfo(callerSecuritySession, &sid, &sattrs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (err)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("SessionGetInfo() failed with error %.8X",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (unsigned) err);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Current Session ID is %.8X / Session Attributes are %.8X",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (unsigned) sid, (unsigned) sattrs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (inetd_flag && !(sattrs & sessionIsRoot))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Running in inetd mode in a non-root session... "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "assuming inetd created the session for us.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Creating new security session...");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ err = SessionCreate(0, sessionHasTTY | sessionIsRemote);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (err)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("SessionCreate() failed with error %.8X",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (unsigned) err);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ err = SessionGetInfo(callerSecuritySession, &sid,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &sattrs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (err)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("SessionGetInfo() failed with error %.8X",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (unsigned) err);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("New Session ID is %.8X / Session Attributes are %.8X",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (unsigned) sid, (unsigned) sattrs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * We don't want to listen forever unless the other side
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * successfully authenticates itself. So we set up an alarm which is
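Review bot: in the USE_SECURITY_SESSION_API block a failing SessionCreate() only logs an error and execution continues into the second SessionGetInfo() and on to the user's login, which is exactly the "all the users will end up in the same session (bad)" case the comment above warns about; either make that failure fatal for the connection or state in the comment why continuing is acceptable. The "Panther xinetd" reference in the same comment is badly dated for a 7.9p1 port and could be reworded to describe the inetd-style launcher actually being relied on.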
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2287,6 +2348,48 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ list_hostkey_types());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *orig;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *newstr = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ orig = myproposal[PROPOSAL_KEX_ALGS];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * If we don't have a host key, then there's no point advertising
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * the other key exchange algorithms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ orig = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss = ssh_gssapi_server_mechanisms();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss && orig)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&newstr, "%s,%s", gss, orig);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else if (gss)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ newstr = gss;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else if (orig)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ newstr = orig;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * If we've got GSSAPI mechanisms, then we've got the 'null' host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * key alg, but we can't tell people about it unless its the only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * host key algorithm we support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (newstr)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ myproposal[PROPOSAL_KEX_ALGS] = newstr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("No supported key exchange algorithms");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* start key exchange */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = kex_setup(active_state, myproposal)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("kex_setup: %s", ssh_err(r));
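Review bot: the GSSAPI proposal block in do_ssh2_kex() leaks and mixes allocation kinds: `newstr` from xasprintf() is never freed, `orig` (the previous myproposal[PROPOSAL_KEX_ALGS]) is not freed when both gss and orig are set and it was heap-allocated, and `myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null"` stores a string literal in a slot that otherwise holds the result of compat_pkalg_proposal(), so should anything later free that slot it would be wrong; keep the replaced pointers and free them after kex_setup(), and use xstrdup("null") for consistency. Also fix "unless its the only" to "unless it's the only" in the comment and tidy the mismatched parentheses in `(strlen(...)) == 0`.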
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2304,6 +2407,13 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_C25519_SHA256] = kexc25519_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->server = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->client_version_string=client_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->server_version_string=server_version_string;
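Review bot: the server-side kex table only registers the SHA-1 GSSAPI methods (KEX_GSS_GRP1_SHA1, KEX_GSS_GRP14_SHA1, KEX_GSS_GEX_SHA1), and group1 is a 1024-bit MODP group; since ssh_gssapi_server_mechanisms() is prepended to the KEX proposal in the previous hunk, whatever order it emits decides what gets negotiated ahead of the regular algorithms, so check that group1 comes last or is off by default and that the GSSAPIKeyExchange manual text mentions the SHA-1/group1 limitation.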
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshd_config b/sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 19b7c91a1..2c48105f8 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # GSSAPI options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #GSSAPIAuthentication no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #GSSAPICleanupCredentials yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#GSSAPIStrictAcceptorCheck yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#GSSAPIKeyExchange no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Set this to 'yes' to enable PAM authentication, account processing,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # and session processing. If this is enabled, PAM authentication will
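Review bot: the sample sshd_config gains `#GSSAPIStrictAcceptorCheck yes` and `#GSSAPIKeyExchange no` but not the GSSAPIStoreCredentialsOnRekey option that the sshd_config.5 hunk below documents; add `#GSSAPIStoreCredentialsOnRekey no` here so the sample file and the manual page list the same set of options.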
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshd_config.5 b/sshd_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index c6484370b..985eef5a2 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -648,6 +648,11 @@ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Specifies whether user authentication based on GSSAPI is allowed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Cm GSSAPIKeyExchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++doesn't rely on ssh keys to verify host identity.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Cm GSSAPICleanupCredentials
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Specifies whether to automatically destroy the user's credentials cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ on logout.
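Review bot: the new GSSAPIKeyExchange entry says GSSAPI key exchange "doesn't rely on ssh keys to verify host identity" without saying what it relies on instead; state that the server is authenticated through the GSSAPI credentials established during the key exchange, and that the client must also enable GSSAPI key exchange for the method to be negotiated, otherwise an administrator may read the sentence as "no host authentication at all". "ssh keys" should also be "host keys" to match the rest of the page.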
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -667,6 +672,11 @@ machine's default store.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ This facility is provided to assist with operation on multi homed machines.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Cm yes .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Cm GSSAPIStoreCredentialsOnRekey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Controls whether the user's GSSAPI credentials should be updated following a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++successful connection rekeying. This option can be used to accepted renewed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++or updated credentials from a compatible client. The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Cm HostbasedAcceptedKeyTypes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Specifies the key types that will be accepted for hostbased authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ as a list of comma-separated patterns.
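Review bot: typo in the new GSSAPIStoreCredentialsOnRekey text: "This option can be used to accepted renewed or updated credentials" should read "This option can be used to accept renewed or updated credentials".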
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshkey.c b/sshkey.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 6555c5ef8..a85c185fc 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshkey.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshkey.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -135,6 +135,7 @@ static const struct keytype keytypes[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # endif /* OPENSSL_HAS_NISTP521 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # endif /* OPENSSL_HAS_ECC */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { NULL, NULL, NULL, -1, -1, 0, 0 }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -223,7 +224,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const struct keytype *kt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (kt = keytypes; kt->type != -1; kt++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (kt->name == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (kt->name == NULL || kt->type == KEY_NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ continue;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!include_sigonly && kt->sigonly)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ continue;
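Review bot: skipping KEY_NULL in sshkey_alg_list() keeps "null" out of the advertised and documented key-type lists, but the keytypes entry added in the previous hunk (`{ "null", "null", NULL, KEY_NULL, 0, 0, 0 }`) still lets name-based lookups resolve "null" to a key type, so a configuration that names "null" in a host-key-type list would pass the parser; either filter KEY_NULL in those lookups as well or document that "null" is only meaningful when GSSAPI key exchange supplies host authentication (the do_ssh2_kex() hunk above only advertises it when no real host key algorithm is available).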
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshkey.h b/sshkey.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index f6a007fdf..f54deb0c0 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshkey.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshkey.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -64,6 +64,7 @@ enum sshkey_types {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEY_ED25519_CERT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEY_XMSS,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEY_XMSS_CERT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEY_NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEY_UNSPEC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
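Review bot: KEY_NULL is inserted ahead of KEY_UNSPEC in enum sshkey_types, which changes the numeric value of KEY_UNSPEC. Check whether anything uses KEY_UNSPEC as an upper bound, indexes a table by key type, or stores the raw enum value; if so, the new member either needs to go after KEY_UNSPEC or those users need updating alongside this hunk.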
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/openssh-7.6p1-hpnssh14v13.diff b/net/openssh/files/openssh-7.6p1-hpnssh14v13.diff
</span>deleted file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 8bd7c4d..0000000
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/openssh-7.6p1-hpnssh14v13.diff
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,2255 +0,0 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- /dev/null 1970-01-01 00:00:00.000000000 +0000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/HPN-README 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,130 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Notes:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+MULTI-THREADED CIPHER:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+on hosts with multiple cores to use more than one processing core during encryption.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Tests have show significant throughput performance increases when using MTR-AES-CTR up
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+to and including a full gigabit per second on quad core systems. It should be possible to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+achieve full line rate on dual core systems but OS and data management overhead makes this
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+nomenclature.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Use examples:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh -caes128-ctr you@host.com
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ scp -oCipher=aes256-ctr file you@host.com:~/file
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+NONE CIPHER:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+To use the NONE option you must have the NoneEnabled switch set on the server and
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+be disabled.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The performance increase will only be as good as the network and TCP stack tuning
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+on the reciever side of the connection allows. As a rule of thumb a user will need
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN-SSH home page describes this in greater detail.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+http://www.psc.edu/networking/projects/hpn-ssh
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+BUFFER SIZES:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+If HPN is disabled the receive buffer size will be set to the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+OpenSSH default of 64K.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+If an HPN system connects to a nonHPN system the receive buffer will
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+be set to the HPNBufferSize value. The default is 2MB but user adjustable.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+If an HPN to HPN connection is established a number of different things might
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+happen based on the user options and conditions.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = up to 64MB
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+This is the default state. The HPN buffer size will grow to a maximum of 64MB
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+geared towards 10GigE transcontinental connections.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = TCP receive buffer value.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Users on non-autotuning systems should disable TCPRcvBufPoll in the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_config and sshd_config
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = minimum of TCP receive buffer and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+This would be the system defined TCP receive buffer (RWIN).
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = minimum of TCPRcvBuf and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Generally there is no need to set both.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = grows to HPNBufferSize
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The buffer will grow up to the maximum size specified here.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = minimum of TCPRcvBuf and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Generally there is no need to set both of these, especially on autotuning
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+systems. However, if the users wishes to override the autotuning this would be
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+one way to do it.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = TCPRcvBuf.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+This will override autotuning and set the TCP recieve buffer to the user defined
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+value.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Specific Configuration options
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+TcpRcvBuf=[int]KB client
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ set the TCP socket receive buffer to n Kilobytes. It can be set up to the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+maximum socket size allowed by the system. This is useful in situations where
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+the tcp receive window is set low but the maximum buffer size is set
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+higher (as is typical). This works on a per TCP connection basis. You can also
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+use this to artifically limit the transfer rate of the connection. In these
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Default is the current system wide tcp receive buffer size.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+TcpRcvBufPoll=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ enable of disable the polling of the tcp receive buffer through the life
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+of the connection. You would want to make sure that this option is enabled
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+default is yes.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+NoneEnabled=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ enable or disable the use of the None cipher. Care must always be used
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+when enabling this as it will allow users to send data in the clear. However,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+it is important to note that authentication information remains encrypted
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+even if this option is enabled. Set to no by default.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+NoneSwitch=[yes/no] client
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Switch the encryption cipher being used to the None cipher after
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+authentication takes place. NoneEnabled must be enabled on both the client
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+and server side of the connection. When the connection switches to the NONE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+cipher a warning is sent to STDERR. The connection attempt will fail with an
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+error if a client requests a NoneSwitch from the server that does not explicitly
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+interactive (shell) sessions and it will fail silently. Set to no by default.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPNDisabled=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ In some situations, such as transfers on a local area network, the impact
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+of the HPN code produces a net decrease in performance. In these cases it is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+helpful to disable the HPN functionality. By default HPNDisabled is set to no.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPNBufferSize=[int]KB client/server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ This is the default buffer size the HPN functionality uses when interacting
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+option as applied to the internal SSH flow control. This value can range from
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+problems depending on the length of the network path. The default size of this buffer
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+is 2MB.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ The majority of the actual coding for versions up to HPN12v1 was performed
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (tasota@gmail.com) an NSF REU grant recipient for 2013.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ This work was financed, in part, by Cisco System, Inc., the National
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Library of Medicine, and the National Science Foundation.
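Review bot: the NONE CIPHER section of this removed HPN-README is the only place in the file that states that NoneEnabled plus NoneSwitch send session data in the clear after authentication, that both default to no, and that a warning goes to STDERR when the switch happens. Deleting the file takes that operational caveat away with it; before accepting the removal, confirm those defaults and that warning are documented somewhere users of the port will still see them.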
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/Makefile.in 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/Makefile.in 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -44,7 +44,7 @@ CC=@CC@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- LD=@LD@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- CFLAGS=@CFLAGS@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--LIBS=@LIBS@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+LIBS=@LIBS@ -lpthread
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- K5LIBS=@K5LIBS@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- GSSLIBS=@GSSLIBS@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSHLIBS=@SSHLIBS@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -78,7 +78,7 @@ LIBOPENSSH_OBJS=\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- cipher-ctr.o cleanup.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cipher-ctr.o cipher-ctr-mt.o cleanup.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- compat.o crc32.o fatal.o hostfile.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- log.o match.o moduli.o nchan.o packet.o opacket.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- readpass.o ttymodes.o xmalloc.o addrmatch.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/README 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/README 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1,3 +1,22 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+THE FOLLOWING few lines are message from the developer of hpn-ssh. It is not part
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+of the README file for OpenSSH.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HOWDY ALL! I hate doing this but I realize that I’ve been working on HPN-SSH for
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+almost 13 years now. Initially I was funded by a generous grant from Cisco, the NSF,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+and NIH. That money is long long gone by now and I can only work on HPN-SSH when I
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+have the time. *IF* I can get some donations to the project at
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+http://www.psc.edu/index.php/hpn-ssh it would let me free up more cycles to work on it.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Keep in mind that I don’t get any money from the donations. It all goes to support
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+the work of PSC (see psc.edu). However, if I can get some donations I’d have the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+back up I need to demand time to work on it. Now, that being said, if you want to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+support me directly I do have a wishlist at amazon http://amzn.com/w/34XO95A1A9CJL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+I don’t really expect anyone to buy me things or donate money.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+It’s not why I’ve spent a whole lot of hours working on this.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+I just thought I’d throw it out there.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+----------Original README Follows--------------
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- See https://www.openssh.com/releasenotes.html#7.6p1 for the release notes.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Please read https://www.openssh.com/report.html for bug reporting
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -75,6 +75,8 @@ extern Authmethod method_hostbased;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern Authmethod method_gssapi;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int log_flag = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Authmethod *authmethods[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- &method_none,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- &method_pubkey,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -229,6 +231,11 @@ input_userauth_request(int type, u_int32
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- service = packet_get_cstring(NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- method = packet_get_cstring(NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("userauth-request for user %s service %s method %s", user, service, method);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!log_flag) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_remote_ipaddr(active_state), ssh_remote_port(active_state), user);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ log_flag = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((style = strchr(user, ':')) != NULL)
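Review bot: the removed logit() in input_userauth_request() emitted the HPN-specific record "SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s" on the first userauth request of a connection (gated by the process-wide static log_flag), carrying the client-supplied user name before any authentication has happened. Any log collection or alerting keyed on that exact format stops matching once this file is dropped, so downstream parsers should be checked, and whatever replaces it should keep treating the user field as untrusted input.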
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/channels.c 2017-10-07 06:27:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/channels.c 2017-10-07 06:37:22.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -215,6 +215,9 @@ static int rdynamic_connect_finish(struc
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Setup helper */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static void channel_handler_init(struct ssh_channels *sc);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int hpn_buffer_size = 2 * 1024 * 1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* -- channel core */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -391,6 +394,7 @@ channel_new(struct ssh *ssh, char *ctype
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_window = window;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_window_max = window;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_maxpacket = maxpack;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->dynamic_window = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->remote_name = xstrdup(remote_name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->ctl_chan = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->delayed = 1; /* prevent call to channel_post handler */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -972,13 +976,41 @@ channel_pre_connecting(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- FD_SET(c->sock, writeset);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+channel_tcpwinsz(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int32_t tcpwinsz = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socklen_t optsz = sizeof(tcpwinsz);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ret = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* if we aren't on a socket return 128KB */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!packet_connection_is_on_socket())
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 128 * 1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ret = getsockopt(packet_get_connection_in(),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ tcpwinsz = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_connection_in());
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return tcpwinsz;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_pre_open(struct ssh *ssh, Channel *c,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fd_set *readset, fd_set *writeset)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* check buffer limits */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!c->tcpwinsz || c->dynamic_window > 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->tcpwinsz = channel_tcpwinsz();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int limit = MIN(c->remote_window, 2 * c->tcpwinsz);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (c->istate == CHAN_INPUT_OPEN &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- c->remote_window > 0 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- sshbuf_len(c->input) < c->remote_window &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ limit > 0 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_len(c->input) < limit &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- FD_SET(c->rfd, readset);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (c->ostate == CHAN_OUTPUT_OPEN ||
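</span><p>Review bot: <code>u_int limit = MIN(c-&gt;remote_window, 2 * c-&gt;tcpwinsz);</code> in channel_pre_open() is a mid-block declaration placed after the tcpwinsz refresh, where the surrounding function keeps none, and <code>2 * c-&gt;tcpwinsz</code> is evaluated in u_int with no guard against wrap-around for a large tcpwinsz; declare <code>limit</code> with the function's locals and clamp before doubling, e.g. <code>limit = MIN(c-&gt;remote_window, c-&gt;tcpwinsz &gt; UINT_MAX / 2 ? UINT_MAX : 2 * c-&gt;tcpwinsz);</code>. Since this 14v13 diff is being dropped for the 14v15 version, it is worth confirming the replacement does not carry the same construct.</p><span style='display:block; white-space:pre;background:#ffe0e0;'>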
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2092,10 +2124,17 @@ channel_check_window(struct ssh *ssh, Ch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!c->have_remote_id)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal(":%s: channel %d: no remote id",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- __func__, c->self);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int addition = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* adjust max window size if we are in a dynamic environment */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (c->dynamic_window && c->tcpwinsz > c->local_window_max) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* grow the window somewhat aggressively to maintain pressure */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ addition = 1.5 * (c->tcpwinsz - c->local_window_max);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->local_window_max += addition;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = sshpkt_start(ssh,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (r = sshpkt_send(ssh)) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: channel %i: %s", __func__,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->self, ssh_err(r));
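</span><p>Review bot: <code>addition = 1.5 * (c-&gt;tcpwinsz - c-&gt;local_window_max);</code> silently truncates a double into a u_int, and the result is added to <code>c-&gt;local_window_max</code> and sent as <code>c-&gt;local_consumed + addition</code> in the WINDOW_ADJUST with no upper bound, so a large tcpwinsz can grow the advertised window without limit. Compute the growth in integer arithmetic, <code>(c-&gt;tcpwinsz - c-&gt;local_window_max) * 3 / 2</code>, and cap <code>local_window_max</code> at a defined maximum before sending. The <code>u_int addition = 0;</code> declaration also sits after the <code>fatal()</code> check rather than with the other locals.</p><span style='display:block; white-space:pre;background:#ffe0e0;'>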
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2103,7 +2142,7 @@ channel_check_window(struct ssh *ssh, Ch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug2("channel %d: window %d sent adjust %d",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->self, c->local_window,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_consumed);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- c->local_window += c->local_consumed;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->local_window += c->local_consumed + addition;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_consumed = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 1;
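</span><p>Review bot: the <code>debug2("channel %d: window %d sent adjust %d", ...)</code> call still logs <code>c-&gt;local_consumed</code>, but the adjust actually sent by this function is <code>c-&gt;local_consumed + addition</code>, so the log understates the advertised window whenever the dynamic growth path fires; log the sum. <code>c-&gt;local_window += c-&gt;local_consumed + addition;</code> likewise has no overflow check, so <code>addition</code> needs to be bounded where it is computed so that <code>local_window</code> cannot wrap in u_int.</p><span style='display:block; white-space:pre;background:#ffe0e0;'>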
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3275,6 +3314,14 @@ channel_fwd_bind_addr(const char *listen
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return addr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_disabled = external_hpn_disabled;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_buffer_size = external_hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct Forward *fwd, int *allocated_listen_port,
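</span><p>Review bot: channel_set_hpn() stores <code>external_hpn_buffer_size</code> without validating it, and <code>hpn_buffer_size</code> is later passed straight to channel_new() as the initial window whenever HPN is enabled; the parameter is a signed int while channel_new() takes an unsigned window, so a zero or negative value becomes a zero or enormous window for every listener created afterwards. Reject non-positive sizes here (or fall back to CHAN_TCP_WINDOW_DEFAULT), and add a comment stating the unit and accepted range instead of only echoing the value in <code>debug()</code>.</p><span style='display:block; white-space:pre;background:#ffe0e0;'>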
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3410,8 +3457,10 @@ channel_setup_fwd_listener_tcpip(struct
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Allocate a channel number for the socket. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* explicitly test for hpn disabled option. if true use smaller window size */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "port listener", type, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- 0, "port listener", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->path = xstrdup(host);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->host_port = fwd->connect_port;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4477,7 +4526,9 @@ x11_create_display_inet(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sock = socks[n];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- nc = channel_new(ssh, "x11 listener",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Is this really necassary? */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- 0, "X11 inet listener", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- nc->single_connection = single_connection;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (*chanids)[n] = nc->self;
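</span><p>Review bot: the <code>/* Is this really necassary? */</code> comment (typo aside) leaves an unresolved question in the x11 listener setup, and the <code>hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : hpn_buffer_size</code> selection is now duplicated from channel_setup_fwd_listener_tcpip(); either decide the question and drop the comment, or move the window selection into one small helper so both call sites stay consistent.</p><span style='display:block; white-space:pre;background:#ffe0e0;'>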
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/channels.h 2017-10-07 06:27:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/channels.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -141,8 +141,10 @@ struct Channel {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int local_window_max;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int local_consumed;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int local_maxpacket;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int dynamic_window;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int extended_usage;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int single_connection;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int tcpwinsz;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *ctype; /* type */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
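</span><p>Review bot: the new <code>int dynamic_window;</code> and <code>u_int tcpwinsz;</code> members of struct Channel are added without the trailing comment the neighbouring fields carry (<code>char *ctype; /* type */</code>), and <code>dynamic_window</code> is tested two different ways in channels.c (<code>c-&gt;dynamic_window &gt; 0</code> in channel_pre_open(), <code>c-&gt;dynamic_window &amp;&amp;</code> in channel_check_window()); document both fields and state whether <code>dynamic_window</code> is a flag or a count so the two tests can be made consistent.</p><span style='display:block; white-space:pre;background:#ffe0e0;'>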
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -339,4 +341,7 @@ void chan_rcvd_ieof(struct ssh *, Chann
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void chan_write_failed(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void chan_obuf_empty(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* hpn handler */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void channel_set_hpn(int, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- /dev/null 1970-01-01 00:00:00.000000000 +0000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/cipher-ctr-mt.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,602 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * OpenSSH Multi-threaded AES-CTR Cipher
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Author: Benjamin Bennett <ben@psc.edu>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Author: Mike Tasota <tasota@gmail.com>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Author: Chris Rapier <rapier@psc.edu>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2008-2013 Pittsburgh Supercomputing Center. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Based on original OpenSSH AES-CTR cipher. Small portions remain unchanged,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Permission to use, copy, modify, and distribute this software for any
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * purpose with or without fee is hereby granted, provided that the above
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * copyright notice and this permission notice appear in all copies.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "includes.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if defined(WITH_OPENSSL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <sys/types.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <stdarg.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <string.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <openssl/evp.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "log.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* compatibility with old or broken OpenSSL versions */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "openbsd-compat/openssl-compat.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifndef USE_BUILTIN_RIJNDAEL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <openssl/aes.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <pthread.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*-------------------- TUNABLES --------------------*/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Number of pregen threads to use */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define CIPHER_THREADS 2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Number of keystream queues */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define NUMKQ (CIPHER_THREADS + 2)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Length of a keystream queue */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define KQLEN 4096
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Processor cacheline length */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define CACHELINE_LEN 64
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Collect thread stats and print at cancellation when in debug mode */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* #define CIPHER_THREAD_STATS */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Can the system do unaligned loads natively? */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if defined(__aarch64__) || \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ defined(__i386__) || \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ defined(__powerpc__) || \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ defined(__x86_64__)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define CIPHER_UNALIGNED_OK
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if defined(__SIZEOF_INT128__)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define CIPHER_INT128_OK
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*-------------------- END TUNABLES --------------------*/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+const EVP_CIPHER *evp_aes_ctr_mt(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef CIPHER_THREAD_STATS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Struct to collect thread stats
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+struct thread_stats {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int fills;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int skips;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int waits;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int drains;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Debug print the thread stats
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Use with pthread_cleanup_push for displaying at thread cancellation
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+thread_loop_stats(void *x)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct thread_stats *s = x;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("tid %lu - %u fills, %u skips, %u waits", pthread_self(),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ s->fills, s->skips, s->waits);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_STRUCT(s) struct thread_stats s
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_INIT(s) { memset(&s, 0, sizeof(s)); }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_FILL(s) { s.fills++; }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_SKIP(s) { s.skips++; }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_WAIT(s) { s.waits++; }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_DRAIN(s) { s.drains++; }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_STRUCT(s)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_INIT(s)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_FILL(s)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_SKIP(s)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_WAIT(s)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define STATS_DRAIN(s)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Keystream Queue state */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+enum {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KQINIT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KQEMPTY,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KQFILLING,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KQFULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KQDRAINING
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Keystream Queue struct */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+struct kq {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char keys[KQLEN][AES_BLOCK_SIZE];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char ctr[AES_BLOCK_SIZE];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char pad0[CACHELINE_LEN];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int qstate;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_t lock;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_t cond;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char pad1[CACHELINE_LEN];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Context struct */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+struct ssh_aes_ctr_ctx
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct kq q[NUMKQ];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AES_KEY aes_ctx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ STATS_STRUCT(stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char aes_counter[AES_BLOCK_SIZE];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_t tid[CIPHER_THREADS];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_t tid_lock;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_t stop_lock;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int exit_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int state;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int qidx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ridx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* <friedl>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * increment counter 'ctr',
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * the counter is of size 'len' bytes and stored in network-byte-order.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * (LSB at ctr[len-1], MSB at ctr[0])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_ctr_inc(u_char *ctr, size_t len)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int i;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = len - 1; i >= 0; i--)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (++ctr[i]) /* continue on overflow */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Add num to counter 'ctr'
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_ctr_add(u_char *ctr, uint32_t num, u_int len)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int i;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ uint16_t n;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (n = 0, i = len - 1; i >= 0 && (num || n); i--) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ n = ctr[i] + (num & 0xff) + n;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ num >>= 8;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctr[i] = n & 0xff;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ n >>= 8;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Threads may be cancelled in a pthread_cond_wait, we must free the mutex
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+thread_loop_cleanup(void *x)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_unlock((pthread_mutex_t *)x);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Check if we should exit, we are doing both cancel and exit condition
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * since on OSX threads seem to occasionally fail to notice when they have
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * been cancelled. We want to have a backup to make sure that we won't hang
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * when the main process join()-s the cancelled thread.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+thread_loop_check_exit(struct ssh_aes_ctr_ctx *c)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int exit_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_rdlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ exit_flag = c->exit_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_unlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (exit_flag)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_exit(NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# define thread_loop_check_exit(s)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Helper function to terminate the helper threads
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int i;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* notify threads that they should exit */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_wrlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->exit_flag = TRUE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_unlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Cancel pregen threads */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < CIPHER_THREADS; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cancel(c->tid[i]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < NUMKQ; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_lock(&c->q[i].lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_broadcast(&c->q[i].cond);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_unlock(&c->q[i].lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < CIPHER_THREADS; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_join(c->tid[i], NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * The life of a pregen thread:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Find empty keystream queues and fill them using their counter.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * When done, update counter for the next fill.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+thread_loop(void *x)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AES_KEY key;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ STATS_STRUCT(stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct ssh_aes_ctr_ctx *c = x;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct kq *q;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int i;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int qidx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_t first_tid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Threads stats on cancellation */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ STATS_INIT(stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef CIPHER_THREAD_STATS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cleanup_push(thread_loop_stats, &stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Thread local copy of AES key */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(&key, &c->aes_ctx, sizeof(key));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_rdlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ first_tid = c->tid[0];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_unlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Handle the special case of startup, one thread must fill
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * the first KQ then mark it as draining. Lock held throughout.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (pthread_equal(pthread_self(), first_tid)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ q = &c->q[0];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_lock(&q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (q->qstate == KQINIT) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < KQLEN; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AES_encrypt(q->ctr, q->keys[i], &key);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ q->qstate = KQDRAINING;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ STATS_FILL(stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_broadcast(&q->cond);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_unlock(&q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ STATS_SKIP(stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Normal case is to find empty queues and fill them, skipping over
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * queues already filled by other threads and stopping to wait for
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * a draining queue to become empty.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Multiple threads may be waiting on a draining queue and awoken
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * when empty. The first thread to wake will mark it as filling,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * others will move on to fill, skip, or wait on the next queue.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (qidx = 1;; qidx = (qidx + 1) % NUMKQ) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Check if I was cancelled, also checked in cond_wait */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_testcancel();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Check if we should exit as well */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ thread_loop_check_exit(c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Lock queue and block if its draining */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ q = &c->q[qidx];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_lock(&q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cleanup_push(thread_loop_cleanup, &q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ STATS_WAIT(stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ thread_loop_check_exit(c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_wait(&q->cond, &q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cleanup_pop(0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If filling or full, somebody else got it, skip */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (q->qstate != KQEMPTY) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_unlock(&q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ STATS_SKIP(stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ continue;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Empty, let's fill it.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Queue lock is relinquished while we do this so others
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * can see that it's being filled.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ q->qstate = KQFILLING;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_broadcast(&q->cond);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_unlock(&q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < KQLEN; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AES_encrypt(q->ctr, q->keys[i], &key);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Re-lock, mark full and signal consumer */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_lock(&q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ q->qstate = KQFULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ STATS_FILL(stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_broadcast(&q->cond);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_unlock(&q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef CIPHER_THREAD_STATS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Stats */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cleanup_pop(1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ LIBCRYPTO_EVP_INL_TYPE len)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ typedef union {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef CIPHER_INT128_OK
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ __uint128_t *u128;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ uint64_t *u64;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ uint32_t *u32;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ uint8_t *u8;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const uint8_t *cu8;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ uintptr_t u;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } ptrs_t;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ptrs_t destp, srcp, bufp;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ uintptr_t align;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct ssh_aes_ctr_ctx *c;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct kq *q, *oldq;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ridx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *buf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (len == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ q = &c->q[c->qidx];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ridx = c->ridx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* src already padded to block multiple */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ srcp.cu8 = src;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ destp.u8 = dest;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ while (len > 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buf = q->keys[ridx];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ bufp.u8 = buf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* figure out the alignment on the fly */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef CIPHER_UNALIGNED_OK
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ align = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ align = destp.u | srcp.u | bufp.u;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef CIPHER_INT128_OK
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((align & 0xf) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ destp.u128[0] = srcp.u128[0] ^ bufp.u128[0];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((align & 0x7) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ destp.u64[0] = srcp.u64[0] ^ bufp.u64[0];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ destp.u64[1] = srcp.u64[1] ^ bufp.u64[1];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else if ((align & 0x3) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ destp.u32[0] = srcp.u32[0] ^ bufp.u32[0];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ destp.u32[1] = srcp.u32[1] ^ bufp.u32[1];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ destp.u32[2] = srcp.u32[2] ^ bufp.u32[2];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ destp.u32[3] = srcp.u32[3] ^ bufp.u32[3];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ size_t i;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < AES_BLOCK_SIZE; ++i)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dest[i] = src[i] ^ buf[i];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ destp.u += AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ srcp.u += AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ len -= AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Increment read index, switch queues on rollover */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((ridx = (ridx + 1) % KQLEN) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oldq = q;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Mark next queue draining, may need to wait */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->qidx = (c->qidx + 1) % NUMKQ;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ q = &c->q[c->qidx];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_lock(&q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ while (q->qstate != KQFULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ STATS_WAIT(c->stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_wait(&q->cond, &q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ q->qstate = KQDRAINING;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_broadcast(&q->cond);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_unlock(&q->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Mark consumed queue empty and signal producers */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_lock(&oldq->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oldq->qstate = KQEMPTY;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ STATS_DRAIN(c->stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_broadcast(&oldq->cond);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_unlock(&oldq->lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->ridx = ridx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define HAVE_NONE 0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define HAVE_KEY 1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define HAVE_IV 2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int enc)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct ssh_aes_ctr_ctx *c;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int i;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = xmalloc(sizeof(*c));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_init(&c->tid_lock, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_init(&c->stop_lock, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->exit_flag = FALSE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->state = HAVE_NONE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < NUMKQ; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_init(&c->q[i].lock, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_init(&c->q[i].cond, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ STATS_INIT(c->stats);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ EVP_CIPHER_CTX_set_app_data(ctx, c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (c->state == (HAVE_KEY | HAVE_IV)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* tell the pregen threads to exit */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ stop_and_join_pregen_threads(c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* reset the exit flag */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->exit_flag = FALSE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Start over getting key & iv */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->state = HAVE_NONE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (key != NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &c->aes_ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->state |= HAVE_KEY;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (iv != NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->state |= HAVE_IV;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (c->state == (HAVE_KEY | HAVE_IV)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Clear queues */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->q[0].qstate = KQINIT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 1; i < NUMKQ; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->q[i].qstate = KQEMPTY;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->qidx = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->ridx = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Start threads */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < CIPHER_THREADS; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("spawned a thread");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_wrlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_create(&c->tid[i], NULL, thread_loop, c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_unlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_lock(&c->q[0].lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ while (c->q[0].qstate == KQINIT)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_mutex_unlock(&c->q[0].lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* this function is no longer used but might prove handy in the future
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * this comment also applies to ssh_aes_ctr_thread_reconstruction
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct ssh_aes_ctr_ctx *c;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = EVP_CIPHER_CTX_get_app_data(ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ stop_and_join_pregen_threads(c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct ssh_aes_ctr_ctx *c;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int i;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = EVP_CIPHER_CTX_get_app_data(ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* reconstruct threads */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < CIPHER_THREADS; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("spawned a thread");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_wrlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_create(&c->tid[i], NULL, thread_loop, c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_rwlock_unlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct ssh_aes_ctr_ctx *c;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef CIPHER_THREAD_STATS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("main thread: %u drains, %u waits", c->stats.drains,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->stats.waits);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ stop_and_join_pregen_threads(c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(c, 0, sizeof(*c));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ EVP_CIPHER_CTX_set_app_data(ctx, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* <friedl> */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+const EVP_CIPHER *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+evp_aes_ctr_mt(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ static EVP_CIPHER aes_ctr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ aes_ctr.nid = NID_undef;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ aes_ctr.block_size = AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ aes_ctr.iv_len = AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ aes_ctr.key_len = 16;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ aes_ctr.init = ssh_aes_ctr_init;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ aes_ctr.cleanup = ssh_aes_ctr_cleanup;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ aes_ctr.do_cipher = ssh_aes_ctr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifndef SSH_OLD_EVP
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return &aes_ctr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* defined(WITH_OPENSSL) */
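</span><span style='display:block; white-space:pre-wrap;'>Review bot: ssh_aes_ctr_thread_reconstruction ignores the return value of pthread_create, so a failed spawn leaves c->tid[i] holding garbage that stop_and_join_pregen_threads will later try to join; check the result and fatal() or fall back to the single-threaded EVP. In the same region, ssh_aes_ctr_thread_destroy hands the result of EVP_CIPHER_CTX_get_app_data straight to stop_and_join_pregen_threads, while ssh_aes_ctr_cleanup guards the same pointer against NULL; make the two consistent. evp_aes_ctr_mt also writes nid, block_size, iv_len, key_len, init, cleanup and do_cipher directly into a static EVP_CIPHER and re-memsets it on every call, which assumes a non-opaque EVP_CIPHER and rewrites a struct that live contexts may already share; the 7.9p1 replacement patch should be checked for the same construction (the EVP_CIPHER_meth_* constructors avoid both problems).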
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/cipher.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/cipher.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -52,6 +52,13 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "openbsd-compat/openssl-compat.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* for multi-threaded aes-ctr cipher */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+extern const EVP_CIPHER *evp_aes_ctr_mt(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* no longer needed. replaced by evp pointer swap */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* extern void ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx); */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* extern void ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx); */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct sshcipher_ctx {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int plaintext;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int encrypt;
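</span><span style='display:block; white-space:pre-wrap;'>Review bot: the two commented-out extern prototypes for ssh_aes_ctr_thread_destroy and ssh_aes_ctr_thread_reconstruction are dead code marked "no longer needed", yet the cipher.h hunk below still declares both and cipher-ctr-mt.c still defines them; drop the commented lines and retire the functions (or the header declarations) in one place rather than carrying three copies of an abandoned interface. The extern declaration of evp_aes_ctr_mt also sits outside any #ifdef WITH_OPENSSL while every use of it is inside one; guard it the same way.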
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -80,7 +87,7 @@ struct sshcipher {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--static const struct sshcipher ciphers[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static struct sshcipher ciphers[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
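</span><span style='display:block; white-space:pre-wrap;'>Review bot: dropping const from ciphers[] moves the cipher dispatch table out of read-only data into writable memory purely so that cipher_reset_multithreaded can patch evptype at runtime; that turns a table every sshd process trusts for cipher selection into a target for any stray write. Prefer keeping ciphers[] const and choosing the multithreaded EVP at context-creation time (a flag in sshcipher_ctx or a single mutable function pointer consulted by cipher_init) instead of mutating the shared table.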
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -138,6 +145,29 @@ cipher_alg_list(char sep, int auth_only)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return ret;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* used to get the cipher name so when force rekeying to handle the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * single to multithreaded ctr cipher swap we only rekey when appropriate
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+const char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+cipher_ctx_name(const struct sshcipher_ctx *cc)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return cc->cipher->name;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* in order to get around sandbox and forking issues with a threaded cipher
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * we set the initial pre-auth aes-ctr cipher to the default OpenSSH cipher
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * post auth we set them to the new evp as defined by cipher-ctr-mt
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+cipher_reset_multithreaded(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cipher_by_name("aes128-ctr")->evptype = evp_aes_ctr_mt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cipher_by_name("aes192-ctr")->evptype = evp_aes_ctr_mt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cipher_by_name("aes256-ctr")->evptype = evp_aes_ctr_mt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- cipher_blocksize(const struct sshcipher *c)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
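</span><span style='display:block; white-space:pre-wrap;'>Review bot: cipher_reset_multithreaded dereferences the return of cipher_by_name("aes128-ctr"), "aes192-ctr" and "aes256-ctr" without a NULL check; cipher_by_name returns NULL for an unknown name, so a build that lacks one of those entries, or a future rename, crashes here instead of falling back. The swap is also process-global and one-way: nothing restores the original evptype, and every sshcipher_ctx created afterwards in this process picks up the threaded cipher. The comment explains only why the swap is deferred to post-auth (sandbox and fork); document the global, irreversible effect as well.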
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -187,10 +217,10 @@ cipher_ctx_is_plaintext(struct sshcipher
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return cc->plaintext;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--const struct sshcipher *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+struct sshcipher *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- cipher_by_name(const char *name)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- const struct sshcipher *c;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshcipher *c;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (c = ciphers; c->name != NULL; c++)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (strcmp(c->name, name) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return c;
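</span><span style='display:block; white-space:pre-wrap;'>Review bot: removing const from the return type of cipher_by_name weakens the contract for every caller (the packet.c hunk below already has to drop const on its none pointer just to compile) when only cipher_reset_multithreaded needs a mutable entry. Keep cipher_by_name returning const struct sshcipher * and add a file-static, non-const lookup for the one mutating caller.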
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -212,7 +242,7 @@ ciphers_valid(const char *names)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (p = strsep(&cp, CIPHER_SEP))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = cipher_by_name(p);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (c == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(cipher_list);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
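</span><span style='display:block; white-space:pre-wrap;'>Review bot: deleting (c->flags &amp; CFLAG_INTERNAL) != 0 from ciphers_valid is a security-relevant relaxation: that test is what rejects internal-only cipher entries from a user- or config-supplied Ciphers list, and after this change the only remaining gate on the none cipher is the pre-auth fatal() added in the kex.c hunk below. If the intent is to let none be negotiated after authentication, accept exactly that name, and only when the HPN none-switch option is enabled, rather than admitting every CFLAG_INTERNAL entry unconditionally.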
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/cipher.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/cipher.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -48,7 +48,10 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct sshcipher;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct sshcipher_ctx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--const struct sshcipher *cipher_by_name(const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx); // defined in cipher-ctr-mt.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+struct sshcipher *cipher_by_name(const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const char *cipher_warning_message(const struct sshcipher_ctx *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ciphers_valid(const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *cipher_alg_list(char, int);
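</span><span style='display:block; white-space:pre-wrap;'>Review bot: the two new prototypes use EVP_CIPHER_CTX * in cipher.h with no #ifdef WITH_OPENSSL guard, so a build without OpenSSL (which this header must still serve, given the WITH_OPENSSL blocks in cipher.c) fails on an unknown type; wrap them, or better remove them, since the cipher.c hunk above comments them out as "no longer needed". The // comment is also out of step with the /* */ style used throughout this header.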
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -65,7 +68,9 @@ u_int cipher_seclen(const struct sshcip
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int cipher_authlen(const struct sshcipher *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int cipher_ivlen(const struct sshcipher *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int cipher_is_cbc(const struct sshcipher *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void cipher_reset_multithreaded(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+const char *cipher_ctx_name(const struct sshcipher_ctx *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int cipher_ctx_is_plaintext(struct sshcipher_ctx *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int cipher_get_keyiv(struct sshcipher_ctx *, u_char *, u_int);
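</span><span style='display:block; white-space:pre-wrap;'>Review bot: cipher_reset_multithreaded is declared unconditionally here but defined only under #ifdef WITH_OPENSSL in cipher.c, so any caller in a non-OpenSSL build links against a missing symbol; guard the declaration the same way or provide an empty stub for the non-OpenSSL case.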
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/clientloop.c 2017-10-07 06:27:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/clientloop.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1590,7 +1590,9 @@ client_request_x11(struct ssh *ssh, cons
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "x11",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSH_CHANNEL_X11_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* again is this really necessary for X11? */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->force_drain = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return c;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
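</span><span style='display:block; white-space:pre-wrap;'>Review bot: the comment "again is this really necessary for X11?" leaves an open design question in production code; settle it. The window is the amount the server may push on the channel before the client acknowledges, so raising it to options.hpn_buffer_size for every forwarded X11 channel only increases the client's per-channel buffering unless X11 traffic has been measured to benefit. If there is no measured gain, keep CHAN_TCP_WINDOW_DEFAULT here and delete the comment.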
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1615,7 +1617,8 @@ client_request_agent(struct ssh *ssh, co
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "authentication agent connection",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CHAN_TCP_PACKET_DEFAULT, 0,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "authentication agent connection", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->force_drain = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return c;
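</span><span style='display:block; white-space:pre-wrap;'>Review bot: the agent-forwarding channel carries small request/response messages, so options.hpn_buffer_size as its receive window buys no throughput while allowing the remote side to push that many bytes toward the agent socket before the client withholds window; leave the agent channel at its existing default (CHAN_X11_WINDOW_DEFAULT) regardless of hpn_disabled.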
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1640,7 +1643,8 @@ client_request_tun_fwd(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->datagram = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #if defined(SSH_TUN_FILTER)
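</span><span style='display:block; white-space:pre-wrap;'>Review bot: this is the third copy in clientloop.c of the options.hpn_disabled ? DEFAULT : options.hpn_buffer_size ternary, each with its own default (CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT); factor it into one helper that takes the default so the policy lives in one place. For the tun channel, which is marked c->datagram = 1, state whether the enlarged window is wanted at all, since a datagram channel drops rather than queues when the peer outruns it.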
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/compat.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/compat.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -198,6 +198,13 @@ compat_datafellows(const char *version)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("match: %s pat %s compat 0x%08x",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- version, check[i].pat, check[i].bugs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- datafellows = check[i].bugs; /* XXX for now */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Check to see if the remote side is OpenSSH and not HPN */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strstr(version, "OpenSSH") != NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strstr(version, "hpn") == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ datafellows |= SSH_BUG_LARGEWINDOW;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Remote is NON-HPN aware");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return check[i].bugs;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
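</span><span style='display:block; white-space:pre-wrap;'>Review bot: the outer strstr(version, "OpenSSH") test means a non-OpenSSH peer never receives SSH_BUG_LARGEWINDOW and is therefore treated as HPN-capable, which is the opposite of the safe default implied by the flag's name; set the flag whenever "hpn" is absent and clear it only for a positive match. The flag is also OR'ed only into the global datafellows while the function still returns check[i].bugs, so any caller that uses the return value never sees it; return datafellows (or OR into a local first). Finally, the detection is a case-sensitive substring match over the peer's banner, which is untrusted input, so any peer can opt into large windows by putting "hpn" anywhere in its version string; nothing security-relevant should key off this bit.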
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/compat.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/compat.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -62,6 +62,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_BUG_CURVE25519PAD 0x10000000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_BUG_HOSTKEYS 0x20000000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_BUG_DHGEX_LARGE 0x40000000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH_BUG_LARGEWINDOW 0x80000000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int compat_datafellows(const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int proto_spec(const char *);
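</span><span style='display:block; white-space:pre-wrap;'>Review bot: 0x80000000 is the last free bit in the 32-bit datafellows mask (SSH_BUG_DHGEX_LARGE already occupies 0x40000000), so this allocation collides with the next upstream flag and must be re-checked against compat.h on every rebase, including the 7.9p1 patch that replaces this file. If upstream has taken this value in the meantime, carry the HPN capability in a dedicated field rather than a datafellows bit.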
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -773,6 +773,11 @@ kex_choose_conf(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int nenc, nmac, ncomp;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int mode, ctos, need, dh_need, authlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r, first_kex_follows;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int log_flag = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int auth_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ auth_flag = packet_authentication_state(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("AUTH STATE IS %d", auth_flag);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
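</span><span style='display:block; white-space:pre-wrap;'>Review bot: debug("AUTH STATE IS %d", auth_flag) reads like a leftover development trace; lower-case it to match the surrounding debug2("local %s KEXINIT proposal", ...) style, or drop it, since the same value is printed again in the next hunk ("Requesting NONE. Authflag is %d").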
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -843,11 +848,35 @@ kex_choose_conf(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- peer[ncomp] = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto out;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strcmp(newkeys->enc.name, "none") == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Requesting NONE. Authflag is %d", auth_flag);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (auth_flag == 1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("None requested post authentication.");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Pre-authentication none cipher requests are not allowed.");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("kex: %s cipher: %s MAC: %s compression: %s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ctos ? "client->server" : "server->client",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- newkeys->enc.name,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- authlen == 0 ? newkeys->mac.name : "<implicit>",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- newkeys->comp.name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * client starts with ctos = 0 && log flag = 0 and no log.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 2nd client pass ctos = 1 and flag = 1 so no log.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * server starts with ctos = 1 && log_flag = 0 so log.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 2nd sever pass ctos = 1 && log flag = 1 so no log.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * -cjr
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ctos && !log_flag) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_remote_ipaddr(ssh),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_remote_port(ssh),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ newkeys->enc.name,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authlen == 0 ? newkeys->mac.name : "<implicit>",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ newkeys->comp.name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ log_flag = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- need = dh_need = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (mode = 0; mode < MODE_MAX; mode++) {
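</span><span style='display:block; white-space:pre-wrap;'>Review bot: fatal("Pre-authentication none cipher requests are not allowed.") is the only check that stops an unauthenticated peer from negotiating the none cipher once ciphers_valid no longer filters internal entries, so it should be attributable: include ssh_remote_ipaddr(ssh) and ssh_remote_port(ssh) in that message, as the logit call just below already does, so a pre-auth none attempt shows up with its source in sshd's log. The debug strings "REQUESTED ENC.NAME" and "Requesting NONE" should follow the lower-case convention used elsewhere in kex.c, and the explanatory comment has a typo ("2nd sever pass").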
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/opacket.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/opacket.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -274,13 +274,15 @@ packet_write_wait(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshpkt_fatal(active_state, __func__, r);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_write_poll(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = ssh_packet_write_poll(active_state)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshpkt_fatal(active_state, __func__, r);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void
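</span><span style='display:block; white-space:pre-wrap;'>Review bot: packet_write_poll now returns r, but the line above calls sshpkt_fatal whenever r != 0 and sshpkt_fatal does not return, so the function can only ever return 0 and the new int return type carries no information. Either return the result of ssh_packet_write_poll without the fatal path and let the caller decide, or keep the void signature and drop the matching opacket.h change.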
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/opacket.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/opacket.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -42,7 +42,7 @@ int packet_read_seqnr(u_int32_t *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int packet_read_poll_seqnr(u_int32_t *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void packet_process_incoming(const char *buf, u_int len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void packet_write_wait(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--void packet_write_poll(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int packet_write_poll(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void packet_read_expect(int expected_type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define packet_set_timeout(timeout, count) \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_packet_set_timeout(active_state, (timeout), (count))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/packet.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/packet.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -280,7 +280,7 @@ struct ssh *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct session_state *state;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- const struct sshcipher *none = cipher_by_name("none");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshcipher *none = cipher_by_name("none");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (none == NULL) {
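</span><span style='display:block; white-space:pre-wrap;'>Review bot: this const removal is forced only by the cipher.c change to cipher_by_name's return type; none is never written through here, so it should stay const struct sshcipher *, which also compiles unchanged if cipher_by_name keeps returning const (assigning a non-const pointer to a pointer-to-const is implicit).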
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -914,6 +914,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* this supports the forced rekeying required for the NONE cipher */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int rekey_requested = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+packet_request_rekeying(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ rekey_requested = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* this determines if authentciation has happened as of yet. Needed for
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * NONE cipher switching. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+packet_authentication_state(const struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct session_state *state = ssh->state;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return state->after_authentication;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define MAX_PACKETS (1U<<31)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
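Review bot: `int rekey_requested = 0;` in this hunk has external linkage but is not declared in the packet.h hunk below, which exports only `packet_request_rekeying()` and `packet_authentication_state()`; declare it `static int rekey_requested` so the flag stays private to packet.c and cannot collide with or be set from another translation unit. This file is the 7.6p1 patch being deleted, so the point carries over to whichever of the new 7.9p1 diff's hunks reintroduces the flag.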
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -940,6 +958,13 @@ ssh_packet_need_rekeying(struct ssh *ssh
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (state->p_send.packets == 0 && state->p_read.packets == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* used to force rekeying when called for by the none
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * cipher switch methods -cjr */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (rekey_requested == 1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ rekey_requested = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Time-based rekeying */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (state->rekey_interval != 0 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2666,3 +2691,10 @@ sshpkt_add_padding(struct ssh *ssh, u_ch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh->state->extra_pad = pad;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* need this for the moment for the aes-ctr cipher */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_packet_get_send_context(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return ssh->state->send_context;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/packet.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/packet.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -155,6 +155,10 @@ int ssh_packet_inc_alive_timeouts(struc
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ssh_packet_set_maxsize(struct ssh *, u_int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int ssh_packet_get_maxsize(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* for forced packet rekeying post auth */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void packet_request_rekeying(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int packet_authentication_state(const struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ssh_packet_get_state(struct ssh *, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ssh_packet_set_state(struct ssh *, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -168,6 +172,7 @@ time_t ssh_packet_get_rekey_timeout(str
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void *ssh_packet_get_input(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void *ssh_packet_get_output(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void *ssh_packet_get_send_context(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* new API */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int sshpkt_start(struct ssh *ssh, u_char type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/progressmeter.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/progressmeter.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -69,6 +69,8 @@ static const char *file; /* name of the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static off_t start_pos; /* initial position of transfer */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static off_t end_pos; /* ending position of transfer */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static off_t cur_pos; /* transfer position as of last refresh */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static off_t last_pos;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static off_t max_delta_pos = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static volatile off_t *counter; /* progress counter */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static long stalled; /* how long we have been stalled */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int bytes_per_second; /* current speed in bytes per second */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -128,12 +130,17 @@ refresh_progress_meter(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int hours, minutes, seconds;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int i, len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int file_len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ off_t delta_pos;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- transferred = *counter - (cur_pos ? cur_pos : start_pos);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- cur_pos = *counter;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- now = monotime_double();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- bytes_left = end_pos - cur_pos;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ delta_pos = cur_pos - last_pos;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (delta_pos > max_delta_pos)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ max_delta_pos = delta_pos;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (bytes_left > 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- elapsed = now - last_update;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- else {
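Review bot: `last_pos` is only assigned at the end of refresh_progress_meter() (a later hunk), so on the first refresh `delta_pos = cur_pos - last_pos` is computed against a zero-initialised static rather than `start_pos`; for a transfer that begins at a non-zero offset the first instantaneous reading is inflated and, through `max_delta_pos`, so is the final rate printed once `bytes_left == 0`. Initialise `last_pos` alongside `start_pos` when the meter is started so the first delta covers only bytes moved during this transfer. Also note that `delta_pos` is bytes per refresh, so the "/s" suffix the later hunk appends to it is accurate only if the refresh fires once per second.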
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -158,7 +165,7 @@ refresh_progress_meter(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* filename */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- buf[0] = '\0';
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- file_len = win_size - 35;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ file_len = win_size - 45;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (file_len > 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- len = snprintf(buf, file_len + 1, "\r%s", file);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (len < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -188,6 +195,15 @@ refresh_progress_meter(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (off_t)bytes_per_second);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- strlcat(buf, "/s ", win_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* instantaneous rate */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (bytes_left > 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ format_rate(buf + strlen(buf), win_size - strlen(buf),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ delta_pos);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ format_rate(buf + strlen(buf), win_size - strlen(buf),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ max_delta_pos);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ strlcat(buf, "/s ", win_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* ETA */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!transferred)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- stalled += elapsed;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -224,6 +240,7 @@ refresh_progress_meter(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- last_update = now;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ last_pos = cur_pos;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*ARGSUSED*/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -66,6 +66,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "uidswap.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "myproposal.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Format of the configuration file:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -165,6 +166,9 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oHashKnownHosts,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oTunnel, oTunnelDevice,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oNoneEnabled, oNoneSwitch,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oDisableMTAES,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oVisualHostKey,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -290,6 +294,9 @@ static struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "kexalgorithms", oKexAlgorithms },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "ipqos", oIPQoS },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "requesttty", oRequestTTY },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "noneenabled", oNoneEnabled },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "noneswitch", oNoneSwitch },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "disablemtaes", oDisableMTAES },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "proxyusefdpass", oProxyUseFdpass },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "canonicaldomains", oCanonicalDomains },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -306,6 +313,11 @@ static struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "ignoreunknown", oIgnoreUnknown },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "proxyjump", oProxyJump },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "tcprcvbufpoll", oTcpRcvBufPoll },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "tcprcvbuf", oTcpRcvBuf },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "hpndisabled", oHPNDisabled },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "hpnbuffersize", oHPNBufferSize },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { NULL, oBadOption }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -988,6 +1000,42 @@ parse_time:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->check_host_ip;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oNoneEnabled:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->none_enabled;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oDisableMTAES:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->disable_multithreaded;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * We check to see if the command comes from the command
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * line or not. If it does then enable it otherwise fail.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * NONE should never be a default configuration.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oNoneSwitch:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strcmp(filename, "command-line") == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->none_switch;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("Continuing...");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("NoneSwitch directive found in %.200s.", filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oHPNDisabled:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->hpn_disabled;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oHPNBufferSize:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_int;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oTcpRcvBufPoll:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->tcp_rcv_buf_poll;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case oVerifyHostKeyDNS:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->verify_host_key_dns;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- multistate_ptr = multistate_yesnoask;
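Review bot: only `oNoneSwitch` is gated on `strcmp(filename, "command-line") == 0`; `oNoneEnabled` goes straight to `parse_flag`, so `NoneEnabled yes` can be set from a user or system-wide configuration file even though the comment above the switch case says NONE should never be a default configuration. If the intent is that nothing about the NONE cipher comes from a file, `oNoneEnabled` needs the same gate; otherwise the comment should say that only the switch is restricted. On the rejected path, two `error()` calls plus a `debug()` for one ignored directive is noisy; a single `error()` naming the file and the directive is enough. Since this file is being removed, the check is worth repeating against the 7.9p1 replacement before relying on the gate.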
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1176,6 +1224,10 @@ parse_int:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->connection_attempts;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_int;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oTcpRcvBuf:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->tcp_rcv_buf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_int;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case oCiphers:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- arg = strdelim(&s);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!arg || *arg == '\0')
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1857,6 +1909,13 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ip_qos_interactive = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ip_qos_bulk = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->request_tty = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_switch = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_enabled = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->disable_multithreaded = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_disabled = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf_poll = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->proxy_use_fdpass = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ignored_unknown = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->num_canonical_domains = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2002,6 +2061,32 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->server_alive_interval = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->server_alive_count_max == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->server_alive_count_max = 3;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->none_switch == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_switch = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->none_enabled == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_enabled = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->disable_multithreaded == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->disable_multithreaded = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_disabled == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size > -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* if a user tries to set the size to 0 set it to 1KB */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("User requested buffer larger than 256MB. Request reverted to 256MB");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size *= 1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->tcp_rcv_buf == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->tcp_rcv_buf > -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf *=1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->tcp_rcv_buf_poll == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf_poll = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->control_master == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->control_master = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->control_persist == -1) {
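Review bot: the `HPNBufferSize` clamp in this hunk hard-codes "256MB" in the debug string while the actual limit is `SSHBUF_SIZE_MAX`, so the message will drift if that constant changes; print the value instead, e.g. `debug("HPNBufferSize capped at %d bytes", options->hpn_buffer_size)`. The two branches also differ in unit: the in-range branch scales the KB value with `*= 1024`, while the cap assigns `SSHBUF_SIZE_MAX` in bytes directly, which is correct but deserves a one-line comment since readconf.h describes the field only as "User definable size". `TcpRcvBuf` gets the same KB scaling only for values `> -1`, so a negative value other than -1 passes through unscaled and unrejected.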
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -52,6 +52,10 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int strict_host_key_checking; /* Strict host key checking. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int compression; /* Compress packets in both directions. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int tcp_keep_alive; /* Set SO_KEEPALIVE. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int tcp_rcv_buf; /* user switch to set tcp recv buffer */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int hpn_disabled; /* Switch to disable HPN buffer management */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int hpn_buffer_size; /* User definable size for HPN buffer window */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SyslogFacility log_facility; /* Facility for system logging. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -112,7 +116,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int enable_ssh_keysign;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int64_t rekey_limit;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int none_switch; /* Use none cipher */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int none_enabled; /* Allow none to be used */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int rekey_interval;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int no_host_authentication_for_localhost;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int identities_only;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int server_alive_interval;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sandbox-seccomp-filter.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sandbox-seccomp-filter.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -166,6 +166,9 @@ static const struct sock_filter preauth_
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef __NR_exit_group
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SC_ALLOW(__NR_exit_group),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __NR_getpeername /* not defined on archs that go via socketcall(2) */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SC_ALLOW(__NR_getpeername),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef __NR_getpgid
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SC_ALLOW(__NR_getpgid),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -217,6 +220,9 @@ static const struct sock_filter preauth_
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef __NR_sigprocmask
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SC_ALLOW(__NR_sigprocmask),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __NR_socketcall
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SC_ALLOW(__NR_socketcall),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef __NR_time
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SC_ALLOW(__NR_time),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
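Review bot: the `SC_ALLOW(__NR_socketcall)` rule in the second hunk (`@@ -217,6 +220,9 @@`) admits the whole socketcall multiplexer to the pre-auth sandbox, whereas the first hunk only allows getpeername on architectures with a dedicated syscall; on socketcall architectures that also grants socket, connect, bind, listen and accept before authentication. Restrict it with an argument-matching rule on the subcall number (first argument equal to SYS_GETPEERNAME) so both hunks grant the same capability, and add a comment stating why the pre-auth process needs getpeername at all.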
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/scp.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/scp.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -770,7 +770,7 @@ source(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- off_t i, statbytes;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- size_t amt, nr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int fd = -1, haderr, indx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- char *last, *name, buf[2048], encname[PATH_MAX];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *last, *name, buf[16384], encname[PATH_MAX];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (indx = 0; indx < argc; ++indx) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -943,7 +943,7 @@ sink(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- off_t size, statbytes;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- unsigned long long ull;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int setimes, targisdir, wrerrno = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct timeval tv[2];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define atime tv[0]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c 2017-10-07 06:27:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -57,6 +57,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "auth.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "myproposal.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static void add_listen_addr(ServerOptions *, char *, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static void add_one_listen_addr(ServerOptions *, char *, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -159,6 +160,11 @@ initialize_server_options(ServerOptions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->authorized_principals_file = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->authorized_principals_command = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->authorized_principals_command_user = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_enabled = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->disable_multithreaded = -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf_poll = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_disabled = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ip_qos_interactive = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ip_qos_bulk = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->version_addendum = NULL;
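Review bot: `options->disable_multithreaded = -1,` ends with a comma instead of a semicolon, so the statement is joined to the following assignment by the comma operator; it compiles, but it should read `options->disable_multithreaded = -1;` like the surrounding lines.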
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -192,6 +198,10 @@ void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fill_default_server_options(ServerOptions *options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int i;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* needed for hpn socket tests */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int sock;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int socksizelen = sizeof(int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Portable-specific options */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->use_pam == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -320,6 +330,45 @@ fill_default_server_options(ServerOption
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->permit_tun == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->permit_tun = SSH_TUNMODE_NO;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->none_enabled == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_enabled = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->disable_multithreaded == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->disable_multithreaded = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_disabled == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size == -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* option not explicitly set. Now we have to figure out */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* what value to use */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_disabled == 1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* get the current RCV size and set it to that */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*create a socket but don't connect it */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* we use that the get the rcv socket size */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ close(sock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("HPN Buffer Size: %d", options->hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* we have to do this in case the user sets both values in a contradictory */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* manner. hpn_disabled overrrides hpn_buffer_size*/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_disabled <= 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size *= 1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->ip_qos_interactive == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ip_qos_interactive = IPTOS_LOWDELAY;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->ip_qos_bulk == -1)
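Review bot: the SO_RCVBUF probe in this hunk checks neither the `socket()` nor the `getsockopt()` return value, so on failure it calls `close(-1)` and uses the uninitialized `socksize` as the channel window size; test `sock < 0` and the `getsockopt()` result and fall back to CHAN_SES_WINDOW_DEFAULT instead. `socksizelen` should be declared `socklen_t` rather than `int` to match the `getsockopt()` prototype. The hunk also supplies defaults for none_enabled, disable_multithreaded and hpn_disabled but not for tcp_rcv_buf_poll, which the earlier hunk initializes to -1 and which no servconf.c hunk in this patch resets; since -1 is truthy, `if (options.tcp_rcv_buf_poll && !options.hpn_disabled)` in serverloop.c enables dynamic windows when the option is unset, so add `if (options->tcp_rcv_buf_poll == -1) options->tcp_rcv_buf_poll = 0;` (or 1, whichever default is intended). This is the 7.6p1 patch being dropped, so confirm the replacement 7.9p1 file does not carry the same probe.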
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -398,6 +447,9 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sPasswordAuthentication, sKbdInteractiveAuthentication,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sListenAddress, sAddressFamily,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sPrintMotd, sPrintLastLog, sIgnoreRhosts,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sNoneEnabled,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sDisableMTAES,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -552,6 +604,11 @@ static struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "noneenabled", sNoneEnabled, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "ipqos", sIPQoS, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
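Review bot: `"disableMTAES"` is the only keyword in this table written with capital letters; keyword lookup in servconf.c compares case-insensitively so it still matches, but it should be `"disablemtaes"` for consistency with the other entries.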
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1194,10 +1251,30 @@ process_server_config_line(ServerOptions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *intptr = value;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case sTcpRcvBufPoll:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->tcp_rcv_buf_poll;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case sHPNDisabled:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->hpn_disabled;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case sHPNBufferSize:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_int;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case sIgnoreUserKnownHosts:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->ignore_user_known_hosts;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case sNoneEnabled:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->none_enabled;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case sDisableMTAES:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->disable_multithreaded;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case sHostbasedAuthentication:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->hostbased_authentication;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -173,6 +173,13 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *adm_forced_command;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int use_pam; /* Enable auth via PAM */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int hpn_disabled; /* disable hpn functionality. false by default */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int none_enabled; /* Enable NONE cipher switch */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int disable_multithreaded; /*disable multithreaded aes-ctr cipher */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int permit_tun;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
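Review bot: the comment on `hpn_buffer_size` says "default 3MB", but the defaulting code in this patch sets it to the socket's SO_RCVBUF value when HPN is enabled and to CHAN_SES_WINDOW_DEFAULT when it is disabled, and the value is kilobytes as configured but bytes after defaulting; update the comment to state the actual rule and the unit, since HPNBufferSize is a user-facing option.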
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/serverloop.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/serverloop.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -84,6 +84,9 @@ extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern Authctxt *the_authctxt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern int use_privsep;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static u_long stdin_bytes = 0; /* Number of bytes written to stdin. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static u_long fdout_bytes = 0; /* Number of stdout bytes read from program. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int no_more_sessions = 0; /* Disallow further sessions. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -100,6 +103,20 @@ static volatile sig_atomic_t received_si
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static void server_init_dispatch(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Returns current time in seconds from Jan 1, 1970 with the maximum
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * available resolution.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static double
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+get_current_time(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct timeval tv;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gettimeofday(&tv, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * we write to this pipe if a SIGCHLD is caught in order to avoid
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * the race between select() and child_terminated
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -317,6 +334,7 @@ process_input(struct ssh *ssh, fd_set *r
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Buffer any received data. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_process_incoming(buf, len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fdout_bytes += len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -330,7 +348,7 @@ process_output(fd_set *writeset, int con
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Send any buffered packet data to the client. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (FD_ISSET(connection_out, writeset))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- packet_write_poll();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ stdin_bytes += packet_write_poll();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -365,11 +383,13 @@ void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- server_loop2(struct ssh *ssh, Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fd_set *readset = NULL, *writeset = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ double start_time, total_time;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int max_fd;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int nalloc = 0, connection_in, connection_out;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int64_t rekey_timeout_ms = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("Entering interactive session for SSH2.");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ start_time = get_current_time();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- mysignal(SIGCHLD, sigchld_handler);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- child_terminated = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -426,6 +446,11 @@ server_loop2(struct ssh *ssh, Authctxt *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* free remaining sessions, e.g. remove wtmp entries */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- session_destroy_all(ssh, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ total_time = get_current_time() - start_time;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_remote_ipaddr(active_state), ssh_remote_port(active_state),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fdout_bytes / total_time);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
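Review bot: `stdin_bytes / total_time` and `fdout_bytes / total_time` divide by an elapsed time that is 0.0 for a session ending within the gettimeofday() resolution, which logs inf or nan instead of a rate; guard with `total_time > 0 ? stdin_bytes / total_time : 0`. The logit() call emits this throughput line, including the peer address, at the default log level for every session, so debug() or verbose() would be more appropriate, and since `ssh` is already in scope in server_loop2 it should be passed to ssh_remote_ipaddr()/ssh_remote_port() instead of the global `active_state`.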
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -545,7 +570,8 @@ server_request_tun(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (sock < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto done;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->datagram = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #if defined(SSH_TUN_FILTER)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (mode == SSH_TUNMODE_POINTOPOINT)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -581,6 +607,8 @@ server_request_session(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- 0, "server-session", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf_poll && !options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->dynamic_window = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (session_open(the_authctxt, c->self) != 1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("session open failed, free channel %d", c->self);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_free(ssh, c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/session.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/session.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -223,6 +223,7 @@ auth_input_request_forwarding(struct ssh
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto authsock_err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Allocate a channel for the authentication agent socket. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* this shouldn't matter if its hpn or not - cjr */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- nc = channel_new(ssh, "auth socket",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2111,7 +2112,8 @@ session_set_fds(struct ssh *ssh, Session
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_set_fds(ssh, s->chanid,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fdout, fdin, fderr,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ 1, is_tty,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_disabled ? CHAN_SES_WINDOW_DEFAULT : options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sftp.1 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sftp.1 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -258,7 +258,8 @@ diagnostic messages from
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specify how many requests may be outstanding at any one time.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Increasing this may slightly improve file transfer speed
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- but will increase memory usage.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--The default is 64 outstanding requests.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The default is 256 outstanding requests providing for 8MB
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+of outstanding data with a 32KB buffer.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Fl r
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Recursively copy entire directories when uploading and downloading.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Note that
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sftp.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sftp.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -72,7 +72,7 @@ typedef void EditLine;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "sftp-client.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* File to read commands from */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- FILE* infile;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -899,6 +899,10 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case 'T':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options.request_tty = REQUEST_TTY_NO;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* ensure that the user doesn't try to backdoor a */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* null cipher switch on an interactive session */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* so explicitly disable it no matter what */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.none_switch=0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case 'o':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- line = xstrdup(optarg);
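</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the `-T` case zeroes none_switch to rule out a null-cipher switch on a session without a tty, but command-line flags are processed in order, so a later `-o` on the same command line (the `case 'o'` directly below) could set the option again if the none switch is reachable through `-o`; resetting it once after all options are parsed would be more robust than doing it inside the `-T` case. Style: `options.none_switch=0;` needs spaces around `=` to match the surrounding KNF code.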
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1524,6 +1528,8 @@ control_persist_detach(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- setproctitle("%s [mux]", options.control_path);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+extern const EVP_CIPHER *evp_aes_ctr_mt(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Do fork() after authentication. Used by "ssh -f" */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fork_postauth(void)
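</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the `extern const EVP_CIPHER *evp_aes_ctr_mt(void);` prototype is dropped into ssh.c just before fork_postauth() and is not referenced in any visible hunk; it also names the EVP_CIPHER type outside any WITH_OPENSSL guard, so a build without OpenSSL would not have that typedef in scope. Either move it into the cipher header behind the guard or drop it if nothing in ssh.c calls it.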
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1750,6 +1756,78 @@ ssh_session2_setup(struct ssh *ssh, int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- NULL, fileno(stdin), &command, environ);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+hpn_options_init(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * We need to check to see if what they want to do about buffer
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * sizes here. In a hpn to nonhpn connection we want to limit
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * the window size to something reasonable in case the far side
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * has the large window bug. In hpn to hpn connection we want to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * use the max window size but allow the user to override it
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * lastly if they disabled hpn then use the ssh std window size.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * So why don't we just do a getsockopt() here and set the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * ssh window to that? In the case of a autotuning receive
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * window the window would get stuck at the initial buffer
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * size generally less than 96k. Therefore we need to set the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * maximum ssh window size to the maximum hpn buffer size
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * unless the user has specifically set the tcprcvbufpoll
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * to no. In which case we *can* just set the window to the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * minimum of the hpn buffer size and tcp receive buffer size.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (tty_flag)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size = 2 * 1024 * 1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (datafellows & SSH_BUG_LARGEWINDOW) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("HPN to Non-HPN Connection");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int sock, socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socklen_t socksizelen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf_poll <= 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ close(sock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("socksize %d", socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf > 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Create a socket but don't connect it:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * we use that the get the rcv socket size
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * If they are using the tcp_rcv_buf option,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * attempt to set the buffer size to that.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socksizelen = sizeof(options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &options.tcp_rcv_buf, socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ close(sock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("socksize %d", socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* open new channel for a session */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_session2_open(struct ssh *ssh)
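</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: hpn_options_init() never checks the return value of socket(), getsockopt() or setsockopt(); if socket() fails, `socksize` is read uninitialized and stored in options.hpn_buffer_size, which the next hunk passes as the session channel window. Initialize socksize, check each call and fall back to the default set at the top of the function on error. The inner `if (options.tcp_rcv_buf)` is redundant inside the `if (options.tcp_rcv_buf > 0)` branch; the comment "we use that the get the rcv socket size" should read "to get"; and the leading comment promises the minimum of the HPN buffer size and the TCP receive buffer when polling is off, while the code assigns the socket size outright, so one of the two should be corrected.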
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1776,9 +1854,11 @@ ssh_session2_open(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!isatty(err))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- set_nonblock(err);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- window = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ window = options.hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packetmax = CHAN_SES_PACKET_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (tty_flag) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ window = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- window >>= 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packetmax >>= 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
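</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: `window = options.hpn_buffer_size;` is applied unconditionally here, while the hunk at the top of this section selects `options.hpn_disabled ? CHAN_SES_WINDOW_DEFAULT : options.hpn_buffer_size`; hpn_options_init() does not consult hpn_disabled when computing hpn_buffer_size, so with HPN disabled the session channel would still advertise the HPN window. Use the same conditional here. The `if (tty_flag)` branch resetting window to CHAN_SES_WINDOW_DEFAULT duplicates the tty_flag check already made in hpn_options_init(), so one of the two can go.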
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1787,6 +1867,10 @@ ssh_session2_open(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- window, packetmax, CHAN_EXTENDED_WRITE,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "client-session", /*nonblock*/0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->dynamic_window = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Enabled Dynamic Window Scaling");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug3("%s: channel_new: %d", __func__, c->self);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_send_open(ssh, c->self);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1802,6 +1886,13 @@ ssh_session2(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int id = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * We need to initialize this early because the forwarding logic below
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * might open channels that use the hpn buffer sizes. We can't send a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * window of -1 (the default) to the server as it breaks things.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_options_init();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* XXX should be pre-session */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!options.control_persist)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_init_stdio_forwarding(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshbuf.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshbuf.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -28,7 +28,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # endif /* OPENSSL_HAS_ECC */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--#define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSHBUF_SIZE_MAX 0xF000000 /* Hard maximum size 256MB */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */
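</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the comment on the new SSHBUF_SIZE_MAX is wrong: 0xF000000 is 240 MiB, not 256 MiB (256 MiB would be 0x10000000); fix either the value or the comment. Since this constant is the hard cap on how large any sshbuf may grow, raising it from 128 MiB widens the per-connection memory a remote peer can cause to be allocated before the limit is reached, which deserves a sentence in the patch description.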
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -271,6 +271,30 @@ ssh_kill_proxy_command(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Set TCP receive buffer if requested.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Note: tuning needs to happen after the socket is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * created but before the connection happens
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * so winscale is negotiated properly -cjr
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_set_socket_recvbuf(int sock)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ void *buf = (void *)&options.tcp_rcv_buf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int sz = sizeof(options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int socksizelen = sizeof(int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("Couldn't set socket receive buffer to %d: %.100s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.tcp_rcv_buf, strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Creates a (possibly privileged) socket for use as the ssh connection.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
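</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: `socksizelen` is declared `int`, but getsockopt() takes a `socklen_t *`, which warns or fails where the two types differ; declare it socklen_t. The getsockopt() return value is unchecked, so on failure `socksize` is printed uninitialized, and the debug line reports `strerror(errno)` right after a successful setsockopt(), where errno is stale and misleading. Check the getsockopt() result and drop strerror() from the success path.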
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -286,6 +310,9 @@ ssh_create_socket(int privileged, struct
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fcntl(sock, F_SETFD, FD_CLOEXEC);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf > 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_set_socket_recvbuf(sock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Bind the socket to an alternative local IP address */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.bind_address == NULL && !privileged)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return sock;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -517,7 +544,7 @@ send_client_banner(int connection_out, i
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Send our own protocol version identification. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (atomicio(vwrite, connection_out, client_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- strlen(client_version_string)) != strlen(client_version_string))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("write: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect2.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect2.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -83,6 +83,13 @@ extern char *server_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern Options options;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * tty_flag is set in ssh.c. Use this in ssh_userauth2:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * if it is set, then prevent the switch to the null cipher.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+extern int tty_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * SSH2 key exchange
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -154,6 +161,8 @@ order_hostkeyalgs(char *host, struct soc
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return ret;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static char *myproposal[PROPOSAL_MAX];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
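</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: `myproposal_default` is an array of `const char *` copied with memcpy into `myproposal`, an array of `char *`, which silently discards the const qualifier; unless kex_prop2buf() requires a non-const array, keeping `const char *` on both would preserve the compiler's checks. The same memcpy is repeated in ssh_kex2() and again in ssh_userauth2() below, so a small helper that resets the proposal would avoid the duplication, and `memcpy(myproposal, myproposal_default, sizeof(myproposal))` reads more naturally than taking the address of the arrays.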
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -162,6 +171,8 @@ ssh_kex2(char *host, struct sockaddr *ho
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct kex *kex;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xxx_host = host;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xxx_hostaddr = hostaddr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -409,6 +420,47 @@ ssh_userauth2(const char *local_user, co
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!authctxt.success)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("Authentication failed.");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * If the user wants to use the none cipher, do it post authentication
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * and only if the right conditions are met -- both of the NONE commands
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * must be true and there must be no tty allocated.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((options.none_switch == 1) && (options.none_enabled == 1)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!tty_flag) { /* no null on tty sessions */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Requesting none rekeying...");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex_prop2buf(active_state->kex->my, myproposal);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* requested NONE cipher when in a tty */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Cannot switch to NONE cipher with tty allocated");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.disable_multithreaded == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * so the initial aes-ctr is defined to point to the original single process
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * evp. After authentication we'll be past the fork and the sandboxed privsep
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * so we repoint the define to the multithreaded evp. To start the threads we
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * then force a rekey
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const void *cc = ssh_packet_get_send_context(active_state);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* only do this for the ctr cipher. otherwise gcm mode breaks. Don't know why though */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strstr(cipher_ctx_name(cc), "ctr")) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Single to Multithread CTR cipher swap - client request");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cipher_reset_multithreaded();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("Authentication succeeded (%s).", authctxt.method->name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
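</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the post-authentication none switch replaces only the PROPOSAL_ENC_ALGS_* entries, so the MAC is still negotiated and the session keeps integrity protection while losing confidentiality; the comment should state that, and the `WARNING: ENABLED NONE CIPHER` notice should also go through logit() rather than stderr alone so it survives a redirected stderr and appears in logs. The warning is printed before the rekey completes, so if the server declines the "none" proposal the user has been told the cipher is enabled when it is not. In the WITH_OPENSSL block, the comment "otherwise gcm mode breaks. Don't know why though" records an unexplained failure on a cipher-swap path; the root cause should be understood, and the swap restricted to the aes-ctr ciphers by exact name rather than a `strstr(..., "ctr")` substring match, before this ships.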
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char remote_version[256]; /* Must be at least as big as buf. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *options.version_addendum == '\0' ? "" : " ",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options.version_addendum);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -422,6 +422,9 @@ sshd_exchange_identification(struct ssh
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("Client protocol version %d.%d; client software version %.100s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- remote_major, remote_minor, remote_version);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ remote_major, remote_minor, remote_version);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh->compat = compat_datafellows(remote_version);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1026,6 +1029,8 @@ server_listen(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ret, listen_sock, on = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct addrinfo *ai;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char ntop[NI_MAXHOST], strport[NI_MAXSERV];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int socksizelen = sizeof(int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1071,6 +1076,11 @@ server_listen(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("Bind to port %s on %s.", strport, ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Server TCP RWIN socket size: %d", socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("HPN Buffer Size: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Bind the socket to the desired port. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- error("Bind to port %s on %s failed: %.200s.",
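Review bot: `socksizelen` is declared `int` but the last argument of `getsockopt(2)` is a `socklen_t *`, and the return value is never checked, so a failed call leaves `socksize` uninitialized before `debug("Server TCP RWIN socket size: %d", socksize)` logs it. Since this 7.6p1 file is being dropped, the point to carry forward is to check that the replacement 7.9p1 patch declares `socklen_t socksizelen = sizeof(socksize);` and only logs the value when `getsockopt()` returns 0.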
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1595,6 +1605,13 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Fill in default values for those options not explicitly set. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fill_default_server_options(&options);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.none_enabled == 1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *old_ciphers = options.ciphers;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&options.ciphers, "%s,none", old_ciphers);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(old_ciphers);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* challenge-response is implemented via keyboard interactive */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.challenge_response_authentication)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options.kbd_interactive_authentication = 1;
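Review bot: appending `,none` to `options.ciphers` places the none cipher in the list sshd advertises in its KEXINIT on every connection whenever `NoneEnabled` is yes, so a client could propose `none` for the initial key exchange, before authentication; the HPN-README in the new file states that authentication information stays encrypted and that the switch happens after authentication, so the initial exchange has to reject `none` somewhere outside this hunk. For the 7.9p1 replacement, confirm that guard exists and that `sshd -T` lists the extra cipher so administrators can audit what is actually advertised.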
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1994,6 +2011,9 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- remote_ip, remote_port, laddr, ssh_local_port(ssh));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(laddr);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* set the HPN options for the child */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * We don't want to listen forever unless the other side
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * successfully authenticates itself. So we set up an alarm which is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2093,6 +2113,26 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- notify_hostkeys(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Start session. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.disable_multithreaded == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * so the initial aes-ctr is defined to point ot the original single process
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * evp. After authentication we'll be past the fork and the sandboxed privsep
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * so we repoint the define to the multithreaded evp. To start the threads we
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * then force a rekey
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const void *cc = ssh_packet_get_send_context(active_state);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* only rekey if necessary. If we don't do this gcm mode cipher breaks */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strstr(cipher_ctx_name(cc), "ctr")) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Single to Multithreaded CTR cipher swap - server request");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cipher_reset_multithreaded();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- do_authenticated(ssh, authctxt);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* The connection has been terminated. */
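Review bot: the multithreaded-cipher swap is selected by `strstr(cipher_ctx_name(cc), "ctr")`, a substring match on the negotiated cipher name, and the matching client-side hunk above says outright that GCM breaks for reasons not understood; with `disable_multithreaded` at its default this forces a rekey on every CTR session right after authentication. When verifying the 7.9p1 replacement, check whether the swap is still chosen by substring match and whether `disable_multithreaded` remains the only way to avoid the forced post-authentication rekey.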
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2156,6 +2196,9 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct kex *kex;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.none_enabled == 1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("WARNING: None cipher enabled");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options.kex_algorithms);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
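Review bot: `debug("WARNING: None cipher enabled")` is only emitted at `LogLevel DEBUG`, so a server running with the unencrypted cipher option enabled leaves no trace in the default INFO log; `logit()`, which the client-version line in the `sshd_exchange_identification()` hunk above already uses, would make the condition visible to administrators and log monitoring. Worth checking whether the 7.9p1 patch keeps this at debug level.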
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -110,6 +110,19 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # override default of no subsystems
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Subsystem sftp /usr/libexec/sftp-server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# the following are HPN related configuration options
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# tcp receive buffer polling. disable in non autotuning kernels
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#TcpRcvBufPoll yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# disable hpn performance boosts
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#HPNDisabled no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# buffer size for hpn to non-hpn connections
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#HPNBufferSize 2048
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# allow the use of the none cipher
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#NoneEnabled no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Example of overriding settings on a per-user basis
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #Match User anoncvs
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # X11Forwarding no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/version.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/version.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3,4 +3,5 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_VERSION "OpenSSH_7.6"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_PORTABLE "p1"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH_HPN "-hpn14v12"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
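Review bot: `SSH_HPN "-hpn14v12"` does not match the name of the file this hunk belongs to, `openssh-7.6p1-hpnssh14v13.diff`, and because the `sshd_exchange_identification()` hunk switches the banner from `SSH_VERSION` to `SSH_RELEASE`, this string is what every peer and every banner-parsing log tool sees. Check that the replacement `openssh-7.9p1-hpnssh14v15.diff` sets `SSH_HPN` to a value consistent with its own name.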
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/openssh-7.9p1-hpnssh14v15.diff b/net/openssh/files/openssh-7.9p1-hpnssh14v15.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..2fae049
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/openssh-7.9p1-hpnssh14v15.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,1310 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff -urN -x configure -x config.guess -x config.h.in -x config.sub openssh-6.8p1/HPN-README openssh-6.8p1/HPN-README
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-6.8p1/HPN-README 1969-12-31 18:00:00.000000000 -0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-6.8p1/HPN-README 2015-04-01 22:16:49.869215000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,129 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++MULTI-THREADED CIPHER:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++on hosts with multiple cores to use more than one processing core during encryption.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Tests have show significant throughput performance increases when using MTR-AES-CTR up
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++to and including a full gigabit per second on quad core systems. It should be possible to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++achieve full line rate on dual core systems but OS and data management overhead makes this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++nomenclature.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Use examples: ssh -caes128-ctr you@host.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ scp -oCipher=aes256-ctr file you@host.com:~/file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++NONE CIPHER:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++To use the NONE option you must have the NoneEnabled switch set on the server and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++be disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The performance increase will only be as good as the network and TCP stack tuning
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++on the reciever side of the connection allows. As a rule of thumb a user will need
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN-SSH home page describes this in greater detail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++http://www.psc.edu/networking/projects/hpn-ssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++BUFFER SIZES:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If HPN is disabled the receive buffer size will be set to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++OpenSSH default of 64K.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If an HPN system connects to a nonHPN system the receive buffer will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++be set to the HPNBufferSize value. The default is 2MB but user adjustable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If an HPN to HPN connection is established a number of different things might
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++happen based on the user options and conditions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = up to 64MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++This is the default state. The HPN buffer size will grow to a maximum of 64MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++geared towards 10GigE transcontinental connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = TCP receive buffer value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Users on non-autotuning systesm should disable TCPRcvBufPoll in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_cofig and sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++This would be the system defined TCP receive buffer (RWIN).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Generally there is no need to set both.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = grows to HPNBufferSize
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The buffer will grow up to the maximum size specified here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Generally there is no need to set both of these, especially on autotuning
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++systems. However, if the users wishes to override the autotuning this would be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++one way to do it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = TCPRcvBuf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++This will override autotuning and set the TCP recieve buffer to the user defined
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Specific Configuration options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++TcpRcvBuf=[int]KB client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ set the TCP socket receive buffer to n Kilobytes. It can be set up to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++maximum socket size allowed by the system. This is useful in situations where
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++the tcp receive window is set low but the maximum buffer size is set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++higher (as is typical). This works on a per TCP connection basis. You can also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++use this to artifically limit the transfer rate of the connection. In these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Default is the current system wide tcp receive buffer size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++TcpRcvBufPoll=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ enable of disable the polling of the tcp receive buffer through the life
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++of the connection. You would want to make sure that this option is enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++default is yes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++NoneEnabled=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ enable or disable the use of the None cipher. Care must always be used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++when enabling this as it will allow users to send data in the clear. However,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++it is important to note that authentication information remains encrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++even if this option is enabled. Set to no by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++NoneSwitch=[yes/no] client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Switch the encryption cipher being used to the None cipher after
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++authentication takes place. NoneEnabled must be enabled on both the client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++and server side of the connection. When the connection switches to the NONE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cipher a warning is sent to STDERR. The connection attempt will fail with an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++error if a client requests a NoneSwitch from the server that does not explicitly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++interactive (shell) sessions and it will fail silently. Set to no by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPNDisabled=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ In some situations, such as transfers on a local area network, the impact
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++of the HPN code produces a net decrease in performance. In these cases it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++helpful to disable the HPN functionality. By default HPNDisabled is set to no.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPNBufferSize=[int]KB client/server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ This is the default buffer size the HPN functionality uses when interacting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++option as applied to the internal SSH flow control. This value can range from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++problems depending on the length of the network path. The default size of this buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++is 2MB.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ The majority of the actual coding for versions up to HPN12v1 was performed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (tasota@gmail.com) an NSF REU grant recipient for 2013.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ This work was financed, in part, by Cisco System, Inc., the National
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Library of Medicine, and the National Science Foundation.
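Review bot: the HPN-README hunk is the `openssh-6.8p1` text dated 2015, while the `channels.c` hunk that follows is against `openssh-7.7p1` and the file is named for 7.9p1, so the user-facing documentation and the code in this patch come from different HPN releases. The buffer-size defaults do agree (README: 2MB default, 1-65536 KB range; `channels.c`: `hpn_buffer_size = 2 * 1024 * 1024`), but behavioural statements such as the NONE cipher being disabled when a tty is spawned should be verified against the 7.9p1 hunks rather than taken from this README. It also carries several typos (`reciever`, `systesm`, `ssh_cofig`, `minmum`, `artifically`, `enable of disable`) worth fixing if the port ever installs it as documentation.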
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/channels.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/channels.c 2018-06-27 16:37:07.663857000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -215,6 +215,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Setup helper */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static void channel_handler_init(struct ssh_channels *sc);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int hpn_buffer_size = 2 * 1024 * 1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* -- channel core */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -391,6 +397,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_window = window;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_window_max = window;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_maxpacket = maxpack;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->dynamic_window = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->remote_name = xstrdup(remote_name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->ctl_chan = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->delayed = 1; /* prevent call to channel_post handler */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -977,6 +986,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ FD_SET(c->sock, writeset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++channel_tcpwinsz(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int32_t tcpwinsz = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socklen_t optsz = sizeof(tcpwinsz);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int ret = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if we aren't on a socket return 128KB */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!packet_connection_is_on_socket())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 128 * 1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ret = getsockopt(packet_get_connection_in(),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ tcpwinsz = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("tcpwinsz: tcp connection %d, Receive window: %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_get_connection_in(), tcpwinsz);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return tcpwinsz;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_pre_open(struct ssh *ssh, Channel *c,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fd_set *readset, fd_set *writeset)
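</span><span style='display:block;color:#404040;'>Review bot: the getsockopt failure path in channel_tcpwinsz returns 0 without saying why, and the debug2 format uses %d for the u_int32_t tcpwinsz. When the SO_RCVBUF query fails the function should at least debug the errno instead of silently returning 0 (the caller in channel_check_window then just sees a window it will never grow), the format should be %u, and a comment that SO_RCVBUF is read as an int on the platforms this targets would explain why optsz == sizeof(tcpwinsz) is safe here.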
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2074,21 +2107,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_maxpacket*3) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_window < c->local_window_max/2) &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_consumed > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int addition = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int32_t tcpwinsz = channel_tcpwinsz();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* adjust max window size if we are in a dynamic environment */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* grow the window somewhat aggressively to maintain pressure */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ addition = 1.5 * (tcpwinsz - c->local_window_max);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->local_window_max += addition;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!c->have_remote_id)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal(":%s: channel %d: no remote id",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ __func__, c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = sshpkt_start(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (r = sshpkt_send(ssh)) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: channel %i: %s", __func__,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->self, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug2("channel %d: window %d sent adjust %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->self, c->local_window,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- c->local_consumed);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- c->local_window += c->local_consumed;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->local_consumed + addition);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->local_window += c->local_consumed + addition;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_consumed = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 1;
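</span><span style='display:block;color:#404040;'>Review bot: the window growth in channel_check_window commits the receiver to buffering an extra 1.5 * (tcpwinsz - local_window_max) bytes per channel, and the only ceiling is the SSHBUF_SIZE_MAX clamp inside channel_tcpwinsz, so a session with many channels can hold many multiples of the socket receive buffer in memory. Bound `addition` so that `c->local_window_max` never exceeds an explicit maximum (hpn_buffer_size or a dedicated cap), and compute it in integer arithmetic, e.g. `addition = (tcpwinsz - c->local_window_max) * 3 / 2;`, rather than through a double that is implicitly truncated into a u_int; the debug() call should also use %u for both unsigned values.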
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3258,6 +3302,17 @@ channel_fwd_bind_addr(const char *listen_addr, int *wi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return addr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_disabled = external_hpn_disabled;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_buffer_size = external_hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct Forward *fwd, int *allocated_listen_port,
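</span><span style='display:block;color:#404040;'>Review bot: channel_set_hpn stores external_hpn_buffer_size with no range check, yet the value is later passed straight to channel_new as the channel window, so a zero or negative value from the option parser becomes a zero or wrapped window. Clamp it here (for example fatal on values below CHAN_TCP_WINDOW_DEFAULT or above SSHBUF_SIZE_MAX) so that the config parser is not the only line of defence, and mention the accepted range in the debug() line.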
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3398,6 +3453,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Allocate a channel number for the socket. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * explicitly test for hpn disabled option. if true use smaller
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * window size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!hpn_disabled)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c = channel_new(ssh, "port listener", type, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 0, "port listener", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "port listener", type, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 0, "port listener", 1);
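</span><span style='display:block;color:#404040;'>Review bot: the #ifdef'd channel_new call in channel_setup_fwd_listener_tcpip duplicates the whole upstream call with only the window argument changed, and the same pattern is repeated for the x11, agent and tun channels below, so the two copies will drift apart the next time upstream touches the call. A single call whose window argument is `hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : hpn_buffer_size` (with a small macro that collapses to the default in non-HPN builds) keeps one call site per channel type.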
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4457,6 +4523,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (n = 0; n < num_socks; n++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sock = socks[n];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!hpn_disabled)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ nc = channel_new(ssh, "x11 listener",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 0, "X11 inet listener", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ nc = channel_new(ssh, "x11 listener",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/channels.h 2018-06-27 16:38:40.766588000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -143,6 +143,9 @@ struct Channel {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int local_maxpacket;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int extended_usage;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int single_connection;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int dynamic_window;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *ctype; /* type */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -335,5 +338,10 @@ void chan_ibuf_empty(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void chan_rcvd_ieof(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void chan_write_failed(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void chan_obuf_empty(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* hpn handler */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void channel_set_hpn(int, int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/cipher.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/cipher.c 2018-06-27 16:55:43.165788000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -212,7 +212,12 @@ ciphers_valid(const char *names)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (p = strsep(&cp, CIPHER_SEP))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = cipher_by_name(p);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (c->flags & CFLAG_NONE) != 0)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(cipher_list);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
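</span><span style='display:block;color:#404040;'>Review bot: the rewritten check in ciphers_valid rejects a cipher only when CFLAG_INTERNAL and CFLAG_NONE are both set, so whether `Ciphers none` is now accepted depends entirely on how those two flags are defined for the none entry, which this patch does not touch; if CFLAG_INTERNAL is merely an alias for CFLAG_NONE in this tree, the hunk is a no-op. Please state the intended outcome in a comment and add a regression test that `none` is accepted in a cipher list only when NONE_CIPHER_ENABLED is defined and rejected otherwise, since this validation is what keeps `none` out of a mistyped Ciphers line.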
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sock = x11_connect_display(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (sock < 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* again is this really necessary for X11? */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c = channel_new(ssh, "x11",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "x11",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
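</span><span style='display:block;color:#404040;'>Review bot: the comment `/* again is this really necessary for X11? */` in client_request_x11 merges an unresolved question into the tree. Either drop the HPN-sized window for X11 channels (interactive X11 traffic gains nothing from a multi-megabyte window) or replace the comment with the reason the larger window is kept; a question mark in a comment is not a decision.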
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c = channel_new(ssh, "authentication agent connection",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "authentication agent connection", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "authentication agent connection",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("Tunnel forwarding using interface %s", ifname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->datagram = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-6.8p1/compat.c 2015-04-03 16:39:57.665699000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -177,6 +177,14 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("match: %s pat %s compat 0x%08x",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ version, check[i].pat, check[i].bugs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ datafellows = check[i].bugs; /* XXX for now */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Check to see if the remote side is OpenSSH and not HPN */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strstr(version,"OpenSSH") != NULL &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ strstr(version,"hpn") == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ datafellows |= SSH_BUG_LARGEWINDOW;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Remote is NON-HPN aware");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return check[i].bugs;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
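</span><span style='display:block;color:#404040;'>Review bot: SSH_BUG_LARGEWINDOW is OR'd into the global datafellows but the function still ends with `return check[i].bugs;`, so a caller that uses the return value instead of the global never sees the flag; return datafellows (or OR the flag into the value being returned) so the two agree. Note also that the `strstr(version,"hpn")` test runs on the peer's unauthenticated version banner, so it is only a compatibility hint: a peer can claim to be HPN-aware, and the memory bounds on window growth must not depend on this flag.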
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh/compat.h 2015-06-02 09:55:04.208681000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -62,6 +62,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_BUG_CURVE25519PAD 0x10000000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_BUG_HOSTKEYS 0x20000000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_BUG_DHGEX_LARGE 0x40000000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH_BUG_LARGEWINDOW 0x80000000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void enable_compat13(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void enable_compat20(void);
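</span><span style='display:block;color:#404040;'>Review bot: `0x80000000` is the last free bit of the 32-bit datafellows mask, and as a literal it does not fit in a signed int, so if datafellows is an int the `|=` sets its sign bit. Bitwise tests still work, but the value will collide with the next flag upstream adds; add a comment marking the bit as reserved by the HPN patch so the conflict is noticed on the next rebase rather than silently merging two meanings.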
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-6.8p1/configure.ac 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-6.8p1/configure.ac 2015-04-03 16:36:28.916502000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4238,6 +4238,25 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ) # maildir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#check whether user wants HPN support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN_MSG="no"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++AC_ARG_WITH(hpn,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [ --with-hpn Enable HPN support],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [ if test "x$withval" != "xno" ; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ HPN_MSG="yes"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fi ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#check whether user wants NONECIPHER support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++NONECIPHER_MSG="no"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++AC_ARG_WITH(nonecipher,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [ --with-nonecipher Enable NONECIPHER support],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [ if test "x$withval" != "xno" ; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want NONECIPHER support.])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NONECIPHER_MSG="yes"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fi ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ disable_ptmx_check=yes
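</span><span style='display:block;color:#404040;'>Review bot: the `--with-nonecipher` help text only says "Enable NONECIPHER support", which hides what is being switched on; it should say that the option allows the transport to run without encryption after authentication, so that a packager does not enable it by accident. Both AC_ARG_WITH blocks should also use AS_HELP_STRING([--with-hpn], [...]) so the options align in ./configure --help; defaulting both to "no" is the right choice and should stay.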
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4905,6 +4924,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ echo " BSD Auth support: $BSD_AUTH_MSG"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ echo " Random number source: $RAND_MSG"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ echo " Privsep sandbox style: $SANDBOX_STYLE"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++echo " HPN support: $HPN_MSG"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++echo " NONECIPHER support: $NONECIPHER_MSG"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ echo ""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.2p1/kex.c.orig 2016-02-25 19:40:04.000000000 -0800
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.2p1/kex.c 2016-02-29 08:02:25.565288000 -0800
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -822,6 +822,20 @@ kex_choose_conf(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ peer[ncomp] = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strcmp(newkeys->enc.name, "none") == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int auth_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ auth_flag = ssh_packet_authentication_state(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Requesting NONE. Authflag is %d", auth_flag);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (auth_flag == 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("None requested post authentication.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Pre-authentication none cipher requests are not allowed.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("kex: %s cipher: %s MAC: %s compression: %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ctos ? "client->server" : "server->client",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ newkeys->enc.name,
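</span><span style='display:block;color:#404040;'>Review bot: the pre-authentication refusal of the none cipher in kex_choose_conf is the security gate for NONE_CIPHER_ENABLED, so it deserves more than a debug() trail: emit a logit()/error() line before the fatal so that a pre-auth request for `none` shows up in sshd's normal log and can be alerted on, and raise the post-authentication acceptance to verbose() so an unencrypted session is visible at the default log level. The `auth_flag == 1` comparison should also be a plain truth test unless after_authentication can hold other values.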
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/packet.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/packet.c 2018-06-27 16:42:42.739507000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* this supports the forced rekeying required for the NONE cipher */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int rekey_requested = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++packet_request_rekeying(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ rekey_requested = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_packet_authentication_state(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct session_state *state = ssh->state;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return(state->after_authentication);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define MAX_PACKETS (1U<<31)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
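</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: `rekey_requested` is a non-static file-global rather than a field of `struct session_state`, so it is exported from packet.c and shared by every `struct ssh` in the process; move it into `ssh->state` next to `after_authentication` (which ssh_packet_authentication_state() already reads from there) and give packet_request_rekeying() a `struct ssh *` parameter. Style: `return(state->after_authentication);` should be `return state->after_authentication;` like the rest of packet.c.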
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Peer can't rekey */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ssh->compat & SSH_BUG_NOREKEY)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* used to force rekeying when called for by the none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * cipher switch methods -cjr */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (rekey_requested == 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ rekey_requested = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Permit one packet in or out per rekey - this allows us to
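</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the forced-rekey check is placed after the `SSH_BUG_NOREKEY` early return, so for a peer that cannot rekey the request is silently swallowed and `rekey_requested` stays set forever; either clear the flag on that path or have the none-switch code test the compat bit before calling packet_request_rekeying(), so the caller can tell the cipher switch did not happen.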
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -188,6 +188,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int sshpkt_get_end(struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void packet_request_rekeying(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int ssh_packet_authentication_state(struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* OLD API */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern struct ssh *active_state;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "opacket.h"
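</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: this file header (and the readconf.h and scp.c headers further down) is against openssh-6.8p1 from 2015, the packet.c, readconf.c and servconf.c hunks are against 7.7p1, and the patch file is named for 7.9p1; please confirm every hunk applies without fuzz to the 7.9p1 tarball the Portfile fetches and regenerate the headers so the patch is consistently against one version.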
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/readconf.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/readconf.c 2018-06-27 16:58:41.109275000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -66,6 +66,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "uidswap.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "myproposal.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Format of the configuration file:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -167,6 +170,12 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oVisualHostKey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oNoneSwitch, oNoneEnabled,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -304,6 +313,16 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "updatehostkeys", oUpdateHostkeys },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "hostbasedkeytypes", oHostbasedKeyTypes },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "noneenabled", oNoneEnabled },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "noneswitch", oNoneSwitch },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "tcprcvbufpoll", oTcpRcvBufPoll },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "tcprcvbuf", oTcpRcvBuf },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "hpndisabled", oHPNDisabled },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "hpnbuffersize", oHPNBufferSize },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "ignoreunknown", oIgnoreUnknown },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "proxyjump", oProxyJump },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -962,6 +981,44 @@ parse_time:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->check_host_ip;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oHPNDisabled:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->hpn_disabled;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oHPNBufferSize:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_int;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oTcpRcvBufPoll:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->tcp_rcv_buf_poll;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oTcpRcvBuf:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->tcp_rcv_buf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_int;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oNoneEnabled:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->none_enabled;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* we check to see if the command comes from the */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* command line or not. If it does then enable it */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* otherwise fail. NONE should never be a default configuration */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oNoneSwitch:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if(strcmp(filename,"command-line") == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->none_switch;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("Continuing...");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("NoneSwitch directive found in %.200s.", filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case oVerifyHostKeyDNS:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->verify_host_key_dns;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ multistate_ptr = multistate_yesnoask;
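</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the `oNoneSwitch` rejection path reports through two error() calls (one with an embedded `\n`, then "Continuing...") and then does `return 0`, which treats the line as successfully parsed although its argument was never consumed and the trailing-argument checks the other options get are skipped; a single error() line plus a return value that marks the line as bad (or leaving `none_switch` untouched and falling through to the normal flag parse) would be cleaner. Style: `if(strcmp(filename,"command-line") == 0)` needs the usual spacing and the three-line `/* */` block should be one comment.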
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1833,6 +1890,16 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ip_qos_interactive = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ip_qos_bulk = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->request_tty = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_switch = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_enabled = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_disabled = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf_poll = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->proxy_use_fdpass = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ignored_unknown = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->num_canonical_domains = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1979,6 +2046,34 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->server_alive_interval = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->server_alive_count_max == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->server_alive_count_max = 3;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->none_switch == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_switch = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->none_enabled == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_enabled = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_disabled == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size > -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if a user tries to set the size to 0 set it to 1KB */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("User requested buffer larger than 256MB. Request reverted to 256MB");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size *= 1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->tcp_rcv_buf == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->tcp_rcv_buf > -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf *=1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->tcp_rcv_buf_poll == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf_poll = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->control_master == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->control_master = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->control_persist == -1) {
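</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the KiB-to-bytes conversion and SSHBUF_SIZE_MAX clamp for `hpn_buffer_size` are duplicated with small differences in fill_default_server_options in servconf.c; a shared helper would keep the two in sync, and the debug message here hard-codes "256MB" although the limit is whatever SSHBUF_SIZE_MAX is. Minor: `options->tcp_rcv_buf *=1024;` needs a space, and the `tcp_rcv_buf == 0` to 1 KiB mapping is applied before the `> -1` test but only on the client side.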
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-6.8p1/readconf.h 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-6.8p1/readconf.h 2015-04-03 13:47:45.670125000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -105,6 +105,16 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int clear_forwardings;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int enable_ssh_keysign;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int none_switch; /* Use none cipher */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int none_enabled; /* Allow none to be used */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int tcp_rcv_buf; /* user switch to set tcp recv buffer */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int hpn_disabled; /* Switch to disable HPN buffer management */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int hpn_buffer_size; /* User definable size for HPN buffer window */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int64_t rekey_limit;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int rekey_interval;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int no_host_authentication_for_localhost;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-6.8p1/scp.c 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-6.8p1/scp.c 2015-04-02 16:51:25.108407000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -764,7 +764,7 @@ source(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ off_t i, statbytes;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size_t amt, nr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int fd = -1, haderr, indx;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- char *last, *name, buf[2048], encname[PATH_MAX];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *last, *name, buf[16384], encname[PATH_MAX];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (indx = 0; indx < argc; ++indx) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -932,7 +932,7 @@ sink(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ off_t size, statbytes;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unsigned long long ull;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int setimes, targisdir, wrerrno = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct timeval tv[2];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define atime tv[0]
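</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: `buf` and `visbuf` in sink() (and `buf` in source() above) grow from 2048 to 16384 bytes of stack; verify that every read(), snprintf() and vis-style call on them takes its length from `sizeof buf` / `sizeof visbuf` rather than a literal 2048, since the enlargement is only effective (and the buf/visbuf size relationship only preserved) if no caller still uses the old constant. The extra 32 KiB of stack in sink() deserves a comment explaining why the larger protocol line buffer is needed.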
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/servconf.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/servconf.c 2018-06-27 17:01:05.276677000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -63,6 +63,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "auth.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "myproposal.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static void add_listen_addr(ServerOptions *, const char *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *, int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->authorized_principals_file = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->authorized_principals_command = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->authorized_principals_command_user = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_enabled = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf_poll = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_disabled = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ip_qos_interactive = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ip_qos_bulk = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->version_addendum = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->permit_tun == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->permit_tun = SSH_TUNMODE_NO;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->none_enabled == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_enabled = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_disabled == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size == -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * option not explicitly set. Now we have to figure out
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * what value to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_disabled == 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int sock, socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socklen_t socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * get the current RCV size and set it to that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * create a socket but don't connect it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * we use that the get the rcv socket size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ close(sock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * we have to do this incase the user sets both values in a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * contradictory manner. hpn_disabled overrrides
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * hpn_buffer_size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_disabled <= 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size *= 1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->ip_qos_interactive == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ip_qos_interactive = IPTOS_LOWDELAY;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->ip_qos_bulk == -1)
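Review bot: the getsockopt() call at the top of this hunk has its return value ignored, so if the probe socket or the call fails `socksize` is uninitialized when it is copied into options->hpn_buffer_size and logged; check the return and fall back to CHAN_TCP_WINDOW_DEFAULT on failure. Two comment typos in the same hunk: "incase" and "overrrides".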
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -466,6 +528,12 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sUsePrivilegeSeparation, sAllowAgentForwarding,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sHostCertificate,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sNoneEnabled,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sKexAlgorithms, sIPQoS, sVersionAddendum,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -603,6 +671,14 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "noneenabled", sNoneEnabled, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "ipqos", sIPQoS, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
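Review bot: `noneenabled` is registered with SSHCFG_ALL, so it can be flipped inside a Match block; confirm that per-user or per-address enabling of the NONE cipher switch is intended, since it turns off encryption of the session data, and add sshd_config.5 entries for noneenabled, hpndisabled, hpnbuffersize and tcprcvbufpoll, which none of the hunks shown here document.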
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case sIgnoreUserKnownHosts:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->ignore_user_known_hosts;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sNoneEnabled:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->none_enabled;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sTcpRcvBufPoll:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->tcp_rcv_buf_poll;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sHPNDisabled:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->hpn_disabled;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sHPNBufferSize:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_int;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case sHostbasedAuthentication:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->hostbased_authentication;
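Review bot: sHPNBufferSize goes through parse_int with no range check, so a negative HPNBufferSize is accepted here; the defaulting code in the earlier servconf.c hunk only handles 0 and the upper bound (SSHBUF_SIZE_MAX / 1024), so a negative value is multiplied by 1024 and handed to channel_new() as a window size. Reject values below zero at parse time.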
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -169,6 +169,15 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int use_pam; /* Enable auth via PAM */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int none_enabled; /* enable NONE cipher switch */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int hpn_disabled; /* disable hpn functionality. false by default */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int permit_tun;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int num_permitted_opens;
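Review bot: the comment on hpn_buffer_size says "default 3MB", but the servconf.c hunk above derives the default from SO_RCVBUF or CHAN_TCP_WINDOW_DEFAULT and never uses 3MB; update the comment so the header matches the code (the tcp_rcv_buf_poll comment is also missing a space before its closing `*/`).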
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/serverloop.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/serverloop.c 2018-06-27 16:53:02.246871000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto done;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("Tunnel forwarding using interface %s", ifname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->datagram = 1;
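Review bot: the brace-less `if`/`else` here spans the #ifdef/#endif, so the `else` on the HPN side binds to the stock channel_new() call below it; it compiles either way, but it is easy to break on the next rebase. Compute the window into a local (options.hpn_buffer_size when HPN is built in and not disabled, CHAN_TCP_WINDOW_DEFAULT otherwise) and keep a single channel_new() call.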
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 0, "server-session", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf_poll && !options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->dynamic_window = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (session_open(the_authctxt, c->self) != 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("session open failed, free channel %d", c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_free(ssh, c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/session.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/session.c 2018-06-27 17:01:40.730347000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (s->chanid == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("no channel for session %d", s->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ channel_set_fds(ssh, s->chanid,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fdout, fdin, fderr,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 1, is_tty, options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_set_fds(ssh, s->chanid,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fdout, fdin, fderr,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
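Review bot: the two channel_set_fds() calls differ only in the final window argument, which duplicates four lines that must be kept in sync; select the window into a local under #ifdef HPN_ENABLED and make one call, which also removes the `else` dangling across the #endif.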
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-6.8p1/sftp.1 2015-04-01 22:16:49.921688000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -263,7 +263,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Specify how many requests may be outstanding at any one time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Increasing this may slightly improve file transfer speed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ but will increase memory usage.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-The default is 64 outstanding requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The default is 256 outstanding requests providing for 8MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++of outstanding data with a 32KB buffer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Fl r
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Recursively copy entire directories when uploading and downloading.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Note that
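Review bot: the man page now states a default of 256 requests unconditionally, but the sftp.c hunk below only sets DEFAULT_NUM_REQUESTS to 256 under HPN_ENABLED and keeps 64 otherwise; either make the text conditional on the build or note that 64 remains the default without HPN.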
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-6.8p1/sftp.c 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-6.8p1/sftp.c 2015-04-03 17:16:00.959795000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -71,7 +71,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "sftp-client.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* File to read commands from */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ FILE* infile;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/ssh.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/ssh.c 2018-06-27 17:05:30.011979000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -954,6 +954,14 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 'T':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options.request_tty = REQUEST_TTY_NO;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * ensure that the user doesn't try to backdoor a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * null cipher switch on an interactive session
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so explicitly disable it no matter what.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.none_switch = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 'o':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ line = xstrdup(optarg);
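Review bot: the comment says this prevents a null cipher on an interactive session, yet `-T` is the flag that disables tty allocation, i.e. the non-interactive path, and the interactive cases (`-t`, or no command with RequestTTY from the config file, which is read after getopt) are not touched here. Either the comment or the placement looks off; applying the rule once where tty_flag is finally resolved, after all options are parsed, would cover every path.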
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ NULL, fileno(stdin), &command, environ);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++hpn_options_init(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We need to check to see if what they want to do about buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * sizes here. In a hpn to nonhpn connection we want to limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * the window size to something reasonable in case the far side
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * has the large window bug. In hpn to hpn connection we want to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * use the max window size but allow the user to override it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * lastly if they disabled hpn then use the ssh std window size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * So why don't we just do a getsockopt() here and set the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * ssh window to that? In the case of a autotuning receive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * window the window would get stuck at the initial buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * size generally less than 96k. Therefore we need to set the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * maximum ssh window size to the maximum hpn buffer size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * unless the user has specifically set the tcprcvbufpoll
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * to no. In which case we *can* just set the window to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * minimum of the hpn buffer size and tcp receive buffer size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (tty_flag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size = 2 * 1024 * 1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (datafellows & SSH_BUG_LARGEWINDOW) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("HPN to Non-HPN Connection");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int sock, socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socklen_t socksizelen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf_poll <= 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ close(sock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("socksize %d", socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Create a socket but don't connect it:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * we use that the get the rcv socket size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * If they are using the tcp_rcv_buf option,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * attempt to set the buffer size to that.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socksizelen = sizeof(options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &options.tcp_rcv_buf, socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ close(sock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("socksize %d", socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* open new channel for a session */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_session2_open(struct ssh *ssh)
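Review bot: socket(), setsockopt() and getsockopt() are all called without checking their return values in hpn_options_init(), so if the probe socket cannot be created `socksize` is read uninitialized and becomes the channel window; check each call and keep the 2MB value as the fallback on failure. The nested `if (options.tcp_rcv_buf > 0)` / `if (options.tcp_rcv_buf)` tests are redundant, the probe is AF_INET only so its value may differ from the buffer on an IPv6 connection socket, and "we use that the get" in the comment should read "we use that to get".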
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!isatty(err))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set_nonblock(err);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ window = options.hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ window = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ packetmax = CHAN_SES_PACKET_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (tty_flag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ window = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ window >>= 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ packetmax >>= 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
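Review bot: window is set to options.hpn_buffer_size whenever HPN_ENABLED without consulting options.hpn_disabled, whereas the serverloop.c and session.c hunks fall back to the stock window when HPN is disabled; if channel_set_hpn() is meant to cover this on the client, say so in a comment, otherwise add the same check here so HPNDisabled=yes restores CHAN_SES_WINDOW_DEFAULT.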
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ window, packetmax, CHAN_EXTENDED_WRITE,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "client-session", /*nonblock*/0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->dynamic_window = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug ("Enabled Dynamic Window Scaling");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug3("%s: channel_new: %d", __func__, c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_send_open(ssh, c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int devnull, id = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *cp, *tun_fwd_ifname = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We need to initialize this early because the forwarding logic below
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * might open channels that use the hpn buffer sizes. We can't send a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * window of -1 (the default) to the server as it breaks things.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_options_init();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* XXX should be pre-session */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!options.control_persist)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/sshbuf.h.orig 2018-06-27 16:11:24.503058000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/sshbuf.h 2018-06-27 16:12:01.359375000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -28,7 +28,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # endif /* OPENSSL_HAS_ECC */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSHBUF_SIZE_MAX 0xF000000 /* Hard maximum size 256MB */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */
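</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the comment on the new HPN value of SSHBUF_SIZE_MAX does not match the constant: 0xF000000 is 240 MiB, not 256MB (256 MiB would be 0x10000000). Fix either the value or the comment.
Since this is the hard cap on how large any sshbuf may grow, raising it from 0x8000000 (128 MiB) also raises the memory a single buffer can consume; that deserves a sentence in the comment so the next person does not treat it as a cosmetic change.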
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh/sshconnect.c.orig 2018-10-16 17:01:20.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh/sshconnect.c 2018-11-12 09:04:24.340706000 -0800
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -327,7 +327,32 @@ check_ifaddrs(const char *ifname, int af, const struct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Set TCP receive buffer if requested.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Note: tuning needs to happen after the socket is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * created but before the connection happens
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so winscale is negotiated properly -cjr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_set_socket_recvbuf(int sock)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ void *buf = (void *)&options.tcp_rcv_buf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int sz = sizeof(options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socklen_t socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("Couldn't set socket receive buffer to %d: %.100s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.tcp_rcv_buf, strerror(errno));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Creates a socket for use as the ssh connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
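</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: in ssh_set_socket_recvbuf the getsockopt() return value is ignored, and the debug() that follows prints strerror(errno) on the success path, where errno is stale, and prints socksize, which is uninitialized if getsockopt() failed.
Check the result and report errno only when a call actually failed, e.g. `if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen) == -1) error("getsockopt SO_RCVBUF: %.100s", strerror(errno)); else debug("SO_RCVBUF is now %d", socksize);`.
Minor: `sz` should be socklen_t to match the setsockopt signature, and `buf` can be passed as `&options.tcp_rcv_buf` without the void cast.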
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -349,6 +374,11 @@ ssh_create_socket(struct addrinfo *ai)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fcntl(sock, F_SETFD, FD_CLOEXEC);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf > 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_set_socket_recvbuf(sock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Bind the socket to an alternative local IP address */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options.bind_address == NULL && options.bind_interface == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return sock;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -608,8 +638,14 @@ static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ send_client_banner(int connection_out, int minor1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Send our own protocol version identification. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? "" : SSH_HPN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (atomicio(vwrite, connection_out, client_version_string,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ strlen(client_version_string)) != strlen(client_version_string))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("write: %.100s", strerror(errno));
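</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: appending SSH_HPN to the client identification string advertises the HPN build to every server, and to anyone watching the wire, before key exchange, since the banner is sent in the clear. That is intended for peer detection, but document next to HPNDisabled that it is the only setting that removes the tag, and that the tag fingerprints the client as an HPN build even on connections that never use an HPN feature.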
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh/sshconnect2.c.orig 2018-10-16 17:01:20.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh/sshconnect2.c 2018-11-12 09:06:06.338515000 -0800
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -81,7 +81,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern char *client_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern char *server_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern Options options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* if it is set then prevent the switch to the null cipher */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++extern int tty_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * SSH2 key exchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
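</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the blank line inside the NONE_CIPHER_ENABLED block separates the comment from the `extern int tty_flag;` it describes; put the blank line after the #endif instead so the comment sits directly above the declaration.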
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -154,10 +160,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return ret;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static char *myproposal[PROPOSAL_MAX];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *s, *all_key;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct kex *kex;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
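</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: myproposal_default is declared `const char *[]` but myproposal is `char *[]`, and copying one into the other with memcpy discards the const qualifier without any compiler warning. Declare both arrays with the same element type (`const char *` is the right one, since the entries are string literals and proposal strings that nothing here is supposed to modify). Making myproposal a file-scope static so the post-authentication rekey can rebuild it is otherwise reasonable, but add a comment at the declaration saying that is why it is no longer a local.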
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -165,6 +172,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_shor
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xxx_host = host;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xxx_hostaddr = hostaddr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: kex_names_cat", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -412,6 +420,30 @@ ssh_userauth2(const char *local_user, const char *serv
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!authctxt.success)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("Authentication failed.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * if the user wants to use the none cipher do it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * post authentication and only if the right conditions are met
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * both of the NONE commands must be true and there must be no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * tty allocated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((options.none_switch == 1) && (options.none_enabled == 1)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!tty_flag) { /* no null on tty sessions */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Requesting none rekeying...");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex_prop2buf(active_state->kex->my, myproposal);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* requested NONE cipher when in a tty */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Cannot switch to NONE cipher with tty allocated");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("Authentication succeeded (%s).", authctxt.method->name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
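</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the rekey proposal built for the none switch throws away the user's configuration: the memcpy resets myproposal to the compiled-in KEX_CLIENT defaults and then only the two ENC_ALGS entries are overwritten, so KexAlgorithms, MACs, HostKeyAlgorithms and the compat adjustments applied in ssh_kex2 are silently dropped for the second key exchange. Start from the proposal as ssh_kex2 left it (that is the reason it was made static) and change only the two cipher entries.
Two further points for this block: after the rekey every channel multiplexed over the connection, not just the bulk transfer, travels unencrypted, so the warning should say so and should go through the logging functions rather than a bare fprintf(stderr) that ignores -q; and because the proposal offers only `none` in each direction, a server that does not list none cannot agree on a cipher for the rekey, so the session fails after authentication has already succeeded.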
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/sshd.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/sshd.c 2018-06-27 17:13:03.176633000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -372,8 +372,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char buf[256]; /* Must not be larger than remote_version. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char remote_version[256]; /* Must be at least as big as buf. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s\r\n",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? "" : SSH_HPN,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *options.version_addendum == '\0' ? "" : " ",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options.version_addendum);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
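</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: as with the client banner, the SSH_HPN tag becomes part of the server identification string sent in the clear to every connecting client before key exchange, which lets a scanner fingerprint HPN builds and narrows the search for hosts where NoneEnabled might also be set. VersionAddendum, used immediately below, already exists for operators who want to add to the banner; at minimum document that HPNDisabled is the only way to suppress the tag.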
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1025,6 +1030,10 @@ listen_on_addrs(struct listenaddr *la)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ret, listen_sock;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct addrinfo *ai;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char ntop[NI_MAXHOST], strport[NI_MAXSERV];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socklen_t socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (ai = la->addrs; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1070,6 +1079,13 @@ listen_on_addrs(struct listenaddr *la)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("Bind to port %s on %s.", strport, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Server TCP RWIN socket size: %d", socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("HPN Buffer Size: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Bind the socket to the desired port. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ error("Bind to port %s on %s failed: %.200s.",
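</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the getsockopt() call added before bind() ignores its return value, and socksize is printed uninitialized if it fails; check it the way the surrounding code checks bind(), e.g. `if (getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen) == -1) error("getsockopt SO_RCVBUF: %.100s", strerror(errno)); else debug(...)`. Note also that the value logged is the listening socket's receive buffer, so the "Server TCP RWIN socket size" message should say "listen socket" to avoid being read as the per-connection value.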
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1634,6 +1650,15 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Fill in default values for those options not explicitly set. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fill_default_server_options(&options);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.none_enabled == 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *old_ciphers = options.ciphers;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&options.ciphers, "%s,none", old_ciphers);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(old_ciphers);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* challenge-response is implemented via keyboard interactive */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options.challenge_response_authentication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options.kbd_interactive_authentication = 1;
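</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: appending "none" to options.ciphers here puts the null cipher into the server's initial key-exchange proposal, before authentication, not only into the post-authentication rekey the client side performs; nothing in this hunk restricts when a peer may select it, so unless a check elsewhere rejects none before userauth (not visible in this patch), a client can negotiate an unencrypted session from the first packet. Either gate the cipher so it is only accepted for a rekey after successful authentication, or say plainly in the option's documentation that NoneEnabled removes confidentiality for any client that asks for it. Emitting a logit() line here at startup when none_enabled is set would also give operators a visible record of the setting.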
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2047,6 +2072,11 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rdomain == NULL ? "" : "\"");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(laddr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* set the HPN options for the child */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * We don't want to listen forever unless the other side
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * successfully authenticates itself. So we set up an alarm which is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2212,6 +2242,11 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct kex *kex;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.none_enabled == 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug ("WARNING: None cipher enabled");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options.kex_algorithms);
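</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the notice that the none cipher is enabled is emitted with debug(), so it only appears under -d or LogLevel DEBUG; an operator reading normal logs gets no indication that the server will negotiate an unencrypted transport. Use logit() (or at least verbose()) so it reaches the regular log, and emit it once after option parsing rather than in do_ssh2_kex, which runs for every connection.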
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # override default of no subsystems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Subsystem sftp /usr/libexec/sftp-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# the following are HPN related configuration options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# tcp receive buffer polling. disable in non autotuning kernels
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#TcpRcvBufPoll yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# disable hpn performance boosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#HPNDisabled no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# buffer size for hpn to non-hpn connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#HPNBufferSize 2048
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# allow the use of the none cipher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#NoneEnabled no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Example of overriding settings on a per-user basis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #Match User anoncvs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # X11Forwarding no
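</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the new sshd_config comments need units and consequences. "HPNBufferSize 2048" does not say whether that is bytes or kilobytes, and "allow the use of the none cipher" does not tell the reader that NoneEnabled lets clients drop encryption entirely after authentication, which is the fact an operator needs before uncommenting it. Drop the doubled blank line before the NoneEnabled block. The hunk header is also against openssh-6.8p1 with 2015 timestamps, so regenerate it against the 7.9p1 sshd_config this port ships.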
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4,3 +4,4 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_PORTABLE "p1"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH_HPN "-hpn14v15"
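</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the file headers in this diff come from at least three different bases (openssh-6.8p1, openssh-7.7p1 and an unversioned openssh/ tree) even though the port applies it to 7.9p1; this version.h hunk, for instance, is against openssh-7.7p1/version.h.orig. Regenerate the whole patch against a clean 7.9p1 tree so the offsets and context are known to apply without fuzz and the next upgrade has a single baseline. The SSH_HPN define itself is fine; since it is appended to both banners and is the string peers will see, keep it in step with the patch file name (hpnssh14v15) whenever the patch is bumped.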
</span></pre><pre style='margin:0'>
</pre>