
[alpine-aports] [PATCH] main/openssh: upgrade to 7.6_p1

From: Drew DeVault <sir_at_cmpwn.com>
Date: Sat, 23 Dec 2017 08:49:49 -0800

---
 main/openssh/APKBUILD                    |  23 +-
 main/openssh/CVE-2017-15906.patch        |  31 --
 main/openssh/openssh-7.5p1-sandbox.patch |  23 -
 main/openssh/openssh7.4-dynwindows.patch | 835 -------------------------------
 4 files changed, 4 insertions(+), 908 deletions(-)
 delete mode 100644 main/openssh/CVE-2017-15906.patch
 delete mode 100644 main/openssh/openssh-7.5p1-sandbox.patch
 delete mode 100644 main/openssh/openssh7.4-dynwindows.patch
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index bffda04bba..7b66dfd009 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
_at_@ -2,9 +2,9 @@
 # Contributor: Valery Kartel <valery.kartel_at_gmail.com>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=openssh
-pkgver=7.5_p1
+pkgver=7.6_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=8
+pkgrel=0
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
_at_@ -31,24 +31,12 @@ done
 
 source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
 	openssh7.4-peaktput.patch
-	openssh7.4-dynwindows.patch
 	fix-utmp.patch
 	bsd-compatible-realpath.patch
 	sshd.initd
 	sshd.confd
 	sftp-interactive.patch
-	openssh-7.5p1-sandbox.patch
-	CVE-2017-15906.patch
 	"
-# secfixes:
-#   7.5_p1-r0:
-#     - CVE-2017-15906
-#   7.5_p1-r8:
-#     - CVE-2016-10009
-#     - CVE-2016-10010
-#     - CVE-2016-10011
-#     - CVE-2016-10012
-
 # HPN patches are from: http://hpnssh.sourceforge.net/
 
 builddir="$srcdir"/$pkgname-$_myver
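Review bot: Deleting the entire `# secfixes:` block (the removed lines between the source list and the HPN comment) also drops the record of CVE-2017-15906 and CVE-2016-10009 through CVE-2016-10012 that is used to populate Alpine's secdb, so the fixed status of those issues in this package is lost rather than updated. Since the upgrade removes CVE-2017-15906.patch because 7.6 carries the fix upstream, the block should stay and gain an entry for the new release, e.g. `# secfixes:` / `#   7.6_p1-r0:` / `#     - CVE-2017-15906` above the existing 7.5_p1 entries. Separately, removing openssh7.4-dynwindows.patch from `source=` silently drops the HPN dynamic-window behaviour while openssh7.4-peaktput.patch is kept; if it was dropped because it no longer applies to 7.6 rather than on purpose, that is worth a sentence in the commit message so the change in runtime behaviour is traceable.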
_at_@ -197,13 +185,10 @@ _pkg_flavour() {
 	done
 }
 
-sha512sums="58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81  openssh-7.5p1.tar.gz
+sha512sums="de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72  openssh-7.6p1.tar.gz
 398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6  openssh7.4-peaktput.patch
-b9d736eae9b43de91fa3eb277ba8abc6290a8436b0fb00ae3b0f1b2eabba9983e4d2a1e3c68f5514247d0a3f120037f0795fd88fbf302aabd2d1b54a325a04ee  openssh7.4-dynwindows.patch
 f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1  fix-utmp.patch
 f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73  bsd-compatible-realpath.patch
 394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f  sshd.initd
 ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4  sshd.confd
-c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  sftp-interactive.patch
-15c5478bcae56c019a2fbd82ec04808537fd4ba1f1ba4a0a88c0343c16c698c45dbfac59eebc3fcfd3c15b302ebec43e60ffa02442a6c77673b14818ad3f7b60  openssh-7.5p1-sandbox.patch
-e064acdb9b9990ac3e997b0110051150a0e0e86a128228d400707815957cb6414ae167c8992da049ee81f315ef19d0ba4d6f55aef197b1fa16fc7ebb8596d320  CVE-2017-15906.patch"
+c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  sftp-interactive.patch"
diff --git a/main/openssh/CVE-2017-15906.patch b/main/openssh/CVE-2017-15906.patch
deleted file mode 100644
index a80047d49d..0000000000
--- a/main/openssh/CVE-2017-15906.patch
+++ /dev/null
_at_@ -1,31 +0,0 @@
-From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
-From: djm <djm_at_openbsd.org>
-Date: Tue, 4 Apr 2017 00:24:56 +0000
-Subject: [PATCH] disallow creation (of empty files) in read-only mode;
- reported by Michal Zalewski, feedback & ok deraadt_at_
-
----
- usr.bin/ssh/sftp-server.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/sftp-server.c b/sftp-server.c
-index 2510d234a3a..42249ebd60d 100644
---- a/sftp-server.c
-+++ b/sftp-server.c
-_at_@ -1,4 +1,4 @@
--/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
-+/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
- /*
-  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
-  *
-_at_@ -683,8 +683,8 @@ process_open(u_int32_t id)
- 	logit("open \"%s\" flags %s mode 0%o",
- 	    name, string_from_portable(pflags), mode);
- 	if (readonly &&
--	    ((flags & O_ACCMODE) == O_WRONLY ||
--	    (flags & O_ACCMODE) == O_RDWR)) {
-+	    ((flags & O_ACCMODE) != O_RDONLY ||
-+	    (flags & (O_CREAT|O_TRUNC)) != 0)) {
- 		verbose("Refusing open request in read-only mode");
- 		status = SSH2_FX_PERMISSION_DENIED;
- 	} else {
diff --git a/main/openssh/openssh-7.5p1-sandbox.patch b/main/openssh/openssh-7.5p1-sandbox.patch
deleted file mode 100644
index 7d09632c8f..0000000000
--- a/main/openssh/openssh-7.5p1-sandbox.patch
+++ /dev/null
_at_@ -1,23 +0,0 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 3a1aedce72c2..a8d472a63ccb 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-_at_@ -50,6 +50,9 @@
- #include <elf.h>
- 
- #include <asm/unistd.h>
-+#ifdef __s390__
-+#include <asm/zcrypt.h>
-+#endif
- 
- #include <errno.h>
- #include <signal.h>
-_at_@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
- 	 * x86-64 syscall under some circumstances, e.g.
- 	 * https://bugs.debian.org/849923
- 	 */
--	SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
-+	SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
- #endif
- 
- 	/* Default deny */
diff --git a/main/openssh/openssh7.4-dynwindows.patch b/main/openssh/openssh7.4-dynwindows.patch
deleted file mode 100644
index 45c42159ea..0000000000
--- a/main/openssh/openssh7.4-dynwindows.patch
+++ /dev/null
_at_@ -1,835 +0,0 @@
---- a/buffer.h
-+++ b/buffer.h
-_at_@ -16,6 +16,9 @@
-  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-  */
- 
-+/* move the following to a more appropriate place and name */
-+#define BUFFER_MAX_LEN_HPN          0x4000000  /* 64MB */
-+
- /* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
- 
- #ifndef BUFFER_H
---- a/channels.c
-+++ b/channels.c
-_at_@ -191,8 +191,14 @@
- static int connect_next(struct channel_connect *);
- static void channel_connect_ctx_free(struct channel_connect *);
- 
-+
-+static int hpn_disabled = 0;
-+static int hpn_buffer_size = 2 * 1024 * 1024;
-+
- /* -- channel core */
- 
-+
-+
- Channel *
- channel_by_id(int id)
- {
-_at_@ -356,6 +362,7 @@
- 	c->local_window_max = window;
- 	c->local_consumed = 0;
- 	c->local_maxpacket = maxpack;
-+	c->dynamic_window = 0;
- 	c->remote_id = -1;
- 	c->remote_name = xstrdup(remote_name);
- 	c->remote_window = 0;
-_at_@ -904,11 +911,35 @@
- 		FD_SET(c->sock, writeset);
- }
- 
-+int channel_tcpwinsz () {
-+        u_int32_t tcpwinsz = 0;
-+        socklen_t optsz = sizeof(tcpwinsz);
-+	int ret = -1;
-+
-+	/* if we aren't on a socket return 128KB*/
-+	if(!packet_connection_is_on_socket())
-+	    return(128*1024);
-+	ret = getsockopt(packet_get_connection_in(),
-+			 SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
-+	/* return no more than 64MB */
-+	if ((ret == 0) && tcpwinsz > BUFFER_MAX_LEN_HPN)
-+	    tcpwinsz = BUFFER_MAX_LEN_HPN;
-+	debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
-+	       packet_get_connection_in());
-+	return(tcpwinsz);
-+}
-+
- static void
- channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
- {
- 	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
- 
-+	/* check buffer limits */
-+	if ((!c->tcpwinsz) || (c->dynamic_window > 0))
-+		c->tcpwinsz = channel_tcpwinsz();
-+
-+	limit = MIN(limit, 2 * c->tcpwinsz);
-+
- 	if (c->istate == CHAN_INPUT_OPEN &&
- 	    limit > 0 &&
- 	    buffer_len(&c->input) < limit &&
-_at_@ -1926,14 +1957,21 @@
- 	    c->local_maxpacket*3) ||
- 	    c->local_window < c->local_window_max/2) &&
- 	    c->local_consumed > 0) {
-+		u_int addition = 0;
-+		/* adjust max window size if we are in a dynamic environment */
-+		if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
-+			/* grow the window somewhat aggressively to maintain pressure */
-+			addition = 1.5*(c->tcpwinsz - c->local_window_max);
-+			c->local_window_max += addition;
-+		}
- 		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
- 		packet_put_int(c->remote_id);
--		packet_put_int(c->local_consumed);
-+		packet_put_int(c->local_consumed + addition);
- 		packet_send();
- 		debug2("channel %d: window %d sent adjust %d",
- 		    c->self, c->local_window,
- 		    c->local_consumed);
--		c->local_window += c->local_consumed;
-+		c->local_window += c->local_consumed + addition;
- 		c->local_consumed = 0;
- 	}
- 	return 1;
-_at_@ -3179,6 +3217,15 @@
- 	return addr;
- }
- 
-+
-+void
-+channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
-+{
-+	hpn_disabled = external_hpn_disabled;
-+	hpn_buffer_size = external_hpn_buffer_size;
-+	debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
-+}
-+
- static int
- channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
-     int *allocated_listen_port, struct ForwardOptions *fwd_opts)
-_at_@ -3307,9 +3354,15 @@
- 		}
- 
- 		/* Allocate a channel number for the socket. */
-+		/* explicitly test for hpn disabled option. if true use smaller window size */
-+		if (hpn_disabled)
- 		c = channel_new("port listener", type, sock, sock, -1,
- 		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 		    0, "port listener", 1);
-+ 		else
-+ 			c = channel_new("port listener", type, sock, sock, -1,
-+ 			  hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
-+ 			  0, "port listener", 1);
- 		c->path = xstrdup(host);
- 		c->host_port = fwd->connect_port;
- 		c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
-_at_@ -4313,10 +4366,17 @@
- 	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
- 	for (n = 0; n < num_socks; n++) {
- 		sock = socks[n];
-+		/* Is this really necassary? */
-+		if (hpn_disabled)
- 		nc = channel_new("x11 listener",
- 		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- 		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 		    0, "X11 inet listener", 1);
-+		else
-+			nc = channel_new("x11 listener",
-+			    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
-+			    hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
-+			    0, "X11 inet listener", 1);
- 		nc->single_connection = single_connection;
- 		(*chanids)[n] = nc->self;
- 	}
---- a/channels.h
-+++ b/channels.h
-_at_@ -135,8 +135,10 @@
- 	u_int	local_window_max;
- 	u_int	local_consumed;
- 	u_int	local_maxpacket;
-+	int	dynamic_window;
- 	int     extended_usage;
- 	int	single_connection;
-+	u_int	tcpwinsz;
- 
- 	char   *ctype;		/* type */
- 
-_at_@ -173,8 +175,10 @@
- /* default window/packet sizes for tcp/x11-fwd-channel */
- #define CHAN_SES_PACKET_DEFAULT	(32*1024)
- #define CHAN_SES_WINDOW_DEFAULT	(64*CHAN_SES_PACKET_DEFAULT)
-+
- #define CHAN_TCP_PACKET_DEFAULT	(32*1024)
- #define CHAN_TCP_WINDOW_DEFAULT	(64*CHAN_TCP_PACKET_DEFAULT)
-+
- #define CHAN_X11_PACKET_DEFAULT	(16*1024)
- #define CHAN_X11_WINDOW_DEFAULT	(4*CHAN_X11_PACKET_DEFAULT)
- 
-_at_@ -318,5 +322,8 @@
- void	 chan_rcvd_ieof(Channel *);
- void	 chan_write_failed(Channel *);
- void	 chan_obuf_empty(Channel *);
-+
-+/* hpn handler */
-+void     channel_set_hpn(int, int);
- 
- #endif
---- a/clientloop.c
-+++ b/clientloop.c
-_at_@ -1990,9 +1990,15 @@
- 	sock = x11_connect_display();
- 	if (sock < 0)
- 		return NULL;
-+	/* again is this really necessary for X11? */
-+	if (options.hpn_disabled)
- 	c = channel_new("x11",
- 	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-+	else
-+		c = channel_new("x11",
-+		    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-+		    options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
- 	c->force_drain = 1;
- 	return c;
- }
-_at_@ -2015,10 +2021,16 @@
- 			    __func__, ssh_err(r));
- 		return NULL;
- 	}
-+	if (options.hpn_disabled)
- 	c = channel_new("authentication agent connection",
- 	    SSH_CHANNEL_OPEN, sock, sock, -1,
--	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-+	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
- 	    "authentication agent connection", 1);
-+	else
-+	c = channel_new("authentication agent connection",
-+	    SSH_CHANNEL_OPEN, sock, sock, -1,
-+	    options.hpn_buffer_size, options.hpn_buffer_size, 0,
-+ 	    "authentication agent connection", 1);
- 	c->force_drain = 1;
- 	return c;
- }
-_at_@ -2045,9 +2057,17 @@
- 		return -1;
- 	}
- 
-+	if(options.hpn_disabled)
- 	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
--	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-+				CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
-+				0, "tun", 1);
-+	else
-+	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-+				options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
-+				0, "tun", 1);
- 	c->datagram = 1;
-+
-+
- 
- #if defined(SSH_TUN_FILTER)
- 	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
---- a/compat.c
-+++ b/compat.c
-_at_@ -40,7 +40,7 @@
- 
- int compat13 = 0;
- int compat20 = 0;
--int datafellows = 0;
-+unsigned int datafellows = 0;
- 
- void
- enable_compat20(void)
-_at_@ -63,7 +63,7 @@ compat_datafellows(const char *version)
- 	int i;
- 	static struct {
- 		char	*pat;
--		int	bugs;
-+		unsigned int	bugs;
- 	} check[] = {
- 		{ "OpenSSH-2.0*,"
- 		  "OpenSSH-2.1*,"
-_at_@ -210,6 +210,12 @@ compat_datafellows(const char *version)
- 			debug("match: %s pat %s compat 0x%08x",
- 			    version, check[i].pat, check[i].bugs);
- 			datafellows = check[i].bugs;	/* XXX for now */
-+			/* Check to see if the remote side is OpenSSH and not HPN */
-+			if (strstr(version,"OpenSSH") != NULL &&
-+			    strstr(version,"hpn") == NULL) {
-+				datafellows |= SSH_BUG_LARGEWINDOW;
-+				debug("Remote is NON-HPN aware");
-+			}
- 			return check[i].bugs;
- 		}
- 	}
-diff --git a/compat.h b/compat.h
-index 2be290a..453c85e 100644
---- a/compat.h
-+++ b/compat.h
-_at_@ -62,6 +62,7 @@
- #define SSH_BUG_CURVE25519PAD	0x10000000
- #define SSH_BUG_HOSTKEYS	0x20000000
- #define SSH_BUG_DHGEX_LARGE	0x40000000
-+#define SSH_BUG_LARGEWINDOW     0x80000000
- 
- void     enable_compat13(void);
- void     enable_compat20(void);
-_at_@ -73,5 +74,5 @@ char	*compat_kex_proposal(char *);
- 
- extern int compat13;
- extern int compat20;
--extern int datafellows;
-+extern unsigned int datafellows;
- #endif
---- a/readconf.c
-+++ b/readconf.c
-_at_@ -154,6 +154,7 @@
- 	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
- 	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
- 	oPubkeyAuthentication,
-+	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
- 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
- 	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
-_at_@ -297,6 +298,11 @@
- 	{ "ignoreunknown", oIgnoreUnknown },
- 	{ "proxyjump", oProxyJump },
- 
-+	{ "tcprcvbufpoll", oTcpRcvBufPoll },
-+	{ "tcprcvbuf", oTcpRcvBuf },
-+	{ "hpndisabled", oHPNDisabled },
-+	{ "hpnbuffersize", oHPNBufferSize },
-+
- 	{ NULL, oBadOption }
- };
- 
-_at_@ -973,6 +979,18 @@
- 		intptr = &options->check_host_ip;
- 		goto parse_flag;
- 
-+	case oHPNDisabled:
-+		intptr = &options->hpn_disabled;
-+		goto parse_flag;
-+
-+	case oHPNBufferSize:
-+		intptr = &options->hpn_buffer_size;
-+		goto parse_int;
-+
-+	case oTcpRcvBufPoll:
-+		intptr = &options->tcp_rcv_buf_poll;
-+		goto parse_flag;
-+
- 	case oVerifyHostKeyDNS:
- 		intptr = &options->verify_host_key_dns;
- 		multistate_ptr = multistate_yesnoask;
-_at_@ -1165,6 +1183,10 @@
- 		intptr = &options->connection_attempts;
- 		goto parse_int;
- 
-+	case oTcpRcvBuf:
-+		intptr = &options->tcp_rcv_buf;
-+		goto parse_int;
-+
- 	case oCipher:
- 		intptr = &options->cipher;
- 		arg = strdelim(&s);
-_at_@ -1845,6 +1867,10 @@
- 	options->ip_qos_interactive = -1;
- 	options->ip_qos_bulk = -1;
- 	options->request_tty = -1;
-+	options->hpn_disabled = -1;
-+	options->hpn_buffer_size = -1;
-+	options->tcp_rcv_buf_poll = -1;
-+	options->tcp_rcv_buf = -1;
- 	options->proxy_use_fdpass = -1;
- 	options->ignored_unknown = NULL;
- 	options->num_canonical_domains = 0;
-_at_@ -2008,6 +2034,28 @@
- 		options->server_alive_interval = 0;
- 	if (options->server_alive_count_max == -1)
- 		options->server_alive_count_max = 3;
-+	if (options->hpn_disabled == -1)
-+	        options->hpn_disabled = 0;
-+	if (options->hpn_buffer_size > -1)
-+	{
-+	  /* if a user tries to set the size to 0 set it to 1KB */
-+		if (options->hpn_buffer_size == 0)
-+		options->hpn_buffer_size = 1;
-+		/*limit the buffer to 64MB*/
-+		if (options->hpn_buffer_size > 64*1024)
-+		{
-+			options->hpn_buffer_size = 64*1024*1024;
-+			debug("User requested buffer larger than 64MB. Request reverted to 64MB");
-+		}
-+		else options->hpn_buffer_size *= 1024;
-+		debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
-+	}
-+	if (options->tcp_rcv_buf == 0)
-+		options->tcp_rcv_buf = 1;
-+	if (options->tcp_rcv_buf > -1)
-+		options->tcp_rcv_buf *=1024;
-+	if (options->tcp_rcv_buf_poll == -1)
-+		options->tcp_rcv_buf_poll = 1;
- 	if (options->control_master == -1)
- 		options->control_master = 0;
- 	if (options->control_persist == -1) {
---- a/readconf.h
-+++ b/readconf.h
-_at_@ -57,6 +57,10 @@ typedef struct {
- 	int     compression_level;	/* Compression level 1 (fast) to 9
- 					 * (best). */
- 	int     tcp_keep_alive;	/* Set SO_KEEPALIVE. */
-+	int     tcp_rcv_buf; /* user switch to set tcp recv buffer */
-+	int     tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
-+	int     hpn_disabled;    /* Switch to disable HPN buffer management */
-+	int     hpn_buffer_size; /* User definable size for HPN buffer window */
- 	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
- 	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
- 	LogLevel log_level;	/* Level for logging. */
---- a/scp.c
-+++ b/scp.c
-_at_@ -763,7 +763,7 @@
- 	off_t i, statbytes;
- 	size_t amt, nr;
- 	int fd = -1, haderr, indx;
--	char *last, *name, buf[2048], encname[PATH_MAX];
-+	char *last, *name, buf[16384], encname[PATH_MAX];
- 	int len;
- 
- 	for (indx = 0; indx < argc; ++indx) {
-_at_@ -931,7 +931,7 @@
- 	off_t size, statbytes;
- 	unsigned long long ull;
- 	int setimes, targisdir, wrerrno = 0;
--	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
-+	char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
- 	struct timeval tv[2];
- 
- #define	atime	tv[0]
---- a/servconf.c
-+++ b/servconf.c
-_at_@ -159,6 +159,9 @@
- 	options->authorized_principals_file = NULL;
- 	options->authorized_principals_command = NULL;
- 	options->authorized_principals_command_user = NULL;
-+	options->tcp_rcv_buf_poll = -1;
-+	options->hpn_disabled = -1;
-+	options->hpn_buffer_size = -1;
- 	options->ip_qos_interactive = -1;
- 	options->ip_qos_bulk = -1;
- 	options->version_addendum = NULL;
-_at_@ -190,6 +193,7 @@
- void
- fill_default_server_options(ServerOptions *options)
- {
-+	int sock, socksize, socksizelen = sizeof(int);
- 	int i;
- 
- 	/* Portable-specific options */
-_at_@ -319,6 +323,41 @@
- 	}
- 	if (options->permit_tun == -1)
- 		options->permit_tun = SSH_TUNMODE_NO;
-+       if (options->hpn_disabled == -1)
-+               options->hpn_disabled = 0;
-+
-+       if (options->hpn_buffer_size == -1) {
-+		/* option not explicitly set. Now we have to figure out */
-+		/* what value to use */
-+		if (options->hpn_disabled == 1) {
-+			options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
-+		} else {
-+			/* get the current RCV size and set it to that */
-+			/*create a socket but don't connect it */
-+			/* we use that the get the rcv socket size */
-+			sock = socket(AF_INET, SOCK_STREAM, 0);
-+			getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+				   &socksize, &socksizelen);
-+			close(sock);
-+			options->hpn_buffer_size = socksize;
-+			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
-+		}
-+	} else {
-+		/* we have to do this incase the user sets both values in a contradictory */
-+		/* manner. hpn_disabled overrrides hpn_buffer_size*/
-+		if (options->hpn_disabled <= 0) {
-+			if (options->hpn_buffer_size == 0)
-+				options->hpn_buffer_size = 1;
-+			/* limit the maximum buffer to 64MB */
-+			if (options->hpn_buffer_size > 64*1024) {
-+				options->hpn_buffer_size = 64*1024*1024;
-+			} else {
-+				options->hpn_buffer_size *= 1024;
-+			}
-+		} else
-+			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
-+	}
-+
- 	if (options->ip_qos_interactive == -1)
- 		options->ip_qos_interactive = IPTOS_LOWDELAY;
- 	if (options->ip_qos_bulk == -1)
-_at_@ -413,6 +452,7 @@
- 	sHostCertificate,
- 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
- 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
-+	sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
- 	sKexAlgorithms, sIPQoS, sVersionAddendum,
- 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
- 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
-_at_@ -548,6 +588,9 @@
- 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
- 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-+	{ "hpndisabled", sHPNDisabled, SSHCFG_ALL },
-+	{ "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
-+	{ "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
- 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
- 	{ "ipqos", sIPQoS, SSHCFG_ALL },
- 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-_at_@ -587,6 +630,7 @@
- 
- 	for (i = 0; keywords[i].name; i++)
- 		if (strcasecmp(cp, keywords[i].name) == 0) {
-+			debug ("Config token is %s", keywords[i].name);
- 			*flags = keywords[i].flags;
- 			return keywords[i].opcode;
- 		}
-_at_@ -1148,6 +1192,19 @@
- 		if (*activep && *intptr == -1)
- 			*intptr = value;
- 		break;
-+
-+
-+	case sTcpRcvBufPoll:
-+		intptr = &options->tcp_rcv_buf_poll;
-+		goto parse_flag;
-+
-+	case sHPNDisabled:
-+		intptr = &options->hpn_disabled;
-+		goto parse_flag;
-+
-+	case sHPNBufferSize:
-+		intptr = &options->hpn_buffer_size;
-+		goto parse_int;
- 
- 	case sIgnoreUserKnownHosts:
- 		intptr = &options->ignore_user_known_hosts;
---- a/servconf.h
-+++ b/servconf.h
-_at_@ -166,6 +166,9 @@
- 	char   *adm_forced_command;
- 
- 	int	use_pam;		/* Enable auth via PAM */
-+        int     tcp_rcv_buf_poll;       /* poll tcp rcv window in autotuning kernels*/
-+	int	hpn_disabled;		/* disable hpn functionality. false by default */
-+	int	hpn_buffer_size;	/* set the hpn buffer size - default 3MB */
- 
- 	int	permit_tun;
- 
---- a/serverloop.c
-+++ b/serverloop.c
-_at_@ -526,8 +526,12 @@
- 	sock = tun_open(tun, mode);
- 	if (sock < 0)
- 		goto done;
-+	if (options.hpn_disabled)
- 	c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
- 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-+	else
-+		c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
-+		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
- 	c->datagram = 1;
- #if defined(SSH_TUN_FILTER)
- 	if (mode == SSH_TUNMODE_POINTOPOINT)
-_at_@ -563,6 +567,8 @@
- 	c = channel_new("session", SSH_CHANNEL_LARVAL,
- 	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
- 	    0, "server-session", 1);
-+	if ((options.tcp_rcv_buf_poll) && (!options.hpn_disabled))
-+		c->dynamic_window = 1;
- 	if (session_open(the_authctxt, c->self) != 1) {
- 		debug("session open failed, free channel %d", c->self);
- 		channel_free(c);
---- a/session.c
-+++ b/session.c
-_at_@ -220,6 +220,7 @@
- 		goto authsock_err;
- 
- 	/* Allocate a channel for the authentication agent socket. */
-+	/* this shouldn't matter if its hpn or not - cjr */
- 	nc = channel_new("auth socket",
- 	    SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
- 	    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-_at_@ -2121,10 +2122,16 @@
- 	 */
- 	if (s->chanid == -1)
- 		fatal("no channel for session %d", s->self);
-+	if (options.hpn_disabled)
- 	channel_set_fds(s->chanid,
- 	    fdout, fdin, fderr,
- 	    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
- 	    1, is_tty, CHAN_SES_WINDOW_DEFAULT);
-+	else
-+		channel_set_fds(s->chanid,
-+		    fdout, fdin, fderr,
-+		    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
-+		    1, is_tty, options.hpn_buffer_size);
- }
- 
- /*
---- a/sftp.1
-+++ b/sftp.1
-_at_@ -266,7 +266,8 @@
- Specify how many requests may be outstanding at any one time.
- Increasing this may slightly improve file transfer speed
- but will increase memory usage.
--The default is 64 outstanding requests.
-+The default is 256 outstanding requests providing for 8MB
-+of outstanding data with a 32KB buffer.
- .It Fl r
- Recursively copy entire directories when uploading and downloading.
- Note that
---- a/sftp.c
-+++ b/sftp.c
-_at_@ -72,7 +72,7 @@
- #include "sftp-client.h"
- 
- #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
--#define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
-+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
- 
- /* File to read commands from */
- FILE* infile;
---- a/ssh.c
-+++ b/ssh.c
-_at_@ -1910,6 +1910,9 @@
- {
- 	Channel *c;
- 	int window, packetmax, in, out, err;
-+	int sock;
-+	int socksize;
-+	int socksizelen = sizeof(int);
- 
- 	if (stdin_null_flag) {
- 		in = open(_PATH_DEVNULL, O_RDONLY);
-_at_@ -1930,9 +1933,74 @@
- 	if (!isatty(err))
- 		set_nonblock(err);
- 
--	window = CHAN_SES_WINDOW_DEFAULT;
-+	/* we need to check to see if what they want to do about buffer */
-+	/* sizes here. In a hpn to nonhpn connection we want to limit */
-+	/* the window size to something reasonable in case the far side */
-+	/* has the large window bug. In hpn to hpn connection we want to */
-+	/* use the max window size but allow the user to override it */
-+	/* lastly if they disabled hpn then use the ssh std window size */
-+
-+	/* so why don't we just do a getsockopt() here and set the */
-+	/* ssh window to that? In the case of a autotuning receive */
-+	/* window the window would get stuck at the initial buffer */
-+	/* size generally less than 96k. Therefore we need to set the */
-+	/* maximum ssh window size to the maximum hpn buffer size */
-+	/* unless the user has specifically set the tcprcvbufpoll */
-+	/* to no. In which case we *can* just set the window to the */
-+	/* minimum of the hpn buffer size and tcp receive buffer size */
-+
-+	if (tty_flag)
-+		options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
-+	else
-+		options.hpn_buffer_size = 2*1024*1024;
-+
-+	if (datafellows & SSH_BUG_LARGEWINDOW)
-+	{
-+		debug("HPN to Non-HPN Connection");
-+	}
-+	else
-+	{
-+		if (options.tcp_rcv_buf_poll <= 0)
-+		{
-+			sock = socket(AF_INET, SOCK_STREAM, 0);
-+			getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+				   &socksize, &socksizelen);
-+			close(sock);
-+			debug("socksize %d", socksize);
-+			options.hpn_buffer_size = socksize;
-+			debug ("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
-+		}
-+		else
-+		{
-+			if (options.tcp_rcv_buf > 0)
-+			{
-+				/*create a socket but don't connect it */
-+				/* we use that the get the rcv socket size */
-+				sock = socket(AF_INET, SOCK_STREAM, 0);
-+				/* if they are using the tcp_rcv_buf option */
-+				/* attempt to set the buffer size to that */
-+				if (options.tcp_rcv_buf)
-+					setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (void *)&options.tcp_rcv_buf,
-+						   sizeof(options.tcp_rcv_buf));
-+				getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+					   &socksize, &socksizelen);
-+				close(sock);
-+				debug("socksize %d", socksize);
-+				options.hpn_buffer_size = socksize;
-+				debug ("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
-+			}
-+ 		}
-+	}
-+
-+	debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
-+
-+	window = options.hpn_buffer_size;
-+
-+	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
-+
- 	packetmax = CHAN_SES_PACKET_DEFAULT;
- 	if (tty_flag) {
-+		window = 4*CHAN_SES_PACKET_DEFAULT;
- 		window >>= 1;
- 		packetmax >>= 1;
- 	}
-_at_@ -1941,6 +2009,10 @@
- 	    window, packetmax, CHAN_EXTENDED_WRITE,
- 	    "client-session", /*nonblock*/0);
- 
-+	if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) {
-+		c->dynamic_window = 1;
-+		debug ("Enabled Dynamic Window Scaling");
-+	}
- 	debug3("ssh_session2_open: channel_new: %d", c->self);
- 
- 	channel_send_open(c->self);
---- a/sshconnect.c
-+++ b/sshconnect.c
-_at_@ -267,6 +267,31 @@
- }
- 
- /*
-+ * Set TCP receive buffer if requested.
-+ * Note: tuning needs to happen after the socket is
-+ * created but before the connection happens
-+ * so winscale is negotiated properly -cjr
-+ */
-+static void
-+ssh_set_socket_recvbuf(int sock)
-+{
-+	void *buf = (void *)&options.tcp_rcv_buf;
-+	int sz = sizeof(options.tcp_rcv_buf);
-+	int socksize;
-+	int socksizelen = sizeof(int);
-+
-+	debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
-+	if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
-+	  getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
-+	  debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
-+	}
-+	else
-+		error("Couldn't set socket receive buffer to %d: %.100s",
-+		    options.tcp_rcv_buf, strerror(errno));
-+}
-+
-+
-+/*
-  * Creates a (possibly privileged) socket for use as the ssh connection.
-  */
- static int
-_at_@ -282,6 +307,9 @@
- 	}
- 	fcntl(sock, F_SETFD, FD_CLOEXEC);
- 
-+	if (options.tcp_rcv_buf > 0)
-+		ssh_set_socket_recvbuf(sock);
-+
- 	/* Bind the socket to an alternative local IP address */
- 	if (options.bind_address == NULL && !privileged)
- 		return sock;
-_at_@ -526,10 +554,10 @@
- 	/* Send our own protocol version identification. */
- 	if (compat20) {
- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
--		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
- 	} else {
- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
--		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-+		    PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
- 	}
- 	if (atomicio(vwrite, connection_out, client_version_string,
- 	    strlen(client_version_string)) != strlen(client_version_string))
---- a/sshd.c
-+++ b/sshd.c
-_at_@ -1020,6 +1020,8 @@
- 	int ret, listen_sock, on = 1;
- 	struct addrinfo *ai;
- 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
-+	int socksize;
-+	int socksizelen = sizeof(int);
- 
- 	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
- 		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-_at_@ -1060,6 +1062,11 @@
- 
- 		debug("Bind to port %s on %s.", strport, ntop);
- 
-+		getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
-+				   &socksize, &socksizelen);
-+		debug("Server TCP RWIN socket size: %d", socksize);
-+		debug("HPN Buffer Size: %d", options.hpn_buffer_size);
-+
- 		/* Bind the socket to the desired port. */
- 		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
- 			error("Bind to port %s on %s failed: %.200s.",
-_at_@ -1977,6 +1984,9 @@
- 	verbose("Connection from %s port %d on %s port %d",
- 	    remote_ip, remote_port, laddr,  ssh_local_port(ssh));
- 	free(laddr);
-+
-+	/* set the HPN options for the child */
-+	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
- 
- 	/*
- 	 * We don't want to listen forever unless the other side
---- a/sshd_config
-+++ b/sshd_config
-_at_@ -99,7 +99,7 @@
- #ClientAliveInterval 0
- #ClientAliveCountMax 3
- #UseDNS no
--#PidFile /var/run/sshd.pid
-+#PidFile /run/sshd.pid
- #MaxStartups 10:30:100
- #PermitTunnel no
- #ChrootDirectory none
-_at_@ -109,7 +109,18 @@
- #Banner none
- 
- # override default of no subsystems
--Subsystem	sftp	/usr/libexec/sftp-server
-+Subsystem	sftp	/usr/lib/ssh/sftp-server
-+
-+# the following are HPN related configuration options
-+# tcp receive buffer polling. disable in non autotuning kernels
-+#TcpRcvBufPoll yes
-+ 
-+# disable hpn performance boosts
-+#HPNDisabled no
-+
-+# buffer size for hpn to non-hpn connections
-+#HPNBufferSize 2048
-+
- 
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
---- a/version.h
-+++ b/version.h
-_at_@ -3,4 +3,5 @@
- #define SSH_VERSION	"OpenSSH_7.4"
- 
- #define SSH_PORTABLE	"p1"
--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN		"-hpn14v4"
-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
-- 
2.15.0