Going back to openssh 8.8

2024-10-08 09:54:55 +02:00
parent 09e08245c5
commit 1b2c8330ff
20 changed files with 241 additions and 709 deletions
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@ -131,9 +131,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	 (tasota@gmail.com) an NSF REU grant recipient for 2013. 
 +	 This work was financed, in part, by Cisco System, Inc., the National 
 +         Library of Medicine, and the National Science Foundation. 
--- channels.c.orig	2023-02-02 04:21:54.000000000 -0800
-+++ channels.c	2023-02-03 10:45:34.136793000 -0800
-@@ -229,6 +229,12 @@ static void channel_handler_init(struct ssh_channels *
+--- work/openssh/channels.c.orig	2021-04-15 20:55:25.000000000 -0700
+++ work/openssh/channels.c	2021-04-28 14:35:20.732518000 -0700
+@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
 /* Setup helper */
 static void channel_handler_init(struct ssh_channels *sc);
 
@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 /* -- channel core */
 
 void
-@@ -495,6 +501,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
+@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
 	c->local_window = window;
 	c->local_window_max = window;
 	c->local_maxpacket = maxpack;
@ -156,8 +156,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	c->remote_name = xstrdup(remote_name);
 	c->ctl_chan = -1;
 	c->delayed = 1;		/* prevent call to channel_post handler */
-@@ -1190,6 +1199,30 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int 
- 		fatal_fr(r, "channel %i", c->self);
+@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
+ 	FD_SET(c->sock, writeset);
 }
 
 +#ifdef HPN_ENABLED
@ -185,9 +185,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 +
 static void
- channel_pre_listener(struct ssh *ssh, Channel *c)
- {
-@@ -2301,18 +2334,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
+ channel_pre_open(struct ssh *ssh, Channel *c,
+     fd_set *readset, fd_set *writeset)
+@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
 	    c->local_maxpacket*3) ||
 	    c->local_window < c->local_window_max/2) &&
 	    c->local_consumed > 0) {
@ -220,7 +220,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 		c->local_consumed = 0;
 	}
 	return 1;
-@@ -3709,6 +3753,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
+@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
 	return addr;
 }
 
@ -238,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 static int
 channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
     struct Forward *fwd, int *allocated_listen_port,
-@@ -3848,6 +3903,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
+@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
 		}
 
 		/* Allocate a channel number for the socket. */
@ -248,15 +248,15 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		 * window size.
 +		 */
 +		if (!hpn_disabled)
-+			c = channel_new(ssh, "port listener", type, sock, sock,
-+			    -1, hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+			c = channel_new(ssh, "port listener", type, sock, sock, -1,
+			    hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
 +			    0, "port listener", 1);
 +		else
 +#endif
- 		c = channel_new(ssh, "port-listener", type, sock, sock, -1,
+ 		c = channel_new(ssh, "port listener", type, sock, sock, -1,
 		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
 		    0, "port listener", 1);
-@@ -5016,6 +5082,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
+@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
 	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
 	for (n = 0; n < num_socks; n++) {
 		sock = socks[n];
@ -268,7 +268,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +			    0, "X11 inet listener", 1);
 +		else
 +#endif
- 		nc = channel_new(ssh, "x11-listener",
+ 		nc = channel_new(ssh, "x11 listener",
 		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
 		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
 --- work/openssh-7.7p1/channels.h.orig	2018-04-01 22:38:28.000000000 -0700
@ -309,9 +309,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 			free(cipher_list);
 			return 0;
 		}
--- work/openssh/clientloop.c.orig	2022-02-23 03:31:11.000000000 -0800
-+++ work/openssh/clientloop.c	2022-03-02 12:53:47.624273000 -0800
-@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques
+--- work/openssh-7.7p1/clientloop.c.orig	2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/clientloop.c	2018-06-27 16:40:24.560906000 -0700
+@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
 	sock = x11_connect_display(ssh);
 	if (sock < 0)
 		return NULL;
@ -327,10 +327,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	c = channel_new(ssh, "x11",
 	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ
- 	else
- 		debug2_fr(r, "ssh_agent_bind_hostkey");
- 
+@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
+ 			    __func__, ssh_err(r));
+ 		return NULL;
+ 	}
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
 +		c = channel_new(ssh, "authentication agent connection",
@ -342,7 +342,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	c = channel_new(ssh, "authentication agent connection",
 	    SSH_CHANNEL_OPEN, sock, sock, -1,
 	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
 	}
 	debug("Tunnel forwarding using interface %s", ifname);
 
@ -1119,9 +1119,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 		sshpkt_fatal(ssh, r, "banner exchange");
 
 	/* Put the connection into non-blocking mode. */
--- work/openssh/sshconnect2.c.orig	2023-03-15 14:28:19.000000000 -0700
-+++ work/openssh/sshconnect2.c	2023-05-19 14:20:01.965073000 -0700
-@@ -83,7 +83,13 @@ extern Options options;
+--- work/openssh/sshconnect2.c.orig	2021-08-19 21:03:49.000000000 -0700
+++ work/openssh/sshconnect2.c	2021-09-08 10:02:03.037982000 -0700
+@@ -84,7 +84,13 @@
 extern char *client_version_string;
 extern char *server_version_string;
 extern Options options;
@ -1135,7 +1135,29 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 /*
  * SSH2 key exchange
  */
-@@ -482,6 +488,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
+ 	return ret;
+ }
+ 
+static char *myproposal[PROPOSAL_MAX];
+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
+ void
+ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+     const struct ssh_conn_info *cinfo)
+ {
+-	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+ 	char *s, *all_key;
+ 	int r, use_known_hosts_order = 0;
+ 
+@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr 
+ 		fatal_fr(r, "kex_assemble_namelist");
+ 	free(all_key);
+ 
+	memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
+ 	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
+ 		fatal_f("kex_names_cat");
+ 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
+@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
 
 	if (!authctxt.success)
 		fatal("Authentication failed.");
@ -1147,16 +1169,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	 * tty allocated.
 +	 */
 +	if ((options.none_switch == 1) && (options.none_enabled == 1)) {
-+		char *myproposal[PROPOSAL_MAX];
-+		char *s = NULL;
-+		const char *none_cipher = "none";
-+
 +		if (!tty_flag) { /* no null on tty sessions */
 +			debug("Requesting none rekeying...");
-+			kex_proposal_populate_entries(ssh, myproposal, s, none_cipher,
-+			    options.macs,
-+			    compression_alg_list(options.compression),
-+			    options.hostkeyalgorithms);
+			memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
+			myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
+			myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
 +			kex_prop2buf(ssh->kex->my, myproposal);
 +			packet_request_rekeying();
 +			fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
@ -1269,11 +1286,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
--- version.h.orig	2023-07-18 23:31:34.000000000 -0700
-+++ version.h	2023-07-21 07:27:08.311422000 -0700
+--- work/openssh-7.7p1/version.h.orig	2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/version.h	2018-06-27 17:13:57.263086000 -0700
@@ -4,3 +4,4 @@
 
- #define SSH_PORTABLE	"p2"
+ #define SSH_PORTABLE	"p1"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 +#define SSH_HPN         "-hpn14v15"
 --- work/openssh/kex.h.orig	2019-07-10 17:35:36.523216000 -0700