kiwi/klara-ww2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

9.6

Browse Source
This commit is contained in:
Xavier Beaudouin
2024-10-07 16:19:51 +02:00
parent 317bd8d30d
commit c469356292
7 changed files with 74 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
security/openssh-portable/files/extra-patch-hpn
View File

@ -309,50 +309,50 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
free(cipher_list);
return 0;
}
--- work/openssh/clientloop.c.orig 2022-02-23 03:31:11.000000000 -0800
+++ work/openssh/clientloop.c 2022-03-02 12:53:47.624273000 -0800
@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques
--- work/openssh/clientloop.c.orig 2023-12-18 06:59:50.000000000 -0800
+++ work/openssh/clientloop.c 2024-01-08 16:27:47.806586000 -0800
@@ -1813,6 +1813,15 @@ client_request_x11(struct ssh *ssh, const char *reques
sock = x11_connect_display(ssh);
if (sock < 0)
return NULL;
+#ifdef HPN_ENABLED
+ /* again is this really necessary for X11? */
+ if (!options.hpn_disabled)
+ c = channel_new(ssh, "x11",
+ c = channel_new(ssh, "x11-connection",
+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+ options.hpn_buffer_size,
+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+ else
+#endif
c = channel_new(ssh, "x11",
c = channel_new(ssh, "x11-connection",
SSH_CHANNEL_X11_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ
@@ -1848,6 +1857,14 @@ client_request_agent(struct ssh *ssh, const char *requ
else
debug2_fr(r, "ssh_agent_bind_hostkey");
+#ifdef HPN_ENABLED
+ if (!options.hpn_disabled)
+ c = channel_new(ssh, "authentication agent connection",
+ c = channel_new(ssh, "agent-connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
+ "authentication agent connection", 1);
+ else
+#endif
c = channel_new(ssh, "authentication agent connection",
c = channel_new(ssh, "agent-connection",
SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
@@ -1876,6 +1893,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
}
debug("Tunnel forwarding using interface %s", ifname);
+#ifdef HPN_ENABLED
+ if (!options.hpn_disabled)
+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ c = channel_new(ssh, "tun-connection", SSH_CHANNEL_OPENING, fd, fd, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ else
+#endif
c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
c = channel_new(ssh, "tun-connection", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
--- work/openssh/compat.c.orig 2021-04-15 20:55:25.000000000 -0700
@ -421,9 +421,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
echo ""
--- work/openssh/kex.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ work/openssh/kex.c 2021-04-28 14:38:31.761909000 -0700
@@ -960,6 +960,20 @@ kex_choose_conf(struct ssh *ssh)
--- work/openssh/kex.c.orig 2023-12-18 06:59:50.000000000 -0800
+++ work/openssh/kex.c 2024-01-08 16:24:07.547292000 -0800
@@ -1252,6 +1252,20 @@ kex_choose_conf(struct ssh *ssh, uint32_t seq)
peer[ncomp] = NULL;
goto out;
}
@ -444,7 +444,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
debug("kex: %s cipher: %s MAC: %s compression: %s",
ctos ? "client->server" : "server->client",
newkeys->enc.name,
@@ -1170,7 +1184,7 @@ send_error(struct ssh *ssh, char *msg)
@@ -1462,7 +1476,7 @@ kex_exchange_identification(struct ssh *ssh, int timeo
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
@ -452,13 +452,13 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ const char *version_addendum, int hpn_disabled)
{
int remote_major, remote_minor, mismatch, oerrno = 0;
size_t len, i, n;
@@ -1187,8 +1201,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
size_t len, n;
@@ -1479,8 +1493,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
sshbuf_reset(our_version);
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n",
- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
+ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s%s\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+#ifdef HPN_ENABLED
+ hpn_disabled ? "" : SSH_HPN,
@ -1119,9 +1119,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
sshpkt_fatal(ssh, r, "banner exchange");
/* Put the connection into non-blocking mode. */
--- work/openssh/sshconnect2.c.orig 2021-08-19 21:03:49.000000000 -0700
+++ work/openssh/sshconnect2.c 2021-09-08 10:02:03.037982000 -0700
@@ -84,7 +84,13 @@
--- work/openssh/sshconnect2.c.orig 2023-03-15 14:28:19.000000000 -0700
+++ work/openssh/sshconnect2.c 2023-05-19 14:20:01.965073000 -0700
@@ -83,7 +83,13 @@ extern Options options;
extern char *client_version_string;
extern char *server_version_string;
extern Options options;
@ -1135,29 +1135,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/*
* SSH2 key exchange
*/
@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
return ret;
}
+static char *myproposal[PROPOSAL_MAX];
+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
void
ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
const struct ssh_conn_info *cinfo)
{
- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
char *s, *all_key;
int r, use_known_hosts_order = 0;
@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
fatal_fr(r, "kex_assemble_namelist");
free(all_key);
+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
fatal_f("kex_names_cat");
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
@@ -482,6 +488,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
@ -1169,11 +1147,16 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ * tty allocated.
+ */
+ if ((options.none_switch == 1) && (options.none_enabled == 1)) {
+ char *myproposal[PROPOSAL_MAX];
+ char *s = NULL;
+ const char *none_cipher = "none";
+
+ if (!tty_flag) { /* no null on tty sessions */
+ debug("Requesting none rekeying...");
+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
+ kex_proposal_populate_entries(ssh, myproposal, s, none_cipher,
+ options.macs,
+ compression_alg_list(options.compression),
+ options.hostkeyalgorithms);
+ kex_prop2buf(ssh->kex->my, myproposal);
+ packet_request_rekeying();
+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
@ -1286,8 +1269,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
--- work/openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700
--- work/openssh/version.h.orig 2023-12-18 06:59:50.000000000 -0800
+++ work/openssh/version.h 2024-01-08 16:22:25.632475000 -0800
@@ -4,3 +4,4 @@
#define SSH_PORTABLE "p1"