authorA. Wilcox <AWilcox@Wilcox-Tech.com>2018-07-29 03:13:39 -0500
committerA. Wilcox <AWilcox@Wilcox-Tech.com>2018-07-29 03:13:39 -0500
commit2552843d964162f7ba105775c05a231d9cdd4ae8 (patch)
tree977329dfae41ddd4e28b52914b1322516a86763b
parentcf4e117cdbf94bf75339cd49de4161a8c6189bbc (diff)
system/openssh: disable TCP forwarding by default
-rw-r--r--system/openssh/APKBUILD4
-rw-r--r--system/openssh/disable-forwarding-by-default.patch16
-rw-r--r--system/openssh/openssh-7.5p1-sandbox.patch23
-rw-r--r--system/openssh/openssh7.4-dynwindows.patch835
4 files changed, 19 insertions, 859 deletions
diff --git a/system/openssh/APKBUILD b/system/openssh/APKBUILD
index 496d6d7a4..f4ea3ae3c 100644
--- a/system/openssh/APKBUILD
+++ b/system/openssh/APKBUILD
@@ -4,7 +4,7 @@
pkgname=openssh
pkgver=7.7_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=1
+pkgrel=2
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
@@ -26,6 +26,7 @@ subpackages="$pkgname-doc
source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
bsd-compatible-realpath.patch
+ disable-forwarding-by-default.patch
fix-utmpx.patch
openssh7.4-peaktput.patch
sftp-interactive.patch
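Review bot: The two patch files this commit deletes (openssh-7.5p1-sandbox.patch and openssh7.4-dynwindows.patch) do not appear in the source= context here nor in the sha512sums hunk below, so as far as the visible lines show they were already unreferenced and their removal is dead-file cleanup rather than a behaviour change. The commit title only mentions TCP forwarding; a second line in the message such as `Also drop two patches that were no longer listed in source=` would save the next reader from diffing the source list to confirm nothing stopped being applied. The pkgrel bump in the first hunk is appropriate since the shipped sshd_config changes.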
@@ -151,6 +152,7 @@ server() {
sha512sums="597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261 openssh-7.7p1.tar.gz
f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch
+8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch
0c1e832cec420bc7b57558041d2288912a438db97050b87f6a57e94a2741a374cc5d141fe352968b0d1ba6accaff965794463fe9169d136678a8915a60d2f0b7 fix-utmpx.patch
398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6 openssh7.4-peaktput.patch
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
diff --git a/system/openssh/disable-forwarding-by-default.patch b/system/openssh/disable-forwarding-by-default.patch
new file mode 100644
index 000000000..9d27926d9
--- /dev/null
+++ b/system/openssh/disable-forwarding-by-default.patch
@@ -0,0 +1,16 @@
+--- openssh-7.7p1/sshd_config.old 2018-04-02 00:38:28.000000000 -0500
++++ openssh-7.7p1/sshd_config 2018-07-29 03:08:16.340000000 -0500
+@@ -82,9 +82,10 @@
+ #UsePAM no
+
+ #AllowAgentForwarding yes
+-#AllowTcpForwarding yes
+-#GatewayPorts no
+-#X11Forwarding no
++# Feel free to re-enable these if your use case requires them.
++AllowTcpForwarding no
++GatewayPorts no
++X11Forwarding no
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PermitTTY yes
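Review bot: The commit title says "disable TCP forwarding", but the hunk uncomments three directives; since the removed lines show `#GatewayPorts no` and `#X11Forwarding no` (the upstream defaults), only `AllowTcpForwarding no` actually changes behaviour, and the comment should say so rather than "Feel free to re-enable these", e.g. `# Distribution default: TCP forwarding is off (GatewayPorts and X11Forwarding restate upstream defaults). Re-enable per host or in a Match block if needed.` Note that `#AllowAgentForwarding yes` two lines above is left at its enabled default, so agent forwarding remains permitted while port forwarding is not; if the intent is a hardened baseline, that is worth an explicit decision either way. Because the change lives in the config file and not in sshd's compiled-in defaults, an sshd started with an alternate `-f` config, or an existing installation whose sshd_config is preserved on upgrade, will presumably still allow TCP forwarding — confirm against how this package handles config files on upgrade.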
diff --git a/system/openssh/openssh-7.5p1-sandbox.patch b/system/openssh/openssh-7.5p1-sandbox.patch
deleted file mode 100644
index 7d09632c8..000000000
--- a/system/openssh/openssh-7.5p1-sandbox.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 3a1aedce72c2..a8d472a63ccb 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -50,6 +50,9 @@
- #include <elf.h>
-
- #include <asm/unistd.h>
-+#ifdef __s390__
-+#include <asm/zcrypt.h>
-+#endif
-
- #include <errno.h>
- #include <signal.h>
-@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
- * x86-64 syscall under some circumstances, e.g.
- * https://bugs.debian.org/849923
- */
-- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
-+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
- #endif
-
- /* Default deny */
diff --git a/system/openssh/openssh7.4-dynwindows.patch b/system/openssh/openssh7.4-dynwindows.patch
deleted file mode 100644
index 45c42159e..000000000
--- a/system/openssh/openssh7.4-dynwindows.patch
+++ /dev/null
@@ -1,835 +0,0 @@
---- a/buffer.h
-+++ b/buffer.h
-@@ -16,6 +16,9 @@
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-+/* move the following to a more appropriate place and name */
-+#define BUFFER_MAX_LEN_HPN 0x4000000 /* 64MB */
-+
- /* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
-
- #ifndef BUFFER_H
---- a/channels.c
-+++ b/channels.c
-@@ -191,8 +191,14 @@
- static int connect_next(struct channel_connect *);
- static void channel_connect_ctx_free(struct channel_connect *);
-
-+
-+static int hpn_disabled = 0;
-+static int hpn_buffer_size = 2 * 1024 * 1024;
-+
- /* -- channel core */
-
-+
-+
- Channel *
- channel_by_id(int id)
- {
-@@ -356,6 +362,7 @@
- c->local_window_max = window;
- c->local_consumed = 0;
- c->local_maxpacket = maxpack;
-+ c->dynamic_window = 0;
- c->remote_id = -1;
- c->remote_name = xstrdup(remote_name);
- c->remote_window = 0;
-@@ -904,11 +911,35 @@
- FD_SET(c->sock, writeset);
- }
-
-+int channel_tcpwinsz () {
-+ u_int32_t tcpwinsz = 0;
-+ socklen_t optsz = sizeof(tcpwinsz);
-+ int ret = -1;
-+
-+ /* if we aren't on a socket return 128KB*/
-+ if(!packet_connection_is_on_socket())
-+ return(128*1024);
-+ ret = getsockopt(packet_get_connection_in(),
-+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
-+ /* return no more than 64MB */
-+ if ((ret == 0) && tcpwinsz > BUFFER_MAX_LEN_HPN)
-+ tcpwinsz = BUFFER_MAX_LEN_HPN;
-+ debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
-+ packet_get_connection_in());
-+ return(tcpwinsz);
-+}
-+
- static void
- channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
- {
- u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
-
-+ /* check buffer limits */
-+ if ((!c->tcpwinsz) || (c->dynamic_window > 0))
-+ c->tcpwinsz = channel_tcpwinsz();
-+
-+ limit = MIN(limit, 2 * c->tcpwinsz);
-+
- if (c->istate == CHAN_INPUT_OPEN &&
- limit > 0 &&
- buffer_len(&c->input) < limit &&
-@@ -1926,14 +1957,21 @@
- c->local_maxpacket*3) ||
- c->local_window < c->local_window_max/2) &&
- c->local_consumed > 0) {
-+ u_int addition = 0;
-+ /* adjust max window size if we are in a dynamic environment */
-+ if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
-+ /* grow the window somewhat aggressively to maintain pressure */
-+ addition = 1.5*(c->tcpwinsz - c->local_window_max);
-+ c->local_window_max += addition;
-+ }
- packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
- packet_put_int(c->remote_id);
-- packet_put_int(c->local_consumed);
-+ packet_put_int(c->local_consumed + addition);
- packet_send();
- debug2("channel %d: window %d sent adjust %d",
- c->self, c->local_window,
- c->local_consumed);
-- c->local_window += c->local_consumed;
-+ c->local_window += c->local_consumed + addition;
- c->local_consumed = 0;
- }
- return 1;
-@@ -3179,6 +3217,15 @@
- return addr;
- }
-
-+
-+void
-+channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
-+{
-+ hpn_disabled = external_hpn_disabled;
-+ hpn_buffer_size = external_hpn_buffer_size;
-+ debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
-+}
-+
- static int
- channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
- int *allocated_listen_port, struct ForwardOptions *fwd_opts)
-@@ -3307,9 +3354,15 @@
- }
-
- /* Allocate a channel number for the socket. */
-+ /* explicitly test for hpn disabled option. if true use smaller window size */
-+ if (hpn_disabled)
- c = channel_new("port listener", type, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "port listener", 1);
-+ else
-+ c = channel_new("port listener", type, sock, sock, -1,
-+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
-+ 0, "port listener", 1);
- c->path = xstrdup(host);
- c->host_port = fwd->connect_port;
- c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
-@@ -4313,10 +4366,17 @@
- *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
- for (n = 0; n < num_socks; n++) {
- sock = socks[n];
-+ /* Is this really necassary? */
-+ if (hpn_disabled)
- nc = channel_new("x11 listener",
- SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, "X11 inet listener", 1);
-+ else
-+ nc = channel_new("x11 listener",
-+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
-+ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
-+ 0, "X11 inet listener", 1);
- nc->single_connection = single_connection;
- (*chanids)[n] = nc->self;
- }
---- a/channels.h
-+++ b/channels.h
-@@ -135,8 +135,10 @@
- u_int local_window_max;
- u_int local_consumed;
- u_int local_maxpacket;
-+ int dynamic_window;
- int extended_usage;
- int single_connection;
-+ u_int tcpwinsz;
-
- char *ctype; /* type */
-
-@@ -173,8 +175,10 @@
- /* default window/packet sizes for tcp/x11-fwd-channel */
- #define CHAN_SES_PACKET_DEFAULT (32*1024)
- #define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
-+
- #define CHAN_TCP_PACKET_DEFAULT (32*1024)
- #define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
-+
- #define CHAN_X11_PACKET_DEFAULT (16*1024)
- #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
-
-@@ -318,5 +322,8 @@
- void chan_rcvd_ieof(Channel *);
- void chan_write_failed(Channel *);
- void chan_obuf_empty(Channel *);
-+
-+/* hpn handler */
-+void channel_set_hpn(int, int);
-
- #endif
---- a/clientloop.c
-+++ b/clientloop.c
-@@ -1990,9 +1990,15 @@
- sock = x11_connect_display();
- if (sock < 0)
- return NULL;
-+ /* again is this really necessary for X11? */
-+ if (options.hpn_disabled)
- c = channel_new("x11",
- SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-+ else
-+ c = channel_new("x11",
-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-+ options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
- c->force_drain = 1;
- return c;
- }
-@@ -2015,10 +2021,16 @@
- __func__, ssh_err(r));
- return NULL;
- }
-+ if (options.hpn_disabled)
- c = channel_new("authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
-- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
- "authentication agent connection", 1);
-+ else
-+ c = channel_new("authentication agent connection",
-+ SSH_CHANNEL_OPEN, sock, sock, -1,
-+ options.hpn_buffer_size, options.hpn_buffer_size, 0,
-+ "authentication agent connection", 1);
- c->force_drain = 1;
- return c;
- }
-@@ -2045,9 +2057,17 @@
- return -1;
- }
-
-+ if(options.hpn_disabled)
- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
-+ 0, "tun", 1);
-+ else
-+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
-+ 0, "tun", 1);
- c->datagram = 1;
-+
-+
-
- #if defined(SSH_TUN_FILTER)
- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
---- a/compat.c
-+++ b/compat.c
-@@ -40,7 +40,7 @@
-
- int compat13 = 0;
- int compat20 = 0;
--int datafellows = 0;
-+unsigned int datafellows = 0;
-
- void
- enable_compat20(void)
-@@ -63,7 +63,7 @@ compat_datafellows(const char *version)
- int i;
- static struct {
- char *pat;
-- int bugs;
-+ unsigned int bugs;
- } check[] = {
- { "OpenSSH-2.0*,"
- "OpenSSH-2.1*,"
-@@ -210,6 +210,12 @@ compat_datafellows(const char *version)
- debug("match: %s pat %s compat 0x%08x",
- version, check[i].pat, check[i].bugs);
- datafellows = check[i].bugs; /* XXX for now */
-+ /* Check to see if the remote side is OpenSSH and not HPN */
-+ if (strstr(version,"OpenSSH") != NULL &&
-+ strstr(version,"hpn") == NULL) {
-+ datafellows |= SSH_BUG_LARGEWINDOW;
-+ debug("Remote is NON-HPN aware");
-+ }
- return check[i].bugs;
- }
- }
-diff --git a/compat.h b/compat.h
-index 2be290a..453c85e 100644
---- a/compat.h
-+++ b/compat.h
-@@ -62,6 +62,7 @@
- #define SSH_BUG_CURVE25519PAD 0x10000000
- #define SSH_BUG_HOSTKEYS 0x20000000
- #define SSH_BUG_DHGEX_LARGE 0x40000000
-+#define SSH_BUG_LARGEWINDOW 0x80000000
-
- void enable_compat13(void);
- void enable_compat20(void);
-@@ -73,5 +74,5 @@ char *compat_kex_proposal(char *);
-
- extern int compat13;
- extern int compat20;
--extern int datafellows;
-+extern unsigned int datafellows;
- #endif
---- a/readconf.c
-+++ b/readconf.c
-@@ -154,6 +154,7 @@
- oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
- oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
- oPubkeyAuthentication,
-+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
- oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
- oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
-@@ -297,6 +298,11 @@
- { "ignoreunknown", oIgnoreUnknown },
- { "proxyjump", oProxyJump },
-
-+ { "tcprcvbufpoll", oTcpRcvBufPoll },
-+ { "tcprcvbuf", oTcpRcvBuf },
-+ { "hpndisabled", oHPNDisabled },
-+ { "hpnbuffersize", oHPNBufferSize },
-+
- { NULL, oBadOption }
- };
-
-@@ -973,6 +979,18 @@
- intptr = &options->check_host_ip;
- goto parse_flag;
-
-+ case oHPNDisabled:
-+ intptr = &options->hpn_disabled;
-+ goto parse_flag;
-+
-+ case oHPNBufferSize:
-+ intptr = &options->hpn_buffer_size;
-+ goto parse_int;
-+
-+ case oTcpRcvBufPoll:
-+ intptr = &options->tcp_rcv_buf_poll;
-+ goto parse_flag;
-+
- case oVerifyHostKeyDNS:
- intptr = &options->verify_host_key_dns;
- multistate_ptr = multistate_yesnoask;
-@@ -1165,6 +1183,10 @@
- intptr = &options->connection_attempts;
- goto parse_int;
-
-+ case oTcpRcvBuf:
-+ intptr = &options->tcp_rcv_buf;
-+ goto parse_int;
-+
- case oCipher:
- intptr = &options->cipher;
- arg = strdelim(&s);
-@@ -1845,6 +1867,10 @@
- options->ip_qos_interactive = -1;
- options->ip_qos_bulk = -1;
- options->request_tty = -1;
-+ options->hpn_disabled = -1;
-+ options->hpn_buffer_size = -1;
-+ options->tcp_rcv_buf_poll = -1;
-+ options->tcp_rcv_buf = -1;
- options->proxy_use_fdpass = -1;
- options->ignored_unknown = NULL;
- options->num_canonical_domains = 0;
-@@ -2008,6 +2034,28 @@
- options->server_alive_interval = 0;
- if (options->server_alive_count_max == -1)
- options->server_alive_count_max = 3;
-+ if (options->hpn_disabled == -1)
-+ options->hpn_disabled = 0;
-+ if (options->hpn_buffer_size > -1)
-+ {
-+ /* if a user tries to set the size to 0 set it to 1KB */
-+ if (options->hpn_buffer_size == 0)
-+ options->hpn_buffer_size = 1;
-+ /*limit the buffer to 64MB*/
-+ if (options->hpn_buffer_size > 64*1024)
-+ {
-+ options->hpn_buffer_size = 64*1024*1024;
-+ debug("User requested buffer larger than 64MB. Request reverted to 64MB");
-+ }
-+ else options->hpn_buffer_size *= 1024;
-+ debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
-+ }
-+ if (options->tcp_rcv_buf == 0)
-+ options->tcp_rcv_buf = 1;
-+ if (options->tcp_rcv_buf > -1)
-+ options->tcp_rcv_buf *=1024;
-+ if (options->tcp_rcv_buf_poll == -1)
-+ options->tcp_rcv_buf_poll = 1;
- if (options->control_master == -1)
- options->control_master = 0;
- if (options->control_persist == -1) {
---- a/readconf.h
-+++ b/readconf.h
-@@ -57,6 +57,10 @@ typedef struct {
- int compression_level; /* Compression level 1 (fast) to 9
- * (best). */
- int tcp_keep_alive; /* Set SO_KEEPALIVE. */
-+ int tcp_rcv_buf; /* user switch to set tcp recv buffer */
-+ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
-+ int hpn_disabled; /* Switch to disable HPN buffer management */
-+ int hpn_buffer_size; /* User definable size for HPN buffer window */
- int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- LogLevel log_level; /* Level for logging. */
---- a/scp.c
-+++ b/scp.c
-@@ -763,7 +763,7 @@
- off_t i, statbytes;
- size_t amt, nr;
- int fd = -1, haderr, indx;
-- char *last, *name, buf[2048], encname[PATH_MAX];
-+ char *last, *name, buf[16384], encname[PATH_MAX];
- int len;
-
- for (indx = 0; indx < argc; ++indx) {
-@@ -931,7 +931,7 @@
- off_t size, statbytes;
- unsigned long long ull;
- int setimes, targisdir, wrerrno = 0;
-- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
-+ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
- struct timeval tv[2];
-
- #define atime tv[0]
---- a/servconf.c
-+++ b/servconf.c
-@@ -159,6 +159,9 @@
- options->authorized_principals_file = NULL;
- options->authorized_principals_command = NULL;
- options->authorized_principals_command_user = NULL;
-+ options->tcp_rcv_buf_poll = -1;
-+ options->hpn_disabled = -1;
-+ options->hpn_buffer_size = -1;
- options->ip_qos_interactive = -1;
- options->ip_qos_bulk = -1;
- options->version_addendum = NULL;
-@@ -190,6 +193,7 @@
- void
- fill_default_server_options(ServerOptions *options)
- {
-+ int sock, socksize, socksizelen = sizeof(int);
- int i;
-
- /* Portable-specific options */
-@@ -319,6 +323,41 @@
- }
- if (options->permit_tun == -1)
- options->permit_tun = SSH_TUNMODE_NO;
-+ if (options->hpn_disabled == -1)
-+ options->hpn_disabled = 0;
-+
-+ if (options->hpn_buffer_size == -1) {
-+ /* option not explicitly set. Now we have to figure out */
-+ /* what value to use */
-+ if (options->hpn_disabled == 1) {
-+ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
-+ } else {
-+ /* get the current RCV size and set it to that */
-+ /*create a socket but don't connect it */
-+ /* we use that the get the rcv socket size */
-+ sock = socket(AF_INET, SOCK_STREAM, 0);
-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+ &socksize, &socksizelen);
-+ close(sock);
-+ options->hpn_buffer_size = socksize;
-+ debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
-+ }
-+ } else {
-+ /* we have to do this incase the user sets both values in a contradictory */
-+ /* manner. hpn_disabled overrrides hpn_buffer_size*/
-+ if (options->hpn_disabled <= 0) {
-+ if (options->hpn_buffer_size == 0)
-+ options->hpn_buffer_size = 1;
-+ /* limit the maximum buffer to 64MB */
-+ if (options->hpn_buffer_size > 64*1024) {
-+ options->hpn_buffer_size = 64*1024*1024;
-+ } else {
-+ options->hpn_buffer_size *= 1024;
-+ }
-+ } else
-+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
-+ }
-+
- if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
-@@ -413,6 +452,7 @@
- sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
- sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
- sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
-@@ -548,6 +588,9 @@
- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-+ { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
-+ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
-+ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
- { "ipqos", sIPQoS, SSHCFG_ALL },
- { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -587,6 +630,7 @@
-
- for (i = 0; keywords[i].name; i++)
- if (strcasecmp(cp, keywords[i].name) == 0) {
-+ debug ("Config token is %s", keywords[i].name);
- *flags = keywords[i].flags;
- return keywords[i].opcode;
- }
-@@ -1148,6 +1192,19 @@
- if (*activep && *intptr == -1)
- *intptr = value;
- break;
-+
-+
-+ case sTcpRcvBufPoll:
-+ intptr = &options->tcp_rcv_buf_poll;
-+ goto parse_flag;
-+
-+ case sHPNDisabled:
-+ intptr = &options->hpn_disabled;
-+ goto parse_flag;
-+
-+ case sHPNBufferSize:
-+ intptr = &options->hpn_buffer_size;
-+ goto parse_int;
-
- case sIgnoreUserKnownHosts:
- intptr = &options->ignore_user_known_hosts;
---- a/servconf.h
-+++ b/servconf.h
-@@ -166,6 +166,9 @@
- char *adm_forced_command;
-
- int use_pam; /* Enable auth via PAM */
-+ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
-+ int hpn_disabled; /* disable hpn functionality. false by default */
-+ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
-
- int permit_tun;
-
---- a/serverloop.c
-+++ b/serverloop.c
-@@ -526,8 +526,12 @@
- sock = tun_open(tun, mode);
- if (sock < 0)
- goto done;
-+ if (options.hpn_disabled)
- c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-+ else
-+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
-+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
- c->datagram = 1;
- #if defined(SSH_TUN_FILTER)
- if (mode == SSH_TUNMODE_POINTOPOINT)
-@@ -563,6 +567,8 @@
- c = channel_new("session", SSH_CHANNEL_LARVAL,
- -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
- 0, "server-session", 1);
-+ if ((options.tcp_rcv_buf_poll) && (!options.hpn_disabled))
-+ c->dynamic_window = 1;
- if (session_open(the_authctxt, c->self) != 1) {
- debug("session open failed, free channel %d", c->self);
- channel_free(c);
---- a/session.c
-+++ b/session.c
-@@ -220,6 +220,7 @@
- goto authsock_err;
-
- /* Allocate a channel for the authentication agent socket. */
-+ /* this shouldn't matter if its hpn or not - cjr */
- nc = channel_new("auth socket",
- SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-@@ -2121,10 +2122,16 @@
- */
- if (s->chanid == -1)
- fatal("no channel for session %d", s->self);
-+ if (options.hpn_disabled)
- channel_set_fds(s->chanid,
- fdout, fdin, fderr,
- ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
- 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
-+ else
-+ channel_set_fds(s->chanid,
-+ fdout, fdin, fderr,
-+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
-+ 1, is_tty, options.hpn_buffer_size);
- }
-
- /*
---- a/sftp.1
-+++ b/sftp.1
-@@ -266,7 +266,8 @@
- Specify how many requests may be outstanding at any one time.
- Increasing this may slightly improve file transfer speed
- but will increase memory usage.
--The default is 64 outstanding requests.
-+The default is 256 outstanding requests providing for 8MB
-+of outstanding data with a 32KB buffer.
- .It Fl r
- Recursively copy entire directories when uploading and downloading.
- Note that
---- a/sftp.c
-+++ b/sftp.c
-@@ -72,7 +72,7 @@
- #include "sftp-client.h"
-
- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
-
- /* File to read commands from */
- FILE* infile;
---- a/ssh.c
-+++ b/ssh.c
-@@ -1910,6 +1910,9 @@
- {
- Channel *c;
- int window, packetmax, in, out, err;
-+ int sock;
-+ int socksize;
-+ int socksizelen = sizeof(int);
-
- if (stdin_null_flag) {
- in = open(_PATH_DEVNULL, O_RDONLY);
-@@ -1930,9 +1933,74 @@
- if (!isatty(err))
- set_nonblock(err);
-
-- window = CHAN_SES_WINDOW_DEFAULT;
-+ /* we need to check to see if what they want to do about buffer */
-+ /* sizes here. In a hpn to nonhpn connection we want to limit */
-+ /* the window size to something reasonable in case the far side */
-+ /* has the large window bug. In hpn to hpn connection we want to */
-+ /* use the max window size but allow the user to override it */
-+ /* lastly if they disabled hpn then use the ssh std window size */
-+
-+ /* so why don't we just do a getsockopt() here and set the */
-+ /* ssh window to that? In the case of a autotuning receive */
-+ /* window the window would get stuck at the initial buffer */
-+ /* size generally less than 96k. Therefore we need to set the */
-+ /* maximum ssh window size to the maximum hpn buffer size */
-+ /* unless the user has specifically set the tcprcvbufpoll */
-+ /* to no. In which case we *can* just set the window to the */
-+ /* minimum of the hpn buffer size and tcp receive buffer size */
-+
-+ if (tty_flag)
-+ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
-+ else
-+ options.hpn_buffer_size = 2*1024*1024;
-+
-+ if (datafellows & SSH_BUG_LARGEWINDOW)
-+ {
-+ debug("HPN to Non-HPN Connection");
-+ }
-+ else
-+ {
-+ if (options.tcp_rcv_buf_poll <= 0)
-+ {
-+ sock = socket(AF_INET, SOCK_STREAM, 0);
-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+ &socksize, &socksizelen);
-+ close(sock);
-+ debug("socksize %d", socksize);
-+ options.hpn_buffer_size = socksize;
-+ debug ("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
-+ }
-+ else
-+ {
-+ if (options.tcp_rcv_buf > 0)
-+ {
-+ /*create a socket but don't connect it */
-+ /* we use that the get the rcv socket size */
-+ sock = socket(AF_INET, SOCK_STREAM, 0);
-+ /* if they are using the tcp_rcv_buf option */
-+ /* attempt to set the buffer size to that */
-+ if (options.tcp_rcv_buf)
-+ setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (void *)&options.tcp_rcv_buf,
-+ sizeof(options.tcp_rcv_buf));
-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+ &socksize, &socksizelen);
-+ close(sock);
-+ debug("socksize %d", socksize);
-+ options.hpn_buffer_size = socksize;
-+ debug ("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
-+ }
-+ }
-+ }
-+
-+ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
-+
-+ window = options.hpn_buffer_size;
-+
-+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
-+
- packetmax = CHAN_SES_PACKET_DEFAULT;
- if (tty_flag) {
-+ window = 4*CHAN_SES_PACKET_DEFAULT;
- window >>= 1;
- packetmax >>= 1;
- }
-@@ -1941,6 +2009,10 @@
- window, packetmax, CHAN_EXTENDED_WRITE,
- "client-session", /*nonblock*/0);
-
-+ if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) {
-+ c->dynamic_window = 1;
-+ debug ("Enabled Dynamic Window Scaling");
-+ }
- debug3("ssh_session2_open: channel_new: %d", c->self);
-
- channel_send_open(c->self);
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -267,6 +267,31 @@
- }
-
- /*
-+ * Set TCP receive buffer if requested.
-+ * Note: tuning needs to happen after the socket is
-+ * created but before the connection happens
-+ * so winscale is negotiated properly -cjr
-+ */
-+static void
-+ssh_set_socket_recvbuf(int sock)
-+{
-+ void *buf = (void *)&options.tcp_rcv_buf;
-+ int sz = sizeof(options.tcp_rcv_buf);
-+ int socksize;
-+ int socksizelen = sizeof(int);
-+
-+ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
-+ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
-+ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
-+ }
-+ else
-+ error("Couldn't set socket receive buffer to %d: %.100s",
-+ options.tcp_rcv_buf, strerror(errno));
-+}
-+
-+
-+/*
- * Creates a (possibly privileged) socket for use as the ssh connection.
- */
- static int
-@@ -282,6 +307,9 @@
- }
- fcntl(sock, F_SETFD, FD_CLOEXEC);
-
-+ if (options.tcp_rcv_buf > 0)
-+ ssh_set_socket_recvbuf(sock);
-+
- /* Bind the socket to an alternative local IP address */
- if (options.bind_address == NULL && !privileged)
- return sock;
-@@ -526,10 +554,10 @@
- /* Send our own protocol version identification. */
- if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
- } else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
-- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-+ PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
- }
- if (atomicio(vwrite, connection_out, client_version_string,
- strlen(client_version_string)) != strlen(client_version_string))
---- a/sshd.c
-+++ b/sshd.c
-@@ -1020,6 +1020,8 @@
- int ret, listen_sock, on = 1;
- struct addrinfo *ai;
- char ntop[NI_MAXHOST], strport[NI_MAXSERV];
-+ int socksize;
-+ int socksizelen = sizeof(int);
-
- for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
- if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1060,6 +1062,11 @@
-
- debug("Bind to port %s on %s.", strport, ntop);
-
-+ getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
-+ &socksize, &socksizelen);
-+ debug("Server TCP RWIN socket size: %d", socksize);
-+ debug("HPN Buffer Size: %d", options.hpn_buffer_size);
-+
- /* Bind the socket to the desired port. */
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
- error("Bind to port %s on %s failed: %.200s.",
-@@ -1977,6 +1984,9 @@
- verbose("Connection from %s port %d on %s port %d",
- remote_ip, remote_port, laddr, ssh_local_port(ssh));
- free(laddr);
-+
-+ /* set the HPN options for the child */
-+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
-
- /*
- * We don't want to listen forever unless the other side
---- a/sshd_config
-+++ b/sshd_config
-@@ -99,7 +99,7 @@
- #ClientAliveInterval 0
- #ClientAliveCountMax 3
- #UseDNS no
--#PidFile /var/run/sshd.pid
-+#PidFile /run/sshd.pid
- #MaxStartups 10:30:100
- #PermitTunnel no
- #ChrootDirectory none
-@@ -109,7 +109,18 @@
- #Banner none
-
- # override default of no subsystems
--Subsystem sftp /usr/libexec/sftp-server
-+Subsystem sftp /usr/lib/ssh/sftp-server
-+
-+# the following are HPN related configuration options
-+# tcp receive buffer polling. disable in non autotuning kernels
-+#TcpRcvBufPoll yes
-+
-+# disable hpn performance boosts
-+#HPNDisabled no
-+
-+# buffer size for hpn to non-hpn connections
-+#HPNBufferSize 2048
-+
-
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_7.4"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v4"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN