From 60c59fad8806c9734841a251ca860f88cd1d72f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= Date: Tue, 19 Jan 2016 14:38:20 +0000 Subject: [PATCH] As previously threatened, remove the HPN patch from OpenSSH. --- UPDATING | 4 ++ crypto/openssh/README.hpn | 95 ------------------------- crypto/openssh/buffer.c | 9 +-- crypto/openssh/buffer.h | 2 - crypto/openssh/channels.c | 96 +++---------------------- crypto/openssh/channels.h | 7 -- crypto/openssh/clientloop.c | 35 +++------- crypto/openssh/compat.c | 10 --- crypto/openssh/compat.h | 2 - crypto/openssh/misc.c | 31 --------- crypto/openssh/misc.h | 1 - crypto/openssh/readconf.c | 54 +------------- crypto/openssh/readconf.h | 10 +-- crypto/openssh/servconf.c | 51 -------------- crypto/openssh/servconf.h | 4 -- crypto/openssh/serverloop.c | 12 +--- crypto/openssh/session.c | 17 ++--- crypto/openssh/sftp.1 | 3 +- crypto/openssh/sftp.c | 2 +- crypto/openssh/ssh-agent.1 | 2 +- crypto/openssh/ssh.c | 49 +------------ crypto/openssh/ssh_config | 2 +- crypto/openssh/ssh_config.5 | 2 +- crypto/openssh/ssh_namespace.h | 124 +++++++++++++++++++++++++++------ crypto/openssh/sshconnect.c | 30 +------- crypto/openssh/sshd.c | 22 ++---- crypto/openssh/sshd_config | 11 +-- crypto/openssh/sshd_config.5 | 2 +- crypto/openssh/version.h | 3 +- 29 files changed, 158 insertions(+), 534 deletions(-) delete mode 100644 crypto/openssh/README.hpn diff --git a/UPDATING b/UPDATING index 126d8c13c829..1b98e40cbaf2 100644 --- a/UPDATING +++ b/UPDATING @@ -31,6 +31,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 11.x IS SLOW: disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20160119: + The NONE and HPN patches has been removed from OpenSSH. They are + still available in the security/openssh-portable port. + 20160113: With the addition of ypldap(8), a new _ypldap user is now required during installworld. "mergemaster -p" can be used to add the user 
diff --git a/crypto/openssh/README.hpn b/crypto/openssh/README.hpn
deleted file mode 100644
index f8afbc1ab945..000000000000
--- a/crypto/openssh/README.hpn
+++ /dev/null
@@ -1,95 +0,0 @@ -Notes: - -PERFORMANCE: - The performance increase will only be as good as the network and TCP stack - tuning on the reciever side of the connection allows. As a rule of thumb a - user will need at least 10Mb/s connection with a 100ms RTT to see a doubling - of performance. - The HPN-SSH home page http://www.psc.edu/networking/projects/hpn-ssh - describes this in greater detail. - - -BUFFER SIZES: -- if HPN is disabled the receive buffer size will be set to the OpenSSH default - of 64K. - -- if a HPN system connects to a non-HPN system the receive buffer will - be set to the HPNBufferSize value. The default is 2MB but user adjustable. - -- If a HPN to HPN connection is established a number of different things might - happen based on the user options and conditions. - - Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set - Result: HPN Buffer Size = up to 64MB - This is the default state. The HPN buffer size will grow to a maximum of - 64MB as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB - is geared towards 10GigE transcontinental connections. - - Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set - Result: HPN Buffer Size = TCP receive buffer value. - Users on non-autotuning systesm should disable TCPRcvBufPoll in the - ssh_cofig and sshd_config - - Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set - Result: HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. - This would be the system defined TCP receive buffer (RWIN). - - Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET - Result: HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. - Generally there is no need to set both. - - Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set - Result: HPN Buffer Size = grows to HPNBufferSize - The buffer will grow up to the maximum size specified here. 
- - Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET - Result: HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. - Generally there is no need to set both of these, especially on autotuning - systems. However, if the users wishes to override the autotuning this would - be one way to do it. - - Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET - Result: HPN Buffer Size = TCPRcvBuf. - This will override autotuning and set the TCP recieve buffer to the user - defined value. - - -HPN SPECIFIC CONFIGURATION OPTIONS: - -- HPNDisabled=[yes/no] client/server - In some situations, such as transfers on a local area network, the impact - of the HPN code produces a net decrease in performance. In these cases it is - helpful to disable the HPN functionality. By default HPNDisabled is set to no. - -- HPNBufferSize=[int]KB client/server - This is the default buffer size the HPN functionality uses when interacting - with non-HPN SSH installations. Conceptually this is similar to the TcpRcvBuf - option as applied to the internal SSH flow control. This value can range from - 1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause - performance problems depending on the roud trip time of the network path. - The default size of this buffer is 2MB. - -- TcpRcvBufPoll=[yes/no] client/server - Enable or disable the polling of the TCP receive buffer through the life - of the connection. You would want to make sure that this option is enabled - for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista, - FreeBSD 7.x and later). Default is yes. - -- TcpRcvBuf=[int]KB client - Set the TCP socket receive buffer to n Kilobytes. It can be set up to the - maximum socket size allowed by the system. This is useful in situations where - the TCP receive window is set low but the maximum buffer size is set higher - (as is typical). This works on a per TCP connection basis. 
You can also use
- this to artifically limit the transfer rate of the connection. In these cases
- the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
- Default is the current system wide TCP receive buffer size.
-
-
-CREDITS:
-
- This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
- The majority of the actual coding for versions up to HPN12v1 was performed
- by Michael Stevens (mstevens@andrew.cmu.edu).
- The MT-AES-CTR cipher was implemented by Ben Bennet (ben@psc.edu).
- This work was financed, in part, by Cisco System, Inc., the National Library
- of Medicine, and the National Science Foundation.
diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c
index f20d5583d748..5c05a7590eea 100644
--- a/crypto/openssh/buffer.c
+++ b/crypto/openssh/buffer.c
@@ -27,7 +27,7 @@ __RCSID("$FreeBSD$");
 #include "log.h"
 #define BUFFER_MAX_CHUNK 0x100000
-#define BUFFER_MAX_LEN 0x4000000 /* 64MB */
+#define BUFFER_MAX_LEN 0xa00000
 #define BUFFER_ALLOCSZ 0x008000
 /* Initializes the buffer structure. */
@@ -167,13 +167,6 @@ buffer_len(const Buffer *buffer)
 return buffer->end - buffer->offset;
 }
-/* Returns the maximum number of bytes of data that may be in the buffer. */
-u_int
-buffer_get_max_len(void)
-{
- return (BUFFER_MAX_LEN);
-}
-
 /* Gets data from the beginning of the buffer. */
 int
diff --git a/crypto/openssh/buffer.h b/crypto/openssh/buffer.h
index 39e04f9d3450..cbf0fc239ca5 100644
--- a/crypto/openssh/buffer.h
+++ b/crypto/openssh/buffer.h
@@ -47,8 +47,6 @@ int buffer_get_ret(Buffer *, void *, u_int);
 int buffer_consume_ret(Buffer *, u_int);
 int buffer_consume_end_ret(Buffer *, u_int);
-u_int buffer_get_max_len(void);
-
 #include
 void buffer_put_bignum(Buffer *, const BIGNUM *);
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
index 20d2f7ea912d..f3c020477716 100644
--- a/crypto/openssh/channels.c
+++ b/crypto/openssh/channels.c
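Review bot: The new `BUFFER_MAX_LEN` line in the buffer.c hunk replaces a commented constant with a bare `0xa00000`, so the define is no longer self-describing the way `0x4000000 /* 64MB */` was. `0xa00000` is 10 MiB; writing it as `#define BUFFER_MAX_LEN 0xa00000 /* 10MB */` keeps that visible next to `BUFFER_MAX_CHUNK`. This appears to be the ceiling that buffer growth is checked against elsewhere in buffer.c (not in this hunk), so a reader auditing memory limits benefits from seeing the size in human units; the value itself presumably restores the pre-HPN default.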
@@ -174,11 +174,6 @@ static void port_open_helper(Channel *c, char *rtype);
 static int connect_next(struct channel_connect *);
 static void channel_connect_ctx_free(struct channel_connect *);
-/* -- HPN */
-
-static int hpn_disabled = 0;
-static u_int buffer_size = CHAN_HPN_MIN_WINDOW_DEFAULT;
-
 /* -- channel core */
 Channel *
@@ -325,7 +320,6 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
 c->self = found;
 c->type = type;
 c->ctype = ctype;
- c->dynamic_window = 0;
 c->local_window = window;
 c->local_window_max = window;
 c->local_consumed = 0;
@@ -826,45 +820,10 @@ channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
 FD_SET(c->sock, writeset);
 }
-static u_int
-channel_tcpwinsz(void)
-{
- u_int32_t tcpwinsz;
- socklen_t optsz;
- int ret, sd;
- u_int maxlen;
-
- /* If we are not on a socket return 128KB. */
- if (!packet_connection_is_on_socket())
- return (128 * 1024);
-
- tcpwinsz = 0;
- optsz = sizeof(tcpwinsz);
- sd = packet_get_connection_in();
- ret = getsockopt(sd, SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
-
- /* Return no more than the maximum buffer size. */
- maxlen = buffer_get_max_len();
- if ((ret == 0) && tcpwinsz > maxlen)
- tcpwinsz = maxlen;
- /* In case getsockopt() failed return a minimum. */
- if (tcpwinsz == 0)
- tcpwinsz = CHAN_TCP_WINDOW_DEFAULT;
- debug2("tcpwinsz: %d for connection: %d", tcpwinsz, sd);
- return (tcpwinsz);
-}
-
 static void
 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
 {
- u_int limit;
-
- /* Check buffer limits. */
- if (!c->tcpwinsz || c->dynamic_window > 0)
- c->tcpwinsz = channel_tcpwinsz();
-
- limit = MIN(compat20 ? c->remote_window : packet_get_maxsize(),
- 2 * c->tcpwinsz);
+ u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
 if (c->istate == CHAN_INPUT_OPEN && limit > 0 &&
@@ -1857,25 +1816,14 @@ channel_check_window(Channel *c)
 c->local_maxpacket*3) ||
 c->local_window < c->local_window_max/2) &&
 c->local_consumed > 0) {
- u_int addition = 0;
-
- /* Adjust max window size if we are in a dynamic environment. */
- if (c->dynamic_window && c->tcpwinsz > c->local_window_max) {
- /*
- * Grow the window somewhat aggressively to maintain
- * pressure.
- */
- addition = 1.5 * (c->tcpwinsz - c->local_window_max);
- c->local_window_max += addition;
- }
 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
 packet_put_int(c->remote_id);
- packet_put_int(c->local_consumed + addition);
+ packet_put_int(c->local_consumed);
 packet_send();
 debug2("channel %d: window %d sent adjust %d", c->self,
 c->local_window, c->local_consumed);
- c->local_window += c->local_consumed + addition;
+ c->local_window += c->local_consumed;
 c->local_consumed = 0;
 }
 return 1;
@@ -2739,14 +2687,6 @@ channel_set_af(int af)
 IPv4or6 = af;
 }
-void
-channel_set_hpn(int disabled, u_int buf_size)
-{
- hpn_disabled = disabled;
- buffer_size = buf_size;
- debug("HPN Disabled: %d, HPN Buffer Size: %d",
- hpn_disabled, buffer_size);
-}
 /*
 * Determine whether or not a port forward listens to loopback, the
@@ -2924,18 +2864,10 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
 *allocated_listen_port);
 }
- /*
- * Allocate a channel number for the socket. Explicitly test
- * for hpn disabled option. If true use smaller window size.
- */
- if (hpn_disabled)
- c = channel_new("port listener", type, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "port listener", 1);
- else
- c = channel_new("port listener", type, sock, sock, -1,
- buffer_size, CHAN_TCP_PACKET_DEFAULT,
- 0, "port listener", 1);
+ /* Allocate a channel number for the socket. */
+ c = channel_new("port listener", type, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1);
 c->path = xstrdup(host);
 c->host_port = port_to_connect;
 c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
@@ -3583,16 +3515,10 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
 *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
 for (n = 0; n < num_socks; n++) {
 sock = socks[n];
- if (hpn_disabled)
- nc = channel_new("x11 listener",
- SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, "X11 inet listener", 1);
- else
- nc = channel_new("x11 listener",
- SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- buffer_size, CHAN_X11_PACKET_DEFAULT,
- 0, "X11 inet listener", 1);
+ nc = channel_new("x11 listener",
+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+ 0, "X11 inet listener", 1);
 nc->single_connection = single_connection;
 (*chanids)[n] = nc->self;
 }
diff --git a/crypto/openssh/channels.h b/crypto/openssh/channels.h
index 68ebf098b16f..90df28a159ed 100644
--- a/crypto/openssh/channels.h
+++ b/crypto/openssh/channels.h
@@ -133,8 +133,6 @@ struct Channel {
 u_int local_window_max;
 u_int local_consumed;
 u_int local_maxpacket;
- u_int tcpwinsz;
- int dynamic_window;
 int extended_usage;
 int single_connection;
@@ -176,7 +174,6 @@ struct Channel {
 #define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
 #define CHAN_X11_PACKET_DEFAULT (16*1024)
 #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
-#define CHAN_HPN_MIN_WINDOW_DEFAULT (2*1024*1024)
 /* possible input states */
 #define CHAN_INPUT_OPEN 0
@@ -310,8 +307,4 @@ void chan_rcvd_ieof(Channel *);
 void chan_write_failed(Channel *);
 void chan_obuf_empty(Channel *);
-/* hpn handler */
-
-void channel_set_hpn(int, u_int);
-
 #endif
diff --git a/crypto/openssh/clientloop.c b/crypto/openssh/clientloop.c
index d9debd2c4d3b..9f5ecd86dd69 100644
--- a/crypto/openssh/clientloop.c
+++ b/crypto/openssh/clientloop.c
@@ -1892,14 +1892,9 @@ client_request_x11(const char *request_type, int rchan)
 sock = x11_connect_display();
 if (sock < 0)
 return NULL;
- if (options.hpn_disabled)
- c = channel_new("x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, "x11", 1);
- else
- c = channel_new("x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
- 0, "x11", 1);
+ c = channel_new("x11",
+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 c->force_drain = 1;
 return c;
 }
@@ -1919,16 +1914,10 @@ client_request_agent(const char *request_type, int rchan)
 sock = ssh_get_authentication_socket();
 if (sock < 0)
 return NULL;
- if (options.hpn_disabled)
- c = channel_new("authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
- "authentication agent connection", 1);
- else
- c = channel_new("authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
- options.hpn_buffer_size, options.hpn_buffer_size, 0,
- "authentication agent connection", 1);
+ c = channel_new("authentication agent connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+ "authentication agent connection", 1);
 c->force_drain = 1;
 return c;
 }
@@ -1955,14 +1944,8 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
 return -1;
 }
- if (options.hpn_disabled)
- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "tun", 1);
- else
- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
- 0, "tun", 1);
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 c->datagram = 1;
 #if defined(SSH_TUN_FILTER)
diff --git a/crypto/openssh/compat.c b/crypto/openssh/compat.c
index ba8856b0e9df..e3c6392f2590 100644
--- a/crypto/openssh/compat.c
+++ b/crypto/openssh/compat.c
@@ -178,16 +178,6 @@ compat_datafellows(const char *version)
 datafellows = check[i].bugs;
 debug("match: %s pat %s compat 0x%08x",
 version, check[i].pat, datafellows);
- /*
- * Check to see if the remote side is OpenSSH and not
- * HPN. It is utterly strange to check it from the
- * version string and expose the option that way.
- */
- if (strstr(version,"OpenSSH") != NULL &&
- strstr(version,"hpn") == NULL) {
- datafellows |= SSH_BUG_LARGEWINDOW;
- debug("Remote is not HPN-aware");
- }
 return;
 }
 }
diff --git a/crypto/openssh/compat.h b/crypto/openssh/compat.h
index 4af221f24ec5..7b4bb4a89b19 100644
--- a/crypto/openssh/compat.h
+++ b/crypto/openssh/compat.h
@@ -62,8 +62,6 @@
 #define SSH_BUG_DYNAMIC_RPORT 0x08000000
 #define SSH_BUG_CURVE25519PAD 0x10000000
-#define SSH_BUG_LARGEWINDOW 0x80000000
-
 void enable_compat13(void);
 void enable_compat20(void);
 void compat_datafellows(const char *);
diff --git a/crypto/openssh/misc.c b/crypto/openssh/misc.c
index 4b9e930a7f23..fdefb955a151 100644
--- a/crypto/openssh/misc.c
+++ b/crypto/openssh/misc.c
@@ -1037,34 +1037,3 @@ sock_set_v6only(int s)
 error("setsockopt IPV6_V6ONLY: %s", strerror(errno));
 #endif
 }
-
-void
-sock_get_rcvbuf(int *size, int rcvbuf)
-{
- int sock, socksize;
- socklen_t socksizelen = sizeof(socksize);
-
- /*
- * Create a socket but do not connect it. We use it
- * only to get the rcv socket size.
- */
- sock = socket(AF_INET6, SOCK_STREAM, 0);
- if (sock < 0)
- sock = socket(AF_INET, SOCK_STREAM, 0);
- if (sock < 0)
- return;
-
- /*
- * If the tcp_rcv_buf option is set and passed in, attempt to set the
- * buffer size to its value.
- */
- if (rcvbuf)
- setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (void *)&rcvbuf,
- sizeof(rcvbuf));
-
- if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
- &socksize, &socksizelen) == 0)
- if (size != NULL)
- *size = socksize;
- close(sock);
-}
diff --git a/crypto/openssh/misc.h b/crypto/openssh/misc.h
index ce4d78c13d05..81f491016fe6 100644
--- a/crypto/openssh/misc.h
+++ b/crypto/openssh/misc.h
@@ -40,7 +40,6 @@ time_t monotime(void);
 void lowercase(char *s);
 void sock_set_v6only(int);
-void sock_get_rcvbuf(int *, int);
 struct passwd *pwcopy(struct passwd *);
 const char *ssh_gai_strerror(int);
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index 9cf6ab9bae8e..0958739179f1 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -152,9 +152,8 @@ typedef enum {
 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
- oIgnoredUnknownOption,
- oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
- oVersionAddendum, oDeprecated, oUnsupported
+ oVersionAddendum,
+ oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 /* Textual representations of the tokens. */
@@ -267,10 +266,6 @@ static struct {
 { "canonicalizemaxdots", oCanonicalizeMaxDots },
 { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
 { "ignoreunknown", oIgnoreUnknown },
- { "hpndisabled", oHPNDisabled },
- { "hpnbuffersize", oHPNBufferSize },
- { "tcprcvbufpoll", oTcpRcvBufPoll },
- { "tcprcvbuf", oTcpRcvBuf },
 { "versionaddendum", oVersionAddendum },
 { NULL, oBadOption }
@@ -1352,22 +1347,6 @@ process_config_line(Options *options, struct passwd *pw, const char *host,
 multistate_ptr = multistate_requesttty;
 goto parse_multistate;
- case oHPNDisabled:
- intptr = &options->hpn_disabled;
- goto parse_flag;
-
- case oHPNBufferSize:
- intptr = &options->hpn_buffer_size;
- goto parse_int;
-
- case oTcpRcvBufPoll:
- intptr = &options->tcp_rcv_buf_poll;
- goto parse_flag;
-
- case oTcpRcvBuf:
- intptr = &options->tcp_rcv_buf;
- goto parse_int;
-
 case oVersionAddendum:
 if (s == NULL)
 fatal("%.200s line %d: Missing argument.", filename,
@@ -1623,10 +1602,6 @@ initialize_options(Options * options)
 options->canonicalize_fallback_local = -1;
 options->canonicalize_hostname = -1;
 options->version_addendum = NULL;
- options->hpn_disabled = -1;
- options->hpn_buffer_size = -1;
- options->tcp_rcv_buf_poll = -1;
- options->tcp_rcv_buf = -1;
 }
 /*
@@ -1821,31 +1796,6 @@ fill_default_options(Options * options)
 /* options->preferred_authentications will be set in ssh */
 if (options->version_addendum == NULL)
 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
- if (options->hpn_disabled == -1)
- options->hpn_disabled = 0;
- if (options->hpn_buffer_size > -1)
- {
- u_int maxlen;
-
- /* If a user tries to set the size to 0 set it to 1KB. */
- if (options->hpn_buffer_size == 0)
- options->hpn_buffer_size = 1024;
- /* Limit the buffer to BUFFER_MAX_LEN. */
- maxlen = buffer_get_max_len();
- if (options->hpn_buffer_size > (maxlen / 1024)) {
- debug("User requested buffer larger than %ub: %ub. "
- "Request reverted to %ub", maxlen,
- options->hpn_buffer_size * 1024, maxlen);
- options->hpn_buffer_size = maxlen;
- }
- debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
- }
- if (options->tcp_rcv_buf == 0)
- options->tcp_rcv_buf = 1;
- if (options->tcp_rcv_buf > -1)
- options->tcp_rcv_buf *= 1024;
- if (options->tcp_rcv_buf_poll == -1)
- options->tcp_rcv_buf_poll = 1;
 }
 /*
diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h
index a0bac04603c6..b20b878693a0 100644
--- a/crypto/openssh/readconf.h
+++ b/crypto/openssh/readconf.h
@@ -153,17 +153,9 @@ typedef struct {
 int num_permitted_cnames;
 struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
- char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
- char *version_addendum; /* Appended to SSH banner */
- int hpn_disabled; /* Switch to disable HPN buffer management. */
- int hpn_buffer_size; /* User definable size for HPN buffer
- * window. */
- int tcp_rcv_buf_poll; /* Option to poll recv buf every window
- * transfer. */
- int tcp_rcv_buf; /* User switch to set tcp recv buffer. */
-
+ char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
 } Options;
 #define SSH_CANONICALISE_NO 0
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 5f7caeaa7d6e..2684cc2d6a7a 100644
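Review bot: The readconf.h hunk removes `char *version_addendum; /* Appended to SSH banner */` from `Options` together with the HPN members, but only `ignored_unknown` is added back, while the readconf.c hunks above keep `options->version_addendum = NULL;` in initialize_options and `options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);` in fill_default_options, and the ssh.c hunk later in this patch still reads `options.version_addendum`. Unless the member is also declared somewhere in `Options` outside this hunk, the client stops compiling once this patch is applied. The added line should be followed by `char *version_addendum; /* Appended to SSH banner */` so the struct keeps the field the rest of the patch relies on. The `Options` struct begins before this hunk.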
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -155,9 +155,6 @@ initialize_server_options(ServerOptions *options)
 options->ip_qos_interactive = -1;
 options->ip_qos_bulk = -1;
 options->version_addendum = NULL;
- options->hpn_disabled = -1;
- options->hpn_buffer_size = -1;
- options->tcp_rcv_buf_poll = -1;
 }
 void
@@ -318,38 +315,6 @@ fill_default_server_options(ServerOptions *options)
 }
 #endif
- if (options->hpn_disabled == -1)
- options->hpn_disabled = 0;
- if (options->hpn_buffer_size == -1) {
- /*
- * HPN buffer size option not explicitly set. Try to figure
- * out what value to use or resort to default.
- */
- options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
- if (!options->hpn_disabled) {
- sock_get_rcvbuf(&options->hpn_buffer_size, 0);
- debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
- }
- } else {
- /*
- * In the case that the user sets both values in a
- * contradictory manner hpn_disabled overrrides hpn_buffer_size.
- */
- if (options->hpn_disabled <= 0) {
- u_int maxlen;
-
- maxlen = buffer_get_max_len();
- if (options->hpn_buffer_size == 0)
- options->hpn_buffer_size = 1;
- /* Limit the maximum buffer to BUFFER_MAX_LEN. */
- if (options->hpn_buffer_size > maxlen / 1024)
- options->hpn_buffer_size = maxlen;
- else
- options->hpn_buffer_size *= 1024;
- } else {
- options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- }
- }
 }
 /* Keyword tokens. */
@@ -385,7 +350,6 @@ typedef enum {
 sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent,
- sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll,
 sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -512,9 +476,6 @@ static struct {
 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
- { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
- { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
- { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
 { NULL, sBadOption, 0 }
 };
@@ -1661,18 +1622,6 @@ process_server_config_line(ServerOptions *options, char *line,
 }
 return 0;
- case sHPNDisabled:
- intptr = &options->hpn_disabled;
- goto parse_flag;
-
- case sHPNBufferSize:
- intptr = &options->hpn_buffer_size;
- goto parse_int;
-
- case sTcpRcvBufPoll:
- intptr = &options->tcp_rcv_buf_poll;
- goto parse_flag;
-
 case sDeprecated:
 logit("%s line %d: Deprecated option %s",
 filename, linenum, arg);
diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h
index 2c37ceb45908..752d1c5ae083 100644
--- a/crypto/openssh/servconf.h
+++ b/crypto/openssh/servconf.h
@@ -181,10 +181,6 @@ typedef struct {
 char *version_addendum; /* Appended to SSH banner */
- int hpn_disabled; /* Disable HPN functionality. */
- int hpn_buffer_size; /* Set HPN buffer size - default 2MB.*/
- int tcp_rcv_buf_poll; /* Poll TCP rcv window in autotuning
- * kernels. */
 u_int num_auth_methods;
 char *auth_methods[MAX_AUTH_METHODS];
 } ServerOptions;
diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c
index addecaedb61c..c1e39b50320e 100644
--- a/crypto/openssh/serverloop.c
+++ b/crypto/openssh/serverloop.c
@@ -1016,14 +1016,8 @@ server_request_tun(void)
 sock = tun_open(tun, mode);
 if (sock < 0)
 goto done;
- if (options.hpn_disabled)
- c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
- "tun", 1);
- else
- c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
- options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
- "tun", 1);
+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 c->datagram = 1;
 #if defined(SSH_TUN_FILTER)
 if (mode == SSH_TUNMODE_POINTOPOINT)
@@ -1059,8 +1053,6 @@ server_request_session(void)
 c = channel_new("session", SSH_CHANNEL_LARVAL, -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, 0, "server-session", 1);
- if (!options.hpn_disabled && options.tcp_rcv_buf_poll)
- c->dynamic_window = 1;
 if (session_open(the_authctxt, c->self) != 1) {
 debug("session open failed, free channel %d", c->self);
 channel_free(c);
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index 430fc1e024e5..1de0c607a117 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -237,10 +237,7 @@ auth_input_request_forwarding(struct passwd * pw)
 goto authsock_err;
 }
- /*
- * Allocate a channel for the authentication agent socket.
- * Ignore HPN on that one given no improvement expected.
- */
+ /* Allocate a channel for the authentication agent socket. */
 nc = channel_new("auth socket", SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
@@ -2346,14 +2343,10 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr,
 */
 if (s->chanid == -1)
 fatal("no channel for session %d", s->self);
- if (options.hpn_disabled)
- channel_set_fds(s->chanid, fdout, fdin, fderr,
- ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
- 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
- else
- channel_set_fds(s->chanid, fdout, fdin, fderr,
- ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
- 1, is_tty, options.hpn_buffer_size);
+ channel_set_fds(s->chanid,
+ fdout, fdin, fderr,
+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+ 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
 }
 /*
diff --git a/crypto/openssh/sftp.1 b/crypto/openssh/sftp.1
index 8e00b132696d..a700c2adb4fe 100644
--- a/crypto/openssh/sftp.1
+++ b/crypto/openssh/sftp.1
@@ -261,8 +261,7 @@ diagnostic messages from
 Specify how many requests may be outstanding at any one time. Increasing this may slightly improve file transfer speed but will increase memory usage.
-The default is 256 outstanding requests providing for 8MB
-of outstanding data with a 32KB buffer.
+The default is 64 outstanding requests.
 .It Fl r
 Recursively copy entire directories when uploading and downloading. Note that
diff --git a/crypto/openssh/sftp.c b/crypto/openssh/sftp.c
index 3f0a88d64013..39df88eb26ab 100644
--- a/crypto/openssh/sftp.c
+++ b/crypto/openssh/sftp.c
@@ -69,7 +69,7 @@ typedef void EditLine;
 #include "sftp-client.h"
 #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
-#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
+#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
 /* File to read commands from */
 FILE* infile;
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
index 2a1c58e6c4e3..90b8fe52c11d 100644
--- a/crypto/openssh/ssh-agent.1
+++ b/crypto/openssh/ssh-agent.1
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 7, 2013
+.Dd $Mdocdate: December 7 2013 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
index 443dcd640c35..eaeb5c7724fb 100644
--- a/crypto/openssh/ssh.c
+++ b/crypto/openssh/ssh.c
@@ -633,13 +633,11 @@ main(int ac, char **av)
 case 'V':
 if (options.version_addendum &&
 *options.version_addendum != '\0')
- fprintf(stderr, "%s%s %s, %s\n", SSH_RELEASE,
- options.hpn_disabled ? "" : SSH_VERSION_HPN,
+ fprintf(stderr, "%s %s, %s\n", SSH_RELEASE,
 options.version_addendum, SSLeay_version(SSLEAY_VERSION));
 else
- fprintf(stderr, "%s%s, %s\n", SSH_R
ELEASE,
- options.hpn_disabled ? "" : SSH_VERSION_HPN,
+ fprintf(stderr, "%s, %s\n", SSH_RELEASE,
 SSLeay_version(SSLEAY_VERSION));
 if (opt == 'V')
 exit(0);
@@ -1657,46 +1655,9 @@ ssh_session2_open(void)
 if (!isatty(err))
 set_nonblock(err);
- /*
- * We need to check to see what to do about buffer sizes here.
- * - In an HPN to non-HPN connection we want to limit the window size to
- * something reasonable in case the far side has the large window bug.
- * - In an HPN to HPN connection we want to use the max window size but
- * allow the user to override it.
- * - Lastly if HPN is disabled then use the ssh standard window size.
- *
- * We cannot just do a getsockopt() here and set the ssh window to that
- * as in case of autotuning of socket buffers the window would get stuck
- * at the initial buffer size, generally less than 96k. Therefore we
- * need to set the maximum ssh window size to the maximum HPN buffer
- * size unless the user has set TcpRcvBufPoll to no. In that case we
- * can just set the window to the minimum of HPN buffer size and TCP
- * receive buffer size.
- */
- if (tty_flag)
- options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
- else
- options.hpn_buffer_size = CHAN_HPN_MIN_WINDOW_DEFAULT;
-
- if (datafellows & SSH_BUG_LARGEWINDOW) {
- debug("HPN to Non-HPN Connection");
- } else if (options.tcp_rcv_buf_poll <= 0) {
- sock_get_rcvbuf(&options.hpn_buffer_size, 0);
- debug("HPNBufferSize set to TCP RWIN: %d",
- options.hpn_buffer_size);
- } else if (options.tcp_rcv_buf > 0) {
- sock_get_rcvbuf(&options.hpn_buffer_size,
- options.tcp_rcv_buf);
- debug("HPNBufferSize set to user TCPRcvBuf: %d",
- options.hpn_buffer_size);
- }
- debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
- channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
- window = options.hpn_buffer_size;
-
+ window = CHAN_SES_WINDOW_DEFAULT;
 packetmax = CHAN_SES_PACKET_DEFAULT;
 if (tty_flag) {
- window = CHAN_SES_WINDOW_DEFAULT;
 window >>= 1;
 packetmax >>= 1;
 }
@@ -1704,10 +1665,6 @@ ssh_session2_open(void)
 "session", SSH_CHANNEL_OPENING, in, out, err, window, packetmax, CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
- if (!options.hpn_disabled && options.tcp_rcv_buf_poll > 0) {
- c->dynamic_window = 1;
- debug("Enabled Dynamic Window Scaling\n");
- }
 debug3("ssh_session2_open: channel_new: %d", c->self);
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
index 2d0297bca331..4452d526b606 100644
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@@ -48,4 +48,4 @@
 # ProxyCommand ssh -q -W %h:%p gateway.example.com
 # RekeyLimit 1G 1h
 # VerifyHostKeyDNS yes
-# VersionAddendum FreeBSD-20140420
+# VersionAddendum FreeBSD-20160119
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index adf0d2f50dd9..bef14fa64d4e 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -1423,7 +1423,7 @@ See also VERIFYING HOST KEYS in
 Specifies a string to append to the regular version string to identify OS- or site-specific modifications. The default is
-.Dq FreeBSD-20140420 .
+.Dq FreeBSD-20160119 .
 The value
 .Dq none
 may be used to disable this.
diff --git a/crypto/openssh/ssh_namespace.h b/crypto/openssh/ssh_namespace.h
index 50f9b18343e0..8b5e416af144 100644
--- a/crypto/openssh/ssh_namespace.h
+++ b/crypto/openssh/ssh_namespace.h
@@ -7,7 +7,11 @@
 *
 * A list of symbols which need munging is obtained as follows:
 *
- * nm libssh.a | awk '/[0-9a-z] [A-Z] / && $3 !~ /^ssh_/ { printf("#define %-39s ssh_%s\n", $3, $3) }' | unexpand -a | sort -u
+ # nm libprivatessh.a | LC_ALL=C awk '
+ /^[0-9a-z]+ [Tt] [A-Za-z_][0-9A-Za-z_]*$/ && $3 !~ /^ssh_/ {
+ printf("#define %-39s ssh_%s\n", $3, $3)
+ }' | unexpand -a | LC_ALL=C sort -u
+
 *
 * $FreeBSD$
 */
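Review bot: The four added lines of the symbol-generation recipe in the ssh_namespace.h header comment drop the ` * ` continuation prefix that every other line of that block comment carries, so the comment changes style mid-block and the leading `#` reads as a shell prompt rather than as comment text. Prefixing them like the line they replace, e.g. ` * # nm libprivatessh.a | LC_ALL=C awk '` with the awk body and the closing `}' | unexpand -a | LC_ALL=C sort -u` line prefixed the same way, keeps the header uniform. The remaining hunks in this file appear to be the define list regenerated by that command and raise nothing on their own.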
@@ -20,9 +24,13 @@ #define a2port ssh_a2port #define a2tun ssh_a2tun #define add_host_to_hostfile ssh_add_host_to_hostfile +#define add_p1p1 ssh_add_p1p1 #define addargs ssh_addargs #define addr_match_cidr_list ssh_addr_match_cidr_list #define addr_match_list ssh_addr_match_list +#define addr_netmatch ssh_addr_netmatch +#define addr_pton ssh_addr_pton +#define addr_pton_cidr ssh_addr_pton_cidr #define ask_permission ssh_ask_permission #define atomicio ssh_atomicio #define atomicio6 ssh_atomicio6 @@ -31,7 +39,10 @@ #define auth_request_forwarding ssh_auth_request_forwarding #define bandwidth_limit ssh_bandwidth_limit #define bandwidth_limit_init ssh_bandwidth_limit_init +#define barrett_reduce ssh_barrett_reduce +#define bcrypt_hash ssh_bcrypt_hash #define bcrypt_pbkdf ssh_bcrypt_pbkdf +#define bf_ssh1_cipher ssh_bf_ssh1_cipher #define blf_cbc_decrypt ssh_blf_cbc_decrypt #define blf_cbc_encrypt ssh_blf_cbc_encrypt #define blf_dec ssh_blf_dec @@ -70,7 +81,6 @@ #define buffer_get_int64 ssh_buffer_get_int64 #define buffer_get_int64_ret ssh_buffer_get_int64_ret #define buffer_get_int_ret ssh_buffer_get_int_ret -#define buffer_get_max_len ssh_buffer_get_max_len #define buffer_get_ret ssh_buffer_get_ret #define buffer_get_short ssh_buffer_get_short #define buffer_get_short_ret ssh_buffer_get_short_ret @@ -95,6 +105,7 @@ #define buffer_put_short ssh_buffer_put_short #define buffer_put_string ssh_buffer_put_string #define buffer_uncompress ssh_buffer_uncompress +#define cert_free ssh_cert_free #define chacha_encrypt_bytes ssh_chacha_encrypt_bytes #define chacha_ivsetup ssh_chacha_ivsetup #define chacha_keysetup ssh_chacha_keysetup 
@@ -109,6 +120,10 @@ #define chan_rcvd_ieof ssh_chan_rcvd_ieof #define chan_rcvd_oclose ssh_chan_rcvd_oclose #define chan_read_failed ssh_chan_read_failed +#define chan_send_eof2 ssh_chan_send_eof2 +#define chan_send_oclose1 ssh_chan_send_oclose1 +#define chan_shutdown_read ssh_chan_shutdown_read +#define chan_shutdown_write ssh_chan_shutdown_write #define chan_write_failed ssh_chan_write_failed #define channel_add_adm_permitted_opens ssh_channel_add_adm_permitted_opens #define channel_add_permitted_opens ssh_channel_add_permitted_opens @@ -121,6 +136,7 @@ #define channel_clear_permitted_opens ssh_channel_clear_permitted_opens #define channel_close_all ssh_channel_close_all #define channel_close_fd ssh_channel_close_fd +#define channel_close_fds ssh_channel_close_fds #define channel_connect_by_listen_address ssh_channel_connect_by_listen_address #define channel_connect_stdio_fwd ssh_channel_connect_stdio_fwd #define channel_connect_to ssh_channel_connect_to @@ -128,6 +144,8 @@ #define channel_find_open ssh_channel_find_open #define channel_free ssh_channel_free #define channel_free_all ssh_channel_free_all +#define channel_fwd_bind_addr ssh_channel_fwd_bind_addr +#define channel_handler ssh_channel_handler #define channel_input_close ssh_channel_input_close #define channel_input_close_confirmation ssh_channel_input_close_confirmation #define channel_input_data ssh_channel_input_data 
@@ -146,11 +164,28 @@ #define channel_open_message ssh_channel_open_message #define channel_output_poll ssh_channel_output_poll #define channel_permit_all_opens ssh_channel_permit_all_opens -#define channel_post ssh_channel_post -#define channel_pre ssh_channel_pre +#define channel_post_auth_listener ssh_channel_post_auth_listener +#define channel_post_connecting ssh_channel_post_connecting +#define channel_post_mux_client ssh_channel_post_mux_client +#define channel_post_mux_listener ssh_channel_post_mux_listener +#define channel_post_open ssh_channel_post_open +#define channel_post_output_drain_13 ssh_channel_post_output_drain_13 +#define channel_post_port_listener ssh_channel_post_port_listener +#define channel_post_x11_listener ssh_channel_post_x11_listener +#define channel_pre_connecting ssh_channel_pre_connecting +#define channel_pre_dynamic ssh_channel_pre_dynamic +#define channel_pre_input_draining ssh_channel_pre_input_draining +#define channel_pre_listener ssh_channel_pre_listener +#define channel_pre_mux_client ssh_channel_pre_mux_client +#define channel_pre_open ssh_channel_pre_open +#define channel_pre_open_13 ssh_channel_pre_open_13 +#define channel_pre_output_draining ssh_channel_pre_output_draining +#define channel_pre_x11_open ssh_channel_pre_x11_open +#define channel_pre_x11_open_13 ssh_channel_pre_x11_open_13 #define channel_prepare_select ssh_channel_prepare_select #define channel_print_adm_permitted_opens ssh_channel_print_adm_permitted_opens #define channel_register_cleanup ssh_channel_register_cleanup +#define channel_register_fds ssh_channel_register_fds #define channel_register_filter ssh_channel_register_filter #define channel_register_open_confirm ssh_channel_register_open_confirm #define channel_register_status_confirm ssh_channel_register_status_confirm 
@@ -161,14 +196,17 @@ #define channel_send_window_changes ssh_channel_send_window_changes #define channel_set_af ssh_channel_set_af #define channel_set_fds ssh_channel_set_fds -#define channel_set_hpn ssh_channel_set_hpn +#define channel_setup_fwd_listener ssh_channel_setup_fwd_listener #define channel_setup_local_fwd_listener ssh_channel_setup_local_fwd_listener #define channel_setup_remote_fwd_listener ssh_channel_setup_remote_fwd_listener #define channel_still_open ssh_channel_still_open #define channel_stop_listening ssh_channel_stop_listening #define channel_update_permitted_opens ssh_channel_update_permitted_opens +#define check_crc ssh_check_crc +#define check_hostkeys_by_key_or_type ssh_check_hostkeys_by_key_or_type #define check_key_in_hostkeys ssh_check_key_in_hostkeys #define choose_dh ssh_choose_dh +#define choose_t ssh_choose_t #define chop ssh_chop #define cipher_alg_list ssh_cipher_alg_list #define cipher_authlen ssh_cipher_authlen @@ -198,15 +236,17 @@ #define cleanup_exit ssh_cleanup_exit #define clear_cached_addr ssh_clear_cached_addr #define colon ssh_colon -#define compat13 ssh_compat13 -#define compat20 ssh_compat20 +#define compare ssh_compare +#define compare_gps ssh_compare_gps #define compat_cipher_proposal ssh_compat_cipher_proposal #define compat_datafellows ssh_compat_datafellows +#define compat_kex_proposal ssh_compat_kex_proposal #define compat_pkalg_proposal ssh_compat_pkalg_proposal +#define connect_next ssh_connect_next +#define connect_to ssh_connect_to #define convtime ssh_convtime #define crypto_hash_sha512 ssh_crypto_hash_sha512 #define crypto_hashblocks_sha512 ssh_crypto_hashblocks_sha512 -#define crypto_scalarmult_curve25519 ssh_crypto_scalarmult_curve25519 #define crypto_sign_ed25519 ssh_crypto_sign_ed25519 #define crypto_sign_ed25519_keypair ssh_crypto_sign_ed25519_keypair #define crypto_sign_ed25519_open ssh_crypto_sign_ed25519_open 
@@ -227,7 +267,6 @@ #define crypto_sign_ed25519_ref_fe25519_square ssh_crypto_sign_ed25519_ref_fe25519_square #define crypto_sign_ed25519_ref_fe25519_sub ssh_crypto_sign_ed25519_ref_fe25519_sub #define crypto_sign_ed25519_ref_fe25519_unpack ssh_crypto_sign_ed25519_ref_fe25519_unpack -#define crypto_sign_ed25519_ref_ge25519_base ssh_crypto_sign_ed25519_ref_ge25519_base #define crypto_sign_ed25519_ref_isneutral_vartime ssh_crypto_sign_ed25519_ref_isneutral_vartime #define crypto_sign_ed25519_ref_pack ssh_crypto_sign_ed25519_ref_pack #define crypto_sign_ed25519_ref_sc25519_2interleave2 ssh_crypto_sign_ed25519_ref_sc25519_2interleave2 @@ -248,8 +287,7 @@ #define crypto_sign_ed25519_ref_shortsc25519_from16bytes ssh_crypto_sign_ed25519_ref_shortsc25519_from16bytes #define crypto_sign_ed25519_ref_unpackneg_vartime ssh_crypto_sign_ed25519_ref_unpackneg_vartime #define crypto_verify_32 ssh_crypto_verify_32 -#define current_keys ssh_current_keys -#define datafellows ssh_datafellows +#define dbl_p1p1 ssh_dbl_p1p1 #define debug ssh_debug #define debug2 ssh_debug2 #define debug3 ssh_debug3 @@ -264,8 +302,6 @@ #define dh_new_group14 ssh_dh_new_group14 #define dh_new_group_asc ssh_dh_new_group_asc #define dh_pub_is_valid ssh_dh_pub_is_valid -#define digests ssh_digests -#define dispatch ssh_dispatch #define dispatch_init ssh_dispatch_init #define dispatch_protocol_error ssh_dispatch_protocol_error #define dispatch_protocol_ignore ssh_dispatch_protocol_ignore @@ -283,6 +319,7 @@ #define explicit_bzero ssh_explicit_bzero #define export_dns_rr ssh_export_dns_rr #define fatal ssh_fatal +#define filter_proposal ssh_filter_proposal #define fmt_scaled ssh_fmt_scaled #define free_hostkeys ssh_free_hostkeys #define freeargs ssh_freeargs 
@@ -298,20 +335,27 @@ #define get_remote_name_or_ip ssh_get_remote_name_or_ip #define get_remote_port ssh_get_remote_port #define get_sock_port ssh_get_sock_port +#define get_socket_address ssh_get_socket_address #define get_u16 ssh_get_u16 #define get_u32 ssh_get_u32 #define get_u64 ssh_get_u64 #define getrrsetbyname ssh_getrrsetbyname #define glob ssh_glob +#define glob0 ssh_glob0 +#define glob2 ssh_glob2 +#define globexp1 ssh_globexp1 +#define globextend ssh_globextend #define globfree ssh_globfree #define host_hash ssh_host_hash #define hostfile_read_key ssh_hostfile_read_key #define hpdelim ssh_hpdelim -#define incoming_stream ssh_incoming_stream #define init_hostkeys ssh_init_hostkeys #define iptos2str ssh_iptos2str #define ipv64_normalise_mapped ssh_ipv64_normalise_mapped +#define is_key_revoked ssh_is_key_revoked +#define kex_alg_by_name ssh_kex_alg_by_name #define kex_alg_list ssh_kex_alg_list +#define kex_buf2prop ssh_kex_buf2prop #define kex_c25519_hash ssh_kex_c25519_hash #define kex_derive_keys ssh_kex_derive_keys #define kex_derive_keys_bn ssh_kex_derive_keys_bn @@ -321,6 +365,8 @@ #define kex_get_newkeys ssh_kex_get_newkeys #define kex_input_kexinit ssh_kex_input_kexinit #define kex_names_valid ssh_kex_names_valid +#define kex_prop_free ssh_kex_prop_free +#define kex_protocol_error ssh_kex_protocol_error #define kex_send_kexinit ssh_kex_send_kexinit #define kex_setup ssh_kex_setup #define kexc25519_client ssh_kexc25519_client @@ -354,6 +400,7 @@ #define key_fingerprint_raw ssh_key_fingerprint_raw #define key_free ssh_key_free #define key_from_blob ssh_key_from_blob +#define key_from_blob2 ssh_key_from_blob2 #define key_from_private ssh_key_from_private #define key_generate ssh_key_generate #define key_in_file ssh_key_in_file 
@@ -370,9 +417,14 @@ #define key_new ssh_key_new #define key_new_private ssh_key_new_private #define key_parse_private ssh_key_parse_private +#define key_parse_private2 ssh_key_parse_private2 +#define key_parse_private_pem ssh_key_parse_private_pem +#define key_parse_private_type ssh_key_parse_private_type +#define key_parse_public_rsa1 ssh_key_parse_public_rsa1 #define key_perm_ok ssh_key_perm_ok #define key_private_deserialize ssh_key_private_deserialize #define key_private_serialize ssh_key_private_serialize +#define key_private_to_blob2 ssh_key_private_to_blob2 #define key_read ssh_key_read #define key_save_private ssh_key_save_private #define key_sign ssh_key_sign @@ -381,6 +433,7 @@ #define key_ssh_name_plain ssh_key_ssh_name_plain #define key_to_blob ssh_key_to_blob #define key_to_certified ssh_key_to_certified +#define key_try_load_public ssh_key_try_load_public #define key_type ssh_key_type #define key_type_from_name ssh_key_type_from_name #define key_type_is_cert ssh_key_type_is_cert @@ -405,6 +458,7 @@ #define mac_init ssh_mac_init #define mac_setup ssh_mac_setup #define mac_valid ssh_mac_valid +#define match ssh_match #define match_host_and_ip ssh_match_host_and_ip #define match_hostname ssh_match_hostname #define match_list ssh_match_list 
@@ -417,13 +471,16 @@ #define monotime ssh_monotime #define ms_subtract_diff ssh_ms_subtract_diff #define ms_to_timeval ssh_ms_to_timeval +#define mult ssh_mult #define mysignal ssh_mysignal -#define outgoing_stream ssh_outgoing_stream +#define nh_aux ssh_nh_aux +#define nh_final ssh_nh_final #define packet_add_padding ssh_packet_add_padding #define packet_backup_state ssh_packet_backup_state #define packet_close ssh_packet_close #define packet_connection_is_on_socket ssh_packet_connection_is_on_socket #define packet_disconnect ssh_packet_disconnect +#define packet_enable_delayed_compress ssh_packet_enable_delayed_compress #define packet_get_bignum ssh_packet_get_bignum #define packet_get_bignum2 ssh_packet_get_bignum2 #define packet_get_char ssh_packet_get_char @@ -470,6 +527,7 @@ #define packet_remaining ssh_packet_remaining #define packet_restore_state ssh_packet_restore_state #define packet_send ssh_packet_send +#define packet_send2_wrapped ssh_packet_send2_wrapped #define packet_send_debug ssh_packet_send_debug #define packet_send_ignore ssh_packet_send_ignore #define packet_set_alive_timeouts ssh_packet_set_alive_timeouts 
@@ -488,20 +546,32 @@ #define packet_set_timeout ssh_packet_set_timeout #define packet_start ssh_packet_start #define packet_start_compression ssh_packet_start_compression +#define packet_start_discard ssh_packet_start_discard +#define packet_stop_discard ssh_packet_stop_discard #define packet_write_poll ssh_packet_write_poll #define packet_write_wait ssh_packet_write_wait #define parse_ipqos ssh_parse_ipqos +#define parse_prime ssh_parse_prime #define percent_expand ssh_percent_expand #define permanently_drop_suid ssh_permanently_drop_suid #define permanently_set_uid ssh_permanently_set_uid #define permitopen_port ssh_permitopen_port #define pkcs11_add_provider ssh_pkcs11_add_provider #define pkcs11_del_provider ssh_pkcs11_del_provider +#define pkcs11_fetch_keys_filter ssh_pkcs11_fetch_keys_filter +#define pkcs11_find ssh_pkcs11_find #define pkcs11_init ssh_pkcs11_init -#define pkcs11_interactive ssh_pkcs11_interactive -#define pkcs11_providers ssh_pkcs11_providers +#define pkcs11_provider_finalize ssh_pkcs11_provider_finalize +#define pkcs11_provider_unref ssh_pkcs11_provider_unref +#define pkcs11_rsa_finish ssh_pkcs11_rsa_finish +#define pkcs11_rsa_private_decrypt ssh_pkcs11_rsa_private_decrypt +#define pkcs11_rsa_private_encrypt ssh_pkcs11_rsa_private_encrypt #define pkcs11_terminate ssh_pkcs11_terminate +#define plain_key_blob ssh_plain_key_blob #define poly1305_auth ssh_poly1305_auth +#define poly64 ssh_poly64 +#define poly_hash ssh_poly_hash +#define port_open_helper ssh_port_open_helper #define prime_test ssh_prime_test #define proto_spec ssh_proto_spec #define put_host_port ssh_put_host_port 
@@ -509,11 +579,19 @@ #define put_u32 ssh_put_u32 #define put_u64 ssh_put_u64 #define pwcopy ssh_pwcopy +#define qfileout ssh_qfileout #define read_keyfile_line ssh_read_keyfile_line +#define read_mux ssh_read_mux #define read_passphrase ssh_read_passphrase +#define reduce_add_sub ssh_reduce_add_sub #define refresh_progress_meter ssh_refresh_progress_meter #define replacearg ssh_replacearg #define restore_uid ssh_restore_uid +#define revoke_blob ssh_revoke_blob +#define revoked_blob_tree_RB_REMOVE ssh_revoked_blob_tree_RB_REMOVE +#define revoked_certs_for_ca_key ssh_revoked_certs_for_ca_key +#define revoked_serial_tree_RB_REMOVE ssh_revoked_serial_tree_RB_REMOVE +#define rijndaelKeySetupEnc ssh_rijndaelKeySetupEnc #define rijndael_decrypt ssh_rijndael_decrypt #define rijndael_encrypt ssh_rijndael_encrypt #define rijndael_set_key ssh_rijndael_set_key @@ -528,9 +606,14 @@ #define set_nodelay ssh_set_nodelay #define set_nonblock ssh_set_nonblock #define shadow_pw ssh_shadow_pw +#define sieve_large ssh_sieve_large +#define sig_winch ssh_sig_winch #define sigdie ssh_sigdie -#define sock_get_rcvbuf ssh_sock_get_rcvbuf #define sock_set_v6only ssh_sock_set_v6only +#define square ssh_square +#define ssh1_3des_cbc ssh_ssh1_3des_cbc +#define ssh1_3des_cleanup ssh_ssh1_3des_cleanup +#define ssh1_3des_init ssh_ssh1_3des_init #define ssh1_3des_iv ssh_ssh1_3des_iv #define start_progress_meter ssh_start_progress_meter #define stop_progress_meter ssh_stop_progress_meter 
@@ -542,21 +625,21 @@ #define temporarily_use_uid ssh_temporarily_use_uid #define tilde_expand_filename ssh_tilde_expand_filename #define timingsafe_bcmp ssh_timingsafe_bcmp +#define to_blob ssh_to_blob #define tohex ssh_tohex #define tty_make_modes ssh_tty_make_modes #define tty_parse_modes ssh_tty_parse_modes #define tun_open ssh_tun_open -#define umac128_ctx ssh_umac128_ctx #define umac128_delete ssh_umac128_delete #define umac128_final ssh_umac128_final #define umac128_new ssh_umac128_new #define umac128_update ssh_umac128_update -#define umac_ctx ssh_umac_ctx #define umac_delete ssh_umac_delete #define umac_final ssh_umac_final #define umac_new ssh_umac_new #define umac_update ssh_umac_update #define unset_nonblock ssh_unset_nonblock +#define update_progress_meter ssh_update_progress_meter #define uudecode ssh_uudecode #define uuencode ssh_uuencode #define verbose ssh_verbose @@ -565,6 +648,7 @@ #define x11_connect_display ssh_x11_connect_display #define x11_create_display_inet ssh_x11_create_display_inet #define x11_input_open ssh_x11_input_open +#define x11_open_helper ssh_x11_open_helper #define x11_request_forwarding_with_spoofing ssh_x11_request_forwarding_with_spoofing #define xasprintf ssh_xasprintf #define xcalloc ssh_xcalloc diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c index 102c0bdae257..3384de66cb91 100644 --- a/crypto/openssh/sshconnect.c +++ b/crypto/openssh/sshconnect.c 
@@ -264,29 +264,6 @@ ssh_kill_proxy_command(void)
 kill(proxy_command_pid, SIGHUP);
 }
-/*
- * Set TCP receive buffer if requested.
- * Note: tuning needs to happen after the socket is created but before the
- * connection happens so winscale is negotiated properly.
- */
-static void
-ssh_set_socket_recvbuf(int sock)
-{
- void *buf = (void *)&options.tcp_rcv_buf;
- int socksize, sz = sizeof(options.tcp_rcv_buf);
- socklen_t len = sizeof(int);
- debug("setsockopt attempting to set SO_RCVBUF to %d",
- options.tcp_rcv_buf);
- if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
- getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &len);
- debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno),
- socksize);
- } else
- error("Couldn't set socket receive buffer to %d: %.100s",
- options.tcp_rcv_buf, strerror(errno));
-}
-
 /*
 * Creates a (possibly privileged) socket for use as the ssh connection.
 */
@@ -303,9 +280,6 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
 }
 fcntl(sock, F_SETFD, FD_CLOEXEC);
- if (options.tcp_rcv_buf > 0)
- ssh_set_socket_recvbuf(sock);
-
 /* Bind the socket to an alternative local IP address */
 if (options.bind_address == NULL && !privileged)
 return sock;
@@ -546,10 +520,10 @@ static void
 send_client_banner(int connection_out, int minor1)
 {
 /* Send our own protocol version identification. */
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s%s%s",
 compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
 compat20 ? PROTOCOL_MINOR_2 : minor1,
- SSH_VERSION, options.hpn_disabled ? "" : SSH_VERSION_HPN,
+ SSH_VERSION,
 *options.version_addendum == '\0' ? "" : " ",
 options.version_addendum, compat20 ? "\r\n" : "\n");
 if (roaming_atomicio(vwrite, connection_out, client_version_string,
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index ab73dec038ff..838ed897dcfc 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -446,9 +446,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
 minor = PROTOCOL_MINOR_1;
 }
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
 major, minor, SSH_VERSION,
- options.hpn_disabled ? "" : SSH_VERSION_HPN,
 *options.version_addendum == '\0' ? "" : " ",
 options.version_addendum, newline);
@@ -950,13 +949,12 @@ static void
 usage(void)
 {
 if (options.version_addendum && *options.version_addendum != '\0')
- fprintf(stderr, "%s%s %s, %s\n",
- SSH_RELEASE, options.hpn_disabled ? "" : SSH_VERSION_HPN,
+ fprintf(stderr, "%s %s, %s\n",
+ SSH_RELEASE,
 options.version_addendum, SSLeay_version(SSLEAY_VERSION));
 else
- fprintf(stderr, "%s%s, %s\n",
- SSH_RELEASE, options.hpn_disabled ? "" : SSH_VERSION_HPN,
- SSLeay_version(SSLEAY_VERSION));
+ fprintf(stderr, "%s, %s\n",
+ SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
 fprintf(stderr,
 "usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n"
 " [-E log_file] [-f config_file] [-g login_grace_time]\n"
@@ -1145,7 +1143,6 @@ server_listen(void)
 len = sizeof(socksize);
 getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &socksize, &len);
 debug("Server TCP RWIN socket size: %d", socksize);
- debug("HPN Buffer Size: %d", options.hpn_buffer_size);
 /* Bind the socket to the desired port. */
 if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
@@ -1679,11 +1676,7 @@ main(int ac, char **av)
 exit(1);
 }
- debug("sshd version %.100s%.100s%s%.100s, %.100s",
- SSH_RELEASE,
- options.hpn_disabled ? "" : SSH_VERSION_HPN,
- *options.version_addendum == '\0' ? "" : " ",
- options.version_addendum,
+ debug("sshd version %s, %s", SSH_VERSION,
 SSLeay_version(SSLEAY_VERSION));
 /* Store privilege separation user for later use if required. */
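Review bot: The rewritten startup line `debug("sshd version %s, %s", SSH_VERSION, ...)` switches from SSH_RELEASE to SSH_VERSION and drops the VersionAddendum, so the debug log now reports a different version than the banner sshd_exchange_identification actually sends (SSH_VERSION plus addendum) and than usage() prints (SSH_RELEASE plus addendum) in the two hunks above. That makes the startup log a poor record of what peers saw, which matters when correlating scanner findings or incident reports against a host's advertised version string. If matching upstream's line byte-for-byte is not the goal, I would keep the addendum in the log: `debug("sshd version %s%s%s, %s", SSH_RELEASE, *options.version_addendum == '\0' ? "" : " ", options.version_addendum, SSLeay_version(SSLEAY_VERSION));`. main() continues outside the hunk.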
@@ -2114,9 +2107,6 @@ main(int ac, char **av)
 remote_ip, remote_port,
 get_local_ipaddr(sock_in), get_local_port());
- /* Set HPN options for the child. */
- channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
-
 /*
 * We don't want to listen forever unless the other side
 * successfully authenticates itself. So we set up an alarm which is
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 9a4b9c2d163f..6712744dc61e 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -120,7 +120,7 @@
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
-#VersionAddendum FreeBSD-20140420
+#VersionAddendum FreeBSD-20160119
 # no default banner path
 #Banner none
@@ -128,15 +128,6 @@
 # override default of no subsystems
 Subsystem sftp /usr/libexec/sftp-server
-# Change to yes to disable HPN tuning improvements.
-#HPNDisabled no
-
-# Buffer size for HPN to non-HPN connections.
-#HPNBufferSize 2048
-
-# TCP receive socket buffer polling for HPN. Disable on non autotuning kernels.
-#TcpRcvBufPoll yes
-
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 # X11Forwarding no
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 0b98672f1947..55043ecebb2f 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1253,7 +1253,7 @@ restrictions.
 Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection.
 The default is
-.Dq FreeBSD-20140420 .
+.Dq FreeBSD-20160119 .
 The value
 .Dq none
 may be used to disable this.
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index f62c52639f37..f224604d5617 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -6,5 +6,4 @@
 #define SSH_PORTABLE "p1"
 #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-#define SSH_VERSION_FREEBSD "FreeBSD-20140420"
-#define SSH_VERSION_HPN "_hpn13v11"
+#define SSH_VERSION_FREEBSD "FreeBSD-20160119"