]>
Commit | Line | Data |
---|---|---|
0d5b2bd4 ER |
1 | diff -NupwB openssh-5.2p1-canonical/auth2.c openssh-5.2p1-hpn13v6/auth2.c |
2 | --- openssh-5.2p1-canonical/auth2.c 2008-11-05 00:20:46.000000000 -0500 | |
3 | +++ openssh-5.2p1-hpn13v6/auth2.c 2009-05-14 12:36:10.000000000 -0400 | |
4 | @@ -49,6 +49,7 @@ | |
5 | #include "dispatch.h" | |
6 | #include "pathnames.h" | |
7 | #include "buffer.h" | |
8 | +#include "canohost.h" | |
9 | ||
10 | #ifdef GSSAPI | |
11 | #include "ssh-gss.h" | |
12 | @@ -75,6 +76,9 @@ extern Authmethod method_gssapi; | |
13 | extern Authmethod method_jpake; | |
14 | #endif | |
15 | ||
16 | +static int log_flag = 0; | |
17 | + | |
18 | + | |
19 | Authmethod *authmethods[] = { | |
20 | &method_none, | |
21 | &method_pubkey, | |
22 | @@ -225,6 +229,11 @@ input_userauth_request(int type, u_int32 | |
23 | service = packet_get_string(NULL); | |
24 | method = packet_get_string(NULL); | |
25 | debug("userauth-request for user %s service %s method %s", user, service, method); | |
26 | + if (!log_flag) { | |
27 | + logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s", | |
28 | + get_remote_ipaddr(), get_remote_port(), user); | |
29 | + log_flag = 1; | |
30 | + } | |
31 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | |
32 | ||
33 | if ((style = strchr(user, ':')) != NULL) | |
34 | diff -NupwB openssh-5.2p1-canonical/buffer.c openssh-5.2p1-hpn13v6/buffer.c | |
35 | --- openssh-5.2p1-canonical/buffer.c 2006-08-04 22:39:39.000000000 -0400 | |
36 | +++ openssh-5.2p1-hpn13v6/buffer.c 2009-05-14 12:36:10.000000000 -0400 | |
37 | @@ -127,7 +127,7 @@ restart: | |
38 | ||
39 | /* Increase the size of the buffer and retry. */ | |
40 | newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ); | |
41 | - if (newlen > BUFFER_MAX_LEN) | |
42 | + if (newlen > BUFFER_MAX_LEN_HPN) | |
43 | fatal("buffer_append_space: alloc %u not supported", | |
44 | newlen); | |
45 | buffer->buf = xrealloc(buffer->buf, 1, newlen); | |
46 | diff -NupwB openssh-5.2p1-canonical/buffer.h openssh-5.2p1-hpn13v6/buffer.h | |
47 | --- openssh-5.2p1-canonical/buffer.h 2008-05-19 00:59:37.000000000 -0400 | |
48 | +++ openssh-5.2p1-hpn13v6/buffer.h 2009-05-14 12:36:10.000000000 -0400 | |
49 | @@ -16,6 +16,9 @@ | |
50 | #ifndef BUFFER_H | |
51 | #define BUFFER_H | |
52 | ||
53 | +/* move the following to a more appropriate place and name */ | |
54 | +#define BUFFER_MAX_LEN_HPN 0x4000000 /* 64MB */ | |
55 | + | |
56 | typedef struct { | |
57 | u_char *buf; /* Buffer for data. */ | |
58 | u_int alloc; /* Number of bytes allocated for data. */ | |
59 | diff -NupwB openssh-5.2p1-canonical/channels.c openssh-5.2p1-hpn13v6/channels.c | |
60 | --- openssh-5.2p1-canonical/channels.c 2009-02-14 00:28:21.000000000 -0500 | |
61 | +++ openssh-5.2p1-hpn13v6/channels.c 2009-05-14 12:36:10.000000000 -0400 | |
62 | @@ -169,8 +169,14 @@ static void port_open_helper(Channel *c, | |
63 | static int connect_next(struct channel_connect *); | |
64 | static void channel_connect_ctx_free(struct channel_connect *); | |
65 | ||
66 | + | |
67 | +static int hpn_disabled = 0; | |
68 | +static int hpn_buffer_size = 2 * 1024 * 1024; | |
69 | + | |
70 | /* -- channel core */ | |
71 | ||
72 | + | |
73 | + | |
74 | Channel * | |
75 | channel_by_id(int id) | |
76 | { | |
77 | @@ -308,6 +314,7 @@ channel_new(char *ctype, int type, int r | |
78 | c->local_window_max = window; | |
79 | c->local_consumed = 0; | |
80 | c->local_maxpacket = maxpack; | |
81 | + c->dynamic_window = 0; | |
82 | c->remote_id = -1; | |
83 | c->remote_name = xstrdup(remote_name); | |
84 | c->remote_window = 0; | |
85 | @@ -798,11 +805,35 @@ channel_pre_open_13(Channel *c, fd_set * | |
86 | FD_SET(c->sock, writeset); | |
87 | } | |
88 | ||
89 | +int channel_tcpwinsz () { | |
90 | + u_int32_t tcpwinsz = 0; | |
91 | + socklen_t optsz = sizeof(tcpwinsz); | |
92 | + int ret = -1; | |
93 | + | |
94 | + /* if we aren't on a socket return 128KB*/ | |
95 | + if(!packet_connection_is_on_socket()) | |
96 | + return(128*1024); | |
97 | + ret = getsockopt(packet_get_connection_in(), | |
98 | + SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); | |
99 | + /* return no more than 64MB */ | |
100 | + if ((ret == 0) && tcpwinsz > BUFFER_MAX_LEN_HPN) | |
101 | + tcpwinsz = BUFFER_MAX_LEN_HPN; | |
102 | + debug2("tcpwinsz: %d for connection: %d", tcpwinsz, | |
103 | + packet_get_connection_in()); | |
104 | + return(tcpwinsz); | |
105 | +} | |
106 | + | |
107 | static void | |
108 | channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) | |
109 | { | |
110 | u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); | |
111 | ||
112 | + /* check buffer limits */ | |
113 | + if ((!c->tcpwinsz) || (c->dynamic_window > 0)) | |
114 | + c->tcpwinsz = channel_tcpwinsz(); | |
115 | + | |
116 | + limit = MIN(limit, 2 * c->tcpwinsz); | |
117 | + | |
118 | if (c->istate == CHAN_INPUT_OPEN && | |
119 | limit > 0 && | |
120 | buffer_len(&c->input) < limit && | |
121 | @@ -1759,14 +1790,21 @@ channel_check_window(Channel *c) | |
122 | c->local_maxpacket*3) || | |
123 | c->local_window < c->local_window_max/2) && | |
124 | c->local_consumed > 0) { | |
125 | + u_int addition = 0; | |
126 | + /* adjust max window size if we are in a dynamic environment */ | |
127 | + if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) { | |
128 | + /* grow the window somewhat aggressively to maintain pressure */ | |
129 | + addition = 1.5*(c->tcpwinsz - c->local_window_max); | |
130 | + c->local_window_max += addition; | |
131 | + } | |
132 | packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); | |
133 | packet_put_int(c->remote_id); | |
134 | - packet_put_int(c->local_consumed); | |
135 | + packet_put_int(c->local_consumed + addition); | |
136 | packet_send(); | |
137 | debug2("channel %d: window %d sent adjust %d", | |
138 | c->self, c->local_window, | |
139 | c->local_consumed); | |
140 | - c->local_window += c->local_consumed; | |
141 | + c->local_window += c->local_consumed + addition; | |
142 | c->local_consumed = 0; | |
143 | } | |
144 | return 1; | |
145 | @@ -1969,11 +2007,12 @@ channel_after_select(fd_set *readset, fd | |
146 | ||
147 | ||
148 | /* If there is data to send to the connection, enqueue some of it now. */ | |
149 | -void | |
150 | +int | |
151 | channel_output_poll(void) | |
152 | { | |
153 | Channel *c; | |
154 | u_int i, len; | |
155 | + int packet_length = 0; | |
156 | ||
157 | for (i = 0; i < channels_alloc; i++) { | |
158 | c = channels[i]; | |
159 | @@ -2013,7 +2052,7 @@ channel_output_poll(void) | |
160 | packet_start(SSH2_MSG_CHANNEL_DATA); | |
161 | packet_put_int(c->remote_id); | |
162 | packet_put_string(data, dlen); | |
163 | - packet_send(); | |
164 | + packet_length = packet_send(); | |
165 | c->remote_window -= dlen + 4; | |
0fab2cab | 166 | free(data); |
0d5b2bd4 ER |
167 | } |
168 | @@ -2043,7 +2082,7 @@ channel_output_poll(void) | |
169 | SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); | |
170 | packet_put_int(c->remote_id); | |
171 | packet_put_string(buffer_ptr(&c->input), len); | |
172 | - packet_send(); | |
173 | + packet_length = packet_send(); | |
174 | buffer_consume(&c->input, len); | |
175 | c->remote_window -= len; | |
176 | } | |
177 | @@ -2078,12 +2117,13 @@ channel_output_poll(void) | |
178 | packet_put_int(c->remote_id); | |
179 | packet_put_int(SSH2_EXTENDED_DATA_STDERR); | |
180 | packet_put_string(buffer_ptr(&c->extended), len); | |
181 | - packet_send(); | |
182 | + packet_length = packet_send(); | |
183 | buffer_consume(&c->extended, len); | |
184 | c->remote_window -= len; | |
185 | debug2("channel %d: sent ext data %d", c->self, len); | |
186 | } | |
187 | } | |
188 | + return (packet_length); | |
189 | } | |
190 | ||
191 | ||
192 | @@ -2459,6 +2499,15 @@ channel_set_af(int af) | |
193 | IPv4or6 = af; | |
194 | } | |
195 | ||
196 | + | |
197 | +void | |
198 | +channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size) | |
199 | +{ | |
200 | + hpn_disabled = external_hpn_disabled; | |
201 | + hpn_buffer_size = external_hpn_buffer_size; | |
202 | + debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size); | |
203 | +} | |
204 | + | |
205 | static int | |
206 | channel_setup_fwd_listener(int type, const char *listen_addr, | |
207 | u_short listen_port, int *allocated_listen_port, | |
208 | @@ -2610,9 +2659,15 @@ channel_setup_fwd_listener(int type, con | |
209 | } | |
210 | ||
211 | /* Allocate a channel number for the socket. */ | |
212 | + /* explicitly test for hpn disabled option. if true use smaller window size */ | |
213 | + if (hpn_disabled) | |
214 | c = channel_new("port listener", type, sock, sock, -1, | |
215 | CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, | |
216 | 0, "port listener", 1); | |
217 | + else | |
218 | + c = channel_new("port listener", type, sock, sock, -1, | |
219 | + hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, | |
220 | + 0, "port listener", 1); | |
221 | c->path = xstrdup(host); | |
222 | c->host_port = port_to_connect; | |
223 | c->listening_port = listen_port; | |
224 | @@ -3151,10 +3206,17 @@ x11_create_display_inet(int x11_display_ | |
225 | *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); | |
226 | for (n = 0; n < num_socks; n++) { | |
227 | sock = socks[n]; | |
228 | + /* Is this really necassary? */ | |
229 | + if (hpn_disabled) | |
230 | nc = channel_new("x11 listener", | |
231 | SSH_CHANNEL_X11_LISTENER, sock, sock, -1, | |
232 | CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, | |
233 | 0, "X11 inet listener", 1); | |
234 | + else | |
235 | + nc = channel_new("x11 listener", | |
236 | + SSH_CHANNEL_X11_LISTENER, sock, sock, -1, | |
237 | + hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, | |
238 | + 0, "X11 inet listener", 1); | |
239 | nc->single_connection = single_connection; | |
240 | (*chanids)[n] = nc->self; | |
241 | } | |
242 | diff -NupwB openssh-5.2p1-canonical/channels.h openssh-5.2p1-hpn13v6/channels.h | |
243 | --- openssh-5.2p1-canonical/channels.h 2009-02-14 00:28:21.000000000 -0500 | |
244 | +++ openssh-5.2p1-hpn13v6/channels.h 2009-05-14 12:36:10.000000000 -0400 | |
245 | @@ -115,8 +115,10 @@ struct Channel { | |
246 | u_int local_window_max; | |
247 | u_int local_consumed; | |
248 | u_int local_maxpacket; | |
249 | + int dynamic_window; | |
250 | int extended_usage; | |
251 | int single_connection; | |
252 | + u_int tcpwinsz; | |
253 | ||
254 | char *ctype; /* type */ | |
255 | ||
256 | @@ -146,9 +148,11 @@ struct Channel { | |
257 | ||
258 | /* default window/packet sizes for tcp/x11-fwd-channel */ | |
259 | #define CHAN_SES_PACKET_DEFAULT (32*1024) | |
260 | -#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT) | |
261 | +#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT) | |
262 | + | |
263 | #define CHAN_TCP_PACKET_DEFAULT (32*1024) | |
264 | -#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT) | |
265 | +#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT) | |
266 | + | |
267 | #define CHAN_X11_PACKET_DEFAULT (16*1024) | |
268 | #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT) | |
269 | ||
270 | @@ -221,7 +225,7 @@ void channel_input_status_confirm(int, | |
271 | ||
272 | void channel_prepare_select(fd_set **, fd_set **, int *, u_int*, int); | |
273 | void channel_after_select(fd_set *, fd_set *); | |
274 | -void channel_output_poll(void); | |
275 | +int channel_output_poll(void); | |
276 | ||
277 | int channel_not_very_much_buffered_data(void); | |
278 | void channel_close_all(void); | |
279 | @@ -277,4 +281,7 @@ void chan_rcvd_ieof(Channel *); | |
280 | void chan_write_failed(Channel *); | |
281 | void chan_obuf_empty(Channel *); | |
282 | ||
283 | +/* hpn handler */ | |
284 | +void channel_set_hpn(int, int); | |
285 | + | |
286 | #endif | |
287 | diff -NupwB openssh-5.2p1-canonical/cipher.c openssh-5.2p1-hpn13v6/cipher.c | |
288 | --- openssh-5.2p1-canonical/cipher.c 2009-01-28 00:38:41.000000000 -0500 | |
289 | +++ openssh-5.2p1-hpn13v6/cipher.c 2009-05-14 12:36:10.000000000 -0400 | |
290 | @@ -55,6 +55,7 @@ extern const EVP_CIPHER *evp_ssh1_bf(voi | |
291 | extern const EVP_CIPHER *evp_ssh1_3des(void); | |
292 | extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); | |
293 | extern const EVP_CIPHER *evp_aes_128_ctr(void); | |
294 | +extern const EVP_CIPHER *evp_aes_ctr_mt(void); | |
295 | extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); | |
296 | ||
297 | struct Cipher { | |
298 | @@ -82,9 +83,9 @@ struct Cipher { | |
299 | { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, | |
300 | { "rijndael-cbc@lysator.liu.se", | |
301 | SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, | |
302 | - { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, | |
303 | - { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, | |
304 | - { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, | |
305 | + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_ctr_mt }, | |
306 | + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_ctr_mt }, | |
307 | + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_ctr_mt }, | |
308 | #ifdef USE_CIPHER_ACSS | |
309 | { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss }, | |
310 | #endif | |
311 | @@ -163,7 +164,8 @@ ciphers_valid(const char *names) | |
312 | for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; | |
313 | (p = strsep(&cp, CIPHER_SEP))) { | |
314 | c = cipher_by_name(p); | |
315 | - if (c == NULL || c->number != SSH_CIPHER_SSH2) { | |
316 | + if (c == NULL || (c->number != SSH_CIPHER_SSH2 && | |
317 | +c->number != SSH_CIPHER_NONE)) { | |
318 | debug("bad cipher %s [%s]", p, names); | |
0fab2cab | 319 | free(cipher_list); |
0d5b2bd4 ER |
320 | return 0; |
321 | @@ -337,6 +339,7 @@ cipher_get_keyiv(CipherContext *cc, u_ch | |
322 | int evplen; | |
323 | ||
324 | switch (c->number) { | |
325 | + case SSH_CIPHER_NONE: | |
326 | case SSH_CIPHER_SSH2: | |
327 | case SSH_CIPHER_DES: | |
328 | case SSH_CIPHER_BLOWFISH: | |
329 | @@ -371,6 +374,7 @@ cipher_set_keyiv(CipherContext *cc, u_ch | |
330 | int evplen = 0; | |
331 | ||
332 | switch (c->number) { | |
333 | + case SSH_CIPHER_NONE: | |
334 | case SSH_CIPHER_SSH2: | |
335 | case SSH_CIPHER_DES: | |
336 | case SSH_CIPHER_BLOWFISH: | |
337 | diff -NupwB openssh-5.2p1-canonical/cipher-ctr-mt.c openssh-5.2p1-hpn13v6/cipher-ctr-mt.c | |
338 | --- openssh-5.2p1-canonical/cipher-ctr-mt.c 1969-12-31 19:00:00.000000000 -0500 | |
339 | +++ openssh-5.2p1-hpn13v6/cipher-ctr-mt.c 2009-05-14 12:36:10.000000000 -0400 | |
340 | @@ -0,0 +1,473 @@ | |
341 | +/* | |
342 | + * OpenSSH Multi-threaded AES-CTR Cipher | |
343 | + * | |
344 | + * Author: Benjamin Bennett <ben@psc.edu> | |
345 | + * Copyright (c) 2008 Pittsburgh Supercomputing Center. All rights reserved. | |
346 | + * | |
347 | + * Based on original OpenSSH AES-CTR cipher. Small portions remain unchanged, | |
348 | + * Copyright (c) 2003 Markus Friedl <markus@openbsd.org> | |
349 | + * | |
350 | + * Permission to use, copy, modify, and distribute this software for any | |
351 | + * purpose with or without fee is hereby granted, provided that the above | |
352 | + * copyright notice and this permission notice appear in all copies. | |
353 | + * | |
354 | + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | |
355 | + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | |
356 | + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | |
357 | + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | |
358 | + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | |
359 | + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | |
360 | + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | |
361 | + */ | |
362 | +#include "includes.h" | |
363 | + | |
364 | +#include <sys/types.h> | |
365 | + | |
366 | +#include <stdarg.h> | |
367 | +#include <string.h> | |
368 | + | |
369 | +#include <openssl/evp.h> | |
370 | + | |
371 | +#include "xmalloc.h" | |
372 | +#include "log.h" | |
373 | + | |
374 | +/* compatibility with old or broken OpenSSL versions */ | |
375 | +#include "openbsd-compat/openssl-compat.h" | |
376 | + | |
377 | +#ifndef USE_BUILTIN_RIJNDAEL | |
378 | +#include <openssl/aes.h> | |
379 | +#endif | |
380 | + | |
381 | +#include <pthread.h> | |
382 | + | |
383 | +/*-------------------- TUNABLES --------------------*/ | |
384 | +/* Number of pregen threads to use */ | |
385 | +#define CIPHER_THREADS 2 | |
386 | + | |
387 | +/* Number of keystream queues */ | |
388 | +#define NUMKQ (CIPHER_THREADS + 2) | |
389 | + | |
390 | +/* Length of a keystream queue */ | |
391 | +#define KQLEN 4096 | |
392 | + | |
393 | +/* Processor cacheline length */ | |
394 | +#define CACHELINE_LEN 64 | |
395 | + | |
396 | +/* Collect thread stats and print at cancellation when in debug mode */ | |
397 | +/* #define CIPHER_THREAD_STATS */ | |
398 | + | |
399 | +/* Use single-byte XOR instead of 8-byte XOR */ | |
400 | +/* #define CIPHER_BYTE_XOR */ | |
401 | +/*-------------------- END TUNABLES --------------------*/ | |
402 | + | |
403 | + | |
404 | +const EVP_CIPHER *evp_aes_ctr_mt(void); | |
405 | + | |
406 | +#ifdef CIPHER_THREAD_STATS | |
407 | +/* | |
408 | + * Struct to collect thread stats | |
409 | + */ | |
410 | +struct thread_stats { | |
411 | + u_int fills; | |
412 | + u_int skips; | |
413 | + u_int waits; | |
414 | + u_int drains; | |
415 | +}; | |
416 | + | |
417 | +/* | |
418 | + * Debug print the thread stats | |
419 | + * Use with pthread_cleanup_push for displaying at thread cancellation | |
420 | + */ | |
421 | +static void | |
422 | +thread_loop_stats(void *x) | |
423 | +{ | |
424 | + struct thread_stats *s = x; | |
425 | + | |
426 | + debug("tid %lu - %u fills, %u skips, %u waits", pthread_self(), | |
427 | + s->fills, s->skips, s->waits); | |
428 | +} | |
429 | + | |
430 | + #define STATS_STRUCT(s) struct thread_stats s | |
431 | + #define STATS_INIT(s) { memset(&s, 0, sizeof(s)); } | |
432 | + #define STATS_FILL(s) { s.fills++; } | |
433 | + #define STATS_SKIP(s) { s.skips++; } | |
434 | + #define STATS_WAIT(s) { s.waits++; } | |
435 | + #define STATS_DRAIN(s) { s.drains++; } | |
436 | +#else | |
437 | + #define STATS_STRUCT(s) | |
438 | + #define STATS_INIT(s) | |
439 | + #define STATS_FILL(s) | |
440 | + #define STATS_SKIP(s) | |
441 | + #define STATS_WAIT(s) | |
442 | + #define STATS_DRAIN(s) | |
443 | +#endif | |
444 | + | |
445 | +/* Keystream Queue state */ | |
446 | +enum { | |
447 | + KQINIT, | |
448 | + KQEMPTY, | |
449 | + KQFILLING, | |
450 | + KQFULL, | |
451 | + KQDRAINING | |
452 | +}; | |
453 | + | |
454 | +/* Keystream Queue struct */ | |
455 | +struct kq { | |
456 | + u_char keys[KQLEN][AES_BLOCK_SIZE]; | |
457 | + u_char ctr[AES_BLOCK_SIZE]; | |
458 | + u_char pad0[CACHELINE_LEN]; | |
459 | + volatile int qstate; | |
460 | + pthread_mutex_t lock; | |
461 | + pthread_cond_t cond; | |
462 | + u_char pad1[CACHELINE_LEN]; | |
463 | +}; | |
464 | + | |
465 | +/* Context struct */ | |
466 | +struct ssh_aes_ctr_ctx | |
467 | +{ | |
468 | + struct kq q[NUMKQ]; | |
469 | + AES_KEY aes_ctx; | |
470 | + STATS_STRUCT(stats); | |
471 | + u_char aes_counter[AES_BLOCK_SIZE]; | |
472 | + pthread_t tid[CIPHER_THREADS]; | |
473 | + int state; | |
474 | + int qidx; | |
475 | + int ridx; | |
476 | +}; | |
477 | + | |
478 | +/* <friedl> | |
479 | + * increment counter 'ctr', | |
480 | + * the counter is of size 'len' bytes and stored in network-byte-order. | |
481 | + * (LSB at ctr[len-1], MSB at ctr[0]) | |
482 | + */ | |
483 | +static void | |
484 | +ssh_ctr_inc(u_char *ctr, u_int len) | |
485 | +{ | |
486 | + int i; | |
487 | + | |
488 | + for (i = len - 1; i >= 0; i--) | |
489 | + if (++ctr[i]) /* continue on overflow */ | |
490 | + return; | |
491 | +} | |
492 | + | |
493 | +/* | |
494 | + * Add num to counter 'ctr' | |
495 | + */ | |
496 | +static void | |
497 | +ssh_ctr_add(u_char *ctr, uint32_t num, u_int len) | |
498 | +{ | |
499 | + int i; | |
500 | + uint16_t n; | |
501 | + | |
502 | + for (n = 0, i = len - 1; i >= 0 && (num || n); i--) { | |
503 | + n = ctr[i] + (num & 0xff) + n; | |
504 | + num >>= 8; | |
505 | + ctr[i] = n & 0xff; | |
506 | + n >>= 8; | |
507 | + } | |
508 | +} | |
509 | + | |
510 | +/* | |
511 | + * Threads may be cancelled in a pthread_cond_wait, we must free the mutex | |
512 | + */ | |
513 | +static void | |
514 | +thread_loop_cleanup(void *x) | |
515 | +{ | |
516 | + pthread_mutex_unlock((pthread_mutex_t *)x); | |
517 | +} | |
518 | + | |
519 | +/* | |
520 | + * The life of a pregen thread: | |
521 | + * Find empty keystream queues and fill them using their counter. | |
522 | + * When done, update counter for the next fill. | |
523 | + */ | |
524 | +static void * | |
525 | +thread_loop(void *x) | |
526 | +{ | |
527 | + AES_KEY key; | |
528 | + STATS_STRUCT(stats); | |
529 | + struct ssh_aes_ctr_ctx *c = x; | |
530 | + struct kq *q; | |
531 | + int i; | |
532 | + int qidx; | |
533 | + | |
534 | + /* Threads stats on cancellation */ | |
535 | + STATS_INIT(stats); | |
536 | +#ifdef CIPHER_THREAD_STATS | |
537 | + pthread_cleanup_push(thread_loop_stats, &stats); | |
538 | +#endif | |
539 | + | |
540 | + /* Thread local copy of AES key */ | |
541 | + memcpy(&key, &c->aes_ctx, sizeof(key)); | |
542 | + | |
543 | + /* | |
544 | + * Handle the special case of startup, one thread must fill | |
545 | + * the first KQ then mark it as draining. Lock held throughout. | |
546 | + */ | |
547 | + if (pthread_equal(pthread_self(), c->tid[0])) { | |
548 | + q = &c->q[0]; | |
549 | + pthread_mutex_lock(&q->lock); | |
550 | + if (q->qstate == KQINIT) { | |
551 | + for (i = 0; i < KQLEN; i++) { | |
552 | + AES_encrypt(q->ctr, q->keys[i], &key); | |
553 | + ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE); | |
554 | + } | |
555 | + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE); | |
556 | + q->qstate = KQDRAINING; | |
557 | + STATS_FILL(stats); | |
558 | + pthread_cond_broadcast(&q->cond); | |
559 | + } | |
560 | + pthread_mutex_unlock(&q->lock); | |
561 | + } | |
562 | + else | |
563 | + STATS_SKIP(stats); | |
564 | + | |
565 | + /* | |
566 | + * Normal case is to find empty queues and fill them, skipping over | |
567 | + * queues already filled by other threads and stopping to wait for | |
568 | + * a draining queue to become empty. | |
569 | + * | |
570 | + * Multiple threads may be waiting on a draining queue and awoken | |
571 | + * when empty. The first thread to wake will mark it as filling, | |
572 | + * others will move on to fill, skip, or wait on the next queue. | |
573 | + */ | |
574 | + for (qidx = 1;; qidx = (qidx + 1) % NUMKQ) { | |
575 | + /* Check if I was cancelled, also checked in cond_wait */ | |
576 | + pthread_testcancel(); | |
577 | + | |
578 | + /* Lock queue and block if its draining */ | |
579 | + q = &c->q[qidx]; | |
580 | + pthread_mutex_lock(&q->lock); | |
581 | + pthread_cleanup_push(thread_loop_cleanup, &q->lock); | |
582 | + while (q->qstate == KQDRAINING || q->qstate == KQINIT) { | |
583 | + STATS_WAIT(stats); | |
584 | + pthread_cond_wait(&q->cond, &q->lock); | |
585 | + } | |
586 | + pthread_cleanup_pop(0); | |
587 | + | |
588 | + /* If filling or full, somebody else got it, skip */ | |
589 | + if (q->qstate != KQEMPTY) { | |
590 | + pthread_mutex_unlock(&q->lock); | |
591 | + STATS_SKIP(stats); | |
592 | + continue; | |
593 | + } | |
594 | + | |
595 | + /* | |
596 | + * Empty, let's fill it. | |
597 | + * Queue lock is relinquished while we do this so others | |
598 | + * can see that it's being filled. | |
599 | + */ | |
600 | + q->qstate = KQFILLING; | |
601 | + pthread_mutex_unlock(&q->lock); | |
602 | + for (i = 0; i < KQLEN; i++) { | |
603 | + AES_encrypt(q->ctr, q->keys[i], &key); | |
604 | + ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE); | |
605 | + } | |
606 | + | |
607 | + /* Re-lock, mark full and signal consumer */ | |
608 | + pthread_mutex_lock(&q->lock); | |
609 | + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE); | |
610 | + q->qstate = KQFULL; | |
611 | + STATS_FILL(stats); | |
612 | + pthread_cond_signal(&q->cond); | |
613 | + pthread_mutex_unlock(&q->lock); | |
614 | + } | |
615 | + | |
616 | +#ifdef CIPHER_THREAD_STATS | |
617 | + /* Stats */ | |
618 | + pthread_cleanup_pop(1); | |
619 | +#endif | |
620 | + | |
621 | + return NULL; | |
622 | +} | |
623 | + | |
624 | +static int | |
625 | +ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, | |
626 | + u_int len) | |
627 | +{ | |
628 | + struct ssh_aes_ctr_ctx *c; | |
629 | + struct kq *q, *oldq; | |
630 | + int ridx; | |
631 | + u_char *buf; | |
632 | + | |
633 | + if (len == 0) | |
634 | + return (1); | |
635 | + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) | |
636 | + return (0); | |
637 | + | |
638 | + q = &c->q[c->qidx]; | |
639 | + ridx = c->ridx; | |
640 | + | |
641 | + /* src already padded to block multiple */ | |
642 | + while (len > 0) { | |
643 | + buf = q->keys[ridx]; | |
644 | + | |
645 | +#ifdef CIPHER_BYTE_XOR | |
646 | + dest[0] = src[0] ^ buf[0]; | |
647 | + dest[1] = src[1] ^ buf[1]; | |
648 | + dest[2] = src[2] ^ buf[2]; | |
649 | + dest[3] = src[3] ^ buf[3]; | |
650 | + dest[4] = src[4] ^ buf[4]; | |
651 | + dest[5] = src[5] ^ buf[5]; | |
652 | + dest[6] = src[6] ^ buf[6]; | |
653 | + dest[7] = src[7] ^ buf[7]; | |
654 | + dest[8] = src[8] ^ buf[8]; | |
655 | + dest[9] = src[9] ^ buf[9]; | |
656 | + dest[10] = src[10] ^ buf[10]; | |
657 | + dest[11] = src[11] ^ buf[11]; | |
658 | + dest[12] = src[12] ^ buf[12]; | |
659 | + dest[13] = src[13] ^ buf[13]; | |
660 | + dest[14] = src[14] ^ buf[14]; | |
661 | + dest[15] = src[15] ^ buf[15]; | |
662 | +#else | |
663 | + *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf; | |
664 | + *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^ | |
665 | + *(uint64_t *)(buf + 8); | |
666 | +#endif | |
667 | + | |
668 | + dest += 16; | |
669 | + src += 16; | |
670 | + len -= 16; | |
671 | + ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE); | |
672 | + | |
673 | + /* Increment read index, switch queues on rollover */ | |
674 | + if ((ridx = (ridx + 1) % KQLEN) == 0) { | |
675 | + oldq = q; | |
676 | + | |
677 | + /* Mark next queue draining, may need to wait */ | |
678 | + c->qidx = (c->qidx + 1) % NUMKQ; | |
679 | + q = &c->q[c->qidx]; | |
680 | + pthread_mutex_lock(&q->lock); | |
681 | + while (q->qstate != KQFULL) { | |
682 | + STATS_WAIT(c->stats); | |
683 | + pthread_cond_wait(&q->cond, &q->lock); | |
684 | + } | |
685 | + q->qstate = KQDRAINING; | |
686 | + pthread_mutex_unlock(&q->lock); | |
687 | + | |
688 | + /* Mark consumed queue empty and signal producers */ | |
689 | + pthread_mutex_lock(&oldq->lock); | |
690 | + oldq->qstate = KQEMPTY; | |
691 | + STATS_DRAIN(c->stats); | |
692 | + pthread_cond_broadcast(&oldq->cond); | |
693 | + pthread_mutex_unlock(&oldq->lock); | |
694 | + } | |
695 | + } | |
696 | + c->ridx = ridx; | |
697 | + return (1); | |
698 | +} | |
699 | + | |
700 | +#define HAVE_NONE 0 | |
701 | +#define HAVE_KEY 1 | |
702 | +#define HAVE_IV 2 | |
703 | +static int | |
704 | +ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, | |
705 | + int enc) | |
706 | +{ | |
707 | + struct ssh_aes_ctr_ctx *c; | |
708 | + int i; | |
709 | + | |
710 | + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { | |
711 | + c = xmalloc(sizeof(*c)); | |
712 | + | |
713 | + c->state = HAVE_NONE; | |
714 | + for (i = 0; i < NUMKQ; i++) { | |
715 | + pthread_mutex_init(&c->q[i].lock, NULL); | |
716 | + pthread_cond_init(&c->q[i].cond, NULL); | |
717 | + } | |
718 | + | |
719 | + STATS_INIT(c->stats); | |
720 | + | |
721 | + EVP_CIPHER_CTX_set_app_data(ctx, c); | |
722 | + } | |
723 | + | |
724 | + if (c->state == (HAVE_KEY | HAVE_IV)) { | |
725 | + /* Cancel pregen threads */ | |
726 | + for (i = 0; i < CIPHER_THREADS; i++) | |
727 | + pthread_cancel(c->tid[i]); | |
728 | + for (i = 0; i < CIPHER_THREADS; i++) | |
729 | + pthread_join(c->tid[i], NULL); | |
730 | + /* Start over getting key & iv */ | |
731 | + c->state = HAVE_NONE; | |
732 | + } | |
733 | + | |
734 | + if (key != NULL) { | |
735 | + AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, | |
736 | + &c->aes_ctx); | |
737 | + c->state |= HAVE_KEY; | |
738 | + } | |
739 | + | |
740 | + if (iv != NULL) { | |
741 | + memcpy(ctx->iv, iv, AES_BLOCK_SIZE); | |
742 | + c->state |= HAVE_IV; | |
743 | + } | |
744 | + | |
745 | + if (c->state == (HAVE_KEY | HAVE_IV)) { | |
746 | + /* Clear queues */ | |
747 | + memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE); | |
748 | + c->q[0].qstate = KQINIT; | |
749 | + for (i = 1; i < NUMKQ; i++) { | |
750 | + memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE); | |
751 | + ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE); | |
752 | + c->q[i].qstate = KQEMPTY; | |
753 | + } | |
754 | + c->qidx = 0; | |
755 | + c->ridx = 0; | |
756 | + | |
757 | + /* Start threads */ | |
758 | + for (i = 0; i < CIPHER_THREADS; i++) { | |
759 | + pthread_create(&c->tid[i], NULL, thread_loop, c); | |
760 | + } | |
761 | + pthread_mutex_lock(&c->q[0].lock); | |
762 | + while (c->q[0].qstate != KQDRAINING) | |
763 | + pthread_cond_wait(&c->q[0].cond, &c->q[0].lock); | |
764 | + pthread_mutex_unlock(&c->q[0].lock); | |
765 | + | |
766 | + } | |
767 | + return (1); | |
768 | +} | |
769 | + | |
770 | +static int | |
771 | +ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) | |
772 | +{ | |
773 | + struct ssh_aes_ctr_ctx *c; | |
774 | + int i; | |
775 | + | |
776 | + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { | |
777 | +#ifdef CIPHER_THREAD_STATS | |
778 | + debug("main thread: %u drains, %u waits", c->stats.drains, | |
779 | + c->stats.waits); | |
780 | +#endif | |
781 | + /* Cancel pregen threads */ | |
782 | + for (i = 0; i < CIPHER_THREADS; i++) | |
783 | + pthread_cancel(c->tid[i]); | |
784 | + for (i = 0; i < CIPHER_THREADS; i++) | |
785 | + pthread_join(c->tid[i], NULL); | |
786 | + | |
787 | + memset(c, 0, sizeof(*c)); | |
0fab2cab | 788 | + free(c); |
0d5b2bd4 ER |
789 | + EVP_CIPHER_CTX_set_app_data(ctx, NULL); |
790 | + } | |
791 | + return (1); | |
792 | +} | |
793 | + | |
794 | +/* <friedl> */ | |
795 | +const EVP_CIPHER * | |
796 | +evp_aes_ctr_mt(void) | |
797 | +{ | |
798 | + static EVP_CIPHER aes_ctr; | |
799 | + | |
800 | + memset(&aes_ctr, 0, sizeof(EVP_CIPHER)); | |
801 | + aes_ctr.nid = NID_undef; | |
802 | + aes_ctr.block_size = AES_BLOCK_SIZE; | |
803 | + aes_ctr.iv_len = AES_BLOCK_SIZE; | |
804 | + aes_ctr.key_len = 16; | |
805 | + aes_ctr.init = ssh_aes_ctr_init; | |
806 | + aes_ctr.cleanup = ssh_aes_ctr_cleanup; | |
807 | + aes_ctr.do_cipher = ssh_aes_ctr; | |
808 | +#ifndef SSH_OLD_EVP | |
809 | + aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | | |
810 | + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; | |
811 | +#endif | |
812 | + return (&aes_ctr); | |
813 | +} | |
814 | diff -NupwB openssh-5.2p1-canonical/clientloop.c openssh-5.2p1-hpn13v6/clientloop.c | |
815 | --- openssh-5.2p1-canonical/clientloop.c 2009-02-14 00:28:21.000000000 -0500 | |
816 | +++ openssh-5.2p1-hpn13v6/clientloop.c 2009-05-14 12:36:10.000000000 -0400 | |
817 | @@ -1688,9 +1688,15 @@ client_request_x11(const char *request_t | |
818 | sock = x11_connect_display(); | |
819 | if (sock < 0) | |
820 | return NULL; | |
821 | + /* again is this really necessary for X11? */ | |
822 | + if (options.hpn_disabled) | |
823 | c = channel_new("x11", | |
824 | SSH_CHANNEL_X11_OPEN, sock, sock, -1, | |
825 | CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); | |
826 | + else | |
827 | + c = channel_new("x11", | |
828 | + SSH_CHANNEL_X11_OPEN, sock, sock, -1, | |
829 | + options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); | |
830 | c->force_drain = 1; | |
831 | return c; | |
832 | } | |
833 | @@ -1710,9 +1716,15 @@ client_request_agent(const char *request | |
834 | sock = ssh_get_authentication_socket(); | |
835 | if (sock < 0) | |
836 | return NULL; | |
837 | + if (options.hpn_disabled) | |
838 | c = channel_new("authentication agent connection", | |
839 | SSH_CHANNEL_OPEN, sock, sock, -1, | |
840 | - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, | |
841 | + CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0, | |
842 | + "authentication agent connection", 1); | |
843 | + else | |
844 | + c = channel_new("authentication agent connection", | |
845 | + SSH_CHANNEL_OPEN, sock, sock, -1, | |
846 | + options.hpn_buffer_size, options.hpn_buffer_size, 0, | |
847 | "authentication agent connection", 1); | |
848 | c->force_drain = 1; | |
849 | return c; | |
850 | @@ -1740,10 +1752,18 @@ client_request_tun_fwd(int tun_mode, int | |
851 | return -1; | |
852 | } | |
853 | ||
854 | + if(options.hpn_disabled) | |
855 | + c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, | |
856 | + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, | |
857 | + 0, "tun", 1); | |
858 | + else | |
859 | c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, | |
860 | - CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); | |
861 | + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, | |
862 | + 0, "tun", 1); | |
863 | c->datagram = 1; | |
864 | ||
865 | + | |
866 | + | |
867 | #if defined(SSH_TUN_FILTER) | |
868 | if (options.tun_open == SSH_TUNMODE_POINTOPOINT) | |
869 | channel_register_filter(c->self, sys_tun_infilter, | |
870 | diff -NupwB openssh-5.2p1-canonical/compat.c openssh-5.2p1-hpn13v6/compat.c | |
871 | --- openssh-5.2p1-canonical/compat.c 2008-11-03 03:20:14.000000000 -0500 | |
872 | +++ openssh-5.2p1-hpn13v6/compat.c 2009-05-14 12:36:10.000000000 -0400 | |
873 | @@ -170,6 +170,15 @@ compat_datafellows(const char *version) | |
874 | strlen(check[i].pat), 0) == 1) { | |
875 | debug("match: %s pat %s", version, check[i].pat); | |
876 | datafellows = check[i].bugs; | |
877 | + /* Check to see if the remote side is OpenSSH and not HPN */ | |
878 | + if(strstr(version,"OpenSSH") != NULL) | |
879 | + { | |
880 | + if (strstr(version,"hpn") == NULL) | |
881 | + { | |
882 | + datafellows |= SSH_BUG_LARGEWINDOW; | |
883 | + debug("Remote is NON-HPN aware"); | |
884 | + } | |
885 | + } | |
886 | return; | |
887 | } | |
888 | } | |
889 | diff -NupwB openssh-5.2p1-canonical/compat.h openssh-5.2p1-hpn13v6/compat.h | |
890 | --- openssh-5.2p1-canonical/compat.h 2008-11-03 03:20:14.000000000 -0500 | |
891 | +++ openssh-5.2p1-hpn13v6/compat.h 2009-05-14 12:36:10.000000000 -0400 | |
892 | @@ -58,6 +58,7 @@ | |
893 | #define SSH_OLD_FORWARD_ADDR 0x01000000 | |
894 | #define SSH_BUG_RFWD_ADDR 0x02000000 | |
895 | #define SSH_NEW_OPENSSH 0x04000000 | |
896 | +#define SSH_BUG_LARGEWINDOW 0x08000000 | |
897 | ||
898 | void enable_compat13(void); | |
899 | void enable_compat20(void); | |
900 | Common subdirectories: openssh-5.2p1-canonical/contrib and openssh-5.2p1-hpn13v6/contrib | |
901 | diff -NupwB openssh-5.2p1-canonical/HPN-README openssh-5.2p1-hpn13v6/HPN-README | |
902 | --- openssh-5.2p1-canonical/HPN-README 1969-12-31 19:00:00.000000000 -0500 | |
903 | +++ openssh-5.2p1-hpn13v6/HPN-README 2009-05-14 12:36:10.000000000 -0400 | |
904 | @@ -0,0 +1,128 @@ | |
905 | +Notes: | |
906 | + | |
907 | +MULTI-THREADED CIPHER: | |
908 | +The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations | |
909 | +on hosts with multiple cores to use more than one processing core during encryption. | |
910 | +Tests have show significant throughput performance increases when using MTR-AES-CTR up | |
911 | +to and including a full gigabit per second on quad core systems. It should be possible to | |
912 | +achieve full line rate on dual core systems but OS and data management overhead makes this | |
913 | +more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single | |
914 | +thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal | |
915 | +performance requires the MTR-AES-CTR mode be enabled on both ends of the connection. | |
916 | +The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same | |
917 | +nomenclature. | |
918 | +Use examples: ssh -caes128-ctr you@host.com | |
919 | + scp -oCipher=aes256-ctr file you@host.com:~/file | |
920 | + | |
921 | +NONE CIPHER: | |
922 | +To use the NONE option you must have the NoneEnabled switch set on the server and | |
923 | +you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE | |
924 | +feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not | |
925 | +spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will | |
926 | +be disabled. | |
927 | + | |
928 | +The performance increase will only be as good as the network and TCP stack tuning | |
929 | +on the reciever side of the connection allows. As a rule of thumb a user will need | |
930 | +at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The | |
931 | +HPN-SSH home page describes this in greater detail. | |
932 | + | |
933 | +http://www.psc.edu/networking/projects/hpn-ssh | |
934 | + | |
935 | +BUFFER SIZES: | |
936 | + | |
937 | +If HPN is disabled the receive buffer size will be set to the | |
938 | +OpenSSH default of 64K. | |
939 | + | |
940 | +If an HPN system connects to a nonHPN system the receive buffer will | |
941 | +be set to the HPNBufferSize value. The default is 2MB but user adjustable. | |
942 | + | |
943 | +If an HPN to HPN connection is established a number of different things might | |
944 | +happen based on the user options and conditions. | |
945 | + | |
946 | +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set | |
947 | +HPN Buffer Size = up to 64MB | |
948 | +This is the default state. The HPN buffer size will grow to a maximum of 64MB | |
949 | +as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is | |
950 | +geared towards 10GigE transcontinental connections. | |
951 | + | |
952 | +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set | |
953 | +HPN Buffer Size = TCP receive buffer value. | |
954 | +Users on non-autotuning systesm should disable TCPRcvBufPoll in the | |
955 | +ssh_cofig and sshd_config | |
956 | + | |
957 | +Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set | |
958 | +HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. | |
959 | +This would be the system defined TCP receive buffer (RWIN). | |
960 | + | |
961 | +Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET | |
962 | +HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. | |
963 | +Generally there is no need to set both. | |
964 | + | |
965 | +Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set | |
966 | +HPN Buffer Size = grows to HPNBufferSize | |
967 | +The buffer will grow up to the maximum size specified here. | |
968 | + | |
969 | +Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET | |
970 | +HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. | |
971 | +Generally there is no need to set both of these, especially on autotuning | |
972 | +systems. However, if the users wishes to override the autotuning this would be | |
973 | +one way to do it. | |
974 | + | |
975 | +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET | |
976 | +HPN Buffer Size = TCPRcvBuf. | |
977 | +This will override autotuning and set the TCP recieve buffer to the user defined | |
978 | +value. | |
979 | + | |
980 | + | |
981 | +HPN Specific Configuration options | |
982 | + | |
983 | +TcpRcvBuf=[int]KB client | |
984 | + set the TCP socket receive buffer to n Kilobytes. It can be set up to the | |
985 | +maximum socket size allowed by the system. This is useful in situations where | |
986 | +the tcp receive window is set low but the maximum buffer size is set | |
987 | +higher (as is typical). This works on a per TCP connection basis. You can also | |
988 | +use this to artifically limit the transfer rate of the connection. In these | |
989 | +cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB. | |
990 | +Default is the current system wide tcp receive buffer size. | |
991 | + | |
992 | +TcpRcvBufPoll=[yes/no] client/server | |
993 | + enable of disable the polling of the tcp receive buffer through the life | |
994 | +of the connection. You would want to make sure that this option is enabled | |
995 | +for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista) | |
996 | +default is yes. | |
997 | + | |
998 | +NoneEnabled=[yes/no] client/server | |
999 | + enable or disable the use of the None cipher. Care must always be used | |
1000 | +when enabling this as it will allow users to send data in the clear. However, | |
1001 | +it is important to note that authentication information remains encrypted | |
1002 | +even if this option is enabled. Set to no by default. | |
1003 | + | |
1004 | +NoneSwitch=[yes/no] client | |
1005 | + Switch the encryption cipher being used to the None cipher after | |
1006 | +authentication takes place. NoneEnabled must be enabled on both the client | |
1007 | +and server side of the connection. When the connection switches to the NONE | |
1008 | +cipher a warning is sent to STDERR. The connection attempt will fail with an | |
1009 | +error if a client requests a NoneSwitch from the server that does not explicitly | |
1010 | +have NoneEnabled set to yes. Note: The NONE cipher cannot be used in | |
1011 | +interactive (shell) sessions and it will fail silently. Set to no by default. | |
1012 | + | |
1013 | +HPNDisabled=[yes/no] client/server | |
1014 | + In some situations, such as transfers on a local area network, the impact | |
1015 | +of the HPN code produces a net decrease in performance. In these cases it is | |
1016 | +helpful to disable the HPN functionality. By default HPNDisabled is set to no. | |
1017 | + | |
1018 | +HPNBufferSize=[int]KB client/server | |
1019 | + This is the default buffer size the HPN functionality uses when interacting | |
1020 | +with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf | |
1021 | +option as applied to the internal SSH flow control. This value can range from | |
1022 | +1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance | |
1023 | +problems depending on the length of the network path. The default size of this buffer | |
1024 | +is 2MB. | |
1025 | + | |
1026 | + | |
1027 | +Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu) | |
1028 | + The majority of the actual coding for versions up to HPN12v1 was performed | |
1029 | + by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was | |
1030 | + implemented by Ben Bennet (ben@psc.edu). This work was financed, in part, | |
1031 | + by Cisco System, Inc., the National Library of Medicine, | |
1032 | + and the National Science Foundation. | |
1033 | diff -NupwB openssh-5.2p1-canonical/kex.c openssh-5.2p1-hpn13v6/kex.c | |
1034 | --- openssh-5.2p1-canonical/kex.c 2008-11-03 03:19:12.000000000 -0500 | |
1035 | +++ openssh-5.2p1-hpn13v6/kex.c 2009-05-14 12:36:10.000000000 -0400 | |
1036 | @@ -48,6 +48,7 @@ | |
1037 | #include "match.h" | |
1038 | #include "dispatch.h" | |
1039 | #include "monitor.h" | |
1040 | +#include "canohost.h" | |
1041 | ||
1042 | #define KEX_COOKIE_LEN 16 | |
1043 | ||
1044 | @@ -64,7 +65,8 @@ static void kex_kexinit_finish(Kex *); | |
1045 | static void kex_choose_conf(Kex *); | |
1046 | ||
1047 | /* put algorithm proposal into buffer */ | |
1048 | -static void | |
1049 | +/* used in sshconnect.c as well as kex.c */ | |
1050 | +void | |
1051 | kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) | |
1052 | { | |
1053 | u_int i; | |
1054 | @@ -376,6 +378,13 @@ kex_choose_conf(Kex *kex) | |
1055 | int nenc, nmac, ncomp; | |
1056 | u_int mode, ctos, need; | |
1057 | int first_kex_follows, type; | |
1058 | + int log_flag = 0; | |
1059 | + | |
1060 | + int auth_flag; | |
1061 | + | |
1062 | + auth_flag = packet_authentication_state(); | |
1063 | + | |
1064 | + debug ("AUTH STATE IS %d", auth_flag); | |
1065 | ||
1066 | my = kex_buf2prop(&kex->my, NULL); | |
1067 | peer = kex_buf2prop(&kex->peer, &first_kex_follows); | |
1068 | @@ -400,11 +409,34 @@ kex_choose_conf(Kex *kex) | |
1069 | choose_enc (&newkeys->enc, cprop[nenc], sprop[nenc]); | |
1070 | choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]); | |
1071 | choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]); | |
1072 | + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); | |
1073 | + if (strcmp(newkeys->enc.name, "none") == 0) { | |
1074 | + debug("Requesting NONE. Authflag is %d", auth_flag); | |
1075 | + if (auth_flag == 1) { | |
1076 | + debug("None requested post authentication."); | |
1077 | + } else { | |
1078 | + fatal("Pre-authentication none cipher requests are not allowed."); | |
1079 | + } | |
1080 | + } | |
1081 | debug("kex: %s %s %s %s", | |
1082 | ctos ? "client->server" : "server->client", | |
1083 | newkeys->enc.name, | |
1084 | newkeys->mac.name, | |
1085 | newkeys->comp.name); | |
1086 | + /* client starts withctos = 0 && log flag = 0 and no log*/ | |
1087 | + /* 2nd client pass ctos=1 and flag = 1 so no log*/ | |
1088 | + /* server starts with ctos =1 && log_flag = 0 so log */ | |
1089 | + /* 2nd sever pass ctos = 1 && log flag = 1 so no log*/ | |
1090 | + /* -cjr*/ | |
1091 | + if (ctos && !log_flag) { | |
1092 | + logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s", | |
1093 | + get_remote_ipaddr(), | |
1094 | + get_remote_port(), | |
1095 | + newkeys->enc.name, | |
1096 | + newkeys->mac.name, | |
1097 | + newkeys->comp.name); | |
1098 | + } | |
1099 | + log_flag = 1; | |
1100 | } | |
1101 | choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); | |
1102 | choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], | |
1103 | diff -NupwB openssh-5.2p1-canonical/kex.h openssh-5.2p1-hpn13v6/kex.h | |
1104 | --- openssh-5.2p1-canonical/kex.h 2007-06-11 00:01:42.000000000 -0400 | |
1105 | +++ openssh-5.2p1-hpn13v6/kex.h 2009-05-14 12:36:10.000000000 -0400 | |
1106 | @@ -127,6 +127,8 @@ struct Kex { | |
1107 | void (*kex[KEX_MAX])(Kex *); | |
1108 | }; | |
1109 | ||
1110 | +void kex_prop2buf(Buffer *, char *proposal[PROPOSAL_MAX]); | |
1111 | + | |
1112 | Kex *kex_setup(char *[PROPOSAL_MAX]); | |
1113 | void kex_finish(Kex *); | |
1114 | ||
1115 | diff -NupwB openssh-5.2p1-canonical/Makefile.in openssh-5.2p1-hpn13v6/Makefile.in | |
1116 | --- openssh-5.2p1-canonical/Makefile.in 2008-11-05 00:20:46.000000000 -0500 | |
1117 | +++ openssh-5.2p1-hpn13v6/Makefile.in 2009-05-14 12:36:10.000000000 -0400 | |
1118 | @@ -43,7 +43,7 @@ CC=@CC@ | |
1119 | LD=@LD@ | |
1120 | CFLAGS=@CFLAGS@ | |
1121 | CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ | |
1122 | -LIBS=@LIBS@ | |
1123 | +LIBS=@LIBS@ -lpthread | |
1124 | SSHDLIBS=@SSHDLIBS@ | |
1125 | LIBEDIT=@LIBEDIT@ | |
1126 | AR=@AR@ | |
1127 | @@ -64,7 +64,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a | |
1128 | ||
1129 | LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | |
1130 | canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ | |
1131 | - cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ | |
1132 | + cipher-bf1.o cipher-ctr.o cipher-ctr-mt.o cipher-3des1.o cleanup.o \ | |
1133 | compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ | |
1134 | log.o match.o md-sha256.o moduli.o nchan.o packet.o \ | |
1135 | readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ | |
1136 | diff -NupwB openssh-5.2p1-canonical/myproposal.h openssh-5.2p1-hpn13v6/myproposal.h | |
1137 | --- openssh-5.2p1-canonical/myproposal.h 2009-01-28 00:33:31.000000000 -0500 | |
1138 | +++ openssh-5.2p1-hpn13v6/myproposal.h 2009-05-14 12:36:10.000000000 -0400 | |
1139 | @@ -47,6 +47,8 @@ | |
1140 | "arcfour256,arcfour128," \ | |
1141 | "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ | |
1142 | "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" | |
1143 | +#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \ | |
1144 | + ",none" | |
1145 | #define KEX_DEFAULT_MAC \ | |
1146 | "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \ | |
1147 | "hmac-ripemd160@openssh.com," \ | |
1148 | Common subdirectories: openssh-5.2p1-canonical/openbsd-compat and openssh-5.2p1-hpn13v6/openbsd-compat | |
1149 | diff -NupwB openssh-5.2p1-canonical/packet.c openssh-5.2p1-hpn13v6/packet.c | |
1150 | --- openssh-5.2p1-canonical/packet.c 2009-02-14 00:35:01.000000000 -0500 | |
1151 | +++ openssh-5.2p1-hpn13v6/packet.c 2009-05-14 12:36:10.000000000 -0400 | |
1152 | @@ -775,7 +775,7 @@ packet_enable_delayed_compress(void) | |
1153 | /* | |
1154 | * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue) | |
1155 | */ | |
1156 | -static void | |
1157 | +static int | |
1158 | packet_send2_wrapped(void) | |
1159 | { | |
1160 | u_char type, *cp, *macbuf = NULL; | |
1161 | @@ -888,11 +888,13 @@ packet_send2_wrapped(void) | |
1162 | set_newkeys(MODE_OUT); | |
1163 | else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side) | |
1164 | packet_enable_delayed_compress(); | |
1165 | + return(packet_length); | |
1166 | } | |
1167 | ||
1168 | -static void | |
1169 | +static int | |
1170 | packet_send2(void) | |
1171 | { | |
1172 | + static int packet_length = 0; | |
1173 | static int rekeying = 0; | |
1174 | struct packet *p; | |
1175 | u_char type, *cp; | |
1176 | @@ -910,7 +912,7 @@ packet_send2(void) | |
1177 | memcpy(&p->payload, &outgoing_packet, sizeof(Buffer)); | |
1178 | buffer_init(&outgoing_packet); | |
1179 | TAILQ_INSERT_TAIL(&outgoing, p, next); | |
1180 | - return; | |
1181 | + return(sizeof(Buffer)); | |
1182 | } | |
1183 | } | |
1184 | ||
1185 | @@ -918,7 +920,7 @@ packet_send2(void) | |
1186 | if (type == SSH2_MSG_KEXINIT) | |
1187 | rekeying = 1; | |
1188 | ||
1189 | - packet_send2_wrapped(); | |
1190 | + packet_length = packet_send2_wrapped(); | |
1191 | ||
1192 | /* after a NEWKEYS message we can send the complete queue */ | |
1193 | if (type == SSH2_MSG_NEWKEYS) { | |
1194 | @@ -931,19 +933,22 @@ packet_send2(void) | |
1195 | sizeof(Buffer)); | |
1196 | TAILQ_REMOVE(&outgoing, p, next); | |
0fab2cab | 1197 | free(p); |
0d5b2bd4 ER |
1198 | - packet_send2_wrapped(); |
1199 | + packet_length += packet_send2_wrapped(); | |
1200 | } | |
1201 | } | |
1202 | + return(packet_length); | |
1203 | } | |
1204 | ||
1205 | -void | |
1206 | +int | |
1207 | packet_send(void) | |
1208 | { | |
1209 | + int packet_len = 0; | |
1210 | if (compat20) | |
1211 | - packet_send2(); | |
1212 | + packet_len = packet_send2(); | |
1213 | else | |
1214 | packet_send1(); | |
1215 | DBG(debug("packet_send done")); | |
1216 | + return(packet_len); | |
1217 | } | |
1218 | ||
1219 | /* | |
1220 | @@ -1544,23 +1549,25 @@ packet_disconnect(const char *fmt,...) | |
1221 | ||
1222 | /* Checks if there is any buffered output, and tries to write some of the output. */ | |
1223 | ||
1224 | -void | |
1225 | +int | |
1226 | packet_write_poll(void) | |
1227 | { | |
1228 | - int len = buffer_len(&output); | |
1229 | + int len = 0; | |
1230 | + len = buffer_len(&output); | |
1231 | ||
1232 | if (len > 0) { | |
1233 | len = write(connection_out, buffer_ptr(&output), len); | |
1234 | if (len == -1) { | |
1235 | if (errno == EINTR || errno == EAGAIN || | |
1236 | errno == EWOULDBLOCK) | |
1237 | - return; | |
1238 | + return (0); | |
1239 | fatal("Write failed: %.100s", strerror(errno)); | |
1240 | } | |
1241 | if (len == 0) | |
1242 | fatal("Write connection closed"); | |
1243 | buffer_consume(&output, len); | |
1244 | } | |
1245 | + return(len); | |
1246 | } | |
1247 | ||
1248 | ||
1249 | @@ -1569,16 +1576,17 @@ packet_write_poll(void) | |
1250 | * written. | |
1251 | */ | |
1252 | ||
1253 | -void | |
1254 | +int | |
1255 | packet_write_wait(void) | |
1256 | { | |
1257 | fd_set *setp; | |
1258 | int ret, ms_remain; | |
1259 | struct timeval start, timeout, *timeoutp = NULL; | |
1260 | + u_int bytes_sent = 0; | |
1261 | ||
1262 | setp = (fd_set *)xcalloc(howmany(connection_out + 1, NFDBITS), | |
1263 | sizeof(fd_mask)); | |
1264 | - packet_write_poll(); | |
1265 | + bytes_sent += packet_write_poll(); | |
1266 | while (packet_have_data_to_write()) { | |
1267 | memset(setp, 0, howmany(connection_out + 1, NFDBITS) * | |
1268 | sizeof(fd_mask)); | |
1269 | @@ -1612,7 +1620,7 @@ packet_write_wait(void) | |
1270 | "waiting to write", get_remote_ipaddr()); | |
1271 | cleanup_exit(255); | |
1272 | } | |
1273 | - packet_write_poll(); | |
1274 | + bytes_sent += packet_write_poll(); | |
1275 | } | |
0fab2cab | 1276 | free(setp); |
0d5b2bd4 ER |
1277 | } |
1278 | @@ -1736,12 +1744,24 @@ packet_send_ignore(int nbytes) | |
1279 | } | |
1280 | } | |
1281 | ||
1282 | +int rekey_requested = 0; | |
1283 | +void | |
1284 | +packet_request_rekeying(void) | |
1285 | +{ | |
1286 | + rekey_requested = 1; | |
1287 | +} | |
1288 | + | |
1289 | #define MAX_PACKETS (1U<<31) | |
1290 | int | |
1291 | packet_need_rekeying(void) | |
1292 | { | |
1293 | if (datafellows & SSH_BUG_NOREKEY) | |
1294 | return 0; | |
1295 | + if (rekey_requested == 1) | |
1296 | + { | |
1297 | + rekey_requested = 0; | |
1298 | + return 1; | |
1299 | + } | |
1300 | return | |
1301 | (p_send.packets > MAX_PACKETS) || | |
1302 | (p_read.packets > MAX_PACKETS) || | |
1303 | @@ -1766,3 +1786,9 @@ packet_set_authenticated(void) | |
1304 | { | |
1305 | after_authentication = 1; | |
1306 | } | |
1307 | + | |
1308 | +int | |
1309 | +packet_authentication_state(void) | |
1310 | +{ | |
1311 | + return(after_authentication); | |
1312 | +} | |
1313 | diff -NupwB openssh-5.2p1-canonical/packet.h openssh-5.2p1-hpn13v6/packet.h | |
1314 | --- openssh-5.2p1-canonical/packet.h 2008-07-11 03:36:48.000000000 -0400 | |
1315 | +++ openssh-5.2p1-hpn13v6/packet.h 2009-05-14 12:36:10.000000000 -0400 | |
1316 | @@ -20,6 +20,9 @@ | |
1317 | ||
1318 | #include <openssl/bn.h> | |
1319 | ||
1320 | +void | |
1321 | +packet_request_rekeying(void); | |
1322 | + | |
1323 | void packet_set_connection(int, int); | |
1324 | void packet_set_timeout(int, int); | |
1325 | void packet_set_nonblocking(void); | |
1326 | @@ -35,6 +38,7 @@ void packet_set_interactive(int); | |
1327 | int packet_is_interactive(void); | |
1328 | void packet_set_server(void); | |
1329 | void packet_set_authenticated(void); | |
1330 | +int packet_authentication_state(void); | |
1331 | ||
1332 | void packet_start(u_char); | |
1333 | void packet_put_char(int ch); | |
1334 | @@ -44,7 +48,7 @@ void packet_put_bignum2(BIGNUM * val | |
1335 | void packet_put_string(const void *buf, u_int len); | |
1336 | void packet_put_cstring(const char *str); | |
1337 | void packet_put_raw(const void *buf, u_int len); | |
1338 | -void packet_send(void); | |
1339 | +int packet_send(void); | |
1340 | ||
1341 | int packet_read(void); | |
1342 | void packet_read_expect(int type); | |
1343 | @@ -73,8 +77,8 @@ void packet_set_state(int, u_int32_t, u | |
1344 | int packet_get_ssh1_cipher(void); | |
1345 | void packet_set_iv(int, u_char *); | |
1346 | ||
1347 | -void packet_write_poll(void); | |
1348 | -void packet_write_wait(void); | |
1349 | +int packet_write_poll(void); | |
1350 | +int packet_write_wait(void); | |
1351 | int packet_have_data_to_write(void); | |
1352 | int packet_not_very_much_data_to_write(void); | |
1353 | ||
1354 | diff -NupwB openssh-5.2p1-canonical/progressmeter.c openssh-5.2p1-hpn13v6/progressmeter.c | |
1355 | --- openssh-5.2p1-canonical/progressmeter.c 2006-08-04 22:39:40.000000000 -0400 | |
1356 | +++ openssh-5.2p1-hpn13v6/progressmeter.c 2009-05-14 12:36:10.000000000 -0400 | |
1357 | @@ -68,6 +68,8 @@ static time_t last_update; /* last progr | |
1358 | static char *file; /* name of the file being transferred */ | |
1359 | static off_t end_pos; /* ending position of transfer */ | |
1360 | static off_t cur_pos; /* transfer position as of last refresh */ | |
1361 | +static off_t last_pos; | |
1362 | +static off_t max_delta_pos = 0; | |
1363 | static volatile off_t *counter; /* progress counter */ | |
1364 | static long stalled; /* how long we have been stalled */ | |
1365 | static int bytes_per_second; /* current speed in bytes per second */ | |
1366 | @@ -128,12 +130,17 @@ refresh_progress_meter(void) | |
1367 | int hours, minutes, seconds; | |
1368 | int i, len; | |
1369 | int file_len; | |
1370 | + off_t delta_pos; | |
1371 | ||
1372 | transferred = *counter - cur_pos; | |
1373 | cur_pos = *counter; | |
1374 | now = time(NULL); | |
1375 | bytes_left = end_pos - cur_pos; | |
1376 | ||
1377 | + delta_pos = cur_pos - last_pos; | |
1378 | + if (delta_pos > max_delta_pos) | |
1379 | + max_delta_pos = delta_pos; | |
1380 | + | |
1381 | if (bytes_left > 0) | |
1382 | elapsed = now - last_update; | |
1383 | else { | |
1384 | @@ -158,7 +165,7 @@ refresh_progress_meter(void) | |
1385 | ||
1386 | /* filename */ | |
1387 | buf[0] = '\0'; | |
1388 | - file_len = win_size - 35; | |
1389 | + file_len = win_size - 45; | |
1390 | if (file_len > 0) { | |
1391 | len = snprintf(buf, file_len + 1, "\r%s", file); | |
1392 | if (len < 0) | |
1393 | @@ -175,7 +182,8 @@ refresh_progress_meter(void) | |
1394 | percent = ((float)cur_pos / end_pos) * 100; | |
1395 | else | |
1396 | percent = 100; | |
1397 | - snprintf(buf + strlen(buf), win_size - strlen(buf), | |
1398 | + | |
1399 | + snprintf(buf + strlen(buf), win_size - strlen(buf-8), | |
1400 | " %3d%% ", percent); | |
1401 | ||
1402 | /* amount transferred */ | |
1403 | @@ -188,6 +196,15 @@ refresh_progress_meter(void) | |
1404 | (off_t)bytes_per_second); | |
1405 | strlcat(buf, "/s ", win_size); | |
1406 | ||
1407 | + /* instantaneous rate */ | |
1408 | + if (bytes_left > 0) | |
1409 | + format_rate(buf + strlen(buf), win_size - strlen(buf), | |
1410 | + delta_pos); | |
1411 | + else | |
1412 | + format_rate(buf + strlen(buf), win_size - strlen(buf), | |
1413 | + max_delta_pos); | |
1414 | + strlcat(buf, "/s ", win_size); | |
1415 | + | |
1416 | /* ETA */ | |
1417 | if (!transferred) | |
1418 | stalled += elapsed; | |
1419 | @@ -224,6 +241,7 @@ refresh_progress_meter(void) | |
1420 | ||
1421 | atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1); | |
1422 | last_update = now; | |
1423 | + last_pos = cur_pos; | |
1424 | } | |
1425 | ||
1426 | /*ARGSUSED*/ | |
1427 | diff -NupwB openssh-5.2p1-canonical/readconf.c openssh-5.2p1-hpn13v6/readconf.c | |
1428 | --- openssh-5.2p1-canonical/readconf.c 2009-02-14 00:28:21.000000000 -0500 | |
1429 | +++ openssh-5.2p1-hpn13v6/readconf.c 2009-05-14 12:36:10.000000000 -0400 | |
1430 | @@ -131,6 +131,8 @@ typedef enum { | |
1431 | oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, | |
1432 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, | |
1433 | oVisualHostKey, oZeroKnowledgePasswordAuthentication, | |
1434 | + oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled, | |
1435 | + oHPNBufferSize, | |
1436 | oDeprecated, oUnsupported | |
1437 | } OpCodes; | |
1438 | ||
1439 | @@ -234,6 +236,12 @@ static struct { | |
1440 | #else | |
1441 | { "zeroknowledgepasswordauthentication", oUnsupported }, | |
1442 | #endif | |
1443 | + { "noneenabled", oNoneEnabled }, | |
1444 | + { "tcprcvbufpoll", oTcpRcvBufPoll }, | |
1445 | + { "tcprcvbuf", oTcpRcvBuf }, | |
1446 | + { "noneswitch", oNoneSwitch }, | |
1447 | + { "hpndisabled", oHPNDisabled }, | |
1448 | + { "hpnbuffersize", oHPNBufferSize }, | |
1449 | ||
1450 | { NULL, oBadOption } | |
1451 | }; | |
1452 | @@ -465,6 +473,37 @@ parse_flag: | |
1453 | intptr = &options->check_host_ip; | |
1454 | goto parse_flag; | |
1455 | ||
1456 | + case oNoneEnabled: | |
1457 | + intptr = &options->none_enabled; | |
1458 | + goto parse_flag; | |
1459 | + | |
1460 | + /* we check to see if the command comes from the */ | |
1461 | + /* command line or not. If it does then enable it */ | |
1462 | + /* otherwise fail. NONE should never be a default configuration */ | |
1463 | + case oNoneSwitch: | |
1464 | + if(strcmp(filename,"command-line")==0) | |
1465 | + { | |
1466 | + intptr = &options->none_switch; | |
1467 | + goto parse_flag; | |
1468 | + } else { | |
1469 | + error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename); | |
1470 | + error("Continuing..."); | |
1471 | + debug("NoneSwitch directive found in %.200s.", filename); | |
1472 | + return 0; | |
1473 | + } | |
1474 | + | |
1475 | + case oHPNDisabled: | |
1476 | + intptr = &options->hpn_disabled; | |
1477 | + goto parse_flag; | |
1478 | + | |
1479 | + case oHPNBufferSize: | |
1480 | + intptr = &options->hpn_buffer_size; | |
1481 | + goto parse_int; | |
1482 | + | |
1483 | + case oTcpRcvBufPoll: | |
1484 | + intptr = &options->tcp_rcv_buf_poll; | |
1485 | + goto parse_flag; | |
1486 | + | |
1487 | case oVerifyHostKeyDNS: | |
1488 | intptr = &options->verify_host_key_dns; | |
1489 | goto parse_yesnoask; | |
1490 | @@ -643,6 +682,10 @@ parse_int: | |
1491 | intptr = &options->connection_attempts; | |
1492 | goto parse_int; | |
1493 | ||
1494 | + case oTcpRcvBuf: | |
1495 | + intptr = &options->tcp_rcv_buf; | |
1496 | + goto parse_int; | |
1497 | + | |
1498 | case oCipher: | |
1499 | intptr = &options->cipher; | |
1500 | arg = strdelim(&s); | |
1501 | @@ -1065,6 +1108,12 @@ initialize_options(Options * options) | |
1502 | options->permit_local_command = -1; | |
1503 | options->visual_host_key = -1; | |
1504 | options->zero_knowledge_password_authentication = -1; | |
1505 | + options->none_switch = -1; | |
1506 | + options->none_enabled = -1; | |
1507 | + options->hpn_disabled = -1; | |
1508 | + options->hpn_buffer_size = -1; | |
1509 | + options->tcp_rcv_buf_poll = -1; | |
1510 | + options->tcp_rcv_buf = -1; | |
1511 | } | |
1512 | ||
1513 | /* | |
1514 | @@ -1187,6 +1236,29 @@ fill_default_options(Options * options) | |
1515 | options->server_alive_interval = 0; | |
1516 | if (options->server_alive_count_max == -1) | |
1517 | options->server_alive_count_max = 3; | |
1518 | + if (options->none_switch == -1) | |
1519 | + options->none_switch = 0; | |
1520 | + if (options->hpn_disabled == -1) | |
1521 | + options->hpn_disabled = 0; | |
1522 | + if (options->hpn_buffer_size > -1) | |
1523 | + { | |
1524 | + /* if a user tries to set the size to 0 set it to 1KB */ | |
1525 | + if (options->hpn_buffer_size == 0) | |
1526 | + options->hpn_buffer_size = 1024; | |
1527 | + /*limit the buffer to 64MB*/ | |
1528 | + if (options->hpn_buffer_size > 65536) | |
1529 | + { | |
1530 | + options->hpn_buffer_size = 65536*1024; | |
1531 | + debug("User requested buffer larger than 64MB. Request reverted to 64MB"); | |
1532 | + } | |
1533 | + debug("hpn_buffer_size set to %d", options->hpn_buffer_size); | |
1534 | + } | |
1535 | + if (options->tcp_rcv_buf == 0) | |
1536 | + options->tcp_rcv_buf = 1; | |
1537 | + if (options->tcp_rcv_buf > -1) | |
1538 | + options->tcp_rcv_buf *=1024; | |
1539 | + if (options->tcp_rcv_buf_poll == -1) | |
1540 | + options->tcp_rcv_buf_poll = 1; | |
1541 | if (options->control_master == -1) | |
1542 | options->control_master = 0; | |
1543 | if (options->hash_known_hosts == -1) | |
1544 | diff -NupwB openssh-5.2p1-canonical/readconf.c.orig openssh-5.2p1-hpn13v6/readconf.c.orig | |
1545 | --- openssh-5.2p1-canonical/readconf.c.orig 1969-12-31 19:00:00.000000000 -0500 | |
1546 | +++ openssh-5.2p1-hpn13v6/readconf.c.orig 2009-02-14 00:28:21.000000000 -0500 | |
1547 | @@ -0,0 +1,1310 @@ | |
1548 | +/* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */ | |
1549 | +/* | |
1550 | + * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
1551 | + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
1552 | + * All rights reserved | |
1553 | + * Functions for reading the configuration files. | |
1554 | + * | |
1555 | + * As far as I am concerned, the code I have written for this software | |
1556 | + * can be used freely for any purpose. Any derived versions of this | |
1557 | + * software must be clearly marked as such, and if the derived work is | |
1558 | + * incompatible with the protocol description in the RFC file, it must be | |
1559 | + * called by a name other than "ssh" or "Secure Shell". | |
1560 | + */ | |
1561 | + | |
1562 | +#include "includes.h" | |
1563 | + | |
1564 | +#include <sys/types.h> | |
1565 | +#include <sys/stat.h> | |
1566 | +#include <sys/socket.h> | |
1567 | + | |
1568 | +#include <netinet/in.h> | |
1569 | + | |
1570 | +#include <ctype.h> | |
1571 | +#include <errno.h> | |
1572 | +#include <netdb.h> | |
1573 | +#include <signal.h> | |
1574 | +#include <stdarg.h> | |
1575 | +#include <stdio.h> | |
1576 | +#include <string.h> | |
1577 | +#include <unistd.h> | |
1578 | + | |
1579 | +#include "xmalloc.h" | |
1580 | +#include "ssh.h" | |
1581 | +#include "compat.h" | |
1582 | +#include "cipher.h" | |
1583 | +#include "pathnames.h" | |
1584 | +#include "log.h" | |
1585 | +#include "key.h" | |
1586 | +#include "readconf.h" | |
1587 | +#include "match.h" | |
1588 | +#include "misc.h" | |
1589 | +#include "buffer.h" | |
1590 | +#include "kex.h" | |
1591 | +#include "mac.h" | |
1592 | + | |
1593 | +/* Format of the configuration file: | |
1594 | + | |
1595 | + # Configuration data is parsed as follows: | |
1596 | + # 1. command line options | |
1597 | + # 2. user-specific file | |
1598 | + # 3. system-wide file | |
1599 | + # Any configuration value is only changed the first time it is set. | |
1600 | + # Thus, host-specific definitions should be at the beginning of the | |
1601 | + # configuration file, and defaults at the end. | |
1602 | + | |
1603 | + # Host-specific declarations. These may override anything above. A single | |
1604 | + # host may match multiple declarations; these are processed in the order | |
1605 | + # that they are given in. | |
1606 | + | |
1607 | + Host *.ngs.fi ngs.fi | |
1608 | + User foo | |
1609 | + | |
1610 | + Host fake.com | |
1611 | + HostName another.host.name.real.org | |
1612 | + User blaah | |
1613 | + Port 34289 | |
1614 | + ForwardX11 no | |
1615 | + ForwardAgent no | |
1616 | + | |
1617 | + Host books.com | |
1618 | + RemoteForward 9999 shadows.cs.hut.fi:9999 | |
1619 | + Cipher 3des | |
1620 | + | |
1621 | + Host fascist.blob.com | |
1622 | + Port 23123 | |
1623 | + User tylonen | |
1624 | + PasswordAuthentication no | |
1625 | + | |
1626 | + Host puukko.hut.fi | |
1627 | + User t35124p | |
1628 | + ProxyCommand ssh-proxy %h %p | |
1629 | + | |
1630 | + Host *.fr | |
1631 | + PublicKeyAuthentication no | |
1632 | + | |
1633 | + Host *.su | |
1634 | + Cipher none | |
1635 | + PasswordAuthentication no | |
1636 | + | |
1637 | + Host vpn.fake.com | |
1638 | + Tunnel yes | |
1639 | + TunnelDevice 3 | |
1640 | + | |
1641 | + # Defaults for various options | |
1642 | + Host * | |
1643 | + ForwardAgent no | |
1644 | + ForwardX11 no | |
1645 | + PasswordAuthentication yes | |
1646 | + RSAAuthentication yes | |
1647 | + RhostsRSAAuthentication yes | |
1648 | + StrictHostKeyChecking yes | |
1649 | + TcpKeepAlive no | |
1650 | + IdentityFile ~/.ssh/identity | |
1651 | + Port 22 | |
1652 | + EscapeChar ~ | |
1653 | + | |
1654 | +*/ | |
1655 | + | |
1656 | +/* Keyword tokens. */ | |
1657 | + | |
1658 | +typedef enum { | |
1659 | + oBadOption, | |
1660 | + oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts, | |
1661 | + oExitOnForwardFailure, | |
1662 | + oPasswordAuthentication, oRSAAuthentication, | |
1663 | + oChallengeResponseAuthentication, oXAuthLocation, | |
1664 | + oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, | |
1665 | + oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, | |
1666 | + oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, | |
1667 | + oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, | |
1668 | + oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, | |
1669 | + oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, | |
1670 | + oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, | |
1671 | + oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, | |
1672 | + oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, | |
1673 | + oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, | |
1674 | + oClearAllForwardings, oNoHostAuthenticationForLocalhost, | |
1675 | + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | |
1676 | + oAddressFamily, oGssAuthentication, oGssDelegateCreds, | |
1677 | + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | |
1678 | + oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, | |
1679 | + oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, | |
1680 | + oVisualHostKey, oZeroKnowledgePasswordAuthentication, | |
1681 | + oDeprecated, oUnsupported | |
1682 | +} OpCodes; | |
1683 | + | |
1684 | +/* Textual representations of the tokens. */ | |
1685 | + | |
1686 | +static struct { | |
1687 | + const char *name; | |
1688 | + OpCodes opcode; | |
1689 | +} keywords[] = { | |
1690 | + { "forwardagent", oForwardAgent }, | |
1691 | + { "forwardx11", oForwardX11 }, | |
1692 | + { "forwardx11trusted", oForwardX11Trusted }, | |
1693 | + { "exitonforwardfailure", oExitOnForwardFailure }, | |
1694 | + { "xauthlocation", oXAuthLocation }, | |
1695 | + { "gatewayports", oGatewayPorts }, | |
1696 | + { "useprivilegedport", oUsePrivilegedPort }, | |
1697 | + { "rhostsauthentication", oDeprecated }, | |
1698 | + { "passwordauthentication", oPasswordAuthentication }, | |
1699 | + { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, | |
1700 | + { "kbdinteractivedevices", oKbdInteractiveDevices }, | |
1701 | + { "rsaauthentication", oRSAAuthentication }, | |
1702 | + { "pubkeyauthentication", oPubkeyAuthentication }, | |
1703 | + { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | |
1704 | + { "rhostsrsaauthentication", oRhostsRSAAuthentication }, | |
1705 | + { "hostbasedauthentication", oHostbasedAuthentication }, | |
1706 | + { "challengeresponseauthentication", oChallengeResponseAuthentication }, | |
1707 | + { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ | |
1708 | + { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ | |
1709 | + { "kerberosauthentication", oUnsupported }, | |
1710 | + { "kerberostgtpassing", oUnsupported }, | |
1711 | + { "afstokenpassing", oUnsupported }, | |
1712 | +#if defined(GSSAPI) | |
1713 | + { "gssapiauthentication", oGssAuthentication }, | |
1714 | + { "gssapidelegatecredentials", oGssDelegateCreds }, | |
1715 | +#else | |
1716 | + { "gssapiauthentication", oUnsupported }, | |
1717 | + { "gssapidelegatecredentials", oUnsupported }, | |
1718 | +#endif | |
1719 | + { "fallbacktorsh", oDeprecated }, | |
1720 | + { "usersh", oDeprecated }, | |
1721 | + { "identityfile", oIdentityFile }, | |
1722 | + { "identityfile2", oIdentityFile }, /* obsolete */ | |
1723 | + { "identitiesonly", oIdentitiesOnly }, | |
1724 | + { "hostname", oHostName }, | |
1725 | + { "hostkeyalias", oHostKeyAlias }, | |
1726 | + { "proxycommand", oProxyCommand }, | |
1727 | + { "port", oPort }, | |
1728 | + { "cipher", oCipher }, | |
1729 | + { "ciphers", oCiphers }, | |
1730 | + { "macs", oMacs }, | |
1731 | + { "protocol", oProtocol }, | |
1732 | + { "remoteforward", oRemoteForward }, | |
1733 | + { "localforward", oLocalForward }, | |
1734 | + { "user", oUser }, | |
1735 | + { "host", oHost }, | |
1736 | + { "escapechar", oEscapeChar }, | |
1737 | + { "globalknownhostsfile", oGlobalKnownHostsFile }, | |
1738 | + { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */ | |
1739 | + { "userknownhostsfile", oUserKnownHostsFile }, | |
1740 | + { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */ | |
1741 | + { "connectionattempts", oConnectionAttempts }, | |
1742 | + { "batchmode", oBatchMode }, | |
1743 | + { "checkhostip", oCheckHostIP }, | |
1744 | + { "stricthostkeychecking", oStrictHostKeyChecking }, | |
1745 | + { "compression", oCompression }, | |
1746 | + { "compressionlevel", oCompressionLevel }, | |
1747 | + { "tcpkeepalive", oTCPKeepAlive }, | |
1748 | + { "keepalive", oTCPKeepAlive }, /* obsolete */ | |
1749 | + { "numberofpasswordprompts", oNumberOfPasswordPrompts }, | |
1750 | + { "loglevel", oLogLevel }, | |
1751 | + { "dynamicforward", oDynamicForward }, | |
1752 | + { "preferredauthentications", oPreferredAuthentications }, | |
1753 | + { "hostkeyalgorithms", oHostKeyAlgorithms }, | |
1754 | + { "bindaddress", oBindAddress }, | |
1755 | +#ifdef SMARTCARD | |
1756 | + { "smartcarddevice", oSmartcardDevice }, | |
1757 | +#else | |
1758 | + { "smartcarddevice", oUnsupported }, | |
1759 | +#endif | |
1760 | + { "clearallforwardings", oClearAllForwardings }, | |
1761 | + { "enablesshkeysign", oEnableSSHKeysign }, | |
1762 | + { "verifyhostkeydns", oVerifyHostKeyDNS }, | |
1763 | + { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, | |
1764 | + { "rekeylimit", oRekeyLimit }, | |
1765 | + { "connecttimeout", oConnectTimeout }, | |
1766 | + { "addressfamily", oAddressFamily }, | |
1767 | + { "serveraliveinterval", oServerAliveInterval }, | |
1768 | + { "serveralivecountmax", oServerAliveCountMax }, | |
1769 | + { "sendenv", oSendEnv }, | |
1770 | + { "controlpath", oControlPath }, | |
1771 | + { "controlmaster", oControlMaster }, | |
1772 | + { "hashknownhosts", oHashKnownHosts }, | |
1773 | + { "tunnel", oTunnel }, | |
1774 | + { "tunneldevice", oTunnelDevice }, | |
1775 | + { "localcommand", oLocalCommand }, | |
1776 | + { "permitlocalcommand", oPermitLocalCommand }, | |
1777 | + { "visualhostkey", oVisualHostKey }, | |
1778 | +#ifdef JPAKE | |
1779 | + { "zeroknowledgepasswordauthentication", | |
1780 | + oZeroKnowledgePasswordAuthentication }, | |
1781 | +#else | |
1782 | + { "zeroknowledgepasswordauthentication", oUnsupported }, | |
1783 | +#endif | |
1784 | + | |
1785 | + { NULL, oBadOption } | |
1786 | +}; | |
1787 | + | |
1788 | +/* | |
1789 | + * Adds a local TCP/IP port forward to options. Never returns if there is an | |
1790 | + * error. | |
1791 | + */ | |
1792 | + | |
1793 | +void | |
1794 | +add_local_forward(Options *options, const Forward *newfwd) | |
1795 | +{ | |
1796 | + Forward *fwd; | |
1797 | +#ifndef NO_IPPORT_RESERVED_CONCEPT | |
1798 | + extern uid_t original_real_uid; | |
1799 | + if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) | |
1800 | + fatal("Privileged ports can only be forwarded by root."); | |
1801 | +#endif | |
1802 | + if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) | |
1803 | + fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION); | |
1804 | + fwd = &options->local_forwards[options->num_local_forwards++]; | |
1805 | + | |
1806 | + fwd->listen_host = newfwd->listen_host; | |
1807 | + fwd->listen_port = newfwd->listen_port; | |
1808 | + fwd->connect_host = newfwd->connect_host; | |
1809 | + fwd->connect_port = newfwd->connect_port; | |
1810 | +} | |
1811 | + | |
1812 | +/* | |
1813 | + * Adds a remote TCP/IP port forward to options. Never returns if there is | |
1814 | + * an error. | |
1815 | + */ | |
1816 | + | |
1817 | +void | |
1818 | +add_remote_forward(Options *options, const Forward *newfwd) | |
1819 | +{ | |
1820 | + Forward *fwd; | |
1821 | + if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) | |
1822 | + fatal("Too many remote forwards (max %d).", | |
1823 | + SSH_MAX_FORWARDS_PER_DIRECTION); | |
1824 | + fwd = &options->remote_forwards[options->num_remote_forwards++]; | |
1825 | + | |
1826 | + fwd->listen_host = newfwd->listen_host; | |
1827 | + fwd->listen_port = newfwd->listen_port; | |
1828 | + fwd->connect_host = newfwd->connect_host; | |
1829 | + fwd->connect_port = newfwd->connect_port; | |
1830 | +} | |
1831 | + | |
1832 | +static void | |
1833 | +clear_forwardings(Options *options) | |
1834 | +{ | |
1835 | + int i; | |
1836 | + | |
1837 | + for (i = 0; i < options->num_local_forwards; i++) { | |
1838 | + if (options->local_forwards[i].listen_host != NULL) | |
0fab2cab AM |
1839 | + free(options->local_forwards[i].listen_host); |
1840 | + free(options->local_forwards[i].connect_host); | |
0d5b2bd4 ER |
1841 | + } |
1842 | + options->num_local_forwards = 0; | |
1843 | + for (i = 0; i < options->num_remote_forwards; i++) { | |
1844 | + if (options->remote_forwards[i].listen_host != NULL) | |
0fab2cab AM |
1845 | + free(options->remote_forwards[i].listen_host); |
1846 | + free(options->remote_forwards[i].connect_host); | |
0d5b2bd4 ER |
1847 | + } |
1848 | + options->num_remote_forwards = 0; | |
1849 | + options->tun_open = SSH_TUNMODE_NO; | |
1850 | +} | |
1851 | + | |
1852 | +/* | |
1853 | + * Returns the number of the token pointed to by cp or oBadOption. | |
1854 | + */ | |
1855 | + | |
1856 | +static OpCodes | |
1857 | +parse_token(const char *cp, const char *filename, int linenum) | |
1858 | +{ | |
1859 | + u_int i; | |
1860 | + | |
1861 | + for (i = 0; keywords[i].name; i++) | |
1862 | + if (strcasecmp(cp, keywords[i].name) == 0) | |
1863 | + return keywords[i].opcode; | |
1864 | + | |
1865 | + error("%s: line %d: Bad configuration option: %s", | |
1866 | + filename, linenum, cp); | |
1867 | + return oBadOption; | |
1868 | +} | |
1869 | + | |
1870 | +/* | |
1871 | + * Processes a single option line as used in the configuration files. This | |
1872 | + * only sets those values that have not already been set. | |
1873 | + */ | |
1874 | +#define WHITESPACE " \t\r\n" | |
1875 | + | |
1876 | +int | |
1877 | +process_config_line(Options *options, const char *host, | |
1878 | + char *line, const char *filename, int linenum, | |
1879 | + int *activep) | |
1880 | +{ | |
1881 | + char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; | |
1882 | + int opcode, *intptr, value, value2, scale; | |
1883 | + LogLevel *log_level_ptr; | |
1884 | + long long orig, val64; | |
1885 | + size_t len; | |
1886 | + Forward fwd; | |
1887 | + | |
1888 | + /* Strip trailing whitespace */ | |
1889 | + for (len = strlen(line) - 1; len > 0; len--) { | |
1890 | + if (strchr(WHITESPACE, line[len]) == NULL) | |
1891 | + break; | |
1892 | + line[len] = '\0'; | |
1893 | + } | |
1894 | + | |
1895 | + s = line; | |
1896 | + /* Get the keyword. (Each line is supposed to begin with a keyword). */ | |
1897 | + if ((keyword = strdelim(&s)) == NULL) | |
1898 | + return 0; | |
1899 | + /* Ignore leading whitespace. */ | |
1900 | + if (*keyword == '\0') | |
1901 | + keyword = strdelim(&s); | |
1902 | + if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') | |
1903 | + return 0; | |
1904 | + | |
1905 | + opcode = parse_token(keyword, filename, linenum); | |
1906 | + | |
1907 | + switch (opcode) { | |
1908 | + case oBadOption: | |
1909 | + /* don't panic, but count bad options */ | |
1910 | + return -1; | |
1911 | + /* NOTREACHED */ | |
1912 | + case oConnectTimeout: | |
1913 | + intptr = &options->connection_timeout; | |
1914 | +parse_time: | |
1915 | + arg = strdelim(&s); | |
1916 | + if (!arg || *arg == '\0') | |
1917 | + fatal("%s line %d: missing time value.", | |
1918 | + filename, linenum); | |
1919 | + if ((value = convtime(arg)) == -1) | |
1920 | + fatal("%s line %d: invalid time value.", | |
1921 | + filename, linenum); | |
1922 | + if (*activep && *intptr == -1) | |
1923 | + *intptr = value; | |
1924 | + break; | |
1925 | + | |
1926 | + case oForwardAgent: | |
1927 | + intptr = &options->forward_agent; | |
1928 | +parse_flag: | |
1929 | + arg = strdelim(&s); | |
1930 | + if (!arg || *arg == '\0') | |
1931 | + fatal("%.200s line %d: Missing yes/no argument.", filename, linenum); | |
1932 | + value = 0; /* To avoid compiler warning... */ | |
1933 | + if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) | |
1934 | + value = 1; | |
1935 | + else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) | |
1936 | + value = 0; | |
1937 | + else | |
1938 | + fatal("%.200s line %d: Bad yes/no argument.", filename, linenum); | |
1939 | + if (*activep && *intptr == -1) | |
1940 | + *intptr = value; | |
1941 | + break; | |
1942 | + | |
1943 | + case oForwardX11: | |
1944 | + intptr = &options->forward_x11; | |
1945 | + goto parse_flag; | |
1946 | + | |
1947 | + case oForwardX11Trusted: | |
1948 | + intptr = &options->forward_x11_trusted; | |
1949 | + goto parse_flag; | |
1950 | + | |
1951 | + case oGatewayPorts: | |
1952 | + intptr = &options->gateway_ports; | |
1953 | + goto parse_flag; | |
1954 | + | |
1955 | + case oExitOnForwardFailure: | |
1956 | + intptr = &options->exit_on_forward_failure; | |
1957 | + goto parse_flag; | |
1958 | + | |
1959 | + case oUsePrivilegedPort: | |
1960 | + intptr = &options->use_privileged_port; | |
1961 | + goto parse_flag; | |
1962 | + | |
1963 | + case oPasswordAuthentication: | |
1964 | + intptr = &options->password_authentication; | |
1965 | + goto parse_flag; | |
1966 | + | |
1967 | + case oZeroKnowledgePasswordAuthentication: | |
1968 | + intptr = &options->zero_knowledge_password_authentication; | |
1969 | + goto parse_flag; | |
1970 | + | |
1971 | + case oKbdInteractiveAuthentication: | |
1972 | + intptr = &options->kbd_interactive_authentication; | |
1973 | + goto parse_flag; | |
1974 | + | |
1975 | + case oKbdInteractiveDevices: | |
1976 | + charptr = &options->kbd_interactive_devices; | |
1977 | + goto parse_string; | |
1978 | + | |
1979 | + case oPubkeyAuthentication: | |
1980 | + intptr = &options->pubkey_authentication; | |
1981 | + goto parse_flag; | |
1982 | + | |
1983 | + case oRSAAuthentication: | |
1984 | + intptr = &options->rsa_authentication; | |
1985 | + goto parse_flag; | |
1986 | + | |
1987 | + case oRhostsRSAAuthentication: | |
1988 | + intptr = &options->rhosts_rsa_authentication; | |
1989 | + goto parse_flag; | |
1990 | + | |
1991 | + case oHostbasedAuthentication: | |
1992 | + intptr = &options->hostbased_authentication; | |
1993 | + goto parse_flag; | |
1994 | + | |
1995 | + case oChallengeResponseAuthentication: | |
1996 | + intptr = &options->challenge_response_authentication; | |
1997 | + goto parse_flag; | |
1998 | + | |
1999 | + case oGssAuthentication: | |
2000 | + intptr = &options->gss_authentication; | |
2001 | + goto parse_flag; | |
2002 | + | |
2003 | + case oGssDelegateCreds: | |
2004 | + intptr = &options->gss_deleg_creds; | |
2005 | + goto parse_flag; | |
2006 | + | |
2007 | + case oBatchMode: | |
2008 | + intptr = &options->batch_mode; | |
2009 | + goto parse_flag; | |
2010 | + | |
2011 | + case oCheckHostIP: | |
2012 | + intptr = &options->check_host_ip; | |
2013 | + goto parse_flag; | |
2014 | + | |
2015 | + case oVerifyHostKeyDNS: | |
2016 | + intptr = &options->verify_host_key_dns; | |
2017 | + goto parse_yesnoask; | |
2018 | + | |
2019 | + case oStrictHostKeyChecking: | |
2020 | + intptr = &options->strict_host_key_checking; | |
2021 | +parse_yesnoask: | |
2022 | + arg = strdelim(&s); | |
2023 | + if (!arg || *arg == '\0') | |
2024 | + fatal("%.200s line %d: Missing yes/no/ask argument.", | |
2025 | + filename, linenum); | |
2026 | + value = 0; /* To avoid compiler warning... */ | |
2027 | + if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) | |
2028 | + value = 1; | |
2029 | + else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) | |
2030 | + value = 0; | |
2031 | + else if (strcmp(arg, "ask") == 0) | |
2032 | + value = 2; | |
2033 | + else | |
2034 | + fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum); | |
2035 | + if (*activep && *intptr == -1) | |
2036 | + *intptr = value; | |
2037 | + break; | |
2038 | + | |
2039 | + case oCompression: | |
2040 | + intptr = &options->compression; | |
2041 | + goto parse_flag; | |
2042 | + | |
2043 | + case oTCPKeepAlive: | |
2044 | + intptr = &options->tcp_keep_alive; | |
2045 | + goto parse_flag; | |
2046 | + | |
2047 | + case oNoHostAuthenticationForLocalhost: | |
2048 | + intptr = &options->no_host_authentication_for_localhost; | |
2049 | + goto parse_flag; | |
2050 | + | |
2051 | + case oNumberOfPasswordPrompts: | |
2052 | + intptr = &options->number_of_password_prompts; | |
2053 | + goto parse_int; | |
2054 | + | |
2055 | + case oCompressionLevel: | |
2056 | + intptr = &options->compression_level; | |
2057 | + goto parse_int; | |
2058 | + | |
2059 | + case oRekeyLimit: | |
2060 | + arg = strdelim(&s); | |
2061 | + if (!arg || *arg == '\0') | |
2062 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2063 | + if (arg[0] < '0' || arg[0] > '9') | |
2064 | + fatal("%.200s line %d: Bad number.", filename, linenum); | |
2065 | + orig = val64 = strtoll(arg, &endofnumber, 10); | |
2066 | + if (arg == endofnumber) | |
2067 | + fatal("%.200s line %d: Bad number.", filename, linenum); | |
2068 | + switch (toupper(*endofnumber)) { | |
2069 | + case '\0': | |
2070 | + scale = 1; | |
2071 | + break; | |
2072 | + case 'K': | |
2073 | + scale = 1<<10; | |
2074 | + break; | |
2075 | + case 'M': | |
2076 | + scale = 1<<20; | |
2077 | + break; | |
2078 | + case 'G': | |
2079 | + scale = 1<<30; | |
2080 | + break; | |
2081 | + default: | |
2082 | + fatal("%.200s line %d: Invalid RekeyLimit suffix", | |
2083 | + filename, linenum); | |
2084 | + } | |
2085 | + val64 *= scale; | |
2086 | + /* detect integer wrap and too-large limits */ | |
2087 | + if ((val64 / scale) != orig || val64 > UINT_MAX) | |
2088 | + fatal("%.200s line %d: RekeyLimit too large", | |
2089 | + filename, linenum); | |
2090 | + if (val64 < 16) | |
2091 | + fatal("%.200s line %d: RekeyLimit too small", | |
2092 | + filename, linenum); | |
2093 | + if (*activep && options->rekey_limit == -1) | |
2094 | + options->rekey_limit = (u_int32_t)val64; | |
2095 | + break; | |
2096 | + | |
2097 | + case oIdentityFile: | |
2098 | + arg = strdelim(&s); | |
2099 | + if (!arg || *arg == '\0') | |
2100 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2101 | + if (*activep) { | |
2102 | + intptr = &options->num_identity_files; | |
2103 | + if (*intptr >= SSH_MAX_IDENTITY_FILES) | |
2104 | + fatal("%.200s line %d: Too many identity files specified (max %d).", | |
2105 | + filename, linenum, SSH_MAX_IDENTITY_FILES); | |
2106 | + charptr = &options->identity_files[*intptr]; | |
2107 | + *charptr = xstrdup(arg); | |
2108 | + *intptr = *intptr + 1; | |
2109 | + } | |
2110 | + break; | |
2111 | + | |
2112 | + case oXAuthLocation: | |
2113 | + charptr=&options->xauth_location; | |
2114 | + goto parse_string; | |
2115 | + | |
2116 | + case oUser: | |
2117 | + charptr = &options->user; | |
2118 | +parse_string: | |
2119 | + arg = strdelim(&s); | |
2120 | + if (!arg || *arg == '\0') | |
2121 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2122 | + if (*activep && *charptr == NULL) | |
2123 | + *charptr = xstrdup(arg); | |
2124 | + break; | |
2125 | + | |
2126 | + case oGlobalKnownHostsFile: | |
2127 | + charptr = &options->system_hostfile; | |
2128 | + goto parse_string; | |
2129 | + | |
2130 | + case oUserKnownHostsFile: | |
2131 | + charptr = &options->user_hostfile; | |
2132 | + goto parse_string; | |
2133 | + | |
2134 | + case oGlobalKnownHostsFile2: | |
2135 | + charptr = &options->system_hostfile2; | |
2136 | + goto parse_string; | |
2137 | + | |
2138 | + case oUserKnownHostsFile2: | |
2139 | + charptr = &options->user_hostfile2; | |
2140 | + goto parse_string; | |
2141 | + | |
2142 | + case oHostName: | |
2143 | + charptr = &options->hostname; | |
2144 | + goto parse_string; | |
2145 | + | |
2146 | + case oHostKeyAlias: | |
2147 | + charptr = &options->host_key_alias; | |
2148 | + goto parse_string; | |
2149 | + | |
2150 | + case oPreferredAuthentications: | |
2151 | + charptr = &options->preferred_authentications; | |
2152 | + goto parse_string; | |
2153 | + | |
2154 | + case oBindAddress: | |
2155 | + charptr = &options->bind_address; | |
2156 | + goto parse_string; | |
2157 | + | |
2158 | + case oSmartcardDevice: | |
2159 | + charptr = &options->smartcard_device; | |
2160 | + goto parse_string; | |
2161 | + | |
2162 | + case oProxyCommand: | |
2163 | + charptr = &options->proxy_command; | |
2164 | +parse_command: | |
2165 | + if (s == NULL) | |
2166 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2167 | + len = strspn(s, WHITESPACE "="); | |
2168 | + if (*activep && *charptr == NULL) | |
2169 | + *charptr = xstrdup(s + len); | |
2170 | + return 0; | |
2171 | + | |
2172 | + case oPort: | |
2173 | + intptr = &options->port; | |
2174 | +parse_int: | |
2175 | + arg = strdelim(&s); | |
2176 | + if (!arg || *arg == '\0') | |
2177 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2178 | + if (arg[0] < '0' || arg[0] > '9') | |
2179 | + fatal("%.200s line %d: Bad number.", filename, linenum); | |
2180 | + | |
2181 | + /* Octal, decimal, or hex format? */ | |
2182 | + value = strtol(arg, &endofnumber, 0); | |
2183 | + if (arg == endofnumber) | |
2184 | + fatal("%.200s line %d: Bad number.", filename, linenum); | |
2185 | + if (*activep && *intptr == -1) | |
2186 | + *intptr = value; | |
2187 | + break; | |
2188 | + | |
2189 | + case oConnectionAttempts: | |
2190 | + intptr = &options->connection_attempts; | |
2191 | + goto parse_int; | |
2192 | + | |
2193 | + case oCipher: | |
2194 | + intptr = &options->cipher; | |
2195 | + arg = strdelim(&s); | |
2196 | + if (!arg || *arg == '\0') | |
2197 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2198 | + value = cipher_number(arg); | |
2199 | + if (value == -1) | |
2200 | + fatal("%.200s line %d: Bad cipher '%s'.", | |
2201 | + filename, linenum, arg ? arg : "<NONE>"); | |
2202 | + if (*activep && *intptr == -1) | |
2203 | + *intptr = value; | |
2204 | + break; | |
2205 | + | |
2206 | + case oCiphers: | |
2207 | + arg = strdelim(&s); | |
2208 | + if (!arg || *arg == '\0') | |
2209 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2210 | + if (!ciphers_valid(arg)) | |
2211 | + fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", | |
2212 | + filename, linenum, arg ? arg : "<NONE>"); | |
2213 | + if (*activep && options->ciphers == NULL) | |
2214 | + options->ciphers = xstrdup(arg); | |
2215 | + break; | |
2216 | + | |
2217 | + case oMacs: | |
2218 | + arg = strdelim(&s); | |
2219 | + if (!arg || *arg == '\0') | |
2220 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2221 | + if (!mac_valid(arg)) | |
2222 | + fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", | |
2223 | + filename, linenum, arg ? arg : "<NONE>"); | |
2224 | + if (*activep && options->macs == NULL) | |
2225 | + options->macs = xstrdup(arg); | |
2226 | + break; | |
2227 | + | |
2228 | + case oHostKeyAlgorithms: | |
2229 | + arg = strdelim(&s); | |
2230 | + if (!arg || *arg == '\0') | |
2231 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2232 | + if (!key_names_valid2(arg)) | |
2233 | + fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.", | |
2234 | + filename, linenum, arg ? arg : "<NONE>"); | |
2235 | + if (*activep && options->hostkeyalgorithms == NULL) | |
2236 | + options->hostkeyalgorithms = xstrdup(arg); | |
2237 | + break; | |
2238 | + | |
2239 | + case oProtocol: | |
2240 | + intptr = &options->protocol; | |
2241 | + arg = strdelim(&s); | |
2242 | + if (!arg || *arg == '\0') | |
2243 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2244 | + value = proto_spec(arg); | |
2245 | + if (value == SSH_PROTO_UNKNOWN) | |
2246 | + fatal("%.200s line %d: Bad protocol spec '%s'.", | |
2247 | + filename, linenum, arg ? arg : "<NONE>"); | |
2248 | + if (*activep && *intptr == SSH_PROTO_UNKNOWN) | |
2249 | + *intptr = value; | |
2250 | + break; | |
2251 | + | |
2252 | + case oLogLevel: | |
2253 | + log_level_ptr = &options->log_level; | |
2254 | + arg = strdelim(&s); | |
2255 | + value = log_level_number(arg); | |
2256 | + if (value == SYSLOG_LEVEL_NOT_SET) | |
2257 | + fatal("%.200s line %d: unsupported log level '%s'", | |
2258 | + filename, linenum, arg ? arg : "<NONE>"); | |
2259 | + if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET) | |
2260 | + *log_level_ptr = (LogLevel) value; | |
2261 | + break; | |
2262 | + | |
2263 | + case oLocalForward: | |
2264 | + case oRemoteForward: | |
2265 | + case oDynamicForward: | |
2266 | + arg = strdelim(&s); | |
2267 | + if (arg == NULL || *arg == '\0') | |
2268 | + fatal("%.200s line %d: Missing port argument.", | |
2269 | + filename, linenum); | |
2270 | + | |
2271 | + if (opcode == oLocalForward || | |
2272 | + opcode == oRemoteForward) { | |
2273 | + arg2 = strdelim(&s); | |
2274 | + if (arg2 == NULL || *arg2 == '\0') | |
2275 | + fatal("%.200s line %d: Missing target argument.", | |
2276 | + filename, linenum); | |
2277 | + | |
2278 | + /* construct a string for parse_forward */ | |
2279 | + snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2); | |
2280 | + } else if (opcode == oDynamicForward) { | |
2281 | + strlcpy(fwdarg, arg, sizeof(fwdarg)); | |
2282 | + } | |
2283 | + | |
2284 | + if (parse_forward(&fwd, fwdarg, | |
2285 | + opcode == oDynamicForward ? 1 : 0, | |
2286 | + opcode == oRemoteForward ? 1 : 0) == 0) | |
2287 | + fatal("%.200s line %d: Bad forwarding specification.", | |
2288 | + filename, linenum); | |
2289 | + | |
2290 | + if (*activep) { | |
2291 | + if (opcode == oLocalForward || | |
2292 | + opcode == oDynamicForward) | |
2293 | + add_local_forward(options, &fwd); | |
2294 | + else if (opcode == oRemoteForward) | |
2295 | + add_remote_forward(options, &fwd); | |
2296 | + } | |
2297 | + break; | |
2298 | + | |
2299 | + case oClearAllForwardings: | |
2300 | + intptr = &options->clear_forwardings; | |
2301 | + goto parse_flag; | |
2302 | + | |
2303 | + case oHost: | |
2304 | + *activep = 0; | |
2305 | + while ((arg = strdelim(&s)) != NULL && *arg != '\0') | |
2306 | + if (match_pattern(host, arg)) { | |
2307 | + debug("Applying options for %.100s", arg); | |
2308 | + *activep = 1; | |
2309 | + break; | |
2310 | + } | |
2311 | + /* Avoid garbage check below, as strdelim is done. */ | |
2312 | + return 0; | |
2313 | + | |
2314 | + case oEscapeChar: | |
2315 | + intptr = &options->escape_char; | |
2316 | + arg = strdelim(&s); | |
2317 | + if (!arg || *arg == '\0') | |
2318 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2319 | + if (arg[0] == '^' && arg[2] == 0 && | |
2320 | + (u_char) arg[1] >= 64 && (u_char) arg[1] < 128) | |
2321 | + value = (u_char) arg[1] & 31; | |
2322 | + else if (strlen(arg) == 1) | |
2323 | + value = (u_char) arg[0]; | |
2324 | + else if (strcmp(arg, "none") == 0) | |
2325 | + value = SSH_ESCAPECHAR_NONE; | |
2326 | + else { | |
2327 | + fatal("%.200s line %d: Bad escape character.", | |
2328 | + filename, linenum); | |
2329 | + /* NOTREACHED */ | |
2330 | + value = 0; /* Avoid compiler warning. */ | |
2331 | + } | |
2332 | + if (*activep && *intptr == -1) | |
2333 | + *intptr = value; | |
2334 | + break; | |
2335 | + | |
2336 | + case oAddressFamily: | |
2337 | + arg = strdelim(&s); | |
2338 | + if (!arg || *arg == '\0') | |
2339 | + fatal("%s line %d: missing address family.", | |
2340 | + filename, linenum); | |
2341 | + intptr = &options->address_family; | |
2342 | + if (strcasecmp(arg, "inet") == 0) | |
2343 | + value = AF_INET; | |
2344 | + else if (strcasecmp(arg, "inet6") == 0) | |
2345 | + value = AF_INET6; | |
2346 | + else if (strcasecmp(arg, "any") == 0) | |
2347 | + value = AF_UNSPEC; | |
2348 | + else | |
2349 | + fatal("Unsupported AddressFamily \"%s\"", arg); | |
2350 | + if (*activep && *intptr == -1) | |
2351 | + *intptr = value; | |
2352 | + break; | |
2353 | + | |
2354 | + case oEnableSSHKeysign: | |
2355 | + intptr = &options->enable_ssh_keysign; | |
2356 | + goto parse_flag; | |
2357 | + | |
2358 | + case oIdentitiesOnly: | |
2359 | + intptr = &options->identities_only; | |
2360 | + goto parse_flag; | |
2361 | + | |
2362 | + case oServerAliveInterval: | |
2363 | + intptr = &options->server_alive_interval; | |
2364 | + goto parse_time; | |
2365 | + | |
2366 | + case oServerAliveCountMax: | |
2367 | + intptr = &options->server_alive_count_max; | |
2368 | + goto parse_int; | |
2369 | + | |
2370 | + case oSendEnv: | |
2371 | + while ((arg = strdelim(&s)) != NULL && *arg != '\0') { | |
2372 | + if (strchr(arg, '=') != NULL) | |
2373 | + fatal("%s line %d: Invalid environment name.", | |
2374 | + filename, linenum); | |
2375 | + if (!*activep) | |
2376 | + continue; | |
2377 | + if (options->num_send_env >= MAX_SEND_ENV) | |
2378 | + fatal("%s line %d: too many send env.", | |
2379 | + filename, linenum); | |
2380 | + options->send_env[options->num_send_env++] = | |
2381 | + xstrdup(arg); | |
2382 | + } | |
2383 | + break; | |
2384 | + | |
2385 | + case oControlPath: | |
2386 | + charptr = &options->control_path; | |
2387 | + goto parse_string; | |
2388 | + | |
2389 | + case oControlMaster: | |
2390 | + intptr = &options->control_master; | |
2391 | + arg = strdelim(&s); | |
2392 | + if (!arg || *arg == '\0') | |
2393 | + fatal("%.200s line %d: Missing ControlMaster argument.", | |
2394 | + filename, linenum); | |
2395 | + value = 0; /* To avoid compiler warning... */ | |
2396 | + if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) | |
2397 | + value = SSHCTL_MASTER_YES; | |
2398 | + else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) | |
2399 | + value = SSHCTL_MASTER_NO; | |
2400 | + else if (strcmp(arg, "auto") == 0) | |
2401 | + value = SSHCTL_MASTER_AUTO; | |
2402 | + else if (strcmp(arg, "ask") == 0) | |
2403 | + value = SSHCTL_MASTER_ASK; | |
2404 | + else if (strcmp(arg, "autoask") == 0) | |
2405 | + value = SSHCTL_MASTER_AUTO_ASK; | |
2406 | + else | |
2407 | + fatal("%.200s line %d: Bad ControlMaster argument.", | |
2408 | + filename, linenum); | |
2409 | + if (*activep && *intptr == -1) | |
2410 | + *intptr = value; | |
2411 | + break; | |
2412 | + | |
2413 | + case oHashKnownHosts: | |
2414 | + intptr = &options->hash_known_hosts; | |
2415 | + goto parse_flag; | |
2416 | + | |
2417 | + case oTunnel: | |
2418 | + intptr = &options->tun_open; | |
2419 | + arg = strdelim(&s); | |
2420 | + if (!arg || *arg == '\0') | |
2421 | + fatal("%s line %d: Missing yes/point-to-point/" | |
2422 | + "ethernet/no argument.", filename, linenum); | |
2423 | + value = 0; /* silence compiler */ | |
2424 | + if (strcasecmp(arg, "ethernet") == 0) | |
2425 | + value = SSH_TUNMODE_ETHERNET; | |
2426 | + else if (strcasecmp(arg, "point-to-point") == 0) | |
2427 | + value = SSH_TUNMODE_POINTOPOINT; | |
2428 | + else if (strcasecmp(arg, "yes") == 0) | |
2429 | + value = SSH_TUNMODE_DEFAULT; | |
2430 | + else if (strcasecmp(arg, "no") == 0) | |
2431 | + value = SSH_TUNMODE_NO; | |
2432 | + else | |
2433 | + fatal("%s line %d: Bad yes/point-to-point/ethernet/" | |
2434 | + "no argument: %s", filename, linenum, arg); | |
2435 | + if (*activep) | |
2436 | + *intptr = value; | |
2437 | + break; | |
2438 | + | |
2439 | + case oTunnelDevice: | |
2440 | + arg = strdelim(&s); | |
2441 | + if (!arg || *arg == '\0') | |
2442 | + fatal("%.200s line %d: Missing argument.", filename, linenum); | |
2443 | + value = a2tun(arg, &value2); | |
2444 | + if (value == SSH_TUNID_ERR) | |
2445 | + fatal("%.200s line %d: Bad tun device.", filename, linenum); | |
2446 | + if (*activep) { | |
2447 | + options->tun_local = value; | |
2448 | + options->tun_remote = value2; | |
2449 | + } | |
2450 | + break; | |
2451 | + | |
2452 | + case oLocalCommand: | |
2453 | + charptr = &options->local_command; | |
2454 | + goto parse_command; | |
2455 | + | |
2456 | + case oPermitLocalCommand: | |
2457 | + intptr = &options->permit_local_command; | |
2458 | + goto parse_flag; | |
2459 | + | |
2460 | + case oVisualHostKey: | |
2461 | + intptr = &options->visual_host_key; | |
2462 | + goto parse_flag; | |
2463 | + | |
2464 | + case oDeprecated: | |
2465 | + debug("%s line %d: Deprecated option \"%s\"", | |
2466 | + filename, linenum, keyword); | |
2467 | + return 0; | |
2468 | + | |
2469 | + case oUnsupported: | |
2470 | + error("%s line %d: Unsupported option \"%s\"", | |
2471 | + filename, linenum, keyword); | |
2472 | + return 0; | |
2473 | + | |
2474 | + default: | |
2475 | + fatal("process_config_line: Unimplemented opcode %d", opcode); | |
2476 | + } | |
2477 | + | |
2478 | + /* Check that there is no garbage at end of line. */ | |
2479 | + if ((arg = strdelim(&s)) != NULL && *arg != '\0') { | |
2480 | + fatal("%.200s line %d: garbage at end of line; \"%.200s\".", | |
2481 | + filename, linenum, arg); | |
2482 | + } | |
2483 | + return 0; | |
2484 | +} | |
2485 | + | |
2486 | + | |
2487 | +/* | |
2488 | + * Reads the config file and modifies the options accordingly. Options | |
2489 | + * should already be initialized before this call. This never returns if | |
2490 | + * there is an error. If the file does not exist, this returns 0. | |
2491 | + */ | |
2492 | + | |
2493 | +int | |
2494 | +read_config_file(const char *filename, const char *host, Options *options, | |
2495 | + int checkperm) | |
2496 | +{ | |
2497 | + FILE *f; | |
2498 | + char line[1024]; | |
2499 | + int active, linenum; | |
2500 | + int bad_options = 0; | |
2501 | + | |
2502 | + if ((f = fopen(filename, "r")) == NULL) | |
2503 | + return 0; | |
2504 | + | |
2505 | + if (checkperm) { | |
2506 | + struct stat sb; | |
2507 | + | |
2508 | + if (fstat(fileno(f), &sb) == -1) | |
2509 | + fatal("fstat %s: %s", filename, strerror(errno)); | |
2510 | + if (((sb.st_uid != 0 && sb.st_uid != getuid()) || | |
2511 | + (sb.st_mode & 022) != 0)) | |
2512 | + fatal("Bad owner or permissions on %s", filename); | |
2513 | + } | |
2514 | + | |
2515 | + debug("Reading configuration data %.200s", filename); | |
2516 | + | |
2517 | + /* | |
2518 | + * Mark that we are now processing the options. This flag is turned | |
2519 | + * on/off by Host specifications. | |
2520 | + */ | |
2521 | + active = 1; | |
2522 | + linenum = 0; | |
2523 | + while (fgets(line, sizeof(line), f)) { | |
2524 | + /* Update line number counter. */ | |
2525 | + linenum++; | |
2526 | + if (process_config_line(options, host, line, filename, linenum, &active) != 0) | |
2527 | + bad_options++; | |
2528 | + } | |
2529 | + fclose(f); | |
2530 | + if (bad_options > 0) | |
2531 | + fatal("%s: terminating, %d bad configuration options", | |
2532 | + filename, bad_options); | |
2533 | + return 1; | |
2534 | +} | |
2535 | + | |
2536 | +/* | |
2537 | + * Initializes options to special values that indicate that they have not yet | |
2538 | + * been set. Read_config_file will only set options with this value. Options | |
2539 | + * are processed in the following order: command line, user config file, | |
2540 | + * system config file. Last, fill_default_options is called. | |
2541 | + */ | |
2542 | + | |
2543 | +void | |
2544 | +initialize_options(Options * options) | |
2545 | +{ | |
2546 | + memset(options, 'X', sizeof(*options)); | |
2547 | + options->forward_agent = -1; | |
2548 | + options->forward_x11 = -1; | |
2549 | + options->forward_x11_trusted = -1; | |
2550 | + options->exit_on_forward_failure = -1; | |
2551 | + options->xauth_location = NULL; | |
2552 | + options->gateway_ports = -1; | |
2553 | + options->use_privileged_port = -1; | |
2554 | + options->rsa_authentication = -1; | |
2555 | + options->pubkey_authentication = -1; | |
2556 | + options->challenge_response_authentication = -1; | |
2557 | + options->gss_authentication = -1; | |
2558 | + options->gss_deleg_creds = -1; | |
2559 | + options->password_authentication = -1; | |
2560 | + options->kbd_interactive_authentication = -1; | |
2561 | + options->kbd_interactive_devices = NULL; | |
2562 | + options->rhosts_rsa_authentication = -1; | |
2563 | + options->hostbased_authentication = -1; | |
2564 | + options->batch_mode = -1; | |
2565 | + options->check_host_ip = -1; | |
2566 | + options->strict_host_key_checking = -1; | |
2567 | + options->compression = -1; | |
2568 | + options->tcp_keep_alive = -1; | |
2569 | + options->compression_level = -1; | |
2570 | + options->port = -1; | |
2571 | + options->address_family = -1; | |
2572 | + options->connection_attempts = -1; | |
2573 | + options->connection_timeout = -1; | |
2574 | + options->number_of_password_prompts = -1; | |
2575 | + options->cipher = -1; | |
2576 | + options->ciphers = NULL; | |
2577 | + options->macs = NULL; | |
2578 | + options->hostkeyalgorithms = NULL; | |
2579 | + options->protocol = SSH_PROTO_UNKNOWN; | |
2580 | + options->num_identity_files = 0; | |
2581 | + options->hostname = NULL; | |
2582 | + options->host_key_alias = NULL; | |
2583 | + options->proxy_command = NULL; | |
2584 | + options->user = NULL; | |
2585 | + options->escape_char = -1; | |
2586 | + options->system_hostfile = NULL; | |
2587 | + options->user_hostfile = NULL; | |
2588 | + options->system_hostfile2 = NULL; | |
2589 | + options->user_hostfile2 = NULL; | |
2590 | + options->num_local_forwards = 0; | |
2591 | + options->num_remote_forwards = 0; | |
2592 | + options->clear_forwardings = -1; | |
2593 | + options->log_level = SYSLOG_LEVEL_NOT_SET; | |
2594 | + options->preferred_authentications = NULL; | |
2595 | + options->bind_address = NULL; | |
2596 | + options->smartcard_device = NULL; | |
2597 | + options->enable_ssh_keysign = - 1; | |
2598 | + options->no_host_authentication_for_localhost = - 1; | |
2599 | + options->identities_only = - 1; | |
2600 | + options->rekey_limit = - 1; | |
2601 | + options->verify_host_key_dns = -1; | |
2602 | + options->server_alive_interval = -1; | |
2603 | + options->server_alive_count_max = -1; | |
2604 | + options->num_send_env = 0; | |
2605 | + options->control_path = NULL; | |
2606 | + options->control_master = -1; | |
2607 | + options->hash_known_hosts = -1; | |
2608 | + options->tun_open = -1; | |
2609 | + options->tun_local = -1; | |
2610 | + options->tun_remote = -1; | |
2611 | + options->local_command = NULL; | |
2612 | + options->permit_local_command = -1; | |
2613 | + options->visual_host_key = -1; | |
2614 | + options->zero_knowledge_password_authentication = -1; | |
2615 | +} | |
2616 | + | |
2617 | +/* | |
2618 | + * Called after processing other sources of option data, this fills those | |
2619 | + * options for which no value has been specified with their default values. | |
2620 | + */ | |
2621 | + | |
2622 | +void | |
2623 | +fill_default_options(Options * options) | |
2624 | +{ | |
2625 | + int len; | |
2626 | + | |
2627 | + if (options->forward_agent == -1) | |
2628 | + options->forward_agent = 0; | |
2629 | + if (options->forward_x11 == -1) | |
2630 | + options->forward_x11 = 0; | |
2631 | + if (options->forward_x11_trusted == -1) | |
2632 | + options->forward_x11_trusted = 0; | |
2633 | + if (options->exit_on_forward_failure == -1) | |
2634 | + options->exit_on_forward_failure = 0; | |
2635 | + if (options->xauth_location == NULL) | |
2636 | + options->xauth_location = _PATH_XAUTH; | |
2637 | + if (options->gateway_ports == -1) | |
2638 | + options->gateway_ports = 0; | |
2639 | + if (options->use_privileged_port == -1) | |
2640 | + options->use_privileged_port = 0; | |
2641 | + if (options->rsa_authentication == -1) | |
2642 | + options->rsa_authentication = 1; | |
2643 | + if (options->pubkey_authentication == -1) | |
2644 | + options->pubkey_authentication = 1; | |
2645 | + if (options->challenge_response_authentication == -1) | |
2646 | + options->challenge_response_authentication = 1; | |
2647 | + if (options->gss_authentication == -1) | |
2648 | + options->gss_authentication = 0; | |
2649 | + if (options->gss_deleg_creds == -1) | |
2650 | + options->gss_deleg_creds = 0; | |
2651 | + if (options->password_authentication == -1) | |
2652 | + options->password_authentication = 1; | |
2653 | + if (options->kbd_interactive_authentication == -1) | |
2654 | + options->kbd_interactive_authentication = 1; | |
2655 | + if (options->rhosts_rsa_authentication == -1) | |
2656 | + options->rhosts_rsa_authentication = 0; | |
2657 | + if (options->hostbased_authentication == -1) | |
2658 | + options->hostbased_authentication = 0; | |
2659 | + if (options->batch_mode == -1) | |
2660 | + options->batch_mode = 0; | |
2661 | + if (options->check_host_ip == -1) | |
2662 | + options->check_host_ip = 1; | |
2663 | + if (options->strict_host_key_checking == -1) | |
2664 | + options->strict_host_key_checking = 2; /* 2 is default */ | |
2665 | + if (options->compression == -1) | |
2666 | + options->compression = 0; | |
2667 | + if (options->tcp_keep_alive == -1) | |
2668 | + options->tcp_keep_alive = 1; | |
2669 | + if (options->compression_level == -1) | |
2670 | + options->compression_level = 6; | |
2671 | + if (options->port == -1) | |
2672 | + options->port = 0; /* Filled in ssh_connect. */ | |
2673 | + if (options->address_family == -1) | |
2674 | + options->address_family = AF_UNSPEC; | |
2675 | + if (options->connection_attempts == -1) | |
2676 | + options->connection_attempts = 1; | |
2677 | + if (options->number_of_password_prompts == -1) | |
2678 | + options->number_of_password_prompts = 3; | |
2679 | + /* Selected in ssh_login(). */ | |
2680 | + if (options->cipher == -1) | |
2681 | + options->cipher = SSH_CIPHER_NOT_SET; | |
2682 | + /* options->ciphers, default set in myproposals.h */ | |
2683 | + /* options->macs, default set in myproposals.h */ | |
2684 | + /* options->hostkeyalgorithms, default set in myproposals.h */ | |
2685 | + if (options->protocol == SSH_PROTO_UNKNOWN) | |
2686 | + options->protocol = SSH_PROTO_1|SSH_PROTO_2; | |
2687 | + if (options->num_identity_files == 0) { | |
2688 | + if (options->protocol & SSH_PROTO_1) { | |
2689 | + len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1; | |
2690 | + options->identity_files[options->num_identity_files] = | |
2691 | + xmalloc(len); | |
2692 | + snprintf(options->identity_files[options->num_identity_files++], | |
2693 | + len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY); | |
2694 | + } | |
2695 | + if (options->protocol & SSH_PROTO_2) { | |
2696 | + len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1; | |
2697 | + options->identity_files[options->num_identity_files] = | |
2698 | + xmalloc(len); | |
2699 | + snprintf(options->identity_files[options->num_identity_files++], | |
2700 | + len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA); | |
2701 | + | |
2702 | + len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1; | |
2703 | + options->identity_files[options->num_identity_files] = | |
2704 | + xmalloc(len); | |
2705 | + snprintf(options->identity_files[options->num_identity_files++], | |
2706 | + len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA); | |
2707 | + } | |
2708 | + } | |
2709 | + if (options->escape_char == -1) | |
2710 | + options->escape_char = '~'; | |
2711 | + if (options->system_hostfile == NULL) | |
2712 | + options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE; | |
2713 | + if (options->user_hostfile == NULL) | |
2714 | + options->user_hostfile = _PATH_SSH_USER_HOSTFILE; | |
2715 | + if (options->system_hostfile2 == NULL) | |
2716 | + options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2; | |
2717 | + if (options->user_hostfile2 == NULL) | |
2718 | + options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2; | |
2719 | + if (options->log_level == SYSLOG_LEVEL_NOT_SET) | |
2720 | + options->log_level = SYSLOG_LEVEL_INFO; | |
2721 | + if (options->clear_forwardings == 1) | |
2722 | + clear_forwardings(options); | |
2723 | + if (options->no_host_authentication_for_localhost == - 1) | |
2724 | + options->no_host_authentication_for_localhost = 0; | |
2725 | + if (options->identities_only == -1) | |
2726 | + options->identities_only = 0; | |
2727 | + if (options->enable_ssh_keysign == -1) | |
2728 | + options->enable_ssh_keysign = 0; | |
2729 | + if (options->rekey_limit == -1) | |
2730 | + options->rekey_limit = 0; | |
2731 | + if (options->verify_host_key_dns == -1) | |
2732 | + options->verify_host_key_dns = 0; | |
2733 | + if (options->server_alive_interval == -1) | |
2734 | + options->server_alive_interval = 0; | |
2735 | + if (options->server_alive_count_max == -1) | |
2736 | + options->server_alive_count_max = 3; | |
2737 | + if (options->control_master == -1) | |
2738 | + options->control_master = 0; | |
2739 | + if (options->hash_known_hosts == -1) | |
2740 | + options->hash_known_hosts = 0; | |
2741 | + if (options->tun_open == -1) | |
2742 | + options->tun_open = SSH_TUNMODE_NO; | |
2743 | + if (options->tun_local == -1) | |
2744 | + options->tun_local = SSH_TUNID_ANY; | |
2745 | + if (options->tun_remote == -1) | |
2746 | + options->tun_remote = SSH_TUNID_ANY; | |
2747 | + if (options->permit_local_command == -1) | |
2748 | + options->permit_local_command = 0; | |
2749 | + if (options->visual_host_key == -1) | |
2750 | + options->visual_host_key = 0; | |
2751 | + if (options->zero_knowledge_password_authentication == -1) | |
2752 | + options->zero_knowledge_password_authentication = 0; | |
2753 | + /* options->local_command should not be set by default */ | |
2754 | + /* options->proxy_command should not be set by default */ | |
2755 | + /* options->user will be set in the main program if appropriate */ | |
2756 | + /* options->hostname will be set in the main program if appropriate */ | |
2757 | + /* options->host_key_alias should not be set by default */ | |
2758 | + /* options->preferred_authentications will be set in ssh */ | |
2759 | +} | |
2760 | + | |
2761 | +/* | |
2762 | + * parse_forward | |
2763 | + * parses a string containing a port forwarding specification of the form: | |
2764 | + * dynamicfwd == 0 | |
2765 | + * [listenhost:]listenport:connecthost:connectport | |
2766 | + * dynamicfwd == 1 | |
2767 | + * [listenhost:]listenport | |
2768 | + * returns number of arguments parsed or zero on error | |
2769 | + */ | |
2770 | +int | |
2771 | +parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) | |
2772 | +{ | |
2773 | + int i; | |
2774 | + char *p, *cp, *fwdarg[4]; | |
2775 | + | |
2776 | + memset(fwd, '\0', sizeof(*fwd)); | |
2777 | + | |
2778 | + cp = p = xstrdup(fwdspec); | |
2779 | + | |
2780 | + /* skip leading spaces */ | |
2781 | + while (isspace(*cp)) | |
2782 | + cp++; | |
2783 | + | |
2784 | + for (i = 0; i < 4; ++i) | |
2785 | + if ((fwdarg[i] = hpdelim(&cp)) == NULL) | |
2786 | + break; | |
2787 | + | |
2788 | + /* Check for trailing garbage */ | |
2789 | + if (cp != NULL) | |
2790 | + i = 0; /* failure */ | |
2791 | + | |
2792 | + switch (i) { | |
2793 | + case 1: | |
2794 | + fwd->listen_host = NULL; | |
2795 | + fwd->listen_port = a2port(fwdarg[0]); | |
2796 | + fwd->connect_host = xstrdup("socks"); | |
2797 | + break; | |
2798 | + | |
2799 | + case 2: | |
2800 | + fwd->listen_host = xstrdup(cleanhostname(fwdarg[0])); | |
2801 | + fwd->listen_port = a2port(fwdarg[1]); | |
2802 | + fwd->connect_host = xstrdup("socks"); | |
2803 | + break; | |
2804 | + | |
2805 | + case 3: | |
2806 | + fwd->listen_host = NULL; | |
2807 | + fwd->listen_port = a2port(fwdarg[0]); | |
2808 | + fwd->connect_host = xstrdup(cleanhostname(fwdarg[1])); | |
2809 | + fwd->connect_port = a2port(fwdarg[2]); | |
2810 | + break; | |
2811 | + | |
2812 | + case 4: | |
2813 | + fwd->listen_host = xstrdup(cleanhostname(fwdarg[0])); | |
2814 | + fwd->listen_port = a2port(fwdarg[1]); | |
2815 | + fwd->connect_host = xstrdup(cleanhostname(fwdarg[2])); | |
2816 | + fwd->connect_port = a2port(fwdarg[3]); | |
2817 | + break; | |
2818 | + default: | |
2819 | + i = 0; /* failure */ | |
2820 | + } | |
2821 | + | |
0fab2cab | 2822 | + free(p); |
0d5b2bd4 ER |
2823 | + |
2824 | + if (dynamicfwd) { | |
2825 | + if (!(i == 1 || i == 2)) | |
2826 | + goto fail_free; | |
2827 | + } else { | |
2828 | + if (!(i == 3 || i == 4)) | |
2829 | + goto fail_free; | |
2830 | + if (fwd->connect_port <= 0) | |
2831 | + goto fail_free; | |
2832 | + } | |
2833 | + | |
2834 | + if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0)) | |
2835 | + goto fail_free; | |
2836 | + | |
2837 | + if (fwd->connect_host != NULL && | |
2838 | + strlen(fwd->connect_host) >= NI_MAXHOST) | |
2839 | + goto fail_free; | |
2840 | + if (fwd->listen_host != NULL && | |
2841 | + strlen(fwd->listen_host) >= NI_MAXHOST) | |
2842 | + goto fail_free; | |
2843 | + | |
2844 | + | |
2845 | + return (i); | |
2846 | + | |
2847 | + fail_free: | |
2848 | + if (fwd->connect_host != NULL) { | |
0fab2cab | 2849 | + free(fwd->connect_host); |
0d5b2bd4 ER |
2850 | + fwd->connect_host = NULL; |
2851 | + } | |
2852 | + if (fwd->listen_host != NULL) { | |
0fab2cab | 2853 | + free(fwd->listen_host); |
0d5b2bd4 ER |
2854 | + fwd->listen_host = NULL; |
2855 | + } | |
2856 | + return (0); | |
2857 | +} | |
2858 | diff -NupwB openssh-5.2p1-canonical/readconf.h openssh-5.2p1-hpn13v6/readconf.h | |
2859 | --- openssh-5.2p1-canonical/readconf.h 2009-02-14 00:28:21.000000000 -0500 | |
2860 | +++ openssh-5.2p1-hpn13v6/readconf.h 2009-05-14 12:36:10.000000000 -0400 | |
2861 | @@ -57,6 +57,11 @@ typedef struct { | |
2862 | int compression_level; /* Compression level 1 (fast) to 9 | |
2863 | * (best). */ | |
2864 | int tcp_keep_alive; /* Set SO_KEEPALIVE. */ | |
2865 | + int tcp_rcv_buf; /* user switch to set tcp recv buffer */ | |
2866 | + int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */ | |
2867 | + int hpn_disabled; /* Switch to disable HPN buffer management */ | |
2868 | + int hpn_buffer_size; /* User definable size for HPN buffer window */ | |
2869 | + | |
2870 | LogLevel log_level; /* Level for logging. */ | |
2871 | ||
2872 | int port; /* Port to connect. */ | |
2873 | @@ -102,6 +107,8 @@ typedef struct { | |
2874 | ||
2875 | int enable_ssh_keysign; | |
2876 | int64_t rekey_limit; | |
2877 | + int none_switch; /* Use none cipher */ | |
2878 | + int none_enabled; /* Allow none to be used */ | |
2879 | int no_host_authentication_for_localhost; | |
2880 | int identities_only; | |
2881 | int server_alive_interval; | |
2882 | diff -NupwB openssh-5.2p1-canonical/readconf.h.orig openssh-5.2p1-hpn13v6/readconf.h.orig | |
2883 | --- openssh-5.2p1-canonical/readconf.h.orig 1969-12-31 19:00:00.000000000 -0500 | |
2884 | +++ openssh-5.2p1-hpn13v6/readconf.h.orig 2009-02-14 00:28:21.000000000 -0500 | |
2885 | @@ -0,0 +1,145 @@ | |
2886 | +/* $OpenBSD: readconf.h,v 1.78 2009/02/12 03:00:56 djm Exp $ */ | |
2887 | + | |
2888 | +/* | |
2889 | + * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
2890 | + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
2891 | + * All rights reserved | |
2892 | + * Functions for reading the configuration file. | |
2893 | + * | |
2894 | + * As far as I am concerned, the code I have written for this software | |
2895 | + * can be used freely for any purpose. Any derived versions of this | |
2896 | + * software must be clearly marked as such, and if the derived work is | |
2897 | + * incompatible with the protocol description in the RFC file, it must be | |
2898 | + * called by a name other than "ssh" or "Secure Shell". | |
2899 | + */ | |
2900 | + | |
2901 | +#ifndef READCONF_H | |
2902 | +#define READCONF_H | |
2903 | + | |
2904 | +/* Data structure for representing a forwarding request. */ | |
2905 | + | |
2906 | +typedef struct { | |
2907 | + char *listen_host; /* Host (address) to listen on. */ | |
2908 | + int listen_port; /* Port to forward. */ | |
2909 | + char *connect_host; /* Host to connect. */ | |
2910 | + int connect_port; /* Port to connect on connect_host. */ | |
2911 | +} Forward; | |
2912 | +/* Data structure for representing option data. */ | |
2913 | + | |
2914 | +#define MAX_SEND_ENV 256 | |
2915 | + | |
2916 | +typedef struct { | |
2917 | + int forward_agent; /* Forward authentication agent. */ | |
2918 | + int forward_x11; /* Forward X11 display. */ | |
2919 | + int forward_x11_trusted; /* Trust Forward X11 display. */ | |
2920 | + int exit_on_forward_failure; /* Exit if bind(2) fails for -L/-R */ | |
2921 | + char *xauth_location; /* Location for xauth program */ | |
2922 | + int gateway_ports; /* Allow remote connects to forwarded ports. */ | |
2923 | + int use_privileged_port; /* Don't use privileged port if false. */ | |
2924 | + int rhosts_rsa_authentication; /* Try rhosts with RSA | |
2925 | + * authentication. */ | |
2926 | + int rsa_authentication; /* Try RSA authentication. */ | |
2927 | + int pubkey_authentication; /* Try ssh2 pubkey authentication. */ | |
2928 | + int hostbased_authentication; /* ssh2's rhosts_rsa */ | |
2929 | + int challenge_response_authentication; | |
2930 | + /* Try S/Key or TIS, authentication. */ | |
2931 | + int gss_authentication; /* Try GSS authentication */ | |
2932 | + int gss_deleg_creds; /* Delegate GSS credentials */ | |
2933 | + int password_authentication; /* Try password | |
2934 | + * authentication. */ | |
2935 | + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | |
2936 | + char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ | |
2937 | + int zero_knowledge_password_authentication; /* Try jpake */ | |
2938 | + int batch_mode; /* Batch mode: do not ask for passwords. */ | |
2939 | + int check_host_ip; /* Also keep track of keys for IP address */ | |
2940 | + int strict_host_key_checking; /* Strict host key checking. */ | |
2941 | + int compression; /* Compress packets in both directions. */ | |
2942 | + int compression_level; /* Compression level 1 (fast) to 9 | |
2943 | + * (best). */ | |
2944 | + int tcp_keep_alive; /* Set SO_KEEPALIVE. */ | |
2945 | + LogLevel log_level; /* Level for logging. */ | |
2946 | + | |
2947 | + int port; /* Port to connect. */ | |
2948 | + int address_family; | |
2949 | + int connection_attempts; /* Max attempts (seconds) before | |
2950 | + * giving up */ | |
2951 | + int connection_timeout; /* Max time (seconds) before | |
2952 | + * aborting connection attempt */ | |
2953 | + int number_of_password_prompts; /* Max number of password | |
2954 | + * prompts. */ | |
2955 | + int cipher; /* Cipher to use. */ | |
2956 | + char *ciphers; /* SSH2 ciphers in order of preference. */ | |
2957 | + char *macs; /* SSH2 macs in order of preference. */ | |
2958 | + char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ | |
2959 | + int protocol; /* Protocol in order of preference. */ | |
2960 | + char *hostname; /* Real host to connect. */ | |
2961 | + char *host_key_alias; /* hostname alias for .ssh/known_hosts */ | |
2962 | + char *proxy_command; /* Proxy command for connecting the host. */ | |
2963 | + char *user; /* User to log in as. */ | |
2964 | + int escape_char; /* Escape character; -2 = none */ | |
2965 | + | |
2966 | + char *system_hostfile;/* Path for /etc/ssh/ssh_known_hosts. */ | |
2967 | + char *user_hostfile; /* Path for $HOME/.ssh/known_hosts. */ | |
2968 | + char *system_hostfile2; | |
2969 | + char *user_hostfile2; | |
2970 | + char *preferred_authentications; | |
2971 | + char *bind_address; /* local socket address for connection to sshd */ | |
2972 | + char *smartcard_device; /* Smartcard reader device */ | |
2973 | + int verify_host_key_dns; /* Verify host key using DNS */ | |
2974 | + | |
2975 | + int num_identity_files; /* Number of files for RSA/DSA identities. */ | |
2976 | + char *identity_files[SSH_MAX_IDENTITY_FILES]; | |
2977 | + Key *identity_keys[SSH_MAX_IDENTITY_FILES]; | |
2978 | + | |
2979 | + /* Local TCP/IP forward requests. */ | |
2980 | + int num_local_forwards; | |
2981 | + Forward local_forwards[SSH_MAX_FORWARDS_PER_DIRECTION]; | |
2982 | + | |
2983 | + /* Remote TCP/IP forward requests. */ | |
2984 | + int num_remote_forwards; | |
2985 | + Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION]; | |
2986 | + int clear_forwardings; | |
2987 | + | |
2988 | + int enable_ssh_keysign; | |
2989 | + int64_t rekey_limit; | |
2990 | + int no_host_authentication_for_localhost; | |
2991 | + int identities_only; | |
2992 | + int server_alive_interval; | |
2993 | + int server_alive_count_max; | |
2994 | + | |
2995 | + int num_send_env; | |
2996 | + char *send_env[MAX_SEND_ENV]; | |
2997 | + | |
2998 | + char *control_path; | |
2999 | + int control_master; | |
3000 | + | |
3001 | + int hash_known_hosts; | |
3002 | + | |
3003 | + int tun_open; /* tun(4) */ | |
3004 | + int tun_local; /* force tun device (optional) */ | |
3005 | + int tun_remote; /* force tun device (optional) */ | |
3006 | + | |
3007 | + char *local_command; | |
3008 | + int permit_local_command; | |
3009 | + int visual_host_key; | |
3010 | + | |
3011 | +} Options; | |
3012 | + | |
3013 | +#define SSHCTL_MASTER_NO 0 | |
3014 | +#define SSHCTL_MASTER_YES 1 | |
3015 | +#define SSHCTL_MASTER_AUTO 2 | |
3016 | +#define SSHCTL_MASTER_ASK 3 | |
3017 | +#define SSHCTL_MASTER_AUTO_ASK 4 | |
3018 | + | |
3019 | +void initialize_options(Options *); | |
3020 | +void fill_default_options(Options *); | |
3021 | +int read_config_file(const char *, const char *, Options *, int); | |
3022 | +int parse_forward(Forward *, const char *, int, int); | |
3023 | + | |
3024 | +int | |
3025 | +process_config_line(Options *, const char *, char *, const char *, int, int *); | |
3026 | + | |
3027 | +void add_local_forward(Options *, const Forward *); | |
3028 | +void add_remote_forward(Options *, const Forward *); | |
3029 | + | |
3030 | +#endif /* READCONF_H */ | |
3031 | Common subdirectories: openssh-5.2p1-canonical/regress and openssh-5.2p1-hpn13v6/regress | |
3032 | Common subdirectories: openssh-5.2p1-canonical/scard and openssh-5.2p1-hpn13v6/scard | |
3033 | diff -NupwB openssh-5.2p1-canonical/scp.c openssh-5.2p1-hpn13v6/scp.c | |
3034 | --- openssh-5.2p1-canonical/scp.c 2008-11-03 03:23:45.000000000 -0500 | |
3035 | +++ openssh-5.2p1-hpn13v6/scp.c 2009-05-14 12:36:10.000000000 -0400 | |
3036 | @@ -632,7 +632,7 @@ source(int argc, char **argv) | |
3037 | off_t i, statbytes; | |
3038 | size_t amt; | |
3039 | int fd = -1, haderr, indx; | |
3040 | - char *last, *name, buf[2048], encname[MAXPATHLEN]; | |
3041 | + char *last, *name, buf[16384], encname[MAXPATHLEN]; | |
3042 | int len; | |
3043 | ||
3044 | for (indx = 0; indx < argc; ++indx) { | |
3045 | @@ -868,7 +868,7 @@ sink(int argc, char **argv) | |
3046 | mode_t mode, omode, mask; | |
3047 | off_t size, statbytes; | |
3048 | int setimes, targisdir, wrerrno = 0; | |
3049 | - char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; | |
3050 | + char ch, *cp, *np, *targ, *why, *vect[1], buf[16384]; | |
3051 | struct timeval tv[2]; | |
3052 | ||
3053 | #define atime tv[0] | |
3054 | diff -NupwB openssh-5.2p1-canonical/servconf.c openssh-5.2p1-hpn13v6/servconf.c | |
3055 | --- openssh-5.2p1-canonical/servconf.c 2009-01-28 00:31:23.000000000 -0500 | |
3056 | +++ openssh-5.2p1-hpn13v6/servconf.c 2009-05-14 12:36:10.000000000 -0400 | |
13a27647 | 3057 | @@ -132,6 +132,10 @@ |
0d5b2bd4 ER |
3058 | options->adm_forced_command = NULL; |
3059 | options->chroot_directory = NULL; | |
3060 | options->zero_knowledge_password_authentication = -1; | |
3061 | + options->none_enabled = -1; | |
3062 | + options->tcp_rcv_buf_poll = -1; | |
3063 | + options->hpn_disabled = -1; | |
3064 | + options->hpn_buffer_size = -1; | |
13a27647 ER |
3065 | #ifdef WITH_LDAP_PUBKEY |
3066 | /* XXX dirty */ | |
3067 | options->lpk.ld = NULL; | |
3068 | @@ -156,6 +160,11 @@ | |
0d5b2bd4 ER |
3069 | void |
3070 | fill_default_server_options(ServerOptions *options) | |
3071 | { | |
3072 | + /* needed for hpn socket tests */ | |
3073 | + int sock; | |
3074 | + int socksize; | |
3075 | + int socksizelen = sizeof(int); | |
3076 | + | |
3077 | /* Portable-specific options */ | |
3078 | if (options->use_pam == -1) | |
3079 | options->use_pam = 0; | |
3080 | @@ -262,6 +271,42 @@ fill_default_server_options(ServerOption | |
3081 | if (options->zero_knowledge_password_authentication == -1) | |
3082 | options->zero_knowledge_password_authentication = 0; | |
3083 | ||
3084 | + if (options->hpn_disabled == -1) | |
3085 | + options->hpn_disabled = 0; | |
3086 | + | |
3087 | + if (options->hpn_buffer_size == -1) { | |
3088 | + /* option not explicitly set. Now we have to figure out */ | |
3089 | + /* what value to use */ | |
3090 | + if (options->hpn_disabled == 1) { | |
3091 | + options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; | |
3092 | + } else { | |
3093 | + /* get the current RCV size and set it to that */ | |
3094 | + /*create a socket but don't connect it */ | |
3095 | + /* we use that the get the rcv socket size */ | |
3096 | + sock = socket(AF_INET, SOCK_STREAM, 0); | |
3097 | + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, | |
3098 | + &socksize, &socksizelen); | |
3099 | + close(sock); | |
3100 | + options->hpn_buffer_size = socksize; | |
3101 | + debug ("HPN Buffer Size: %d", options->hpn_buffer_size); | |
3102 | + | |
3103 | + } | |
3104 | + } else { | |
3105 | + /* we have to do this incase the user sets both values in a contradictory */ | |
3106 | + /* manner. hpn_disabled overrrides hpn_buffer_size*/ | |
3107 | + if (options->hpn_disabled <= 0) { | |
3108 | + if (options->hpn_buffer_size == 0) | |
3109 | + options->hpn_buffer_size = 1; | |
3110 | + /* limit the maximum buffer to 64MB */ | |
3111 | + if (options->hpn_buffer_size > 64*1024) { | |
3112 | + options->hpn_buffer_size = 64*1024*1024; | |
3113 | + } else { | |
3114 | + options->hpn_buffer_size *= 1024; | |
3115 | + } | |
3116 | + } else | |
3117 | + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; | |
3118 | + } | |
3119 | + | |
3120 | /* Turn privilege separation on by default */ | |
3121 | if (use_privsep == -1) | |
3122 | use_privsep = 1; | |
3123 | @@ -306,6 +351,7 @@ typedef enum { | |
3124 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | |
3125 | sUsePrivilegeSeparation, sAllowAgentForwarding, | |
3126 | sZeroKnowledgePasswordAuthentication, | |
3127 | + sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, | |
3128 | sDeprecated, sUnsupported | |
3129 | } ServerOpCodes; | |
3130 | ||
3131 | @@ -424,6 +470,10 @@ static struct { | |
3132 | { "permitopen", sPermitOpen, SSHCFG_ALL }, | |
3133 | { "forcecommand", sForceCommand, SSHCFG_ALL }, | |
3134 | { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, | |
3135 | + { "noneenabled", sNoneEnabled }, | |
3136 | + { "hpndisabled", sHPNDisabled }, | |
3137 | + { "hpnbuffersize", sHPNBufferSize }, | |
3138 | + { "tcprcvbufpoll", sTcpRcvBufPoll }, | |
3139 | { NULL, sBadOption, 0 } | |
3140 | }; | |
3141 | ||
3142 | @@ -450,6 +500,7 @@ parse_token(const char *cp, const char * | |
3143 | ||
3144 | for (i = 0; keywords[i].name; i++) | |
3145 | if (strcasecmp(cp, keywords[i].name) == 0) { | |
3146 | + debug ("Config token is %s", keywords[i].name); | |
3147 | *flags = keywords[i].flags; | |
3148 | return keywords[i].opcode; | |
3149 | } | |
3150 | @@ -847,6 +898,22 @@ process_server_config_line(ServerOptions | |
3151 | *intptr = value; | |
3152 | break; | |
3153 | ||
3154 | + case sNoneEnabled: | |
3155 | + intptr = &options->none_enabled; | |
3156 | + goto parse_flag; | |
3157 | + | |
3158 | + case sTcpRcvBufPoll: | |
3159 | + intptr = &options->tcp_rcv_buf_poll; | |
3160 | + goto parse_flag; | |
3161 | + | |
3162 | + case sHPNDisabled: | |
3163 | + intptr = &options->hpn_disabled; | |
3164 | + goto parse_flag; | |
3165 | + | |
3166 | + case sHPNBufferSize: | |
3167 | + intptr = &options->hpn_buffer_size; | |
3168 | + goto parse_int; | |
3169 | + | |
3170 | case sIgnoreUserKnownHosts: | |
3171 | intptr = &options->ignore_user_known_hosts; | |
3172 | goto parse_flag; | |
3173 | diff -NupwB openssh-5.2p1-canonical/servconf.h openssh-5.2p1-hpn13v6/servconf.h | |
3174 | --- openssh-5.2p1-canonical/servconf.h 2009-01-28 00:31:23.000000000 -0500 | |
3175 | +++ openssh-5.2p1-hpn13v6/servconf.h 2009-05-14 12:36:10.000000000 -0400 | |
3176 | @@ -145,6 +145,10 @@ typedef struct { | |
3177 | char *adm_forced_command; | |
3178 | ||
3179 | int use_pam; /* Enable auth via PAM */ | |
3180 | + int none_enabled; /* enable NONE cipher switch */ | |
3181 | + int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/ | |
3182 | + int hpn_disabled; /* disable hpn functionality. false by default */ | |
3183 | + int hpn_buffer_size; /* set the hpn buffer size - default 3MB */ | |
3184 | ||
3185 | int permit_tun; | |
3186 | ||
3187 | diff -NupwB openssh-5.2p1-canonical/serverloop.c openssh-5.2p1-hpn13v6/serverloop.c | |
3188 | --- openssh-5.2p1-canonical/serverloop.c 2009-02-14 00:33:09.000000000 -0500 | |
3189 | +++ openssh-5.2p1-hpn13v6/serverloop.c 2009-05-14 12:36:10.000000000 -0400 | |
3190 | @@ -93,10 +93,10 @@ static int fdin; /* Descriptor for stdi | |
3191 | static int fdout; /* Descriptor for stdout (for reading); | |
3192 | May be same number as fdin. */ | |
3193 | static int fderr; /* Descriptor for stderr. May be -1. */ | |
3194 | -static long stdin_bytes = 0; /* Number of bytes written to stdin. */ | |
3195 | -static long stdout_bytes = 0; /* Number of stdout bytes sent to client. */ | |
3196 | -static long stderr_bytes = 0; /* Number of stderr bytes sent to client. */ | |
3197 | -static long fdout_bytes = 0; /* Number of stdout bytes read from program. */ | |
3198 | +static u_long stdin_bytes = 0; /* Number of bytes written to stdin. */ | |
3199 | +static u_long stdout_bytes = 0; /* Number of stdout bytes sent to client. */ | |
3200 | +static u_long stderr_bytes = 0; /* Number of stderr bytes sent to client. */ | |
3201 | +static u_long fdout_bytes = 0; /* Number of stdout bytes read from program. */ | |
3202 | static int stdin_eof = 0; /* EOF message received from client. */ | |
3203 | static int fdout_eof = 0; /* EOF encountered reading from fdout. */ | |
3204 | static int fderr_eof = 0; /* EOF encountered readung from fderr. */ | |
3205 | @@ -121,6 +121,20 @@ static volatile sig_atomic_t received_si | |
3206 | static void server_init_dispatch(void); | |
3207 | ||
3208 | /* | |
3209 | + * Returns current time in seconds from Jan 1, 1970 with the maximum | |
3210 | + * available resolution. | |
3211 | + */ | |
3212 | + | |
3213 | +static double | |
3214 | +get_current_time(void) | |
3215 | +{ | |
3216 | + struct timeval tv; | |
3217 | + gettimeofday(&tv, NULL); | |
3218 | + return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0; | |
3219 | +} | |
3220 | + | |
3221 | + | |
3222 | +/* | |
3223 | * we write to this pipe if a SIGCHLD is caught in order to avoid | |
3224 | * the race between select() and child_terminated | |
3225 | */ | |
3226 | @@ -410,6 +424,7 @@ process_input(fd_set *readset) | |
3227 | } else { | |
3228 | /* Buffer any received data. */ | |
3229 | packet_process_incoming(buf, len); | |
3230 | + fdout_bytes += len; | |
3231 | } | |
3232 | } | |
3233 | if (compat20) | |
3234 | @@ -432,6 +447,7 @@ process_input(fd_set *readset) | |
3235 | } else { | |
3236 | buffer_append(&stdout_buffer, buf, len); | |
3237 | fdout_bytes += len; | |
3238 | + debug ("FD out now: %ld", fdout_bytes); | |
3239 | } | |
3240 | } | |
3241 | /* Read and buffer any available stderr data from the program. */ | |
3242 | @@ -499,7 +515,7 @@ process_output(fd_set *writeset) | |
3243 | } | |
3244 | /* Send any buffered packet data to the client. */ | |
3245 | if (FD_ISSET(connection_out, writeset)) | |
3246 | - packet_write_poll(); | |
3247 | + stdin_bytes += packet_write_poll(); | |
3248 | } | |
3249 | ||
3250 | /* | |
3251 | @@ -816,8 +832,10 @@ server_loop2(Authctxt *authctxt) | |
3252 | { | |
3253 | fd_set *readset = NULL, *writeset = NULL; | |
3254 | int rekeying = 0, max_fd, nalloc = 0; | |
3255 | + double start_time, total_time; | |
3256 | ||
3257 | debug("Entering interactive session for SSH2."); | |
3258 | + start_time = get_current_time(); | |
3259 | ||
3260 | mysignal(SIGCHLD, sigchld_handler); | |
3261 | child_terminated = 0; | |
3262 | @@ -879,6 +897,11 @@ server_loop2(Authctxt *authctxt) | |
3263 | ||
3264 | /* free remaining sessions, e.g. remove wtmp entries */ | |
3265 | session_destroy_all(NULL); | |
3266 | + total_time = get_current_time() - start_time; | |
3267 | + logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f", | |
3268 | + get_remote_ipaddr(), get_remote_port(), | |
3269 | + stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time, | |
3270 | + fdout_bytes / total_time); | |
3271 | } | |
3272 | ||
3273 | static void | |
3274 | @@ -994,8 +1017,12 @@ server_request_tun(void) | |
3275 | sock = tun_open(tun, mode); | |
3276 | if (sock < 0) | |
3277 | goto done; | |
3278 | + if (options.hpn_disabled) | |
3279 | c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, | |
3280 | CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); | |
3281 | + else | |
3282 | + c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, | |
3283 | + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); | |
3284 | c->datagram = 1; | |
3285 | #if defined(SSH_TUN_FILTER) | |
3286 | if (mode == SSH_TUNMODE_POINTOPOINT) | |
3287 | @@ -1031,6 +1058,8 @@ server_request_session(void) | |
3288 | c = channel_new("session", SSH_CHANNEL_LARVAL, | |
3289 | -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, | |
3290 | 0, "server-session", 1); | |
3291 | + if ((options.tcp_rcv_buf_poll) && (!options.hpn_disabled)) | |
3292 | + c->dynamic_window = 1; | |
3293 | if (session_open(the_authctxt, c->self) != 1) { | |
3294 | debug("session open failed, free channel %d", c->self); | |
3295 | channel_free(c); | |
3296 | diff -NupwB openssh-5.2p1-canonical/session.c openssh-5.2p1-hpn13v6/session.c | |
3297 | --- openssh-5.2p1-canonical/session.c 2009-01-28 00:29:49.000000000 -0500 | |
3298 | +++ openssh-5.2p1-hpn13v6/session.c 2009-05-14 12:36:10.000000000 -0400 | |
3299 | @@ -230,6 +230,7 @@ auth_input_request_forwarding(struct pas | |
3300 | } | |
3301 | ||
3302 | /* Allocate a channel for the authentication agent socket. */ | |
3303 | + /* this shouldn't matter if its hpn or not - cjr */ | |
3304 | nc = channel_new("auth socket", | |
3305 | SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1, | |
3306 | CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, | |
3307 | @@ -2301,10 +2302,16 @@ session_set_fds(Session *s, int fdin, in | |
3308 | */ | |
3309 | if (s->chanid == -1) | |
3310 | fatal("no channel for session %d", s->self); | |
3311 | + if (options.hpn_disabled) | |
3312 | channel_set_fds(s->chanid, | |
3313 | fdout, fdin, fderr, | |
3314 | fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, | |
3315 | 1, is_tty, CHAN_SES_WINDOW_DEFAULT); | |
3316 | + else | |
3317 | + channel_set_fds(s->chanid, | |
3318 | + fdout, fdin, fderr, | |
3319 | + fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, | |
3320 | + 1, is_tty, options.hpn_buffer_size); | |
3321 | } | |
3322 | ||
3323 | /* | |
3324 | diff -NupwB openssh-5.2p1-canonical/sftp.1 openssh-5.2p1-hpn13v6/sftp.1 | |
3325 | --- openssh-5.2p1-canonical/sftp.1 2009-01-28 00:14:09.000000000 -0500 | |
3326 | +++ openssh-5.2p1-hpn13v6/sftp.1 2009-05-14 12:36:10.000000000 -0400 | |
3327 | @@ -203,7 +203,8 @@ This option may be useful in debugging t | |
3328 | Specify how many requests may be outstanding at any one time. | |
3329 | Increasing this may slightly improve file transfer speed | |
3330 | but will increase memory usage. | |
3331 | -The default is 64 outstanding requests. | |
3332 | +The default is 256 outstanding requests providing for 8MB | |
3333 | +of outstanding data with a 32KB buffer. | |
3334 | .It Fl S Ar program | |
3335 | Name of the | |
3336 | .Ar program | |
3337 | diff -NupwB openssh-5.2p1-canonical/sftp.c openssh-5.2p1-hpn13v6/sftp.c | |
3338 | --- openssh-5.2p1-canonical/sftp.c 2009-02-14 00:26:19.000000000 -0500 | |
3339 | +++ openssh-5.2p1-hpn13v6/sftp.c 2009-05-14 12:36:10.000000000 -0400 | |
3340 | @@ -75,7 +75,7 @@ int batchmode = 0; | |
3341 | size_t copy_buffer_len = 32768; | |
3342 | ||
3343 | /* Number of concurrent outstanding requests */ | |
3344 | -size_t num_requests = 64; | |
3345 | +size_t num_requests = 256; | |
3346 | ||
3347 | /* PID of ssh transport process */ | |
3348 | static pid_t sshpid = -1; | |
3349 | diff -NupwB openssh-5.2p1-canonical/ssh.c openssh-5.2p1-hpn13v6/ssh.c | |
3350 | --- openssh-5.2p1-canonical/ssh.c 2009-02-14 00:28:21.000000000 -0500 | |
3351 | +++ openssh-5.2p1-hpn13v6/ssh.c 2009-05-14 12:36:10.000000000 -0400 | |
3352 | @@ -492,9 +492,6 @@ main(int ac, char **av) | |
3353 | no_shell_flag = 1; | |
3354 | no_tty_flag = 1; | |
3355 | break; | |
3356 | - case 'T': | |
3357 | - no_tty_flag = 1; | |
3358 | - break; | |
3359 | case 'o': | |
3360 | dummy = 1; | |
3361 | line = xstrdup(optarg); | |
3362 | @@ -503,6 +500,13 @@ main(int ac, char **av) | |
3363 | exit(255); | |
0fab2cab | 3364 | free(line); |
0d5b2bd4 ER |
3365 | break; |
3366 | + case 'T': | |
3367 | + no_tty_flag = 1; | |
3368 | + /* ensure that the user doesn't try to backdoor a */ | |
3369 | + /* null cipher switch on an interactive session */ | |
3370 | + /* so explicitly disable it no matter what */ | |
3371 | + options.none_switch=0; | |
3372 | + break; | |
3373 | case 's': | |
3374 | subsystem_flag = 1; | |
3375 | break; | |
3376 | @@ -1142,6 +1146,9 @@ ssh_session2_open(void) | |
3377 | { | |
3378 | Channel *c; | |
3379 | int window, packetmax, in, out, err; | |
3380 | + int sock; | |
3381 | + int socksize; | |
3382 | + int socksizelen = sizeof(int); | |
3383 | ||
3384 | if (stdin_null_flag) { | |
3385 | in = open(_PATH_DEVNULL, O_RDONLY); | |
3386 | @@ -1162,9 +1169,75 @@ ssh_session2_open(void) | |
3387 | if (!isatty(err)) | |
3388 | set_nonblock(err); | |
3389 | ||
3390 | - window = CHAN_SES_WINDOW_DEFAULT; | |
3391 | + /* we need to check to see if what they want to do about buffer */ | |
3392 | + /* sizes here. In a hpn to nonhpn connection we want to limit */ | |
3393 | + /* the window size to something reasonable in case the far side */ | |
3394 | + /* has the large window bug. In hpn to hpn connection we want to */ | |
3395 | + /* use the max window size but allow the user to override it */ | |
3396 | + /* lastly if they disabled hpn then use the ssh std window size */ | |
3397 | + | |
3398 | + /* so why don't we just do a getsockopt() here and set the */ | |
3399 | + /* ssh window to that? In the case of a autotuning receive */ | |
3400 | + /* window the window would get stuck at the initial buffer */ | |
3401 | + /* size generally less than 96k. Therefore we need to set the */ | |
3402 | + /* maximum ssh window size to the maximum hpn buffer size */ | |
3403 | + /* unless the user has specifically set the tcprcvbufpoll */ | |
3404 | + /* to no. In which case we *can* just set the window to the */ | |
3405 | + /* minimum of the hpn buffer size and tcp receive buffer size */ | |
3406 | + | |
3407 | + if (tty_flag) | |
3408 | + options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; | |
3409 | + else | |
3410 | + options.hpn_buffer_size = 2*1024*1024; | |
3411 | + | |
3412 | + if (datafellows & SSH_BUG_LARGEWINDOW) | |
3413 | + { | |
3414 | + debug("HPN to Non-HPN Connection"); | |
3415 | + } | |
3416 | + else | |
3417 | + { | |
3418 | + if (options.tcp_rcv_buf_poll <= 0) | |
3419 | + { | |
3420 | + sock = socket(AF_INET, SOCK_STREAM, 0); | |
3421 | + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, | |
3422 | + &socksize, &socksizelen); | |
3423 | + close(sock); | |
3424 | + debug("socksize %d", socksize); | |
3425 | + options.hpn_buffer_size = socksize; | |
3426 | + debug ("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size); | |
3427 | + } | |
3428 | + else | |
3429 | + { | |
3430 | + if (options.tcp_rcv_buf > 0) | |
3431 | + { | |
3432 | + /*create a socket but don't connect it */ | |
3433 | + /* we use that the get the rcv socket size */ | |
3434 | + sock = socket(AF_INET, SOCK_STREAM, 0); | |
3435 | + /* if they are using the tcp_rcv_buf option */ | |
3436 | + /* attempt to set the buffer size to that */ | |
3437 | + if (options.tcp_rcv_buf) | |
3438 | + setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (void *)&options.tcp_rcv_buf, | |
3439 | + sizeof(options.tcp_rcv_buf)); | |
3440 | + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, | |
3441 | + &socksize, &socksizelen); | |
3442 | + close(sock); | |
3443 | + debug("socksize %d", socksize); | |
3444 | + options.hpn_buffer_size = socksize; | |
3445 | + debug ("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size); | |
3446 | + } | |
3447 | + } | |
3448 | + | |
3449 | + } | |
3450 | + | |
3451 | + debug("Final hpn_buffer_size = %d", options.hpn_buffer_size); | |
3452 | + | |
3453 | + window = options.hpn_buffer_size; | |
3454 | + | |
3455 | + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); | |
3456 | + | |
3457 | packetmax = CHAN_SES_PACKET_DEFAULT; | |
3458 | if (tty_flag) { | |
3459 | + window = 4*CHAN_SES_PACKET_DEFAULT; | |
3460 | window >>= 1; | |
3461 | packetmax >>= 1; | |
3462 | } | |
3463 | @@ -1172,7 +1245,10 @@ ssh_session2_open(void) | |
3464 | "session", SSH_CHANNEL_OPENING, in, out, err, | |
3465 | window, packetmax, CHAN_EXTENDED_WRITE, | |
3466 | "client-session", /*nonblock*/0); | |
3467 | - | |
3468 | + if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) { | |
3469 | + c->dynamic_window = 1; | |
3470 | + debug ("Enabled Dynamic Window Scaling\n"); | |
3471 | + } | |
3472 | debug3("ssh_session2_open: channel_new: %d", c->self); | |
3473 | ||
3474 | channel_send_open(c->self); | |
3475 | diff -NupwB openssh-5.2p1-canonical/sshconnect2.c openssh-5.2p1-hpn13v6/sshconnect2.c | |
3476 | --- openssh-5.2p1-canonical/sshconnect2.c 2008-11-05 00:20:47.000000000 -0500 | |
3477 | +++ openssh-5.2p1-hpn13v6/sshconnect2.c 2009-05-14 12:36:10.000000000 -0400 | |
3478 | @@ -78,6 +78,12 @@ | |
3479 | extern char *client_version_string; | |
3480 | extern char *server_version_string; | |
3481 | extern Options options; | |
3482 | +extern Kex *xxx_kex; | |
3483 | + | |
3484 | +/* tty_flag is set in ssh.c. use this in ssh_userauth2 */ | |
3485 | +/* if it is set then prevent the switch to the null cipher */ | |
3486 | + | |
3487 | +extern int tty_flag; | |
3488 | ||
3489 | /* | |
3490 | * SSH2 key exchange | |
3491 | @@ -350,6 +356,28 @@ ssh_userauth2(const char *local_user, co | |
3492 | pubkey_cleanup(&authctxt); | |
3493 | dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL); | |
3494 | ||
3495 | + /* if the user wants to use the none cipher do it */ | |
3496 | + /* post authentication and only if the right conditions are met */ | |
3497 | + /* both of the NONE commands must be true and there must be no */ | |
3498 | + /* tty allocated */ | |
3499 | + if ((options.none_switch == 1) && (options.none_enabled == 1)) | |
3500 | + { | |
3501 | + if (!tty_flag) /* no null on tty sessions */ | |
3502 | + { | |
3503 | + debug("Requesting none rekeying..."); | |
3504 | + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; | |
3505 | + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; | |
3506 | + kex_prop2buf(&xxx_kex->my,myproposal); | |
3507 | + packet_request_rekeying(); | |
3508 | + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); | |
3509 | + } | |
3510 | + else | |
3511 | + { | |
3512 | + /* requested NONE cipher when in a tty */ | |
3513 | + debug("Cannot switch to NONE cipher with tty allocated"); | |
3514 | + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); | |
3515 | + } | |
3516 | + } | |
3517 | debug("Authentication succeeded (%s).", authctxt.method->name); | |
3518 | } | |
3519 | ||
3520 | diff -NupwB openssh-5.2p1-canonical/sshconnect.c openssh-5.2p1-hpn13v6/sshconnect.c | |
3521 | --- openssh-5.2p1-canonical/sshconnect.c 2009-02-01 06:19:54.000000000 -0500 | |
3522 | +++ openssh-5.2p1-hpn13v6/sshconnect.c 2009-05-14 12:36:10.000000000 -0400 | |
3523 | @@ -165,6 +165,31 @@ ssh_proxy_connect(const char *host, u_sh | |
3524 | } | |
3525 | ||
3526 | /* | |
3527 | + * Set TCP receive buffer if requested. | |
3528 | + * Note: tuning needs to happen after the socket is | |
3529 | + * created but before the connection happens | |
3530 | + * so winscale is negotiated properly -cjr | |
3531 | + */ | |
3532 | +static void | |
3533 | +ssh_set_socket_recvbuf(int sock) | |
3534 | +{ | |
3535 | + void *buf = (void *)&options.tcp_rcv_buf; | |
3536 | + int sz = sizeof(options.tcp_rcv_buf); | |
3537 | + int socksize; | |
3538 | + int socksizelen = sizeof(int); | |
3539 | + | |
3540 | + debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf); | |
3541 | + if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) { | |
3542 | + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen); | |
3543 | + debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize); | |
3544 | + } | |
3545 | + else | |
3546 | + error("Couldn't set socket receive buffer to %d: %.100s", | |
3547 | + options.tcp_rcv_buf, strerror(errno)); | |
3548 | +} | |
3549 | + | |
3550 | + | |
3551 | +/* | |
3552 | * Creates a (possibly privileged) socket for use as the ssh connection. | |
3553 | */ | |
3554 | static int | |
3555 | @@ -187,12 +212,18 @@ ssh_create_socket(int privileged, struct | |
3556 | strerror(errno)); | |
3557 | else | |
3558 | debug("Allocated local port %d.", p); | |
3559 | + | |
3560 | + if (options.tcp_rcv_buf > 0) | |
3561 | + ssh_set_socket_recvbuf(sock); | |
3562 | return sock; | |
3563 | } | |
3564 | sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); | |
3565 | if (sock < 0) | |
3566 | error("socket: %.100s", strerror(errno)); | |
3567 | ||
3568 | + if (options.tcp_rcv_buf > 0) | |
3569 | + ssh_set_socket_recvbuf(sock); | |
3570 | + | |
3571 | /* Bind the socket to an alternative local IP address */ | |
3572 | if (options.bind_address == NULL) | |
3573 | return sock; | |
3574 | @@ -536,7 +567,7 @@ ssh_exchange_identification(int timeout_ | |
3575 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", | |
3576 | compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, | |
3577 | compat20 ? PROTOCOL_MINOR_2 : minor1, | |
3578 | - SSH_VERSION, compat20 ? "\r\n" : "\n"); | |
3579 | + SSH_RELEASE, compat20 ? "\r\n" : "\n"); | |
3580 | if (atomicio(vwrite, connection_out, buf, strlen(buf)) != strlen(buf)) | |
3581 | fatal("write: %.100s", strerror(errno)); | |
3582 | client_version_string = xstrdup(buf); | |
3583 | diff -NupwB openssh-5.2p1-canonical/sshd.c openssh-5.2p1-hpn13v6/sshd.c | |
3584 | --- openssh-5.2p1-canonical/sshd.c 2009-01-28 00:31:23.000000000 -0500 | |
3585 | +++ openssh-5.2p1-hpn13v6/sshd.c 2009-05-14 12:36:10.000000000 -0400 | |
3586 | @@ -136,6 +136,9 @@ int deny_severity; | |
3587 | #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3) | |
3588 | #define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4) | |
3589 | ||
3590 | +int myflag = 0; | |
3591 | + | |
3592 | + | |
3593 | extern char *__progname; | |
3594 | ||
3595 | /* Server configuration options. */ | |
3596 | @@ -415,7 +418,7 @@ sshd_exchange_identification(int sock_in | |
3597 | minor = PROTOCOL_MINOR_1; | |
3598 | } | |
3599 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, | |
3600 | - SSH_VERSION, newline); | |
3601 | + SSH_RELEASE, newline); | |
3602 | server_version_string = xstrdup(buf); | |
3603 | ||
3604 | /* Send our protocol version identification. */ | |
3605 | @@ -466,6 +469,9 @@ sshd_exchange_identification(int sock_in | |
3606 | } | |
3607 | debug("Client protocol version %d.%d; client software version %.100s", | |
3608 | remote_major, remote_minor, remote_version); | |
3609 | + logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s", | |
3610 | + get_remote_ipaddr(), get_remote_port(), | |
3611 | + remote_major, remote_minor, remote_version); | |
3612 | ||
3613 | compat_datafellows(remote_version); | |
3614 | ||
3615 | @@ -944,6 +950,8 @@ server_listen(void) | |
3616 | int ret, listen_sock, on = 1; | |
3617 | struct addrinfo *ai; | |
3618 | char ntop[NI_MAXHOST], strport[NI_MAXSERV]; | |
3619 | + int socksize; | |
3620 | + int socksizelen = sizeof(int); | |
3621 | ||
3622 | for (ai = options.listen_addrs; ai; ai = ai->ai_next) { | |
3623 | if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) | |
3624 | @@ -990,6 +998,11 @@ server_listen(void) | |
3625 | ||
3626 | debug("Bind to port %s on %s.", strport, ntop); | |
3627 | ||
3628 | + getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, | |
3629 | + &socksize, &socksizelen); | |
3630 | + debug("Server TCP RWIN socket size: %d", socksize); | |
3631 | + debug("HPN Buffer Size: %d", options.hpn_buffer_size); | |
3632 | + | |
3633 | /* Bind the socket to the desired port. */ | |
3634 | if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { | |
3635 | error("Bind to port %s on %s failed: %.200s.", | |
3636 | @@ -1817,6 +1830,9 @@ main(int ac, char **av) | |
3637 | /* Log the connection. */ | |
3638 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | |
3639 | ||
3640 | + /* set the HPN options for the child */ | |
3641 | + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); | |
3642 | + | |
3643 | /* | |
3644 | * We don't want to listen forever unless the other side | |
3645 | * successfully authenticates itself. So we set up an alarm which is | |
3646 | @@ -2171,9 +2187,15 @@ do_ssh2_kex(void) | |
3647 | { | |
3648 | Kex *kex; | |
3649 | ||
3650 | + myflag++; | |
3651 | + debug ("MYFLAG IS %d", myflag); | |
3652 | if (options.ciphers != NULL) { | |
3653 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | |
3654 | myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; | |
3655 | + } else if (options.none_enabled == 1) { | |
3656 | + debug ("WARNING: None cipher enabled"); | |
3657 | + myproposal[PROPOSAL_ENC_ALGS_CTOS] = | |
3658 | + myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE; | |
3659 | } | |
3660 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | |
3661 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); | |
3662 | diff -NupwB openssh-5.2p1-canonical/sshd_config openssh-5.2p1-hpn13v6/sshd_config | |
3663 | --- openssh-5.2p1-canonical/sshd_config 2008-07-02 08:35:43.000000000 -0400 | |
3664 | +++ openssh-5.2p1-hpn13v6/sshd_config 2009-05-14 12:36:10.000000000 -0400 | |
3665 | @@ -112,6 +112,20 @@ Protocol 2 | |
3666 | # override default of no subsystems | |
3667 | Subsystem sftp /usr/libexec/sftp-server | |
3668 | ||
3669 | +# the following are HPN related configuration options | |
3670 | +# tcp receive buffer polling. disable in non autotuning kernels | |
3671 | +#TcpRcvBufPoll yes | |
3672 | + | |
3673 | +# allow the use of the none cipher | |
3674 | +#NoneEnabled no | |
3675 | + | |
3676 | +# disable hpn performance boosts. | |
3677 | +#HPNDisabled no | |
3678 | + | |
3679 | +# buffer size for hpn to non-hpn connections | |
3680 | +#HPNBufferSize 2048 | |
3681 | + | |
3682 | + | |
3683 | # Example of overriding settings on a per-user basis | |
3684 | #Match User anoncvs | |
3685 | # X11Forwarding no | |
3686 | diff -NupwB openssh-5.2p1-canonical/version.h openssh-5.2p1-hpn13v6/version.h | |
3687 | --- openssh-5.2p1-canonical/version.h 2009-02-22 19:09:26.000000000 -0500 | |
3688 | +++ openssh-5.2p1-hpn13v6/version.h 2009-05-14 12:42:05.000000000 -0400 | |
3689 | @@ -3,4 +3,5 @@ | |
3690 | #define SSH_VERSION "OpenSSH_5.2" | |
3691 | ||
3692 | #define SSH_PORTABLE "p1" | |
3693 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | |
3694 | +#define SSH_HPN "-hpn13v6" | |
3695 | +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN |