]> git.pld-linux.org Git - packages/openssh.git/blame - openssh-5.2p1-hpn13v6.diff
projects / packages / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
add missing backslash
[packages/openssh.git] / openssh-5.2p1-hpn13v6.diff
CommitLineData
0d5b2bd4
ER		 1diff -NupwB openssh-5.2p1-canonical/auth2.c openssh-5.2p1-hpn13v6/auth2.c
2--- openssh-5.2p1-canonical/auth2.c 2008-11-05 00:20:46.000000000 -0500
3+++ openssh-5.2p1-hpn13v6/auth2.c 2009-05-14 12:36:10.000000000 -0400
4@@ -49,6 +49,7 @@
5 #include "dispatch.h"
6 #include "pathnames.h"
7 #include "buffer.h"
8+#include "canohost.h"
9
10 #ifdef GSSAPI
11 #include "ssh-gss.h"
12@@ -75,6 +76,9 @@ extern Authmethod method_gssapi;
13 extern Authmethod method_jpake;
14 #endif
15
16+static int log_flag = 0;
17+
18+
19 Authmethod *authmethods[] = {
20 &method_none,
21 &method_pubkey,
22@@ -225,6 +229,11 @@ input_userauth_request(int type, u_int32
23 service = packet_get_string(NULL);
24 method = packet_get_string(NULL);
25 debug("userauth-request for user %s service %s method %s", user, service, method);
26+ if (!log_flag) {
27+ logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",
28+ get_remote_ipaddr(), get_remote_port(), user);
29+ log_flag = 1;
30+ }
31 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
32
33 if ((style = strchr(user, ':')) != NULL)
34diff -NupwB openssh-5.2p1-canonical/buffer.c openssh-5.2p1-hpn13v6/buffer.c
35--- openssh-5.2p1-canonical/buffer.c 2006-08-04 22:39:39.000000000 -0400
36+++ openssh-5.2p1-hpn13v6/buffer.c 2009-05-14 12:36:10.000000000 -0400
37@@ -127,7 +127,7 @@ restart:
38
39 /* Increase the size of the buffer and retry. */
40 newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
41- if (newlen > BUFFER_MAX_LEN)
42+ if (newlen > BUFFER_MAX_LEN_HPN)
43 fatal("buffer_append_space: alloc %u not supported",
44 newlen);
45 buffer->buf = xrealloc(buffer->buf, 1, newlen);
46diff -NupwB openssh-5.2p1-canonical/buffer.h openssh-5.2p1-hpn13v6/buffer.h
47--- openssh-5.2p1-canonical/buffer.h 2008-05-19 00:59:37.000000000 -0400
48+++ openssh-5.2p1-hpn13v6/buffer.h 2009-05-14 12:36:10.000000000 -0400
49@@ -16,6 +16,9 @@
50 #ifndef BUFFER_H
51 #define BUFFER_H
52
53+/* move the following to a more appropriate place and name */
54+#define BUFFER_MAX_LEN_HPN 0x4000000 /* 64MB */
55+
56 typedef struct {
57 u_char *buf; /* Buffer for data. */
58 u_int alloc; /* Number of bytes allocated for data. */
59diff -NupwB openssh-5.2p1-canonical/channels.c openssh-5.2p1-hpn13v6/channels.c
60--- openssh-5.2p1-canonical/channels.c 2009-02-14 00:28:21.000000000 -0500
61+++ openssh-5.2p1-hpn13v6/channels.c 2009-05-14 12:36:10.000000000 -0400
62@@ -169,8 +169,14 @@ static void port_open_helper(Channel *c,
63 static int connect_next(struct channel_connect *);
64 static void channel_connect_ctx_free(struct channel_connect *);
65
66+
67+static int hpn_disabled = 0;
68+static int hpn_buffer_size = 2 * 1024 * 1024;
69+
70 /* -- channel core */
71
72+
73+
74 Channel *
75 channel_by_id(int id)
76 {
77@@ -308,6 +314,7 @@ channel_new(char *ctype, int type, int r
78 c->local_window_max = window;
79 c->local_consumed = 0;
80 c->local_maxpacket = maxpack;
81+ c->dynamic_window = 0;
82 c->remote_id = -1;
83 c->remote_name = xstrdup(remote_name);
84 c->remote_window = 0;
85@@ -798,11 +805,35 @@ channel_pre_open_13(Channel *c, fd_set *
86 FD_SET(c->sock, writeset);
87 }
88
89+int channel_tcpwinsz () {
90+ u_int32_t tcpwinsz = 0;
91+ socklen_t optsz = sizeof(tcpwinsz);
92+ int ret = -1;
93+
94+ /* if we aren't on a socket return 128KB*/
95+ if(!packet_connection_is_on_socket())
96+ return(128*1024);
97+ ret = getsockopt(packet_get_connection_in(),
98+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
99+ /* return no more than 64MB */
100+ if ((ret == 0) && tcpwinsz > BUFFER_MAX_LEN_HPN)
101+ tcpwinsz = BUFFER_MAX_LEN_HPN;
102+ debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
103+ packet_get_connection_in());
104+ return(tcpwinsz);
105+}
106+
107 static void
108 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
109 {
110 u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
111
112+ /* check buffer limits */
113+ if ((!c->tcpwinsz) || (c->dynamic_window > 0))
114+ c->tcpwinsz = channel_tcpwinsz();
115+
116+ limit = MIN(limit, 2 * c->tcpwinsz);
117+
118 if (c->istate == CHAN_INPUT_OPEN &&
119 limit > 0 &&
120 buffer_len(&c->input) < limit &&
121@@ -1759,14 +1790,21 @@ channel_check_window(Channel *c)
122 c->local_maxpacket*3) ||
123 c->local_window < c->local_window_max/2) &&
124 c->local_consumed > 0) {
125+ u_int addition = 0;
126+ /* adjust max window size if we are in a dynamic environment */
127+ if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
128+ /* grow the window somewhat aggressively to maintain pressure */
129+ addition = 1.5*(c->tcpwinsz - c->local_window_max);
130+ c->local_window_max += addition;
131+ }
132 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
133 packet_put_int(c->remote_id);
134- packet_put_int(c->local_consumed);
135+ packet_put_int(c->local_consumed + addition);
136 packet_send();
137 debug2("channel %d: window %d sent adjust %d",
138 c->self, c->local_window,
139 c->local_consumed);
140- c->local_window += c->local_consumed;
141+ c->local_window += c->local_consumed + addition;
142 c->local_consumed = 0;
143 }
144 return 1;
145@@ -1969,11 +2007,12 @@ channel_after_select(fd_set *readset, fd
146
147
148 /* If there is data to send to the connection, enqueue some of it now. */
149-void
150+int
151 channel_output_poll(void)
152 {
153 Channel *c;
154 u_int i, len;
155+ int packet_length = 0;
156
157 for (i = 0; i < channels_alloc; i++) {
158 c = channels[i];
159@@ -2013,7 +2052,7 @@ channel_output_poll(void)
160 packet_start(SSH2_MSG_CHANNEL_DATA);
161 packet_put_int(c->remote_id);
162 packet_put_string(data, dlen);
163- packet_send();
164+ packet_length = packet_send();
165 c->remote_window -= dlen + 4;
0fab2cab 166 free(data);
0d5b2bd4
ER		 167 }
168@@ -2043,7 +2082,7 @@ channel_output_poll(void)
169 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
170 packet_put_int(c->remote_id);
171 packet_put_string(buffer_ptr(&c->input), len);
172- packet_send();
173+ packet_length = packet_send();
174 buffer_consume(&c->input, len);
175 c->remote_window -= len;
176 }
177@@ -2078,12 +2117,13 @@ channel_output_poll(void)
178 packet_put_int(c->remote_id);
179 packet_put_int(SSH2_EXTENDED_DATA_STDERR);
180 packet_put_string(buffer_ptr(&c->extended), len);
181- packet_send();
182+ packet_length = packet_send();
183 buffer_consume(&c->extended, len);
184 c->remote_window -= len;
185 debug2("channel %d: sent ext data %d", c->self, len);
186 }
187 }
188+ return (packet_length);
189 }
190
191
192@@ -2459,6 +2499,15 @@ channel_set_af(int af)
193 IPv4or6 = af;
194 }
195
196+
197+void
198+channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
199+{
200+ hpn_disabled = external_hpn_disabled;
201+ hpn_buffer_size = external_hpn_buffer_size;
202+ debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
203+}
204+
205 static int
206 channel_setup_fwd_listener(int type, const char *listen_addr,
207 u_short listen_port, int *allocated_listen_port,
208@@ -2610,9 +2659,15 @@ channel_setup_fwd_listener(int type, con
209 }
210
211 /* Allocate a channel number for the socket. */
212+ /* explicitly test for hpn disabled option. if true use smaller window size */
213+ if (hpn_disabled)
214 c = channel_new("port listener", type, sock, sock, -1,
215 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
216 0, "port listener", 1);
217+ else
218+ c = channel_new("port listener", type, sock, sock, -1,
219+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
220+ 0, "port listener", 1);
221 c->path = xstrdup(host);
222 c->host_port = port_to_connect;
223 c->listening_port = listen_port;
224@@ -3151,10 +3206,17 @@ x11_create_display_inet(int x11_display_
225 *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
226 for (n = 0; n < num_socks; n++) {
227 sock = socks[n];
228+ /* Is this really necassary? */
229+ if (hpn_disabled)
230 nc = channel_new("x11 listener",
231 SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
232 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
233 0, "X11 inet listener", 1);
234+ else
235+ nc = channel_new("x11 listener",
236+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
237+ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
238+ 0, "X11 inet listener", 1);
239 nc->single_connection = single_connection;
240 (*chanids)[n] = nc->self;
241 }
242diff -NupwB openssh-5.2p1-canonical/channels.h openssh-5.2p1-hpn13v6/channels.h
243--- openssh-5.2p1-canonical/channels.h 2009-02-14 00:28:21.000000000 -0500
244+++ openssh-5.2p1-hpn13v6/channels.h 2009-05-14 12:36:10.000000000 -0400
245@@ -115,8 +115,10 @@ struct Channel {
246 u_int local_window_max;
247 u_int local_consumed;
248 u_int local_maxpacket;
249+ int dynamic_window;
250 int extended_usage;
251 int single_connection;
252+ u_int tcpwinsz;
253
254 char *ctype; /* type */
255
256@@ -146,9 +148,11 @@ struct Channel {
257
258 /* default window/packet sizes for tcp/x11-fwd-channel */
259 #define CHAN_SES_PACKET_DEFAULT (32*1024)
260-#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
261+#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
262+
263 #define CHAN_TCP_PACKET_DEFAULT (32*1024)
264-#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
265+#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
266+
267 #define CHAN_X11_PACKET_DEFAULT (16*1024)
268 #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
269
270@@ -221,7 +225,7 @@ void channel_input_status_confirm(int,
271
272 void channel_prepare_select(fd_set **, fd_set **, int *, u_int*, int);
273 void channel_after_select(fd_set *, fd_set *);
274-void channel_output_poll(void);
275+int channel_output_poll(void);
276
277 int channel_not_very_much_buffered_data(void);
278 void channel_close_all(void);
279@@ -277,4 +281,7 @@ void chan_rcvd_ieof(Channel *);
280 void chan_write_failed(Channel *);
281 void chan_obuf_empty(Channel *);
282
283+/* hpn handler */
284+void channel_set_hpn(int, int);
285+
286 #endif
287diff -NupwB openssh-5.2p1-canonical/cipher.c openssh-5.2p1-hpn13v6/cipher.c
288--- openssh-5.2p1-canonical/cipher.c 2009-01-28 00:38:41.000000000 -0500
289+++ openssh-5.2p1-hpn13v6/cipher.c 2009-05-14 12:36:10.000000000 -0400
290@@ -55,6 +55,7 @@ extern const EVP_CIPHER *evp_ssh1_bf(voi
291 extern const EVP_CIPHER *evp_ssh1_3des(void);
292 extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
293 extern const EVP_CIPHER *evp_aes_128_ctr(void);
294+extern const EVP_CIPHER *evp_aes_ctr_mt(void);
295 extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
296
297 struct Cipher {
298@@ -82,9 +83,9 @@ struct Cipher {
299 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
300 { "rijndael-cbc@lysator.liu.se",
301 SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
302- { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr },
303- { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr },
304- { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr },
305+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_ctr_mt },
306+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_ctr_mt },
307+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_ctr_mt },
308 #ifdef USE_CIPHER_ACSS
309 { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss },
310 #endif
311@@ -163,7 +164,8 @@ ciphers_valid(const char *names)
312 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
313 (p = strsep(&cp, CIPHER_SEP))) {
314 c = cipher_by_name(p);
315- if (c == NULL || c->number != SSH_CIPHER_SSH2) {
316+ if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
317+c->number != SSH_CIPHER_NONE)) {
318 debug("bad cipher %s [%s]", p, names);
0fab2cab 319 free(cipher_list);
0d5b2bd4
ER		 320 return 0;
321@@ -337,6 +339,7 @@ cipher_get_keyiv(CipherContext *cc, u_ch
322 int evplen;
323
324 switch (c->number) {
325+ case SSH_CIPHER_NONE:
326 case SSH_CIPHER_SSH2:
327 case SSH_CIPHER_DES:
328 case SSH_CIPHER_BLOWFISH:
329@@ -371,6 +374,7 @@ cipher_set_keyiv(CipherContext *cc, u_ch
330 int evplen = 0;
331
332 switch (c->number) {
333+ case SSH_CIPHER_NONE:
334 case SSH_CIPHER_SSH2:
335 case SSH_CIPHER_DES:
336 case SSH_CIPHER_BLOWFISH:
337diff -NupwB openssh-5.2p1-canonical/cipher-ctr-mt.c openssh-5.2p1-hpn13v6/cipher-ctr-mt.c
338--- openssh-5.2p1-canonical/cipher-ctr-mt.c 1969-12-31 19:00:00.000000000 -0500
339+++ openssh-5.2p1-hpn13v6/cipher-ctr-mt.c 2009-05-14 12:36:10.000000000 -0400
340@@ -0,0 +1,473 @@
341+/*
342+ * OpenSSH Multi-threaded AES-CTR Cipher
343+ *
344+ * Author: Benjamin Bennett <ben@psc.edu>
345+ * Copyright (c) 2008 Pittsburgh Supercomputing Center. All rights reserved.
346+ *
347+ * Based on original OpenSSH AES-CTR cipher. Small portions remain unchanged,
348+ * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
349+ *
350+ * Permission to use, copy, modify, and distribute this software for any
351+ * purpose with or without fee is hereby granted, provided that the above
352+ * copyright notice and this permission notice appear in all copies.
353+ *
354+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
355+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
356+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
357+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
358+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
359+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
360+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
361+ */
362+#include "includes.h"
363+
364+#include <sys/types.h>
365+
366+#include <stdarg.h>
367+#include <string.h>
368+
369+#include <openssl/evp.h>
370+
371+#include "xmalloc.h"
372+#include "log.h"
373+
374+/* compatibility with old or broken OpenSSL versions */
375+#include "openbsd-compat/openssl-compat.h"
376+
377+#ifndef USE_BUILTIN_RIJNDAEL
378+#include <openssl/aes.h>
379+#endif
380+
381+#include <pthread.h>
382+
383+/*-------------------- TUNABLES --------------------*/
384+/* Number of pregen threads to use */
385+#define CIPHER_THREADS 2
386+
387+/* Number of keystream queues */
388+#define NUMKQ (CIPHER_THREADS + 2)
389+
390+/* Length of a keystream queue */
391+#define KQLEN 4096
392+
393+/* Processor cacheline length */
394+#define CACHELINE_LEN 64
395+
396+/* Collect thread stats and print at cancellation when in debug mode */
397+/* #define CIPHER_THREAD_STATS */
398+
399+/* Use single-byte XOR instead of 8-byte XOR */
400+/* #define CIPHER_BYTE_XOR */
401+/*-------------------- END TUNABLES --------------------*/
402+
403+
404+const EVP_CIPHER *evp_aes_ctr_mt(void);
405+
406+#ifdef CIPHER_THREAD_STATS
407+/*
408+ * Struct to collect thread stats
409+ */
410+struct thread_stats {
411+ u_int fills;
412+ u_int skips;
413+ u_int waits;
414+ u_int drains;
415+};
416+
417+/*
418+ * Debug print the thread stats
419+ * Use with pthread_cleanup_push for displaying at thread cancellation
420+ */
421+static void
422+thread_loop_stats(void *x)
423+{
424+ struct thread_stats *s = x;
425+
426+ debug("tid %lu - %u fills, %u skips, %u waits", pthread_self(),
427+ s->fills, s->skips, s->waits);
428+}
429+
430+ #define STATS_STRUCT(s) struct thread_stats s
431+ #define STATS_INIT(s) { memset(&s, 0, sizeof(s)); }
432+ #define STATS_FILL(s) { s.fills++; }
433+ #define STATS_SKIP(s) { s.skips++; }
434+ #define STATS_WAIT(s) { s.waits++; }
435+ #define STATS_DRAIN(s) { s.drains++; }
436+#else
437+ #define STATS_STRUCT(s)
438+ #define STATS_INIT(s)
439+ #define STATS_FILL(s)
440+ #define STATS_SKIP(s)
441+ #define STATS_WAIT(s)
442+ #define STATS_DRAIN(s)
443+#endif
444+
445+/* Keystream Queue state */
446+enum {
447+ KQINIT,
448+ KQEMPTY,
449+ KQFILLING,
450+ KQFULL,
451+ KQDRAINING
452+};
453+
454+/* Keystream Queue struct */
455+struct kq {
456+ u_char keys[KQLEN][AES_BLOCK_SIZE];
457+ u_char ctr[AES_BLOCK_SIZE];
458+ u_char pad0[CACHELINE_LEN];
459+ volatile int qstate;
460+ pthread_mutex_t lock;
461+ pthread_cond_t cond;
462+ u_char pad1[CACHELINE_LEN];
463+};
464+
465+/* Context struct */
466+struct ssh_aes_ctr_ctx
467+{
468+ struct kq q[NUMKQ];
469+ AES_KEY aes_ctx;
470+ STATS_STRUCT(stats);
471+ u_char aes_counter[AES_BLOCK_SIZE];
472+ pthread_t tid[CIPHER_THREADS];
473+ int state;
474+ int qidx;
475+ int ridx;
476+};
477+
478+/* <friedl>
479+ * increment counter 'ctr',
480+ * the counter is of size 'len' bytes and stored in network-byte-order.
481+ * (LSB at ctr[len-1], MSB at ctr[0])
482+ */
483+static void
484+ssh_ctr_inc(u_char *ctr, u_int len)
485+{
486+ int i;
487+
488+ for (i = len - 1; i >= 0; i--)
489+ if (++ctr[i]) /* continue on overflow */
490+ return;
491+}
492+
493+/*
494+ * Add num to counter 'ctr'
495+ */
496+static void
497+ssh_ctr_add(u_char *ctr, uint32_t num, u_int len)
498+{
499+ int i;
500+ uint16_t n;
501+
502+ for (n = 0, i = len - 1; i >= 0 && (num || n); i--) {
503+ n = ctr[i] + (num & 0xff) + n;
504+ num >>= 8;
505+ ctr[i] = n & 0xff;
506+ n >>= 8;
507+ }
508+}
509+
510+/*
511+ * Threads may be cancelled in a pthread_cond_wait, we must free the mutex
512+ */
513+static void
514+thread_loop_cleanup(void *x)
515+{
516+ pthread_mutex_unlock((pthread_mutex_t *)x);
517+}
518+
519+/*
520+ * The life of a pregen thread:
521+ * Find empty keystream queues and fill them using their counter.
522+ * When done, update counter for the next fill.
523+ */
524+static void *
525+thread_loop(void *x)
526+{
527+ AES_KEY key;
528+ STATS_STRUCT(stats);
529+ struct ssh_aes_ctr_ctx *c = x;
530+ struct kq *q;
531+ int i;
532+ int qidx;
533+
534+ /* Threads stats on cancellation */
535+ STATS_INIT(stats);
536+#ifdef CIPHER_THREAD_STATS
537+ pthread_cleanup_push(thread_loop_stats, &stats);
538+#endif
539+
540+ /* Thread local copy of AES key */
541+ memcpy(&key, &c->aes_ctx, sizeof(key));
542+
543+ /*
544+ * Handle the special case of startup, one thread must fill
545+ * the first KQ then mark it as draining. Lock held throughout.
546+ */
547+ if (pthread_equal(pthread_self(), c->tid[0])) {
548+ q = &c->q[0];
549+ pthread_mutex_lock(&q->lock);
550+ if (q->qstate == KQINIT) {
551+ for (i = 0; i < KQLEN; i++) {
552+ AES_encrypt(q->ctr, q->keys[i], &key);
553+ ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
554+ }
555+ ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
556+ q->qstate = KQDRAINING;
557+ STATS_FILL(stats);
558+ pthread_cond_broadcast(&q->cond);
559+ }
560+ pthread_mutex_unlock(&q->lock);
561+ }
562+ else
563+ STATS_SKIP(stats);
564+
565+ /*
566+ * Normal case is to find empty queues and fill them, skipping over
567+ * queues already filled by other threads and stopping to wait for
568+ * a draining queue to become empty.
569+ *
570+ * Multiple threads may be waiting on a draining queue and awoken
571+ * when empty. The first thread to wake will mark it as filling,
572+ * others will move on to fill, skip, or wait on the next queue.
573+ */
574+ for (qidx = 1;; qidx = (qidx + 1) % NUMKQ) {
575+ /* Check if I was cancelled, also checked in cond_wait */
576+ pthread_testcancel();
577+
578+ /* Lock queue and block if its draining */
579+ q = &c->q[qidx];
580+ pthread_mutex_lock(&q->lock);
581+ pthread_cleanup_push(thread_loop_cleanup, &q->lock);
582+ while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
583+ STATS_WAIT(stats);
584+ pthread_cond_wait(&q->cond, &q->lock);
585+ }
586+ pthread_cleanup_pop(0);
587+
588+ /* If filling or full, somebody else got it, skip */
589+ if (q->qstate != KQEMPTY) {
590+ pthread_mutex_unlock(&q->lock);
591+ STATS_SKIP(stats);
592+ continue;
593+ }
594+
595+ /*
596+ * Empty, let's fill it.
597+ * Queue lock is relinquished while we do this so others
598+ * can see that it's being filled.
599+ */
600+ q->qstate = KQFILLING;
601+ pthread_mutex_unlock(&q->lock);
602+ for (i = 0; i < KQLEN; i++) {
603+ AES_encrypt(q->ctr, q->keys[i], &key);
604+ ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
605+ }
606+
607+ /* Re-lock, mark full and signal consumer */
608+ pthread_mutex_lock(&q->lock);
609+ ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
610+ q->qstate = KQFULL;
611+ STATS_FILL(stats);
612+ pthread_cond_signal(&q->cond);
613+ pthread_mutex_unlock(&q->lock);
614+ }
615+
616+#ifdef CIPHER_THREAD_STATS
617+ /* Stats */
618+ pthread_cleanup_pop(1);
619+#endif
620+
621+ return NULL;
622+}
623+
624+static int
625+ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
626+ u_int len)
627+{
628+ struct ssh_aes_ctr_ctx *c;
629+ struct kq *q, *oldq;
630+ int ridx;
631+ u_char *buf;
632+
633+ if (len == 0)
634+ return (1);
635+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
636+ return (0);
637+
638+ q = &c->q[c->qidx];
639+ ridx = c->ridx;
640+
641+ /* src already padded to block multiple */
642+ while (len > 0) {
643+ buf = q->keys[ridx];
644+
645+#ifdef CIPHER_BYTE_XOR
646+ dest[0] = src[0] ^ buf[0];
647+ dest[1] = src[1] ^ buf[1];
648+ dest[2] = src[2] ^ buf[2];
649+ dest[3] = src[3] ^ buf[3];
650+ dest[4] = src[4] ^ buf[4];
651+ dest[5] = src[5] ^ buf[5];
652+ dest[6] = src[6] ^ buf[6];
653+ dest[7] = src[7] ^ buf[7];
654+ dest[8] = src[8] ^ buf[8];
655+ dest[9] = src[9] ^ buf[9];
656+ dest[10] = src[10] ^ buf[10];
657+ dest[11] = src[11] ^ buf[11];
658+ dest[12] = src[12] ^ buf[12];
659+ dest[13] = src[13] ^ buf[13];
660+ dest[14] = src[14] ^ buf[14];
661+ dest[15] = src[15] ^ buf[15];
662+#else
663+ *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;
664+ *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^
665+ *(uint64_t *)(buf + 8);
666+#endif
667+
668+ dest += 16;
669+ src += 16;
670+ len -= 16;
671+ ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
672+
673+ /* Increment read index, switch queues on rollover */
674+ if ((ridx = (ridx + 1) % KQLEN) == 0) {
675+ oldq = q;
676+
677+ /* Mark next queue draining, may need to wait */
678+ c->qidx = (c->qidx + 1) % NUMKQ;
679+ q = &c->q[c->qidx];
680+ pthread_mutex_lock(&q->lock);
681+ while (q->qstate != KQFULL) {
682+ STATS_WAIT(c->stats);
683+ pthread_cond_wait(&q->cond, &q->lock);
684+ }
685+ q->qstate = KQDRAINING;
686+ pthread_mutex_unlock(&q->lock);
687+
688+ /* Mark consumed queue empty and signal producers */
689+ pthread_mutex_lock(&oldq->lock);
690+ oldq->qstate = KQEMPTY;
691+ STATS_DRAIN(c->stats);
692+ pthread_cond_broadcast(&oldq->cond);
693+ pthread_mutex_unlock(&oldq->lock);
694+ }
695+ }
696+ c->ridx = ridx;
697+ return (1);
698+}
699+
700+#define HAVE_NONE 0
701+#define HAVE_KEY 1
702+#define HAVE_IV 2
703+static int
704+ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
705+ int enc)
706+{
707+ struct ssh_aes_ctr_ctx *c;
708+ int i;
709+
710+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
711+ c = xmalloc(sizeof(*c));
712+
713+ c->state = HAVE_NONE;
714+ for (i = 0; i < NUMKQ; i++) {
715+ pthread_mutex_init(&c->q[i].lock, NULL);
716+ pthread_cond_init(&c->q[i].cond, NULL);
717+ }
718+
719+ STATS_INIT(c->stats);
720+
721+ EVP_CIPHER_CTX_set_app_data(ctx, c);
722+ }
723+
724+ if (c->state == (HAVE_KEY | HAVE_IV)) {
725+ /* Cancel pregen threads */
726+ for (i = 0; i < CIPHER_THREADS; i++)
727+ pthread_cancel(c->tid[i]);
728+ for (i = 0; i < CIPHER_THREADS; i++)
729+ pthread_join(c->tid[i], NULL);
730+ /* Start over getting key & iv */
731+ c->state = HAVE_NONE;
732+ }
733+
734+ if (key != NULL) {
735+ AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
736+ &c->aes_ctx);
737+ c->state |= HAVE_KEY;
738+ }
739+
740+ if (iv != NULL) {
741+ memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
742+ c->state |= HAVE_IV;
743+ }
744+
745+ if (c->state == (HAVE_KEY | HAVE_IV)) {
746+ /* Clear queues */
747+ memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE);
748+ c->q[0].qstate = KQINIT;
749+ for (i = 1; i < NUMKQ; i++) {
750+ memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE);
751+ ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE);
752+ c->q[i].qstate = KQEMPTY;
753+ }
754+ c->qidx = 0;
755+ c->ridx = 0;
756+
757+ /* Start threads */
758+ for (i = 0; i < CIPHER_THREADS; i++) {
759+ pthread_create(&c->tid[i], NULL, thread_loop, c);
760+ }
761+ pthread_mutex_lock(&c->q[0].lock);
762+ while (c->q[0].qstate != KQDRAINING)
763+ pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
764+ pthread_mutex_unlock(&c->q[0].lock);
765+
766+ }
767+ return (1);
768+}
769+
770+static int
771+ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
772+{
773+ struct ssh_aes_ctr_ctx *c;
774+ int i;
775+
776+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
777+#ifdef CIPHER_THREAD_STATS
778+ debug("main thread: %u drains, %u waits", c->stats.drains,
779+ c->stats.waits);
780+#endif
781+ /* Cancel pregen threads */
782+ for (i = 0; i < CIPHER_THREADS; i++)
783+ pthread_cancel(c->tid[i]);
784+ for (i = 0; i < CIPHER_THREADS; i++)
785+ pthread_join(c->tid[i], NULL);
786+
787+ memset(c, 0, sizeof(*c));
0fab2cab 788+ free(c);
0d5b2bd4
ER		 789+ EVP_CIPHER_CTX_set_app_data(ctx, NULL);
790+ }
791+ return (1);
792+}
793+
794+/* <friedl> */
795+const EVP_CIPHER *
796+evp_aes_ctr_mt(void)
797+{
798+ static EVP_CIPHER aes_ctr;
799+
800+ memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
801+ aes_ctr.nid = NID_undef;
802+ aes_ctr.block_size = AES_BLOCK_SIZE;
803+ aes_ctr.iv_len = AES_BLOCK_SIZE;
804+ aes_ctr.key_len = 16;
805+ aes_ctr.init = ssh_aes_ctr_init;
806+ aes_ctr.cleanup = ssh_aes_ctr_cleanup;
807+ aes_ctr.do_cipher = ssh_aes_ctr;
808+#ifndef SSH_OLD_EVP
809+ aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
810+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
811+#endif
812+ return (&aes_ctr);
813+}
814diff -NupwB openssh-5.2p1-canonical/clientloop.c openssh-5.2p1-hpn13v6/clientloop.c
815--- openssh-5.2p1-canonical/clientloop.c 2009-02-14 00:28:21.000000000 -0500
816+++ openssh-5.2p1-hpn13v6/clientloop.c 2009-05-14 12:36:10.000000000 -0400
817@@ -1688,9 +1688,15 @@ client_request_x11(const char *request_t
818 sock = x11_connect_display();
819 if (sock < 0)
820 return NULL;
821+ /* again is this really necessary for X11? */
822+ if (options.hpn_disabled)
823 c = channel_new("x11",
824 SSH_CHANNEL_X11_OPEN, sock, sock, -1,
825 CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
826+ else
827+ c = channel_new("x11",
828+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
829+ options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
830 c->force_drain = 1;
831 return c;
832 }
833@@ -1710,9 +1716,15 @@ client_request_agent(const char *request
834 sock = ssh_get_authentication_socket();
835 if (sock < 0)
836 return NULL;
837+ if (options.hpn_disabled)
838 c = channel_new("authentication agent connection",
839 SSH_CHANNEL_OPEN, sock, sock, -1,
840- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
841+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
842+ "authentication agent connection", 1);
843+ else
844+ c = channel_new("authentication agent connection",
845+ SSH_CHANNEL_OPEN, sock, sock, -1,
846+ options.hpn_buffer_size, options.hpn_buffer_size, 0,
847 "authentication agent connection", 1);
848 c->force_drain = 1;
849 return c;
850@@ -1740,10 +1752,18 @@ client_request_tun_fwd(int tun_mode, int
851 return -1;
852 }
853
854+ if(options.hpn_disabled)
855+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
856+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
857+ 0, "tun", 1);
858+ else
859 c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
860- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
861+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
862+ 0, "tun", 1);
863 c->datagram = 1;
864
865+
866+
867 #if defined(SSH_TUN_FILTER)
868 if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
869 channel_register_filter(c->self, sys_tun_infilter,
870diff -NupwB openssh-5.2p1-canonical/compat.c openssh-5.2p1-hpn13v6/compat.c
871--- openssh-5.2p1-canonical/compat.c 2008-11-03 03:20:14.000000000 -0500
872+++ openssh-5.2p1-hpn13v6/compat.c 2009-05-14 12:36:10.000000000 -0400
873@@ -170,6 +170,15 @@ compat_datafellows(const char *version)
874 strlen(check[i].pat), 0) == 1) {
875 debug("match: %s pat %s", version, check[i].pat);
876 datafellows = check[i].bugs;
877+ /* Check to see if the remote side is OpenSSH and not HPN */
878+ if(strstr(version,"OpenSSH") != NULL)
879+ {
880+ if (strstr(version,"hpn") == NULL)
881+ {
882+ datafellows |= SSH_BUG_LARGEWINDOW;
883+ debug("Remote is NON-HPN aware");
884+ }
885+ }
886 return;
887 }
888 }
889diff -NupwB openssh-5.2p1-canonical/compat.h openssh-5.2p1-hpn13v6/compat.h
890--- openssh-5.2p1-canonical/compat.h 2008-11-03 03:20:14.000000000 -0500
891+++ openssh-5.2p1-hpn13v6/compat.h 2009-05-14 12:36:10.000000000 -0400
892@@ -58,6 +58,7 @@
893 #define SSH_OLD_FORWARD_ADDR 0x01000000
894 #define SSH_BUG_RFWD_ADDR 0x02000000
895 #define SSH_NEW_OPENSSH 0x04000000
896+#define SSH_BUG_LARGEWINDOW 0x08000000
897
898 void enable_compat13(void);
899 void enable_compat20(void);
900Common subdirectories: openssh-5.2p1-canonical/contrib and openssh-5.2p1-hpn13v6/contrib
901diff -NupwB openssh-5.2p1-canonical/HPN-README openssh-5.2p1-hpn13v6/HPN-README
902--- openssh-5.2p1-canonical/HPN-README 1969-12-31 19:00:00.000000000 -0500
903+++ openssh-5.2p1-hpn13v6/HPN-README 2009-05-14 12:36:10.000000000 -0400
904@@ -0,0 +1,128 @@
905+Notes:
906+
907+MULTI-THREADED CIPHER:
908+The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
909+on hosts with multiple cores to use more than one processing core during encryption.
910+Tests have show significant throughput performance increases when using MTR-AES-CTR up
911+to and including a full gigabit per second on quad core systems. It should be possible to
912+achieve full line rate on dual core systems but OS and data management overhead makes this
913+more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
914+thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
915+performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
916+The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
917+nomenclature.
918+Use examples: ssh -caes128-ctr you@host.com
919+ scp -oCipher=aes256-ctr file you@host.com:~/file
920+
921+NONE CIPHER:
922+To use the NONE option you must have the NoneEnabled switch set on the server and
923+you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
924+feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
925+spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
926+be disabled.
927+
928+The performance increase will only be as good as the network and TCP stack tuning
929+on the reciever side of the connection allows. As a rule of thumb a user will need
930+at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
931+HPN-SSH home page describes this in greater detail.
932+
933+http://www.psc.edu/networking/projects/hpn-ssh
934+
935+BUFFER SIZES:
936+
937+If HPN is disabled the receive buffer size will be set to the
938+OpenSSH default of 64K.
939+
940+If an HPN system connects to a nonHPN system the receive buffer will
941+be set to the HPNBufferSize value. The default is 2MB but user adjustable.
942+
943+If an HPN to HPN connection is established a number of different things might
944+happen based on the user options and conditions.
945+
946+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
947+HPN Buffer Size = up to 64MB
948+This is the default state. The HPN buffer size will grow to a maximum of 64MB
949+as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
950+geared towards 10GigE transcontinental connections.
951+
952+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
953+HPN Buffer Size = TCP receive buffer value.
954+Users on non-autotuning systesm should disable TCPRcvBufPoll in the
955+ssh_cofig and sshd_config
956+
957+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
958+HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
959+This would be the system defined TCP receive buffer (RWIN).
960+
961+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
962+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
963+Generally there is no need to set both.
964+
965+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
966+HPN Buffer Size = grows to HPNBufferSize
967+The buffer will grow up to the maximum size specified here.
968+
969+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
970+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
971+Generally there is no need to set both of these, especially on autotuning
972+systems. However, if the users wishes to override the autotuning this would be
973+one way to do it.
974+
975+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
976+HPN Buffer Size = TCPRcvBuf.
977+This will override autotuning and set the TCP recieve buffer to the user defined
978+value.
979+
980+
981+HPN Specific Configuration options
982+
983+TcpRcvBuf=[int]KB client
984+ set the TCP socket receive buffer to n Kilobytes. It can be set up to the
985+maximum socket size allowed by the system. This is useful in situations where
986+the tcp receive window is set low but the maximum buffer size is set
987+higher (as is typical). This works on a per TCP connection basis. You can also
988+use this to artifically limit the transfer rate of the connection. In these
989+cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
990+Default is the current system wide tcp receive buffer size.
991+
992+TcpRcvBufPoll=[yes/no] client/server
993+ enable of disable the polling of the tcp receive buffer through the life
994+of the connection. You would want to make sure that this option is enabled
995+for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
996+default is yes.
997+
998+NoneEnabled=[yes/no] client/server
999+ enable or disable the use of the None cipher. Care must always be used
1000+when enabling this as it will allow users to send data in the clear. However,
1001+it is important to note that authentication information remains encrypted
1002+even if this option is enabled. Set to no by default.
1003+
1004+NoneSwitch=[yes/no] client
1005+ Switch the encryption cipher being used to the None cipher after
1006+authentication takes place. NoneEnabled must be enabled on both the client
1007+and server side of the connection. When the connection switches to the NONE
1008+cipher a warning is sent to STDERR. The connection attempt will fail with an
1009+error if a client requests a NoneSwitch from the server that does not explicitly
1010+have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
1011+interactive (shell) sessions and it will fail silently. Set to no by default.
1012+
1013+HPNDisabled=[yes/no] client/server
1014+ In some situations, such as transfers on a local area network, the impact
1015+of the HPN code produces a net decrease in performance. In these cases it is
1016+helpful to disable the HPN functionality. By default HPNDisabled is set to no.
1017+
1018+HPNBufferSize=[int]KB client/server
1019+ This is the default buffer size the HPN functionality uses when interacting
1020+with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
1021+option as applied to the internal SSH flow control. This value can range from
1022+1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
1023+problems depending on the length of the network path. The default size of this buffer
1024+is 2MB.
1025+
1026+
1027+Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
1028+ The majority of the actual coding for versions up to HPN12v1 was performed
1029+ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
1030+ implemented by Ben Bennet (ben@psc.edu). This work was financed, in part,
1031+ by Cisco System, Inc., the National Library of Medicine,
1032+ and the National Science Foundation.
1033diff -NupwB openssh-5.2p1-canonical/kex.c openssh-5.2p1-hpn13v6/kex.c
1034--- openssh-5.2p1-canonical/kex.c 2008-11-03 03:19:12.000000000 -0500
1035+++ openssh-5.2p1-hpn13v6/kex.c 2009-05-14 12:36:10.000000000 -0400
1036@@ -48,6 +48,7 @@
1037 #include "match.h"
1038 #include "dispatch.h"
1039 #include "monitor.h"
1040+#include "canohost.h"
1041
1042 #define KEX_COOKIE_LEN 16
1043
1044@@ -64,7 +65,8 @@ static void kex_kexinit_finish(Kex *);
1045 static void kex_choose_conf(Kex *);
1046
1047 /* put algorithm proposal into buffer */
1048-static void
1049+/* used in sshconnect.c as well as kex.c */
1050+void
1051 kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
1052 {
1053 u_int i;
1054@@ -376,6 +378,13 @@ kex_choose_conf(Kex *kex)
1055 int nenc, nmac, ncomp;
1056 u_int mode, ctos, need;
1057 int first_kex_follows, type;
1058+ int log_flag = 0;
1059+
1060+ int auth_flag;
1061+
1062+ auth_flag = packet_authentication_state();
1063+
1064+ debug ("AUTH STATE IS %d", auth_flag);
1065
1066 my = kex_buf2prop(&kex->my, NULL);
1067 peer = kex_buf2prop(&kex->peer, &first_kex_follows);
1068@@ -400,11 +409,34 @@ kex_choose_conf(Kex *kex)
1069 choose_enc (&newkeys->enc, cprop[nenc], sprop[nenc]);
1070 choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]);
1071 choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
1072+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
1073+ if (strcmp(newkeys->enc.name, "none") == 0) {
1074+ debug("Requesting NONE. Authflag is %d", auth_flag);
1075+ if (auth_flag == 1) {
1076+ debug("None requested post authentication.");
1077+ } else {
1078+ fatal("Pre-authentication none cipher requests are not allowed.");
1079+ }
1080+ }
1081 debug("kex: %s %s %s %s",
1082 ctos ? "client->server" : "server->client",
1083 newkeys->enc.name,
1084 newkeys->mac.name,
1085 newkeys->comp.name);
1086+ /* client starts withctos = 0 && log flag = 0 and no log*/
1087+ /* 2nd client pass ctos=1 and flag = 1 so no log*/
1088+ /* server starts with ctos =1 && log_flag = 0 so log */
1089+ /* 2nd sever pass ctos = 1 && log flag = 1 so no log*/
1090+ /* -cjr*/
1091+ if (ctos && !log_flag) {
1092+ logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
1093+ get_remote_ipaddr(),
1094+ get_remote_port(),
1095+ newkeys->enc.name,
1096+ newkeys->mac.name,
1097+ newkeys->comp.name);
1098+ }
1099+ log_flag = 1;
1100 }
1101 choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
1102 choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
1103diff -NupwB openssh-5.2p1-canonical/kex.h openssh-5.2p1-hpn13v6/kex.h
1104--- openssh-5.2p1-canonical/kex.h 2007-06-11 00:01:42.000000000 -0400
1105+++ openssh-5.2p1-hpn13v6/kex.h 2009-05-14 12:36:10.000000000 -0400
1106@@ -127,6 +127,8 @@ struct Kex {
1107 void (*kex[KEX_MAX])(Kex *);
1108 };
1109
1110+void kex_prop2buf(Buffer *, char *proposal[PROPOSAL_MAX]);
1111+
1112 Kex *kex_setup(char *[PROPOSAL_MAX]);
1113 void kex_finish(Kex *);
1114
1115diff -NupwB openssh-5.2p1-canonical/Makefile.in openssh-5.2p1-hpn13v6/Makefile.in
1116--- openssh-5.2p1-canonical/Makefile.in 2008-11-05 00:20:46.000000000 -0500
1117+++ openssh-5.2p1-hpn13v6/Makefile.in 2009-05-14 12:36:10.000000000 -0400
1118@@ -43,7 +43,7 @@ CC=@CC@
1119 LD=@LD@
1120 CFLAGS=@CFLAGS@
1121 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
1122-LIBS=@LIBS@
1123+LIBS=@LIBS@ -lpthread
1124 SSHDLIBS=@SSHDLIBS@
1125 LIBEDIT=@LIBEDIT@
1126 AR=@AR@
1127@@ -64,7 +64,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
1128
1129 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
1130 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
1131- cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
1132+ cipher-bf1.o cipher-ctr.o cipher-ctr-mt.o cipher-3des1.o cleanup.o \
1133 compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
1134 log.o match.o md-sha256.o moduli.o nchan.o packet.o \
1135 readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
1136diff -NupwB openssh-5.2p1-canonical/myproposal.h openssh-5.2p1-hpn13v6/myproposal.h
1137--- openssh-5.2p1-canonical/myproposal.h 2009-01-28 00:33:31.000000000 -0500
1138+++ openssh-5.2p1-hpn13v6/myproposal.h 2009-05-14 12:36:10.000000000 -0400
1139@@ -47,6 +47,8 @@
1140 "arcfour256,arcfour128," \
1141 "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
1142 "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
1143+#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \
1144+ ",none"
1145 #define KEX_DEFAULT_MAC \
1146 "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \
1147 "hmac-ripemd160@openssh.com," \
1148Common subdirectories: openssh-5.2p1-canonical/openbsd-compat and openssh-5.2p1-hpn13v6/openbsd-compat
1149diff -NupwB openssh-5.2p1-canonical/packet.c openssh-5.2p1-hpn13v6/packet.c
1150--- openssh-5.2p1-canonical/packet.c 2009-02-14 00:35:01.000000000 -0500
1151+++ openssh-5.2p1-hpn13v6/packet.c 2009-05-14 12:36:10.000000000 -0400
1152@@ -775,7 +775,7 @@ packet_enable_delayed_compress(void)
1153 /*
1154 * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
1155 */
1156-static void
1157+static int
1158 packet_send2_wrapped(void)
1159 {
1160 u_char type, *cp, *macbuf = NULL;
1161@@ -888,11 +888,13 @@ packet_send2_wrapped(void)
1162 set_newkeys(MODE_OUT);
1163 else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side)
1164 packet_enable_delayed_compress();
1165+ return(packet_length);
1166 }
1167
1168-static void
1169+static int
1170 packet_send2(void)
1171 {
1172+ static int packet_length = 0;
1173 static int rekeying = 0;
1174 struct packet *p;
1175 u_char type, *cp;
1176@@ -910,7 +912,7 @@ packet_send2(void)
1177 memcpy(&p->payload, &outgoing_packet, sizeof(Buffer));
1178 buffer_init(&outgoing_packet);
1179 TAILQ_INSERT_TAIL(&outgoing, p, next);
1180- return;
1181+ return(sizeof(Buffer));
1182 }
1183 }
1184
1185@@ -918,7 +920,7 @@ packet_send2(void)
1186 if (type == SSH2_MSG_KEXINIT)
1187 rekeying = 1;
1188
1189- packet_send2_wrapped();
1190+ packet_length = packet_send2_wrapped();
1191
1192 /* after a NEWKEYS message we can send the complete queue */
1193 if (type == SSH2_MSG_NEWKEYS) {
1194@@ -931,19 +933,22 @@ packet_send2(void)
1195 sizeof(Buffer));
1196 TAILQ_REMOVE(&outgoing, p, next);
0fab2cab 1197 free(p);
0d5b2bd4
ER		 1198- packet_send2_wrapped();
1199+ packet_length += packet_send2_wrapped();
1200 }
1201 }
1202+ return(packet_length);
1203 }
1204
1205-void
1206+int
1207 packet_send(void)
1208 {
1209+ int packet_len = 0;
1210 if (compat20)
1211- packet_send2();
1212+ packet_len = packet_send2();
1213 else
1214 packet_send1();
1215 DBG(debug("packet_send done"));
1216+ return(packet_len);
1217 }
1218
1219 /*
1220@@ -1544,23 +1549,25 @@ packet_disconnect(const char *fmt,...)
1221
1222 /* Checks if there is any buffered output, and tries to write some of the output. */
1223
1224-void
1225+int
1226 packet_write_poll(void)
1227 {
1228- int len = buffer_len(&output);
1229+ int len = 0;
1230+ len = buffer_len(&output);
1231
1232 if (len > 0) {
1233 len = write(connection_out, buffer_ptr(&output), len);
1234 if (len == -1) {
1235 if (errno == EINTR || errno == EAGAIN ||
1236 errno == EWOULDBLOCK)
1237- return;
1238+ return (0);
1239 fatal("Write failed: %.100s", strerror(errno));
1240 }
1241 if (len == 0)
1242 fatal("Write connection closed");
1243 buffer_consume(&output, len);
1244 }
1245+ return(len);
1246 }
1247
1248
1249@@ -1569,16 +1576,17 @@ packet_write_poll(void)
1250 * written.
1251 */
1252
1253-void
1254+int
1255 packet_write_wait(void)
1256 {
1257 fd_set *setp;
1258 int ret, ms_remain;
1259 struct timeval start, timeout, *timeoutp = NULL;
1260+ u_int bytes_sent = 0;
1261
1262 setp = (fd_set *)xcalloc(howmany(connection_out + 1, NFDBITS),
1263 sizeof(fd_mask));
1264- packet_write_poll();
1265+ bytes_sent += packet_write_poll();
1266 while (packet_have_data_to_write()) {
1267 memset(setp, 0, howmany(connection_out + 1, NFDBITS) *
1268 sizeof(fd_mask));
1269@@ -1612,7 +1620,7 @@ packet_write_wait(void)
1270 "waiting to write", get_remote_ipaddr());
1271 cleanup_exit(255);
1272 }
1273- packet_write_poll();
1274+ bytes_sent += packet_write_poll();
1275 }
0fab2cab 1276 free(setp);
0d5b2bd4
ER		 1277 }
1278@@ -1736,12 +1744,24 @@ packet_send_ignore(int nbytes)
1279 }
1280 }
1281
1282+int rekey_requested = 0;
1283+void
1284+packet_request_rekeying(void)
1285+{
1286+ rekey_requested = 1;
1287+}
1288+
1289 #define MAX_PACKETS (1U<<31)
1290 int
1291 packet_need_rekeying(void)
1292 {
1293 if (datafellows & SSH_BUG_NOREKEY)
1294 return 0;
1295+ if (rekey_requested == 1)
1296+ {
1297+ rekey_requested = 0;
1298+ return 1;
1299+ }
1300 return
1301 (p_send.packets > MAX_PACKETS) ||
1302 (p_read.packets > MAX_PACKETS) ||
1303@@ -1766,3 +1786,9 @@ packet_set_authenticated(void)
1304 {
1305 after_authentication = 1;
1306 }
1307+
1308+int
1309+packet_authentication_state(void)
1310+{
1311+ return(after_authentication);
1312+}
1313diff -NupwB openssh-5.2p1-canonical/packet.h openssh-5.2p1-hpn13v6/packet.h
1314--- openssh-5.2p1-canonical/packet.h 2008-07-11 03:36:48.000000000 -0400
1315+++ openssh-5.2p1-hpn13v6/packet.h 2009-05-14 12:36:10.000000000 -0400
1316@@ -20,6 +20,9 @@
1317
1318 #include <openssl/bn.h>
1319
1320+void
1321+packet_request_rekeying(void);
1322+
1323 void packet_set_connection(int, int);
1324 void packet_set_timeout(int, int);
1325 void packet_set_nonblocking(void);
1326@@ -35,6 +38,7 @@ void packet_set_interactive(int);
1327 int packet_is_interactive(void);
1328 void packet_set_server(void);
1329 void packet_set_authenticated(void);
1330+int packet_authentication_state(void);
1331
1332 void packet_start(u_char);
1333 void packet_put_char(int ch);
1334@@ -44,7 +48,7 @@ void packet_put_bignum2(BIGNUM * val
1335 void packet_put_string(const void *buf, u_int len);
1336 void packet_put_cstring(const char *str);
1337 void packet_put_raw(const void *buf, u_int len);
1338-void packet_send(void);
1339+int packet_send(void);
1340
1341 int packet_read(void);
1342 void packet_read_expect(int type);
1343@@ -73,8 +77,8 @@ void packet_set_state(int, u_int32_t, u
1344 int packet_get_ssh1_cipher(void);
1345 void packet_set_iv(int, u_char *);
1346
1347-void packet_write_poll(void);
1348-void packet_write_wait(void);
1349+int packet_write_poll(void);
1350+int packet_write_wait(void);
1351 int packet_have_data_to_write(void);
1352 int packet_not_very_much_data_to_write(void);
1353
1354diff -NupwB openssh-5.2p1-canonical/progressmeter.c openssh-5.2p1-hpn13v6/progressmeter.c
1355--- openssh-5.2p1-canonical/progressmeter.c 2006-08-04 22:39:40.000000000 -0400
1356+++ openssh-5.2p1-hpn13v6/progressmeter.c 2009-05-14 12:36:10.000000000 -0400
1357@@ -68,6 +68,8 @@ static time_t last_update; /* last progr
1358 static char *file; /* name of the file being transferred */
1359 static off_t end_pos; /* ending position of transfer */
1360 static off_t cur_pos; /* transfer position as of last refresh */
1361+static off_t last_pos;
1362+static off_t max_delta_pos = 0;
1363 static volatile off_t *counter; /* progress counter */
1364 static long stalled; /* how long we have been stalled */
1365 static int bytes_per_second; /* current speed in bytes per second */
1366@@ -128,12 +130,17 @@ refresh_progress_meter(void)
1367 int hours, minutes, seconds;
1368 int i, len;
1369 int file_len;
1370+ off_t delta_pos;
1371
1372 transferred = *counter - cur_pos;
1373 cur_pos = *counter;
1374 now = time(NULL);
1375 bytes_left = end_pos - cur_pos;
1376
1377+ delta_pos = cur_pos - last_pos;
1378+ if (delta_pos > max_delta_pos)
1379+ max_delta_pos = delta_pos;
1380+
1381 if (bytes_left > 0)
1382 elapsed = now - last_update;
1383 else {
1384@@ -158,7 +165,7 @@ refresh_progress_meter(void)
1385
1386 /* filename */
1387 buf[0] = '\0';
1388- file_len = win_size - 35;
1389+ file_len = win_size - 45;
1390 if (file_len > 0) {
1391 len = snprintf(buf, file_len + 1, "\r%s", file);
1392 if (len < 0)
1393@@ -175,7 +182,8 @@ refresh_progress_meter(void)
1394 percent = ((float)cur_pos / end_pos) * 100;
1395 else
1396 percent = 100;
1397- snprintf(buf + strlen(buf), win_size - strlen(buf),
1398+
1399+ snprintf(buf + strlen(buf), win_size - strlen(buf-8),
1400 " %3d%% ", percent);
1401
1402 /* amount transferred */
1403@@ -188,6 +196,15 @@ refresh_progress_meter(void)
1404 (off_t)bytes_per_second);
1405 strlcat(buf, "/s ", win_size);
1406
1407+ /* instantaneous rate */
1408+ if (bytes_left > 0)
1409+ format_rate(buf + strlen(buf), win_size - strlen(buf),
1410+ delta_pos);
1411+ else
1412+ format_rate(buf + strlen(buf), win_size - strlen(buf),
1413+ max_delta_pos);
1414+ strlcat(buf, "/s ", win_size);
1415+
1416 /* ETA */
1417 if (!transferred)
1418 stalled += elapsed;
1419@@ -224,6 +241,7 @@ refresh_progress_meter(void)
1420
1421 atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
1422 last_update = now;
1423+ last_pos = cur_pos;
1424 }
1425
1426 /*ARGSUSED*/
1427diff -NupwB openssh-5.2p1-canonical/readconf.c openssh-5.2p1-hpn13v6/readconf.c
1428--- openssh-5.2p1-canonical/readconf.c 2009-02-14 00:28:21.000000000 -0500
1429+++ openssh-5.2p1-hpn13v6/readconf.c 2009-05-14 12:36:10.000000000 -0400
1430@@ -131,6 +131,8 @@ typedef enum {
1431 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
1432 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
1433 oVisualHostKey, oZeroKnowledgePasswordAuthentication,
1434+ oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
1435+ oHPNBufferSize,
1436 oDeprecated, oUnsupported
1437 } OpCodes;
1438
1439@@ -234,6 +236,12 @@ static struct {
1440 #else
1441 { "zeroknowledgepasswordauthentication", oUnsupported },
1442 #endif
1443+ { "noneenabled", oNoneEnabled },
1444+ { "tcprcvbufpoll", oTcpRcvBufPoll },
1445+ { "tcprcvbuf", oTcpRcvBuf },
1446+ { "noneswitch", oNoneSwitch },
1447+ { "hpndisabled", oHPNDisabled },
1448+ { "hpnbuffersize", oHPNBufferSize },
1449
1450 { NULL, oBadOption }
1451 };
1452@@ -465,6 +473,37 @@ parse_flag:
1453 intptr = &options->check_host_ip;
1454 goto parse_flag;
1455
1456+ case oNoneEnabled:
1457+ intptr = &options->none_enabled;
1458+ goto parse_flag;
1459+
1460+ /* we check to see if the command comes from the */
1461+ /* command line or not. If it does then enable it */
1462+ /* otherwise fail. NONE should never be a default configuration */
1463+ case oNoneSwitch:
1464+ if(strcmp(filename,"command-line")==0)
1465+ {
1466+ intptr = &options->none_switch;
1467+ goto parse_flag;
1468+ } else {
1469+ error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
1470+ error("Continuing...");
1471+ debug("NoneSwitch directive found in %.200s.", filename);
1472+ return 0;
1473+ }
1474+
1475+ case oHPNDisabled:
1476+ intptr = &options->hpn_disabled;
1477+ goto parse_flag;
1478+
1479+ case oHPNBufferSize:
1480+ intptr = &options->hpn_buffer_size;
1481+ goto parse_int;
1482+
1483+ case oTcpRcvBufPoll:
1484+ intptr = &options->tcp_rcv_buf_poll;
1485+ goto parse_flag;
1486+
1487 case oVerifyHostKeyDNS:
1488 intptr = &options->verify_host_key_dns;
1489 goto parse_yesnoask;
1490@@ -643,6 +682,10 @@ parse_int:
1491 intptr = &options->connection_attempts;
1492 goto parse_int;
1493
1494+ case oTcpRcvBuf:
1495+ intptr = &options->tcp_rcv_buf;
1496+ goto parse_int;
1497+
1498 case oCipher:
1499 intptr = &options->cipher;
1500 arg = strdelim(&s);
1501@@ -1065,6 +1108,12 @@ initialize_options(Options * options)
1502 options->permit_local_command = -1;
1503 options->visual_host_key = -1;
1504 options->zero_knowledge_password_authentication = -1;
1505+ options->none_switch = -1;
1506+ options->none_enabled = -1;
1507+ options->hpn_disabled = -1;
1508+ options->hpn_buffer_size = -1;
1509+ options->tcp_rcv_buf_poll = -1;
1510+ options->tcp_rcv_buf = -1;
1511 }
1512
1513 /*
1514@@ -1187,6 +1236,29 @@ fill_default_options(Options * options)
1515 options->server_alive_interval = 0;
1516 if (options->server_alive_count_max == -1)
1517 options->server_alive_count_max = 3;
1518+ if (options->none_switch == -1)
1519+ options->none_switch = 0;
1520+ if (options->hpn_disabled == -1)
1521+ options->hpn_disabled = 0;
1522+ if (options->hpn_buffer_size > -1)
1523+ {
1524+ /* if a user tries to set the size to 0 set it to 1KB */
1525+ if (options->hpn_buffer_size == 0)
1526+ options->hpn_buffer_size = 1024;
1527+ /*limit the buffer to 64MB*/
1528+ if (options->hpn_buffer_size > 65536)
1529+ {
1530+ options->hpn_buffer_size = 65536*1024;
1531+ debug("User requested buffer larger than 64MB. Request reverted to 64MB");
1532+ }
1533+ debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
1534+ }
1535+ if (options->tcp_rcv_buf == 0)
1536+ options->tcp_rcv_buf = 1;
1537+ if (options->tcp_rcv_buf > -1)
1538+ options->tcp_rcv_buf *=1024;
1539+ if (options->tcp_rcv_buf_poll == -1)
1540+ options->tcp_rcv_buf_poll = 1;
1541 if (options->control_master == -1)
1542 options->control_master = 0;
1543 if (options->hash_known_hosts == -1)
1544diff -NupwB openssh-5.2p1-canonical/readconf.c.orig openssh-5.2p1-hpn13v6/readconf.c.orig
1545--- openssh-5.2p1-canonical/readconf.c.orig 1969-12-31 19:00:00.000000000 -0500
1546+++ openssh-5.2p1-hpn13v6/readconf.c.orig 2009-02-14 00:28:21.000000000 -0500
1547@@ -0,0 +1,1310 @@
1548+/* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
1549+/*
1550+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
1551+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
1552+ * All rights reserved
1553+ * Functions for reading the configuration files.
1554+ *
1555+ * As far as I am concerned, the code I have written for this software
1556+ * can be used freely for any purpose. Any derived versions of this
1557+ * software must be clearly marked as such, and if the derived work is
1558+ * incompatible with the protocol description in the RFC file, it must be
1559+ * called by a name other than "ssh" or "Secure Shell".
1560+ */
1561+
1562+#include "includes.h"
1563+
1564+#include <sys/types.h>
1565+#include <sys/stat.h>
1566+#include <sys/socket.h>
1567+
1568+#include <netinet/in.h>
1569+
1570+#include <ctype.h>
1571+#include <errno.h>
1572+#include <netdb.h>
1573+#include <signal.h>
1574+#include <stdarg.h>
1575+#include <stdio.h>
1576+#include <string.h>
1577+#include <unistd.h>
1578+
1579+#include "xmalloc.h"
1580+#include "ssh.h"
1581+#include "compat.h"
1582+#include "cipher.h"
1583+#include "pathnames.h"
1584+#include "log.h"
1585+#include "key.h"
1586+#include "readconf.h"
1587+#include "match.h"
1588+#include "misc.h"
1589+#include "buffer.h"
1590+#include "kex.h"
1591+#include "mac.h"
1592+
1593+/* Format of the configuration file:
1594+
1595+ # Configuration data is parsed as follows:
1596+ # 1. command line options
1597+ # 2. user-specific file
1598+ # 3. system-wide file
1599+ # Any configuration value is only changed the first time it is set.
1600+ # Thus, host-specific definitions should be at the beginning of the
1601+ # configuration file, and defaults at the end.
1602+
1603+ # Host-specific declarations. These may override anything above. A single
1604+ # host may match multiple declarations; these are processed in the order
1605+ # that they are given in.
1606+
1607+ Host *.ngs.fi ngs.fi
1608+ User foo
1609+
1610+ Host fake.com
1611+ HostName another.host.name.real.org
1612+ User blaah
1613+ Port 34289
1614+ ForwardX11 no
1615+ ForwardAgent no
1616+
1617+ Host books.com
1618+ RemoteForward 9999 shadows.cs.hut.fi:9999
1619+ Cipher 3des
1620+
1621+ Host fascist.blob.com
1622+ Port 23123
1623+ User tylonen
1624+ PasswordAuthentication no
1625+
1626+ Host puukko.hut.fi
1627+ User t35124p
1628+ ProxyCommand ssh-proxy %h %p
1629+
1630+ Host *.fr
1631+ PublicKeyAuthentication no
1632+
1633+ Host *.su
1634+ Cipher none
1635+ PasswordAuthentication no
1636+
1637+ Host vpn.fake.com
1638+ Tunnel yes
1639+ TunnelDevice 3
1640+
1641+ # Defaults for various options
1642+ Host *
1643+ ForwardAgent no
1644+ ForwardX11 no
1645+ PasswordAuthentication yes
1646+ RSAAuthentication yes
1647+ RhostsRSAAuthentication yes
1648+ StrictHostKeyChecking yes
1649+ TcpKeepAlive no
1650+ IdentityFile ~/.ssh/identity
1651+ Port 22
1652+ EscapeChar ~
1653+
1654+*/
1655+
1656+/* Keyword tokens. */
1657+
1658+typedef enum {
1659+ oBadOption,
1660+ oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
1661+ oExitOnForwardFailure,
1662+ oPasswordAuthentication, oRSAAuthentication,
1663+ oChallengeResponseAuthentication, oXAuthLocation,
1664+ oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
1665+ oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
1666+ oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
1667+ oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
1668+ oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
1669+ oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
1670+ oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
1671+ oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
1672+ oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
1673+ oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
1674+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
1675+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
1676+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
1677+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
1678+ oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
1679+ oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
1680+ oVisualHostKey, oZeroKnowledgePasswordAuthentication,
1681+ oDeprecated, oUnsupported
1682+} OpCodes;
1683+
1684+/* Textual representations of the tokens. */
1685+
1686+static struct {
1687+ const char *name;
1688+ OpCodes opcode;
1689+} keywords[] = {
1690+ { "forwardagent", oForwardAgent },
1691+ { "forwardx11", oForwardX11 },
1692+ { "forwardx11trusted", oForwardX11Trusted },
1693+ { "exitonforwardfailure", oExitOnForwardFailure },
1694+ { "xauthlocation", oXAuthLocation },
1695+ { "gatewayports", oGatewayPorts },
1696+ { "useprivilegedport", oUsePrivilegedPort },
1697+ { "rhostsauthentication", oDeprecated },
1698+ { "passwordauthentication", oPasswordAuthentication },
1699+ { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
1700+ { "kbdinteractivedevices", oKbdInteractiveDevices },
1701+ { "rsaauthentication", oRSAAuthentication },
1702+ { "pubkeyauthentication", oPubkeyAuthentication },
1703+ { "dsaauthentication", oPubkeyAuthentication }, /* alias */
1704+ { "rhostsrsaauthentication", oRhostsRSAAuthentication },
1705+ { "hostbasedauthentication", oHostbasedAuthentication },
1706+ { "challengeresponseauthentication", oChallengeResponseAuthentication },
1707+ { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
1708+ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
1709+ { "kerberosauthentication", oUnsupported },
1710+ { "kerberostgtpassing", oUnsupported },
1711+ { "afstokenpassing", oUnsupported },
1712+#if defined(GSSAPI)
1713+ { "gssapiauthentication", oGssAuthentication },
1714+ { "gssapidelegatecredentials", oGssDelegateCreds },
1715+#else
1716+ { "gssapiauthentication", oUnsupported },
1717+ { "gssapidelegatecredentials", oUnsupported },
1718+#endif
1719+ { "fallbacktorsh", oDeprecated },
1720+ { "usersh", oDeprecated },
1721+ { "identityfile", oIdentityFile },
1722+ { "identityfile2", oIdentityFile }, /* obsolete */
1723+ { "identitiesonly", oIdentitiesOnly },
1724+ { "hostname", oHostName },
1725+ { "hostkeyalias", oHostKeyAlias },
1726+ { "proxycommand", oProxyCommand },
1727+ { "port", oPort },
1728+ { "cipher", oCipher },
1729+ { "ciphers", oCiphers },
1730+ { "macs", oMacs },
1731+ { "protocol", oProtocol },
1732+ { "remoteforward", oRemoteForward },
1733+ { "localforward", oLocalForward },
1734+ { "user", oUser },
1735+ { "host", oHost },
1736+ { "escapechar", oEscapeChar },
1737+ { "globalknownhostsfile", oGlobalKnownHostsFile },
1738+ { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */
1739+ { "userknownhostsfile", oUserKnownHostsFile },
1740+ { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
1741+ { "connectionattempts", oConnectionAttempts },
1742+ { "batchmode", oBatchMode },
1743+ { "checkhostip", oCheckHostIP },
1744+ { "stricthostkeychecking", oStrictHostKeyChecking },
1745+ { "compression", oCompression },
1746+ { "compressionlevel", oCompressionLevel },
1747+ { "tcpkeepalive", oTCPKeepAlive },
1748+ { "keepalive", oTCPKeepAlive }, /* obsolete */
1749+ { "numberofpasswordprompts", oNumberOfPasswordPrompts },
1750+ { "loglevel", oLogLevel },
1751+ { "dynamicforward", oDynamicForward },
1752+ { "preferredauthentications", oPreferredAuthentications },
1753+ { "hostkeyalgorithms", oHostKeyAlgorithms },
1754+ { "bindaddress", oBindAddress },
1755+#ifdef SMARTCARD
1756+ { "smartcarddevice", oSmartcardDevice },
1757+#else
1758+ { "smartcarddevice", oUnsupported },
1759+#endif
1760+ { "clearallforwardings", oClearAllForwardings },
1761+ { "enablesshkeysign", oEnableSSHKeysign },
1762+ { "verifyhostkeydns", oVerifyHostKeyDNS },
1763+ { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
1764+ { "rekeylimit", oRekeyLimit },
1765+ { "connecttimeout", oConnectTimeout },
1766+ { "addressfamily", oAddressFamily },
1767+ { "serveraliveinterval", oServerAliveInterval },
1768+ { "serveralivecountmax", oServerAliveCountMax },
1769+ { "sendenv", oSendEnv },
1770+ { "controlpath", oControlPath },
1771+ { "controlmaster", oControlMaster },
1772+ { "hashknownhosts", oHashKnownHosts },
1773+ { "tunnel", oTunnel },
1774+ { "tunneldevice", oTunnelDevice },
1775+ { "localcommand", oLocalCommand },
1776+ { "permitlocalcommand", oPermitLocalCommand },
1777+ { "visualhostkey", oVisualHostKey },
1778+#ifdef JPAKE
1779+ { "zeroknowledgepasswordauthentication",
1780+ oZeroKnowledgePasswordAuthentication },
1781+#else
1782+ { "zeroknowledgepasswordauthentication", oUnsupported },
1783+#endif
1784+
1785+ { NULL, oBadOption }
1786+};
1787+
1788+/*
1789+ * Adds a local TCP/IP port forward to options. Never returns if there is an
1790+ * error.
1791+ */
1792+
1793+void
1794+add_local_forward(Options *options, const Forward *newfwd)
1795+{
1796+ Forward *fwd;
1797+#ifndef NO_IPPORT_RESERVED_CONCEPT
1798+ extern uid_t original_real_uid;
1799+ if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
1800+ fatal("Privileged ports can only be forwarded by root.");
1801+#endif
1802+ if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
1803+ fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
1804+ fwd = &options->local_forwards[options->num_local_forwards++];
1805+
1806+ fwd->listen_host = newfwd->listen_host;
1807+ fwd->listen_port = newfwd->listen_port;
1808+ fwd->connect_host = newfwd->connect_host;
1809+ fwd->connect_port = newfwd->connect_port;
1810+}
1811+
1812+/*
1813+ * Adds a remote TCP/IP port forward to options. Never returns if there is
1814+ * an error.
1815+ */
1816+
1817+void
1818+add_remote_forward(Options *options, const Forward *newfwd)
1819+{
1820+ Forward *fwd;
1821+ if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
1822+ fatal("Too many remote forwards (max %d).",
1823+ SSH_MAX_FORWARDS_PER_DIRECTION);
1824+ fwd = &options->remote_forwards[options->num_remote_forwards++];
1825+
1826+ fwd->listen_host = newfwd->listen_host;
1827+ fwd->listen_port = newfwd->listen_port;
1828+ fwd->connect_host = newfwd->connect_host;
1829+ fwd->connect_port = newfwd->connect_port;
1830+}
1831+
1832+static void
1833+clear_forwardings(Options *options)
1834+{
1835+ int i;
1836+
1837+ for (i = 0; i < options->num_local_forwards; i++) {
1838+ if (options->local_forwards[i].listen_host != NULL)
0fab2cab
AM		 1839+ free(options->local_forwards[i].listen_host);
1840+ free(options->local_forwards[i].connect_host);
0d5b2bd4
ER		 1841+ }
1842+ options->num_local_forwards = 0;
1843+ for (i = 0; i < options->num_remote_forwards; i++) {
1844+ if (options->remote_forwards[i].listen_host != NULL)
0fab2cab
AM		 1845+ free(options->remote_forwards[i].listen_host);
1846+ free(options->remote_forwards[i].connect_host);
0d5b2bd4
ER		 1847+ }
1848+ options->num_remote_forwards = 0;
1849+ options->tun_open = SSH_TUNMODE_NO;
1850+}
1851+
1852+/*
1853+ * Returns the number of the token pointed to by cp or oBadOption.
1854+ */
1855+
1856+static OpCodes
1857+parse_token(const char *cp, const char *filename, int linenum)
1858+{
1859+ u_int i;
1860+
1861+ for (i = 0; keywords[i].name; i++)
1862+ if (strcasecmp(cp, keywords[i].name) == 0)
1863+ return keywords[i].opcode;
1864+
1865+ error("%s: line %d: Bad configuration option: %s",
1866+ filename, linenum, cp);
1867+ return oBadOption;
1868+}
1869+
1870+/*
1871+ * Processes a single option line as used in the configuration files. This
1872+ * only sets those values that have not already been set.
1873+ */
1874+#define WHITESPACE " \t\r\n"
1875+
1876+int
1877+process_config_line(Options *options, const char *host,
1878+ char *line, const char *filename, int linenum,
1879+ int *activep)
1880+{
1881+ char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
1882+ int opcode, *intptr, value, value2, scale;
1883+ LogLevel *log_level_ptr;
1884+ long long orig, val64;
1885+ size_t len;
1886+ Forward fwd;
1887+
1888+ /* Strip trailing whitespace */
1889+ for (len = strlen(line) - 1; len > 0; len--) {
1890+ if (strchr(WHITESPACE, line[len]) == NULL)
1891+ break;
1892+ line[len] = '\0';
1893+ }
1894+
1895+ s = line;
1896+ /* Get the keyword. (Each line is supposed to begin with a keyword). */
1897+ if ((keyword = strdelim(&s)) == NULL)
1898+ return 0;
1899+ /* Ignore leading whitespace. */
1900+ if (*keyword == '\0')
1901+ keyword = strdelim(&s);
1902+ if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
1903+ return 0;
1904+
1905+ opcode = parse_token(keyword, filename, linenum);
1906+
1907+ switch (opcode) {
1908+ case oBadOption:
1909+ /* don't panic, but count bad options */
1910+ return -1;
1911+ /* NOTREACHED */
1912+ case oConnectTimeout:
1913+ intptr = &options->connection_timeout;
1914+parse_time:
1915+ arg = strdelim(&s);
1916+ if (!arg || *arg == '\0')
1917+ fatal("%s line %d: missing time value.",
1918+ filename, linenum);
1919+ if ((value = convtime(arg)) == -1)
1920+ fatal("%s line %d: invalid time value.",
1921+ filename, linenum);
1922+ if (*activep && *intptr == -1)
1923+ *intptr = value;
1924+ break;
1925+
1926+ case oForwardAgent:
1927+ intptr = &options->forward_agent;
1928+parse_flag:
1929+ arg = strdelim(&s);
1930+ if (!arg || *arg == '\0')
1931+ fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
1932+ value = 0; /* To avoid compiler warning... */
1933+ if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
1934+ value = 1;
1935+ else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
1936+ value = 0;
1937+ else
1938+ fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
1939+ if (*activep && *intptr == -1)
1940+ *intptr = value;
1941+ break;
1942+
1943+ case oForwardX11:
1944+ intptr = &options->forward_x11;
1945+ goto parse_flag;
1946+
1947+ case oForwardX11Trusted:
1948+ intptr = &options->forward_x11_trusted;
1949+ goto parse_flag;
1950+
1951+ case oGatewayPorts:
1952+ intptr = &options->gateway_ports;
1953+ goto parse_flag;
1954+
1955+ case oExitOnForwardFailure:
1956+ intptr = &options->exit_on_forward_failure;
1957+ goto parse_flag;
1958+
1959+ case oUsePrivilegedPort:
1960+ intptr = &options->use_privileged_port;
1961+ goto parse_flag;
1962+
1963+ case oPasswordAuthentication:
1964+ intptr = &options->password_authentication;
1965+ goto parse_flag;
1966+
1967+ case oZeroKnowledgePasswordAuthentication:
1968+ intptr = &options->zero_knowledge_password_authentication;
1969+ goto parse_flag;
1970+
1971+ case oKbdInteractiveAuthentication:
1972+ intptr = &options->kbd_interactive_authentication;
1973+ goto parse_flag;
1974+
1975+ case oKbdInteractiveDevices:
1976+ charptr = &options->kbd_interactive_devices;
1977+ goto parse_string;
1978+
1979+ case oPubkeyAuthentication:
1980+ intptr = &options->pubkey_authentication;
1981+ goto parse_flag;
1982+
1983+ case oRSAAuthentication:
1984+ intptr = &options->rsa_authentication;
1985+ goto parse_flag;
1986+
1987+ case oRhostsRSAAuthentication:
1988+ intptr = &options->rhosts_rsa_authentication;
1989+ goto parse_flag;
1990+
1991+ case oHostbasedAuthentication:
1992+ intptr = &options->hostbased_authentication;
1993+ goto parse_flag;
1994+
1995+ case oChallengeResponseAuthentication:
1996+ intptr = &options->challenge_response_authentication;
1997+ goto parse_flag;
1998+
1999+ case oGssAuthentication:
2000+ intptr = &options->gss_authentication;
2001+ goto parse_flag;
2002+
2003+ case oGssDelegateCreds:
2004+ intptr = &options->gss_deleg_creds;
2005+ goto parse_flag;
2006+
2007+ case oBatchMode:
2008+ intptr = &options->batch_mode;
2009+ goto parse_flag;
2010+
2011+ case oCheckHostIP:
2012+ intptr = &options->check_host_ip;
2013+ goto parse_flag;
2014+
2015+ case oVerifyHostKeyDNS:
2016+ intptr = &options->verify_host_key_dns;
2017+ goto parse_yesnoask;
2018+
2019+ case oStrictHostKeyChecking:
2020+ intptr = &options->strict_host_key_checking;
2021+parse_yesnoask:
2022+ arg = strdelim(&s);
2023+ if (!arg || *arg == '\0')
2024+ fatal("%.200s line %d: Missing yes/no/ask argument.",
2025+ filename, linenum);
2026+ value = 0; /* To avoid compiler warning... */
2027+ if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
2028+ value = 1;
2029+ else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
2030+ value = 0;
2031+ else if (strcmp(arg, "ask") == 0)
2032+ value = 2;
2033+ else
2034+ fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
2035+ if (*activep && *intptr == -1)
2036+ *intptr = value;
2037+ break;
2038+
2039+ case oCompression:
2040+ intptr = &options->compression;
2041+ goto parse_flag;
2042+
2043+ case oTCPKeepAlive:
2044+ intptr = &options->tcp_keep_alive;
2045+ goto parse_flag;
2046+
2047+ case oNoHostAuthenticationForLocalhost:
2048+ intptr = &options->no_host_authentication_for_localhost;
2049+ goto parse_flag;
2050+
2051+ case oNumberOfPasswordPrompts:
2052+ intptr = &options->number_of_password_prompts;
2053+ goto parse_int;
2054+
2055+ case oCompressionLevel:
2056+ intptr = &options->compression_level;
2057+ goto parse_int;
2058+
2059+ case oRekeyLimit:
2060+ arg = strdelim(&s);
2061+ if (!arg || *arg == '\0')
2062+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2063+ if (arg[0] < '0' || arg[0] > '9')
2064+ fatal("%.200s line %d: Bad number.", filename, linenum);
2065+ orig = val64 = strtoll(arg, &endofnumber, 10);
2066+ if (arg == endofnumber)
2067+ fatal("%.200s line %d: Bad number.", filename, linenum);
2068+ switch (toupper(*endofnumber)) {
2069+ case '\0':
2070+ scale = 1;
2071+ break;
2072+ case 'K':
2073+ scale = 1<<10;
2074+ break;
2075+ case 'M':
2076+ scale = 1<<20;
2077+ break;
2078+ case 'G':
2079+ scale = 1<<30;
2080+ break;
2081+ default:
2082+ fatal("%.200s line %d: Invalid RekeyLimit suffix",
2083+ filename, linenum);
2084+ }
2085+ val64 *= scale;
2086+ /* detect integer wrap and too-large limits */
2087+ if ((val64 / scale) != orig || val64 > UINT_MAX)
2088+ fatal("%.200s line %d: RekeyLimit too large",
2089+ filename, linenum);
2090+ if (val64 < 16)
2091+ fatal("%.200s line %d: RekeyLimit too small",
2092+ filename, linenum);
2093+ if (*activep && options->rekey_limit == -1)
2094+ options->rekey_limit = (u_int32_t)val64;
2095+ break;
2096+
2097+ case oIdentityFile:
2098+ arg = strdelim(&s);
2099+ if (!arg || *arg == '\0')
2100+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2101+ if (*activep) {
2102+ intptr = &options->num_identity_files;
2103+ if (*intptr >= SSH_MAX_IDENTITY_FILES)
2104+ fatal("%.200s line %d: Too many identity files specified (max %d).",
2105+ filename, linenum, SSH_MAX_IDENTITY_FILES);
2106+ charptr = &options->identity_files[*intptr];
2107+ *charptr = xstrdup(arg);
2108+ *intptr = *intptr + 1;
2109+ }
2110+ break;
2111+
2112+ case oXAuthLocation:
2113+ charptr=&options->xauth_location;
2114+ goto parse_string;
2115+
2116+ case oUser:
2117+ charptr = &options->user;
2118+parse_string:
2119+ arg = strdelim(&s);
2120+ if (!arg || *arg == '\0')
2121+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2122+ if (*activep && *charptr == NULL)
2123+ *charptr = xstrdup(arg);
2124+ break;
2125+
2126+ case oGlobalKnownHostsFile:
2127+ charptr = &options->system_hostfile;
2128+ goto parse_string;
2129+
2130+ case oUserKnownHostsFile:
2131+ charptr = &options->user_hostfile;
2132+ goto parse_string;
2133+
2134+ case oGlobalKnownHostsFile2:
2135+ charptr = &options->system_hostfile2;
2136+ goto parse_string;
2137+
2138+ case oUserKnownHostsFile2:
2139+ charptr = &options->user_hostfile2;
2140+ goto parse_string;
2141+
2142+ case oHostName:
2143+ charptr = &options->hostname;
2144+ goto parse_string;
2145+
2146+ case oHostKeyAlias:
2147+ charptr = &options->host_key_alias;
2148+ goto parse_string;
2149+
2150+ case oPreferredAuthentications:
2151+ charptr = &options->preferred_authentications;
2152+ goto parse_string;
2153+
2154+ case oBindAddress:
2155+ charptr = &options->bind_address;
2156+ goto parse_string;
2157+
2158+ case oSmartcardDevice:
2159+ charptr = &options->smartcard_device;
2160+ goto parse_string;
2161+
2162+ case oProxyCommand:
2163+ charptr = &options->proxy_command;
2164+parse_command:
2165+ if (s == NULL)
2166+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2167+ len = strspn(s, WHITESPACE "=");
2168+ if (*activep && *charptr == NULL)
2169+ *charptr = xstrdup(s + len);
2170+ return 0;
2171+
2172+ case oPort:
2173+ intptr = &options->port;
2174+parse_int:
2175+ arg = strdelim(&s);
2176+ if (!arg || *arg == '\0')
2177+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2178+ if (arg[0] < '0' || arg[0] > '9')
2179+ fatal("%.200s line %d: Bad number.", filename, linenum);
2180+
2181+ /* Octal, decimal, or hex format? */
2182+ value = strtol(arg, &endofnumber, 0);
2183+ if (arg == endofnumber)
2184+ fatal("%.200s line %d: Bad number.", filename, linenum);
2185+ if (*activep && *intptr == -1)
2186+ *intptr = value;
2187+ break;
2188+
2189+ case oConnectionAttempts:
2190+ intptr = &options->connection_attempts;
2191+ goto parse_int;
2192+
2193+ case oCipher:
2194+ intptr = &options->cipher;
2195+ arg = strdelim(&s);
2196+ if (!arg || *arg == '\0')
2197+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2198+ value = cipher_number(arg);
2199+ if (value == -1)
2200+ fatal("%.200s line %d: Bad cipher '%s'.",
2201+ filename, linenum, arg ? arg : "<NONE>");
2202+ if (*activep && *intptr == -1)
2203+ *intptr = value;
2204+ break;
2205+
2206+ case oCiphers:
2207+ arg = strdelim(&s);
2208+ if (!arg || *arg == '\0')
2209+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2210+ if (!ciphers_valid(arg))
2211+ fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
2212+ filename, linenum, arg ? arg : "<NONE>");
2213+ if (*activep && options->ciphers == NULL)
2214+ options->ciphers = xstrdup(arg);
2215+ break;
2216+
2217+ case oMacs:
2218+ arg = strdelim(&s);
2219+ if (!arg || *arg == '\0')
2220+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2221+ if (!mac_valid(arg))
2222+ fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
2223+ filename, linenum, arg ? arg : "<NONE>");
2224+ if (*activep && options->macs == NULL)
2225+ options->macs = xstrdup(arg);
2226+ break;
2227+
2228+ case oHostKeyAlgorithms:
2229+ arg = strdelim(&s);
2230+ if (!arg || *arg == '\0')
2231+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2232+ if (!key_names_valid2(arg))
2233+ fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
2234+ filename, linenum, arg ? arg : "<NONE>");
2235+ if (*activep && options->hostkeyalgorithms == NULL)
2236+ options->hostkeyalgorithms = xstrdup(arg);
2237+ break;
2238+
2239+ case oProtocol:
2240+ intptr = &options->protocol;
2241+ arg = strdelim(&s);
2242+ if (!arg || *arg == '\0')
2243+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2244+ value = proto_spec(arg);
2245+ if (value == SSH_PROTO_UNKNOWN)
2246+ fatal("%.200s line %d: Bad protocol spec '%s'.",
2247+ filename, linenum, arg ? arg : "<NONE>");
2248+ if (*activep && *intptr == SSH_PROTO_UNKNOWN)
2249+ *intptr = value;
2250+ break;
2251+
2252+ case oLogLevel:
2253+ log_level_ptr = &options->log_level;
2254+ arg = strdelim(&s);
2255+ value = log_level_number(arg);
2256+ if (value == SYSLOG_LEVEL_NOT_SET)
2257+ fatal("%.200s line %d: unsupported log level '%s'",
2258+ filename, linenum, arg ? arg : "<NONE>");
2259+ if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
2260+ *log_level_ptr = (LogLevel) value;
2261+ break;
2262+
2263+ case oLocalForward:
2264+ case oRemoteForward:
2265+ case oDynamicForward:
2266+ arg = strdelim(&s);
2267+ if (arg == NULL || *arg == '\0')
2268+ fatal("%.200s line %d: Missing port argument.",
2269+ filename, linenum);
2270+
2271+ if (opcode == oLocalForward ||
2272+ opcode == oRemoteForward) {
2273+ arg2 = strdelim(&s);
2274+ if (arg2 == NULL || *arg2 == '\0')
2275+ fatal("%.200s line %d: Missing target argument.",
2276+ filename, linenum);
2277+
2278+ /* construct a string for parse_forward */
2279+ snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
2280+ } else if (opcode == oDynamicForward) {
2281+ strlcpy(fwdarg, arg, sizeof(fwdarg));
2282+ }
2283+
2284+ if (parse_forward(&fwd, fwdarg,
2285+ opcode == oDynamicForward ? 1 : 0,
2286+ opcode == oRemoteForward ? 1 : 0) == 0)
2287+ fatal("%.200s line %d: Bad forwarding specification.",
2288+ filename, linenum);
2289+
2290+ if (*activep) {
2291+ if (opcode == oLocalForward ||
2292+ opcode == oDynamicForward)
2293+ add_local_forward(options, &fwd);
2294+ else if (opcode == oRemoteForward)
2295+ add_remote_forward(options, &fwd);
2296+ }
2297+ break;
2298+
2299+ case oClearAllForwardings:
2300+ intptr = &options->clear_forwardings;
2301+ goto parse_flag;
2302+
2303+ case oHost:
2304+ *activep = 0;
2305+ while ((arg = strdelim(&s)) != NULL && *arg != '\0')
2306+ if (match_pattern(host, arg)) {
2307+ debug("Applying options for %.100s", arg);
2308+ *activep = 1;
2309+ break;
2310+ }
2311+ /* Avoid garbage check below, as strdelim is done. */
2312+ return 0;
2313+
2314+ case oEscapeChar:
2315+ intptr = &options->escape_char;
2316+ arg = strdelim(&s);
2317+ if (!arg || *arg == '\0')
2318+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2319+ if (arg[0] == '^' && arg[2] == 0 &&
2320+ (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
2321+ value = (u_char) arg[1] & 31;
2322+ else if (strlen(arg) == 1)
2323+ value = (u_char) arg[0];
2324+ else if (strcmp(arg, "none") == 0)
2325+ value = SSH_ESCAPECHAR_NONE;
2326+ else {
2327+ fatal("%.200s line %d: Bad escape character.",
2328+ filename, linenum);
2329+ /* NOTREACHED */
2330+ value = 0; /* Avoid compiler warning. */
2331+ }
2332+ if (*activep && *intptr == -1)
2333+ *intptr = value;
2334+ break;
2335+
2336+ case oAddressFamily:
2337+ arg = strdelim(&s);
2338+ if (!arg || *arg == '\0')
2339+ fatal("%s line %d: missing address family.",
2340+ filename, linenum);
2341+ intptr = &options->address_family;
2342+ if (strcasecmp(arg, "inet") == 0)
2343+ value = AF_INET;
2344+ else if (strcasecmp(arg, "inet6") == 0)
2345+ value = AF_INET6;
2346+ else if (strcasecmp(arg, "any") == 0)
2347+ value = AF_UNSPEC;
2348+ else
2349+ fatal("Unsupported AddressFamily \"%s\"", arg);
2350+ if (*activep && *intptr == -1)
2351+ *intptr = value;
2352+ break;
2353+
2354+ case oEnableSSHKeysign:
2355+ intptr = &options->enable_ssh_keysign;
2356+ goto parse_flag;
2357+
2358+ case oIdentitiesOnly:
2359+ intptr = &options->identities_only;
2360+ goto parse_flag;
2361+
2362+ case oServerAliveInterval:
2363+ intptr = &options->server_alive_interval;
2364+ goto parse_time;
2365+
2366+ case oServerAliveCountMax:
2367+ intptr = &options->server_alive_count_max;
2368+ goto parse_int;
2369+
2370+ case oSendEnv:
2371+ while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
2372+ if (strchr(arg, '=') != NULL)
2373+ fatal("%s line %d: Invalid environment name.",
2374+ filename, linenum);
2375+ if (!*activep)
2376+ continue;
2377+ if (options->num_send_env >= MAX_SEND_ENV)
2378+ fatal("%s line %d: too many send env.",
2379+ filename, linenum);
2380+ options->send_env[options->num_send_env++] =
2381+ xstrdup(arg);
2382+ }
2383+ break;
2384+
2385+ case oControlPath:
2386+ charptr = &options->control_path;
2387+ goto parse_string;
2388+
2389+ case oControlMaster:
2390+ intptr = &options->control_master;
2391+ arg = strdelim(&s);
2392+ if (!arg || *arg == '\0')
2393+ fatal("%.200s line %d: Missing ControlMaster argument.",
2394+ filename, linenum);
2395+ value = 0; /* To avoid compiler warning... */
2396+ if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
2397+ value = SSHCTL_MASTER_YES;
2398+ else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
2399+ value = SSHCTL_MASTER_NO;
2400+ else if (strcmp(arg, "auto") == 0)
2401+ value = SSHCTL_MASTER_AUTO;
2402+ else if (strcmp(arg, "ask") == 0)
2403+ value = SSHCTL_MASTER_ASK;
2404+ else if (strcmp(arg, "autoask") == 0)
2405+ value = SSHCTL_MASTER_AUTO_ASK;
2406+ else
2407+ fatal("%.200s line %d: Bad ControlMaster argument.",
2408+ filename, linenum);
2409+ if (*activep && *intptr == -1)
2410+ *intptr = value;
2411+ break;
2412+
2413+ case oHashKnownHosts:
2414+ intptr = &options->hash_known_hosts;
2415+ goto parse_flag;
2416+
2417+ case oTunnel:
2418+ intptr = &options->tun_open;
2419+ arg = strdelim(&s);
2420+ if (!arg || *arg == '\0')
2421+ fatal("%s line %d: Missing yes/point-to-point/"
2422+ "ethernet/no argument.", filename, linenum);
2423+ value = 0; /* silence compiler */
2424+ if (strcasecmp(arg, "ethernet") == 0)
2425+ value = SSH_TUNMODE_ETHERNET;
2426+ else if (strcasecmp(arg, "point-to-point") == 0)
2427+ value = SSH_TUNMODE_POINTOPOINT;
2428+ else if (strcasecmp(arg, "yes") == 0)
2429+ value = SSH_TUNMODE_DEFAULT;
2430+ else if (strcasecmp(arg, "no") == 0)
2431+ value = SSH_TUNMODE_NO;
2432+ else
2433+ fatal("%s line %d: Bad yes/point-to-point/ethernet/"
2434+ "no argument: %s", filename, linenum, arg);
2435+ if (*activep)
2436+ *intptr = value;
2437+ break;
2438+
2439+ case oTunnelDevice:
2440+ arg = strdelim(&s);
2441+ if (!arg || *arg == '\0')
2442+ fatal("%.200s line %d: Missing argument.", filename, linenum);
2443+ value = a2tun(arg, &value2);
2444+ if (value == SSH_TUNID_ERR)
2445+ fatal("%.200s line %d: Bad tun device.", filename, linenum);
2446+ if (*activep) {
2447+ options->tun_local = value;
2448+ options->tun_remote = value2;
2449+ }
2450+ break;
2451+
2452+ case oLocalCommand:
2453+ charptr = &options->local_command;
2454+ goto parse_command;
2455+
2456+ case oPermitLocalCommand:
2457+ intptr = &options->permit_local_command;
2458+ goto parse_flag;
2459+
2460+ case oVisualHostKey:
2461+ intptr = &options->visual_host_key;
2462+ goto parse_flag;
2463+
2464+ case oDeprecated:
2465+ debug("%s line %d: Deprecated option \"%s\"",
2466+ filename, linenum, keyword);
2467+ return 0;
2468+
2469+ case oUnsupported:
2470+ error("%s line %d: Unsupported option \"%s\"",
2471+ filename, linenum, keyword);
2472+ return 0;
2473+
2474+ default:
2475+ fatal("process_config_line: Unimplemented opcode %d", opcode);
2476+ }
2477+
2478+ /* Check that there is no garbage at end of line. */
2479+ if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
2480+ fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
2481+ filename, linenum, arg);
2482+ }
2483+ return 0;
2484+}
2485+
2486+
2487+/*
2488+ * Reads the config file and modifies the options accordingly. Options
2489+ * should already be initialized before this call. This never returns if
2490+ * there is an error. If the file does not exist, this returns 0.
2491+ */
2492+
2493+int
2494+read_config_file(const char *filename, const char *host, Options *options,
2495+ int checkperm)
2496+{
2497+ FILE *f;
2498+ char line[1024];
2499+ int active, linenum;
2500+ int bad_options = 0;
2501+
2502+ if ((f = fopen(filename, "r")) == NULL)
2503+ return 0;
2504+
2505+ if (checkperm) {
2506+ struct stat sb;
2507+
2508+ if (fstat(fileno(f), &sb) == -1)
2509+ fatal("fstat %s: %s", filename, strerror(errno));
2510+ if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
2511+ (sb.st_mode & 022) != 0))
2512+ fatal("Bad owner or permissions on %s", filename);
2513+ }
2514+
2515+ debug("Reading configuration data %.200s", filename);
2516+
2517+ /*
2518+ * Mark that we are now processing the options. This flag is turned
2519+ * on/off by Host specifications.
2520+ */
2521+ active = 1;
2522+ linenum = 0;
2523+ while (fgets(line, sizeof(line), f)) {
2524+ /* Update line number counter. */
2525+ linenum++;
2526+ if (process_config_line(options, host, line, filename, linenum, &active) != 0)
2527+ bad_options++;
2528+ }
2529+ fclose(f);
2530+ if (bad_options > 0)
2531+ fatal("%s: terminating, %d bad configuration options",
2532+ filename, bad_options);
2533+ return 1;
2534+}
2535+
2536+/*
2537+ * Initializes options to special values that indicate that they have not yet
2538+ * been set. Read_config_file will only set options with this value. Options
2539+ * are processed in the following order: command line, user config file,
2540+ * system config file. Last, fill_default_options is called.
2541+ */
2542+
2543+void
2544+initialize_options(Options * options)
2545+{
2546+ memset(options, 'X', sizeof(*options));
2547+ options->forward_agent = -1;
2548+ options->forward_x11 = -1;
2549+ options->forward_x11_trusted = -1;
2550+ options->exit_on_forward_failure = -1;
2551+ options->xauth_location = NULL;
2552+ options->gateway_ports = -1;
2553+ options->use_privileged_port = -1;
2554+ options->rsa_authentication = -1;
2555+ options->pubkey_authentication = -1;
2556+ options->challenge_response_authentication = -1;
2557+ options->gss_authentication = -1;
2558+ options->gss_deleg_creds = -1;
2559+ options->password_authentication = -1;
2560+ options->kbd_interactive_authentication = -1;
2561+ options->kbd_interactive_devices = NULL;
2562+ options->rhosts_rsa_authentication = -1;
2563+ options->hostbased_authentication = -1;
2564+ options->batch_mode = -1;
2565+ options->check_host_ip = -1;
2566+ options->strict_host_key_checking = -1;
2567+ options->compression = -1;
2568+ options->tcp_keep_alive = -1;
2569+ options->compression_level = -1;
2570+ options->port = -1;
2571+ options->address_family = -1;
2572+ options->connection_attempts = -1;
2573+ options->connection_timeout = -1;
2574+ options->number_of_password_prompts = -1;
2575+ options->cipher = -1;
2576+ options->ciphers = NULL;
2577+ options->macs = NULL;
2578+ options->hostkeyalgorithms = NULL;
2579+ options->protocol = SSH_PROTO_UNKNOWN;
2580+ options->num_identity_files = 0;
2581+ options->hostname = NULL;
2582+ options->host_key_alias = NULL;
2583+ options->proxy_command = NULL;
2584+ options->user = NULL;
2585+ options->escape_char = -1;
2586+ options->system_hostfile = NULL;
2587+ options->user_hostfile = NULL;
2588+ options->system_hostfile2 = NULL;
2589+ options->user_hostfile2 = NULL;
2590+ options->num_local_forwards = 0;
2591+ options->num_remote_forwards = 0;
2592+ options->clear_forwardings = -1;
2593+ options->log_level = SYSLOG_LEVEL_NOT_SET;
2594+ options->preferred_authentications = NULL;
2595+ options->bind_address = NULL;
2596+ options->smartcard_device = NULL;
2597+ options->enable_ssh_keysign = - 1;
2598+ options->no_host_authentication_for_localhost = - 1;
2599+ options->identities_only = - 1;
2600+ options->rekey_limit = - 1;
2601+ options->verify_host_key_dns = -1;
2602+ options->server_alive_interval = -1;
2603+ options->server_alive_count_max = -1;
2604+ options->num_send_env = 0;
2605+ options->control_path = NULL;
2606+ options->control_master = -1;
2607+ options->hash_known_hosts = -1;
2608+ options->tun_open = -1;
2609+ options->tun_local = -1;
2610+ options->tun_remote = -1;
2611+ options->local_command = NULL;
2612+ options->permit_local_command = -1;
2613+ options->visual_host_key = -1;
2614+ options->zero_knowledge_password_authentication = -1;
2615+}
2616+
2617+/*
2618+ * Called after processing other sources of option data, this fills those
2619+ * options for which no value has been specified with their default values.
2620+ */
2621+
2622+void
2623+fill_default_options(Options * options)
2624+{
2625+ int len;
2626+
2627+ if (options->forward_agent == -1)
2628+ options->forward_agent = 0;
2629+ if (options->forward_x11 == -1)
2630+ options->forward_x11 = 0;
2631+ if (options->forward_x11_trusted == -1)
2632+ options->forward_x11_trusted = 0;
2633+ if (options->exit_on_forward_failure == -1)
2634+ options->exit_on_forward_failure = 0;
2635+ if (options->xauth_location == NULL)
2636+ options->xauth_location = _PATH_XAUTH;
2637+ if (options->gateway_ports == -1)
2638+ options->gateway_ports = 0;
2639+ if (options->use_privileged_port == -1)
2640+ options->use_privileged_port = 0;
2641+ if (options->rsa_authentication == -1)
2642+ options->rsa_authentication = 1;
2643+ if (options->pubkey_authentication == -1)
2644+ options->pubkey_authentication = 1;
2645+ if (options->challenge_response_authentication == -1)
2646+ options->challenge_response_authentication = 1;
2647+ if (options->gss_authentication == -1)
2648+ options->gss_authentication = 0;
2649+ if (options->gss_deleg_creds == -1)
2650+ options->gss_deleg_creds = 0;
2651+ if (options->password_authentication == -1)
2652+ options->password_authentication = 1;
2653+ if (options->kbd_interactive_authentication == -1)
2654+ options->kbd_interactive_authentication = 1;
2655+ if (options->rhosts_rsa_authentication == -1)
2656+ options->rhosts_rsa_authentication = 0;
2657+ if (options->hostbased_authentication == -1)
2658+ options->hostbased_authentication = 0;
2659+ if (options->batch_mode == -1)
2660+ options->batch_mode = 0;
2661+ if (options->check_host_ip == -1)
2662+ options->check_host_ip = 1;
2663+ if (options->strict_host_key_checking == -1)
2664+ options->strict_host_key_checking = 2; /* 2 is default */
2665+ if (options->compression == -1)
2666+ options->compression = 0;
2667+ if (options->tcp_keep_alive == -1)
2668+ options->tcp_keep_alive = 1;
2669+ if (options->compression_level == -1)
2670+ options->compression_level = 6;
2671+ if (options->port == -1)
2672+ options->port = 0; /* Filled in ssh_connect. */
2673+ if (options->address_family == -1)
2674+ options->address_family = AF_UNSPEC;
2675+ if (options->connection_attempts == -1)
2676+ options->connection_attempts = 1;
2677+ if (options->number_of_password_prompts == -1)
2678+ options->number_of_password_prompts = 3;
2679+ /* Selected in ssh_login(). */
2680+ if (options->cipher == -1)
2681+ options->cipher = SSH_CIPHER_NOT_SET;
2682+ /* options->ciphers, default set in myproposals.h */
2683+ /* options->macs, default set in myproposals.h */
2684+ /* options->hostkeyalgorithms, default set in myproposals.h */
2685+ if (options->protocol == SSH_PROTO_UNKNOWN)
2686+ options->protocol = SSH_PROTO_1|SSH_PROTO_2;
2687+ if (options->num_identity_files == 0) {
2688+ if (options->protocol & SSH_PROTO_1) {
2689+ len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
2690+ options->identity_files[options->num_identity_files] =
2691+ xmalloc(len);
2692+ snprintf(options->identity_files[options->num_identity_files++],
2693+ len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
2694+ }
2695+ if (options->protocol & SSH_PROTO_2) {
2696+ len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
2697+ options->identity_files[options->num_identity_files] =
2698+ xmalloc(len);
2699+ snprintf(options->identity_files[options->num_identity_files++],
2700+ len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
2701+
2702+ len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
2703+ options->identity_files[options->num_identity_files] =
2704+ xmalloc(len);
2705+ snprintf(options->identity_files[options->num_identity_files++],
2706+ len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
2707+ }
2708+ }
2709+ if (options->escape_char == -1)
2710+ options->escape_char = '~';
2711+ if (options->system_hostfile == NULL)
2712+ options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
2713+ if (options->user_hostfile == NULL)
2714+ options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
2715+ if (options->system_hostfile2 == NULL)
2716+ options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
2717+ if (options->user_hostfile2 == NULL)
2718+ options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
2719+ if (options->log_level == SYSLOG_LEVEL_NOT_SET)
2720+ options->log_level = SYSLOG_LEVEL_INFO;
2721+ if (options->clear_forwardings == 1)
2722+ clear_forwardings(options);
2723+ if (options->no_host_authentication_for_localhost == - 1)
2724+ options->no_host_authentication_for_localhost = 0;
2725+ if (options->identities_only == -1)
2726+ options->identities_only = 0;
2727+ if (options->enable_ssh_keysign == -1)
2728+ options->enable_ssh_keysign = 0;
2729+ if (options->rekey_limit == -1)
2730+ options->rekey_limit = 0;
2731+ if (options->verify_host_key_dns == -1)
2732+ options->verify_host_key_dns = 0;
2733+ if (options->server_alive_interval == -1)
2734+ options->server_alive_interval = 0;
2735+ if (options->server_alive_count_max == -1)
2736+ options->server_alive_count_max = 3;
2737+ if (options->control_master == -1)
2738+ options->control_master = 0;
2739+ if (options->hash_known_hosts == -1)
2740+ options->hash_known_hosts = 0;
2741+ if (options->tun_open == -1)
2742+ options->tun_open = SSH_TUNMODE_NO;
2743+ if (options->tun_local == -1)
2744+ options->tun_local = SSH_TUNID_ANY;
2745+ if (options->tun_remote == -1)
2746+ options->tun_remote = SSH_TUNID_ANY;
2747+ if (options->permit_local_command == -1)
2748+ options->permit_local_command = 0;
2749+ if (options->visual_host_key == -1)
2750+ options->visual_host_key = 0;
2751+ if (options->zero_knowledge_password_authentication == -1)
2752+ options->zero_knowledge_password_authentication = 0;
2753+ /* options->local_command should not be set by default */
2754+ /* options->proxy_command should not be set by default */
2755+ /* options->user will be set in the main program if appropriate */
2756+ /* options->hostname will be set in the main program if appropriate */
2757+ /* options->host_key_alias should not be set by default */
2758+ /* options->preferred_authentications will be set in ssh */
2759+}
2760+
2761+/*
2762+ * parse_forward
2763+ * parses a string containing a port forwarding specification of the form:
2764+ * dynamicfwd == 0
2765+ * [listenhost:]listenport:connecthost:connectport
2766+ * dynamicfwd == 1
2767+ * [listenhost:]listenport
2768+ * returns number of arguments parsed or zero on error
2769+ */
2770+int
2771+parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
2772+{
2773+ int i;
2774+ char *p, *cp, *fwdarg[4];
2775+
2776+ memset(fwd, '\0', sizeof(*fwd));
2777+
2778+ cp = p = xstrdup(fwdspec);
2779+
2780+ /* skip leading spaces */
2781+ while (isspace(*cp))
2782+ cp++;
2783+
2784+ for (i = 0; i < 4; ++i)
2785+ if ((fwdarg[i] = hpdelim(&cp)) == NULL)
2786+ break;
2787+
2788+ /* Check for trailing garbage */
2789+ if (cp != NULL)
2790+ i = 0; /* failure */
2791+
2792+ switch (i) {
2793+ case 1:
2794+ fwd->listen_host = NULL;
2795+ fwd->listen_port = a2port(fwdarg[0]);
2796+ fwd->connect_host = xstrdup("socks");
2797+ break;
2798+
2799+ case 2:
2800+ fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
2801+ fwd->listen_port = a2port(fwdarg[1]);
2802+ fwd->connect_host = xstrdup("socks");
2803+ break;
2804+
2805+ case 3:
2806+ fwd->listen_host = NULL;
2807+ fwd->listen_port = a2port(fwdarg[0]);
2808+ fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
2809+ fwd->connect_port = a2port(fwdarg[2]);
2810+ break;
2811+
2812+ case 4:
2813+ fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
2814+ fwd->listen_port = a2port(fwdarg[1]);
2815+ fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
2816+ fwd->connect_port = a2port(fwdarg[3]);
2817+ break;
2818+ default:
2819+ i = 0; /* failure */
2820+ }
2821+
0fab2cab 2822+ free(p);
0d5b2bd4
ER		 2823+
2824+ if (dynamicfwd) {
2825+ if (!(i == 1 || i == 2))
2826+ goto fail_free;
2827+ } else {
2828+ if (!(i == 3 || i == 4))
2829+ goto fail_free;
2830+ if (fwd->connect_port <= 0)
2831+ goto fail_free;
2832+ }
2833+
2834+ if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
2835+ goto fail_free;
2836+
2837+ if (fwd->connect_host != NULL &&
2838+ strlen(fwd->connect_host) >= NI_MAXHOST)
2839+ goto fail_free;
2840+ if (fwd->listen_host != NULL &&
2841+ strlen(fwd->listen_host) >= NI_MAXHOST)
2842+ goto fail_free;
2843+
2844+
2845+ return (i);
2846+
2847+ fail_free:
2848+ if (fwd->connect_host != NULL) {
0fab2cab 2849+ free(fwd->connect_host);
0d5b2bd4
ER		 2850+ fwd->connect_host = NULL;
2851+ }
2852+ if (fwd->listen_host != NULL) {
0fab2cab 2853+ free(fwd->listen_host);
0d5b2bd4
ER		 2854+ fwd->listen_host = NULL;
2855+ }
2856+ return (0);
2857+}
2858diff -NupwB openssh-5.2p1-canonical/readconf.h openssh-5.2p1-hpn13v6/readconf.h
2859--- openssh-5.2p1-canonical/readconf.h 2009-02-14 00:28:21.000000000 -0500
2860+++ openssh-5.2p1-hpn13v6/readconf.h 2009-05-14 12:36:10.000000000 -0400
2861@@ -57,6 +57,11 @@ typedef struct {
2862 int compression_level; /* Compression level 1 (fast) to 9
2863 * (best). */
2864 int tcp_keep_alive; /* Set SO_KEEPALIVE. */
2865+ int tcp_rcv_buf; /* user switch to set tcp recv buffer */
2866+ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
2867+ int hpn_disabled; /* Switch to disable HPN buffer management */
2868+ int hpn_buffer_size; /* User definable size for HPN buffer window */
2869+
2870 LogLevel log_level; /* Level for logging. */
2871
2872 int port; /* Port to connect. */
2873@@ -102,6 +107,8 @@ typedef struct {
2874
2875 int enable_ssh_keysign;
2876 int64_t rekey_limit;
2877+ int none_switch; /* Use none cipher */
2878+ int none_enabled; /* Allow none to be used */
2879 int no_host_authentication_for_localhost;
2880 int identities_only;
2881 int server_alive_interval;
2882diff -NupwB openssh-5.2p1-canonical/readconf.h.orig openssh-5.2p1-hpn13v6/readconf.h.orig
2883--- openssh-5.2p1-canonical/readconf.h.orig 1969-12-31 19:00:00.000000000 -0500
2884+++ openssh-5.2p1-hpn13v6/readconf.h.orig 2009-02-14 00:28:21.000000000 -0500
2885@@ -0,0 +1,145 @@
2886+/* $OpenBSD: readconf.h,v 1.78 2009/02/12 03:00:56 djm Exp $ */
2887+
2888+/*
2889+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
2890+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
2891+ * All rights reserved
2892+ * Functions for reading the configuration file.
2893+ *
2894+ * As far as I am concerned, the code I have written for this software
2895+ * can be used freely for any purpose. Any derived versions of this
2896+ * software must be clearly marked as such, and if the derived work is
2897+ * incompatible with the protocol description in the RFC file, it must be
2898+ * called by a name other than "ssh" or "Secure Shell".
2899+ */
2900+
2901+#ifndef READCONF_H
2902+#define READCONF_H
2903+
2904+/* Data structure for representing a forwarding request. */
2905+
2906+typedef struct {
2907+ char *listen_host; /* Host (address) to listen on. */
2908+ int listen_port; /* Port to forward. */
2909+ char *connect_host; /* Host to connect. */
2910+ int connect_port; /* Port to connect on connect_host. */
2911+} Forward;
2912+/* Data structure for representing option data. */
2913+
2914+#define MAX_SEND_ENV 256
2915+
2916+typedef struct {
2917+ int forward_agent; /* Forward authentication agent. */
2918+ int forward_x11; /* Forward X11 display. */
2919+ int forward_x11_trusted; /* Trust Forward X11 display. */
2920+ int exit_on_forward_failure; /* Exit if bind(2) fails for -L/-R */
2921+ char *xauth_location; /* Location for xauth program */
2922+ int gateway_ports; /* Allow remote connects to forwarded ports. */
2923+ int use_privileged_port; /* Don't use privileged port if false. */
2924+ int rhosts_rsa_authentication; /* Try rhosts with RSA
2925+ * authentication. */
2926+ int rsa_authentication; /* Try RSA authentication. */
2927+ int pubkey_authentication; /* Try ssh2 pubkey authentication. */
2928+ int hostbased_authentication; /* ssh2's rhosts_rsa */
2929+ int challenge_response_authentication;
2930+ /* Try S/Key or TIS, authentication. */
2931+ int gss_authentication; /* Try GSS authentication */
2932+ int gss_deleg_creds; /* Delegate GSS credentials */
2933+ int password_authentication; /* Try password
2934+ * authentication. */
2935+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2936+ char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
2937+ int zero_knowledge_password_authentication; /* Try jpake */
2938+ int batch_mode; /* Batch mode: do not ask for passwords. */
2939+ int check_host_ip; /* Also keep track of keys for IP address */
2940+ int strict_host_key_checking; /* Strict host key checking. */
2941+ int compression; /* Compress packets in both directions. */
2942+ int compression_level; /* Compression level 1 (fast) to 9
2943+ * (best). */
2944+ int tcp_keep_alive; /* Set SO_KEEPALIVE. */
2945+ LogLevel log_level; /* Level for logging. */
2946+
2947+ int port; /* Port to connect. */
2948+ int address_family;
2949+ int connection_attempts; /* Max attempts (seconds) before
2950+ * giving up */
2951+ int connection_timeout; /* Max time (seconds) before
2952+ * aborting connection attempt */
2953+ int number_of_password_prompts; /* Max number of password
2954+ * prompts. */
2955+ int cipher; /* Cipher to use. */
2956+ char *ciphers; /* SSH2 ciphers in order of preference. */
2957+ char *macs; /* SSH2 macs in order of preference. */
2958+ char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
2959+ int protocol; /* Protocol in order of preference. */
2960+ char *hostname; /* Real host to connect. */
2961+ char *host_key_alias; /* hostname alias for .ssh/known_hosts */
2962+ char *proxy_command; /* Proxy command for connecting the host. */
2963+ char *user; /* User to log in as. */
2964+ int escape_char; /* Escape character; -2 = none */
2965+
2966+ char *system_hostfile;/* Path for /etc/ssh/ssh_known_hosts. */
2967+ char *user_hostfile; /* Path for $HOME/.ssh/known_hosts. */
2968+ char *system_hostfile2;
2969+ char *user_hostfile2;
2970+ char *preferred_authentications;
2971+ char *bind_address; /* local socket address for connection to sshd */
2972+ char *smartcard_device; /* Smartcard reader device */
2973+ int verify_host_key_dns; /* Verify host key using DNS */
2974+
2975+ int num_identity_files; /* Number of files for RSA/DSA identities. */
2976+ char *identity_files[SSH_MAX_IDENTITY_FILES];
2977+ Key *identity_keys[SSH_MAX_IDENTITY_FILES];
2978+
2979+ /* Local TCP/IP forward requests. */
2980+ int num_local_forwards;
2981+ Forward local_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
2982+
2983+ /* Remote TCP/IP forward requests. */
2984+ int num_remote_forwards;
2985+ Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
2986+ int clear_forwardings;
2987+
2988+ int enable_ssh_keysign;
2989+ int64_t rekey_limit;
2990+ int no_host_authentication_for_localhost;
2991+ int identities_only;
2992+ int server_alive_interval;
2993+ int server_alive_count_max;
2994+
2995+ int num_send_env;
2996+ char *send_env[MAX_SEND_ENV];
2997+
2998+ char *control_path;
2999+ int control_master;
3000+
3001+ int hash_known_hosts;
3002+
3003+ int tun_open; /* tun(4) */
3004+ int tun_local; /* force tun device (optional) */
3005+ int tun_remote; /* force tun device (optional) */
3006+
3007+ char *local_command;
3008+ int permit_local_command;
3009+ int visual_host_key;
3010+
3011+} Options;
3012+
3013+#define SSHCTL_MASTER_NO 0
3014+#define SSHCTL_MASTER_YES 1
3015+#define SSHCTL_MASTER_AUTO 2
3016+#define SSHCTL_MASTER_ASK 3
3017+#define SSHCTL_MASTER_AUTO_ASK 4
3018+
3019+void initialize_options(Options *);
3020+void fill_default_options(Options *);
3021+int read_config_file(const char *, const char *, Options *, int);
3022+int parse_forward(Forward *, const char *, int, int);
3023+
3024+int
3025+process_config_line(Options *, const char *, char *, const char *, int, int *);
3026+
3027+void add_local_forward(Options *, const Forward *);
3028+void add_remote_forward(Options *, const Forward *);
3029+
3030+#endif /* READCONF_H */
3031Common subdirectories: openssh-5.2p1-canonical/regress and openssh-5.2p1-hpn13v6/regress
3032Common subdirectories: openssh-5.2p1-canonical/scard and openssh-5.2p1-hpn13v6/scard
3033diff -NupwB openssh-5.2p1-canonical/scp.c openssh-5.2p1-hpn13v6/scp.c
3034--- openssh-5.2p1-canonical/scp.c 2008-11-03 03:23:45.000000000 -0500
3035+++ openssh-5.2p1-hpn13v6/scp.c 2009-05-14 12:36:10.000000000 -0400
3036@@ -632,7 +632,7 @@ source(int argc, char **argv)
3037 off_t i, statbytes;
3038 size_t amt;
3039 int fd = -1, haderr, indx;
3040- char *last, *name, buf[2048], encname[MAXPATHLEN];
3041+ char *last, *name, buf[16384], encname[MAXPATHLEN];
3042 int len;
3043
3044 for (indx = 0; indx < argc; ++indx) {
3045@@ -868,7 +868,7 @@ sink(int argc, char **argv)
3046 mode_t mode, omode, mask;
3047 off_t size, statbytes;
3048 int setimes, targisdir, wrerrno = 0;
3049- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
3050+ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384];
3051 struct timeval tv[2];
3052
3053 #define atime tv[0]
3054diff -NupwB openssh-5.2p1-canonical/servconf.c openssh-5.2p1-hpn13v6/servconf.c
3055--- openssh-5.2p1-canonical/servconf.c 2009-01-28 00:31:23.000000000 -0500
3056+++ openssh-5.2p1-hpn13v6/servconf.c 2009-05-14 12:36:10.000000000 -0400
13a27647 3057@@ -132,6 +132,10 @@
0d5b2bd4
ER		 3058 options->adm_forced_command = NULL;
3059 options->chroot_directory = NULL;
3060 options->zero_knowledge_password_authentication = -1;
3061+ options->none_enabled = -1;
3062+ options->tcp_rcv_buf_poll = -1;
3063+ options->hpn_disabled = -1;
3064+ options->hpn_buffer_size = -1;
13a27647
ER		 3065 #ifdef WITH_LDAP_PUBKEY
3066 /* XXX dirty */
3067 options->lpk.ld = NULL;
3068@@ -156,6 +160,11 @@
0d5b2bd4
ER		 3069 void
3070 fill_default_server_options(ServerOptions *options)
3071 {
3072+ /* needed for hpn socket tests */
3073+ int sock;
3074+ int socksize;
3075+ int socksizelen = sizeof(int);
3076+
3077 /* Portable-specific options */
3078 if (options->use_pam == -1)
3079 options->use_pam = 0;
3080@@ -262,6 +271,42 @@ fill_default_server_options(ServerOption
3081 if (options->zero_knowledge_password_authentication == -1)
3082 options->zero_knowledge_password_authentication = 0;
3083
3084+ if (options->hpn_disabled == -1)
3085+ options->hpn_disabled = 0;
3086+
3087+ if (options->hpn_buffer_size == -1) {
3088+ /* option not explicitly set. Now we have to figure out */
3089+ /* what value to use */
3090+ if (options->hpn_disabled == 1) {
3091+ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
3092+ } else {
3093+ /* get the current RCV size and set it to that */
3094+ /*create a socket but don't connect it */
3095+ /* we use that the get the rcv socket size */
3096+ sock = socket(AF_INET, SOCK_STREAM, 0);
3097+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
3098+ &socksize, &socksizelen);
3099+ close(sock);
3100+ options->hpn_buffer_size = socksize;
3101+ debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
3102+
3103+ }
3104+ } else {
3105+ /* we have to do this incase the user sets both values in a contradictory */
3106+ /* manner. hpn_disabled overrrides hpn_buffer_size*/
3107+ if (options->hpn_disabled <= 0) {
3108+ if (options->hpn_buffer_size == 0)
3109+ options->hpn_buffer_size = 1;
3110+ /* limit the maximum buffer to 64MB */
3111+ if (options->hpn_buffer_size > 64*1024) {
3112+ options->hpn_buffer_size = 64*1024*1024;
3113+ } else {
3114+ options->hpn_buffer_size *= 1024;
3115+ }
3116+ } else
3117+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
3118+ }
3119+
3120 /* Turn privilege separation on by default */
3121 if (use_privsep == -1)
3122 use_privsep = 1;
3123@@ -306,6 +351,7 @@ typedef enum {
3124 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
3125 sUsePrivilegeSeparation, sAllowAgentForwarding,
3126 sZeroKnowledgePasswordAuthentication,
3127+ sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
3128 sDeprecated, sUnsupported
3129 } ServerOpCodes;
3130
3131@@ -424,6 +470,10 @@ static struct {
3132 { "permitopen", sPermitOpen, SSHCFG_ALL },
3133 { "forcecommand", sForceCommand, SSHCFG_ALL },
3134 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
3135+ { "noneenabled", sNoneEnabled },
3136+ { "hpndisabled", sHPNDisabled },
3137+ { "hpnbuffersize", sHPNBufferSize },
3138+ { "tcprcvbufpoll", sTcpRcvBufPoll },
3139 { NULL, sBadOption, 0 }
3140 };
3141
3142@@ -450,6 +500,7 @@ parse_token(const char *cp, const char *
3143
3144 for (i = 0; keywords[i].name; i++)
3145 if (strcasecmp(cp, keywords[i].name) == 0) {
3146+ debug ("Config token is %s", keywords[i].name);
3147 *flags = keywords[i].flags;
3148 return keywords[i].opcode;
3149 }
3150@@ -847,6 +898,22 @@ process_server_config_line(ServerOptions
3151 *intptr = value;
3152 break;
3153
3154+ case sNoneEnabled:
3155+ intptr = &options->none_enabled;
3156+ goto parse_flag;
3157+
3158+ case sTcpRcvBufPoll:
3159+ intptr = &options->tcp_rcv_buf_poll;
3160+ goto parse_flag;
3161+
3162+ case sHPNDisabled:
3163+ intptr = &options->hpn_disabled;
3164+ goto parse_flag;
3165+
3166+ case sHPNBufferSize:
3167+ intptr = &options->hpn_buffer_size;
3168+ goto parse_int;
3169+
3170 case sIgnoreUserKnownHosts:
3171 intptr = &options->ignore_user_known_hosts;
3172 goto parse_flag;
3173diff -NupwB openssh-5.2p1-canonical/servconf.h openssh-5.2p1-hpn13v6/servconf.h
3174--- openssh-5.2p1-canonical/servconf.h 2009-01-28 00:31:23.000000000 -0500
3175+++ openssh-5.2p1-hpn13v6/servconf.h 2009-05-14 12:36:10.000000000 -0400
3176@@ -145,6 +145,10 @@ typedef struct {
3177 char *adm_forced_command;
3178
3179 int use_pam; /* Enable auth via PAM */
3180+ int none_enabled; /* enable NONE cipher switch */
3181+ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
3182+ int hpn_disabled; /* disable hpn functionality. false by default */
3183+ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
3184
3185 int permit_tun;
3186
3187diff -NupwB openssh-5.2p1-canonical/serverloop.c openssh-5.2p1-hpn13v6/serverloop.c
3188--- openssh-5.2p1-canonical/serverloop.c 2009-02-14 00:33:09.000000000 -0500
3189+++ openssh-5.2p1-hpn13v6/serverloop.c 2009-05-14 12:36:10.000000000 -0400
3190@@ -93,10 +93,10 @@ static int fdin; /* Descriptor for stdi
3191 static int fdout; /* Descriptor for stdout (for reading);
3192 May be same number as fdin. */
3193 static int fderr; /* Descriptor for stderr. May be -1. */
3194-static long stdin_bytes = 0; /* Number of bytes written to stdin. */
3195-static long stdout_bytes = 0; /* Number of stdout bytes sent to client. */
3196-static long stderr_bytes = 0; /* Number of stderr bytes sent to client. */
3197-static long fdout_bytes = 0; /* Number of stdout bytes read from program. */
3198+static u_long stdin_bytes = 0; /* Number of bytes written to stdin. */
3199+static u_long stdout_bytes = 0; /* Number of stdout bytes sent to client. */
3200+static u_long stderr_bytes = 0; /* Number of stderr bytes sent to client. */
3201+static u_long fdout_bytes = 0; /* Number of stdout bytes read from program. */
3202 static int stdin_eof = 0; /* EOF message received from client. */
3203 static int fdout_eof = 0; /* EOF encountered reading from fdout. */
3204 static int fderr_eof = 0; /* EOF encountered readung from fderr. */
3205@@ -121,6 +121,20 @@ static volatile sig_atomic_t received_si
3206 static void server_init_dispatch(void);
3207
3208 /*
3209+ * Returns current time in seconds from Jan 1, 1970 with the maximum
3210+ * available resolution.
3211+ */
3212+
3213+static double
3214+get_current_time(void)
3215+{
3216+ struct timeval tv;
3217+ gettimeofday(&tv, NULL);
3218+ return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
3219+}
3220+
3221+
3222+/*
3223 * we write to this pipe if a SIGCHLD is caught in order to avoid
3224 * the race between select() and child_terminated
3225 */
3226@@ -410,6 +424,7 @@ process_input(fd_set *readset)
3227 } else {
3228 /* Buffer any received data. */
3229 packet_process_incoming(buf, len);
3230+ fdout_bytes += len;
3231 }
3232 }
3233 if (compat20)
3234@@ -432,6 +447,7 @@ process_input(fd_set *readset)
3235 } else {
3236 buffer_append(&stdout_buffer, buf, len);
3237 fdout_bytes += len;
3238+ debug ("FD out now: %ld", fdout_bytes);
3239 }
3240 }
3241 /* Read and buffer any available stderr data from the program. */
3242@@ -499,7 +515,7 @@ process_output(fd_set *writeset)
3243 }
3244 /* Send any buffered packet data to the client. */
3245 if (FD_ISSET(connection_out, writeset))
3246- packet_write_poll();
3247+ stdin_bytes += packet_write_poll();
3248 }
3249
3250 /*
3251@@ -816,8 +832,10 @@ server_loop2(Authctxt *authctxt)
3252 {
3253 fd_set *readset = NULL, *writeset = NULL;
3254 int rekeying = 0, max_fd, nalloc = 0;
3255+ double start_time, total_time;
3256
3257 debug("Entering interactive session for SSH2.");
3258+ start_time = get_current_time();
3259
3260 mysignal(SIGCHLD, sigchld_handler);
3261 child_terminated = 0;
3262@@ -879,6 +897,11 @@ server_loop2(Authctxt *authctxt)
3263
3264 /* free remaining sessions, e.g. remove wtmp entries */
3265 session_destroy_all(NULL);
3266+ total_time = get_current_time() - start_time;
3267+ logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f",
3268+ get_remote_ipaddr(), get_remote_port(),
3269+ stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time,
3270+ fdout_bytes / total_time);
3271 }
3272
3273 static void
3274@@ -994,8 +1017,12 @@ server_request_tun(void)
3275 sock = tun_open(tun, mode);
3276 if (sock < 0)
3277 goto done;
3278+ if (options.hpn_disabled)
3279 c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
3280 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
3281+ else
3282+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
3283+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
3284 c->datagram = 1;
3285 #if defined(SSH_TUN_FILTER)
3286 if (mode == SSH_TUNMODE_POINTOPOINT)
3287@@ -1031,6 +1058,8 @@ server_request_session(void)
3288 c = channel_new("session", SSH_CHANNEL_LARVAL,
3289 -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
3290 0, "server-session", 1);
3291+ if ((options.tcp_rcv_buf_poll) && (!options.hpn_disabled))
3292+ c->dynamic_window = 1;
3293 if (session_open(the_authctxt, c->self) != 1) {
3294 debug("session open failed, free channel %d", c->self);
3295 channel_free(c);
3296diff -NupwB openssh-5.2p1-canonical/session.c openssh-5.2p1-hpn13v6/session.c
3297--- openssh-5.2p1-canonical/session.c 2009-01-28 00:29:49.000000000 -0500
3298+++ openssh-5.2p1-hpn13v6/session.c 2009-05-14 12:36:10.000000000 -0400
3299@@ -230,6 +230,7 @@ auth_input_request_forwarding(struct pas
3300 }
3301
3302 /* Allocate a channel for the authentication agent socket. */
3303+ /* this shouldn't matter if its hpn or not - cjr */
3304 nc = channel_new("auth socket",
3305 SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
3306 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
3307@@ -2301,10 +2302,16 @@ session_set_fds(Session *s, int fdin, in
3308 */
3309 if (s->chanid == -1)
3310 fatal("no channel for session %d", s->self);
3311+ if (options.hpn_disabled)
3312 channel_set_fds(s->chanid,
3313 fdout, fdin, fderr,
3314 fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
3315 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
3316+ else
3317+ channel_set_fds(s->chanid,
3318+ fdout, fdin, fderr,
3319+ fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
3320+ 1, is_tty, options.hpn_buffer_size);
3321 }
3322
3323 /*
3324diff -NupwB openssh-5.2p1-canonical/sftp.1 openssh-5.2p1-hpn13v6/sftp.1
3325--- openssh-5.2p1-canonical/sftp.1 2009-01-28 00:14:09.000000000 -0500
3326+++ openssh-5.2p1-hpn13v6/sftp.1 2009-05-14 12:36:10.000000000 -0400
3327@@ -203,7 +203,8 @@ This option may be useful in debugging t
3328 Specify how many requests may be outstanding at any one time.
3329 Increasing this may slightly improve file transfer speed
3330 but will increase memory usage.
3331-The default is 64 outstanding requests.
3332+The default is 256 outstanding requests providing for 8MB
3333+of outstanding data with a 32KB buffer.
3334 .It Fl S Ar program
3335 Name of the
3336 .Ar program
3337diff -NupwB openssh-5.2p1-canonical/sftp.c openssh-5.2p1-hpn13v6/sftp.c
3338--- openssh-5.2p1-canonical/sftp.c 2009-02-14 00:26:19.000000000 -0500
3339+++ openssh-5.2p1-hpn13v6/sftp.c 2009-05-14 12:36:10.000000000 -0400
3340@@ -75,7 +75,7 @@ int batchmode = 0;
3341 size_t copy_buffer_len = 32768;
3342
3343 /* Number of concurrent outstanding requests */
3344-size_t num_requests = 64;
3345+size_t num_requests = 256;
3346
3347 /* PID of ssh transport process */
3348 static pid_t sshpid = -1;
3349diff -NupwB openssh-5.2p1-canonical/ssh.c openssh-5.2p1-hpn13v6/ssh.c
3350--- openssh-5.2p1-canonical/ssh.c 2009-02-14 00:28:21.000000000 -0500
3351+++ openssh-5.2p1-hpn13v6/ssh.c 2009-05-14 12:36:10.000000000 -0400
3352@@ -492,9 +492,6 @@ main(int ac, char **av)
3353 no_shell_flag = 1;
3354 no_tty_flag = 1;
3355 break;
3356- case 'T':
3357- no_tty_flag = 1;
3358- break;
3359 case 'o':
3360 dummy = 1;
3361 line = xstrdup(optarg);
3362@@ -503,6 +500,13 @@ main(int ac, char **av)
3363 exit(255);
0fab2cab 3364 free(line);
0d5b2bd4
ER		 3365 break;
3366+ case 'T':
3367+ no_tty_flag = 1;
3368+ /* ensure that the user doesn't try to backdoor a */
3369+ /* null cipher switch on an interactive session */
3370+ /* so explicitly disable it no matter what */
3371+ options.none_switch=0;
3372+ break;
3373 case 's':
3374 subsystem_flag = 1;
3375 break;
3376@@ -1142,6 +1146,9 @@ ssh_session2_open(void)
3377 {
3378 Channel *c;
3379 int window, packetmax, in, out, err;
3380+ int sock;
3381+ int socksize;
3382+ int socksizelen = sizeof(int);
3383
3384 if (stdin_null_flag) {
3385 in = open(_PATH_DEVNULL, O_RDONLY);
3386@@ -1162,9 +1169,75 @@ ssh_session2_open(void)
3387 if (!isatty(err))
3388 set_nonblock(err);
3389
3390- window = CHAN_SES_WINDOW_DEFAULT;
3391+ /* we need to check to see if what they want to do about buffer */
3392+ /* sizes here. In a hpn to nonhpn connection we want to limit */
3393+ /* the window size to something reasonable in case the far side */
3394+ /* has the large window bug. In hpn to hpn connection we want to */
3395+ /* use the max window size but allow the user to override it */
3396+ /* lastly if they disabled hpn then use the ssh std window size */
3397+
3398+ /* so why don't we just do a getsockopt() here and set the */
3399+ /* ssh window to that? In the case of a autotuning receive */
3400+ /* window the window would get stuck at the initial buffer */
3401+ /* size generally less than 96k. Therefore we need to set the */
3402+ /* maximum ssh window size to the maximum hpn buffer size */
3403+ /* unless the user has specifically set the tcprcvbufpoll */
3404+ /* to no. In which case we *can* just set the window to the */
3405+ /* minimum of the hpn buffer size and tcp receive buffer size */
3406+
3407+ if (tty_flag)
3408+ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
3409+ else
3410+ options.hpn_buffer_size = 2*1024*1024;
3411+
3412+ if (datafellows & SSH_BUG_LARGEWINDOW)
3413+ {
3414+ debug("HPN to Non-HPN Connection");
3415+ }
3416+ else
3417+ {
3418+ if (options.tcp_rcv_buf_poll <= 0)
3419+ {
3420+ sock = socket(AF_INET, SOCK_STREAM, 0);
3421+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
3422+ &socksize, &socksizelen);
3423+ close(sock);
3424+ debug("socksize %d", socksize);
3425+ options.hpn_buffer_size = socksize;
3426+ debug ("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
3427+ }
3428+ else
3429+ {
3430+ if (options.tcp_rcv_buf > 0)
3431+ {
3432+ /*create a socket but don't connect it */
3433+ /* we use that the get the rcv socket size */
3434+ sock = socket(AF_INET, SOCK_STREAM, 0);
3435+ /* if they are using the tcp_rcv_buf option */
3436+ /* attempt to set the buffer size to that */
3437+ if (options.tcp_rcv_buf)
3438+ setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (void *)&options.tcp_rcv_buf,
3439+ sizeof(options.tcp_rcv_buf));
3440+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
3441+ &socksize, &socksizelen);
3442+ close(sock);
3443+ debug("socksize %d", socksize);
3444+ options.hpn_buffer_size = socksize;
3445+ debug ("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
3446+ }
3447+ }
3448+
3449+ }
3450+
3451+ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
3452+
3453+ window = options.hpn_buffer_size;
3454+
3455+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
3456+
3457 packetmax = CHAN_SES_PACKET_DEFAULT;
3458 if (tty_flag) {
3459+ window = 4*CHAN_SES_PACKET_DEFAULT;
3460 window >>= 1;
3461 packetmax >>= 1;
3462 }
3463@@ -1172,7 +1245,10 @@ ssh_session2_open(void)
3464 "session", SSH_CHANNEL_OPENING, in, out, err,
3465 window, packetmax, CHAN_EXTENDED_WRITE,
3466 "client-session", /*nonblock*/0);
3467-
3468+ if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) {
3469+ c->dynamic_window = 1;
3470+ debug ("Enabled Dynamic Window Scaling\n");
3471+ }
3472 debug3("ssh_session2_open: channel_new: %d", c->self);
3473
3474 channel_send_open(c->self);
3475diff -NupwB openssh-5.2p1-canonical/sshconnect2.c openssh-5.2p1-hpn13v6/sshconnect2.c
3476--- openssh-5.2p1-canonical/sshconnect2.c 2008-11-05 00:20:47.000000000 -0500
3477+++ openssh-5.2p1-hpn13v6/sshconnect2.c 2009-05-14 12:36:10.000000000 -0400
3478@@ -78,6 +78,12 @@
3479 extern char *client_version_string;
3480 extern char *server_version_string;
3481 extern Options options;
3482+extern Kex *xxx_kex;
3483+
3484+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
3485+/* if it is set then prevent the switch to the null cipher */
3486+
3487+extern int tty_flag;
3488
3489 /*
3490 * SSH2 key exchange
3491@@ -350,6 +356,28 @@ ssh_userauth2(const char *local_user, co
3492 pubkey_cleanup(&authctxt);
3493 dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
3494
3495+ /* if the user wants to use the none cipher do it */
3496+ /* post authentication and only if the right conditions are met */
3497+ /* both of the NONE commands must be true and there must be no */
3498+ /* tty allocated */
3499+ if ((options.none_switch == 1) && (options.none_enabled == 1))
3500+ {
3501+ if (!tty_flag) /* no null on tty sessions */
3502+ {
3503+ debug("Requesting none rekeying...");
3504+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
3505+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
3506+ kex_prop2buf(&xxx_kex->my,myproposal);
3507+ packet_request_rekeying();
3508+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
3509+ }
3510+ else
3511+ {
3512+ /* requested NONE cipher when in a tty */
3513+ debug("Cannot switch to NONE cipher with tty allocated");
3514+ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
3515+ }
3516+ }
3517 debug("Authentication succeeded (%s).", authctxt.method->name);
3518 }
3519
3520diff -NupwB openssh-5.2p1-canonical/sshconnect.c openssh-5.2p1-hpn13v6/sshconnect.c
3521--- openssh-5.2p1-canonical/sshconnect.c 2009-02-01 06:19:54.000000000 -0500
3522+++ openssh-5.2p1-hpn13v6/sshconnect.c 2009-05-14 12:36:10.000000000 -0400
3523@@ -165,6 +165,31 @@ ssh_proxy_connect(const char *host, u_sh
3524 }
3525
3526 /*
3527+ * Set TCP receive buffer if requested.
3528+ * Note: tuning needs to happen after the socket is
3529+ * created but before the connection happens
3530+ * so winscale is negotiated properly -cjr
3531+ */
3532+static void
3533+ssh_set_socket_recvbuf(int sock)
3534+{
3535+ void *buf = (void *)&options.tcp_rcv_buf;
3536+ int sz = sizeof(options.tcp_rcv_buf);
3537+ int socksize;
3538+ int socksizelen = sizeof(int);
3539+
3540+ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
3541+ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
3542+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
3543+ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
3544+ }
3545+ else
3546+ error("Couldn't set socket receive buffer to %d: %.100s",
3547+ options.tcp_rcv_buf, strerror(errno));
3548+}
3549+
3550+
3551+/*
3552 * Creates a (possibly privileged) socket for use as the ssh connection.
3553 */
3554 static int
3555@@ -187,12 +212,18 @@ ssh_create_socket(int privileged, struct
3556 strerror(errno));
3557 else
3558 debug("Allocated local port %d.", p);
3559+
3560+ if (options.tcp_rcv_buf > 0)
3561+ ssh_set_socket_recvbuf(sock);
3562 return sock;
3563 }
3564 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
3565 if (sock < 0)
3566 error("socket: %.100s", strerror(errno));
3567
3568+ if (options.tcp_rcv_buf > 0)
3569+ ssh_set_socket_recvbuf(sock);
3570+
3571 /* Bind the socket to an alternative local IP address */
3572 if (options.bind_address == NULL)
3573 return sock;
3574@@ -536,7 +567,7 @@ ssh_exchange_identification(int timeout_
3575 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
3576 compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
3577 compat20 ? PROTOCOL_MINOR_2 : minor1,
3578- SSH_VERSION, compat20 ? "\r\n" : "\n");
3579+ SSH_RELEASE, compat20 ? "\r\n" : "\n");
3580 if (atomicio(vwrite, connection_out, buf, strlen(buf)) != strlen(buf))
3581 fatal("write: %.100s", strerror(errno));
3582 client_version_string = xstrdup(buf);
3583diff -NupwB openssh-5.2p1-canonical/sshd.c openssh-5.2p1-hpn13v6/sshd.c
3584--- openssh-5.2p1-canonical/sshd.c 2009-01-28 00:31:23.000000000 -0500
3585+++ openssh-5.2p1-hpn13v6/sshd.c 2009-05-14 12:36:10.000000000 -0400
3586@@ -136,6 +136,9 @@ int deny_severity;
3587 #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
3588 #define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4)
3589
3590+int myflag = 0;
3591+
3592+
3593 extern char *__progname;
3594
3595 /* Server configuration options. */
3596@@ -415,7 +418,7 @@ sshd_exchange_identification(int sock_in
3597 minor = PROTOCOL_MINOR_1;
3598 }
3599 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
3600- SSH_VERSION, newline);
3601+ SSH_RELEASE, newline);
3602 server_version_string = xstrdup(buf);
3603
3604 /* Send our protocol version identification. */
3605@@ -466,6 +469,9 @@ sshd_exchange_identification(int sock_in
3606 }
3607 debug("Client protocol version %d.%d; client software version %.100s",
3608 remote_major, remote_minor, remote_version);
3609+ logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
3610+ get_remote_ipaddr(), get_remote_port(),
3611+ remote_major, remote_minor, remote_version);
3612
3613 compat_datafellows(remote_version);
3614
3615@@ -944,6 +950,8 @@ server_listen(void)
3616 int ret, listen_sock, on = 1;
3617 struct addrinfo *ai;
3618 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
3619+ int socksize;
3620+ int socksizelen = sizeof(int);
3621
3622 for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
3623 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
3624@@ -990,6 +998,11 @@ server_listen(void)
3625
3626 debug("Bind to port %s on %s.", strport, ntop);
3627
3628+ getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
3629+ &socksize, &socksizelen);
3630+ debug("Server TCP RWIN socket size: %d", socksize);
3631+ debug("HPN Buffer Size: %d", options.hpn_buffer_size);
3632+
3633 /* Bind the socket to the desired port. */
3634 if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
3635 error("Bind to port %s on %s failed: %.200s.",
3636@@ -1817,6 +1830,9 @@ main(int ac, char **av)
3637 /* Log the connection. */
3638 verbose("Connection from %.500s port %d", remote_ip, remote_port);
3639
3640+ /* set the HPN options for the child */
3641+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
3642+
3643 /*
3644 * We don't want to listen forever unless the other side
3645 * successfully authenticates itself. So we set up an alarm which is
3646@@ -2171,9 +2187,15 @@ do_ssh2_kex(void)
3647 {
3648 Kex *kex;
3649
3650+ myflag++;
3651+ debug ("MYFLAG IS %d", myflag);
3652 if (options.ciphers != NULL) {
3653 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
3654 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
3655+ } else if (options.none_enabled == 1) {
3656+ debug ("WARNING: None cipher enabled");
3657+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
3658+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE;
3659 }
3660 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
3661 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
3662diff -NupwB openssh-5.2p1-canonical/sshd_config openssh-5.2p1-hpn13v6/sshd_config
3663--- openssh-5.2p1-canonical/sshd_config 2008-07-02 08:35:43.000000000 -0400
3664+++ openssh-5.2p1-hpn13v6/sshd_config 2009-05-14 12:36:10.000000000 -0400
3665@@ -112,6 +112,20 @@ Protocol 2
3666 # override default of no subsystems
3667 Subsystem sftp /usr/libexec/sftp-server
3668
3669+# the following are HPN related configuration options
3670+# tcp receive buffer polling. disable in non autotuning kernels
3671+#TcpRcvBufPoll yes
3672+
3673+# allow the use of the none cipher
3674+#NoneEnabled no
3675+
3676+# disable hpn performance boosts.
3677+#HPNDisabled no
3678+
3679+# buffer size for hpn to non-hpn connections
3680+#HPNBufferSize 2048
3681+
3682+
3683 # Example of overriding settings on a per-user basis
3684 #Match User anoncvs
3685 # X11Forwarding no
3686diff -NupwB openssh-5.2p1-canonical/version.h openssh-5.2p1-hpn13v6/version.h
3687--- openssh-5.2p1-canonical/version.h 2009-02-22 19:09:26.000000000 -0500
3688+++ openssh-5.2p1-hpn13v6/version.h 2009-05-14 12:42:05.000000000 -0400
3689@@ -3,4 +3,5 @@
3690 #define SSH_VERSION "OpenSSH_5.2"
3691
3692 #define SSH_PORTABLE "p1"
3693-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
3694+#define SSH_HPN "-hpn13v6"
3695+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
OpenSSH free Secure Shell (SSH) implementation
This page took 0.486753 seconds and 4 git commands to generate.