1 diff -NupwB openssh-5.2p1-canonical/auth2.c openssh-5.2p1-hpn13v6/auth2.c
2 --- openssh-5.2p1-canonical/auth2.c 2008-11-05 00:20:46.000000000 -0500
3 +++ openssh-5.2p1-hpn13v6/auth2.c 2009-05-14 12:36:10.000000000 -0400
12 @@ -75,6 +76,9 @@ extern Authmethod method_gssapi;
13 extern Authmethod method_jpake;
16 +static int log_flag = 0;
19 Authmethod *authmethods[] = {
22 @@ -225,6 +229,11 @@ input_userauth_request(int type, u_int32
23 service = packet_get_string(NULL);
24 method = packet_get_string(NULL);
25 debug("userauth-request for user %s service %s method %s", user, service, method);
27 + logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",
28 + get_remote_ipaddr(), get_remote_port(), user);
31 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
33 if ((style = strchr(user, ':')) != NULL)
34 diff -NupwB openssh-5.2p1-canonical/buffer.c openssh-5.2p1-hpn13v6/buffer.c
35 --- openssh-5.2p1-canonical/buffer.c 2006-08-04 22:39:39.000000000 -0400
36 +++ openssh-5.2p1-hpn13v6/buffer.c 2009-05-14 12:36:10.000000000 -0400
37 @@ -127,7 +127,7 @@ restart:
39 /* Increase the size of the buffer and retry. */
40 newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
41 - if (newlen > BUFFER_MAX_LEN)
42 + if (newlen > BUFFER_MAX_LEN_HPN)
43 fatal("buffer_append_space: alloc %u not supported",
45 buffer->buf = xrealloc(buffer->buf, 1, newlen);
46 diff -NupwB openssh-5.2p1-canonical/buffer.h openssh-5.2p1-hpn13v6/buffer.h
47 --- openssh-5.2p1-canonical/buffer.h 2008-05-19 00:59:37.000000000 -0400
48 +++ openssh-5.2p1-hpn13v6/buffer.h 2009-05-14 12:36:10.000000000 -0400
53 +/* move the following to a more appropriate place and name */
54 +#define BUFFER_MAX_LEN_HPN 0x4000000 /* 64MB */
57 u_char *buf; /* Buffer for data. */
58 u_int alloc; /* Number of bytes allocated for data. */
59 diff -NupwB openssh-5.2p1-canonical/channels.c openssh-5.2p1-hpn13v6/channels.c
60 --- openssh-5.2p1-canonical/channels.c 2009-02-14 00:28:21.000000000 -0500
61 +++ openssh-5.2p1-hpn13v6/channels.c 2009-05-14 12:36:10.000000000 -0400
62 @@ -169,8 +169,14 @@ static void port_open_helper(Channel *c,
63 static int connect_next(struct channel_connect *);
64 static void channel_connect_ctx_free(struct channel_connect *);
67 +static int hpn_disabled = 0;
68 +static int hpn_buffer_size = 2 * 1024 * 1024;
77 @@ -308,6 +314,7 @@ channel_new(char *ctype, int type, int r
78 c->local_window_max = window;
79 c->local_consumed = 0;
80 c->local_maxpacket = maxpack;
81 + c->dynamic_window = 0;
83 c->remote_name = xstrdup(remote_name);
85 @@ -798,11 +805,35 @@ channel_pre_open_13(Channel *c, fd_set *
86 FD_SET(c->sock, writeset);
89 +int channel_tcpwinsz () {
90 + u_int32_t tcpwinsz = 0;
91 + socklen_t optsz = sizeof(tcpwinsz);
94 + /* if we aren't on a socket return 128KB*/
95 + if(!packet_connection_is_on_socket())
97 + ret = getsockopt(packet_get_connection_in(),
98 + SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
99 + /* return no more than 64MB */
100 + if ((ret == 0) && tcpwinsz > BUFFER_MAX_LEN_HPN)
101 + tcpwinsz = BUFFER_MAX_LEN_HPN;
102 + debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
103 + packet_get_connection_in());
108 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
110 u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
112 + /* check buffer limits */
113 + if ((!c->tcpwinsz) || (c->dynamic_window > 0))
114 + c->tcpwinsz = channel_tcpwinsz();
116 + limit = MIN(limit, 2 * c->tcpwinsz);
118 if (c->istate == CHAN_INPUT_OPEN &&
120 buffer_len(&c->input) < limit &&
121 @@ -1759,14 +1790,21 @@ channel_check_window(Channel *c)
122 c->local_maxpacket*3) ||
123 c->local_window < c->local_window_max/2) &&
124 c->local_consumed > 0) {
125 + u_int addition = 0;
126 + /* adjust max window size if we are in a dynamic environment */
127 + if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
128 + /* grow the window somewhat aggressively to maintain pressure */
129 + addition = 1.5*(c->tcpwinsz - c->local_window_max);
130 + c->local_window_max += addition;
132 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
133 packet_put_int(c->remote_id);
134 - packet_put_int(c->local_consumed);
135 + packet_put_int(c->local_consumed + addition);
137 debug2("channel %d: window %d sent adjust %d",
138 c->self, c->local_window,
140 - c->local_window += c->local_consumed;
141 + c->local_window += c->local_consumed + addition;
142 c->local_consumed = 0;
145 @@ -1969,11 +2007,12 @@ channel_after_select(fd_set *readset, fd
148 /* If there is data to send to the connection, enqueue some of it now. */
151 channel_output_poll(void)
155 + int packet_length = 0;
157 for (i = 0; i < channels_alloc; i++) {
159 @@ -2013,7 +2052,7 @@ channel_output_poll(void)
160 packet_start(SSH2_MSG_CHANNEL_DATA);
161 packet_put_int(c->remote_id);
162 packet_put_string(data, dlen);
164 + packet_length = packet_send();
165 c->remote_window -= dlen + 4;
168 @@ -2043,7 +2082,7 @@ channel_output_poll(void)
169 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
170 packet_put_int(c->remote_id);
171 packet_put_string(buffer_ptr(&c->input), len);
173 + packet_length = packet_send();
174 buffer_consume(&c->input, len);
175 c->remote_window -= len;
177 @@ -2078,12 +2117,13 @@ channel_output_poll(void)
178 packet_put_int(c->remote_id);
179 packet_put_int(SSH2_EXTENDED_DATA_STDERR);
180 packet_put_string(buffer_ptr(&c->extended), len);
182 + packet_length = packet_send();
183 buffer_consume(&c->extended, len);
184 c->remote_window -= len;
185 debug2("channel %d: sent ext data %d", c->self, len);
188 + return (packet_length);
192 @@ -2459,6 +2499,15 @@ channel_set_af(int af)
198 +channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
200 + hpn_disabled = external_hpn_disabled;
201 + hpn_buffer_size = external_hpn_buffer_size;
202 + debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
206 channel_setup_fwd_listener(int type, const char *listen_addr,
207 u_short listen_port, int *allocated_listen_port,
208 @@ -2610,9 +2659,15 @@ channel_setup_fwd_listener(int type, con
211 /* Allocate a channel number for the socket. */
212 + /* explicitly test for hpn disabled option. if true use smaller window size */
214 c = channel_new("port listener", type, sock, sock, -1,
215 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
216 0, "port listener", 1);
218 + c = channel_new("port listener", type, sock, sock, -1,
219 + hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
220 + 0, "port listener", 1);
221 c->path = xstrdup(host);
222 c->host_port = port_to_connect;
223 c->listening_port = listen_port;
224 @@ -3151,10 +3206,17 @@ x11_create_display_inet(int x11_display_
225 *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
226 for (n = 0; n < num_socks; n++) {
228 + /* Is this really necassary? */
230 nc = channel_new("x11 listener",
231 SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
232 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
233 0, "X11 inet listener", 1);
235 + nc = channel_new("x11 listener",
236 + SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
237 + hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
238 + 0, "X11 inet listener", 1);
239 nc->single_connection = single_connection;
240 (*chanids)[n] = nc->self;
242 diff -NupwB openssh-5.2p1-canonical/channels.h openssh-5.2p1-hpn13v6/channels.h
243 --- openssh-5.2p1-canonical/channels.h 2009-02-14 00:28:21.000000000 -0500
244 +++ openssh-5.2p1-hpn13v6/channels.h 2009-05-14 12:36:10.000000000 -0400
245 @@ -115,8 +115,10 @@ struct Channel {
246 u_int local_window_max;
247 u_int local_consumed;
248 u_int local_maxpacket;
249 + int dynamic_window;
251 int single_connection;
254 char *ctype; /* type */
256 @@ -146,9 +148,11 @@ struct Channel {
258 /* default window/packet sizes for tcp/x11-fwd-channel */
259 #define CHAN_SES_PACKET_DEFAULT (32*1024)
260 -#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
261 +#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
263 #define CHAN_TCP_PACKET_DEFAULT (32*1024)
264 -#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
265 +#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
267 #define CHAN_X11_PACKET_DEFAULT (16*1024)
268 #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
270 @@ -221,7 +225,7 @@ void channel_input_status_confirm(int,
272 void channel_prepare_select(fd_set **, fd_set **, int *, u_int*, int);
273 void channel_after_select(fd_set *, fd_set *);
274 -void channel_output_poll(void);
275 +int channel_output_poll(void);
277 int channel_not_very_much_buffered_data(void);
278 void channel_close_all(void);
279 @@ -277,4 +281,7 @@ void chan_rcvd_ieof(Channel *);
280 void chan_write_failed(Channel *);
281 void chan_obuf_empty(Channel *);
284 +void channel_set_hpn(int, int);
287 diff -NupwB openssh-5.2p1-canonical/cipher.c openssh-5.2p1-hpn13v6/cipher.c
288 --- openssh-5.2p1-canonical/cipher.c 2009-01-28 00:38:41.000000000 -0500
289 +++ openssh-5.2p1-hpn13v6/cipher.c 2009-05-14 12:36:10.000000000 -0400
290 @@ -55,6 +55,7 @@ extern const EVP_CIPHER *evp_ssh1_bf(voi
291 extern const EVP_CIPHER *evp_ssh1_3des(void);
292 extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
293 extern const EVP_CIPHER *evp_aes_128_ctr(void);
294 +extern const EVP_CIPHER *evp_aes_ctr_mt(void);
295 extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
298 @@ -82,9 +83,9 @@ struct Cipher {
299 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
300 { "rijndael-cbc@lysator.liu.se",
301 SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
302 - { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr },
303 - { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr },
304 - { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr },
305 + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_ctr_mt },
306 + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_ctr_mt },
307 + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_ctr_mt },
308 #ifdef USE_CIPHER_ACSS
309 { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss },
311 @@ -163,7 +164,8 @@ ciphers_valid(const char *names)
312 for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
313 (p = strsep(&cp, CIPHER_SEP))) {
314 c = cipher_by_name(p);
315 - if (c == NULL || c->number != SSH_CIPHER_SSH2) {
316 + if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
317 +c->number != SSH_CIPHER_NONE)) {
318 debug("bad cipher %s [%s]", p, names);
321 @@ -337,6 +339,7 @@ cipher_get_keyiv(CipherContext *cc, u_ch
325 + case SSH_CIPHER_NONE:
326 case SSH_CIPHER_SSH2:
328 case SSH_CIPHER_BLOWFISH:
329 @@ -371,6 +374,7 @@ cipher_set_keyiv(CipherContext *cc, u_ch
333 + case SSH_CIPHER_NONE:
334 case SSH_CIPHER_SSH2:
336 case SSH_CIPHER_BLOWFISH:
337 diff -NupwB openssh-5.2p1-canonical/cipher-ctr-mt.c openssh-5.2p1-hpn13v6/cipher-ctr-mt.c
338 --- openssh-5.2p1-canonical/cipher-ctr-mt.c 1969-12-31 19:00:00.000000000 -0500
339 +++ openssh-5.2p1-hpn13v6/cipher-ctr-mt.c 2009-05-14 12:36:10.000000000 -0400
342 + * OpenSSH Multi-threaded AES-CTR Cipher
344 + * Author: Benjamin Bennett <ben@psc.edu>
345 + * Copyright (c) 2008 Pittsburgh Supercomputing Center. All rights reserved.
347 + * Based on original OpenSSH AES-CTR cipher. Small portions remain unchanged,
348 + * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
350 + * Permission to use, copy, modify, and distribute this software for any
351 + * purpose with or without fee is hereby granted, provided that the above
352 + * copyright notice and this permission notice appear in all copies.
354 + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
355 + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
356 + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
357 + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
358 + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
359 + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
360 + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
362 +#include "includes.h"
364 +#include <sys/types.h>
369 +#include <openssl/evp.h>
371 +#include "xmalloc.h"
374 +/* compatibility with old or broken OpenSSL versions */
375 +#include "openbsd-compat/openssl-compat.h"
377 +#ifndef USE_BUILTIN_RIJNDAEL
378 +#include <openssl/aes.h>
381 +#include <pthread.h>
383 +/*-------------------- TUNABLES --------------------*/
384 +/* Number of pregen threads to use */
385 +#define CIPHER_THREADS 2
387 +/* Number of keystream queues */
388 +#define NUMKQ (CIPHER_THREADS + 2)
390 +/* Length of a keystream queue */
393 +/* Processor cacheline length */
394 +#define CACHELINE_LEN 64
396 +/* Collect thread stats and print at cancellation when in debug mode */
397 +/* #define CIPHER_THREAD_STATS */
399 +/* Use single-byte XOR instead of 8-byte XOR */
400 +/* #define CIPHER_BYTE_XOR */
401 +/*-------------------- END TUNABLES --------------------*/
404 +const EVP_CIPHER *evp_aes_ctr_mt(void);
406 +#ifdef CIPHER_THREAD_STATS
408 + * Struct to collect thread stats
410 +struct thread_stats {
418 + * Debug print the thread stats
419 + * Use with pthread_cleanup_push for displaying at thread cancellation
422 +thread_loop_stats(void *x)
424 + struct thread_stats *s = x;
426 + debug("tid %lu - %u fills, %u skips, %u waits", pthread_self(),
427 + s->fills, s->skips, s->waits);
430 + #define STATS_STRUCT(s) struct thread_stats s
431 + #define STATS_INIT(s) { memset(&s, 0, sizeof(s)); }
432 + #define STATS_FILL(s) { s.fills++; }
433 + #define STATS_SKIP(s) { s.skips++; }
434 + #define STATS_WAIT(s) { s.waits++; }
435 + #define STATS_DRAIN(s) { s.drains++; }
437 + #define STATS_STRUCT(s)
438 + #define STATS_INIT(s)
439 + #define STATS_FILL(s)
440 + #define STATS_SKIP(s)
441 + #define STATS_WAIT(s)
442 + #define STATS_DRAIN(s)
445 +/* Keystream Queue state */
454 +/* Keystream Queue struct */
456 + u_char keys[KQLEN][AES_BLOCK_SIZE];
457 + u_char ctr[AES_BLOCK_SIZE];
458 + u_char pad0[CACHELINE_LEN];
459 + volatile int qstate;
460 + pthread_mutex_t lock;
461 + pthread_cond_t cond;
462 + u_char pad1[CACHELINE_LEN];
465 +/* Context struct */
466 +struct ssh_aes_ctr_ctx
468 + struct kq q[NUMKQ];
470 + STATS_STRUCT(stats);
471 + u_char aes_counter[AES_BLOCK_SIZE];
472 + pthread_t tid[CIPHER_THREADS];
479 + * increment counter 'ctr',
480 + * the counter is of size 'len' bytes and stored in network-byte-order.
481 + * (LSB at ctr[len-1], MSB at ctr[0])
484 +ssh_ctr_inc(u_char *ctr, u_int len)
488 + for (i = len - 1; i >= 0; i--)
489 + if (++ctr[i]) /* continue on overflow */
494 + * Add num to counter 'ctr'
497 +ssh_ctr_add(u_char *ctr, uint32_t num, u_int len)
502 + for (n = 0, i = len - 1; i >= 0 && (num || n); i--) {
503 + n = ctr[i] + (num & 0xff) + n;
511 + * Threads may be cancelled in a pthread_cond_wait, we must free the mutex
514 +thread_loop_cleanup(void *x)
516 + pthread_mutex_unlock((pthread_mutex_t *)x);
520 + * The life of a pregen thread:
521 + * Find empty keystream queues and fill them using their counter.
522 + * When done, update counter for the next fill.
525 +thread_loop(void *x)
528 + STATS_STRUCT(stats);
529 + struct ssh_aes_ctr_ctx *c = x;
534 + /* Threads stats on cancellation */
536 +#ifdef CIPHER_THREAD_STATS
537 + pthread_cleanup_push(thread_loop_stats, &stats);
540 + /* Thread local copy of AES key */
541 + memcpy(&key, &c->aes_ctx, sizeof(key));
544 + * Handle the special case of startup, one thread must fill
545 + * the first KQ then mark it as draining. Lock held throughout.
547 + if (pthread_equal(pthread_self(), c->tid[0])) {
549 + pthread_mutex_lock(&q->lock);
550 + if (q->qstate == KQINIT) {
551 + for (i = 0; i < KQLEN; i++) {
552 + AES_encrypt(q->ctr, q->keys[i], &key);
553 + ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
555 + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
556 + q->qstate = KQDRAINING;
558 + pthread_cond_broadcast(&q->cond);
560 + pthread_mutex_unlock(&q->lock);
566 + * Normal case is to find empty queues and fill them, skipping over
567 + * queues already filled by other threads and stopping to wait for
568 + * a draining queue to become empty.
570 + * Multiple threads may be waiting on a draining queue and awoken
571 + * when empty. The first thread to wake will mark it as filling,
572 + * others will move on to fill, skip, or wait on the next queue.
574 + for (qidx = 1;; qidx = (qidx + 1) % NUMKQ) {
575 + /* Check if I was cancelled, also checked in cond_wait */
576 + pthread_testcancel();
578 + /* Lock queue and block if its draining */
580 + pthread_mutex_lock(&q->lock);
581 + pthread_cleanup_push(thread_loop_cleanup, &q->lock);
582 + while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
584 + pthread_cond_wait(&q->cond, &q->lock);
586 + pthread_cleanup_pop(0);
588 + /* If filling or full, somebody else got it, skip */
589 + if (q->qstate != KQEMPTY) {
590 + pthread_mutex_unlock(&q->lock);
596 + * Empty, let's fill it.
597 + * Queue lock is relinquished while we do this so others
598 + * can see that it's being filled.
600 + q->qstate = KQFILLING;
601 + pthread_mutex_unlock(&q->lock);
602 + for (i = 0; i < KQLEN; i++) {
603 + AES_encrypt(q->ctr, q->keys[i], &key);
604 + ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
607 + /* Re-lock, mark full and signal consumer */
608 + pthread_mutex_lock(&q->lock);
609 + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
610 + q->qstate = KQFULL;
612 + pthread_cond_signal(&q->cond);
613 + pthread_mutex_unlock(&q->lock);
616 +#ifdef CIPHER_THREAD_STATS
618 + pthread_cleanup_pop(1);
625 +ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
628 + struct ssh_aes_ctr_ctx *c;
629 + struct kq *q, *oldq;
635 + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
638 + q = &c->q[c->qidx];
641 + /* src already padded to block multiple */
643 + buf = q->keys[ridx];
645 +#ifdef CIPHER_BYTE_XOR
646 + dest[0] = src[0] ^ buf[0];
647 + dest[1] = src[1] ^ buf[1];
648 + dest[2] = src[2] ^ buf[2];
649 + dest[3] = src[3] ^ buf[3];
650 + dest[4] = src[4] ^ buf[4];
651 + dest[5] = src[5] ^ buf[5];
652 + dest[6] = src[6] ^ buf[6];
653 + dest[7] = src[7] ^ buf[7];
654 + dest[8] = src[8] ^ buf[8];
655 + dest[9] = src[9] ^ buf[9];
656 + dest[10] = src[10] ^ buf[10];
657 + dest[11] = src[11] ^ buf[11];
658 + dest[12] = src[12] ^ buf[12];
659 + dest[13] = src[13] ^ buf[13];
660 + dest[14] = src[14] ^ buf[14];
661 + dest[15] = src[15] ^ buf[15];
663 + *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;
664 + *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^
665 + *(uint64_t *)(buf + 8);
671 + ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
673 + /* Increment read index, switch queues on rollover */
674 + if ((ridx = (ridx + 1) % KQLEN) == 0) {
677 + /* Mark next queue draining, may need to wait */
678 + c->qidx = (c->qidx + 1) % NUMKQ;
679 + q = &c->q[c->qidx];
680 + pthread_mutex_lock(&q->lock);
681 + while (q->qstate != KQFULL) {
682 + STATS_WAIT(c->stats);
683 + pthread_cond_wait(&q->cond, &q->lock);
685 + q->qstate = KQDRAINING;
686 + pthread_mutex_unlock(&q->lock);
688 + /* Mark consumed queue empty and signal producers */
689 + pthread_mutex_lock(&oldq->lock);
690 + oldq->qstate = KQEMPTY;
691 + STATS_DRAIN(c->stats);
692 + pthread_cond_broadcast(&oldq->cond);
693 + pthread_mutex_unlock(&oldq->lock);
704 +ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
707 + struct ssh_aes_ctr_ctx *c;
710 + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
711 + c = xmalloc(sizeof(*c));
713 + c->state = HAVE_NONE;
714 + for (i = 0; i < NUMKQ; i++) {
715 + pthread_mutex_init(&c->q[i].lock, NULL);
716 + pthread_cond_init(&c->q[i].cond, NULL);
719 + STATS_INIT(c->stats);
721 + EVP_CIPHER_CTX_set_app_data(ctx, c);
724 + if (c->state == (HAVE_KEY | HAVE_IV)) {
725 + /* Cancel pregen threads */
726 + for (i = 0; i < CIPHER_THREADS; i++)
727 + pthread_cancel(c->tid[i]);
728 + for (i = 0; i < CIPHER_THREADS; i++)
729 + pthread_join(c->tid[i], NULL);
730 + /* Start over getting key & iv */
731 + c->state = HAVE_NONE;
735 + AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
737 + c->state |= HAVE_KEY;
741 + memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
742 + c->state |= HAVE_IV;
745 + if (c->state == (HAVE_KEY | HAVE_IV)) {
747 + memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE);
748 + c->q[0].qstate = KQINIT;
749 + for (i = 1; i < NUMKQ; i++) {
750 + memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE);
751 + ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE);
752 + c->q[i].qstate = KQEMPTY;
757 + /* Start threads */
758 + for (i = 0; i < CIPHER_THREADS; i++) {
759 + pthread_create(&c->tid[i], NULL, thread_loop, c);
761 + pthread_mutex_lock(&c->q[0].lock);
762 + while (c->q[0].qstate != KQDRAINING)
763 + pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
764 + pthread_mutex_unlock(&c->q[0].lock);
771 +ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
773 + struct ssh_aes_ctr_ctx *c;
776 + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
777 +#ifdef CIPHER_THREAD_STATS
778 + debug("main thread: %u drains, %u waits", c->stats.drains,
781 + /* Cancel pregen threads */
782 + for (i = 0; i < CIPHER_THREADS; i++)
783 + pthread_cancel(c->tid[i]);
784 + for (i = 0; i < CIPHER_THREADS; i++)
785 + pthread_join(c->tid[i], NULL);
787 + memset(c, 0, sizeof(*c));
789 + EVP_CIPHER_CTX_set_app_data(ctx, NULL);
796 +evp_aes_ctr_mt(void)
798 + static EVP_CIPHER aes_ctr;
800 + memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
801 + aes_ctr.nid = NID_undef;
802 + aes_ctr.block_size = AES_BLOCK_SIZE;
803 + aes_ctr.iv_len = AES_BLOCK_SIZE;
804 + aes_ctr.key_len = 16;
805 + aes_ctr.init = ssh_aes_ctr_init;
806 + aes_ctr.cleanup = ssh_aes_ctr_cleanup;
807 + aes_ctr.do_cipher = ssh_aes_ctr;
809 + aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
810 + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
814 diff -NupwB openssh-5.2p1-canonical/clientloop.c openssh-5.2p1-hpn13v6/clientloop.c
815 --- openssh-5.2p1-canonical/clientloop.c 2009-02-14 00:28:21.000000000 -0500
816 +++ openssh-5.2p1-hpn13v6/clientloop.c 2009-05-14 12:36:10.000000000 -0400
817 @@ -1688,9 +1688,15 @@ client_request_x11(const char *request_t
818 sock = x11_connect_display();
821 + /* again is this really necessary for X11? */
822 + if (options.hpn_disabled)
823 c = channel_new("x11",
824 SSH_CHANNEL_X11_OPEN, sock, sock, -1,
825 CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
827 + c = channel_new("x11",
828 + SSH_CHANNEL_X11_OPEN, sock, sock, -1,
829 + options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
833 @@ -1710,9 +1716,15 @@ client_request_agent(const char *request
834 sock = ssh_get_authentication_socket();
837 + if (options.hpn_disabled)
838 c = channel_new("authentication agent connection",
839 SSH_CHANNEL_OPEN, sock, sock, -1,
840 - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
841 + CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
842 + "authentication agent connection", 1);
844 + c = channel_new("authentication agent connection",
845 + SSH_CHANNEL_OPEN, sock, sock, -1,
846 + options.hpn_buffer_size, options.hpn_buffer_size, 0,
847 "authentication agent connection", 1);
850 @@ -1740,10 +1752,18 @@ client_request_tun_fwd(int tun_mode, int
854 + if(options.hpn_disabled)
855 + c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
856 + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
859 c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
860 - CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
861 + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
867 #if defined(SSH_TUN_FILTER)
868 if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
869 channel_register_filter(c->self, sys_tun_infilter,
870 diff -NupwB openssh-5.2p1-canonical/compat.c openssh-5.2p1-hpn13v6/compat.c
871 --- openssh-5.2p1-canonical/compat.c 2008-11-03 03:20:14.000000000 -0500
872 +++ openssh-5.2p1-hpn13v6/compat.c 2009-05-14 12:36:10.000000000 -0400
873 @@ -170,6 +170,15 @@ compat_datafellows(const char *version)
874 strlen(check[i].pat), 0) == 1) {
875 debug("match: %s pat %s", version, check[i].pat);
876 datafellows = check[i].bugs;
877 + /* Check to see if the remote side is OpenSSH and not HPN */
878 + if(strstr(version,"OpenSSH") != NULL)
880 + if (strstr(version,"hpn") == NULL)
882 + datafellows |= SSH_BUG_LARGEWINDOW;
883 + debug("Remote is NON-HPN aware");
889 diff -NupwB openssh-5.2p1-canonical/compat.h openssh-5.2p1-hpn13v6/compat.h
890 --- openssh-5.2p1-canonical/compat.h 2008-11-03 03:20:14.000000000 -0500
891 +++ openssh-5.2p1-hpn13v6/compat.h 2009-05-14 12:36:10.000000000 -0400
893 #define SSH_OLD_FORWARD_ADDR 0x01000000
894 #define SSH_BUG_RFWD_ADDR 0x02000000
895 #define SSH_NEW_OPENSSH 0x04000000
896 +#define SSH_BUG_LARGEWINDOW 0x08000000
898 void enable_compat13(void);
899 void enable_compat20(void);
900 Common subdirectories: openssh-5.2p1-canonical/contrib and openssh-5.2p1-hpn13v6/contrib
901 diff -NupwB openssh-5.2p1-canonical/HPN-README openssh-5.2p1-hpn13v6/HPN-README
902 --- openssh-5.2p1-canonical/HPN-README 1969-12-31 19:00:00.000000000 -0500
903 +++ openssh-5.2p1-hpn13v6/HPN-README 2009-05-14 12:36:10.000000000 -0400
907 +MULTI-THREADED CIPHER:
908 +The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
909 +on hosts with multiple cores to use more than one processing core during encryption.
910 +Tests have show significant throughput performance increases when using MTR-AES-CTR up
911 +to and including a full gigabit per second on quad core systems. It should be possible to
912 +achieve full line rate on dual core systems but OS and data management overhead makes this
913 +more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
914 +thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
915 +performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
916 +The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
918 +Use examples: ssh -caes128-ctr you@host.com
919 + scp -oCipher=aes256-ctr file you@host.com:~/file
922 +To use the NONE option you must have the NoneEnabled switch set on the server and
923 +you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
924 +feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
925 +spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
928 +The performance increase will only be as good as the network and TCP stack tuning
929 +on the reciever side of the connection allows. As a rule of thumb a user will need
930 +at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
931 +HPN-SSH home page describes this in greater detail.
933 +http://www.psc.edu/networking/projects/hpn-ssh
937 +If HPN is disabled the receive buffer size will be set to the
938 +OpenSSH default of 64K.
940 +If an HPN system connects to a nonHPN system the receive buffer will
941 +be set to the HPNBufferSize value. The default is 2MB but user adjustable.
943 +If an HPN to HPN connection is established a number of different things might
944 +happen based on the user options and conditions.
946 +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
947 +HPN Buffer Size = up to 64MB
948 +This is the default state. The HPN buffer size will grow to a maximum of 64MB
949 +as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
950 +geared towards 10GigE transcontinental connections.
952 +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
953 +HPN Buffer Size = TCP receive buffer value.
954 +Users on non-autotuning systesm should disable TCPRcvBufPoll in the
955 +ssh_cofig and sshd_config
957 +Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
958 +HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
959 +This would be the system defined TCP receive buffer (RWIN).
961 +Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
962 +HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
963 +Generally there is no need to set both.
965 +Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
966 +HPN Buffer Size = grows to HPNBufferSize
967 +The buffer will grow up to the maximum size specified here.
969 +Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
970 +HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
971 +Generally there is no need to set both of these, especially on autotuning
972 +systems. However, if the users wishes to override the autotuning this would be
975 +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
976 +HPN Buffer Size = TCPRcvBuf.
977 +This will override autotuning and set the TCP recieve buffer to the user defined
981 +HPN Specific Configuration options
983 +TcpRcvBuf=[int]KB client
984 + set the TCP socket receive buffer to n Kilobytes. It can be set up to the
985 +maximum socket size allowed by the system. This is useful in situations where
986 +the tcp receive window is set low but the maximum buffer size is set
987 +higher (as is typical). This works on a per TCP connection basis. You can also
988 +use this to artifically limit the transfer rate of the connection. In these
989 +cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
990 +Default is the current system wide tcp receive buffer size.
992 +TcpRcvBufPoll=[yes/no] client/server
993 + enable of disable the polling of the tcp receive buffer through the life
994 +of the connection. You would want to make sure that this option is enabled
995 +for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
998 +NoneEnabled=[yes/no] client/server
999 + enable or disable the use of the None cipher. Care must always be used
1000 +when enabling this as it will allow users to send data in the clear. However,
1001 +it is important to note that authentication information remains encrypted
1002 +even if this option is enabled. Set to no by default.
1004 +NoneSwitch=[yes/no] client
1005 + Switch the encryption cipher being used to the None cipher after
1006 +authentication takes place. NoneEnabled must be enabled on both the client
1007 +and server side of the connection. When the connection switches to the NONE
1008 +cipher a warning is sent to STDERR. The connection attempt will fail with an
1009 +error if a client requests a NoneSwitch from the server that does not explicitly
1010 +have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
1011 +interactive (shell) sessions and it will fail silently. Set to no by default.
1013 +HPNDisabled=[yes/no] client/server
1014 + In some situations, such as transfers on a local area network, the impact
1015 +of the HPN code produces a net decrease in performance. In these cases it is
1016 +helpful to disable the HPN functionality. By default HPNDisabled is set to no.
1018 +HPNBufferSize=[int]KB client/server
1019 + This is the default buffer size the HPN functionality uses when interacting
1020 +with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
1021 +option as applied to the internal SSH flow control. This value can range from
1022 +1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
1023 +problems depending on the length of the network path. The default size of this buffer
1027 +Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
1028 + The majority of the actual coding for versions up to HPN12v1 was performed
1029 + by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
1030 + implemented by Ben Bennet (ben@psc.edu). This work was financed, in part,
1031 + by Cisco System, Inc., the National Library of Medicine,
1032 + and the National Science Foundation.
1033 diff -NupwB openssh-5.2p1-canonical/kex.c openssh-5.2p1-hpn13v6/kex.c
1034 --- openssh-5.2p1-canonical/kex.c 2008-11-03 03:19:12.000000000 -0500
1035 +++ openssh-5.2p1-hpn13v6/kex.c 2009-05-14 12:36:10.000000000 -0400
1038 #include "dispatch.h"
1039 #include "monitor.h"
1040 +#include "canohost.h"
1042 #define KEX_COOKIE_LEN 16
1044 @@ -64,7 +65,8 @@ static void kex_kexinit_finish(Kex *);
1045 static void kex_choose_conf(Kex *);
1047 /* put algorithm proposal into buffer */
1049 +/* used in sshconnect.c as well as kex.c */
1051 kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
1054 @@ -376,6 +378,13 @@ kex_choose_conf(Kex *kex)
1055 int nenc, nmac, ncomp;
1056 u_int mode, ctos, need;
1057 int first_kex_follows, type;
1062 + auth_flag = packet_authentication_state();
1064 + debug ("AUTH STATE IS %d", auth_flag);
1066 my = kex_buf2prop(&kex->my, NULL);
1067 peer = kex_buf2prop(&kex->peer, &first_kex_follows);
1068 @@ -400,11 +409,34 @@ kex_choose_conf(Kex *kex)
1069 choose_enc (&newkeys->enc, cprop[nenc], sprop[nenc]);
1070 choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]);
1071 choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
1072 + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
1073 + if (strcmp(newkeys->enc.name, "none") == 0) {
1074 + debug("Requesting NONE. Authflag is %d", auth_flag);
1075 + if (auth_flag == 1) {
1076 + debug("None requested post authentication.");
1078 + fatal("Pre-authentication none cipher requests are not allowed.");
1081 debug("kex: %s %s %s %s",
1082 ctos ? "client->server" : "server->client",
1085 newkeys->comp.name);
1086 + /* client starts withctos = 0 && log flag = 0 and no log*/
1087 + /* 2nd client pass ctos=1 and flag = 1 so no log*/
1088 + /* server starts with ctos =1 && log_flag = 0 so log */
1089 + /* 2nd sever pass ctos = 1 && log flag = 1 so no log*/
1091 + if (ctos && !log_flag) {
1092 + logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
1093 + get_remote_ipaddr(),
1094 + get_remote_port(),
1095 + newkeys->enc.name,
1096 + newkeys->mac.name,
1097 + newkeys->comp.name);
1101 choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
1102 choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
1103 diff -NupwB openssh-5.2p1-canonical/kex.h openssh-5.2p1-hpn13v6/kex.h
1104 --- openssh-5.2p1-canonical/kex.h 2007-06-11 00:01:42.000000000 -0400
1105 +++ openssh-5.2p1-hpn13v6/kex.h 2009-05-14 12:36:10.000000000 -0400
1106 @@ -127,6 +127,8 @@ struct Kex {
1107 void (*kex[KEX_MAX])(Kex *);
1110 +void kex_prop2buf(Buffer *, char *proposal[PROPOSAL_MAX]);
1112 Kex *kex_setup(char *[PROPOSAL_MAX]);
1113 void kex_finish(Kex *);
1115 diff -NupwB openssh-5.2p1-canonical/Makefile.in openssh-5.2p1-hpn13v6/Makefile.in
1116 --- openssh-5.2p1-canonical/Makefile.in 2008-11-05 00:20:46.000000000 -0500
1117 +++ openssh-5.2p1-hpn13v6/Makefile.in 2009-05-14 12:36:10.000000000 -0400
1118 @@ -43,7 +43,7 @@ CC=@CC@
1121 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
1123 +LIBS=@LIBS@ -lpthread
1127 @@ -64,7 +64,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
1129 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
1130 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
1131 - cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
1132 + cipher-bf1.o cipher-ctr.o cipher-ctr-mt.o cipher-3des1.o cleanup.o \
1133 compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
1134 log.o match.o md-sha256.o moduli.o nchan.o packet.o \
1135 readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
1136 diff -NupwB openssh-5.2p1-canonical/myproposal.h openssh-5.2p1-hpn13v6/myproposal.h
1137 --- openssh-5.2p1-canonical/myproposal.h 2009-01-28 00:33:31.000000000 -0500
1138 +++ openssh-5.2p1-hpn13v6/myproposal.h 2009-05-14 12:36:10.000000000 -0400
1140 "arcfour256,arcfour128," \
1141 "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
1142 "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
1143 +#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \
1145 #define KEX_DEFAULT_MAC \
1146 "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \
1147 "hmac-ripemd160@openssh.com," \
1148 Common subdirectories: openssh-5.2p1-canonical/openbsd-compat and openssh-5.2p1-hpn13v6/openbsd-compat
1149 diff -NupwB openssh-5.2p1-canonical/packet.c openssh-5.2p1-hpn13v6/packet.c
1150 --- openssh-5.2p1-canonical/packet.c 2009-02-14 00:35:01.000000000 -0500
1151 +++ openssh-5.2p1-hpn13v6/packet.c 2009-05-14 12:36:10.000000000 -0400
1152 @@ -775,7 +775,7 @@ packet_enable_delayed_compress(void)
1154 * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
1158 packet_send2_wrapped(void)
1160 u_char type, *cp, *macbuf = NULL;
1161 @@ -888,11 +888,13 @@ packet_send2_wrapped(void)
1162 set_newkeys(MODE_OUT);
1163 else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side)
1164 packet_enable_delayed_compress();
1165 + return(packet_length);
1172 + static int packet_length = 0;
1173 static int rekeying = 0;
1176 @@ -910,7 +912,7 @@ packet_send2(void)
1177 memcpy(&p->payload, &outgoing_packet, sizeof(Buffer));
1178 buffer_init(&outgoing_packet);
1179 TAILQ_INSERT_TAIL(&outgoing, p, next);
1181 + return(sizeof(Buffer));
1185 @@ -918,7 +920,7 @@ packet_send2(void)
1186 if (type == SSH2_MSG_KEXINIT)
1189 - packet_send2_wrapped();
1190 + packet_length = packet_send2_wrapped();
1192 /* after a NEWKEYS message we can send the complete queue */
1193 if (type == SSH2_MSG_NEWKEYS) {
1194 @@ -931,19 +933,22 @@ packet_send2(void)
1196 TAILQ_REMOVE(&outgoing, p, next);
1198 - packet_send2_wrapped();
1199 + packet_length += packet_send2_wrapped();
1202 + return(packet_length);
1209 + int packet_len = 0;
1212 + packet_len = packet_send2();
1215 DBG(debug("packet_send done"));
1216 + return(packet_len);
1220 @@ -1544,23 +1549,25 @@ packet_disconnect(const char *fmt,...)
1222 /* Checks if there is any buffered output, and tries to write some of the output. */
1226 packet_write_poll(void)
1228 - int len = buffer_len(&output);
1230 + len = buffer_len(&output);
1233 len = write(connection_out, buffer_ptr(&output), len);
1235 if (errno == EINTR || errno == EAGAIN ||
1236 errno == EWOULDBLOCK)
1239 fatal("Write failed: %.100s", strerror(errno));
1242 fatal("Write connection closed");
1243 buffer_consume(&output, len);
1249 @@ -1569,16 +1576,17 @@ packet_write_poll(void)
1255 packet_write_wait(void)
1259 struct timeval start, timeout, *timeoutp = NULL;
1260 + u_int bytes_sent = 0;
1262 setp = (fd_set *)xcalloc(howmany(connection_out + 1, NFDBITS),
1264 - packet_write_poll();
1265 + bytes_sent += packet_write_poll();
1266 while (packet_have_data_to_write()) {
1267 memset(setp, 0, howmany(connection_out + 1, NFDBITS) *
1269 @@ -1612,7 +1620,7 @@ packet_write_wait(void)
1270 "waiting to write", get_remote_ipaddr());
1273 - packet_write_poll();
1274 + bytes_sent += packet_write_poll();
1278 @@ -1736,12 +1744,24 @@ packet_send_ignore(int nbytes)
1282 +int rekey_requested = 0;
1284 +packet_request_rekeying(void)
1286 + rekey_requested = 1;
1289 #define MAX_PACKETS (1U<<31)
1291 packet_need_rekeying(void)
1293 if (datafellows & SSH_BUG_NOREKEY)
1295 + if (rekey_requested == 1)
1297 + rekey_requested = 0;
1301 (p_send.packets > MAX_PACKETS) ||
1302 (p_read.packets > MAX_PACKETS) ||
1303 @@ -1766,3 +1786,9 @@ packet_set_authenticated(void)
1305 after_authentication = 1;
1309 +packet_authentication_state(void)
1311 + return(after_authentication);
1313 diff -NupwB openssh-5.2p1-canonical/packet.h openssh-5.2p1-hpn13v6/packet.h
1314 --- openssh-5.2p1-canonical/packet.h 2008-07-11 03:36:48.000000000 -0400
1315 +++ openssh-5.2p1-hpn13v6/packet.h 2009-05-14 12:36:10.000000000 -0400
1318 #include <openssl/bn.h>
1321 +packet_request_rekeying(void);
1323 void packet_set_connection(int, int);
1324 void packet_set_timeout(int, int);
1325 void packet_set_nonblocking(void);
1326 @@ -35,6 +38,7 @@ void packet_set_interactive(int);
1327 int packet_is_interactive(void);
1328 void packet_set_server(void);
1329 void packet_set_authenticated(void);
1330 +int packet_authentication_state(void);
1332 void packet_start(u_char);
1333 void packet_put_char(int ch);
1334 @@ -44,7 +48,7 @@ void packet_put_bignum2(BIGNUM * val
1335 void packet_put_string(const void *buf, u_int len);
1336 void packet_put_cstring(const char *str);
1337 void packet_put_raw(const void *buf, u_int len);
1338 -void packet_send(void);
1339 +int packet_send(void);
1341 int packet_read(void);
1342 void packet_read_expect(int type);
1343 @@ -73,8 +77,8 @@ void packet_set_state(int, u_int32_t, u
1344 int packet_get_ssh1_cipher(void);
1345 void packet_set_iv(int, u_char *);
1347 -void packet_write_poll(void);
1348 -void packet_write_wait(void);
1349 +int packet_write_poll(void);
1350 +int packet_write_wait(void);
1351 int packet_have_data_to_write(void);
1352 int packet_not_very_much_data_to_write(void);
1354 diff -NupwB openssh-5.2p1-canonical/progressmeter.c openssh-5.2p1-hpn13v6/progressmeter.c
1355 --- openssh-5.2p1-canonical/progressmeter.c 2006-08-04 22:39:40.000000000 -0400
1356 +++ openssh-5.2p1-hpn13v6/progressmeter.c 2009-05-14 12:36:10.000000000 -0400
1357 @@ -68,6 +68,8 @@ static time_t last_update; /* last progr
1358 static char *file; /* name of the file being transferred */
1359 static off_t end_pos; /* ending position of transfer */
1360 static off_t cur_pos; /* transfer position as of last refresh */
1361 +static off_t last_pos;
1362 +static off_t max_delta_pos = 0;
1363 static volatile off_t *counter; /* progress counter */
1364 static long stalled; /* how long we have been stalled */
1365 static int bytes_per_second; /* current speed in bytes per second */
1366 @@ -128,12 +130,17 @@ refresh_progress_meter(void)
1367 int hours, minutes, seconds;
1372 transferred = *counter - cur_pos;
1375 bytes_left = end_pos - cur_pos;
1377 + delta_pos = cur_pos - last_pos;
1378 + if (delta_pos > max_delta_pos)
1379 + max_delta_pos = delta_pos;
1382 elapsed = now - last_update;
1384 @@ -158,7 +165,7 @@ refresh_progress_meter(void)
1388 - file_len = win_size - 35;
1389 + file_len = win_size - 45;
1391 len = snprintf(buf, file_len + 1, "\r%s", file);
1393 @@ -175,7 +182,8 @@ refresh_progress_meter(void)
1394 percent = ((float)cur_pos / end_pos) * 100;
1397 - snprintf(buf + strlen(buf), win_size - strlen(buf),
1399 + snprintf(buf + strlen(buf), win_size - strlen(buf-8),
1400 " %3d%% ", percent);
1402 /* amount transferred */
1403 @@ -188,6 +196,15 @@ refresh_progress_meter(void)
1404 (off_t)bytes_per_second);
1405 strlcat(buf, "/s ", win_size);
1407 + /* instantaneous rate */
1408 + if (bytes_left > 0)
1409 + format_rate(buf + strlen(buf), win_size - strlen(buf),
1412 + format_rate(buf + strlen(buf), win_size - strlen(buf),
1414 + strlcat(buf, "/s ", win_size);
1419 @@ -224,6 +241,7 @@ refresh_progress_meter(void)
1421 atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
1423 + last_pos = cur_pos;
1427 diff -NupwB openssh-5.2p1-canonical/readconf.c openssh-5.2p1-hpn13v6/readconf.c
1428 --- openssh-5.2p1-canonical/readconf.c 2009-02-14 00:28:21.000000000 -0500
1429 +++ openssh-5.2p1-hpn13v6/readconf.c 2009-05-14 12:36:10.000000000 -0400
1430 @@ -131,6 +131,8 @@ typedef enum {
1431 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
1432 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
1433 oVisualHostKey, oZeroKnowledgePasswordAuthentication,
1434 + oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
1436 oDeprecated, oUnsupported
1439 @@ -234,6 +236,12 @@ static struct {
1441 { "zeroknowledgepasswordauthentication", oUnsupported },
1443 + { "noneenabled", oNoneEnabled },
1444 + { "tcprcvbufpoll", oTcpRcvBufPoll },
1445 + { "tcprcvbuf", oTcpRcvBuf },
1446 + { "noneswitch", oNoneSwitch },
1447 + { "hpndisabled", oHPNDisabled },
1448 + { "hpnbuffersize", oHPNBufferSize },
1450 { NULL, oBadOption }
1452 @@ -465,6 +473,37 @@ parse_flag:
1453 intptr = &options->check_host_ip;
1456 + case oNoneEnabled:
1457 + intptr = &options->none_enabled;
1460 + /* we check to see if the command comes from the */
1461 + /* command line or not. If it does then enable it */
1462 + /* otherwise fail. NONE should never be a default configuration */
1464 + if(strcmp(filename,"command-line")==0)
1466 + intptr = &options->none_switch;
1469 + error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
1470 + error("Continuing...");
1471 + debug("NoneSwitch directive found in %.200s.", filename);
1475 + case oHPNDisabled:
1476 + intptr = &options->hpn_disabled;
1479 + case oHPNBufferSize:
1480 + intptr = &options->hpn_buffer_size;
1483 + case oTcpRcvBufPoll:
1484 + intptr = &options->tcp_rcv_buf_poll;
1487 case oVerifyHostKeyDNS:
1488 intptr = &options->verify_host_key_dns;
1489 goto parse_yesnoask;
1490 @@ -643,6 +682,10 @@ parse_int:
1491 intptr = &options->connection_attempts;
1495 + intptr = &options->tcp_rcv_buf;
1499 intptr = &options->cipher;
1501 @@ -1065,6 +1108,12 @@ initialize_options(Options * options)
1502 options->permit_local_command = -1;
1503 options->visual_host_key = -1;
1504 options->zero_knowledge_password_authentication = -1;
1505 + options->none_switch = -1;
1506 + options->none_enabled = -1;
1507 + options->hpn_disabled = -1;
1508 + options->hpn_buffer_size = -1;
1509 + options->tcp_rcv_buf_poll = -1;
1510 + options->tcp_rcv_buf = -1;
1514 @@ -1187,6 +1236,29 @@ fill_default_options(Options * options)
1515 options->server_alive_interval = 0;
1516 if (options->server_alive_count_max == -1)
1517 options->server_alive_count_max = 3;
1518 + if (options->none_switch == -1)
1519 + options->none_switch = 0;
1520 + if (options->hpn_disabled == -1)
1521 + options->hpn_disabled = 0;
1522 + if (options->hpn_buffer_size > -1)
1524 + /* if a user tries to set the size to 0 set it to 1KB */
1525 + if (options->hpn_buffer_size == 0)
1526 + options->hpn_buffer_size = 1024;
1527 + /*limit the buffer to 64MB*/
1528 + if (options->hpn_buffer_size > 65536)
1530 + options->hpn_buffer_size = 65536*1024;
1531 + debug("User requested buffer larger than 64MB. Request reverted to 64MB");
1533 + debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
1535 + if (options->tcp_rcv_buf == 0)
1536 + options->tcp_rcv_buf = 1;
1537 + if (options->tcp_rcv_buf > -1)
1538 + options->tcp_rcv_buf *=1024;
1539 + if (options->tcp_rcv_buf_poll == -1)
1540 + options->tcp_rcv_buf_poll = 1;
1541 if (options->control_master == -1)
1542 options->control_master = 0;
1543 if (options->hash_known_hosts == -1)
1544 diff -NupwB openssh-5.2p1-canonical/readconf.c.orig openssh-5.2p1-hpn13v6/readconf.c.orig
1545 --- openssh-5.2p1-canonical/readconf.c.orig 1969-12-31 19:00:00.000000000 -0500
1546 +++ openssh-5.2p1-hpn13v6/readconf.c.orig 2009-02-14 00:28:21.000000000 -0500
1548 +/* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
1550 + * Author: Tatu Ylonen <ylo@cs.hut.fi>
1551 + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
1552 + * All rights reserved
1553 + * Functions for reading the configuration files.
1555 + * As far as I am concerned, the code I have written for this software
1556 + * can be used freely for any purpose. Any derived versions of this
1557 + * software must be clearly marked as such, and if the derived work is
1558 + * incompatible with the protocol description in the RFC file, it must be
1559 + * called by a name other than "ssh" or "Secure Shell".
1562 +#include "includes.h"
1564 +#include <sys/types.h>
1565 +#include <sys/stat.h>
1566 +#include <sys/socket.h>
1568 +#include <netinet/in.h>
1573 +#include <signal.h>
1574 +#include <stdarg.h>
1576 +#include <string.h>
1577 +#include <unistd.h>
1579 +#include "xmalloc.h"
1581 +#include "compat.h"
1582 +#include "cipher.h"
1583 +#include "pathnames.h"
1586 +#include "readconf.h"
1589 +#include "buffer.h"
1593 +/* Format of the configuration file:
1595 + # Configuration data is parsed as follows:
1596 + # 1. command line options
1597 + # 2. user-specific file
1598 + # 3. system-wide file
1599 + # Any configuration value is only changed the first time it is set.
1600 + # Thus, host-specific definitions should be at the beginning of the
1601 + # configuration file, and defaults at the end.
1603 + # Host-specific declarations. These may override anything above. A single
1604 + # host may match multiple declarations; these are processed in the order
1605 + # that they are given in.
1607 + Host *.ngs.fi ngs.fi
1611 + HostName another.host.name.real.org
1618 + RemoteForward 9999 shadows.cs.hut.fi:9999
1621 + Host fascist.blob.com
1624 + PasswordAuthentication no
1626 + Host puukko.hut.fi
1628 + ProxyCommand ssh-proxy %h %p
1631 + PublicKeyAuthentication no
1635 + PasswordAuthentication no
1641 + # Defaults for various options
1645 + PasswordAuthentication yes
1646 + RSAAuthentication yes
1647 + RhostsRSAAuthentication yes
1648 + StrictHostKeyChecking yes
1650 + IdentityFile ~/.ssh/identity
1656 +/* Keyword tokens. */
1660 + oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
1661 + oExitOnForwardFailure,
1662 + oPasswordAuthentication, oRSAAuthentication,
1663 + oChallengeResponseAuthentication, oXAuthLocation,
1664 + oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
1665 + oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
1666 + oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
1667 + oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
1668 + oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
1669 + oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
1670 + oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
1671 + oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
1672 + oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
1673 + oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
1674 + oClearAllForwardings, oNoHostAuthenticationForLocalhost,
1675 + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
1676 + oAddressFamily, oGssAuthentication, oGssDelegateCreds,
1677 + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
1678 + oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
1679 + oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
1680 + oVisualHostKey, oZeroKnowledgePasswordAuthentication,
1681 + oDeprecated, oUnsupported
1684 +/* Textual representations of the tokens. */
1690 + { "forwardagent", oForwardAgent },
1691 + { "forwardx11", oForwardX11 },
1692 + { "forwardx11trusted", oForwardX11Trusted },
1693 + { "exitonforwardfailure", oExitOnForwardFailure },
1694 + { "xauthlocation", oXAuthLocation },
1695 + { "gatewayports", oGatewayPorts },
1696 + { "useprivilegedport", oUsePrivilegedPort },
1697 + { "rhostsauthentication", oDeprecated },
1698 + { "passwordauthentication", oPasswordAuthentication },
1699 + { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
1700 + { "kbdinteractivedevices", oKbdInteractiveDevices },
1701 + { "rsaauthentication", oRSAAuthentication },
1702 + { "pubkeyauthentication", oPubkeyAuthentication },
1703 + { "dsaauthentication", oPubkeyAuthentication }, /* alias */
1704 + { "rhostsrsaauthentication", oRhostsRSAAuthentication },
1705 + { "hostbasedauthentication", oHostbasedAuthentication },
1706 + { "challengeresponseauthentication", oChallengeResponseAuthentication },
1707 + { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
1708 + { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
1709 + { "kerberosauthentication", oUnsupported },
1710 + { "kerberostgtpassing", oUnsupported },
1711 + { "afstokenpassing", oUnsupported },
1712 +#if defined(GSSAPI)
1713 + { "gssapiauthentication", oGssAuthentication },
1714 + { "gssapidelegatecredentials", oGssDelegateCreds },
1716 + { "gssapiauthentication", oUnsupported },
1717 + { "gssapidelegatecredentials", oUnsupported },
1719 + { "fallbacktorsh", oDeprecated },
1720 + { "usersh", oDeprecated },
1721 + { "identityfile", oIdentityFile },
1722 + { "identityfile2", oIdentityFile }, /* obsolete */
1723 + { "identitiesonly", oIdentitiesOnly },
1724 + { "hostname", oHostName },
1725 + { "hostkeyalias", oHostKeyAlias },
1726 + { "proxycommand", oProxyCommand },
1727 + { "port", oPort },
1728 + { "cipher", oCipher },
1729 + { "ciphers", oCiphers },
1730 + { "macs", oMacs },
1731 + { "protocol", oProtocol },
1732 + { "remoteforward", oRemoteForward },
1733 + { "localforward", oLocalForward },
1734 + { "user", oUser },
1735 + { "host", oHost },
1736 + { "escapechar", oEscapeChar },
1737 + { "globalknownhostsfile", oGlobalKnownHostsFile },
1738 + { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */
1739 + { "userknownhostsfile", oUserKnownHostsFile },
1740 + { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
1741 + { "connectionattempts", oConnectionAttempts },
1742 + { "batchmode", oBatchMode },
1743 + { "checkhostip", oCheckHostIP },
1744 + { "stricthostkeychecking", oStrictHostKeyChecking },
1745 + { "compression", oCompression },
1746 + { "compressionlevel", oCompressionLevel },
1747 + { "tcpkeepalive", oTCPKeepAlive },
1748 + { "keepalive", oTCPKeepAlive }, /* obsolete */
1749 + { "numberofpasswordprompts", oNumberOfPasswordPrompts },
1750 + { "loglevel", oLogLevel },
1751 + { "dynamicforward", oDynamicForward },
1752 + { "preferredauthentications", oPreferredAuthentications },
1753 + { "hostkeyalgorithms", oHostKeyAlgorithms },
1754 + { "bindaddress", oBindAddress },
1756 + { "smartcarddevice", oSmartcardDevice },
1758 + { "smartcarddevice", oUnsupported },
1760 + { "clearallforwardings", oClearAllForwardings },
1761 + { "enablesshkeysign", oEnableSSHKeysign },
1762 + { "verifyhostkeydns", oVerifyHostKeyDNS },
1763 + { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
1764 + { "rekeylimit", oRekeyLimit },
1765 + { "connecttimeout", oConnectTimeout },
1766 + { "addressfamily", oAddressFamily },
1767 + { "serveraliveinterval", oServerAliveInterval },
1768 + { "serveralivecountmax", oServerAliveCountMax },
1769 + { "sendenv", oSendEnv },
1770 + { "controlpath", oControlPath },
1771 + { "controlmaster", oControlMaster },
1772 + { "hashknownhosts", oHashKnownHosts },
1773 + { "tunnel", oTunnel },
1774 + { "tunneldevice", oTunnelDevice },
1775 + { "localcommand", oLocalCommand },
1776 + { "permitlocalcommand", oPermitLocalCommand },
1777 + { "visualhostkey", oVisualHostKey },
1779 + { "zeroknowledgepasswordauthentication",
1780 + oZeroKnowledgePasswordAuthentication },
1782 + { "zeroknowledgepasswordauthentication", oUnsupported },
1785 + { NULL, oBadOption }
1789 + * Adds a local TCP/IP port forward to options. Never returns if there is an
1794 +add_local_forward(Options *options, const Forward *newfwd)
1797 +#ifndef NO_IPPORT_RESERVED_CONCEPT
1798 + extern uid_t original_real_uid;
1799 + if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
1800 + fatal("Privileged ports can only be forwarded by root.");
1802 + if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
1803 + fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
1804 + fwd = &options->local_forwards[options->num_local_forwards++];
1806 + fwd->listen_host = newfwd->listen_host;
1807 + fwd->listen_port = newfwd->listen_port;
1808 + fwd->connect_host = newfwd->connect_host;
1809 + fwd->connect_port = newfwd->connect_port;
1813 + * Adds a remote TCP/IP port forward to options. Never returns if there is
1818 +add_remote_forward(Options *options, const Forward *newfwd)
1821 + if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
1822 + fatal("Too many remote forwards (max %d).",
1823 + SSH_MAX_FORWARDS_PER_DIRECTION);
1824 + fwd = &options->remote_forwards[options->num_remote_forwards++];
1826 + fwd->listen_host = newfwd->listen_host;
1827 + fwd->listen_port = newfwd->listen_port;
1828 + fwd->connect_host = newfwd->connect_host;
1829 + fwd->connect_port = newfwd->connect_port;
1833 +clear_forwardings(Options *options)
1837 + for (i = 0; i < options->num_local_forwards; i++) {
1838 + if (options->local_forwards[i].listen_host != NULL)
1839 + xfree(options->local_forwards[i].listen_host);
1840 + xfree(options->local_forwards[i].connect_host);
1842 + options->num_local_forwards = 0;
1843 + for (i = 0; i < options->num_remote_forwards; i++) {
1844 + if (options->remote_forwards[i].listen_host != NULL)
1845 + xfree(options->remote_forwards[i].listen_host);
1846 + xfree(options->remote_forwards[i].connect_host);
1848 + options->num_remote_forwards = 0;
1849 + options->tun_open = SSH_TUNMODE_NO;
1853 + * Returns the number of the token pointed to by cp or oBadOption.
1857 +parse_token(const char *cp, const char *filename, int linenum)
1861 + for (i = 0; keywords[i].name; i++)
1862 + if (strcasecmp(cp, keywords[i].name) == 0)
1863 + return keywords[i].opcode;
1865 + error("%s: line %d: Bad configuration option: %s",
1866 + filename, linenum, cp);
1867 + return oBadOption;
1871 + * Processes a single option line as used in the configuration files. This
1872 + * only sets those values that have not already been set.
1874 +#define WHITESPACE " \t\r\n"
1877 +process_config_line(Options *options, const char *host,
1878 + char *line, const char *filename, int linenum,
1881 + char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
1882 + int opcode, *intptr, value, value2, scale;
1883 + LogLevel *log_level_ptr;
1884 + long long orig, val64;
1888 + /* Strip trailing whitespace */
1889 + for (len = strlen(line) - 1; len > 0; len--) {
1890 + if (strchr(WHITESPACE, line[len]) == NULL)
1896 + /* Get the keyword. (Each line is supposed to begin with a keyword). */
1897 + if ((keyword = strdelim(&s)) == NULL)
1899 + /* Ignore leading whitespace. */
1900 + if (*keyword == '\0')
1901 + keyword = strdelim(&s);
1902 + if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
1905 + opcode = parse_token(keyword, filename, linenum);
1909 + /* don't panic, but count bad options */
1912 + case oConnectTimeout:
1913 + intptr = &options->connection_timeout;
1915 + arg = strdelim(&s);
1916 + if (!arg || *arg == '\0')
1917 + fatal("%s line %d: missing time value.",
1918 + filename, linenum);
1919 + if ((value = convtime(arg)) == -1)
1920 + fatal("%s line %d: invalid time value.",
1921 + filename, linenum);
1922 + if (*activep && *intptr == -1)
1926 + case oForwardAgent:
1927 + intptr = &options->forward_agent;
1929 + arg = strdelim(&s);
1930 + if (!arg || *arg == '\0')
1931 + fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
1932 + value = 0; /* To avoid compiler warning... */
1933 + if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
1935 + else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
1938 + fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
1939 + if (*activep && *intptr == -1)
1944 + intptr = &options->forward_x11;
1947 + case oForwardX11Trusted:
1948 + intptr = &options->forward_x11_trusted;
1951 + case oGatewayPorts:
1952 + intptr = &options->gateway_ports;
1955 + case oExitOnForwardFailure:
1956 + intptr = &options->exit_on_forward_failure;
1959 + case oUsePrivilegedPort:
1960 + intptr = &options->use_privileged_port;
1963 + case oPasswordAuthentication:
1964 + intptr = &options->password_authentication;
1967 + case oZeroKnowledgePasswordAuthentication:
1968 + intptr = &options->zero_knowledge_password_authentication;
1971 + case oKbdInteractiveAuthentication:
1972 + intptr = &options->kbd_interactive_authentication;
1975 + case oKbdInteractiveDevices:
1976 + charptr = &options->kbd_interactive_devices;
1977 + goto parse_string;
1979 + case oPubkeyAuthentication:
1980 + intptr = &options->pubkey_authentication;
1983 + case oRSAAuthentication:
1984 + intptr = &options->rsa_authentication;
1987 + case oRhostsRSAAuthentication:
1988 + intptr = &options->rhosts_rsa_authentication;
1991 + case oHostbasedAuthentication:
1992 + intptr = &options->hostbased_authentication;
1995 + case oChallengeResponseAuthentication:
1996 + intptr = &options->challenge_response_authentication;
1999 + case oGssAuthentication:
2000 + intptr = &options->gss_authentication;
2003 + case oGssDelegateCreds:
2004 + intptr = &options->gss_deleg_creds;
2008 + intptr = &options->batch_mode;
2011 + case oCheckHostIP:
2012 + intptr = &options->check_host_ip;
2015 + case oVerifyHostKeyDNS:
2016 + intptr = &options->verify_host_key_dns;
2017 + goto parse_yesnoask;
2019 + case oStrictHostKeyChecking:
2020 + intptr = &options->strict_host_key_checking;
2022 + arg = strdelim(&s);
2023 + if (!arg || *arg == '\0')
2024 + fatal("%.200s line %d: Missing yes/no/ask argument.",
2025 + filename, linenum);
2026 + value = 0; /* To avoid compiler warning... */
2027 + if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
2029 + else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
2031 + else if (strcmp(arg, "ask") == 0)
2034 + fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
2035 + if (*activep && *intptr == -1)
2039 + case oCompression:
2040 + intptr = &options->compression;
2043 + case oTCPKeepAlive:
2044 + intptr = &options->tcp_keep_alive;
2047 + case oNoHostAuthenticationForLocalhost:
2048 + intptr = &options->no_host_authentication_for_localhost;
2051 + case oNumberOfPasswordPrompts:
2052 + intptr = &options->number_of_password_prompts;
2055 + case oCompressionLevel:
2056 + intptr = &options->compression_level;
2060 + arg = strdelim(&s);
2061 + if (!arg || *arg == '\0')
2062 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2063 + if (arg[0] < '0' || arg[0] > '9')
2064 + fatal("%.200s line %d: Bad number.", filename, linenum);
2065 + orig = val64 = strtoll(arg, &endofnumber, 10);
2066 + if (arg == endofnumber)
2067 + fatal("%.200s line %d: Bad number.", filename, linenum);
2068 + switch (toupper(*endofnumber)) {
2082 + fatal("%.200s line %d: Invalid RekeyLimit suffix",
2083 + filename, linenum);
2086 + /* detect integer wrap and too-large limits */
2087 + if ((val64 / scale) != orig || val64 > UINT_MAX)
2088 + fatal("%.200s line %d: RekeyLimit too large",
2089 + filename, linenum);
2091 + fatal("%.200s line %d: RekeyLimit too small",
2092 + filename, linenum);
2093 + if (*activep && options->rekey_limit == -1)
2094 + options->rekey_limit = (u_int32_t)val64;
2097 + case oIdentityFile:
2098 + arg = strdelim(&s);
2099 + if (!arg || *arg == '\0')
2100 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2102 + intptr = &options->num_identity_files;
2103 + if (*intptr >= SSH_MAX_IDENTITY_FILES)
2104 + fatal("%.200s line %d: Too many identity files specified (max %d).",
2105 + filename, linenum, SSH_MAX_IDENTITY_FILES);
2106 + charptr = &options->identity_files[*intptr];
2107 + *charptr = xstrdup(arg);
2108 + *intptr = *intptr + 1;
2112 + case oXAuthLocation:
2113 + charptr=&options->xauth_location;
2114 + goto parse_string;
2117 + charptr = &options->user;
2119 + arg = strdelim(&s);
2120 + if (!arg || *arg == '\0')
2121 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2122 + if (*activep && *charptr == NULL)
2123 + *charptr = xstrdup(arg);
2126 + case oGlobalKnownHostsFile:
2127 + charptr = &options->system_hostfile;
2128 + goto parse_string;
2130 + case oUserKnownHostsFile:
2131 + charptr = &options->user_hostfile;
2132 + goto parse_string;
2134 + case oGlobalKnownHostsFile2:
2135 + charptr = &options->system_hostfile2;
2136 + goto parse_string;
2138 + case oUserKnownHostsFile2:
2139 + charptr = &options->user_hostfile2;
2140 + goto parse_string;
2143 + charptr = &options->hostname;
2144 + goto parse_string;
2146 + case oHostKeyAlias:
2147 + charptr = &options->host_key_alias;
2148 + goto parse_string;
2150 + case oPreferredAuthentications:
2151 + charptr = &options->preferred_authentications;
2152 + goto parse_string;
2154 + case oBindAddress:
2155 + charptr = &options->bind_address;
2156 + goto parse_string;
2158 + case oSmartcardDevice:
2159 + charptr = &options->smartcard_device;
2160 + goto parse_string;
2162 + case oProxyCommand:
2163 + charptr = &options->proxy_command;
2166 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2167 + len = strspn(s, WHITESPACE "=");
2168 + if (*activep && *charptr == NULL)
2169 + *charptr = xstrdup(s + len);
2173 + intptr = &options->port;
2175 + arg = strdelim(&s);
2176 + if (!arg || *arg == '\0')
2177 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2178 + if (arg[0] < '0' || arg[0] > '9')
2179 + fatal("%.200s line %d: Bad number.", filename, linenum);
2181 + /* Octal, decimal, or hex format? */
2182 + value = strtol(arg, &endofnumber, 0);
2183 + if (arg == endofnumber)
2184 + fatal("%.200s line %d: Bad number.", filename, linenum);
2185 + if (*activep && *intptr == -1)
2189 + case oConnectionAttempts:
2190 + intptr = &options->connection_attempts;
2194 + intptr = &options->cipher;
2195 + arg = strdelim(&s);
2196 + if (!arg || *arg == '\0')
2197 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2198 + value = cipher_number(arg);
2200 + fatal("%.200s line %d: Bad cipher '%s'.",
2201 + filename, linenum, arg ? arg : "<NONE>");
2202 + if (*activep && *intptr == -1)
2207 + arg = strdelim(&s);
2208 + if (!arg || *arg == '\0')
2209 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2210 + if (!ciphers_valid(arg))
2211 + fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
2212 + filename, linenum, arg ? arg : "<NONE>");
2213 + if (*activep && options->ciphers == NULL)
2214 + options->ciphers = xstrdup(arg);
2218 + arg = strdelim(&s);
2219 + if (!arg || *arg == '\0')
2220 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2221 + if (!mac_valid(arg))
2222 + fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
2223 + filename, linenum, arg ? arg : "<NONE>");
2224 + if (*activep && options->macs == NULL)
2225 + options->macs = xstrdup(arg);
2228 + case oHostKeyAlgorithms:
2229 + arg = strdelim(&s);
2230 + if (!arg || *arg == '\0')
2231 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2232 + if (!key_names_valid2(arg))
2233 + fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
2234 + filename, linenum, arg ? arg : "<NONE>");
2235 + if (*activep && options->hostkeyalgorithms == NULL)
2236 + options->hostkeyalgorithms = xstrdup(arg);
2240 + intptr = &options->protocol;
2241 + arg = strdelim(&s);
2242 + if (!arg || *arg == '\0')
2243 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2244 + value = proto_spec(arg);
2245 + if (value == SSH_PROTO_UNKNOWN)
2246 + fatal("%.200s line %d: Bad protocol spec '%s'.",
2247 + filename, linenum, arg ? arg : "<NONE>");
2248 + if (*activep && *intptr == SSH_PROTO_UNKNOWN)
2253 + log_level_ptr = &options->log_level;
2254 + arg = strdelim(&s);
2255 + value = log_level_number(arg);
2256 + if (value == SYSLOG_LEVEL_NOT_SET)
2257 + fatal("%.200s line %d: unsupported log level '%s'",
2258 + filename, linenum, arg ? arg : "<NONE>");
2259 + if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
2260 + *log_level_ptr = (LogLevel) value;
2263 + case oLocalForward:
2264 + case oRemoteForward:
2265 + case oDynamicForward:
2266 + arg = strdelim(&s);
2267 + if (arg == NULL || *arg == '\0')
2268 + fatal("%.200s line %d: Missing port argument.",
2269 + filename, linenum);
2271 + if (opcode == oLocalForward ||
2272 + opcode == oRemoteForward) {
2273 + arg2 = strdelim(&s);
2274 + if (arg2 == NULL || *arg2 == '\0')
2275 + fatal("%.200s line %d: Missing target argument.",
2276 + filename, linenum);
2278 + /* construct a string for parse_forward */
2279 + snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
2280 + } else if (opcode == oDynamicForward) {
2281 + strlcpy(fwdarg, arg, sizeof(fwdarg));
2284 + if (parse_forward(&fwd, fwdarg,
2285 + opcode == oDynamicForward ? 1 : 0,
2286 + opcode == oRemoteForward ? 1 : 0) == 0)
2287 + fatal("%.200s line %d: Bad forwarding specification.",
2288 + filename, linenum);
2291 + if (opcode == oLocalForward ||
2292 + opcode == oDynamicForward)
2293 + add_local_forward(options, &fwd);
2294 + else if (opcode == oRemoteForward)
2295 + add_remote_forward(options, &fwd);
2299 + case oClearAllForwardings:
2300 + intptr = &options->clear_forwardings;
2305 + while ((arg = strdelim(&s)) != NULL && *arg != '\0')
2306 + if (match_pattern(host, arg)) {
2307 + debug("Applying options for %.100s", arg);
2311 + /* Avoid garbage check below, as strdelim is done. */
2315 + intptr = &options->escape_char;
2316 + arg = strdelim(&s);
2317 + if (!arg || *arg == '\0')
2318 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2319 + if (arg[0] == '^' && arg[2] == 0 &&
2320 + (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
2321 + value = (u_char) arg[1] & 31;
2322 + else if (strlen(arg) == 1)
2323 + value = (u_char) arg[0];
2324 + else if (strcmp(arg, "none") == 0)
2325 + value = SSH_ESCAPECHAR_NONE;
2327 + fatal("%.200s line %d: Bad escape character.",
2328 + filename, linenum);
2330 + value = 0; /* Avoid compiler warning. */
2332 + if (*activep && *intptr == -1)
2336 + case oAddressFamily:
2337 + arg = strdelim(&s);
2338 + if (!arg || *arg == '\0')
2339 + fatal("%s line %d: missing address family.",
2340 + filename, linenum);
2341 + intptr = &options->address_family;
2342 + if (strcasecmp(arg, "inet") == 0)
2344 + else if (strcasecmp(arg, "inet6") == 0)
2346 + else if (strcasecmp(arg, "any") == 0)
2347 + value = AF_UNSPEC;
2349 + fatal("Unsupported AddressFamily \"%s\"", arg);
2350 + if (*activep && *intptr == -1)
2354 + case oEnableSSHKeysign:
2355 + intptr = &options->enable_ssh_keysign;
2358 + case oIdentitiesOnly:
2359 + intptr = &options->identities_only;
2362 + case oServerAliveInterval:
2363 + intptr = &options->server_alive_interval;
2366 + case oServerAliveCountMax:
2367 + intptr = &options->server_alive_count_max;
2371 + while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
2372 + if (strchr(arg, '=') != NULL)
2373 + fatal("%s line %d: Invalid environment name.",
2374 + filename, linenum);
2377 + if (options->num_send_env >= MAX_SEND_ENV)
2378 + fatal("%s line %d: too many send env.",
2379 + filename, linenum);
2380 + options->send_env[options->num_send_env++] =
2385 + case oControlPath:
2386 + charptr = &options->control_path;
2387 + goto parse_string;
2389 + case oControlMaster:
2390 + intptr = &options->control_master;
2391 + arg = strdelim(&s);
2392 + if (!arg || *arg == '\0')
2393 + fatal("%.200s line %d: Missing ControlMaster argument.",
2394 + filename, linenum);
2395 + value = 0; /* To avoid compiler warning... */
2396 + if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
2397 + value = SSHCTL_MASTER_YES;
2398 + else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
2399 + value = SSHCTL_MASTER_NO;
2400 + else if (strcmp(arg, "auto") == 0)
2401 + value = SSHCTL_MASTER_AUTO;
2402 + else if (strcmp(arg, "ask") == 0)
2403 + value = SSHCTL_MASTER_ASK;
2404 + else if (strcmp(arg, "autoask") == 0)
2405 + value = SSHCTL_MASTER_AUTO_ASK;
2407 + fatal("%.200s line %d: Bad ControlMaster argument.",
2408 + filename, linenum);
2409 + if (*activep && *intptr == -1)
2413 + case oHashKnownHosts:
2414 + intptr = &options->hash_known_hosts;
2418 + intptr = &options->tun_open;
2419 + arg = strdelim(&s);
2420 + if (!arg || *arg == '\0')
2421 + fatal("%s line %d: Missing yes/point-to-point/"
2422 + "ethernet/no argument.", filename, linenum);
2423 + value = 0; /* silence compiler */
2424 + if (strcasecmp(arg, "ethernet") == 0)
2425 + value = SSH_TUNMODE_ETHERNET;
2426 + else if (strcasecmp(arg, "point-to-point") == 0)
2427 + value = SSH_TUNMODE_POINTOPOINT;
2428 + else if (strcasecmp(arg, "yes") == 0)
2429 + value = SSH_TUNMODE_DEFAULT;
2430 + else if (strcasecmp(arg, "no") == 0)
2431 + value = SSH_TUNMODE_NO;
2433 + fatal("%s line %d: Bad yes/point-to-point/ethernet/"
2434 + "no argument: %s", filename, linenum, arg);
2439 + case oTunnelDevice:
2440 + arg = strdelim(&s);
2441 + if (!arg || *arg == '\0')
2442 + fatal("%.200s line %d: Missing argument.", filename, linenum);
2443 + value = a2tun(arg, &value2);
2444 + if (value == SSH_TUNID_ERR)
2445 + fatal("%.200s line %d: Bad tun device.", filename, linenum);
2447 + options->tun_local = value;
2448 + options->tun_remote = value2;
2452 + case oLocalCommand:
2453 + charptr = &options->local_command;
2454 + goto parse_command;
2456 + case oPermitLocalCommand:
2457 + intptr = &options->permit_local_command;
2460 + case oVisualHostKey:
2461 + intptr = &options->visual_host_key;
2465 + debug("%s line %d: Deprecated option \"%s\"",
2466 + filename, linenum, keyword);
2469 + case oUnsupported:
2470 + error("%s line %d: Unsupported option \"%s\"",
2471 + filename, linenum, keyword);
2475 + fatal("process_config_line: Unimplemented opcode %d", opcode);
2478 + /* Check that there is no garbage at end of line. */
2479 + if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
2480 + fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
2481 + filename, linenum, arg);
2488 + * Reads the config file and modifies the options accordingly. Options
2489 + * should already be initialized before this call. This never returns if
2490 + * there is an error. If the file does not exist, this returns 0.
2494 +read_config_file(const char *filename, const char *host, Options *options,
2499 + int active, linenum;
2500 + int bad_options = 0;
2502 + if ((f = fopen(filename, "r")) == NULL)
2508 + if (fstat(fileno(f), &sb) == -1)
2509 + fatal("fstat %s: %s", filename, strerror(errno));
2510 + if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
2511 + (sb.st_mode & 022) != 0))
2512 + fatal("Bad owner or permissions on %s", filename);
2515 + debug("Reading configuration data %.200s", filename);
2518 + * Mark that we are now processing the options. This flag is turned
2519 + * on/off by Host specifications.
2523 + while (fgets(line, sizeof(line), f)) {
2524 + /* Update line number counter. */
2526 + if (process_config_line(options, host, line, filename, linenum, &active) != 0)
2530 + if (bad_options > 0)
2531 + fatal("%s: terminating, %d bad configuration options",
2532 + filename, bad_options);
2537 + * Initializes options to special values that indicate that they have not yet
2538 + * been set. Read_config_file will only set options with this value. Options
2539 + * are processed in the following order: command line, user config file,
2540 + * system config file. Last, fill_default_options is called.
2544 +initialize_options(Options * options)
2546 + memset(options, 'X', sizeof(*options));
2547 + options->forward_agent = -1;
2548 + options->forward_x11 = -1;
2549 + options->forward_x11_trusted = -1;
2550 + options->exit_on_forward_failure = -1;
2551 + options->xauth_location = NULL;
2552 + options->gateway_ports = -1;
2553 + options->use_privileged_port = -1;
2554 + options->rsa_authentication = -1;
2555 + options->pubkey_authentication = -1;
2556 + options->challenge_response_authentication = -1;
2557 + options->gss_authentication = -1;
2558 + options->gss_deleg_creds = -1;
2559 + options->password_authentication = -1;
2560 + options->kbd_interactive_authentication = -1;
2561 + options->kbd_interactive_devices = NULL;
2562 + options->rhosts_rsa_authentication = -1;
2563 + options->hostbased_authentication = -1;
2564 + options->batch_mode = -1;
2565 + options->check_host_ip = -1;
2566 + options->strict_host_key_checking = -1;
2567 + options->compression = -1;
2568 + options->tcp_keep_alive = -1;
2569 + options->compression_level = -1;
2570 + options->port = -1;
2571 + options->address_family = -1;
2572 + options->connection_attempts = -1;
2573 + options->connection_timeout = -1;
2574 + options->number_of_password_prompts = -1;
2575 + options->cipher = -1;
2576 + options->ciphers = NULL;
2577 + options->macs = NULL;
2578 + options->hostkeyalgorithms = NULL;
2579 + options->protocol = SSH_PROTO_UNKNOWN;
2580 + options->num_identity_files = 0;
2581 + options->hostname = NULL;
2582 + options->host_key_alias = NULL;
2583 + options->proxy_command = NULL;
2584 + options->user = NULL;
2585 + options->escape_char = -1;
2586 + options->system_hostfile = NULL;
2587 + options->user_hostfile = NULL;
2588 + options->system_hostfile2 = NULL;
2589 + options->user_hostfile2 = NULL;
2590 + options->num_local_forwards = 0;
2591 + options->num_remote_forwards = 0;
2592 + options->clear_forwardings = -1;
2593 + options->log_level = SYSLOG_LEVEL_NOT_SET;
2594 + options->preferred_authentications = NULL;
2595 + options->bind_address = NULL;
2596 + options->smartcard_device = NULL;
2597 + options->enable_ssh_keysign = - 1;
2598 + options->no_host_authentication_for_localhost = - 1;
2599 + options->identities_only = - 1;
2600 + options->rekey_limit = - 1;
2601 + options->verify_host_key_dns = -1;
2602 + options->server_alive_interval = -1;
2603 + options->server_alive_count_max = -1;
2604 + options->num_send_env = 0;
2605 + options->control_path = NULL;
2606 + options->control_master = -1;
2607 + options->hash_known_hosts = -1;
2608 + options->tun_open = -1;
2609 + options->tun_local = -1;
2610 + options->tun_remote = -1;
2611 + options->local_command = NULL;
2612 + options->permit_local_command = -1;
2613 + options->visual_host_key = -1;
2614 + options->zero_knowledge_password_authentication = -1;
2618 + * Called after processing other sources of option data, this fills those
2619 + * options for which no value has been specified with their default values.
2623 +fill_default_options(Options * options)
2627 + if (options->forward_agent == -1)
2628 + options->forward_agent = 0;
2629 + if (options->forward_x11 == -1)
2630 + options->forward_x11 = 0;
2631 + if (options->forward_x11_trusted == -1)
2632 + options->forward_x11_trusted = 0;
2633 + if (options->exit_on_forward_failure == -1)
2634 + options->exit_on_forward_failure = 0;
2635 + if (options->xauth_location == NULL)
2636 + options->xauth_location = _PATH_XAUTH;
2637 + if (options->gateway_ports == -1)
2638 + options->gateway_ports = 0;
2639 + if (options->use_privileged_port == -1)
2640 + options->use_privileged_port = 0;
2641 + if (options->rsa_authentication == -1)
2642 + options->rsa_authentication = 1;
2643 + if (options->pubkey_authentication == -1)
2644 + options->pubkey_authentication = 1;
2645 + if (options->challenge_response_authentication == -1)
2646 + options->challenge_response_authentication = 1;
2647 + if (options->gss_authentication == -1)
2648 + options->gss_authentication = 0;
2649 + if (options->gss_deleg_creds == -1)
2650 + options->gss_deleg_creds = 0;
2651 + if (options->password_authentication == -1)
2652 + options->password_authentication = 1;
2653 + if (options->kbd_interactive_authentication == -1)
2654 + options->kbd_interactive_authentication = 1;
2655 + if (options->rhosts_rsa_authentication == -1)
2656 + options->rhosts_rsa_authentication = 0;
2657 + if (options->hostbased_authentication == -1)
2658 + options->hostbased_authentication = 0;
2659 + if (options->batch_mode == -1)
2660 + options->batch_mode = 0;
2661 + if (options->check_host_ip == -1)
2662 + options->check_host_ip = 1;
2663 + if (options->strict_host_key_checking == -1)
2664 + options->strict_host_key_checking = 2; /* 2 is default */
2665 + if (options->compression == -1)
2666 + options->compression = 0;
2667 + if (options->tcp_keep_alive == -1)
2668 + options->tcp_keep_alive = 1;
2669 + if (options->compression_level == -1)
2670 + options->compression_level = 6;
2671 + if (options->port == -1)
2672 + options->port = 0; /* Filled in ssh_connect. */
2673 + if (options->address_family == -1)
2674 + options->address_family = AF_UNSPEC;
2675 + if (options->connection_attempts == -1)
2676 + options->connection_attempts = 1;
2677 + if (options->number_of_password_prompts == -1)
2678 + options->number_of_password_prompts = 3;
2679 + /* Selected in ssh_login(). */
2680 + if (options->cipher == -1)
2681 + options->cipher = SSH_CIPHER_NOT_SET;
2682 + /* options->ciphers, default set in myproposals.h */
2683 + /* options->macs, default set in myproposals.h */
2684 + /* options->hostkeyalgorithms, default set in myproposals.h */
2685 + if (options->protocol == SSH_PROTO_UNKNOWN)
2686 + options->protocol = SSH_PROTO_1|SSH_PROTO_2;
2687 + if (options->num_identity_files == 0) {
2688 + if (options->protocol & SSH_PROTO_1) {
2689 + len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
2690 + options->identity_files[options->num_identity_files] =
2692 + snprintf(options->identity_files[options->num_identity_files++],
2693 + len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
2695 + if (options->protocol & SSH_PROTO_2) {
2696 + len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
2697 + options->identity_files[options->num_identity_files] =
2699 + snprintf(options->identity_files[options->num_identity_files++],
2700 + len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
2702 + len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
2703 + options->identity_files[options->num_identity_files] =
2705 + snprintf(options->identity_files[options->num_identity_files++],
2706 + len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
2709 + if (options->escape_char == -1)
2710 + options->escape_char = '~';
2711 + if (options->system_hostfile == NULL)
2712 + options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
2713 + if (options->user_hostfile == NULL)
2714 + options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
2715 + if (options->system_hostfile2 == NULL)
2716 + options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
2717 + if (options->user_hostfile2 == NULL)
2718 + options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
2719 + if (options->log_level == SYSLOG_LEVEL_NOT_SET)
2720 + options->log_level = SYSLOG_LEVEL_INFO;
2721 + if (options->clear_forwardings == 1)
2722 + clear_forwardings(options);
2723 + if (options->no_host_authentication_for_localhost == - 1)
2724 + options->no_host_authentication_for_localhost = 0;
2725 + if (options->identities_only == -1)
2726 + options->identities_only = 0;
2727 + if (options->enable_ssh_keysign == -1)
2728 + options->enable_ssh_keysign = 0;
2729 + if (options->rekey_limit == -1)
2730 + options->rekey_limit = 0;
2731 + if (options->verify_host_key_dns == -1)
2732 + options->verify_host_key_dns = 0;
2733 + if (options->server_alive_interval == -1)
2734 + options->server_alive_interval = 0;
2735 + if (options->server_alive_count_max == -1)
2736 + options->server_alive_count_max = 3;
2737 + if (options->control_master == -1)
2738 + options->control_master = 0;
2739 + if (options->hash_known_hosts == -1)
2740 + options->hash_known_hosts = 0;
2741 + if (options->tun_open == -1)
2742 + options->tun_open = SSH_TUNMODE_NO;
2743 + if (options->tun_local == -1)
2744 + options->tun_local = SSH_TUNID_ANY;
2745 + if (options->tun_remote == -1)
2746 + options->tun_remote = SSH_TUNID_ANY;
2747 + if (options->permit_local_command == -1)
2748 + options->permit_local_command = 0;
2749 + if (options->visual_host_key == -1)
2750 + options->visual_host_key = 0;
2751 + if (options->zero_knowledge_password_authentication == -1)
2752 + options->zero_knowledge_password_authentication = 0;
2753 + /* options->local_command should not be set by default */
2754 + /* options->proxy_command should not be set by default */
2755 + /* options->user will be set in the main program if appropriate */
2756 + /* options->hostname will be set in the main program if appropriate */
2757 + /* options->host_key_alias should not be set by default */
2758 + /* options->preferred_authentications will be set in ssh */
2763 + * parses a string containing a port forwarding specification of the form:
2765 + * [listenhost:]listenport:connecthost:connectport
2767 + * [listenhost:]listenport
2768 + * returns number of arguments parsed or zero on error
2771 +parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
2774 + char *p, *cp, *fwdarg[4];
2776 + memset(fwd, '\0', sizeof(*fwd));
2778 + cp = p = xstrdup(fwdspec);
2780 + /* skip leading spaces */
2781 + while (isspace(*cp))
2784 + for (i = 0; i < 4; ++i)
2785 + if ((fwdarg[i] = hpdelim(&cp)) == NULL)
2788 + /* Check for trailing garbage */
2790 + i = 0; /* failure */
2794 + fwd->listen_host = NULL;
2795 + fwd->listen_port = a2port(fwdarg[0]);
2796 + fwd->connect_host = xstrdup("socks");
2800 + fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
2801 + fwd->listen_port = a2port(fwdarg[1]);
2802 + fwd->connect_host = xstrdup("socks");
2806 + fwd->listen_host = NULL;
2807 + fwd->listen_port = a2port(fwdarg[0]);
2808 + fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
2809 + fwd->connect_port = a2port(fwdarg[2]);
2813 + fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
2814 + fwd->listen_port = a2port(fwdarg[1]);
2815 + fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
2816 + fwd->connect_port = a2port(fwdarg[3]);
2819 + i = 0; /* failure */
2825 + if (!(i == 1 || i == 2))
2828 + if (!(i == 3 || i == 4))
2830 + if (fwd->connect_port <= 0)
2834 + if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
2837 + if (fwd->connect_host != NULL &&
2838 + strlen(fwd->connect_host) >= NI_MAXHOST)
2840 + if (fwd->listen_host != NULL &&
2841 + strlen(fwd->listen_host) >= NI_MAXHOST)
2848 + if (fwd->connect_host != NULL) {
2849 + xfree(fwd->connect_host);
2850 + fwd->connect_host = NULL;
2852 + if (fwd->listen_host != NULL) {
2853 + xfree(fwd->listen_host);
2854 + fwd->listen_host = NULL;
2858 diff -NupwB openssh-5.2p1-canonical/readconf.h openssh-5.2p1-hpn13v6/readconf.h
2859 --- openssh-5.2p1-canonical/readconf.h 2009-02-14 00:28:21.000000000 -0500
2860 +++ openssh-5.2p1-hpn13v6/readconf.h 2009-05-14 12:36:10.000000000 -0400
2861 @@ -57,6 +57,11 @@ typedef struct {
2862 int compression_level; /* Compression level 1 (fast) to 9
2864 int tcp_keep_alive; /* Set SO_KEEPALIVE. */
2865 + int tcp_rcv_buf; /* user switch to set tcp recv buffer */
2866 + int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
2867 + int hpn_disabled; /* Switch to disable HPN buffer management */
2868 + int hpn_buffer_size; /* User definable size for HPN buffer window */
2870 LogLevel log_level; /* Level for logging. */
2872 int port; /* Port to connect. */
2873 @@ -102,6 +107,8 @@ typedef struct {
2875 int enable_ssh_keysign;
2876 int64_t rekey_limit;
2877 + int none_switch; /* Use none cipher */
2878 + int none_enabled; /* Allow none to be used */
2879 int no_host_authentication_for_localhost;
2880 int identities_only;
2881 int server_alive_interval;
2882 diff -NupwB openssh-5.2p1-canonical/readconf.h.orig openssh-5.2p1-hpn13v6/readconf.h.orig
2883 --- openssh-5.2p1-canonical/readconf.h.orig 1969-12-31 19:00:00.000000000 -0500
2884 +++ openssh-5.2p1-hpn13v6/readconf.h.orig 2009-02-14 00:28:21.000000000 -0500
2886 +/* $OpenBSD: readconf.h,v 1.78 2009/02/12 03:00:56 djm Exp $ */
2889 + * Author: Tatu Ylonen <ylo@cs.hut.fi>
2890 + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
2891 + * All rights reserved
2892 + * Functions for reading the configuration file.
2894 + * As far as I am concerned, the code I have written for this software
2895 + * can be used freely for any purpose. Any derived versions of this
2896 + * software must be clearly marked as such, and if the derived work is
2897 + * incompatible with the protocol description in the RFC file, it must be
2898 + * called by a name other than "ssh" or "Secure Shell".
2904 +/* Data structure for representing a forwarding request. */
2907 + char *listen_host; /* Host (address) to listen on. */
2908 + int listen_port; /* Port to forward. */
2909 + char *connect_host; /* Host to connect. */
2910 + int connect_port; /* Port to connect on connect_host. */
2912 +/* Data structure for representing option data. */
2914 +#define MAX_SEND_ENV 256
2917 + int forward_agent; /* Forward authentication agent. */
2918 + int forward_x11; /* Forward X11 display. */
2919 + int forward_x11_trusted; /* Trust Forward X11 display. */
2920 + int exit_on_forward_failure; /* Exit if bind(2) fails for -L/-R */
2921 + char *xauth_location; /* Location for xauth program */
2922 + int gateway_ports; /* Allow remote connects to forwarded ports. */
2923 + int use_privileged_port; /* Don't use privileged port if false. */
2924 + int rhosts_rsa_authentication; /* Try rhosts with RSA
2925 + * authentication. */
2926 + int rsa_authentication; /* Try RSA authentication. */
2927 + int pubkey_authentication; /* Try ssh2 pubkey authentication. */
2928 + int hostbased_authentication; /* ssh2's rhosts_rsa */
2929 + int challenge_response_authentication;
2930 + /* Try S/Key or TIS, authentication. */
2931 + int gss_authentication; /* Try GSS authentication */
2932 + int gss_deleg_creds; /* Delegate GSS credentials */
2933 + int password_authentication; /* Try password
2934 + * authentication. */
2935 + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2936 + char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
2937 + int zero_knowledge_password_authentication; /* Try jpake */
2938 + int batch_mode; /* Batch mode: do not ask for passwords. */
2939 + int check_host_ip; /* Also keep track of keys for IP address */
2940 + int strict_host_key_checking; /* Strict host key checking. */
2941 + int compression; /* Compress packets in both directions. */
2942 + int compression_level; /* Compression level 1 (fast) to 9
2944 + int tcp_keep_alive; /* Set SO_KEEPALIVE. */
2945 + LogLevel log_level; /* Level for logging. */
2947 + int port; /* Port to connect. */
2948 + int address_family;
2949 + int connection_attempts; /* Max attempts (seconds) before
2951 + int connection_timeout; /* Max time (seconds) before
2952 + * aborting connection attempt */
2953 + int number_of_password_prompts; /* Max number of password
2955 + int cipher; /* Cipher to use. */
2956 + char *ciphers; /* SSH2 ciphers in order of preference. */
2957 + char *macs; /* SSH2 macs in order of preference. */
2958 + char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
2959 + int protocol; /* Protocol in order of preference. */
2960 + char *hostname; /* Real host to connect. */
2961 + char *host_key_alias; /* hostname alias for .ssh/known_hosts */
2962 + char *proxy_command; /* Proxy command for connecting the host. */
2963 + char *user; /* User to log in as. */
2964 + int escape_char; /* Escape character; -2 = none */
2966 + char *system_hostfile;/* Path for /etc/ssh/ssh_known_hosts. */
2967 + char *user_hostfile; /* Path for $HOME/.ssh/known_hosts. */
2968 + char *system_hostfile2;
2969 + char *user_hostfile2;
2970 + char *preferred_authentications;
2971 + char *bind_address; /* local socket address for connection to sshd */
2972 + char *smartcard_device; /* Smartcard reader device */
2973 + int verify_host_key_dns; /* Verify host key using DNS */
2975 + int num_identity_files; /* Number of files for RSA/DSA identities. */
2976 + char *identity_files[SSH_MAX_IDENTITY_FILES];
2977 + Key *identity_keys[SSH_MAX_IDENTITY_FILES];
2979 + /* Local TCP/IP forward requests. */
2980 + int num_local_forwards;
2981 + Forward local_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
2983 + /* Remote TCP/IP forward requests. */
2984 + int num_remote_forwards;
2985 + Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
2986 + int clear_forwardings;
2988 + int enable_ssh_keysign;
2989 + int64_t rekey_limit;
2990 + int no_host_authentication_for_localhost;
2991 + int identities_only;
2992 + int server_alive_interval;
2993 + int server_alive_count_max;
2996 + char *send_env[MAX_SEND_ENV];
2998 + char *control_path;
2999 + int control_master;
3001 + int hash_known_hosts;
3003 + int tun_open; /* tun(4) */
3004 + int tun_local; /* force tun device (optional) */
3005 + int tun_remote; /* force tun device (optional) */
3007 + char *local_command;
3008 + int permit_local_command;
3009 + int visual_host_key;
3013 +#define SSHCTL_MASTER_NO 0
3014 +#define SSHCTL_MASTER_YES 1
3015 +#define SSHCTL_MASTER_AUTO 2
3016 +#define SSHCTL_MASTER_ASK 3
3017 +#define SSHCTL_MASTER_AUTO_ASK 4
3019 +void initialize_options(Options *);
3020 +void fill_default_options(Options *);
3021 +int read_config_file(const char *, const char *, Options *, int);
3022 +int parse_forward(Forward *, const char *, int, int);
3025 +process_config_line(Options *, const char *, char *, const char *, int, int *);
3027 +void add_local_forward(Options *, const Forward *);
3028 +void add_remote_forward(Options *, const Forward *);
3030 +#endif /* READCONF_H */
3031 Common subdirectories: openssh-5.2p1-canonical/regress and openssh-5.2p1-hpn13v6/regress
3032 Common subdirectories: openssh-5.2p1-canonical/scard and openssh-5.2p1-hpn13v6/scard
3033 diff -NupwB openssh-5.2p1-canonical/scp.c openssh-5.2p1-hpn13v6/scp.c
3034 --- openssh-5.2p1-canonical/scp.c 2008-11-03 03:23:45.000000000 -0500
3035 +++ openssh-5.2p1-hpn13v6/scp.c 2009-05-14 12:36:10.000000000 -0400
3036 @@ -632,7 +632,7 @@ source(int argc, char **argv)
3039 int fd = -1, haderr, indx;
3040 - char *last, *name, buf[2048], encname[MAXPATHLEN];
3041 + char *last, *name, buf[16384], encname[MAXPATHLEN];
3044 for (indx = 0; indx < argc; ++indx) {
3045 @@ -868,7 +868,7 @@ sink(int argc, char **argv)
3046 mode_t mode, omode, mask;
3047 off_t size, statbytes;
3048 int setimes, targisdir, wrerrno = 0;
3049 - char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
3050 + char ch, *cp, *np, *targ, *why, *vect[1], buf[16384];
3051 struct timeval tv[2];
3054 diff -NupwB openssh-5.2p1-canonical/servconf.c openssh-5.2p1-hpn13v6/servconf.c
3055 --- openssh-5.2p1-canonical/servconf.c 2009-01-28 00:31:23.000000000 -0500
3056 +++ openssh-5.2p1-hpn13v6/servconf.c 2009-05-14 12:36:10.000000000 -0400
3057 @@ -132,6 +132,10 @@
3058 options->adm_forced_command = NULL;
3059 options->chroot_directory = NULL;
3060 options->zero_knowledge_password_authentication = -1;
3061 + options->none_enabled = -1;
3062 + options->tcp_rcv_buf_poll = -1;
3063 + options->hpn_disabled = -1;
3064 + options->hpn_buffer_size = -1;
3065 #ifdef WITH_LDAP_PUBKEY
3067 options->lpk.ld = NULL;
3068 @@ -156,6 +160,11 @@
3070 fill_default_server_options(ServerOptions *options)
3072 + /* needed for hpn socket tests */
3075 + int socksizelen = sizeof(int);
3077 /* Portable-specific options */
3078 if (options->use_pam == -1)
3079 options->use_pam = 0;
3080 @@ -262,6 +271,42 @@ fill_default_server_options(ServerOption
3081 if (options->zero_knowledge_password_authentication == -1)
3082 options->zero_knowledge_password_authentication = 0;
3084 + if (options->hpn_disabled == -1)
3085 + options->hpn_disabled = 0;
3087 + if (options->hpn_buffer_size == -1) {
3088 + /* option not explicitly set. Now we have to figure out */
3089 + /* what value to use */
3090 + if (options->hpn_disabled == 1) {
3091 + options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
3093 + /* get the current RCV size and set it to that */
3094 + /*create a socket but don't connect it */
3095 + /* we use that the get the rcv socket size */
3096 + sock = socket(AF_INET, SOCK_STREAM, 0);
3097 + getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
3098 + &socksize, &socksizelen);
3100 + options->hpn_buffer_size = socksize;
3101 + debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
3105 + /* we have to do this incase the user sets both values in a contradictory */
3106 + /* manner. hpn_disabled overrrides hpn_buffer_size*/
3107 + if (options->hpn_disabled <= 0) {
3108 + if (options->hpn_buffer_size == 0)
3109 + options->hpn_buffer_size = 1;
3110 + /* limit the maximum buffer to 64MB */
3111 + if (options->hpn_buffer_size > 64*1024) {
3112 + options->hpn_buffer_size = 64*1024*1024;
3114 + options->hpn_buffer_size *= 1024;
3117 + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
3120 /* Turn privilege separation on by default */
3121 if (use_privsep == -1)
3123 @@ -306,6 +351,7 @@ typedef enum {
3124 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
3125 sUsePrivilegeSeparation, sAllowAgentForwarding,
3126 sZeroKnowledgePasswordAuthentication,
3127 + sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
3128 sDeprecated, sUnsupported
3131 @@ -424,6 +470,10 @@ static struct {
3132 { "permitopen", sPermitOpen, SSHCFG_ALL },
3133 { "forcecommand", sForceCommand, SSHCFG_ALL },
3134 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
3135 + { "noneenabled", sNoneEnabled },
3136 + { "hpndisabled", sHPNDisabled },
3137 + { "hpnbuffersize", sHPNBufferSize },
3138 + { "tcprcvbufpoll", sTcpRcvBufPoll },
3139 { NULL, sBadOption, 0 }
3142 @@ -450,6 +500,7 @@ parse_token(const char *cp, const char *
3144 for (i = 0; keywords[i].name; i++)
3145 if (strcasecmp(cp, keywords[i].name) == 0) {
3146 + debug ("Config token is %s", keywords[i].name);
3147 *flags = keywords[i].flags;
3148 return keywords[i].opcode;
3150 @@ -847,6 +898,22 @@ process_server_config_line(ServerOptions
3154 + case sNoneEnabled:
3155 + intptr = &options->none_enabled;
3158 + case sTcpRcvBufPoll:
3159 + intptr = &options->tcp_rcv_buf_poll;
3162 + case sHPNDisabled:
3163 + intptr = &options->hpn_disabled;
3166 + case sHPNBufferSize:
3167 + intptr = &options->hpn_buffer_size;
3170 case sIgnoreUserKnownHosts:
3171 intptr = &options->ignore_user_known_hosts;
3173 diff -NupwB openssh-5.2p1-canonical/servconf.h openssh-5.2p1-hpn13v6/servconf.h
3174 --- openssh-5.2p1-canonical/servconf.h 2009-01-28 00:31:23.000000000 -0500
3175 +++ openssh-5.2p1-hpn13v6/servconf.h 2009-05-14 12:36:10.000000000 -0400
3176 @@ -145,6 +145,10 @@ typedef struct {
3177 char *adm_forced_command;
3179 int use_pam; /* Enable auth via PAM */
3180 + int none_enabled; /* enable NONE cipher switch */
3181 + int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
3182 + int hpn_disabled; /* disable hpn functionality. false by default */
3183 + int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
3187 diff -NupwB openssh-5.2p1-canonical/serverloop.c openssh-5.2p1-hpn13v6/serverloop.c
3188 --- openssh-5.2p1-canonical/serverloop.c 2009-02-14 00:33:09.000000000 -0500
3189 +++ openssh-5.2p1-hpn13v6/serverloop.c 2009-05-14 12:36:10.000000000 -0400
3190 @@ -93,10 +93,10 @@ static int fdin; /* Descriptor for stdi
3191 static int fdout; /* Descriptor for stdout (for reading);
3192 May be same number as fdin. */
3193 static int fderr; /* Descriptor for stderr. May be -1. */
3194 -static long stdin_bytes = 0; /* Number of bytes written to stdin. */
3195 -static long stdout_bytes = 0; /* Number of stdout bytes sent to client. */
3196 -static long stderr_bytes = 0; /* Number of stderr bytes sent to client. */
3197 -static long fdout_bytes = 0; /* Number of stdout bytes read from program. */
3198 +static u_long stdin_bytes = 0; /* Number of bytes written to stdin. */
3199 +static u_long stdout_bytes = 0; /* Number of stdout bytes sent to client. */
3200 +static u_long stderr_bytes = 0; /* Number of stderr bytes sent to client. */
3201 +static u_long fdout_bytes = 0; /* Number of stdout bytes read from program. */
3202 static int stdin_eof = 0; /* EOF message received from client. */
3203 static int fdout_eof = 0; /* EOF encountered reading from fdout. */
3204 static int fderr_eof = 0; /* EOF encountered readung from fderr. */
3205 @@ -121,6 +121,20 @@ static volatile sig_atomic_t received_si
3206 static void server_init_dispatch(void);
3209 + * Returns current time in seconds from Jan 1, 1970 with the maximum
3210 + * available resolution.
3214 +get_current_time(void)
3216 + struct timeval tv;
3217 + gettimeofday(&tv, NULL);
3218 + return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
3223 * we write to this pipe if a SIGCHLD is caught in order to avoid
3224 * the race between select() and child_terminated
3226 @@ -410,6 +424,7 @@ process_input(fd_set *readset)
3228 /* Buffer any received data. */
3229 packet_process_incoming(buf, len);
3230 + fdout_bytes += len;
3234 @@ -432,6 +447,7 @@ process_input(fd_set *readset)
3236 buffer_append(&stdout_buffer, buf, len);
3238 + debug ("FD out now: %ld", fdout_bytes);
3241 /* Read and buffer any available stderr data from the program. */
3242 @@ -499,7 +515,7 @@ process_output(fd_set *writeset)
3244 /* Send any buffered packet data to the client. */
3245 if (FD_ISSET(connection_out, writeset))
3246 - packet_write_poll();
3247 + stdin_bytes += packet_write_poll();
3251 @@ -816,8 +832,10 @@ server_loop2(Authctxt *authctxt)
3253 fd_set *readset = NULL, *writeset = NULL;
3254 int rekeying = 0, max_fd, nalloc = 0;
3255 + double start_time, total_time;
3257 debug("Entering interactive session for SSH2.");
3258 + start_time = get_current_time();
3260 mysignal(SIGCHLD, sigchld_handler);
3261 child_terminated = 0;
3262 @@ -879,6 +897,11 @@ server_loop2(Authctxt *authctxt)
3264 /* free remaining sessions, e.g. remove wtmp entries */
3265 session_destroy_all(NULL);
3266 + total_time = get_current_time() - start_time;
3267 + logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f",
3268 + get_remote_ipaddr(), get_remote_port(),
3269 + stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time,
3270 + fdout_bytes / total_time);
3274 @@ -994,8 +1017,12 @@ server_request_tun(void)
3275 sock = tun_open(tun, mode);
3278 + if (options.hpn_disabled)
3279 c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
3280 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
3282 + c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
3283 + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
3285 #if defined(SSH_TUN_FILTER)
3286 if (mode == SSH_TUNMODE_POINTOPOINT)
3287 @@ -1031,6 +1058,8 @@ server_request_session(void)
3288 c = channel_new("session", SSH_CHANNEL_LARVAL,
3289 -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
3290 0, "server-session", 1);
3291 + if ((options.tcp_rcv_buf_poll) && (!options.hpn_disabled))
3292 + c->dynamic_window = 1;
3293 if (session_open(the_authctxt, c->self) != 1) {
3294 debug("session open failed, free channel %d", c->self);
3296 diff -NupwB openssh-5.2p1-canonical/session.c openssh-5.2p1-hpn13v6/session.c
3297 --- openssh-5.2p1-canonical/session.c 2009-01-28 00:29:49.000000000 -0500
3298 +++ openssh-5.2p1-hpn13v6/session.c 2009-05-14 12:36:10.000000000 -0400
3299 @@ -230,6 +230,7 @@ auth_input_request_forwarding(struct pas
3302 /* Allocate a channel for the authentication agent socket. */
3303 + /* this shouldn't matter if its hpn or not - cjr */
3304 nc = channel_new("auth socket",
3305 SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
3306 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
3307 @@ -2301,10 +2302,16 @@ session_set_fds(Session *s, int fdin, in
3309 if (s->chanid == -1)
3310 fatal("no channel for session %d", s->self);
3311 + if (options.hpn_disabled)
3312 channel_set_fds(s->chanid,
3314 fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
3315 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
3317 + channel_set_fds(s->chanid,
3318 + fdout, fdin, fderr,
3319 + fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
3320 + 1, is_tty, options.hpn_buffer_size);
3324 diff -NupwB openssh-5.2p1-canonical/sftp.1 openssh-5.2p1-hpn13v6/sftp.1
3325 --- openssh-5.2p1-canonical/sftp.1 2009-01-28 00:14:09.000000000 -0500
3326 +++ openssh-5.2p1-hpn13v6/sftp.1 2009-05-14 12:36:10.000000000 -0400
3327 @@ -203,7 +203,8 @@ This option may be useful in debugging t
3328 Specify how many requests may be outstanding at any one time.
3329 Increasing this may slightly improve file transfer speed
3330 but will increase memory usage.
3331 -The default is 64 outstanding requests.
3332 +The default is 256 outstanding requests providing for 8MB
3333 +of outstanding data with a 32KB buffer.
3337 diff -NupwB openssh-5.2p1-canonical/sftp.c openssh-5.2p1-hpn13v6/sftp.c
3338 --- openssh-5.2p1-canonical/sftp.c 2009-02-14 00:26:19.000000000 -0500
3339 +++ openssh-5.2p1-hpn13v6/sftp.c 2009-05-14 12:36:10.000000000 -0400
3340 @@ -75,7 +75,7 @@ int batchmode = 0;
3341 size_t copy_buffer_len = 32768;
3343 /* Number of concurrent outstanding requests */
3344 -size_t num_requests = 64;
3345 +size_t num_requests = 256;
3347 /* PID of ssh transport process */
3348 static pid_t sshpid = -1;
3349 diff -NupwB openssh-5.2p1-canonical/ssh.c openssh-5.2p1-hpn13v6/ssh.c
3350 --- openssh-5.2p1-canonical/ssh.c 2009-02-14 00:28:21.000000000 -0500
3351 +++ openssh-5.2p1-hpn13v6/ssh.c 2009-05-14 12:36:10.000000000 -0400
3352 @@ -492,9 +492,6 @@ main(int ac, char **av)
3361 line = xstrdup(optarg);
3362 @@ -503,6 +500,13 @@ main(int ac, char **av)
3368 + /* ensure that the user doesn't try to backdoor a */
3369 + /* null cipher switch on an interactive session */
3370 + /* so explicitly disable it no matter what */
3371 + options.none_switch=0;
3376 @@ -1142,6 +1146,9 @@ ssh_session2_open(void)
3379 int window, packetmax, in, out, err;
3382 + int socksizelen = sizeof(int);
3384 if (stdin_null_flag) {
3385 in = open(_PATH_DEVNULL, O_RDONLY);
3386 @@ -1162,9 +1169,75 @@ ssh_session2_open(void)
3390 - window = CHAN_SES_WINDOW_DEFAULT;
3391 + /* we need to check to see if what they want to do about buffer */
3392 + /* sizes here. In a hpn to nonhpn connection we want to limit */
3393 + /* the window size to something reasonable in case the far side */
3394 + /* has the large window bug. In hpn to hpn connection we want to */
3395 + /* use the max window size but allow the user to override it */
3396 + /* lastly if they disabled hpn then use the ssh std window size */
3398 + /* so why don't we just do a getsockopt() here and set the */
3399 + /* ssh window to that? In the case of a autotuning receive */
3400 + /* window the window would get stuck at the initial buffer */
3401 + /* size generally less than 96k. Therefore we need to set the */
3402 + /* maximum ssh window size to the maximum hpn buffer size */
3403 + /* unless the user has specifically set the tcprcvbufpoll */
3404 + /* to no. In which case we *can* just set the window to the */
3405 + /* minimum of the hpn buffer size and tcp receive buffer size */
3408 + options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
3410 + options.hpn_buffer_size = 2*1024*1024;
3412 + if (datafellows & SSH_BUG_LARGEWINDOW)
3414 + debug("HPN to Non-HPN Connection");
3418 + if (options.tcp_rcv_buf_poll <= 0)
3420 + sock = socket(AF_INET, SOCK_STREAM, 0);
3421 + getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
3422 + &socksize, &socksizelen);
3424 + debug("socksize %d", socksize);
3425 + options.hpn_buffer_size = socksize;
3426 + debug ("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
3430 + if (options.tcp_rcv_buf > 0)
3432 + /*create a socket but don't connect it */
3433 + /* we use that the get the rcv socket size */
3434 + sock = socket(AF_INET, SOCK_STREAM, 0);
3435 + /* if they are using the tcp_rcv_buf option */
3436 + /* attempt to set the buffer size to that */
3437 + if (options.tcp_rcv_buf)
3438 + setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (void *)&options.tcp_rcv_buf,
3439 + sizeof(options.tcp_rcv_buf));
3440 + getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
3441 + &socksize, &socksizelen);
3443 + debug("socksize %d", socksize);
3444 + options.hpn_buffer_size = socksize;
3445 + debug ("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
3451 + debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
3453 + window = options.hpn_buffer_size;
3455 + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
3457 packetmax = CHAN_SES_PACKET_DEFAULT;
3459 + window = 4*CHAN_SES_PACKET_DEFAULT;
3463 @@ -1172,7 +1245,10 @@ ssh_session2_open(void)
3464 "session", SSH_CHANNEL_OPENING, in, out, err,
3465 window, packetmax, CHAN_EXTENDED_WRITE,
3466 "client-session", /*nonblock*/0);
3468 + if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) {
3469 + c->dynamic_window = 1;
3470 + debug ("Enabled Dynamic Window Scaling\n");
3472 debug3("ssh_session2_open: channel_new: %d", c->self);
3474 channel_send_open(c->self);
3475 diff -NupwB openssh-5.2p1-canonical/sshconnect2.c openssh-5.2p1-hpn13v6/sshconnect2.c
3476 --- openssh-5.2p1-canonical/sshconnect2.c 2008-11-05 00:20:47.000000000 -0500
3477 +++ openssh-5.2p1-hpn13v6/sshconnect2.c 2009-05-14 12:36:10.000000000 -0400
3479 extern char *client_version_string;
3480 extern char *server_version_string;
3481 extern Options options;
3482 +extern Kex *xxx_kex;
3484 +/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
3485 +/* if it is set then prevent the switch to the null cipher */
3487 +extern int tty_flag;
3491 @@ -350,6 +356,28 @@ ssh_userauth2(const char *local_user, co
3492 pubkey_cleanup(&authctxt);
3493 dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
3495 + /* if the user wants to use the none cipher do it */
3496 + /* post authentication and only if the right conditions are met */
3497 + /* both of the NONE commands must be true and there must be no */
3498 + /* tty allocated */
3499 + if ((options.none_switch == 1) && (options.none_enabled == 1))
3501 + if (!tty_flag) /* no null on tty sessions */
3503 + debug("Requesting none rekeying...");
3504 + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
3505 + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
3506 + kex_prop2buf(&xxx_kex->my,myproposal);
3507 + packet_request_rekeying();
3508 + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
3512 + /* requested NONE cipher when in a tty */
3513 + debug("Cannot switch to NONE cipher with tty allocated");
3514 + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
3517 debug("Authentication succeeded (%s).", authctxt.method->name);
3520 diff -NupwB openssh-5.2p1-canonical/sshconnect.c openssh-5.2p1-hpn13v6/sshconnect.c
3521 --- openssh-5.2p1-canonical/sshconnect.c 2009-02-01 06:19:54.000000000 -0500
3522 +++ openssh-5.2p1-hpn13v6/sshconnect.c 2009-05-14 12:36:10.000000000 -0400
3523 @@ -165,6 +165,31 @@ ssh_proxy_connect(const char *host, u_sh
3527 + * Set TCP receive buffer if requested.
3528 + * Note: tuning needs to happen after the socket is
3529 + * created but before the connection happens
3530 + * so winscale is negotiated properly -cjr
3533 +ssh_set_socket_recvbuf(int sock)
3535 + void *buf = (void *)&options.tcp_rcv_buf;
3536 + int sz = sizeof(options.tcp_rcv_buf);
3538 + int socksizelen = sizeof(int);
3540 + debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
3541 + if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
3542 + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
3543 + debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
3546 + error("Couldn't set socket receive buffer to %d: %.100s",
3547 + options.tcp_rcv_buf, strerror(errno));
3552 * Creates a (possibly privileged) socket for use as the ssh connection.
3555 @@ -187,12 +212,18 @@ ssh_create_socket(int privileged, struct
3558 debug("Allocated local port %d.", p);
3560 + if (options.tcp_rcv_buf > 0)
3561 + ssh_set_socket_recvbuf(sock);
3564 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
3566 error("socket: %.100s", strerror(errno));
3568 + if (options.tcp_rcv_buf > 0)
3569 + ssh_set_socket_recvbuf(sock);
3571 /* Bind the socket to an alternative local IP address */
3572 if (options.bind_address == NULL)
3574 @@ -536,7 +567,7 @@ ssh_exchange_identification(int timeout_
3575 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
3576 compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
3577 compat20 ? PROTOCOL_MINOR_2 : minor1,
3578 - SSH_VERSION, compat20 ? "\r\n" : "\n");
3579 + SSH_RELEASE, compat20 ? "\r\n" : "\n");
3580 if (atomicio(vwrite, connection_out, buf, strlen(buf)) != strlen(buf))
3581 fatal("write: %.100s", strerror(errno));
3582 client_version_string = xstrdup(buf);
3583 diff -NupwB openssh-5.2p1-canonical/sshd.c openssh-5.2p1-hpn13v6/sshd.c
3584 --- openssh-5.2p1-canonical/sshd.c 2009-01-28 00:31:23.000000000 -0500
3585 +++ openssh-5.2p1-hpn13v6/sshd.c 2009-05-14 12:36:10.000000000 -0400
3586 @@ -136,6 +136,9 @@ int deny_severity;
3587 #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
3588 #define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4)
3593 extern char *__progname;
3595 /* Server configuration options. */
3596 @@ -415,7 +418,7 @@ sshd_exchange_identification(int sock_in
3597 minor = PROTOCOL_MINOR_1;
3599 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
3600 - SSH_VERSION, newline);
3601 + SSH_RELEASE, newline);
3602 server_version_string = xstrdup(buf);
3604 /* Send our protocol version identification. */
3605 @@ -466,6 +469,9 @@ sshd_exchange_identification(int sock_in
3607 debug("Client protocol version %d.%d; client software version %.100s",
3608 remote_major, remote_minor, remote_version);
3609 + logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
3610 + get_remote_ipaddr(), get_remote_port(),
3611 + remote_major, remote_minor, remote_version);
3613 compat_datafellows(remote_version);
3615 @@ -944,6 +950,8 @@ server_listen(void)
3616 int ret, listen_sock, on = 1;
3617 struct addrinfo *ai;
3618 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
3620 + int socksizelen = sizeof(int);
3622 for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
3623 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
3624 @@ -990,6 +998,11 @@ server_listen(void)
3626 debug("Bind to port %s on %s.", strport, ntop);
3628 + getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
3629 + &socksize, &socksizelen);
3630 + debug("Server TCP RWIN socket size: %d", socksize);
3631 + debug("HPN Buffer Size: %d", options.hpn_buffer_size);
3633 /* Bind the socket to the desired port. */
3634 if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
3635 error("Bind to port %s on %s failed: %.200s.",
3636 @@ -1817,6 +1830,9 @@ main(int ac, char **av)
3637 /* Log the connection. */
3638 verbose("Connection from %.500s port %d", remote_ip, remote_port);
3640 + /* set the HPN options for the child */
3641 + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
3644 * We don't want to listen forever unless the other side
3645 * successfully authenticates itself. So we set up an alarm which is
3646 @@ -2171,9 +2187,15 @@ do_ssh2_kex(void)
3651 + debug ("MYFLAG IS %d", myflag);
3652 if (options.ciphers != NULL) {
3653 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
3654 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
3655 + } else if (options.none_enabled == 1) {
3656 + debug ("WARNING: None cipher enabled");
3657 + myproposal[PROPOSAL_ENC_ALGS_CTOS] =
3658 + myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE;
3660 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
3661 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
3662 diff -NupwB openssh-5.2p1-canonical/sshd_config openssh-5.2p1-hpn13v6/sshd_config
3663 --- openssh-5.2p1-canonical/sshd_config 2008-07-02 08:35:43.000000000 -0400
3664 +++ openssh-5.2p1-hpn13v6/sshd_config 2009-05-14 12:36:10.000000000 -0400
3665 @@ -112,6 +112,20 @@ Protocol 2
3666 # override default of no subsystems
3667 Subsystem sftp /usr/libexec/sftp-server
3669 +# the following are HPN related configuration options
3670 +# tcp receive buffer polling. disable in non autotuning kernels
3673 +# allow the use of the none cipher
3676 +# disable hpn performance boosts.
3679 +# buffer size for hpn to non-hpn connections
3680 +#HPNBufferSize 2048
3683 # Example of overriding settings on a per-user basis
3686 diff -NupwB openssh-5.2p1-canonical/version.h openssh-5.2p1-hpn13v6/version.h
3687 --- openssh-5.2p1-canonical/version.h 2009-02-22 19:09:26.000000000 -0500
3688 +++ openssh-5.2p1-hpn13v6/version.h 2009-05-14 12:42:05.000000000 -0400
3690 #define SSH_VERSION "OpenSSH_5.2"
3692 #define SSH_PORTABLE "p1"
3693 -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
3694 +#define SSH_HPN "-hpn13v6"
3695 +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN