Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- diff -NupwB canonical/auth2.c kitchen/auth2.c
- --- canonical/auth2.c 2011-12-18 18:52:51.000000000 -0500
- +++ kitchen/auth2.c 2012-11-07 15:28:16.000000000 -0500
- @@ -49,6 +49,7 @@
- #include "dispatch.h"
- #include "pathnames.h"
- #include "buffer.h"
- +#include "canohost.h"
- #ifdef GSSAPI
- #include "ssh-gss.h"
- @@ -75,6 +76,8 @@ extern Authmethod method_gssapi;
- extern Authmethod method_jpake;
- #endif
- +static int log_flag = 0;
- +
- Authmethod *authmethods[] = {
- &method_none,
- &method_pubkey,
- @@ -227,6 +230,12 @@ input_userauth_request(int type, u_int32
- debug("userauth-request for user %s service %s method %s", user, service, method);
- debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
- + if (!log_flag) {
- + logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",
- + get_remote_ipaddr(), get_remote_port(), user);
- + log_flag = 1;
- + }
- +
- if ((style = strchr(user, ':')) != NULL)
- *style++ = 0;
- diff -NupwB canonical/buffer.c kitchen/buffer.c
- --- canonical/buffer.c 2010-02-11 17:23:40.000000000 -0500
- +++ kitchen/buffer.c 2012-11-07 15:28:16.000000000 -0500
- @@ -127,7 +127,7 @@ restart:
- /* Increase the size of the buffer and retry. */
- newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
- - if (newlen > BUFFER_MAX_LEN)
- + if (newlen > BUFFER_MAX_LEN_HPN)
- fatal("buffer_append_space: alloc %u not supported",
- newlen);
- buffer->buf = xrealloc(buffer->buf, 1, newlen);
- diff -NupwB canonical/buffer.h kitchen/buffer.h
- --- canonical/buffer.h 2010-09-09 21:39:27.000000000 -0400
- +++ kitchen/buffer.h 2012-11-07 15:28:16.000000000 -0500
- @@ -16,6 +16,9 @@
- #ifndef BUFFER_H
- #define BUFFER_H
- +/* move the following to a more appropriate place and name */
- +#define BUFFER_MAX_LEN_HPN 0x4000000 /* 64MB */
- +
- typedef struct {
- u_char *buf; /* Buffer for data. */
- u_int alloc; /* Number of bytes allocated for data. */
- diff -NupwB canonical/channels.c kitchen/channels.c
- --- canonical/channels.c 2011-10-02 03:59:03.000000000 -0400
- +++ kitchen/channels.c 2012-11-07 15:28:16.000000000 -0500
- @@ -173,8 +173,10 @@ static void port_open_helper(Channel *c,
- static int connect_next(struct channel_connect *);
- static void channel_connect_ctx_free(struct channel_connect *);
- -/* -- channel core */
- +static int hpn_disabled = 0;
- +static int hpn_buffer_size = 2 * 1024 * 1024;
- +/* -- channel core */
- Channel *
- channel_by_id(int id)
- {
- @@ -318,6 +320,7 @@ channel_new(char *ctype, int type, int r
- c->local_window_max = window;
- c->local_consumed = 0;
- c->local_maxpacket = maxpack;
- + c->dynamic_window = 0;
- c->remote_id = -1;
- c->remote_name = xstrdup(remote_name);
- c->remote_window = 0;
- @@ -817,11 +820,36 @@ channel_pre_open_13(Channel *c, fd_set *
- FD_SET(c->sock, writeset);
- }
- +int channel_tcpwinsz () {
- + u_int32_t tcpwinsz = 0;
- + socklen_t optsz = sizeof(tcpwinsz);
- + int ret = -1;
- +
- + /* if we aren't on a socket return 128KB*/
- + if(!packet_connection_is_on_socket())
- + return(128*1024);
- + ret = getsockopt(packet_get_connection_in(),
- + SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
- + /* return no more than 64MB */
- + if ((ret == 0) && tcpwinsz > BUFFER_MAX_LEN_HPN)
- + tcpwinsz = BUFFER_MAX_LEN_HPN;
- + debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
- + packet_get_connection_in());
- + return(tcpwinsz);
- +}
- +
- static void
- channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
- {
- u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
- + /* check buffer limits */
- + if ((!c->tcpwinsz) || (c->dynamic_window > 0))
- + c->tcpwinsz = channel_tcpwinsz();
- +
- + limit = MIN(limit, 2 * c->tcpwinsz);
- +
- +
- if (c->istate == CHAN_INPUT_OPEN &&
- limit > 0 &&
- buffer_len(&c->input) < limit &&
- @@ -1798,6 +1826,17 @@ channel_check_window(Channel *c)
- c->local_maxpacket*3) ||
- c->local_window < c->local_window_max/2) &&
- c->local_consumed > 0) {
- + u_int addition = 0;
- + /* adjust max window size if we are in a dynamic environment */
- + if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
- + /* grow the window somewhat aggressively to maintain pressure */
- + addition = 1.5*(c->tcpwinsz - c->local_window_max);
- + c->local_window_max += addition;
- + }
- + packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
- + packet_put_int(c->remote_id);
- + packet_put_int(c->local_consumed + addition);
- +
- packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
- packet_put_int(c->remote_id);
- packet_put_int(c->local_consumed);
- @@ -1805,7 +1844,7 @@ channel_check_window(Channel *c)
- debug2("channel %d: window %d sent adjust %d",
- c->self, c->local_window,
- c->local_consumed);
- - c->local_window += c->local_consumed;
- + c->local_window += c->local_consumed + addition;
- c->local_consumed = 0;
- }
- return 1;
- @@ -2137,11 +2176,12 @@ channel_after_select(fd_set *readset, fd
- /* If there is data to send to the connection, enqueue some of it now. */
- -void
- +int
- channel_output_poll(void)
- {
- Channel *c;
- u_int i, len;
- + int packet_length = 0;
- for (i = 0; i < channels_alloc; i++) {
- c = channels[i];
- @@ -2189,7 +2229,7 @@ channel_output_poll(void)
- packet_start(SSH2_MSG_CHANNEL_DATA);
- packet_put_int(c->remote_id);
- packet_put_string(data, dlen);
- - packet_send();
- + packet_length = packet_send();
- c->remote_window -= dlen + 4;
- xfree(data);
- }
- @@ -2219,7 +2259,7 @@ channel_output_poll(void)
- SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
- packet_put_int(c->remote_id);
- packet_put_string(buffer_ptr(&c->input), len);
- - packet_send();
- + packet_length = packet_send();
- buffer_consume(&c->input, len);
- c->remote_window -= len;
- }
- @@ -2254,12 +2294,13 @@ channel_output_poll(void)
- packet_put_int(c->remote_id);
- packet_put_int(SSH2_EXTENDED_DATA_STDERR);
- packet_put_string(buffer_ptr(&c->extended), len);
- - packet_send();
- + packet_length = packet_send();
- buffer_consume(&c->extended, len);
- c->remote_window -= len;
- debug2("channel %d: sent ext data %d", c->self, len);
- }
- }
- + return (packet_length);
- }
- @@ -2683,6 +2724,14 @@ channel_fwd_bind_addr(const char *listen
- return addr;
- }
- +void
- +channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
- +{
- + hpn_disabled = external_hpn_disabled;
- + hpn_buffer_size = external_hpn_buffer_size;
- + debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
- +}
- +
- static int
- channel_setup_fwd_listener(int type, const char *listen_addr,
- u_short listen_port, int *allocated_listen_port,
- @@ -2809,9 +2858,15 @@ channel_setup_fwd_listener(int type, con
- }
- /* Allocate a channel number for the socket. */
- + /* explicitly test for hpn disabled option. if true use smaller window size */
- + if (hpn_disabled)
- c = channel_new("port listener", type, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "port listener", 1);
- + else
- + c = channel_new("port listener", type, sock, sock, -1,
- + hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
- + 0, "port listener", 1);
- c->path = xstrdup(host);
- c->host_port = port_to_connect;
- c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
- @@ -3456,10 +3511,17 @@ x11_create_display_inet(int x11_display_
- *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
- for (n = 0; n < num_socks; n++) {
- sock = socks[n];
- + /* Is this really necassary? */
- + if (hpn_disabled)
- nc = channel_new("x11 listener",
- SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, "X11 inet listener", 1);
- + else
- + nc = channel_new("x11 listener",
- + SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- + hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
- + 0, "X11 inet listener", 1);
- nc->single_connection = single_connection;
- (*chanids)[n] = nc->self;
- }
- diff -NupwB canonical/channels.h kitchen/channels.h
- --- canonical/channels.h 2011-10-02 03:59:03.000000000 -0400
- +++ kitchen/channels.h 2012-11-07 15:28:16.000000000 -0500
- @@ -126,10 +126,12 @@ struct Channel {
- u_int remote_maxpacket;
- u_int local_window;
- u_int local_window_max;
- + int dynamic_window;
- u_int local_consumed;
- u_int local_maxpacket;
- int extended_usage;
- int single_connection;
- + u_int tcpwinsz;
- char *ctype; /* type */
- @@ -164,9 +166,11 @@ struct Channel {
- /* default window/packet sizes for tcp/x11-fwd-channel */
- #define CHAN_SES_PACKET_DEFAULT (32*1024)
- -#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
- +#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
- +
- #define CHAN_TCP_PACKET_DEFAULT (32*1024)
- -#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
- +#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
- +
- #define CHAN_X11_PACKET_DEFAULT (16*1024)
- #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
- @@ -240,7 +244,7 @@ void channel_input_status_confirm(int,
- void channel_prepare_select(fd_set **, fd_set **, int *, u_int*, int);
- void channel_after_select(fd_set *, fd_set *);
- -void channel_output_poll(void);
- +int channel_output_poll(void);
- int channel_not_very_much_buffered_data(void);
- void channel_close_all(void);
- @@ -300,4 +304,8 @@ void chan_rcvd_ieof(Channel *);
- void chan_write_failed(Channel *);
- void chan_obuf_empty(Channel *);
- +/* hpn handler */
- +void channel_set_hpn(int, int);
- +
- +
- #endif
- diff -NupwB canonical/cipher.c kitchen/cipher.c
- --- canonical/cipher.c 2009-01-28 00:38:41.000000000 -0500
- +++ kitchen/cipher.c 2012-11-07 15:28:16.000000000 -0500
- @@ -55,6 +55,7 @@ extern const EVP_CIPHER *evp_ssh1_bf(voi
- extern const EVP_CIPHER *evp_ssh1_3des(void);
- extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
- extern const EVP_CIPHER *evp_aes_128_ctr(void);
- +extern const EVP_CIPHER *evp_aes_ctr_mt(void);
- extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
- struct Cipher {
- @@ -82,9 +83,9 @@ struct Cipher {
- { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
- { "rijndael-cbc@lysator.liu.se",
- SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
- - { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr },
- - { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr },
- - { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr },
- + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_ctr_mt },
- + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_ctr_mt },
- + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_ctr_mt },
- #ifdef USE_CIPHER_ACSS
- { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss },
- #endif
- @@ -163,7 +164,7 @@ ciphers_valid(const char *names)
- for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
- (p = strsep(&cp, CIPHER_SEP))) {
- c = cipher_by_name(p);
- - if (c == NULL || c->number != SSH_CIPHER_SSH2) {
- + if (c == NULL || (c->number != SSH_CIPHER_SSH2 && c->number != SSH_CIPHER_NONE)) {
- debug("bad cipher %s [%s]", p, names);
- xfree(cipher_list);
- return 0;
- @@ -337,6 +338,7 @@ cipher_get_keyiv(CipherContext *cc, u_ch
- int evplen;
- switch (c->number) {
- + case SSH_CIPHER_NONE:
- case SSH_CIPHER_SSH2:
- case SSH_CIPHER_DES:
- case SSH_CIPHER_BLOWFISH:
- @@ -371,6 +373,7 @@ cipher_set_keyiv(CipherContext *cc, u_ch
- int evplen = 0;
- switch (c->number) {
- + case SSH_CIPHER_NONE:
- case SSH_CIPHER_SSH2:
- case SSH_CIPHER_DES:
- case SSH_CIPHER_BLOWFISH:
- diff -NupwB canonical/cipher-ctr-mt.c kitchen/cipher-ctr-mt.c
- --- canonical/cipher-ctr-mt.c 1969-12-31 19:00:00.000000000 -0500
- +++ kitchen/cipher-ctr-mt.c 2012-11-07 15:28:16.000000000 -0500
- @@ -0,0 +1,473 @@
- +/*
- + * OpenSSH Multi-threaded AES-CTR Cipher
- + *
- + * Author: Benjamin Bennett <ben@psc.edu>
- + * Copyright (c) 2008 Pittsburgh Supercomputing Center. All rights reserved.
- + *
- + * Based on original OpenSSH AES-CTR cipher. Small portions remain unchanged,
- + * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
- + *
- + * Permission to use, copy, modify, and distribute this software for any
- + * purpose with or without fee is hereby granted, provided that the above
- + * copyright notice and this permission notice appear in all copies.
- + *
- + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- + */
- +#include "includes.h"
- +
- +#include <sys/types.h>
- +
- +#include <stdarg.h>
- +#include <string.h>
- +
- +#include <openssl/evp.h>
- +
- +#include "xmalloc.h"
- +#include "log.h"
- +
- +/* compatibility with old or broken OpenSSL versions */
- +#include "openbsd-compat/openssl-compat.h"
- +
- +#ifndef USE_BUILTIN_RIJNDAEL
- +#include <openssl/aes.h>
- +#endif
- +
- +#include <pthread.h>
- +
- +/*-------------------- TUNABLES --------------------*/
- +/* Number of pregen threads to use */
- +#define CIPHER_THREADS 2
- +
- +/* Number of keystream queues */
- +#define NUMKQ (CIPHER_THREADS + 2)
- +
- +/* Length of a keystream queue */
- +#define KQLEN 4096
- +
- +/* Processor cacheline length */
- +#define CACHELINE_LEN 64
- +
- +/* Collect thread stats and print at cancellation when in debug mode */
- +/* #define CIPHER_THREAD_STATS */
- +
- +/* Use single-byte XOR instead of 8-byte XOR */
- +/* #define CIPHER_BYTE_XOR */
- +/*-------------------- END TUNABLES --------------------*/
- +
- +
- +const EVP_CIPHER *evp_aes_ctr_mt(void);
- +
- +#ifdef CIPHER_THREAD_STATS
- +/*
- + * Struct to collect thread stats
- + */
- +struct thread_stats {
- + u_int fills;
- + u_int skips;
- + u_int waits;
- + u_int drains;
- +};
- +
- +/*
- + * Debug print the thread stats
- + * Use with pthread_cleanup_push for displaying at thread cancellation
- + */
- +static void
- +thread_loop_stats(void *x)
- +{
- + struct thread_stats *s = x;
- +
- + debug("tid %lu - %u fills, %u skips, %u waits", pthread_self(),
- + s->fills, s->skips, s->waits);
- +}
- +
- + #define STATS_STRUCT(s) struct thread_stats s
- + #define STATS_INIT(s) { memset(&s, 0, sizeof(s)); }
- + #define STATS_FILL(s) { s.fills++; }
- + #define STATS_SKIP(s) { s.skips++; }
- + #define STATS_WAIT(s) { s.waits++; }
- + #define STATS_DRAIN(s) { s.drains++; }
- +#else
- + #define STATS_STRUCT(s)
- + #define STATS_INIT(s)
- + #define STATS_FILL(s)
- + #define STATS_SKIP(s)
- + #define STATS_WAIT(s)
- + #define STATS_DRAIN(s)
- +#endif
- +
- +/* Keystream Queue state */
- +enum {
- + KQINIT,
- + KQEMPTY,
- + KQFILLING,
- + KQFULL,
- + KQDRAINING
- +};
- +
- +/* Keystream Queue struct */
- +struct kq {
- + u_char keys[KQLEN][AES_BLOCK_SIZE];
- + u_char ctr[AES_BLOCK_SIZE];
- + u_char pad0[CACHELINE_LEN];
- + volatile int qstate;
- + pthread_mutex_t lock;
- + pthread_cond_t cond;
- + u_char pad1[CACHELINE_LEN];
- +};
- +
- +/* Context struct */
- +struct ssh_aes_ctr_ctx
- +{
- + struct kq q[NUMKQ];
- + AES_KEY aes_ctx;
- + STATS_STRUCT(stats);
- + u_char aes_counter[AES_BLOCK_SIZE];
- + pthread_t tid[CIPHER_THREADS];
- + int state;
- + int qidx;
- + int ridx;
- +};
- +
- +/* <friedl>
- + * increment counter 'ctr',
- + * the counter is of size 'len' bytes and stored in network-byte-order.
- + * (LSB at ctr[len-1], MSB at ctr[0])
- + */
- +static void
- +ssh_ctr_inc(u_char *ctr, u_int len)
- +{
- + int i;
- +
- + for (i = len - 1; i >= 0; i--)
- + if (++ctr[i]) /* continue on overflow */
- + return;
- +}
- +
- +/*
- + * Add num to counter 'ctr'
- + */
- +static void
- +ssh_ctr_add(u_char *ctr, uint32_t num, u_int len)
- +{
- + int i;
- + uint16_t n;
- +
- + for (n = 0, i = len - 1; i >= 0 && (num || n); i--) {
- + n = ctr[i] + (num & 0xff) + n;
- + num >>= 8;
- + ctr[i] = n & 0xff;
- + n >>= 8;
- + }
- +}
- +
- +/*
- + * Threads may be cancelled in a pthread_cond_wait, we must free the mutex
- + */
- +static void
- +thread_loop_cleanup(void *x)
- +{
- + pthread_mutex_unlock((pthread_mutex_t *)x);
- +}
- +
- +/*
- + * The life of a pregen thread:
- + * Find empty keystream queues and fill them using their counter.
- + * When done, update counter for the next fill.
- + */
- +static void *
- +thread_loop(void *x)
- +{
- + AES_KEY key;
- + STATS_STRUCT(stats);
- + struct ssh_aes_ctr_ctx *c = x;
- + struct kq *q;
- + int i;
- + int qidx;
- +
- + /* Threads stats on cancellation */
- + STATS_INIT(stats);
- +#ifdef CIPHER_THREAD_STATS
- + pthread_cleanup_push(thread_loop_stats, &stats);
- +#endif
- +
- + /* Thread local copy of AES key */
- + memcpy(&key, &c->aes_ctx, sizeof(key));
- +
- + /*
- + * Handle the special case of startup, one thread must fill
- + * the first KQ then mark it as draining. Lock held throughout.
- + */
- + if (pthread_equal(pthread_self(), c->tid[0])) {
- + q = &c->q[0];
- + pthread_mutex_lock(&q->lock);
- + if (q->qstate == KQINIT) {
- + for (i = 0; i < KQLEN; i++) {
- + AES_encrypt(q->ctr, q->keys[i], &key);
- + ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
- + }
- + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
- + q->qstate = KQDRAINING;
- + STATS_FILL(stats);
- + pthread_cond_broadcast(&q->cond);
- + }
- + pthread_mutex_unlock(&q->lock);
- + }
- + else
- + STATS_SKIP(stats);
- +
- + /*
- + * Normal case is to find empty queues and fill them, skipping over
- + * queues already filled by other threads and stopping to wait for
- + * a draining queue to become empty.
- + *
- + * Multiple threads may be waiting on a draining queue and awoken
- + * when empty. The first thread to wake will mark it as filling,
- + * others will move on to fill, skip, or wait on the next queue.
- + */
- + for (qidx = 1;; qidx = (qidx + 1) % NUMKQ) {
- + /* Check if I was cancelled, also checked in cond_wait */
- + pthread_testcancel();
- +
- + /* Lock queue and block if its draining */
- + q = &c->q[qidx];
- + pthread_mutex_lock(&q->lock);
- + pthread_cleanup_push(thread_loop_cleanup, &q->lock);
- + while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
- + STATS_WAIT(stats);
- + pthread_cond_wait(&q->cond, &q->lock);
- + }
- + pthread_cleanup_pop(0);
- +
- + /* If filling or full, somebody else got it, skip */
- + if (q->qstate != KQEMPTY) {
- + pthread_mutex_unlock(&q->lock);
- + STATS_SKIP(stats);
- + continue;
- + }
- +
- + /*
- + * Empty, let's fill it.
- + * Queue lock is relinquished while we do this so others
- + * can see that it's being filled.
- + */
- + q->qstate = KQFILLING;
- + pthread_mutex_unlock(&q->lock);
- + for (i = 0; i < KQLEN; i++) {
- + AES_encrypt(q->ctr, q->keys[i], &key);
- + ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
- + }
- +
- + /* Re-lock, mark full and signal consumer */
- + pthread_mutex_lock(&q->lock);
- + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
- + q->qstate = KQFULL;
- + STATS_FILL(stats);
- + pthread_cond_signal(&q->cond);
- + pthread_mutex_unlock(&q->lock);
- + }
- +
- +#ifdef CIPHER_THREAD_STATS
- + /* Stats */
- + pthread_cleanup_pop(1);
- +#endif
- +
- + return NULL;
- +}
- +
- +static int
- +ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
- + u_int len)
- +{
- + struct ssh_aes_ctr_ctx *c;
- + struct kq *q, *oldq;
- + int ridx;
- + u_char *buf;
- +
- + if (len == 0)
- + return (1);
- + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
- + return (0);
- +
- + q = &c->q[c->qidx];
- + ridx = c->ridx;
- +
- + /* src already padded to block multiple */
- + while (len > 0) {
- + buf = q->keys[ridx];
- +
- +#ifdef CIPHER_BYTE_XOR
- + dest[0] = src[0] ^ buf[0];
- + dest[1] = src[1] ^ buf[1];
- + dest[2] = src[2] ^ buf[2];
- + dest[3] = src[3] ^ buf[3];
- + dest[4] = src[4] ^ buf[4];
- + dest[5] = src[5] ^ buf[5];
- + dest[6] = src[6] ^ buf[6];
- + dest[7] = src[7] ^ buf[7];
- + dest[8] = src[8] ^ buf[8];
- + dest[9] = src[9] ^ buf[9];
- + dest[10] = src[10] ^ buf[10];
- + dest[11] = src[11] ^ buf[11];
- + dest[12] = src[12] ^ buf[12];
- + dest[13] = src[13] ^ buf[13];
- + dest[14] = src[14] ^ buf[14];
- + dest[15] = src[15] ^ buf[15];
- +#else
- + *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;
- + *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^
- + *(uint64_t *)(buf + 8);
- +#endif
- +
- + dest += 16;
- + src += 16;
- + len -= 16;
- + ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
- +
- + /* Increment read index, switch queues on rollover */
- + if ((ridx = (ridx + 1) % KQLEN) == 0) {
- + oldq = q;
- +
- + /* Mark next queue draining, may need to wait */
- + c->qidx = (c->qidx + 1) % NUMKQ;
- + q = &c->q[c->qidx];
- + pthread_mutex_lock(&q->lock);
- + while (q->qstate != KQFULL) {
- + STATS_WAIT(c->stats);
- + pthread_cond_wait(&q->cond, &q->lock);
- + }
- + q->qstate = KQDRAINING;
- + pthread_mutex_unlock(&q->lock);
- +
- + /* Mark consumed queue empty and signal producers */
- + pthread_mutex_lock(&oldq->lock);
- + oldq->qstate = KQEMPTY;
- + STATS_DRAIN(c->stats);
- + pthread_cond_broadcast(&oldq->cond);
- + pthread_mutex_unlock(&oldq->lock);
- + }
- + }
- + c->ridx = ridx;
- + return (1);
- +}
- +
- +#define HAVE_NONE 0
- +#define HAVE_KEY 1
- +#define HAVE_IV 2
- +static int
- +ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
- + int enc)
- +{
- + struct ssh_aes_ctr_ctx *c;
- + int i;
- +
- + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
- + c = xmalloc(sizeof(*c));
- +
- + c->state = HAVE_NONE;
- + for (i = 0; i < NUMKQ; i++) {
- + pthread_mutex_init(&c->q[i].lock, NULL);
- + pthread_cond_init(&c->q[i].cond, NULL);
- + }
- +
- + STATS_INIT(c->stats);
- +
- + EVP_CIPHER_CTX_set_app_data(ctx, c);
- + }
- +
- + if (c->state == (HAVE_KEY | HAVE_IV)) {
- + /* Cancel pregen threads */
- + for (i = 0; i < CIPHER_THREADS; i++)
- + pthread_cancel(c->tid[i]);
- + for (i = 0; i < CIPHER_THREADS; i++)
- + pthread_join(c->tid[i], NULL);
- + /* Start over getting key & iv */
- + c->state = HAVE_NONE;
- + }
- +
- + if (key != NULL) {
- + AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
- + &c->aes_ctx);
- + c->state |= HAVE_KEY;
- + }
- +
- + if (iv != NULL) {
- + memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
- + c->state |= HAVE_IV;
- + }
- +
- + if (c->state == (HAVE_KEY | HAVE_IV)) {
- + /* Clear queues */
- + memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE);
- + c->q[0].qstate = KQINIT;
- + for (i = 1; i < NUMKQ; i++) {
- + memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE);
- + ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE);
- + c->q[i].qstate = KQEMPTY;
- + }
- + c->qidx = 0;
- + c->ridx = 0;
- +
- + /* Start threads */
- + for (i = 0; i < CIPHER_THREADS; i++) {
- + pthread_create(&c->tid[i], NULL, thread_loop, c);
- + }
- + pthread_mutex_lock(&c->q[0].lock);
- + while (c->q[0].qstate != KQDRAINING)
- + pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
- + pthread_mutex_unlock(&c->q[0].lock);
- +
- + }
- + return (1);
- +}
- +
- +static int
- +ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
- +{
- + struct ssh_aes_ctr_ctx *c;
- + int i;
- +
- + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
- +#ifdef CIPHER_THREAD_STATS
- + debug("main thread: %u drains, %u waits", c->stats.drains,
- + c->stats.waits);
- +#endif
- + /* Cancel pregen threads */
- + for (i = 0; i < CIPHER_THREADS; i++)
- + pthread_cancel(c->tid[i]);
- + for (i = 0; i < CIPHER_THREADS; i++)
- + pthread_join(c->tid[i], NULL);
- +
- + memset(c, 0, sizeof(*c));
- + xfree(c);
- + EVP_CIPHER_CTX_set_app_data(ctx, NULL);
- + }
- + return (1);
- +}
- +
- +/* <friedl> */
- +const EVP_CIPHER *
- +evp_aes_ctr_mt(void)
- +{
- + static EVP_CIPHER aes_ctr;
- +
- + memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
- + aes_ctr.nid = NID_undef;
- + aes_ctr.block_size = AES_BLOCK_SIZE;
- + aes_ctr.iv_len = AES_BLOCK_SIZE;
- + aes_ctr.key_len = 16;
- + aes_ctr.init = ssh_aes_ctr_init;
- + aes_ctr.cleanup = ssh_aes_ctr_cleanup;
- + aes_ctr.do_cipher = ssh_aes_ctr;
- +#ifndef SSH_OLD_EVP
- + aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
- +#endif
- + return (&aes_ctr);
- +}
- diff -NupwB canonical/clientloop.c kitchen/clientloop.c
- --- canonical/clientloop.c 2012-02-10 16:18:17.000000000 -0500
- +++ kitchen/clientloop.c 2012-11-07 15:28:16.000000000 -0500
- @@ -1825,9 +1825,15 @@ client_request_x11(const char *request_t
- sock = x11_connect_display();
- if (sock < 0)
- return NULL;
- + /* again is this really necessary for X11? */
- + if (options.hpn_disabled)
- c = channel_new("x11",
- SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
- + else
- + c = channel_new("x11",
- + SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- + options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
- c->force_drain = 1;
- return c;
- }
- @@ -1879,6 +1885,14 @@ client_request_tun_fwd(int tun_mode, int
- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
- + if(options.hpn_disabled)
- + c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- + 0, "tun", 1);
- + else
- + c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
- + 0, "tun", 1);
- c->datagram = 1;
- #if defined(SSH_TUN_FILTER)
- diff -NupwB canonical/compat.c kitchen/compat.c
- --- canonical/compat.c 2011-10-02 03:59:03.000000000 -0400
- +++ kitchen/compat.c 2012-11-07 15:28:16.000000000 -0500
- @@ -171,6 +171,15 @@ compat_datafellows(const char *version)
- strlen(check[i].pat), 0) == 1) {
- debug("match: %s pat %s", version, check[i].pat);
- datafellows = check[i].bugs;
- + /* Check to see if the remote side is OpenSSH and not HPN */
- + if(strstr(version,"OpenSSH") != NULL)
- + {
- + if (strstr(version,"hpn") == NULL)
- + {
- + datafellows |= SSH_BUG_LARGEWINDOW;
- + debug("Remote is NON-HPN aware");
- + }
- + }
- return;
- }
- }
- diff -NupwB canonical/compat.h kitchen/compat.h
- --- canonical/compat.h 2011-10-02 03:59:03.000000000 -0400
- +++ kitchen/compat.h 2012-11-07 15:29:51.000000000 -0500
- @@ -59,6 +59,7 @@
- #define SSH_BUG_RFWD_ADDR 0x02000000
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
- +#define SSH_BUG_LARGEWINDOW 0x10000000
- void enable_compat13(void);
- void enable_compat20(void);
- Common subdirectories: canonical/contrib and kitchen/contrib
- diff -NupwB canonical/kex.c kitchen/kex.c
- --- canonical/kex.c 2010-09-24 08:11:14.000000000 -0400
- +++ kitchen/kex.c 2012-11-07 15:28:16.000000000 -0500
- @@ -49,6 +49,7 @@
- #include "dispatch.h"
- #include "monitor.h"
- #include "roaming.h"
- +#include "canohost.h"
- #if OPENSSL_VERSION_NUMBER >= 0x00907000L
- # if defined(HAVE_EVP_SHA256)
- @@ -91,7 +92,8 @@ kex_names_valid(const char *names)
- }
- /* put algorithm proposal into buffer */
- -static void
- +/* used in sshconnect.c as well as kex.c */
- +void
- kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
- {
- u_int i;
- @@ -408,6 +410,14 @@ kex_choose_conf(Kex *kex)
- u_int mode, ctos, need;
- int first_kex_follows, type;
- + int log_flag = 0;
- +
- + int auth_flag;
- +
- + auth_flag = packet_authentication_state();
- +
- + debug ("AUTH STATE IS %d", auth_flag);
- +
- my = kex_buf2prop(&kex->my, NULL);
- peer = kex_buf2prop(&kex->peer, &first_kex_follows);
- @@ -441,11 +451,34 @@ kex_choose_conf(Kex *kex)
- choose_enc (&newkeys->enc, cprop[nenc], sprop[nenc]);
- choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]);
- choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
- + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
- + if (strcmp(newkeys->enc.name, "none") == 0) {
- + debug("Requesting NONE. Authflag is %d", auth_flag);
- + if (auth_flag == 1) {
- + debug("None requested post authentication.");
- + } else {
- + fatal("Pre-authentication none cipher requests are not allowed.");
- + }
- + }
- debug("kex: %s %s %s %s",
- ctos ? "client->server" : "server->client",
- newkeys->enc.name,
- newkeys->mac.name,
- newkeys->comp.name);
- + /* client starts withctos = 0 && log flag = 0 and no log*/
- + /* 2nd client pass ctos=1 and flag = 1 so no log*/
- + /* server starts with ctos =1 && log_flag = 0 so log */
- + /* 2nd sever pass ctos = 1 && log flag = 1 so no log*/
- + /* -cjr*/
- + if (ctos && !log_flag) {
- + logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
- + get_remote_ipaddr(),
- + get_remote_port(),
- + newkeys->enc.name,
- + newkeys->mac.name,
- + newkeys->comp.name);
- + }
- + log_flag = 1;
- }
- choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
- choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
- diff -NupwB canonical/kex.h kitchen/kex.h
- --- canonical/kex.h 2010-09-24 08:11:14.000000000 -0400
- +++ kitchen/kex.h 2012-11-07 15:28:16.000000000 -0500
- @@ -138,6 +138,8 @@ struct Kex {
- void (*kex[KEX_MAX])(Kex *);
- };
- +void kex_prop2buf(Buffer *, char *proposal[PROPOSAL_MAX]);
- +
- int kex_names_valid(const char *);
- Kex *kex_setup(char *[PROPOSAL_MAX]);
- diff -NupwB canonical/Makefile.in kitchen/Makefile.in
- --- canonical/Makefile.in 2012-04-03 21:27:57.000000000 -0400
- +++ kitchen/Makefile.in 2012-11-07 15:28:16.000000000 -0500
- @@ -43,7 +43,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- SSHLIBS=@SSHLIBS@
- SSHDLIBS=@SSHDLIBS@
- LIBEDIT=@LIBEDIT@
- @@ -63,7 +63,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
- LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
- - cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
- + cipher-bf1.o cipher-ctr.o cipher-ctr-mt.o cipher-3des1.o cleanup.o \
- compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
- log.o match.o md-sha256.o moduli.o nchan.o packet.o \
- readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
- diff -NupwB canonical/myproposal.h kitchen/myproposal.h
- --- canonical/myproposal.h 2011-08-16 20:29:03.000000000 -0400
- +++ kitchen/myproposal.h 2012-11-07 15:28:16.000000000 -0500
- @@ -75,6 +75,8 @@
- "arcfour256,arcfour128," \
- "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
- "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
- +#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \
- + ",none"
- #ifdef HAVE_EVP_SHA256
- #define SHA2_HMAC_MODES \
- "hmac-sha2-256," \
- Common subdirectories: canonical/openbsd-compat and kitchen/openbsd-compat
- diff -NupwB canonical/packet.c kitchen/packet.c
- --- canonical/packet.c 2012-03-08 18:28:07.000000000 -0500
- +++ kitchen/packet.c 2012-11-07 15:28:16.000000000 -0500
- @@ -838,7 +838,7 @@ packet_enable_delayed_compress(void)
- /*
- * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
- */
- -static void
- +static int
- packet_send2_wrapped(void)
- {
- u_char type, *cp, *macbuf = NULL;
- @@ -957,11 +957,13 @@ packet_send2_wrapped(void)
- set_newkeys(MODE_OUT);
- else if (type == SSH2_MSG_USERAUTH_SUCCESS && active_state->server_side)
- packet_enable_delayed_compress();
- + return(packet_length);
- }
- -static void
- +static int
- packet_send2(void)
- {
- + static int packet_length = 0;
- struct packet *p;
- u_char type, *cp;
- @@ -981,7 +983,7 @@ packet_send2(void)
- sizeof(Buffer));
- buffer_init(&active_state->outgoing_packet);
- TAILQ_INSERT_TAIL(&active_state->outgoing, p, next);
- - return;
- + return(sizeof(Buffer));
- }
- }
- @@ -1002,19 +1004,22 @@ packet_send2(void)
- sizeof(Buffer));
- TAILQ_REMOVE(&active_state->outgoing, p, next);
- xfree(p);
- - packet_send2_wrapped();
- + packet_length += packet_send2_wrapped();
- }
- }
- + return(packet_length);
- }
- -void
- +int
- packet_send(void)
- {
- + int packet_len = 0;
- if (compat20)
- - packet_send2();
- + packet_len = packet_send2();
- else
- packet_send1();
- DBG(debug("packet_send done"));
- + return(packet_len);
- }
- /*
- @@ -1647,12 +1652,14 @@ packet_disconnect(const char *fmt,...)
- /* Checks if there is any buffered output, and tries to write some of the output. */
- -void
- +int
- packet_write_poll(void)
- {
- - int len = buffer_len(&active_state->output);
- + int len = 0;
- int cont;
- + len = buffer_len(&active_state->output);
- +
- if (len > 0) {
- cont = 0;
- len = roaming_write(active_state->connection_out,
- @@ -1660,13 +1667,14 @@ packet_write_poll(void)
- if (len == -1) {
- if (errno == EINTR || errno == EAGAIN ||
- errno == EWOULDBLOCK)
- - return;
- + return (0);
- fatal("Write failed: %.100s", strerror(errno));
- }
- if (len == 0 && !cont)
- fatal("Write connection closed");
- buffer_consume(&active_state->output, len);
- }
- + return(len);
- }
- /*
- @@ -1867,12 +1875,24 @@ packet_send_ignore(int nbytes)
- }
- }
- +int rekey_requested = 0;
- +void
- +packet_request_rekeying(void)
- +{
- + rekey_requested = 1;
- +}
- +
- #define MAX_PACKETS (1U<<31)
- int
- packet_need_rekeying(void)
- {
- if (datafellows & SSH_BUG_NOREKEY)
- return 0;
- + if (rekey_requested == 1)
- + {
- + rekey_requested = 0;
- + return 1;
- + }
- return
- (active_state->p_send.packets > MAX_PACKETS) ||
- (active_state->p_read.packets > MAX_PACKETS) ||
- @@ -1964,3 +1984,8 @@ packet_restore_state(void)
- add_recv_bytes(len);
- }
- }
- +int
- +packet_authentication_state(void)
- +{
- + return(active_state->after_authentication);
- +}
- diff -NupwB canonical/packet.h kitchen/packet.h
- --- canonical/packet.h 2012-02-10 16:19:21.000000000 -0500
- +++ kitchen/packet.h 2012-11-07 15:28:16.000000000 -0500
- @@ -19,6 +19,8 @@
- #include <termios.h>
- #include <openssl/bn.h>
- +void
- +packet_request_rekeying(void);
- #ifdef OPENSSL_HAS_ECC
- #include <openssl/ec.h>
- #endif
- @@ -38,6 +40,7 @@ void packet_set_interactive(int, int
- int packet_is_interactive(void);
- void packet_set_server(void);
- void packet_set_authenticated(void);
- +int packet_authentication_state(void);
- void packet_start(u_char);
- void packet_put_char(int ch);
- @@ -51,7 +54,7 @@ void packet_put_ecpoint(const EC_GRO
- void packet_put_string(const void *buf, u_int len);
- void packet_put_cstring(const char *str);
- void packet_put_raw(const void *buf, u_int len);
- -void packet_send(void);
- +int packet_send(void);
- int packet_read(void);
- void packet_read_expect(int type);
- @@ -85,7 +88,7 @@ int packet_get_ssh1_cipher(void);
- void packet_set_iv(int, u_char *);
- void *packet_get_newkeys(int);
- -void packet_write_poll(void);
- +int packet_write_poll(void);
- void packet_write_wait(void);
- int packet_have_data_to_write(void);
- int packet_not_very_much_data_to_write(void);
- diff -NupwB canonical/progressmeter.c kitchen/progressmeter.c
- --- canonical/progressmeter.c 2006-08-04 22:39:40.000000000 -0400
- +++ kitchen/progressmeter.c 2012-11-07 15:28:16.000000000 -0500
- @@ -68,6 +68,8 @@ static time_t last_update; /* last progr
- static char *file; /* name of the file being transferred */
- static off_t end_pos; /* ending position of transfer */
- static off_t cur_pos; /* transfer position as of last refresh */
- +static off_t last_pos;
- +static off_t max_delta_pos = 0;
- static volatile off_t *counter; /* progress counter */
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
- @@ -128,12 +130,17 @@ refresh_progress_meter(void)
- int hours, minutes, seconds;
- int i, len;
- int file_len;
- + off_t delta_pos;
- transferred = *counter - cur_pos;
- cur_pos = *counter;
- now = time(NULL);
- bytes_left = end_pos - cur_pos;
- + delta_pos = cur_pos - last_pos;
- + if (delta_pos > max_delta_pos)
- + max_delta_pos = delta_pos;
- +
- if (bytes_left > 0)
- elapsed = now - last_update;
- else {
- @@ -158,7 +165,7 @@ refresh_progress_meter(void)
- /* filename */
- buf[0] = '\0';
- - file_len = win_size - 35;
- + file_len = win_size - 45;
- if (file_len > 0) {
- len = snprintf(buf, file_len + 1, "\r%s", file);
- if (len < 0)
- @@ -175,7 +182,7 @@ refresh_progress_meter(void)
- percent = ((float)cur_pos / end_pos) * 100;
- else
- percent = 100;
- - snprintf(buf + strlen(buf), win_size - strlen(buf),
- + snprintf(buf + strlen(buf), win_size - strlen(buf-8),
- " %3d%% ", percent);
- /* amount transferred */
- @@ -183,6 +190,15 @@ refresh_progress_meter(void)
- cur_pos);
- strlcat(buf, " ", win_size);
- + /* instantaneous rate */
- + if (bytes_left > 0)
- + format_rate(buf + strlen(buf), win_size - strlen(buf),
- + delta_pos);
- + else
- + format_rate(buf + strlen(buf), win_size - strlen(buf),
- + max_delta_pos);
- + strlcat(buf, "/s ", win_size);
- +
- /* bandwidth usage */
- format_rate(buf + strlen(buf), win_size - strlen(buf),
- (off_t)bytes_per_second);
- @@ -224,6 +240,7 @@ refresh_progress_meter(void)
- atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
- last_update = now;
- + last_pos = cur_pos;
- }
- /*ARGSUSED*/
- diff -NupwB canonical/readconf.c kitchen/readconf.c
- --- canonical/readconf.c 2011-10-02 03:59:03.000000000 -0400
- +++ kitchen/readconf.c 2012-11-07 15:28:16.000000000 -0500
- @@ -140,6 +140,8 @@ typedef enum {
- oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
- oKexAlgorithms, oIPQoS, oRequestTTY,
- + oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
- + oHPNBufferSize,
- oProtocolKeepAlives, oSetupTimeOut,
- oDeprecated, oUnsupported
- } OpCodes;
- @@ -247,6 +249,13 @@ static struct {
- { "ipqos", oIPQoS },
- { "requesttty", oRequestTTY },
- + { "noneenabled", oNoneEnabled },
- + { "tcprcvbufpoll", oTcpRcvBufPoll },
- + { "tcprcvbuf", oTcpRcvBuf },
- + { "noneswitch", oNoneSwitch },
- + { "hpndisabled", oHPNDisabled },
- + { "hpnbuffersize", oHPNBufferSize },
- +
- { NULL, oBadOption }
- };
- @@ -495,6 +504,36 @@ parse_flag:
- intptr = &options->check_host_ip;
- goto parse_flag;
- + case oNoneEnabled:
- + intptr = &options->none_enabled;
- + goto parse_flag;
- +
- + /* we check to see if the command comes from the */
- + /* command line or not. If it does then enable it */
- + /* otherwise fail. NONE should never be a default configuration */
- + case oNoneSwitch:
- + if(strcmp(filename,"command-line") == 0) {
- + intptr = &options->none_switch;
- + goto parse_flag;
- + } else {
- + error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
- + error("Continuing...");
- + debug("NoneSwitch directive found in %.200s.", filename);
- + return 0;
- + }
- +
- + case oHPNDisabled:
- + intptr = &options->hpn_disabled;
- + goto parse_flag;
- +
- + case oHPNBufferSize:
- + intptr = &options->hpn_buffer_size;
- + goto parse_int;
- +
- + case oTcpRcvBufPoll:
- + intptr = &options->tcp_rcv_buf_poll;
- + goto parse_flag;
- +
- case oVerifyHostKeyDNS:
- intptr = &options->verify_host_key_dns;
- goto parse_yesnoask;
- @@ -680,6 +719,10 @@ parse_int:
- intptr = &options->connection_attempts;
- goto parse_int;
- + case oTcpRcvBuf:
- + intptr = &options->tcp_rcv_buf;
- + goto parse_int;
- +
- case oCipher:
- intptr = &options->cipher;
- arg = strdelim(&s);
- @@ -1203,6 +1246,13 @@ initialize_options(Options * options)
- options->ip_qos_interactive = -1;
- options->ip_qos_bulk = -1;
- options->request_tty = -1;
- +
- + options->none_switch = -1;
- + options->none_enabled = -1;
- + options->hpn_disabled = -1;
- + options->hpn_buffer_size = -1;
- + options->tcp_rcv_buf_poll = -1;
- + options->tcp_rcv_buf = -1;
- }
- /*
- @@ -1339,6 +1389,30 @@ fill_default_options(Options * options)
- options->server_alive_interval = 0;
- if (options->server_alive_count_max == -1)
- options->server_alive_count_max = 3;
- + if (options->none_switch == -1)
- + options->none_switch = 0;
- + if (options->hpn_disabled == -1)
- + options->hpn_disabled = 0;
- + if (options->hpn_buffer_size > -1)
- + {
- + /* if a user tries to set the size to 0 set it to 1KB */
- + if (options->hpn_buffer_size == 0)
- + options->hpn_buffer_size = 1;
- + /*limit the buffer to 64MB*/
- + if (options->hpn_buffer_size > 64*1024)
- + {
- + options->hpn_buffer_size = 64*1024*1024;
- + debug("User requested buffer larger than 64MB. Request reverted to 64MB");
- + }
- + else options->hpn_buffer_size *= 1024;
- + debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
- + }
- + if (options->tcp_rcv_buf == 0)
- + options->tcp_rcv_buf = 1;
- + if (options->tcp_rcv_buf > -1)
- + options->tcp_rcv_buf *=1024;
- + if (options->tcp_rcv_buf_poll == -1)
- + options->tcp_rcv_buf_poll = 1;
- if (options->control_master == -1)
- options->control_master = 0;
- if (options->control_persist == -1) {
- diff -NupwB canonical/readconf.h kitchen/readconf.h
- --- canonical/readconf.h 2011-10-02 03:59:03.000000000 -0400
- +++ kitchen/readconf.h 2012-11-07 15:28:16.000000000 -0500
- @@ -61,6 +61,11 @@ typedef struct {
- int compression_level; /* Compression level 1 (fast) to 9
- * (best). */
- int tcp_keep_alive; /* Set SO_KEEPALIVE. */
- + int tcp_rcv_buf; /* user switch to set tcp recv buffer */
- + int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
- + int hpn_disabled; /* Switch to disable HPN buffer management */
- + int hpn_buffer_size; /* User definable size for HPN buffer window */
- +
- int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- LogLevel log_level; /* Level for logging. */
- @@ -109,6 +114,8 @@ typedef struct {
- int enable_ssh_keysign;
- int64_t rekey_limit;
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none to be used */
- int no_host_authentication_for_localhost;
- int identities_only;
- int server_alive_interval;
- Common subdirectories: canonical/regress and kitchen/regress
- Common subdirectories: canonical/scard and kitchen/scard
- diff -NupwB canonical/scp.c kitchen/scp.c
- --- canonical/scp.c 2011-09-22 07:38:01.000000000 -0400
- +++ kitchen/scp.c 2012-11-07 15:28:16.000000000 -0500
- @@ -731,7 +731,7 @@ source(int argc, char **argv)
- off_t i, statbytes;
- size_t amt;
- int fd = -1, haderr, indx;
- - char *last, *name, buf[2048], encname[MAXPATHLEN];
- + char *last, *name, buf[16384], encname[MAXPATHLEN];
- int len;
- for (indx = 0; indx < argc; ++indx) {
- @@ -913,7 +913,7 @@ sink(int argc, char **argv)
- mode_t mode, omode, mask;
- off_t size, statbytes;
- int setimes, targisdir, wrerrno = 0;
- - char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
- + char ch, *cp, *np, *targ, *why, *vect[1], buf[16384];
- struct timeval tv[2];
- #define atime tv[0]
- diff -NupwB canonical/servconf.c kitchen/servconf.c
- --- canonical/servconf.c 2011-10-02 03:57:38.000000000 -0400
- +++ kitchen/servconf.c 2012-11-07 15:28:16.000000000 -0500
- @@ -136,6 +136,10 @@ initialize_server_options(ServerOptions
- options->revoked_keys_file = NULL;
- options->trusted_user_ca_keys = NULL;
- options->authorized_principals_file = NULL;
- + options->none_enabled = -1;
- + options->tcp_rcv_buf_poll = -1;
- + options->hpn_disabled = -1;
- + options->hpn_buffer_size = -1;
- options->ip_qos_interactive = -1;
- options->ip_qos_bulk = -1;
- }
- @@ -143,6 +147,11 @@ initialize_server_options(ServerOptions
- void
- fill_default_server_options(ServerOptions *options)
- {
- + /* needed for hpn socket tests */
- + int sock;
- + int socksize;
- + int socksizelen = sizeof(int);
- +
- /* Portable-specific options */
- if (options->use_pam == -1)
- options->use_pam = 0;
- @@ -273,6 +282,43 @@ fill_default_server_options(ServerOption
- options->permit_tun = SSH_TUNMODE_NO;
- if (options->zero_knowledge_password_authentication == -1)
- options->zero_knowledge_password_authentication = 0;
- + if (options->hpn_disabled == -1)
- + options->hpn_disabled = 0;
- +
- + if (options->hpn_buffer_size == -1) {
- + /* option not explicitly set. Now we have to figure out */
- + /* what value to use */
- + if (options->hpn_disabled == 1) {
- + options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
- + } else {
- + /* get the current RCV size and set it to that */
- + /*create a socket but don't connect it */
- + /* we use that the get the rcv socket size */
- + sock = socket(AF_INET, SOCK_STREAM, 0);
- + getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
- + &socksize, &socksizelen);
- + close(sock);
- + options->hpn_buffer_size = socksize;
- + debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
- +
- + }
- + } else {
- + /* we have to do this incase the user sets both values in a contradictory */
- + /* manner. hpn_disabled overrrides hpn_buffer_size*/
- + if (options->hpn_disabled <= 0) {
- + if (options->hpn_buffer_size == 0)
- + options->hpn_buffer_size = 1;
- + /* limit the maximum buffer to 64MB */
- + if (options->hpn_buffer_size > 64*1024) {
- + options->hpn_buffer_size = 64*1024*1024;
- + } else {
- + options->hpn_buffer_size *= 1024;
- + }
- + } else
- + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- + }
- +
- +
- if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
- @@ -323,6 +369,7 @@ typedef enum {
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sZeroKnowledgePasswordAuthentication, sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
- + sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
- sKexAlgorithms, sIPQoS,
- sDeprecated, sUnsupported
- } ServerOpCodes;
- @@ -446,6 +493,10 @@ static struct {
- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- + { "noneenabled", sNoneEnabled, SSHCFG_ALL },
- + { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
- + { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
- + { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
- { "ipqos", sIPQoS, SSHCFG_ALL },
- { NULL, sBadOption, 0 }
- @@ -474,6 +525,7 @@ parse_token(const char *cp, const char *
- for (i = 0; keywords[i].name; i++)
- if (strcasecmp(cp, keywords[i].name) == 0) {
- + debug ("Config token is %s", keywords[i].name);
- *flags = keywords[i].flags;
- return keywords[i].opcode;
- }
- @@ -918,6 +970,23 @@ process_server_config_line(ServerOptions
- *intptr = value;
- break;
- +
- + case sNoneEnabled:
- + intptr = &options->none_enabled;
- + goto parse_flag;
- +
- + case sTcpRcvBufPoll:
- + intptr = &options->tcp_rcv_buf_poll;
- + goto parse_flag;
- +
- + case sHPNDisabled:
- + intptr = &options->hpn_disabled;
- + goto parse_flag;
- +
- + case sHPNBufferSize:
- + intptr = &options->hpn_buffer_size;
- + goto parse_int;
- +
- case sIgnoreUserKnownHosts:
- intptr = &options->ignore_user_known_hosts;
- goto parse_flag;
- diff -NupwB canonical/servconf.h kitchen/servconf.h
- --- canonical/servconf.h 2011-06-22 18:30:03.000000000 -0400
- +++ kitchen/servconf.h 2012-11-07 15:28:16.000000000 -0500
- @@ -158,6 +158,11 @@ typedef struct {
- int use_pam; /* Enable auth via PAM */
- + int none_enabled; /* enable NONE cipher switch */
- + int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
- + int hpn_disabled; /* disable hpn functionality. false by default */
- + int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
- +
- int permit_tun;
- int num_permitted_opens;
- diff -NupwB canonical/serverloop.c kitchen/serverloop.c
- --- canonical/serverloop.c 2011-05-20 05:02:50.000000000 -0400
- +++ kitchen/serverloop.c 2012-11-07 15:28:16.000000000 -0500
- @@ -94,10 +94,10 @@ static int fdin; /* Descriptor for stdi
- static int fdout; /* Descriptor for stdout (for reading);
- May be same number as fdin. */
- static int fderr; /* Descriptor for stderr. May be -1. */
- -static long stdin_bytes = 0; /* Number of bytes written to stdin. */
- -static long stdout_bytes = 0; /* Number of stdout bytes sent to client. */
- -static long stderr_bytes = 0; /* Number of stderr bytes sent to client. */
- -static long fdout_bytes = 0; /* Number of stdout bytes read from program. */
- +static u_long stdin_bytes = 0; /* Number of bytes written to stdin. */
- +static u_long stdout_bytes = 0; /* Number of stdout bytes sent to client. */
- +static u_long stderr_bytes = 0; /* Number of stderr bytes sent to client. */
- +static u_long fdout_bytes = 0; /* Number of stdout bytes read from program. */
- static int stdin_eof = 0; /* EOF message received from client. */
- static int fdout_eof = 0; /* EOF encountered reading from fdout. */
- static int fderr_eof = 0; /* EOF encountered readung from fderr. */
- @@ -122,6 +122,20 @@ static volatile sig_atomic_t received_si
- static void server_init_dispatch(void);
- /*
- + * Returns current time in seconds from Jan 1, 1970 with the maximum
- + * available resolution.
- + */
- +
- +static double
- +get_current_time(void)
- +{
- + struct timeval tv;
- + gettimeofday(&tv, NULL);
- + return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
- +}
- +
- +
- +/*
- * we write to this pipe if a SIGCHLD is caught in order to avoid
- * the race between select() and child_terminated
- */
- @@ -436,6 +450,7 @@ process_input(fd_set *readset)
- } else {
- buffer_append(&stdout_buffer, buf, len);
- fdout_bytes += len;
- + debug ("FD out now: %ld", fdout_bytes);
- }
- }
- /* Read and buffer any available stderr data from the program. */
- @@ -503,7 +518,7 @@ process_output(fd_set *writeset)
- }
- /* Send any buffered packet data to the client. */
- if (FD_ISSET(connection_out, writeset))
- - packet_write_poll();
- + stdin_bytes += packet_write_poll();
- }
- /*
- @@ -820,8 +835,10 @@ server_loop2(Authctxt *authctxt)
- {
- fd_set *readset = NULL, *writeset = NULL;
- int rekeying = 0, max_fd, nalloc = 0;
- + double start_time, total_time;
- debug("Entering interactive session for SSH2.");
- + start_time = get_current_time();
- mysignal(SIGCHLD, sigchld_handler);
- child_terminated = 0;
- @@ -883,6 +900,11 @@ server_loop2(Authctxt *authctxt)
- /* free remaining sessions, e.g. remove wtmp entries */
- session_destroy_all(NULL);
- + total_time = get_current_time() - start_time;
- + logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f",
- + get_remote_ipaddr(), get_remote_port(),
- + stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time,
- + fdout_bytes / total_time);
- }
- static void
- @@ -998,8 +1020,12 @@ server_request_tun(void)
- sock = tun_open(tun, mode);
- if (sock < 0)
- goto done;
- + if (options.hpn_disabled)
- c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
- + else
- + c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
- + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
- c->datagram = 1;
- #if defined(SSH_TUN_FILTER)
- if (mode == SSH_TUNMODE_POINTOPOINT)
- @@ -1035,6 +1061,8 @@ server_request_session(void)
- c = channel_new("session", SSH_CHANNEL_LARVAL,
- -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
- 0, "server-session", 1);
- + if ((options.tcp_rcv_buf_poll) && (!options.hpn_disabled))
- + c->dynamic_window = 1;
- if (session_open(the_authctxt, c->self) != 1) {
- debug("session open failed, free channel %d", c->self);
- channel_free(c);
- diff -NupwB canonical/session.c kitchen/session.c
- --- canonical/session.c 2011-11-03 19:55:24.000000000 -0400
- +++ kitchen/session.c 2012-11-07 15:28:16.000000000 -0500
- @@ -236,6 +236,7 @@ auth_input_request_forwarding(struct pas
- }
- /* Allocate a channel for the authentication agent socket. */
- + /* this shouldn't matter if its hpn or not - cjr */
- nc = channel_new("auth socket",
- SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- @@ -2278,10 +2279,16 @@ session_set_fds(Session *s, int fdin, in
- */
- if (s->chanid == -1)
- fatal("no channel for session %d", s->self);
- + if (options.hpn_disabled)
- channel_set_fds(s->chanid,
- fdout, fdin, fderr,
- ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
- 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
- + else
- + channel_set_fds(s->chanid,
- + fdout, fdin, fderr,
- + ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
- + 1, is_tty, options.hpn_buffer_size);
- }
- /*
- diff -NupwB canonical/sftp.1 kitchen/sftp.1
- --- canonical/sftp.1 2011-09-22 07:34:15.000000000 -0400
- +++ kitchen/sftp.1 2012-11-07 15:28:16.000000000 -0500
- @@ -247,7 +247,8 @@ diagnostic messages from
- Specify how many requests may be outstanding at any one time.
- Increasing this may slightly improve file transfer speed
- but will increase memory usage.
- -The default is 64 outstanding requests.
- +The default is 256 outstanding requests providing for 8MB
- +of outstanding data with a 32KB buffer.
- .It Fl r
- Recursively copy entire directories when uploading and downloading.
- Note that
- diff -NupwB canonical/sftp.c kitchen/sftp.c
- --- canonical/sftp.c 2011-11-24 21:53:50.000000000 -0500
- +++ kitchen/sftp.c 2012-11-07 15:28:16.000000000 -0500
- @@ -69,7 +69,7 @@ typedef void EditLine;
- #include "sftp-client.h"
- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
- -#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
- +#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
- /* File to read commands from */
- FILE* infile;
- diff -NupwB canonical/ssh.c kitchen/ssh.c
- --- canonical/ssh.c 2011-11-03 19:54:22.000000000 -0400
- +++ kitchen/ssh.c 2012-11-07 15:28:16.000000000 -0500
- @@ -577,9 +577,6 @@ main(int ac, char **av)
- no_shell_flag = 1;
- options.request_tty = REQUEST_TTY_NO;
- break;
- - case 'T':
- - options.request_tty = REQUEST_TTY_NO;
- - break;
- case 'o':
- dummy = 1;
- line = xstrdup(optarg);
- @@ -588,6 +585,13 @@ main(int ac, char **av)
- exit(255);
- xfree(line);
- break;
- + case 'T':
- + no_shell_flag = 1;
- + /* ensure that the user doesn't try to backdoor a */
- + /* null cipher switch on an interactive session */
- + /* so explicitly disable it no matter what */
- + options.none_switch=0;
- + break;
- case 's':
- subsystem_flag = 1;
- break;
- @@ -1369,6 +1373,9 @@ ssh_session2_open(void)
- {
- Channel *c;
- int window, packetmax, in, out, err;
- + int sock;
- + int socksize;
- + int socksizelen = sizeof(int);
- if (stdin_null_flag) {
- in = open(_PATH_DEVNULL, O_RDONLY);
- @@ -1389,9 +1396,71 @@ ssh_session2_open(void)
- if (!isatty(err))
- set_nonblock(err);
- - window = CHAN_SES_WINDOW_DEFAULT;
- + /* we need to check to see if what they want to do about buffer */
- + /* sizes here. In a hpn to nonhpn connection we want to limit */
- + /* the window size to something reasonable in case the far side */
- + /* has the large window bug. In hpn to hpn connection we want to */
- + /* use the max window size but allow the user to override it */
- + /* lastly if they disabled hpn then use the ssh std window size */
- +
- + /* so why don't we just do a getsockopt() here and set the */
- + /* ssh window to that? In the case of a autotuning receive */
- + /* window the window would get stuck at the initial buffer */
- + /* size generally less than 96k. Therefore we need to set the */
- + /* maximum ssh window size to the maximum hpn buffer size */
- + /* unless the user has specifically set the tcprcvbufpoll */
- + /* to no. In which case we *can* just set the window to the */
- + /* minimum of the hpn buffer size and tcp receive buffer size */
- +
- + if (tty_flag)
- + options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
- + else
- + options.hpn_buffer_size = 2*1024*1024;
- +
- + if (datafellows & SSH_BUG_LARGEWINDOW)
- + {
- + debug("HPN to Non-HPN Connection");
- + }
- + else
- + {
- + if (options.tcp_rcv_buf_poll <= 0)
- + {
- + sock = socket(AF_INET, SOCK_STREAM, 0);
- + getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
- + &socksize, &socksizelen);
- + close(sock);
- + debug("socksize %d", socksize);
- + options.hpn_buffer_size = socksize;
- + debug ("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
- + }
- + else
- + {
- + if (options.tcp_rcv_buf > 0)
- + {
- + /*create a socket but don't connect it */
- + /* we use that the get the rcv socket size */
- + sock = socket(AF_INET, SOCK_STREAM, 0);
- + /* if they are using the tcp_rcv_buf option */
- + /* attempt to set the buffer size to that */
- + if (options.tcp_rcv_buf)
- + setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (void *)&options.tcp_rcv_buf,
- + sizeof(options.tcp_rcv_buf));
- + getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
- + &socksize, &socksizelen);
- + close(sock);
- + debug("socksize %d", socksize);
- + options.hpn_buffer_size = socksize;
- + debug ("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
- + }
- + }
- +
- + }
- + debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
- + window = options.hpn_buffer_size;
- + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
- packetmax = CHAN_SES_PACKET_DEFAULT;
- if (tty_flag) {
- + window = 4*CHAN_SES_PACKET_DEFAULT;
- window >>= 1;
- packetmax >>= 1;
- }
- @@ -1400,6 +1469,11 @@ ssh_session2_open(void)
- window, packetmax, CHAN_EXTENDED_WRITE,
- "client-session", /*nonblock*/0);
- + if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) {
- + c->dynamic_window = 1;
- + debug ("Enabled Dynamic Window Scaling\n");
- + }
- +
- debug3("ssh_session2_open: channel_new: %d", c->self);
- channel_send_open(c->self);
- diff -NupwB canonical/sshconnect2.c kitchen/sshconnect2.c
- --- canonical/sshconnect2.c 2011-05-29 07:42:34.000000000 -0400
- +++ kitchen/sshconnect2.c 2012-11-07 15:28:16.000000000 -0500
- @@ -81,6 +81,11 @@
- extern char *client_version_string;
- extern char *server_version_string;
- extern Options options;
- +extern Kex *xxx_kex;
- +
- +/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
- +/* if it is set then prevent the switch to the null cipher */
- +extern int tty_flag;
- /*
- * SSH2 key exchange
- @@ -420,6 +425,29 @@ ssh_userauth2(const char *local_user, co
- pubkey_cleanup(&authctxt);
- dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
- + /* if the user wants to use the none cipher do it */
- + /* post authentication and only if the right conditions are met */
- + /* both of the NONE commands must be true and there must be no */
- + /* tty allocated */
- + if ((options.none_switch == 1) && (options.none_enabled == 1))
- + {
- + if (!tty_flag) /* no null on tty sessions */
- + {
- + debug("Requesting none rekeying...");
- + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
- + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
- + kex_prop2buf(&xxx_kex->my,myproposal);
- + packet_request_rekeying();
- + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
- + }
- + else
- + {
- + /* requested NONE cipher when in a tty */
- + debug("Cannot switch to NONE cipher with tty allocated");
- + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
- + }
- + }
- +
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
- diff -NupwB canonical/sshconnect.c kitchen/sshconnect.c
- --- canonical/sshconnect.c 2011-05-29 07:42:34.000000000 -0400
- +++ kitchen/sshconnect.c 2012-11-07 15:28:16.000000000 -0500
- @@ -182,6 +182,33 @@ ssh_kill_proxy_command(void)
- }
- /*
- +
- + /*
- + * Set TCP receive buffer if requested.
- + * Note: tuning needs to happen after the socket is
- + * created but before the connection happens
- + * so winscale is negotiated properly -cjr
- + */
- +static void
- +ssh_set_socket_recvbuf(int sock)
- +{
- + void *buf = (void *)&options.tcp_rcv_buf;
- + int sz = sizeof(options.tcp_rcv_buf);
- + int socksize;
- + int socksizelen = sizeof(int);
- +
- + debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
- + if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
- + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
- + debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
- + }
- + else
- + error("Couldn't set socket receive buffer to %d: %.100s",
- + options.tcp_rcv_buf, strerror(errno));
- +}
- +
- +
- +/*
- * Creates a (possibly privileged) socket for use as the ssh connection.
- */
- static int
- @@ -204,6 +231,8 @@ ssh_create_socket(int privileged, struct
- strerror(errno));
- else
- debug("Allocated local port %d.", p);
- + if (options.tcp_rcv_buf > 0)
- + ssh_set_socket_recvbuf(sock);
- return sock;
- }
- sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
- @@ -213,6 +242,10 @@ ssh_create_socket(int privileged, struct
- }
- fcntl(sock, F_SETFD, FD_CLOEXEC);
- + if (options.tcp_rcv_buf > 0)
- + ssh_set_socket_recvbuf(sock);
- +
- +
- /* Bind the socket to an alternative local IP address */
- if (options.bind_address == NULL)
- return sock;
- diff -NupwB canonical/sshd.c kitchen/sshd.c
- --- canonical/sshd.c 2012-02-14 13:03:31.000000000 -0500
- +++ kitchen/sshd.c 2012-11-07 15:28:16.000000000 -0500
- @@ -138,6 +138,8 @@ int deny_severity;
- #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
- #define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4)
- +int myflag = 0;
- +
- extern char *__progname;
- /* Server configuration options. */
- @@ -472,6 +474,10 @@ sshd_exchange_identification(int sock_in
- debug("Client protocol version %d.%d; client software version %.100s",
- remote_major, remote_minor, remote_version);
- + logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
- + get_remote_ipaddr(), get_remote_port(),
- + remote_major, remote_minor, remote_version);
- +
- compat_datafellows(remote_version);
- if (datafellows & SSH_BUG_PROBE) {
- @@ -1028,6 +1034,9 @@ server_listen(void)
- struct addrinfo *ai;
- char ntop[NI_MAXHOST], strport[NI_MAXSERV];
- + int socksize;
- + int socksizelen = sizeof(int);
- +
- for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
- if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
- continue;
- @@ -1067,6 +1076,12 @@ server_listen(void)
- debug("Bind to port %s on %s.", strport, ntop);
- + getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
- + &socksize, &socksizelen);
- + debug("Server TCP RWIN socket size: %d", socksize);
- + debug("HPN Buffer Size: %d", options.hpn_buffer_size);
- +
- +
- /* Bind the socket to the desired port. */
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
- error("Bind to port %s on %s failed: %.200s.",
- @@ -1948,6 +1963,9 @@ main(int ac, char **av)
- /* Log the connection. */
- verbose("Connection from %.500s port %d", remote_ip, remote_port);
- + /* set the HPN options for the child */
- + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
- +
- /*
- * We don't want to listen forever unless the other side
- * successfully authenticates itself. So we set up an alarm which is
- @@ -2304,9 +2322,16 @@ do_ssh2_kex(void)
- {
- Kex *kex;
- + myflag++;
- + debug ("MYFLAG IS %d", myflag);
- +
- if (options.ciphers != NULL) {
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
- + } else if (options.none_enabled == 1) {
- + debug ("WARNING: None cipher enabled");
- + myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- + myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE;
- }
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
- diff -NupwB canonical/sshd_config kitchen/sshd_config
- --- canonical/sshd_config 2011-05-29 07:39:39.000000000 -0400
- +++ kitchen/sshd_config 2012-11-07 15:28:16.000000000 -0500
- @@ -114,6 +114,19 @@ AuthorizedKeysFile .ssh/authorized_keys
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
- +# the following are HPN related configuration options
- +# tcp receive buffer polling. disable in non autotuning kernels
- +#TcpRcvBufPoll yes
- +
- +# allow the use of the none cipher
- +#NoneEnabled no
- +
- +# disable hpn performance boosts.
- +#HPNDisabled no
- +
- +# buffer size for hpn to non-hpn connections
- +#HPNBufferSize 2048
- +
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
- diff -NupwB canonical/version.h kitchen/version.h
- --- canonical/version.h 2012-02-10 16:19:44.000000000 -0500
- +++ kitchen/version.h 2012-11-07 16:04:59.000000000 -0500
- @@ -3,7 +3,8 @@
- #define SSH_VERSION "OpenSSH_6.0"
- #define SSH_PORTABLE "p1"
- -#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
- +#define SSH_HPN "-hpn13v13"
- +#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE SSH_HPN
- #ifdef SSH_EXTRAVERSION
- #define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION
- #else
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement