author | Patrick McLean <chutzpah@gentoo.org> | 2016-09-08 18:36:46 -0700 |
---|---|---|
committer | Patrick McLean <chutzpah@gentoo.org> | 2016-09-08 18:37:33 -0700 |
commit | 31f5deb488712534fee522f663ca6bd6b50a888d (patch) | |
tree | bcd97141efaa72ff1b7fd255199c71eaec32ba47 /net-misc | |
parent | app-emulation/xen: security bump, XSA-185/186/187 (diff) | |
net-misc/openssh: Refactor new HPN patch to be it's own patch
Make my own patch rather than going with the patches on patches approach
Package-Manager: portage-2.3.0
Diffstat (limited to 'net-misc')
-rw-r--r-- | net-misc/openssh/Manifest | 2 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch | 213 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch | 490 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch | 4 | ||||
-rw-r--r-- | net-misc/openssh/openssh-7.3_p1-r3.ebuild | 22 |
5 files changed, 224 insertions, 507 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index c6667a52a2d8..81eba752e644 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -5,11 +5,11 @@ DIST openssh-7.1p2.tar.gz 1475829 SHA256 dd75f024dcf21e06a0d6421d582690bf987a1f6 DIST openssh-7.2_p1-sctp.patch.xz 8088 SHA256 b9cc21336e23d44548e87964da9ff85ac83ce84693162abb172afb46be4a666e SHA512 b287684337a101a26ab8df6894b679b063cdaa7dfc7b78fcc0ce8350c27526f150a6463c515019beb0af2ff005cc109d2913998f95f828e553b835a4df8b64df WHIRLPOOL 16646a896f746946af84961974be08418b951c80249dce2fd4ae533a4d66e79d4372fd979aeda9c51aff51b86edf4178af18379e948195696a6fa114e2757306 DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe39e4cd2da043384ec2ca45296a60669589 SHA512 c7ed07aae72fd4f967ab5717831c51ad639ca59633c3768f6930bab0947f5429391e3911a7570288a1c688c8c21747f3cb722538ae96de6b50a021010e1506fa WHIRLPOOL 7c1328e471b0e5e9576117ec563b66fea142886b0666b6d51ac9b8ec09286ba7a965b62796c32206e855e484180797a2c31d500c27289f3bc8c7db2d3af95e6f DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386 +DIST openssh-7.3_p1-hpn-14.10.patch.xz 20764 SHA256 1c3799d83b52fc5d9370a0d7ccc11f45db0cf089ece7b7b2f5f24943df16f918 SHA512 95e7dfbd3246678f997cb7818add9910136004b9e2e575122981f50b4eadd2517eb38a8de16bfe3a387e6cc65dbd15dae116649d55768767fc13f796a6d15a09 WHIRLPOOL 4167970087e17c8d9c2184109e85226f9a77d040868bd8b9ccab6ebc3d94f81b0d93489c3ad15b028e3fa842786cd2898dce54822b2e870470113634884285b4 DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 
1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99 DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4 DIST openssh-7.3p1+x509-9.1.diff.gz 584945 SHA256 1ce361813d585fb543f632d19f73a583e257a404c013587a2ee7a1c57710ae95 SHA512 11165544513eaff2b2e1f6dd11b9fb2870e59eb7e16377cf8fc1bf7e459cf8d09a91cf52f0d252df1bf618423ea8fb93099b96670cebc42aa2523dd439e59a89 WHIRLPOOL 8732cc52ef851a35c0dc8b35e8b6666d347f40ee60792aa23bae8e193ec6fa24928b67e6d8ebfc2c52090e78c525e908596020071495452965fa6244df1e459e DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c -DIST openssh-7_2_P2-hpn-14.10.diff 78587 SHA256 f083d4c4a2054808386e974accda385542ce150f0c0f079ec1a0d4fa78888b17 SHA512 49d772c6a071fe1883d5d2844aba1d327c40938af368ba349b44c643e10f4e2d02e5c889810f8914c61324fbf90e53547aa346fdbd47b22b2f8da6afc174692c WHIRLPOOL 516621cdbccae3ecc900fde1b1edd2bac807b628d631289e3002747901d7663f5a2545f6b0396415a850f9695dd57e2ab5dbc548584f2c973726b38ca4d57bac DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 
4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch new file mode 100644 index 000000000000..cac440608d20 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch 
@@ -0,0 +1,213 @@ +diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c +index fdc9b2f..0b35881 100644 +--- a/cipher-ctr-mt.c ++++ b/cipher-ctr-mt.c +@@ -127,7 +127,7 @@ struct kq { + u_char keys[KQLEN][AES_BLOCK_SIZE]; + u_char ctr[AES_BLOCK_SIZE]; + u_char pad0[CACHELINE_LEN]; +- volatile int qstate; ++ int qstate; + pthread_mutex_t lock; + pthread_cond_t cond; + u_char pad1[CACHELINE_LEN]; +@@ -141,6 +141,9 @@ struct ssh_aes_ctr_ctx + STATS_STRUCT(stats); + u_char aes_counter[AES_BLOCK_SIZE]; + pthread_t tid[CIPHER_THREADS]; ++ pthread_rwlock_t tid_lock; ++ pthread_rwlock_t stop_lock; ++ int exit_flag; + int state; + int qidx; + int ridx; +@@ -187,6 +190,23 @@ thread_loop_cleanup(void *x) + pthread_mutex_unlock((pthread_mutex_t *)x); + } + ++/* Check if we should exit, we are doing both cancel and exit condition ++ * since OSX seems to misbehave with cancel sometimes, so we want to have ++ * a backup to make sure that everything exits properly ++ */ ++static void ++thread_loop_check_exit(struct ssh_aes_ctr_ctx *c) ++{ ++ int exit_flag; ++ ++ pthread_rwlock_rdlock(&c->stop_lock); ++ exit_flag = c->exit_flag; ++ pthread_rwlock_unlock(&c->stop_lock); ++ ++ if (exit_flag == TRUE) ++ pthread_exit(NULL); ++} ++ + /* + * The life of a pregen thread: + * Find empty keystream queues and fill them using their counter. +@@ -201,6 +221,7 @@ thread_loop(void *x) + struct kq *q; + int i; + int qidx; ++ pthread_t first_tid; + + /* Threads stats on cancellation */ + STATS_INIT(stats); +@@ -211,11 +232,15 @@ thread_loop(void *x) + /* Thread local copy of AES key */ + memcpy(&key, &c->aes_ctx, sizeof(key)); + ++ pthread_rwlock_rdlock(&c->tid_lock); ++ first_tid = c->tid[0]; ++ pthread_rwlock_unlock(&c->tid_lock); ++ + /* + * Handle the special case of startup, one thread must fill + * the first KQ then mark it as draining. Lock held throughout. 
+ */ +- if (pthread_equal(pthread_self(), c->tid[0])) { ++ if (pthread_equal(pthread_self(), first_tid)) { + q = &c->q[0]; + pthread_mutex_lock(&q->lock); + if (q->qstate == KQINIT) { +@@ -245,12 +270,16 @@ thread_loop(void *x) + /* Check if I was cancelled, also checked in cond_wait */ + pthread_testcancel(); + ++ /* Check if we should exit as well */ ++ thread_loop_check_exit(c); ++ + /* Lock queue and block if its draining */ + q = &c->q[qidx]; + pthread_mutex_lock(&q->lock); + pthread_cleanup_push(thread_loop_cleanup, &q->lock); + while (q->qstate == KQDRAINING || q->qstate == KQINIT) { + STATS_WAIT(stats); ++ thread_loop_check_exit(c); + pthread_cond_wait(&q->cond, &q->lock); + } + pthread_cleanup_pop(0); +@@ -268,6 +297,7 @@ thread_loop(void *x) + * can see that it's being filled. + */ + q->qstate = KQFILLING; ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + for (i = 0; i < KQLEN; i++) { + AES_encrypt(q->ctr, q->keys[i], &key); +@@ -279,7 +309,7 @@ thread_loop(void *x) + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE); + q->qstate = KQFULL; + STATS_FILL(stats); +- pthread_cond_signal(&q->cond); ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + } + +@@ -371,6 +401,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, + pthread_cond_wait(&q->cond, &q->lock); + } + q->qstate = KQDRAINING; ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + + /* Mark consumed queue empty and signal producers */ +@@ -397,6 +428,9 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { + c = xmalloc(sizeof(*c)); ++ pthread_rwlock_init(&c->tid_lock, NULL); ++ pthread_rwlock_init(&c->stop_lock, NULL); ++ c->exit_flag = FALSE; + + c->state = HAVE_NONE; + for (i = 0; i < NUMKQ; i++) { +@@ -409,11 +443,22 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + } + + if (c->state == (HAVE_KEY 
| HAVE_IV)) { ++ /* tell the pregen threads to exit */ ++ pthread_rwlock_wrlock(&c->stop_lock); ++ c->exit_flag = TRUE; ++ pthread_rwlock_unlock(&c->stop_lock); ++ + /* Cancel pregen threads */ + for (i = 0; i < CIPHER_THREADS; i++) + pthread_cancel(c->tid[i]); ++ for (i = 0; i < NUMKQ; i++) { ++ pthread_mutex_lock(&c->q[i].lock); ++ pthread_cond_broadcast(&c->q[i].cond); ++ pthread_mutex_unlock(&c->q[i].lock); ++ } + for (i = 0; i < CIPHER_THREADS; i++) + pthread_join(c->tid[i], NULL); ++ + /* Start over getting key & iv */ + c->state = HAVE_NONE; + } +@@ -444,10 +489,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + /* Start threads */ + for (i = 0; i < CIPHER_THREADS; i++) { + debug("spawned a thread"); ++ pthread_rwlock_wrlock(&c->tid_lock); + pthread_create(&c->tid[i], NULL, thread_loop, c); ++ pthread_rwlock_unlock(&c->tid_lock); + } + pthread_mutex_lock(&c->q[0].lock); +- while (c->q[0].qstate != KQDRAINING) ++ while (c->q[0].qstate == KQINIT) + pthread_cond_wait(&c->q[0].cond, &c->q[0].lock); + pthread_mutex_unlock(&c->q[0].lock); + } +@@ -463,10 +510,21 @@ ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx) + struct ssh_aes_ctr_ctx *c; + int i; + c = EVP_CIPHER_CTX_get_app_data(ctx); ++ ++ /* notify threads that they should exit */ ++ pthread_rwlock_wrlock(&c->stop_lock); ++ c->exit_flag = TRUE; ++ pthread_rwlock_unlock(&c->stop_lock); ++ + /* destroy threads */ + for (i = 0; i < CIPHER_THREADS; i++) { + pthread_cancel(c->tid[i]); + } ++ for (i = 0; i < NUMKQ; i++) { ++ pthread_mutex_lock(&c->q[i].lock); ++ pthread_cond_broadcast(&c->q[i].cond); ++ pthread_mutex_unlock(&c->q[i].lock); ++ } + for (i = 0; i < CIPHER_THREADS; i++) { + pthread_join(c->tid[i], NULL); + } +@@ -481,7 +539,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx) + /* reconstruct threads */ + for (i = 0; i < CIPHER_THREADS; i++) { + debug("spawned a thread"); ++ pthread_rwlock_wrlock(&c->tid_lock); + pthread_create(&c->tid[i], NULL, thread_loop, c); 
++ pthread_rwlock_unlock(&c->tid_lock); + } + } + +@@ -496,9 +556,19 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) + debug("main thread: %u drains, %u waits", c->stats.drains, + c->stats.waits); + #endif ++ /* tell the pregen threads to exit */ ++ pthread_rwlock_wrlock(&c->stop_lock); ++ c->exit_flag = TRUE; ++ pthread_rwlock_unlock(&c->stop_lock); ++ + /* Cancel pregen threads */ + for (i = 0; i < CIPHER_THREADS; i++) + pthread_cancel(c->tid[i]); ++ for (i = 0; i < NUMKQ; i++) { ++ pthread_mutex_lock(&c->q[i].lock); ++ pthread_cond_broadcast(&c->q[i].cond); ++ pthread_mutex_unlock(&c->q[i].lock); ++ } + for (i = 0; i < CIPHER_THREADS; i++) + pthread_join(c->tid[i], NULL); + diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch deleted file mode 100644 index 40c775bc32db..000000000000 --- a/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch +++ /dev/null 
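Review bot: `exit_flag` is never cleared before threads are respawned: it is set to TRUE in the rekey branch of ssh_aes_ctr_init, in ssh_aes_ctr_thread_destroy and in ssh_aes_ctr_cleanup, but the only `c->exit_flag = FALSE` in the patch sits in the first-allocation branch. Threads created by the later `pthread_create` loops in ssh_aes_ctr_init and ssh_aes_ctr_thread_reconstruction would then leave at their first `thread_loop_check_exit(c)` call, which presumably stalls the session once the pregenerated keystream queues are drained. Reset the flag under the lock before each respawn loop: `pthread_rwlock_wrlock(&c->stop_lock); c->exit_flag = FALSE; pthread_rwlock_unlock(&c->stop_lock);`. The results of `pthread_rwlock_init` and `pthread_create` are also ignored, so a failed create leaves `c->tid[i]` unset for the later cancel and join. The bodies of these functions extend beyond the context shown in the nested hunks, so a reset outside the changed lines cannot be ruled out from here.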
@@ -1,490 +0,0 @@ ---- openssh-7_2_P2-hpn-14.10.diff.orig 2016-09-01 10:34:05.905112131 -0700 -+++ openssh-7_2_P2-hpn-14.10.diff 2016-09-08 11:35:18.015979358 -0700 -@@ -156,145 +156,6 @@ - compat.o crc32.o deattack.o fatal.o hostfile.o \ - log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \ - readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ --diff --git a/auth2.c b/auth2.c --index 7177962..4af53f0 100644 ----- a/auth2.c --+++ b/auth2.c --@@ -50,6 +50,7 @@ -- #include "dispatch.h" -- #include "pathnames.h" -- #include "buffer.h" --+#include "canohost.h" -- -- #ifdef GSSAPI -- #include "ssh-gss.h" --@@ -73,6 +74,8 @@ extern Authmethod method_hostbased; -- extern Authmethod method_gssapi; -- #endif -- --+static int log_flag = 0; --+ -- Authmethod *authmethods[] = { -- &method_none, -- &method_pubkey, --@@ -224,6 +227,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) -- service = packet_get_cstring(NULL); -- method = packet_get_cstring(NULL); -- debug("userauth-request for user %s service %s method %s", user, service, method); --+ if (!log_flag) { --+ logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s", --+ get_remote_ipaddr(), get_remote_port(), user); --+ log_flag = 1; --+ } -- debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); -- -- if ((style = strchr(user, ':')) != NULL) --diff --git a/canohost.c b/canohost.c --index 223964e..db35f73 100644 ----- a/canohost.c --+++ b/canohost.c --@@ -338,13 +338,13 @@ clear_cached_addr(void) -- */ -- -- const char * ---get_remote_ipaddr(void) --+ssh_get_remote_ipaddr(struct ssh *ssh) -- { -- /* Check whether we have cached the ipaddr. 
*/ -- if (canonical_host_ip == NULL) { --- if (packet_connection_is_on_socket()) { --+ if (ssh_packet_connection_is_on_socket(ssh)) { -- canonical_host_ip = --- get_peer_ipaddr(packet_get_connection_in()); --+ get_peer_ipaddr(ssh_packet_get_connection_in(ssh)); -- if (canonical_host_ip == NULL) -- cleanup_exit(255); -- } else { --@@ -356,6 +356,12 @@ get_remote_ipaddr(void) -- } -- -- const char * --+get_remote_ipaddr(void) --+{ --+ return ssh_get_remote_ipaddr(active_state); --+} --+ --+const char * -- get_remote_name_or_ip(u_int utmp_len, int use_dns) -- { -- static const char *remote = ""; --@@ -410,17 +416,17 @@ get_sock_port(int sock, int local) -- /* Returns remote/local port number for the current connection. */ -- -- static int ---get_port(int local) --+get_port(struct ssh *ssh, int local) -- { -- /* -- * If the connection is not a socket, return 65535. This is -- * intentionally chosen to be an unprivileged port number. -- */ --- if (!packet_connection_is_on_socket()) --+ if (!ssh_packet_connection_is_on_socket(ssh)) -- return 65535; -- -- /* Get socket and return the port number. */ --- return get_sock_port(packet_get_connection_in(), local); --+ return get_sock_port(ssh_packet_get_connection_in(ssh), local); -- } -- -- int --@@ -430,17 +436,23 @@ get_peer_port(int sock) -- } -- -- int ---get_remote_port(void) --+ssh_get_remote_port(struct ssh *ssh) -- { -- /* Cache to avoid getpeername() on a dead connection */ -- if (cached_port == -1) --- cached_port = get_port(0); --+ cached_port = get_port(ssh, 0); -- -- return cached_port; -- } -- -- int --+get_remote_port(void) --+{ --+ return ssh_get_remote_port(active_state); --+} --+ --+int -- get_local_port(void) -- { --- return get_port(1); --+ return get_port(active_state, 1); -- } --diff --git a/canohost.h b/canohost.h --index 4c8636f..4d60b27 100644 ----- a/canohost.h --+++ b/canohost.h --@@ -12,8 +12,11 @@ -- * called by a name other than "ssh" or "Secure Shell". 
-- */ -- --+struct ssh; --+ -- const char *get_canonical_hostname(int); -- const char *get_remote_ipaddr(void); --+const char *ssh_get_remote_ipaddr(struct ssh *); -- const char *get_remote_name_or_ip(u_int, int); -- -- char *get_peer_ipaddr(int); --@@ -22,6 +25,7 @@ char *get_local_ipaddr(int); -- char *get_local_name(int); -- -- int get_remote_port(void); --+int ssh_get_remote_port(struct ssh *); -- int get_local_port(void); -- int get_sock_port(int, int); -- void clear_cached_addr(void); - diff --git a/channels.c b/channels.c - index c9d2015..13b30a1 100644 - --- a/channels.c -@@ -519,7 +380,7 @@ - index 0000000..fdc9b2f - --- /dev/null - 
+++ b/cipher-ctr-mt.c --@@ -0,0 +1,533 @@ -+@@ -0,0 +1,585 @@ - +/* - + * OpenSSH Multi-threaded AES-CTR Cipher - + * -@@ -649,7 +510,7 @@ - + u_char keys[KQLEN][AES_BLOCK_SIZE]; - + u_char ctr[AES_BLOCK_SIZE]; - + u_char pad0[CACHELINE_LEN]; --+ volatile int qstate; -++ int qstate; - + pthread_mutex_t lock; - + pthread_cond_t cond; - + u_char pad1[CACHELINE_LEN]; -@@ -663,6 +524,9 @@ - + STATS_STRUCT(stats); - + u_char aes_counter[AES_BLOCK_SIZE]; - + pthread_t tid[CIPHER_THREADS]; -++ pthread_rwlock_t tid_lock; -++ pthread_rwlock_t stop_lock; -++ int exit_flag; - + int state; - + int qidx; - + int ridx; -@@ -709,6 +573,19 @@ - + pthread_mutex_unlock((pthread_mutex_t *)x); - +} - + -++static void -++thread_loop_check_exit(struct ssh_aes_ctr_ctx *c) -++{ -++ int exit_flag; -++ -++ pthread_rwlock_rdlock(&c->stop_lock); -++ exit_flag = c->exit_flag; -++ pthread_rwlock_unlock(&c->stop_lock); -++ -++ if (exit_flag == TRUE) -++ pthread_exit(NULL); -++} -++ - +/* - + * The life of a pregen thread: - + * Find empty keystream queues and fill them using their counter. -@@ -723,6 +600,7 @@ - + struct kq *q; - + int i; - + int qidx; -++ pthread_t first_tid; - + - + /* Threads stats on cancellation */ - + STATS_INIT(stats); -@@ -733,11 +611,15 @@ - + /* Thread local copy of AES key */ - + memcpy(&key, &c->aes_ctx, sizeof(key)); - + -++ pthread_rwlock_rdlock(&c->tid_lock); -++ first_tid = c->tid[0]; -++ pthread_rwlock_unlock(&c->tid_lock); -++ - + /* - + * Handle the special case of startup, one thread must fill - + * the first KQ then mark it as draining. Lock held throughout. - + */ --+ if (pthread_equal(pthread_self(), c->tid[0])) { -++ if (pthread_equal(pthread_self(), first_tid)) { - + q = &c->q[0]; - + pthread_mutex_lock(&q->lock); - + if (q->qstate == KQINIT) { -@@ -764,8 +646,8 @@ - + * others will move on to fill, skip, or wait on the next queue. 
- + */ - + for (qidx = 1;; qidx = (qidx + 1) % NUMKQ) { --+ /* Check if I was cancelled, also checked in cond_wait */ --+ pthread_testcancel(); -++ /* Check if we should exit */ -++ thread_loop_check_exit(c); - + - + /* Lock queue and block if its draining */ - + q = &c->q[qidx]; -@@ -773,6 +655,7 @@ - + pthread_cleanup_push(thread_loop_cleanup, &q->lock); - + while (q->qstate == KQDRAINING || q->qstate == KQINIT) { - + STATS_WAIT(stats); -++ thread_loop_check_exit(c); - + pthread_cond_wait(&q->cond, &q->lock); - + } - + pthread_cleanup_pop(0); -@@ -790,6 +673,7 @@ - + * can see that it's being filled. - + */ - + q->qstate = KQFILLING; -++ pthread_cond_broadcast(&q->cond); - + pthread_mutex_unlock(&q->lock); - + for (i = 0; i < KQLEN; i++) { - + AES_encrypt(q->ctr, q->keys[i], &key); -@@ -801,7 +685,7 @@ - + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE); - + q->qstate = KQFULL; - + STATS_FILL(stats); --+ pthread_cond_signal(&q->cond); -++ pthread_cond_broadcast(&q->cond); - + pthread_mutex_unlock(&q->lock); - + } - + -@@ -893,6 +777,7 @@ - + pthread_cond_wait(&q->cond, &q->lock); - + } - + q->qstate = KQDRAINING; -++ pthread_cond_broadcast(&q->cond); - + pthread_mutex_unlock(&q->lock); - + - + /* Mark consumed queue empty and signal producers */ -@@ -919,6 +804,9 @@ - + - + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { - + c = xmalloc(sizeof(*c)); -++ pthread_rwlock_init(&c->tid_lock, NULL); -++ pthread_rwlock_init(&c->stop_lock, NULL); -++ c->exit_flag = FALSE; - + - + c->state = HAVE_NONE; - + for (i = 0; i < NUMKQ; i++) { -@@ -931,11 +819,19 @@ - + } - + - + if (c->state == (HAVE_KEY | HAVE_IV)) { --+ /* Cancel pregen threads */ --+ for (i = 0; i < CIPHER_THREADS; i++) --+ pthread_cancel(c->tid[i]); -++ /* tell the pregen threads to exit */ -++ pthread_rwlock_wrlock(&c->stop_lock); -++ c->exit_flag = TRUE; -++ pthread_rwlock_unlock(&c->stop_lock); -++ -++ for (i = 0; i < NUMKQ; i++) { -++ pthread_mutex_lock(&c->q[i].lock); -++ 
pthread_cond_broadcast(&c->q[i].cond); -++ pthread_mutex_unlock(&c->q[i].lock); -++ } - + for (i = 0; i < CIPHER_THREADS; i++) - + pthread_join(c->tid[i], NULL); -++ - + /* Start over getting key & iv */ - + c->state = HAVE_NONE; - + } -@@ -966,10 +862,12 @@ - + /* Start threads */ - + for (i = 0; i < CIPHER_THREADS; i++) { - + debug("spawned a thread"); -++ pthread_rwlock_wrlock(&c->tid_lock); - + pthread_create(&c->tid[i], NULL, thread_loop, c); -++ pthread_rwlock_unlock(&c->tid_lock); - + } - + pthread_mutex_lock(&c->q[0].lock); --+ while (c->q[0].qstate != KQDRAINING) -++ while (c->q[0].qstate == KQINIT) - + pthread_cond_wait(&c->q[0].cond, &c->q[0].lock); - + pthread_mutex_unlock(&c->q[0].lock); - + } -@@ -985,9 +883,15 @@ - + struct ssh_aes_ctr_ctx *c; - + int i; - + c = EVP_CIPHER_CTX_get_app_data(ctx); --+ /* destroy threads */ --+ for (i = 0; i < CIPHER_THREADS; i++) { --+ pthread_cancel(c->tid[i]); -++ /* notify threads that they should exit */ -++ pthread_rwlock_wrlock(&c->stop_lock); -++ c->exit_flag = TRUE; -++ pthread_rwlock_unlock(&c->stop_lock); -++ -++ for (i = 0; i < NUMKQ; i++) { -++ pthread_mutex_lock(&c->q[i].lock); -++ pthread_cond_broadcast(&c->q[i].cond); -++ pthread_mutex_unlock(&c->q[i].lock); - + } - + for (i = 0; i < CIPHER_THREADS; i++) { - + pthread_join(c->tid[i], NULL); -@@ -1003,7 +907,9 @@ - + /* reconstruct threads */ - + for (i = 0; i < CIPHER_THREADS; i++) { - + debug("spawned a thread"); -++ pthread_rwlock_wrlock(&c->tid_lock); - + pthread_create(&c->tid[i], NULL, thread_loop, c); -++ pthread_rwlock_unlock(&c->tid_lock); - + } - +} - + -@@ -1018,9 +924,16 @@ - + debug("main thread: %u drains, %u waits", c->stats.drains, - + c->stats.waits); - +#endif --+ /* Cancel pregen threads */ --+ for (i = 0; i < CIPHER_THREADS; i++) --+ pthread_cancel(c->tid[i]); -++ /* tell the pregen threads to exit */ -++ pthread_rwlock_wrlock(&c->stop_lock); -++ c->exit_flag = TRUE; -++ pthread_rwlock_unlock(&c->stop_lock); -++ -++ for (i = 0; i < 
NUMKQ; i++) { -++ pthread_mutex_lock(&c->q[i].lock); -++ pthread_cond_broadcast(&c->q[i].cond); -++ pthread_mutex_unlock(&c->q[i].lock); -++ } - + for (i = 0; i < CIPHER_THREADS; i++) - + pthread_join(c->tid[i], NULL); - + -@@ -1270,7 +1183,7 @@ - - #include "ssherr.h" - #include "sshbuf.h" --+#include "canohost.h" -++#include "packet.h" - #include "digest.h" - - #if OPENSSL_VERSION_NUMBER >= 0x00907000L -@@ -1312,8 +1225,8 @@ - + */ - + if (ctos && !log_flag) { - + logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s", --+ ssh_get_remote_ipaddr(ssh), --+ ssh_get_remote_port(ssh), -++ ssh_remote_ipaddr(ssh), -++ ssh_remote_port(ssh), - + newkeys->enc.name, - + authlen == 0 ? newkeys->mac.name : "<implicit>", - + newkeys->comp.name); -@@ -1430,7 +1343,7 @@ - + rekey_requested = 0; - + return 1; - + } --+ -++ - /* Time-based rekeying */ - if (state->rekey_interval != 0 && - state->rekey_time + state->rekey_interval <= monotime()) -@@ -1490,7 +1403,7 @@ - - transferred = *counter - (cur_pos ? cur_pos : start_pos); - cur_pos = *counter; -- now = monotime(); -+ now = monotime_double(); - bytes_left = end_pos - cur_pos; - - + delta_pos = cur_pos - last_pos; -@@ -1564,8 +1477,8 @@ - { "canonicaldomains", oCanonicalDomains }, - { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal }, - 
@@ -282,6 +287,11 @@ static struct { -- { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, - { "ignoreunknown", oIgnoreUnknown }, -+ { "proxyjump", oProxyJump }, - - + { "tcprcvbufpoll", oTcpRcvBufPoll }, - + { "tcprcvbuf", oTcpRcvBuf }, -@@ -1736,8 +1649,8 @@ - off_t size, statbytes; - unsigned long long ull; - int setimes, targisdir, wrerrno = 0; --- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; --+ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384]; -+- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048]; -++ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384]; - struct timeval tv[2]; - - #define atime tv[0] -@@ -1956,32 +1869,6 @@ - } - - /* --@@ -820,11 +836,13 @@ void -- server_loop2(Authctxt *authctxt) -- { -- fd_set *readset = NULL, *writeset = NULL; --+ double start_time, total_time; -- int max_fd; -- u_int nalloc = 0; -- u_int64_t rekey_timeout_ms = 0; -- -- debug("Entering interactive session for SSH2."); --+ start_time = get_current_time(); -- -- mysignal(SIGCHLD, sigchld_handler); -- child_terminated = 0; --@@ -883,6 +901,11 @@ server_loop2(Authctxt *authctxt) -- -- /* free remaining sessions, e.g. remove wtmp entries */ -- session_destroy_all(NULL); --+ total_time = get_current_time() - start_time; --+ logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f", --+ get_remote_ipaddr(), get_remote_port(), --+ stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time, --+ fdout_bytes / total_time); -- } -- -- static int - 
@@ -1041,8 +1064,12 @@ server_request_tun(void) - sock = tun_open(tun, mode); - if (sock < 0) -@@ -2372,10 +2259,10 @@ - debug("Client protocol version %d.%d; client software version %.100s", - remote_major, remote_minor, remote_version); - + logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s", --+ get_remote_ipaddr(), get_remote_port(), -++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), - + remote_major, remote_minor, remote_version); - -- active_state->compat = compat_datafellows(remote_version); -+ ssh->compat = compat_datafellows(remote_version); - - @@ -1160,6 +1163,8 @@ server_listen(void) - int ret, listen_sock, on = 1; -@@ -2413,7 +2300,7 @@ - if (options.challenge_response_authentication) - options.kbd_interactive_authentication = 1; - @@ -2151,6 +2168,9 @@ main(int ac, char **av) -- remote_ip, remote_port, laddr, get_local_port()); -+ remote_ip, remote_port, laddr, ssh_local_port(ssh)); - free(laddr); - - + /* set the HPN options for the child */ -@@ -2486,11 +2373,10 @@ - index eb4e948..3692722 100644 - --- a/version.h - +++ b/version.h --@@ -3,4 +3,6 @@ -- #define SSH_VERSION "OpenSSH_7.2" -+@@ -3,4 +3,5 @@ -+ #define SSH_VERSION "OpenSSH_7.3" - -- #define SSH_PORTABLE "p2" -+ #define SSH_PORTABLE "p1" - -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE - +#define SSH_HPN "-hpn14v11" - +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN --+ diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch index 443392540f6c..d458e9efd7c0 100644 --- a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch @@ -1,5 +1,5 @@ ---- openssh-7_2_P2-hpn-14.10.diff.clean 2016-09-01 12:11:41.120750207 -0700 -+++ openssh-7_2_P2-hpn-14.10.diff 2016-09-01 14:00:44.311487904 -0700 +--- a/openssh-7.3_p1-hpn-14.10.patch 12:11:41.120750207 -0700 ++++ b/openssh-7.3_p1-hpn-14.10.patch 14:00:44.311487904 -0700 
@@ -141,7 +141,7 @@ @@ -44,7 +44,7 @@ CC=@CC@ LD=@LD@ diff --git a/net-misc/openssh/openssh-7.3_p1-r3.ebuild b/net-misc/openssh/openssh-7.3_p1-r3.ebuild index be91ad461a22..0e26a92de406 100644 --- a/net-misc/openssh/openssh-7.3_p1-r3.ebuild +++ b/net-misc/openssh/openssh-7.3_p1-r3.ebuild @@ -9,13 +9,10 @@ inherit eutils user flag-o-matic multilib autotools pam systemd versionator # Make it more portable between straight releases # and _p? releases. PARCH=${P/_} -HPN_PV="7.2_p2" +HPN_PV="${PV}" HPN_VER="14.10" -HPN_DIR_PV="${HPN_PV/_}" -HPN_PV="${HPN_PV/./_}" - -HPN_PATCH="${PN}-${HPN_PV/p/P}-hpn-14.10.diff" +HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10.patch" SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz" LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz" X509_VER="9.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" @@ -25,8 +22,8 @@ HOMEPAGE="http://www.openssh.org/" SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} ${HPN_PATCH:+hpn? ( - mirror://gentoo/${HPN_PATCH} - mirror://sourceforge/project/hpnssh/HPN-SSH%20${HPN_VER/./v}%20${HPN_DIR_PV}/${HPN_PATCH} + mirror://gentoo/${HPN_PATCH}.xz + http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz )} ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} @@ -121,8 +118,6 @@ src_prepare() { # don't break .ssh/authorized_keys2 for fun sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - use hpn && cp -L "${DISTDIR}"/${HPN_PATCH} "${WORKDIR}"/${HPN_PATCH} - if use X509 ; then pushd .. >/dev/null if use hpn ; then 
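Review bot: The second HPN source added in the SRC_URI hunk, `http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz`, is fetched over plain HTTP, and it replaces the SourceForge project location with a developer-hosted patch that changes sshd's cipher code. The `DIST openssh-7.3_p1-hpn-14.10.patch.xz` entry added to the Manifest still verifies the download, so the transport is not the only integrity control, but the URI should be `https://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz`. A one-line comment above `HPN_PATCH` stating how this file relates to the upstream HPN 14.10 diff would let the next maintainer trace its provenance.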
@@ -133,24 +128,23 @@ src_prepare() { epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch popd >/dev/null epatch "${WORKDIR}"/${X509_PATCH%.*} - #epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch - #save_version X509 + save_version X509 fi if use ldap ; then epatch "${WORKDIR}"/${LDAP_PATCH%.*} save_version LPK fi + epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch epatch "${WORKDIR}"/${SCTP_PATCH%.*} + if use hpn ; then #EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ # EPATCH_MULTI_MSG="Applying HPN patchset ..." \ # epatch "${WORKDIR}"/${HPN_PATCH%.*.*} - pushd "${WORKDIR}" >/dev/null - epatch "${FILESDIR}"/${P}-hpn-update.patch - popd >/dev/null epatch "${WORKDIR}"/${HPN_PATCH} + epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch save_version HPN fi |