Merge pull request #56 from rapier1/release_candidates
Merge 18.2.0-RC1 into Master
rapier1 authored Oct 27, 2023
2 parents 5c1ad8d + 70844a7 commit c868a3b
Showing 58 changed files with 1,483 additions and 1,101 deletions.
4 changes: 4 additions & 0 deletions .github/ci-status.md
Expand Up @@ -6,6 +6,10 @@ master :
[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
[![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)

9.4 :
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_4)
[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_4)

9.3 :
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_3)
[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_3)
11 changes: 11 additions & 0 deletions .github/configs
Expand Up @@ -30,6 +30,13 @@ case "$config" in
default|sol64)
;;
c89)
# If we don't have LLONG_MAX, configure will figure out that it can
# get it by setting -std=gnu99, at which point we won't be testing
# C89 any more. To avoid this, feed it in via CFLAGS.
llong_max=`gcc -E -dM - </dev/null | \
awk '$2=="__LONG_LONG_MAX__"{print $3}'`
CPPFLAGS="-DLLONG_MAX=${llong_max}"

CC="gcc"
CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
CONFIGFLAGS="--without-zlib"
Expand Down Expand Up @@ -213,6 +220,10 @@ case "$config" in
;;
esac
;;
zlib-develop)
INSTALL_ZLIB=develop
CONFIGFLAGS="--with-zlib=/opt/zlib --with-rpath=-Wl,-rpath,"
;;
*)
echo "Unknown configuration $config"
exit 1
Expand Down
8 changes: 8 additions & 0 deletions .github/setup_ci.sh
Expand Up @@ -135,6 +135,8 @@ for TARGET in $TARGETS; do
valgrind*)
PACKAGES="$PACKAGES valgrind"
;;
zlib-*)
;;
*) echo "Invalid option '${TARGET}'"
exit 1
;;
Expand Down Expand Up @@ -224,3 +226,9 @@ if [ ! -z "${INSTALL_BORINGSSL}" ]; then
cp ${HOME}/boringssl/build/crypto/libcrypto.a /opt/boringssl/lib &&
cp -r ${HOME}/boringssl/include /opt/boringssl)
fi

if [ ! -z "${INSTALL_ZLIB}" ]; then
(cd ${HOME} && git clone https://github.com/madler/zlib.git &&
cd ${HOME}/zlib && ./configure && make &&
sudo make install prefix=/opt/zlib)
fi
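Review bot: The new INSTALL_ZLIB block clones zlib's default branch at whatever tip it has that day and never records which revision was built, so a red zlib-develop run cannot be reproduced once upstream moves on. Tracking the tip is the point of this config, so pinning is not the fix; logging the checkout is enough, e.g. `cd ${HOME}/zlib && git rev-parse HEAD && ./configure && make &&`. The unquoted `${HOME}` expansions match the existing boringssl block directly above, so they are consistent with the file as it stands.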
11 changes: 6 additions & 5 deletions .github/workflows/c-cpp.yml
Expand Up @@ -28,7 +28,7 @@ jobs:
- { target: ubuntu-20.04, config: valgrind-2 }
- { target: ubuntu-20.04, config: valgrind-3 }
- { target: ubuntu-20.04, config: valgrind-4 }
- { target: ubuntu-20.04, config: valgrind-5 }
# - { target: ubuntu-20.04, config: valgrind-5 }
- { target: ubuntu-20.04, config: valgrind-6 }
- { target: ubuntu-20.04, config: valgrind-7 }
- { target: ubuntu-20.04, config: c89 }
Expand All @@ -38,10 +38,6 @@ jobs:
- { target: ubuntu-20.04, config: clang-10 }
- { target: ubuntu-20.04, config: clang-11 }
- { target: ubuntu-20.04, config: clang-12-Werror }
- { target: ubuntu-20.04, config: clang-sanitize-address }
- { target: ubuntu-20.04, config: clang-sanitize-undefined }
- { target: ubuntu-20.04, config: gcc-sanitize-address }
- { target: ubuntu-20.04, config: gcc-sanitize-undefined }
- { target: ubuntu-20.04, config: gcc-7 }
- { target: ubuntu-20.04, config: gcc-8 }
- { target: ubuntu-20.04, config: gcc-10 }
Expand All @@ -68,6 +64,7 @@ jobs:
- { target: ubuntu-latest, config: openssl-3.1.0 }
- { target: ubuntu-latest, config: openssl-1.1.1_stable }
- { target: ubuntu-latest, config: openssl-3.0 } # stable branch
- { target: ubuntu-latest, config: zlib-develop }
- { target: ubuntu-22.04, config: pam }
- { target: ubuntu-22.04, config: krb5 }
- { target: ubuntu-22.04, config: heimdal }
Expand All @@ -76,6 +73,10 @@ jobs:
- { target: ubuntu-22.04, config: selinux }
- { target: ubuntu-22.04, config: kitchensink }
- { target: ubuntu-22.04, config: without-openssl }
- { target: ubuntu-22.04, config: clang-sanitize-address }
- { target: ubuntu-22.04, config: clang-sanitize-undefined }
- { target: ubuntu-22.04, config: gcc-sanitize-address }
- { target: ubuntu-22.04, config: gcc-sanitize-undefined }
# we know pam doesn't work because we can't install a new pam file
# for hpnssh via the CI test methods
# - { target: macos-11, config: pam }
Expand Down
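Review bot: The valgrind-5 matrix entry is commented out with no stated reason, so a later reader cannot tell whether it is a known-broken job, a flaky one, or just slow, nor when it is safe to re-enable. The file already explains the disabled macos pam entry a few lines down; follow that convention and put the reason on the line, e.g. `# - { target: ubuntu-20.04, config: valgrind-5 }  # disabled: <reason>`. The sanitizer entries moved from ubuntu-20.04 to ubuntu-22.04 in the last hunk look intentional and need no comment.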
3 changes: 3 additions & 0 deletions .github/workflows/selfhosted.yml
Expand Up @@ -40,6 +40,8 @@ jobs:
- obsd67
- obsd69
- obsd70
- obsd72
- obsd73
- obsdsnap
- obsdsnap-i386
- openindiana
Expand Down Expand Up @@ -76,6 +78,7 @@ jobs:
- { target: ARM64, config: default, host: ARM64 }
- { target: ARM64, config: pam, host: ARM64 }
- { target: debian-riscv64, config: default, host: debian-riscv64 }
- { target: obsd-arm64, config: default, host: obsd-arm64 }
- { target: openwrt-mips, config: default, host: openwrt-mips }
- { target: openwrt-mipsel, config: default, host: openwrt-mipsel }
steps:
Expand Down
88 changes: 8 additions & 80 deletions HPN-README
Expand Up @@ -51,28 +51,23 @@ metrics from multiplexed sessions will report on the activity of all sessions on
This will likely result in less clear results and, as such, we suggest only gathering metrics
from non-multiplexed session.

SCP with Resume functionality
This feature allows SCP to resume failed transfers. In the event of a failed transfer
HPNSCP with Resume functionality
This feature allows hpnscp to resume failed transfers. In the event of a failed transfer
issues the same scp command with the '-R' option. For example - if you issued:
'scp myhugefile me@host:~'
'hpnscp myhugefile me@host:~'
and it dies halfway through the transfer issuing
'scp -Z myhugefile me@host:~'
'hpnscp -Z myhugefile me@host:~'
will resume the transfer at the point where it left off.

This is implemented by having the source host send a hash (blake2b512) of the file to the
target host. Teh target host then computes it's own hash of the target file. If the hashes match
target host. The target host then computes it's own hash of the target file. If the hashes match
then the file is skipped as this indicates a successful transfer. However, if the hashes do not
match then the target sends the source its hash along with the size of the file. The source then
computes the hash of the file *up to* the size of the target file. If those hashes match then
the source only send the necessary bytes to complete the transfer. If the hashes do not match then
the entire file is resent. If the target file is larger then the source file then the entire
source file is sent and any existing target file is overwritten.

SCP however, will use the first scp in the user's path. This might not support the resume
function and the attempt will fail. In those cases the user can explicitly define the path to the
resume enabled scp with the '-z' option. For example:

'scp -Z -z /opt/hpnssh/usr/bin/scp myhugefile me@host:~'

MULTI-THREADED AES CIPHER:
The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
Expand Down Expand Up @@ -124,63 +119,8 @@ more than 30%.

ex: scp -oNoneSwitch=yes -oNoneEnabled=yes -oNoneMacEnabled=yes file host:~

BUFFER SIZES:

If HPN is disabled the receive buffer size will be set to the
OpenSSH default of 2MB (for OpenSSH versions before 4.7: 64KB).

If an HPN system connects to a nonHPN system the receive buffer will
be set to the HPNBufferSize value. The default is 2MB but user adjustable.

If an HPN to HPN connection is established a number of different things might
happen based on the user options and conditions.

Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
HPN Buffer Size = up to 64MB
This is the default state. The HPN buffer size will grow to a maximum of 64MB
as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
geared towards 10GigE transcontinental connections.

Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
HPN Buffer Size = TCP receive buffer value.
Users on non-autotuning systems should disable TCPRcvBufPoll in the
ssh_config and sshd_config

Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
HPN Buffer Size = minimum of TCP receive buffer and HPNBufferSize.
This would be the system defined TCP receive buffer (RWIN).

Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
HPN Buffer Size = minimum of TCPRcvBuf and HPNBufferSize.
Generally there is no need to set both.

Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
HPN Buffer Size = grows to HPNBufferSize
The buffer will grow up to the maximum size specified here.

Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
HPN Buffer Size = minimum of TCPRcvBuf and HPNBufferSize.
Generally there is no need to set both of these, especially on autotuning
systems. However, if the users wishes to override the autotuning this would be
one way to do it.

Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
HPN Buffer Size = TCPRcvBuf.
This will override autotuning and set the TCP recieve buffer to the user defined
value.


HPN Specific Configuration options

TcpRcvBuf=[int]KB client
Set the TCP socket receive buffer to n Kilobytes. It can be set up to the
maximum socket size allowed by the system. This is useful in situations where
the tcp receive window is set low but the maximum buffer size is set
higher (as is typical). This works on a per TCP connection basis. You can also
use this to artifically limit the transfer rate of the connection. In these
cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
Default is the current system wide tcp receive buffer size.

TcpRcvBufPoll=[yes/no] client/server
Enable of disable the polling of the tcp receive buffer through the life
of the connection. You would want to make sure that this option is enabled
Expand Down Expand Up @@ -214,21 +154,6 @@ HPNDisabled=[yes/no] client/server
of the HPN code produces a net decrease in performance. In these cases it is
helpful to disable the HPN functionality. By default HPNDisabled is set to no.

HPNBufferSize=[int]KB client/server
This is the default buffer size the HPN functionality uses when interacting
with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
option as applied to the internal SSH flow control. This value can range from
1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
problems depending on the length of the network path. The default size of this buffer
is 2MB.

DisableMTAES=[yes/no] client/server
Switch the encryption cipher being used from the multithreaded MT-AES-CTR cipher
back to the stock single-threaded AES-CTR cipher. Useful on modern processors with
AES-NI instructions which make the stock single-threaded AES-CTR cipher faster than
the multithreaded MT-AES-CTR cipher. Set to no by default.


Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
The majority of the actual coding for versions up to HPN12v1 was performed
by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
Expand All @@ -240,3 +165,6 @@ Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc

Sponsors: Thanks to Niklas Hambuchen for being the first sponsor of HPN-SSH
via github's sponsor program!


Edited: October 11, 2023
35 changes: 34 additions & 1 deletion PROTOCOL
Expand Up @@ -104,6 +104,39 @@ http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.o

This is identical to curve25519-sha256 as later published in RFC8731.

1.9 transport: ping facility

OpenSSH implements a transport level ping message SSH2_MSG_PING
and a corresponding SSH2_MSG_PONG reply.

#define SSH2_MSG_PING 192
#define SSH2_MSG_PONG 193

The ping message is simply:

byte SSH_MSG_PING
string data

The reply copies the data (which may be the empty string) from the
ping:

byte SSH_MSG_PONG
string data

Replies are sent in order. They are sent immediately except when rekeying
is in progress, in which case they are queued until rekeying completes.

The server advertises support for these messages using the
SSH2_MSG_EXT_INFO mechanism (RFC8308), with the following message:

string "ping@openssh.com"
string "0" (version)

The ping/reply message is implemented at the transport layer rather
than as a named global or channel request to allow pings with very
short packet lengths, which would not be possible with other
approaches.

2. Connection protocol changes

2.1. connection: Channel write close extension "eow@openssh.com"
Expand Down Expand Up @@ -712,4 +745,4 @@ master instance and later clients.
OpenSSH extends the usual agent protocol. These changes are documented
in the PROTOCOL.agent file.

$OpenBSD: PROTOCOL,v 1.48 2022/11/07 01:53:01 dtucker Exp $
$OpenBSD: PROTOCOL,v 1.49 2023/08/28 03:28:43 djm Exp $
4 changes: 2 additions & 2 deletions PROTOCOL.agent
@@ -1,5 +1,5 @@
The SSH agent protocol is described in
https://tools.ietf.org/html/draft-miller-ssh-agent-04
https://tools.ietf.org/html/draft-miller-ssh-agent

This file documents OpenSSH's extensions to the agent protocol.

Expand Down Expand Up @@ -81,4 +81,4 @@ the constraint is:

This option is only valid for XMSS keys.

$OpenBSD: PROTOCOL.agent,v 1.19 2023/04/12 08:53:54 jsg Exp $
$OpenBSD: PROTOCOL.agent,v 1.20 2023/10/03 23:56:10 djm Exp $
2 changes: 1 addition & 1 deletion README
@@ -1,4 +1,4 @@
See https://www.openssh.com/releasenotes.html#9.4p1 for the release
See https://www.openssh.com/releasenotes.html#9.5p1 for the release
notes.

Please read https://www.openssh.com/report.html for bug reporting
Expand Down
11 changes: 9 additions & 2 deletions auth2.c
@@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.166 2023/03/08 04:43:12 guenther Exp $ */
/* $OpenBSD: auth2.c,v 1.167 2023/08/28 09:48:11 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
Expand Down Expand Up @@ -225,6 +225,7 @@ input_service_request(int type, u_int32_t seq, struct ssh *ssh)
}

#define MIN_FAIL_DELAY_SECONDS 0.005
#define MAX_FAIL_DELAY_SECONDS 5.0
static double
user_specific_delay(const char *user)
{
Expand All @@ -250,6 +251,12 @@ ensure_minimum_time_since(double start, double seconds)
struct timespec ts;
double elapsed = monotime_double() - start, req = seconds, remain;

if (elapsed > MAX_FAIL_DELAY_SECONDS) {
debug3_f("elapsed %0.3lfms exceeded the max delay "
"requested %0.3lfms)", elapsed*1000, req*1000);
return;
}

/* if we've already passed the requested time, scale up */
while ((remain = seconds - elapsed) < 0.0)
seconds *= 2;
Expand Down Expand Up @@ -346,7 +353,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
debug2("input_userauth_request: try method %s", method);
authenticated = m->userauth(ssh, method);
}
if (!authctxt->authenticated)
if (!authctxt->authenticated && strcmp(method, "none") != 0)
ensure_minimum_time_since(tstart,
user_specific_delay(authctxt->user));
userauth_finish(ssh, authenticated, method, NULL);
Expand Down
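Review bot: The debug3_f message in the new early return in ensure_minimum_time_since has an unbalanced closing parenthesis — `"requested %0.3lfms)"` closes a paren that is never opened, so the log line reads oddly; change it to `"requested %0.3lfms"`, or open one before `elapsed`. The new MAX_FAIL_DELAY_SECONDS define also carries no comment on what the cap is for, and the only use visible here is this bail-out ahead of the doubling loop, so a one-liner such as `/* stop padding a failed attempt once it has already taken this long */` would help the next reader. ensure_minimum_time_since begins before this hunk and its body continues past it, so whether the cap interacts with anything further down cannot be seen from here.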