Merge pull request #83 from rapier1/release_candidates

Official Release of 18.4.1

Author: rapier1

.github/workflows/cifuzz.yml

@@ -1,27 +1,27 @@
 name: CIFuzz
 on:
   push:
-    branches: [master, pre-stage]
+    branches: [master, dev_minor, dev_major, release_candidates]
     paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
   pull_request:
     paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
 
 jobs:
   Fuzzing:
-    if: github.repository != 'rapier1/openssh-portable-selfhosted'
+    if: github.repository != 'rapier1/hpn-ssh-selfhosted'
     runs-on: ubuntu-latest
     steps:
     - name: Build Fuzzers
       id: build
       uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
       with:
-        oss-fuzz-project-name: 'openssh'
+        oss-fuzz-project-name: 'hpn-ssh'
         dry-run: false
         language: c++
     - name: Run Fuzzers
       uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
       with:
-        oss-fuzz-project-name: 'openssh'
+        oss-fuzz-project-name: 'hpn-ssh'
         fuzz-seconds: 600
         dry-run: false
         language: c++
@@ -30,4 +30,4 @@ jobs:
       if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts
-        path: ./out/artifacts
+        path: ./out/artifacts

channels.c

@@ -534,9 +534,16 @@ channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd,
 	    (c->output = sshbuf_new()) == NULL ||
 	    (c->extended = sshbuf_new()) == NULL)
 		fatal_f("sshbuf_new failed");
+
+	/* these buffers are important in terms of tracking channel
+	 * buffer usage so label and type them with descriptive names */
 	sshbuf_relabel(c->input, "channel input");
+	sshbuf_type(c->input, BUF_CHANNEL_INPUT);
 	sshbuf_relabel(c->output, "channel output");
+	sshbuf_type(c->output, BUF_CHANNEL_OUTPUT);
 	sshbuf_relabel(c->extended, "channel extended");
+	sshbuf_type(c->extended, BUF_CHANNEL_EXTENDED);
+
 	if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX)) != 0)
 		fatal_fr(r, "sshbuf_set_max_size");
 	c->ostate = CHAN_OUTPUT_OPEN;
@@ -2401,40 +2408,20 @@ channel_check_window(struct ssh *ssh, Channel *c)
 {
 	int r;
 
-	/* going back to a set denominator of 2. Prior versions had a
-	 * dynamic denominator based on the size of the buffer. This may
-	 * have been helpful in some situations but it isn't helping in
-	 * the general case -cjr 6/30/23 */
 	if (c->type == SSH_CHANNEL_OPEN &&
 	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
 	    ((c->local_window_max - c->local_window > c->local_maxpacket*3) ||
 	    c->local_window < c->local_window_max/2) &&
 	    c->local_consumed > 0) {
-		u_int addition = 0;
+		int addition = 0;
 		u_int32_t tcpwinsz = channel_tcpwinsz(ssh);
 		/* adjust max window size if we are in a dynamic environment
 		 * and the tcp receive buffer is larger than the ssh window */
 		if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
-			if (c->hpn_buffer_limit) {
-				/* limit window growth to prevent buffer issues
-				 * still not sure what is causing the buffer issues
-				 * but it may be an issue with c->local_consumed not being
-				 * handled properly in the cases of bottenecked IO to the
-				 * wfd endpoint. This does have an impact on throughput
-				 * as we're essentially maxing out local_window_max to
-				 * half of the window size */
-				addition = (tcpwinsz/2 - c->local_window_max);
-			}
-			else {
-				/* aggressively grow the window */
-				addition = tcpwinsz - c->local_window_max;
-			}
+			/* aggressively grow the window */
+			addition = tcpwinsz - c->local_window_max;
 			c->local_window_max += addition;
-			/* doesn't look like we need these
-			 * sshbuf_set_window_max(c->output, c->local_window_max);
-			 * sshbuf_set_window_max(c->input, c->local_window_max);
-			 */
-			debug("Channel %d: Window growth to %d by %d bytes",c->self,
+			debug_f("Channel %d: Window growth to %d by %d bytes",c->self,
 			      c->local_window_max, addition);
 		}
 		if (!c->have_remote_id)

channels.h

@@ -175,7 +175,6 @@ struct Channel {
 	u_int	local_consumed;
 	u_int	local_maxpacket;
 	int	dynamic_window;
-	int     hpn_buffer_limit;
 	int     extended_usage;
 	int	single_connection;
 	/* u_int	tcpwinsz; */

clientloop.c

@@ -2911,11 +2911,6 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
 	if ((c = channel_lookup(ssh, id)) == NULL)
 		fatal_f("channel %d: unknown channel", id);
 
-	if (options.hpn_buffer_limit) {
-		debug_f("Limiting receive buffer size");
-		c->hpn_buffer_limit = 1;
-	}
-
 	ssh_packet_set_interactive(ssh, want_tty,
 	    options.ip_qos_interactive, options.ip_qos_bulk);
 

configure.ac

@@ -2883,12 +2883,12 @@ if test "x$openssl" = "xyes" ; then
 				*) ;;	# Assume all other versions are good.
 				esac
 				;;
-			300*)
+			300*|301*|302*|303*)
 				# OpenSSL 3; we use the 1.1x API
 				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
 				AC_DEFINE([WITH_OPENSSL3], [1], [With OpenSSL3])
 				;;
-			301*|302*|303*)
+			304*)
 				# OpenSSL development branch; request 1.1x API
 				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
 				AC_DEFINE([WITH_OPENSSL3], [1], [With OpenSSL3])

hpnssh.1

@@ -555,7 +555,6 @@ For full details of the options listed below, and their possible values, see
 .It HostKeyAlias
 .It Hostname
 .It HPNDisabled*
-.It HPNBufferLimit*
 .It IdentitiesOnly
 .It IdentityAgent
 .It IdentityFile

hpnssh_config.5

@@ -1081,15 +1081,6 @@ In some situations, such as transfers on a local area network, the impact
 of the HPN code produces a net decrease in performance. In these cases it is
 helpful to disable the HPN functionality. By default HPNDisabled is set to 
 .Cm no. HPNSSH only.
-.It Cm HPNBufferLimit
-This option will force the hpnssh receive buffer to grow more slowly and limits
-the growth to one half of the TCP receive buffer. This option can prove useful
-in situation where a high speed path with larger RTTs are writing to a slower
-device or file system. Enabling this option will reduce performance but may provide
-a more stable connection. The option only impacts the receiving side of the connection. 
-For example, a client receiving data from a server but not a client sending data.
-By default this option is set to 
-.Cm no. HPNSSH only.
 .It Cm IdentitiesOnly
 Specifies that
 .Xr ssh 1

hpnsshd_config.5

@@ -890,16 +890,6 @@ In some situations, such as transfers on a local area network, the impact
 of the HPN code produces a net decrease in performance. In these cases it is
 helpful to disable the HPN functionality. By default HPNDisabled is set to 
 .CM no.
-.It Cm HPNBufferLimit
-This option will force the hpnssh receive buffer to grow more slowly and limits
-the growth to one half of the TCP receive buffer. This option can prove useful
-in situation where a high speed path with larger RTTs are writing to a slower
-device or file system. Enabling this option will reduce performance but may provide
-a more stable connection. The option only impacts the receiving side of the connection. 
-For example, a client receiving data from a server but not a client sending data. If 
-enabled on a server this will impact all incoming connections. 
-By default this option is set to 
-.Cm no. HPNSSH only.
 .It Cm IgnoreRhosts
 Specifies whether to ignore per-user
 .Pa .rhosts

kex.c

@@ -1041,9 +1041,11 @@ patch_list(char * orig)
 int
 kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
 {
-	int r;
+	int r = 0;
 
 #ifdef WITH_OPENSSL
+	char * orig_ctos = proposal[PROPOSAL_ENC_ALGS_CTOS];
+	char * orig_stoc = proposal[PROPOSAL_ENC_ALGS_STOC];
 	proposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    patch_list(proposal[PROPOSAL_ENC_ALGS_CTOS]);
 	proposal[PROPOSAL_ENC_ALGS_STOC] =
@@ -1057,11 +1059,18 @@ kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
 #endif
 
 	if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
-		return r;
+		goto restoreProposal;
 	ssh->kex->flags = KEX_INITIAL;
 	kex_reset_dispatch(ssh);
 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
-	return 0;
+ restoreProposal:
+#ifdef WITH_OPENSSL
+	free(proposal[PROPOSAL_ENC_ALGS_CTOS]);
+	free(proposal[PROPOSAL_ENC_ALGS_STOC]);
+	proposal[PROPOSAL_ENC_ALGS_CTOS] = orig_ctos;
+	proposal[PROPOSAL_ENC_ALGS_STOC] = orig_stoc;
+#endif
+	return r;
 }
 
 int

packet.c

@@ -257,11 +257,15 @@ ssh_alloc_session_state(void)
 	    (state->incoming_packet = sshbuf_new()) == NULL)
 		goto fail;
 	/* these buffers are important in terms of tracking buffer usage
-	 * so we explicitly label them with descriptive names */
+	 * so we explicitly label and type them with descriptive names */
 	sshbuf_relabel(state->input, "input");
+	sshbuf_type(state->input, BUF_PACKET_INPUT);
 	sshbuf_relabel(state->incoming_packet, "inpacket");
+	sshbuf_type(state->incoming_packet, BUF_PACKET_INCOMING);
 	sshbuf_relabel(state->output, "output");
+	sshbuf_type(state->output, BUF_PACKET_OUTPUT);
 	sshbuf_relabel(state->outgoing_packet, "outpacket");
+	sshbuf_type(state->outgoing_packet, BUF_PACKET_OUTGOING);
 
 	TAILQ_INIT(&state->outgoing);
 	TAILQ_INIT(&ssh->private_keys);