--- openssh-6.6p1/kex.c.orig 2017-12-27 19:05:27.270978025 -0500 +++ openssh-6.6p1/kex.c 2017-12-27 19:07:10.806525184 -0500 @@ -391,8 +391,6 @@ choose_comp(Comp *comp, char *client, ch fatal("no matching comp found: client %s server %s", client, server); if (strcmp(name, "zlib@openssh.com") == 0) { comp->type = COMP_DELAYED; - } else if (strcmp(name, "zlib") == 0) { - comp->type = COMP_ZLIB; } else if (strcmp(name, "none") == 0) { comp->type = COMP_NONE; } else { --- a/kex.h +++ b/kex.h @@ -44,12 +44,11 @@ #define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384" #define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521" #define KEX_CURVE25519_SHA256 "curve25519-sha256@libssh.org" #define COMP_NONE 0 -#define COMP_ZLIB 1 -#define COMP_DELAYED 2 +#define COMP_DELAYED 1 enum kex_init_proposals { PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, PROPOSAL_ENC_ALGS_CTOS, --- openssh-6.6p1/Makefile.in.orig 2017-12-27 19:05:24.785989150 -0500 +++ openssh-6.6p1/Makefile.in 2017-12-27 19:05:27.271978020 -0500 @@ -92,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw auth-chall.o auth2-chall.o groupaccess.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ - monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ + monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ kexc25519s.o auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ --- openssh-6.6p1/monitor.c.orig 2017-12-27 19:05:24.791989123 -0500 +++ openssh-6.6p1/monitor.c 2017-12-27 19:05:27.271978020 -0500 @@ -86,7 +86,6 @@ #include "log.h" #include "servconf.h" #include "monitor.h" -#include "monitor_mm.h" #ifdef GSSAPI #include "ssh-gss.h" #endif @@ -116,8 +115,6 @@ extern Buffer loginmsg; /* State exported from the child */ struct { - z_stream incoming; - z_stream outgoing; u_char *keyin; u_int keyinlen; u_char *keyout; 
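Review bot: Dropping the `"zlib"` case from choose_comp() changes behaviour for the client as well as the server, because kex.c is shared by ssh and sshd and nothing in this patch touches the client-side proposal (sshconnect2.c): if ssh still advertises `zlib` and talks to a server without `zlib@openssh.com`, negotiation now lands in the trailing else branch (a fatal, just outside the hunk) instead of falling back to `none`. If this is a backport of upstream's removal of pre-authentication compression, I believe upstream confined the change to sshd and left `COMP_ZLIB` selectable in kex.c for the client, so either keep the `zlib` arm here and refuse it only in the server proposal, or update the client proposal in the same patch. At minimum add `/* "zlib" (pre-auth compression) is intentionally not accepted */` above the `zlib@openssh.com` test so the fatal reads as policy rather than an omission. choose_comp() starts and ends outside this hunk.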
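Review bot: monitor_mm.o leaves the sshd link here, but nothing in the patch deletes monitor_mm.c or monitor_mm.h from the tree, so the shared-memory allocator that this change is retiring stays behind as unbuilt, unreviewed dead code that a later merge or a stray `#include "monitor_mm.h"` could silently revive. Remove the two files in the same change (or state why they are kept), and check for any other Makefile target or source file that still names them, since only SSHDOBJS is visible in this hunk.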
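Review bot: Removing the z_stream members from child_state leaves the matching `extern z_stream incoming_stream;` / `extern z_stream outgoing_stream;` declarations and the zlib include near the top of monitor.c untouched, if this tree still has them (they sit above the hunk and are not shown); once the memcpy in monitor_apply_keystate is gone nothing in the file should need them, so drop them and the monitor stops depending on zlib altogether. A one-line comment on the struct, `/* compression state is deliberately not carried across the privsep boundary */`, would stop someone re-adding the members later. The struct definition continues past the end of the hunk.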
@@ -478,15 +475,6 @@ monitor_child_postauth(struct monitor *p monitor_read(pmonitor, mon_dispatch, NULL); } -void -monitor_sync(struct monitor *pmonitor) -{ - if (options.compression) { - /* The member allocation is not visible, so sync it */ - mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback); - } -} - static int monitor_read_log(struct monitor *pmonitor) { @@ -1783,15 +1771,6 @@ monitor_apply_keystate(struct monitor *p free(child_state.ivin); } - memcpy(&incoming_stream, &child_state.incoming, - sizeof(incoming_stream)); - memcpy(&outgoing_stream, &child_state.outgoing, - sizeof(outgoing_stream)); - - /* Update with new address */ - if (options.compression) - mm_init_compression(pmonitor->m_zlib); - if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, (time_t)options.rekey_interval); @@ -1863,8 +1842,8 @@ void mm_get_keystate(struct monitor *pmonitor) { Buffer m; - u_char *blob, *p; - u_int bloblen, plen; + u_char *blob; + u_int bloblen; u_int32_t seqnr, packets; u_int64_t blocks, bytes; @@ -1912,20 +1891,6 @@ mm_get_keystate(struct monitor *pmonitor child_state.keyout = buffer_get_string(&m, &child_state.keyoutlen); child_state.keyin = buffer_get_string(&m, &child_state.keyinlen); - debug3("%s: Getting compression state", __func__); - /* Get compression state */ - p = buffer_get_string(&m, &plen); - if (plen != sizeof(child_state.outgoing)) - fatal("%s: bad request size", __func__); - memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing)); - free(p); - - p = buffer_get_string(&m, &plen); - if (plen != sizeof(child_state.incoming)) - fatal("%s: bad request size", __func__); - memcpy(&child_state.incoming, p, sizeof(child_state.incoming)); - free(p); - /* Network I/O buffers */ debug3("%s: Getting Network I/O buffers", __func__); child_state.input = buffer_get_string(&m, &child_state.ilen); 
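Review bot: After this hunk monitor_apply_keystate() restores keys, IVs and rekey limits but no compression state, so the post-auth child now relies on a later call (packet_set_authenticated(), as patched in packet.c) to create fresh zlib streams while `comp->enabled` is still zero, and that dependency is invisible at this spot. A comment where the memcpy used to be, `/* No compression state is transferred: the post-auth child re-initialises delayed compression itself via packet_set_authenticated(). */`, would keep the next maintainer from "fixing" the missing restore. The function starts and ends outside the hunk.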
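Review bot: The keystate message parsed by mm_get_keystate() is now two strings shorter and must stay in lock-step with mm_send_keystate() in monitor_wrap.c, which this patch edits separately; a skew between the two would not be caught by the remaining unchecked `buffer_get_string` calls and would surface as a confusing failure further along. Add `/* wire format must match mm_send_keystate(); compression state is intentionally absent */` above the "Network I/O buffers" read. The removed block was also the only place the privileged monitor copied raw `z_stream` structs, pointer fields included, out of the unprivileged child's message, so shrinking that parsing surface is the right direction. mm_get_keystate() starts and ends outside the hunk.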
@@ -1940,40 +1905,6 @@ mm_get_keystate(struct monitor *pmonitor buffer_free(&m); } - -/* Allocation functions for zlib */ -void * -mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) -{ - size_t len = (size_t) size * ncount; - void *address; - - if (len == 0 || ncount > SIZE_T_MAX / size) - fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size); - - address = mm_malloc(mm, len); - - return (address); -} - -void -mm_zfree(struct mm_master *mm, void *address) -{ - mm_free(mm, address); -} - -void -mm_init_compression(struct mm_master *mm) -{ - outgoing_stream.zalloc = (alloc_func)mm_zalloc; - outgoing_stream.zfree = (free_func)mm_zfree; - outgoing_stream.opaque = mm; - - incoming_stream.zalloc = (alloc_func)mm_zalloc; - incoming_stream.zfree = (free_func)mm_zfree; - incoming_stream.opaque = mm; -} - /* XXX */ #define FD_CLOSEONEXEC(x) do { \ @@ -2015,14 +1946,6 @@ monitor_init(void) monitor_openfds(mon, 1); - /* Used to share zlib space across processes */ - if (options.compression) { - mon->m_zback = mm_create(NULL, MM_MEMSIZE); - mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE); - - /* Compression needs to share state across borders */ - mm_init_compression(mon->m_zlib); - } return mon; } --- openssh-6.6p1/monitor.h.orig 2014-02-03 19:12:57.000000000 -0500 +++ openssh-6.6p1/monitor.h 2017-12-27 19:05:27.271978020 -0500 @@ -67,21 +67,17 @@ enum monitor_reqtype { }; -struct mm_master; struct monitor { int m_recvfd; int m_sendfd; int m_log_recvfd; int m_log_sendfd; - struct mm_master *m_zback; - struct mm_master *m_zlib; struct Kex **m_pkex; pid_t m_pid; }; struct monitor *monitor_init(void); void monitor_reinit(struct monitor *); -void monitor_sync(struct monitor *); struct Authctxt; void monitor_child_preauth(struct Authctxt *, struct monitor *); --- openssh-6.6p1/monitor_wrap.c.orig 2017-12-27 19:05:24.792989119 -0500 +++ openssh-6.6p1/monitor_wrap.c 2017-12-27 19:05:27.271978020 -0500 
@@ -145,7 +145,6 @@ mm_request_receive(int sock, Buffer *m) u_int msg_len; debug3("%s entering", __func__); - if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { if (errno == EPIPE) cleanup_exit(255); @@ -512,7 +511,6 @@ mm_newkeys_from_blob(u_char *blob, int b /* Comp structure */ comp->type = buffer_get_int(&b); - comp->enabled = buffer_get_int(&b); comp->name = buffer_get_string(&b, NULL); len = buffer_len(&b); @@ -562,7 +560,6 @@ mm_newkeys_to_blob(int mode, u_char **bl /* Comp structure */ buffer_put_int(&b, comp->type); - buffer_put_int(&b, comp->enabled); buffer_put_cstring(&b, comp->name); len = buffer_len(&b); @@ -674,11 +671,6 @@ mm_send_keystate(struct monitor *monitor buffer_put_string(&m, p, plen); free(p); - /* Compression state */ - debug3("%s: Sending compression state", __func__); - buffer_put_string(&m, &outgoing_stream, sizeof(outgoing_stream)); - buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream)); - /* Network I/O buffers */ input = (Buffer *)packet_get_input(); output = (Buffer *)packet_get_output(); --- openssh-6.6p1/monitor_wrap.h.orig 2014-02-03 19:12:57.000000000 -0500 +++ openssh-6.6p1/monitor_wrap.h 2017-12-27 19:05:27.271978020 -0500 @@ -102,10 +102,4 @@ int mm_bsdauth_respond(void *, u_int, ch int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_skey_respond(void *, u_int, char **); -/* zlib allocation hooks */ - -void *mm_zalloc(struct mm_master *, u_int, u_int); -void mm_zfree(struct mm_master *, void *); -void mm_init_compression(struct mm_master *); - #endif /* _MM_WRAP_H_ */ --- openssh-6.6p1/myproposal.h.orig 2013-12-06 19:24:02.000000000 -0500 +++ openssh-6.6p1/myproposal.h 2017-12-27 19:05:27.271978020 -0500 
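Review bot: With `comp->enabled` no longer read from the blob, mm_newkeys_from_blob() leaves the field at whatever the allocation gave it, and the post-auth child's packet_enable_delayed_compress() (reached via the patched packet_set_authenticated()) only initialises zlib when that field is 0; if the Newkeys object is obtained with xmalloc rather than xcalloc (the allocation is above the hunk and not shown), the field is uninitialised and compression can be silently skipped or attempted on streams that were never inflateInit'd. Make the intent explicit inside the hunk with `comp->enabled = 0;	/* never inherited across privsep: post-auth child re-inits compression */` right after `comp->type = buffer_get_int(&b);`. The matching removal in mm_newkeys_to_blob() below keeps the two sides of the blob in sync. The function starts and ends outside the hunk.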
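Review bot: Once the two `buffer_put_string(&m, &outgoing_stream, …)` / `incoming_stream` calls go, mm_send_keystate() is the last user of those symbols in monitor_wrap.c, so the `extern z_stream` declarations and `<zlib.h>` include near the top of the file, if present in this tree, become dead and should leave in the same change rather than keep a zlib dependency in a file that no longer touches compression. The removed lines were serialising a struct containing pointers and zlib-internal state byte-for-byte over the monitor socket, so this is a sound removal and worth a comment at the spot: `/* compression state is deliberately not sent; see packet_set_authenticated() */`. mm_send_keystate() starts and ends outside the hunk.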
@@ -130,7 +130,7 @@ "hmac-sha1-96," \ "hmac-md5-96" -#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" +#define KEX_DEFAULT_COMP "none,zlib@openssh.com" #define KEX_DEFAULT_LANG "" --- openssh-6.6p1/packet.c.orig 2014-02-03 19:20:15.000000000 -0500 +++ openssh-6.6p1/packet.c 2017-12-27 19:05:27.272978015 -0500 @@ -790,8 +790,7 @@ set_newkeys(int mode) /* explicit_bzero(enc->iv, enc->block_size); explicit_bzero(enc->key, enc->key_len); explicit_bzero(mac->key, mac->key_len); */ - if ((comp->type == COMP_ZLIB || - (comp->type == COMP_DELAYED && + if (((comp->type == COMP_DELAYED && active_state->after_authentication)) && comp->enabled == 0) { packet_init_compression(); if (mode == MODE_OUT) @@ -799,6 +798,7 @@ set_newkeys(int mode) else buffer_compress_init_recv(); comp->enabled = 1; + } /* * The 2^(blocksize*2) limit is too expensive for 3DES, @@ -1989,6 +1989,7 @@ void packet_set_authenticated(void) { active_state->after_authentication = 1; + packet_enable_delayed_compress(); } void * --- openssh-6.6p1/servconf.c.orig 2014-02-03 19:12:57.000000000 -0500 +++ openssh-6.6p1/servconf.c 2017-12-27 19:05:27.272978015 -0500 @@ -794,8 +794,8 @@ static const struct multistate multistat { NULL, -1 } }; static const struct multistate multistate_compression[] = { + { "yes", COMP_DELAYED }, { "delayed", COMP_DELAYED }, - { "yes", COMP_ZLIB }, { "no", COMP_NONE }, { NULL, -1 } }; --- openssh-6.6p1/sshd.c.orig 2017-12-27 19:05:24.789989132 -0500 +++ openssh-6.6p1/sshd.c 2017-12-27 19:05:27.272978015 -0500 @@ -112,7 +112,6 @@ #include "dispatch.h" #include "channels.h" #include "session.h" -#include "monitor_mm.h" #include "monitor.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -680,9 +679,6 @@ privsep_preauth(Authctxt *authctxt) ssh_sandbox_parent_preauth(box, pid); monitor_child_preauth(authctxt, pmonitor); - /* Sync memory */ - monitor_sync(pmonitor); - /* Wait for the child's exit status */ while (waitpid(pid, &status, 0) < 0) { if (errno == EINTR) 
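Review bot: KEX_DEFAULT_COMP is shared by client and server, so removing `zlib` here also changes what ssh offers unless sshconnect2.c builds its own compression list (it is not in this patch); either way, peers that implement only pre-auth `zlib` now fail in choose_comp() instead of negotiating down to `none`. Put the reason on the define, `/* pre-auth "zlib" compression removed: only delayed (post-auth) compression is offered */`, and call the behaviour change out in the release note, since non-OpenSSH clients will see it.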
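Review bot: The second packet.c hunk (`-799,6 +798,7`) adds a lone `}` after `comp->enabled = 1;` while the old side shows no brace being removed, yet the rewritten condition in the first hunk, `if (((comp->type == COMP_DELAYED && active_state->after_authentication)) && comp->enabled == 0) {`, still opens exactly one block; unless the base tree genuinely lacks the closing brace there (possible, but not visible in this rendering), set_newkeys() ends up with an unmatched `}`. Please diff the patched file against the base before merging. Separately, the triple parenthesis is a readability trap now that the `COMP_ZLIB ||` arm is gone; the same test reads as `if (comp->type == COMP_DELAYED && active_state->after_authentication && comp->enabled == 0) {`. set_newkeys() starts and ends outside these hunks.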
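Review bot: Calling packet_enable_delayed_compress() from packet_set_authenticated() is what makes the post-auth child create fresh zlib streams now that no z_stream crosses the monitor, but it is only correct because `comp->enabled` is no longer serialised in mm_newkeys_to_blob()/from_blob() (monitor_wrap.c, same patch) and because the pre-auth child never inflates a packet after sending USERAUTH_SUCCESS; neither assumption is written down here. Add `/* Post-auth privsep child: compression state is not inherited from the pre-auth child, so delayed compression is started here with a fresh stream. */` above the call. If packet_enable_delayed_compress() already sets after_authentication itself (as I recall it does in 6.x, defined above this hunk), the preceding assignment is redundant but harmless; the client, which to my knowledge never calls this function, is unaffected.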
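Review bot: The order of the multistate_compression entries only matters for `sshd -T` output: if this tree's fmt_multistate_int() returns the first key whose value matches (as 6.x does), moving `yes` ahead of `delayed` makes a config that says `Compression delayed` dump as `compression yes`. If that is intended, say so in the table, e.g. `{ "yes", COMP_DELAYED },	/* first: canonical spelling for -T output */` and `{ "delayed", COMP_DELAYED },	/* legacy synonym */`, so the ordering survives future edits. The table itself is otherwise complete within the hunk.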
@@ -2455,9 +2451,6 @@ do_ssh2_kex(void) if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; - } else if (options.compression == COMP_DELAYED) { - myproposal[PROPOSAL_COMP_ALGS_CTOS] = - myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; --- openssh-6.6p1/sshd_config.5.orig 2014-02-27 18:01:28.000000000 -0500 +++ openssh-6.6p1/sshd_config.5 2017-12-27 19:05:27.272978015 -0500 @@ -404,15 +404,17 @@ The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only. .It Cm Compression -Specifies whether compression is allowed, or delayed until +Specifies whether compression is enabled after the user has authenticated successfully. The argument must be .Dq yes , -.Dq delayed , +.Dq delayed +(a legacy synonym for +.Dq yes ) or .Dq no . The default is -.Dq delayed . +.Dq yes . .It Cm DenyGroups This keyword can be followed by a list of group name patterns, separated by spaces.
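Review bot: Deleting the COMP_DELAYED branch makes do_ssh2_kex() depend on KEX_DEFAULT_COMP in myproposal.h (changed in this same patch) to spell exactly `none,zlib@openssh.com`; the two edits are only correct together, and a later change to the default would silently alter what `Compression yes` offers. Leave a comment where the branch was, `/* COMP_DELAYED: KEX_DEFAULT_COMP already offers only none,zlib@openssh.com */`, or keep the explicit assignment so the server's proposal is stated in one place. The function starts and ends outside the hunk.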