wok rev 20313

linux, openssh: add tcp_stealth patch
author Pascal Bellard <pascal.bellard@slitaz.org>
date Fri May 18 13:47:33 2018 +0200 (2018-05-18)
parents f215c72530a6
children d5a889ec499e
files linux/receipt linux/stuff/linux-tcp_stealth.u openssh-pam/receipt openssh/receipt openssh/stuff/knock.u tazlito/receipt
line diff
     1.1 --- a/linux/receipt	Thu May 17 10:47:21 2018 +0200
     1.2 +++ b/linux/receipt	Fri May 18 13:47:33 2018 +0200
     1.3 @@ -219,6 +219,7 @@
     1.4  $PACKAGE-freeinitrd.u
     1.5  $PACKAGE-subroot.u
     1.6  $PACKAGE-romfs.u
     1.7 +$PACKAGE-tcp_stealth.u
     1.8  aufs3-base.patch
     1.9  aufs3-standalone.patch
    1.10  aufs3-loopback.patch
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/linux/stuff/linux-tcp_stealth.u	Fri May 18 13:47:33 2018 +0200
     2.3 @@ -0,0 +1,630 @@
     2.4 +From https://gnunet.org/knock :
     2.5 +https://gnunet.org/sites/default/files/tcp_stealth_3.16_1.diff
     2.6 +Signed-off-by: Julian Kirsch <kirschju@sec.in.tum.de>
     2.7 +---
     2.8 +diff -Nurp linux-3.16/include/linux/tcp.h linux-3.16-knock/include/linux/tcp.h
     2.9 +--- linux-3.16/include/linux/tcp.h	2014-08-03 18:25:02.000000000 -0400
    2.10 ++++ linux-3.16-knock/include/linux/tcp.h	2014-08-19 06:15:42.329509665 -0400
    2.11 +@@ -20,6 +20,7 @@
    2.12 + 
    2.13 + #include <linux/skbuff.h>
    2.14 + #include <linux/dmaengine.h>
    2.15 ++#include <linux/cryptohash.h>
    2.16 + #include <net/sock.h>
    2.17 + #include <net/inet_connection_sock.h>
    2.18 + #include <net/inet_timewait_sock.h>
    2.19 +@@ -325,6 +326,21 @@ struct tcp_sock {
    2.20 + 	struct tcp_md5sig_info	__rcu *md5sig_info;
    2.21 + #endif
    2.22 + 
    2.23 ++#ifdef CONFIG_TCP_STEALTH
    2.24 ++/* Stealth TCP socket configuration */
    2.25 ++	struct {
    2.26 ++		#define TCP_STEALTH_MODE_AUTH		BIT(0)
    2.27 ++		#define TCP_STEALTH_MODE_INTEGRITY	BIT(1)
    2.28 ++		#define TCP_STEALTH_MODE_INTEGRITY_LEN	BIT(2)
    2.29 ++		int mode;
    2.30 ++		u8 secret[MD5_MESSAGE_BYTES];
    2.31 ++		int integrity_len;
    2.32 ++		u16 integrity_hash;
    2.33 ++		u32 tsval;
    2.34 ++		bool saw_tsval;
    2.35 ++	} stealth;
    2.36 ++#endif
    2.37 ++
    2.38 + /* TCP fastopen related information */
    2.39 + 	struct tcp_fastopen_request *fastopen_req;
    2.40 + 	/* fastopen_rsk points to request_sock that resulted in this big
    2.41 +diff -Nurp linux-3.16/include/net/secure_seq.h linux-3.16-knock/include/net/secure_seq.h
    2.42 +--- linux-3.16/include/net/secure_seq.h	2014-08-03 18:25:02.000000000 -0400
    2.43 ++++ linux-3.16-knock/include/net/secure_seq.h	2014-08-19 05:52:22.389447048 -0400
    2.44 +@@ -14,5 +14,10 @@ u64 secure_dccp_sequence_number(__be32 s
    2.45 + 				__be16 sport, __be16 dport);
    2.46 + u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
    2.47 + 				  __be16 sport, __be16 dport);
    2.48 ++#ifdef CONFIG_TCP_STEALTH
    2.49 ++u32 tcp_stealth_do_auth(struct sock *sk, struct sk_buff *skb);
    2.50 ++u32 tcp_stealth_sequence_number(struct sock *sk, __be32 *daddr,
    2.51 ++				u32 daddr_size, __be16 dport);
    2.52 ++#endif
    2.53 + 
    2.54 + #endif /* _NET_SECURE_SEQ */
    2.55 +diff -Nurp linux-3.16/include/net/tcp.h linux-3.16-knock/include/net/tcp.h
    2.56 +--- linux-3.16/include/net/tcp.h	2014-08-03 18:25:02.000000000 -0400
    2.57 ++++ linux-3.16-knock/include/net/tcp.h	2014-08-11 07:16:15.968418122 -0400
    2.58 +@@ -442,6 +442,12 @@ void tcp_parse_options(const struct sk_b
    2.59 + 		       struct tcp_options_received *opt_rx,
    2.60 + 		       int estab, struct tcp_fastopen_cookie *foc);
    2.61 + const u8 *tcp_parse_md5sig_option(const struct tcphdr *th);
    2.62 ++#ifdef CONFIG_TCP_STEALTH
    2.63 ++const bool tcp_parse_tsval_option(u32 *tsval, const struct tcphdr *th);
    2.64 ++int tcp_stealth_integrity(u16 *hash, u8 *secret, u8 *payload, int len);
    2.65 ++#define be32_isn_to_be16_av(x)	(((__be16 *)&x)[0])
    2.66 ++#define be32_isn_to_be16_ih(x)	(((__be16 *)&x)[1])
    2.67 ++#endif
    2.68 + 
    2.69 + /*
    2.70 +  *	TCP v4 functions exported for the inet6 API
    2.71 +diff -Nurp linux-3.16/include/uapi/linux/tcp.h linux-3.16-knock/include/uapi/linux/tcp.h
    2.72 +--- linux-3.16/include/uapi/linux/tcp.h	2014-08-03 18:25:02.000000000 -0400
    2.73 ++++ linux-3.16-knock/include/uapi/linux/tcp.h	2014-08-11 07:16:15.968418122 -0400
    2.74 +@@ -112,6 +112,9 @@ enum {
    2.75 + #define TCP_FASTOPEN		23	/* Enable FastOpen on listeners */
    2.76 + #define TCP_TIMESTAMP		24
    2.77 + #define TCP_NOTSENT_LOWAT	25	/* limit number of unsent bytes in write queue */
    2.78 ++#define TCP_STEALTH		26
    2.79 ++#define TCP_STEALTH_INTEGRITY	27
    2.80 ++#define TCP_STEALTH_INTEGRITY_LEN	28
    2.81 + 
    2.82 + struct tcp_repair_opt {
    2.83 + 	__u32	opt_code;
    2.84 +diff -Nurp linux-3.16/net/core/secure_seq.c linux-3.16-knock/net/core/secure_seq.c
    2.85 +--- linux-3.16/net/core/secure_seq.c	2014-08-03 18:25:02.000000000 -0400
    2.86 ++++ linux-3.16-knock/net/core/secure_seq.c	2014-08-19 06:19:31.241519904 -0400
    2.87 +@@ -8,7 +8,11 @@
    2.88 + #include <linux/ktime.h>
    2.89 + #include <linux/string.h>
    2.90 + #include <linux/net.h>
    2.91 ++#include <linux/socket.h>
    2.92 ++#include <linux/ip.h>
    2.93 ++#include <linux/ipv6.h>
    2.94 + 
    2.95 ++#include <net/tcp.h>
    2.96 + #include <net/secure_seq.h>
    2.97 + 
    2.98 + #if IS_ENABLED(CONFIG_IPV6) || IS_ENABLED(CONFIG_INET)
    2.99 +@@ -39,6 +43,102 @@ static u32 seq_scale(u32 seq)
   2.100 + }
   2.101 + #endif
   2.102 + 
   2.103 ++#ifdef CONFIG_TCP_STEALTH
   2.104 ++u32 tcp_stealth_sequence_number(struct sock *sk, __be32 *daddr,
   2.105 ++				u32 daddr_size, __be16 dport)
   2.106 ++{
   2.107 ++	struct tcp_sock *tp = tcp_sk(sk);
   2.108 ++	struct tcp_md5sig_key *md5;
   2.109 ++
   2.110 ++	__u32 sec[MD5_MESSAGE_BYTES / sizeof(__u32)];
   2.111 ++	__u32 i;
   2.112 ++	__u32 tsval = 0;
   2.113 ++
   2.114 ++	__be32 iv[MD5_DIGEST_WORDS] = { 0 };
   2.115 ++	__be32 isn;
   2.116 ++
   2.117 ++	memcpy(iv, (const __u8 *)daddr,
   2.118 ++	       (daddr_size > sizeof(iv)) ? sizeof(iv) : daddr_size);
   2.119 ++
   2.120 ++#ifdef CONFIG_TCP_MD5SIG
   2.121 ++	md5 = tp->af_specific->md5_lookup(sk, sk);
   2.122 ++#else
   2.123 ++	md5 = NULL;
   2.124 ++#endif
   2.125 ++	if (likely(sysctl_tcp_timestamps && !md5) || tp->stealth.saw_tsval)
   2.126 ++		tsval = tp->stealth.tsval;
   2.127 ++
   2.128 ++	((__be16 *)iv)[2] ^= cpu_to_be16(tp->stealth.integrity_hash);
   2.129 ++	iv[2] ^= cpu_to_be32(tsval);
   2.130 ++	((__be16 *)iv)[6] ^= dport;
   2.131 ++
   2.132 ++	for (i = 0; i < MD5_DIGEST_WORDS; i++)
   2.133 ++		iv[i] = le32_to_cpu(iv[i]);
   2.134 ++	for (i = 0; i < MD5_MESSAGE_BYTES / sizeof(__le32); i++)
   2.135 ++		sec[i] = le32_to_cpu(((__le32 *)tp->stealth.secret)[i]);
   2.136 ++
   2.137 ++	md5_transform(iv, sec);
   2.138 ++
   2.139 ++	isn = cpu_to_be32(iv[0]) ^ cpu_to_be32(iv[1]) ^
   2.140 ++	      cpu_to_be32(iv[2]) ^ cpu_to_be32(iv[3]);
   2.141 ++
   2.142 ++	if (tp->stealth.mode & TCP_STEALTH_MODE_INTEGRITY)
   2.143 ++		be32_isn_to_be16_ih(isn) =
   2.144 ++			cpu_to_be16(tp->stealth.integrity_hash);
   2.145 ++
   2.146 ++	return be32_to_cpu(isn);
   2.147 ++}
   2.148 ++EXPORT_SYMBOL(tcp_stealth_sequence_number);
   2.149 ++
   2.150 ++u32 tcp_stealth_do_auth(struct sock *sk, struct sk_buff *skb)
   2.151 ++{
   2.152 ++	struct tcp_sock *tp = tcp_sk(sk);
   2.153 ++	struct tcphdr *th = tcp_hdr(skb);
   2.154 ++	__be32 isn = th->seq;
   2.155 ++	__be32 hash;
   2.156 ++	__be32 *daddr;
   2.157 ++	u32 daddr_size;
   2.158 ++
   2.159 ++	tp->stealth.saw_tsval = tcp_parse_tsval_option(&tp->stealth.tsval, th);
   2.160 ++
   2.161 ++	if (tp->stealth.mode & TCP_STEALTH_MODE_INTEGRITY_LEN)
   2.162 ++		tp->stealth.integrity_hash =
   2.163 ++			be16_to_cpu(be32_isn_to_be16_ih(isn));
   2.164 ++
   2.165 ++	switch (tp->inet_conn.icsk_inet.sk.sk_family) {
   2.166 ++#if IS_ENABLED(CONFIG_IPV6)
   2.167 ++	case PF_INET6:
   2.168 ++		daddr_size = sizeof(ipv6_hdr(skb)->daddr.s6_addr32);
   2.169 ++		daddr = ipv6_hdr(skb)->daddr.s6_addr32;
   2.170 ++	break;
   2.171 ++#endif
   2.172 ++	case PF_INET:
   2.173 ++		daddr_size = sizeof(ip_hdr(skb)->daddr);
   2.174 ++		daddr = &ip_hdr(skb)->daddr;
   2.175 ++	break;
   2.176 ++	default:
   2.177 ++		pr_err("TCP Stealth: Unknown network layer protocol, stop!\n");
   2.178 ++		return 1;
   2.179 ++	}
   2.180 ++
   2.181 ++	hash = tcp_stealth_sequence_number(sk, daddr, daddr_size, th->dest);
   2.182 ++	cpu_to_be32s(&hash);
   2.183 ++
   2.184 ++	if (tp->stealth.mode & TCP_STEALTH_MODE_AUTH &&
   2.185 ++	    tp->stealth.mode & TCP_STEALTH_MODE_INTEGRITY_LEN &&
   2.186 ++	    be32_isn_to_be16_av(isn) == be32_isn_to_be16_av(hash))
   2.187 ++		return 0;
   2.188 ++
   2.189 ++	if (tp->stealth.mode & TCP_STEALTH_MODE_AUTH &&
   2.190 ++	    !(tp->stealth.mode & TCP_STEALTH_MODE_INTEGRITY_LEN) &&
   2.191 ++	    isn == hash)
   2.192 ++		return 0;
   2.193 ++
   2.194 ++	return 1;
   2.195 ++}
   2.196 ++EXPORT_SYMBOL(tcp_stealth_do_auth);
   2.197 ++#endif
   2.198 ++
   2.199 + #if IS_ENABLED(CONFIG_IPV6)
   2.200 + __u32 secure_tcpv6_sequence_number(const __be32 *saddr, const __be32 *daddr,
   2.201 + 				   __be16 sport, __be16 dport)
   2.202 +diff -Nurp linux-3.16/net/ipv4/Kconfig linux-3.16-knock/net/ipv4/Kconfig
   2.203 +--- linux-3.16/net/ipv4/Kconfig	2014-08-03 18:25:02.000000000 -0400
   2.204 ++++ linux-3.16-knock/net/ipv4/Kconfig	2014-08-11 07:16:15.968418122 -0400
   2.205 +@@ -618,3 +618,13 @@ config TCP_MD5SIG
   2.206 + 	  on the Internet.
   2.207 + 
   2.208 + 	  If unsure, say N.
   2.209 ++
   2.210 ++config TCP_STEALTH
   2.211 ++	bool "TCP: Stealth TCP socket support"
   2.212 ++	default n
   2.213 ++	---help---
   2.214 ++	  This option enables support for stealth TCP sockets. If you do not
   2.215 ++	  know what this means, you do not need it.
   2.216 ++
   2.217 ++	  If unsure, say N.
   2.218 ++
   2.219 +diff -Nurp linux-3.16/net/ipv4/tcp.c linux-3.16-knock/net/ipv4/tcp.c
   2.220 +--- linux-3.16/net/ipv4/tcp.c	2014-08-03 18:25:02.000000000 -0400
   2.221 ++++ linux-3.16-knock/net/ipv4/tcp.c	2014-08-19 06:17:19.497514011 -0400
   2.222 +@@ -2443,6 +2443,43 @@ static int tcp_repair_options_est(struct
   2.223 + 	return 0;
   2.224 + }
   2.225 + 
   2.226 ++#ifdef CONFIG_TCP_STEALTH
   2.227 ++int tcp_stealth_integrity(__be16 *hash, u8 *secret, u8 *payload, int len)
   2.228 ++{
   2.229 ++	struct scatterlist sg[2];
   2.230 ++	struct crypto_hash *tfm;
   2.231 ++	struct hash_desc desc;
   2.232 ++	__be16 h[MD5_DIGEST_WORDS * 2];
   2.233 ++	int i;
   2.234 ++	int err = 0;
   2.235 ++
   2.236 ++	tfm = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC);
   2.237 ++	if (IS_ERR(tfm)) {
   2.238 ++		err = -PTR_ERR(tfm);
   2.239 ++		goto out;
   2.240 ++	}
   2.241 ++	desc.tfm = tfm;
   2.242 ++	desc.flags = 0;
   2.243 ++
   2.244 ++	sg_init_table(sg, 2);
   2.245 ++	sg_set_buf(&sg[0], secret, MD5_MESSAGE_BYTES);
   2.246 ++	sg_set_buf(&sg[1], payload, len);
   2.247 ++
   2.248 ++	if (crypto_hash_digest(&desc, sg, MD5_MESSAGE_BYTES + len, (u8 *)h)) {
   2.249 ++		err = -EFAULT;
   2.250 ++		goto out;
   2.251 ++	}
   2.252 ++
   2.253 ++	*hash = be16_to_cpu(h[0]);
   2.254 ++	for (i = 1; i < MD5_DIGEST_WORDS * 2; i++)
   2.255 ++		*hash ^= be16_to_cpu(h[i]);
   2.256 ++
   2.257 ++out:
   2.258 ++	crypto_free_hash(tfm);
   2.259 ++	return err;
   2.260 ++}
   2.261 ++#endif
   2.262 ++
   2.263 + /*
   2.264 +  *	Socket option code for TCP.
   2.265 +  */
   2.266 +@@ -2473,6 +2510,67 @@ static int do_tcp_setsockopt(struct sock
   2.267 + 		release_sock(sk);
   2.268 + 		return err;
   2.269 + 	}
   2.270 ++#ifdef CONFIG_TCP_STEALTH
   2.271 ++	case TCP_STEALTH: {
   2.272 ++		u8 secret[MD5_MESSAGE_BYTES];
   2.273 ++
   2.274 ++		if (optlen < MD5_MESSAGE_BYTES)
   2.275 ++			return -EINVAL;
   2.276 ++
   2.277 ++		val = copy_from_user(secret, optval, MD5_MESSAGE_BYTES);
   2.278 ++		if (val != 0)
   2.279 ++			return -EFAULT;
   2.280 ++
   2.281 ++		lock_sock(sk);
   2.282 ++		memcpy(tp->stealth.secret, secret, MD5_MESSAGE_BYTES);
   2.283 ++		tp->stealth.mode = TCP_STEALTH_MODE_AUTH;
   2.284 ++		tp->stealth.tsval = 0;
   2.285 ++		tp->stealth.saw_tsval = false;
   2.286 ++		release_sock(sk);
   2.287 ++		return err;
   2.288 ++	}
   2.289 ++	case TCP_STEALTH_INTEGRITY: {
   2.290 ++		u8 *payload;
   2.291 ++
   2.292 ++		lock_sock(sk);
   2.293 ++
   2.294 ++		if (!(tp->stealth.mode & TCP_STEALTH_MODE_AUTH)) {
   2.295 ++			err = -EOPNOTSUPP;
   2.296 ++			goto stealth_integrity_out_1;
   2.297 ++		}
   2.298 ++
   2.299 ++		if (optlen < 1 || optlen > USHRT_MAX) {
   2.300 ++			err = -EINVAL;
   2.301 ++			goto stealth_integrity_out_1;
   2.302 ++		}
   2.303 ++
   2.304 ++		payload = vmalloc(optlen);
   2.305 ++		if (!payload) {
   2.306 ++			err = -ENOMEM;
   2.307 ++			goto stealth_integrity_out_1;
   2.308 ++		}
   2.309 ++
   2.310 ++		val = copy_from_user(payload, optval, optlen);
   2.311 ++		if (val != 0) {
   2.312 ++			err = -EFAULT;
   2.313 ++			goto stealth_integrity_out_2;
   2.314 ++		}
   2.315 ++
   2.316 ++		err = tcp_stealth_integrity(&tp->stealth.integrity_hash,
   2.317 ++					    tp->stealth.secret, payload,
   2.318 ++					    optlen);
   2.319 ++		if (err)
   2.320 ++			goto stealth_integrity_out_2;
   2.321 ++
   2.322 ++		tp->stealth.mode |= TCP_STEALTH_MODE_INTEGRITY;
   2.323 ++
   2.324 ++stealth_integrity_out_2:
   2.325 ++		vfree(payload);
   2.326 ++stealth_integrity_out_1:
   2.327 ++		release_sock(sk);
   2.328 ++		return err;
   2.329 ++	}
   2.330 ++#endif
   2.331 + 	default:
   2.332 + 		/* fallthru */
   2.333 + 		break;
   2.334 +@@ -2717,6 +2815,18 @@ static int do_tcp_setsockopt(struct sock
   2.335 + 		tp->notsent_lowat = val;
   2.336 + 		sk->sk_write_space(sk);
   2.337 + 		break;
   2.338 ++#ifdef CONFIG_TCP_STEALTH
   2.339 ++	case TCP_STEALTH_INTEGRITY_LEN:
   2.340 ++		if (!(tp->stealth.mode & TCP_STEALTH_MODE_AUTH)) {
   2.341 ++			err = -EOPNOTSUPP;
   2.342 ++		} else if (val < 1 || val > USHRT_MAX) {
   2.343 ++			err = -EINVAL;
   2.344 ++		} else {
   2.345 ++			tp->stealth.integrity_len = val;
   2.346 ++			tp->stealth.mode |= TCP_STEALTH_MODE_INTEGRITY_LEN;
   2.347 ++		}
   2.348 ++		break;
   2.349 ++#endif
   2.350 + 	default:
   2.351 + 		err = -ENOPROTOOPT;
   2.352 + 		break;
   2.353 +diff -Nurp linux-3.16/net/ipv4/tcp_input.c linux-3.16-knock/net/ipv4/tcp_input.c
   2.354 +--- linux-3.16/net/ipv4/tcp_input.c	2014-08-03 18:25:02.000000000 -0400
   2.355 ++++ linux-3.16-knock/net/ipv4/tcp_input.c	2014-08-18 13:08:23.956054243 -0400
   2.356 +@@ -76,6 +76,9 @@
   2.357 + #include <net/netdma.h>
   2.358 + 
   2.359 + int sysctl_tcp_timestamps __read_mostly = 1;
   2.360 ++#ifdef CONFIG_TCP_STEALTH
   2.361 ++EXPORT_SYMBOL(sysctl_tcp_timestamps);
   2.362 ++#endif
   2.363 + int sysctl_tcp_window_scaling __read_mostly = 1;
   2.364 + int sysctl_tcp_sack __read_mostly = 1;
   2.365 + int sysctl_tcp_fack __read_mostly = 1;
   2.366 +@@ -3666,6 +3669,47 @@ static bool tcp_fast_parse_options(const
   2.367 + 	return true;
   2.368 + }
   2.369 + 
   2.370 ++#ifdef CONFIG_TCP_STEALTH
   2.371 ++/* Parse only the TSVal field of the TCP Timestamp option header.
   2.372 ++ */
   2.373 ++const bool tcp_parse_tsval_option(u32 *tsval, const struct tcphdr *th)
   2.374 ++{
   2.375 ++	int length = (th->doff << 2) - sizeof(*th);
   2.376 ++	const u8 *ptr = (const u8 *)(th + 1);
   2.377 ++
   2.378 ++	/* If the TCP option is too short, we can short cut */
   2.379 ++	if (length < TCPOLEN_TIMESTAMP)
   2.380 ++		return false;
   2.381 ++
   2.382 ++	while (length > 0) {
   2.383 ++		int opcode = *ptr++;
   2.384 ++		int opsize;
   2.385 ++
   2.386 ++		switch (opcode) {
   2.387 ++		case TCPOPT_EOL:
   2.388 ++			return false;
   2.389 ++		case TCPOPT_NOP:
   2.390 ++			length--;
   2.391 ++			continue;
   2.392 ++		case TCPOPT_TIMESTAMP:
   2.393 ++			opsize = *ptr++;
   2.394 ++			if (opsize != TCPOLEN_TIMESTAMP || opsize > length)
   2.395 ++				return false;
   2.396 ++			*tsval = get_unaligned_be32(ptr);
   2.397 ++			return true;
   2.398 ++		default:
   2.399 ++			opsize = *ptr++;
   2.400 ++			if (opsize < 2 || opsize > length)
   2.401 ++				return false;
   2.402 ++		}
   2.403 ++		ptr += opsize - 2;
   2.404 ++		length -= opsize;
   2.405 ++	}
   2.406 ++	return false;
   2.407 ++}
   2.408 ++EXPORT_SYMBOL(tcp_parse_tsval_option);
   2.409 ++#endif
   2.410 ++
   2.411 + #ifdef CONFIG_TCP_MD5SIG
   2.412 + /*
   2.413 +  * Parse MD5 Signature option
   2.414 +@@ -4337,6 +4381,31 @@ err:
   2.415 + 	return -ENOMEM;
   2.416 + }
   2.417 + 
   2.418 ++#ifdef CONFIG_TCP_STEALTH
   2.419 ++static int __tcp_stealth_integrity_check(struct sock *sk, struct sk_buff *skb)
   2.420 ++{
   2.421 ++	struct tcphdr *th = tcp_hdr(skb);
   2.422 ++	struct tcp_sock *tp = tcp_sk(sk);
   2.423 ++	u16 hash;
   2.424 ++	__be32 seq = cpu_to_be32(TCP_SKB_CB(skb)->seq - 1);
   2.425 ++	char *data = skb->data + th->doff * 4;
   2.426 ++	int len = skb->len - th->doff * 4;
   2.427 ++
   2.428 ++	if (len < tp->stealth.integrity_len)
   2.429 ++		return 1;
   2.430 ++
   2.431 ++	if (tcp_stealth_integrity(&hash, tp->stealth.secret, data,
   2.432 ++				  tp->stealth.integrity_len))
   2.433 ++		return 1;
   2.434 ++
   2.435 ++	if (be32_isn_to_be16_ih(seq) != cpu_to_be16(hash))
   2.436 ++		return 1;
   2.437 ++
   2.438 ++	tp->stealth.mode &= ~TCP_STEALTH_MODE_INTEGRITY_LEN;
   2.439 ++	return 0;
   2.440 ++}
   2.441 ++#endif
   2.442 ++
   2.443 + static void tcp_data_queue(struct sock *sk, struct sk_buff *skb)
   2.444 + {
   2.445 + 	const struct tcphdr *th = tcp_hdr(skb);
   2.446 +@@ -4347,6 +4416,14 @@ static void tcp_data_queue(struct sock *
   2.447 + 	if (TCP_SKB_CB(skb)->seq == TCP_SKB_CB(skb)->end_seq)
   2.448 + 		goto drop;
   2.449 + 
   2.450 ++#ifdef CONFIG_TCP_STEALTH
   2.451 ++	if (unlikely(tp->stealth.mode & TCP_STEALTH_MODE_INTEGRITY_LEN) &&
   2.452 ++	    __tcp_stealth_integrity_check(sk, skb)) {
   2.453 ++		tcp_reset(sk);
   2.454 ++		goto drop;
   2.455 ++	}
   2.456 ++#endif
   2.457 ++
   2.458 + 	skb_dst_drop(skb);
   2.459 + 	__skb_pull(skb, th->doff * 4);
   2.460 + 
   2.461 +@@ -5171,6 +5248,15 @@ void tcp_rcv_established(struct sock *sk
   2.462 + 			int copied_early = 0;
   2.463 + 			bool fragstolen = false;
   2.464 + 
   2.465 ++#ifdef CONFIG_TCP_STEALTH
   2.466 ++			if (unlikely(tp->stealth.mode &
   2.467 ++				     TCP_STEALTH_MODE_INTEGRITY_LEN) &&
   2.468 ++			    __tcp_stealth_integrity_check(sk, skb)) {
   2.469 ++				tcp_reset(sk);
   2.470 ++				goto discard;
   2.471 ++			}
   2.472 ++#endif
   2.473 ++
   2.474 + 			if (tp->copied_seq == tp->rcv_nxt &&
   2.475 + 			    len - tcp_header_len <= tp->ucopy.len) {
   2.476 + #ifdef CONFIG_NET_DMA
   2.477 +diff -Nurp linux-3.16/net/ipv4/tcp_ipv4.c linux-3.16-knock/net/ipv4/tcp_ipv4.c
   2.478 +--- linux-3.16/net/ipv4/tcp_ipv4.c	2014-08-03 18:25:02.000000000 -0400
   2.479 ++++ linux-3.16-knock/net/ipv4/tcp_ipv4.c	2014-08-19 05:50:27.217441897 -0400
   2.480 +@@ -76,6 +76,7 @@
   2.481 + #include <net/secure_seq.h>
   2.482 + #include <net/tcp_memcontrol.h>
   2.483 + #include <net/busy_poll.h>
   2.484 ++#include <net/secure_seq.h>
   2.485 + 
   2.486 + #include <linux/inet.h>
   2.487 + #include <linux/ipv6.h>
   2.488 +@@ -235,6 +236,21 @@ int tcp_v4_connect(struct sock *sk, stru
   2.489 + 	sk->sk_gso_type = SKB_GSO_TCPV4;
   2.490 + 	sk_setup_caps(sk, &rt->dst);
   2.491 + 
   2.492 ++#ifdef CONFIG_TCP_STEALTH
   2.493 ++	/* If CONFIG_TCP_STEALTH is defined, we need to know the timestamp as
   2.494 ++	 * early as possible and thus move taking the snapshot of tcp_time_stamp
   2.495 ++	 * here.
   2.496 ++	 */
   2.497 ++	tp->stealth.tsval = tcp_time_stamp;
   2.498 ++
   2.499 ++	if (!tp->write_seq && likely(!tp->repair) &&
   2.500 ++	    unlikely(tp->stealth.mode & TCP_STEALTH_MODE_AUTH))
   2.501 ++		tp->write_seq = tcp_stealth_sequence_number(sk,
   2.502 ++					&inet->inet_daddr,
   2.503 ++					sizeof(inet->inet_daddr),
   2.504 ++					usin->sin_port);
   2.505 ++#endif
   2.506 ++
   2.507 + 	if (!tp->write_seq && likely(!tp->repair))
   2.508 + 		tp->write_seq = secure_tcp_sequence_number(inet->inet_saddr,
   2.509 + 							   inet->inet_daddr,
   2.510 +@@ -1546,6 +1562,8 @@ static struct sock *tcp_v4_hnd_req(struc
   2.511 +  */
   2.512 + int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
   2.513 + {
   2.514 ++	struct tcp_sock *tp = tcp_sk(sk);
   2.515 ++	struct tcphdr *th = tcp_hdr(skb);
   2.516 + 	struct sock *rsk;
   2.517 + #ifdef CONFIG_TCP_MD5SIG
   2.518 + 	/*
   2.519 +@@ -1576,6 +1594,15 @@ int tcp_v4_do_rcv(struct sock *sk, struc
   2.520 + 	if (skb->len < tcp_hdrlen(skb) || tcp_checksum_complete(skb))
   2.521 + 		goto csum_err;
   2.522 + 
   2.523 ++#ifdef CONFIG_TCP_STEALTH
   2.524 ++	if (sk->sk_state == TCP_LISTEN && th->syn && !th->fin &&
   2.525 ++	    unlikely(tp->stealth.mode & TCP_STEALTH_MODE_AUTH) &&
   2.526 ++	    tcp_stealth_do_auth(sk, skb)) {
   2.527 ++		rsk = sk;
   2.528 ++		goto reset;
   2.529 ++	}
   2.530 ++#endif
   2.531 ++
   2.532 + 	if (sk->sk_state == TCP_LISTEN) {
   2.533 + 		struct sock *nsk = tcp_v4_hnd_req(sk, skb);
   2.534 + 		if (!nsk)
   2.535 +diff -Nurp linux-3.16/net/ipv4/tcp_output.c linux-3.16-knock/net/ipv4/tcp_output.c
   2.536 +--- linux-3.16/net/ipv4/tcp_output.c	2014-08-03 18:25:02.000000000 -0400
   2.537 ++++ linux-3.16-knock/net/ipv4/tcp_output.c	2014-08-11 07:29:32.776405670 -0400
   2.538 +@@ -2486,10 +2486,22 @@ int __tcp_retransmit_skb(struct sock *sk
   2.539 + 
   2.540 + 	tcp_retrans_try_collapse(sk, skb, cur_mss);
   2.541 + 
   2.542 ++#ifdef CONFIG_TCP_STEALTH
   2.543 ++	if (unlikely(TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN &&
   2.544 ++		     tp->stealth.mode & TCP_STEALTH_MODE_AUTH)) {
   2.545 ++		/* If TCP stealth is active, reuse the timestamp from the first
   2.546 ++		 * SYN.
   2.547 ++		 */
   2.548 ++		TCP_SKB_CB(skb)->when = tp->stealth.tsval;
   2.549 ++	} else {
   2.550 ++		TCP_SKB_CB(skb)->when = tcp_time_stamp;
   2.551 ++	}
   2.552 ++#else
   2.553 + 	/* Make a copy, if the first transmission SKB clone we made
   2.554 + 	 * is still in somebody's hands, else make a clone.
   2.555 + 	 */
   2.556 + 	TCP_SKB_CB(skb)->when = tcp_time_stamp;
   2.557 ++#endif
   2.558 + 
   2.559 + 	/* make sure skb->data is aligned on arches that require it
   2.560 + 	 * and check if ack-trimming & collapsing extended the headroom
   2.561 +@@ -3094,7 +3106,15 @@ int tcp_connect(struct sock *sk)
   2.562 + 		return -ENOBUFS;
   2.563 + 
   2.564 + 	tcp_init_nondata_skb(buff, tp->write_seq++, TCPHDR_SYN);
   2.565 ++#ifdef CONFIG_TCP_STEALTH
   2.566 ++	/* The timetamp was already set at the time the ISN was generated
   2.567 ++	 * as we need to know its value in the stealth_tcp_sequence_number()
   2.568 ++	 * function.
   2.569 ++	 */
   2.570 ++	tp->retrans_stamp = TCP_SKB_CB(buff)->when = tp->stealth.tsval;
   2.571 ++#else
   2.572 + 	tp->retrans_stamp = TCP_SKB_CB(buff)->when = tcp_time_stamp;
   2.573 ++#endif
   2.574 + 	tcp_connect_queue_skb(sk, buff);
   2.575 + 	TCP_ECN_send_syn(sk, buff);
   2.576 + 
   2.577 +diff -Nurp linux-3.16/net/ipv6/tcp_ipv6.c linux-3.16-knock/net/ipv6/tcp_ipv6.c
   2.578 +--- linux-3.16/net/ipv6/tcp_ipv6.c	2014-08-03 18:25:02.000000000 -0400
   2.579 ++++ linux-3.16-knock/net/ipv6/tcp_ipv6.c	2014-08-19 06:24:12.497532484 -0400
   2.580 +@@ -64,6 +64,7 @@
   2.581 + #include <net/secure_seq.h>
   2.582 + #include <net/tcp_memcontrol.h>
   2.583 + #include <net/busy_poll.h>
   2.584 ++#include <net/secure_seq.h>
   2.585 + 
   2.586 + #include <linux/proc_fs.h>
   2.587 + #include <linux/seq_file.h>
   2.588 +@@ -294,6 +295,21 @@ static int tcp_v6_connect(struct sock *s
   2.589 + 	if (err)
   2.590 + 		goto late_failure;
   2.591 + 
   2.592 ++#ifdef CONFIG_TCP_STEALTH
   2.593 ++	/* If CONFIG_TCP_STEALTH is defined, we need to know the timestamp as
   2.594 ++	 * early as possible and thus move taking the snapshot of tcp_time_stamp
   2.595 ++	 * here.
   2.596 ++	 */
   2.597 ++	tp->stealth.tsval = tcp_time_stamp;
   2.598 ++
   2.599 ++	if (!tp->write_seq && likely(!tp->repair) &&
   2.600 ++	    unlikely(tp->stealth.mode & TCP_STEALTH_MODE_AUTH))
   2.601 ++		tp->write_seq = tcp_stealth_sequence_number(sk,
   2.602 ++					sk->sk_v6_daddr.s6_addr32,
   2.603 ++					sizeof(sk->sk_v6_daddr),
   2.604 ++					inet->inet_dport);
   2.605 ++#endif
   2.606 ++
   2.607 + 	if (!tp->write_seq && likely(!tp->repair))
   2.608 + 		tp->write_seq = secure_tcpv6_sequence_number(np->saddr.s6_addr32,
   2.609 + 							     sk->sk_v6_daddr.s6_addr32,
   2.610 +@@ -1343,7 +1359,8 @@ out:
   2.611 + static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
   2.612 + {
   2.613 + 	struct ipv6_pinfo *np = inet6_sk(sk);
   2.614 +-	struct tcp_sock *tp;
   2.615 ++	struct tcp_sock *tp = tcp_sk(sk);
   2.616 ++	struct tcphdr *th = tcp_hdr(skb);
   2.617 + 	struct sk_buff *opt_skb = NULL;
   2.618 + 
   2.619 + 	/* Imagine: socket is IPv6. IPv4 packet arrives,
   2.620 +@@ -1407,6 +1424,13 @@ static int tcp_v6_do_rcv(struct sock *sk
   2.621 + 	if (skb->len < tcp_hdrlen(skb) || tcp_checksum_complete(skb))
   2.622 + 		goto csum_err;
   2.623 + 
   2.624 ++#ifdef CONFIG_TCP_STEALTH
   2.625 ++	if (sk->sk_state == TCP_LISTEN && th->syn && !th->fin &&
   2.626 ++	    tp->stealth.mode & TCP_STEALTH_MODE_AUTH &&
   2.627 ++	    tcp_stealth_do_auth(sk, skb))
   2.628 ++		goto reset;
   2.629 ++#endif
   2.630 ++
   2.631 + 	if (sk->sk_state == TCP_LISTEN) {
   2.632 + 		struct sock *nsk = tcp_v6_hnd_req(sk, skb);
   2.633 + 		if (!nsk)
     3.1 --- a/openssh-pam/receipt	Thu May 17 10:47:21 2018 +0200
     3.2 +++ b/openssh-pam/receipt	Fri May 18 13:47:33 2018 +0200
     3.3 @@ -21,6 +21,7 @@
     3.4  # Rules to configure and make the package.
     3.5  compile_rules()
     3.6  {
     3.7 +	patch -p1 < ../$SOURCE/stuff/knock.u
     3.8  	unset LD # for cross compiling with --disable-strip
     3.9  	./configure \
    3.10  		--prefix=/usr \
     4.1 --- a/openssh/receipt	Thu May 17 10:47:21 2018 +0200
     4.2 +++ b/openssh/receipt	Fri May 18 13:47:33 2018 +0200
     4.3 @@ -21,6 +21,7 @@
     4.4  # Rules to configure and make the package.
     4.5  compile_rules()
     4.6  {
     4.7 +	patch -p1 < $stuff/knock.u
     4.8  	unset LD # for cross compiling with --disable-strip
     4.9  	./configure \
    4.10  		--prefix=/usr \
     5.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     5.2 +++ b/openssh/stuff/knock.u	Fri May 18 13:47:33 2018 +0200
     5.3 @@ -0,0 +1,504 @@
     5.4 +From https://gnunet.org/knock :
     5.5 +https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff
     5.6 +--- a/readconf.c
     5.7 ++++ b/readconf.c
     5.8 +@@ -172,6 +172,9 @@
     5.9 + 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
    5.10 + 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
    5.11 + 	oPubkeyAcceptedKeyTypes, oProxyJump,
    5.12 ++#ifdef TCP_STEALTH
    5.13 ++	oTCPStealthSecret,
    5.14 ++#endif
    5.15 + 	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
    5.16 + } OpCodes;
    5.17 + 
    5.18 +@@ -305,6 +308,9 @@
    5.19 + 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
    5.20 + 	{ "ignoreunknown", oIgnoreUnknown },
    5.21 + 	{ "proxyjump", oProxyJump },
    5.22 ++#ifdef TCP_STEALTH
    5.23 ++	{ "tcpstealthsecret", oTCPStealthSecret },
    5.24 ++#endif
    5.25 + 
    5.26 + 	{ NULL, oBadOption }
    5.27 + };
    5.28 +@@ -1669,6 +1675,23 @@
    5.29 + 		charptr = &options->identity_agent;
    5.30 + 		goto parse_string;
    5.31 + 
    5.32 ++#ifdef TCP_STEALTH
    5.33 ++	case oTCPStealthSecret:
    5.34 ++		charptr = &options->tcp_stealth_secret;
    5.35 ++
    5.36 ++		arg = strdelim(&s);
    5.37 ++		if (!arg || *arg == '\0')
    5.38 ++			fatal("%.200s line %d: Missing argument.",
    5.39 ++				filename, linenum);
    5.40 ++
    5.41 ++		if (*activep && *charptr == NULL) {
    5.42 ++			*charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
    5.43 ++			memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
    5.44 ++			strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
    5.45 ++		}
    5.46 ++
    5.47 ++		break;
    5.48 ++#endif
    5.49 + 	case oDeprecated:
    5.50 + 		debug("%s line %d: Deprecated option \"%s\"",
    5.51 + 		    filename, linenum, keyword);
    5.52 +@@ -1869,6 +1892,9 @@
    5.53 + 	options->update_hostkeys = -1;
    5.54 + 	options->hostbased_key_types = NULL;
    5.55 + 	options->pubkey_key_types = NULL;
    5.56 ++#ifdef TCP_STEALTH
    5.57 ++	options->tcp_stealth_secret = NULL;
    5.58 ++#endif
    5.59 + }
    5.60 + 
    5.61 + /*
    5.62 +--- a/readconf.h
    5.63 ++++ b/readconf.h
    5.64 +@@ -164,6 +164,10 @@
    5.65 + 	char   *jump_extra;
    5.66 + 
    5.67 + 	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
    5.68 ++
    5.69 ++#ifdef TCP_STEALTH
    5.70 ++	char	*tcp_stealth_secret;
    5.71 ++#endif
    5.72 + }       Options;
    5.73 + 
    5.74 + #define SSH_CANONICALISE_NO	0
    5.75 +--- a/servconf.c
    5.76 ++++ b/servconf.c
    5.77 +@@ -165,6 +165,9 @@
    5.78 + 	options->fingerprint_hash = -1;
    5.79 + 	options->disable_forwarding = -1;
    5.80 + 	options->expose_userauth_info = -1;
    5.81 ++#ifdef TCP_STEALTH
    5.82 ++	options->tcp_stealth_secret = NULL;
    5.83 ++#endif
    5.84 + }
    5.85 + 
    5.86 + /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
    5.87 +@@ -422,6 +425,9 @@
    5.88 + 	sStreamLocalBindMask, sStreamLocalBindUnlink,
    5.89 + 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
    5.90 + 	sExposeAuthInfo,
    5.91 ++#ifdef TCP_STEALTH
    5.92 ++	sTCPStealthSecret,
    5.93 ++#endif
    5.94 + 	sDeprecated, sIgnore, sUnsupported
    5.95 + } ServerOpCodes;
    5.96 + 
    5.97 +@@ -566,6 +572,9 @@
    5.98 + 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
    5.99 + 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
   5.100 + 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
   5.101 ++#ifdef TCP_STEALTH
   5.102 ++	{ "tcpstealthsecret", sTCPStealthSecret },
   5.103 ++#endif
   5.104 + 	{ NULL, sBadOption, 0 }
   5.105 + };
   5.106 + 
   5.107 +@@ -1883,6 +1892,23 @@
   5.108 + 		intptr = &options->expose_userauth_info;
   5.109 + 		goto parse_flag;
   5.110 + 
   5.111 ++#ifdef TCP_STEALTH
   5.112 ++	case sTCPStealthSecret:
   5.113 ++		charptr = &options->tcp_stealth_secret;
   5.114 ++
   5.115 ++		arg = strdelim(&cp);
   5.116 ++		if (!arg || *arg == '\0')
   5.117 ++			fatal("%s line %d: Missing argument.",
   5.118 ++				filename, linenum);
   5.119 ++
   5.120 ++		if (*activep && *charptr == NULL) {
   5.121 ++			*charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
   5.122 ++			memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
   5.123 ++			strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
   5.124 ++		}
   5.125 ++
   5.126 ++		break;
   5.127 ++#endif
   5.128 + 	case sDeprecated:
   5.129 + 	case sIgnore:
   5.130 + 	case sUnsupported:
   5.131 +--- a/servconf.h
   5.132 ++++ b/servconf.h
   5.133 +@@ -198,6 +198,10 @@
   5.134 + 
   5.135 + 	int	fingerprint_hash;
   5.136 + 	int	expose_userauth_info;
   5.137 ++
   5.138 ++#ifdef TCP_STEALTH
   5.139 ++	char	*tcp_stealth_secret;
   5.140 ++#endif
   5.141 + }       ServerOptions;
   5.142 + 
   5.143 + /* Information about the incoming connection as used by Match */
   5.144 +@@ -219,6 +223,11 @@
   5.145 +  * NB. an option must appear in servconf.c:copy_set_server_options() or
   5.146 +  * COPY_MATCH_STRING_OPTS here but never both.
   5.147 +  */
   5.148 ++#ifdef TCP_STEALTH
   5.149 ++#define M_CP_STEALTHSCRT(X)	M_CP_STROPT(X);
   5.150 ++#else
   5.151 ++#define M_CP_STEALTHSCRT(X)
   5.152 ++#endif
   5.153 + #define COPY_MATCH_STRING_OPTS() do { \
   5.154 + 		M_CP_STROPT(banner); \
   5.155 + 		M_CP_STROPT(trusted_user_ca_keys); \
   5.156 +@@ -238,6 +247,7 @@
   5.157 + 		M_CP_STRARRAYOPT(accept_env, num_accept_env); \
   5.158 + 		M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
   5.159 + 		M_CP_STRARRAYOPT_ALLOC(permitted_opens, num_permitted_opens); \
   5.160 ++		M_CP_STEALTHSCRT(tcp_stealth_secret); \
   5.161 + 	} while (0)
   5.162 + 
   5.163 + struct connection_info *get_connection_info(int, int);
   5.164 +--- a/ssh.c
   5.165 ++++ b/ssh.c
   5.166 +@@ -191,6 +191,14 @@
   5.167 + extern int muxserver_sock;
   5.168 + extern u_int muxclient_command;
   5.169 + 
   5.170 ++#ifdef TCP_STEALTH
   5.171 ++#define OPT_STEALTH	"[-z tcp_stealth_secret] "
   5.172 ++#define GETOPT_STEALTH	"z:"
   5.173 ++#else
   5.174 ++#define OPT_STEALTH	""
   5.175 ++#define GETOPT_STEALTH	""
   5.176 ++#endif
   5.177 ++
   5.178 + /* Prints a help message to the user.  This function never returns. */
   5.179 + 
   5.180 + static void
   5.181 +@@ -203,7 +211,7 @@
   5.182 + "           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
   5.183 + "           [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]\n"
   5.184 + "           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]\n"
   5.185 +-"           [user@]hostname [command]\n"
   5.186 ++"           " OPT_STEALTH "[user@]hostname [command]\n"
   5.187 + 	);
   5.188 + 	exit(255);
   5.189 + }
   5.190 +@@ -612,7 +620,7 @@
   5.191 + 
   5.192 +  again:
   5.193 + 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
   5.194 +-	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
   5.195 ++	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
   5.196 + 		switch (opt) {
   5.197 + 		case '1':
   5.198 + 			fatal("SSH protocol v.1 is no longer supported");
   5.199 +@@ -921,6 +929,14 @@
   5.200 + 		case 'F':
   5.201 + 			config = optarg;
   5.202 + 			break;
   5.203 ++#ifdef TCP_STEALTH
   5.204 ++		case 'z':
   5.205 ++			options.tcp_stealth_secret =
   5.206 ++				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   5.207 ++			strncpy(options.tcp_stealth_secret, optarg,
   5.208 ++				TCP_STEALTH_SECRET_SIZE);
   5.209 ++			break;
   5.210 ++#endif
   5.211 + 		default:
   5.212 + 			usage();
   5.213 + 		}
   5.214 +--- a/sshd.c
   5.215 ++++ b/sshd.c
   5.216 +@@ -896,6 +896,14 @@
   5.217 + 	return (r < p) ? 1 : 0;
   5.218 + }
   5.219 + 
   5.220 ++#ifdef TCP_STEALTH
   5.221 ++#define OPT_STEALTH	" [-z tcp_stealth_secret]"
   5.222 ++#define GETOPT_STEALTH	"z:"
   5.223 ++#else
   5.224 ++#define OPT_STEALTH	""
   5.225 ++#define GETOPT_STEALTH	""
   5.226 ++#endif
   5.227 ++
   5.228 + static void
   5.229 + usage(void)
   5.230 + {
   5.231 +@@ -911,6 +919,7 @@
   5.232 + "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
   5.233 + "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
   5.234 + "            [-h host_key_file] [-o option] [-p port] [-u len]\n"
   5.235 ++"            " OPT_STEALTH "\n"
   5.236 + 	);
   5.237 + 	exit(1);
   5.238 + }
   5.239 +@@ -1057,6 +1066,15 @@
   5.240 + 		if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
   5.241 + 		    &on, sizeof(on)) == -1)
   5.242 + 			error("setsockopt SO_REUSEADDR: %s", strerror(errno));
   5.243 ++#ifdef TCP_STEALTH
   5.244 ++		if (options.tcp_stealth_secret != NULL) {
   5.245 ++			if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
   5.246 ++			    options.tcp_stealth_secret,
   5.247 ++			    TCP_STEALTH_SECRET_SIZE) == -1)
   5.248 ++				error("setsockopt TCP_STEALTH: %s",
   5.249 ++				      strerror(errno));
   5.250 ++		}
   5.251 ++#endif
   5.252 + 
   5.253 + 		/* Only communicate in IPv6 over AF_INET6 sockets. */
   5.254 + 		if (ai->ai_family == AF_INET6)
   5.255 +@@ -1404,7 +1422,7 @@
   5.256 + 
   5.257 + 	/* Parse command-line arguments. */
   5.258 + 	while ((opt = getopt(ac, av,
   5.259 +-	    "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   5.260 ++	    GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   5.261 + 		switch (opt) {
   5.262 + 		case '4':
   5.263 + 			options.address_family = AF_INET;
   5.264 +@@ -1512,6 +1530,14 @@
   5.265 + 				exit(1);
   5.266 + 			free(line);
   5.267 + 			break;
   5.268 ++#ifdef TCP_STEALTH
   5.269 ++		case 'z':
   5.270 ++			options.tcp_stealth_secret =
   5.271 ++				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   5.272 ++			strncpy(options.tcp_stealth_secret, optarg,
   5.273 ++				TCP_STEALTH_SECRET_SIZE);
   5.274 ++			break;
   5.275 ++#endif
   5.276 + 		case '?':
   5.277 + 		default:
   5.278 + 			usage();
   5.279 +--- a/ssh_config.5
   5.280 ++++ b/ssh_config.5
   5.281 +@@ -1509,6 +1509,15 @@
   5.282 + .Pp
   5.283 + To disable TCP keepalive messages, the value should be set to
   5.284 + .Cm no .
   5.285 ++.It Cm TCPStealthSecret
   5.286 ++Specifies the shared secret which is needed to connect to a stealth SSH TCP
   5.287 ++Server. Any string specified will be truncated to or padded with zeroes to 64
   5.288 ++bytes. This option needs kernel support and is therefore only available if the
   5.289 ++required
   5.290 ++.Xr setsockopt 2
   5.291 ++call is available.
   5.292 ++.Pp
   5.293 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   5.294 + .It Cm Tunnel
   5.295 + Request
   5.296 + .Xr tun 4
   5.297 +--- a/sshd_config.5
   5.298 ++++ b/sshd_config.5
   5.299 +@@ -1444,6 +1444,18 @@
   5.300 + .Pp
   5.301 + To disable TCP keepalive messages, the value should be set to
   5.302 + .Cm no .
   5.303 ++.It Cm TCPStealthSecret
   5.304 ++Turns this SSH server into a stealth SSH TCP server. This configuration option
   5.305 ++specifies the shared secret needed by the clients in order to be able to connect
   5.306 ++to the port the SSH server is listening on. This means that port scanners will
   5.307 ++receive a TCP RST and thus will not recognize this TCP port being open.  Any
   5.308 ++string specified will be truncated or padded with zeroes to 64 bytes. This
   5.309 ++option needs kernel support and is therefore only available if the required
   5.310 ++.Xr setsockopt 2
   5.311 ++call is available.
   5.312 ++.Pp
   5.313 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   5.314 ++
   5.315 + .It Cm TrustedUserCAKeys
   5.316 + Specifies a file containing public keys of certificate authorities that are
   5.317 + trusted to sign user certificates for authentication, or
   5.318 +--- a/sshd.0
   5.319 ++++ b/sshd.0
   5.320 +@@ -7,6 +7,7 @@
   5.321 +      sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
   5.322 +           [-E log_file] [-f config_file] [-g login_grace_time]
   5.323 +           [-h host_key_file] [-o option] [-p port] [-u len]
   5.324 ++          [-z tcp_stealth_secret]
   5.325 + 
   5.326 + DESCRIPTION
   5.327 +      sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
   5.328 +@@ -121,6 +122,20 @@
   5.329 +              from="pattern-list" option in a key file.  Configuration options
   5.330 +              that require DNS include using a USER@HOST pattern in AllowUsers
   5.331 +              or DenyUsers.
   5.332 ++     -z tcp_stealth_secret
   5.333 ++             Turns this SSH server into a Stealth SSH TCP Server. This option
   5.334 ++             specifies the shared secret which is needed by the clients in order
   5.335 ++             to be able to connect to the port the SSH server is listening on.
   5.336 ++             Any string specified will be truncated or padded with zeroes to 64
   5.337 ++             bytes. This option needs kernel support and is therefore only
   5.338 ++             available if the required setsockopt() call is available.
   5.339 ++             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   5.340 ++             for details.
   5.341 ++
   5.342 ++             IMPORTANT: This option should only be used for the purpose of
   5.343 ++             testing as other users could easily read out the secret from the
   5.344 ++             command line arguments. The TCPStealthSecret configuration option
   5.345 ++             is the preferred way of specifying the TCP Stealth secret.
   5.346 + 
   5.347 + AUTHENTICATION
   5.348 +      The OpenSSH SSH daemon supports SSH protocol 2 only.  Each host has a
   5.349 +--- openssh-6.7p1/ssh.0	2014-10-05 23:39:37.000000000 -0400
   5.350 ++++ openssh-6.7p1-knock/ssh.0	2014-11-05 20:35:44.216514377 -0500
   5.351 +@@ -425,6 +425,20 @@ DESCRIPTION
   5.352 +      -y      Send log information using the syslog(3) system module.  By
   5.353 +              default this information is sent to stderr.
   5.354 + 
   5.355 ++     -z tcp_stealth_secret
   5.356 ++             Specifies the shared secret which is needed to connect to a stealth
   5.357 ++             SSH TCP server. Any string specified will be truncated to or padded
   5.358 ++             with zeroes to 64 bytes. This option needs kernel support and is
   5.359 ++             therefore only available if the required setsockopt() call is
   5.360 ++             available.
   5.361 ++             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   5.362 ++             for details.
   5.363 ++
   5.364 ++             IMPORTANT: This option should only be used for the purpose of
   5.365 ++             testing as other users could easily read out the secret from the
   5.366 ++             command line arguments. The TCPStealthSecret configuration option
   5.367 ++             is the preferred way of specifying the TCP Stealth secret.
   5.368 ++
   5.369 +      ssh may additionally obtain configuration data from a per-user
   5.370 +      configuration file and a system-wide configuration file.  The file format
   5.371 +      and configuration options are described in ssh_config(5).
   5.372 +--- openssh-6.7p1/ssh.1	2014-07-29 22:32:28.000000000 -0400
   5.373 ++++ openssh-6.7p1-knock/ssh.1	2014-11-07 13:56:02.022226289 -0500
   5.374 +@@ -64,6 +64,7 @@
   5.375 + .Op Fl S Ar ctl_path
   5.376 + .Op Fl W Ar host : Ns Ar port
   5.377 + .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
   5.378 ++.Op Fl z Ar tcp_stealth_secret
   5.379 + .Oo Ar user Ns @ Oc Ns Ar hostname
   5.380 + .Op Ar command
   5.381 + .Ek
   5.382 +@@ -528,6 +529,7 @@ For full details of the options listed b
   5.383 + .It StreamLocalBindUnlink
   5.384 + .It StrictHostKeyChecking
   5.385 + .It TCPKeepAlive
   5.386 ++.It TCPStealthSecret
   5.387 + .It Tunnel
   5.388 + .It TunnelDevice
   5.389 + .It UpdateHostKeys
   5.390 +@@ -777,6 +779,21 @@ Send log information using the
   5.391 + .Xr syslog 3
   5.392 + system module.
   5.393 + By default this information is sent to stderr.
   5.394 ++.It Fl z Ar tcp_stealth_secret
   5.395 ++Specifies the shared secret which is needed to connect to a stealth SSH TCP
   5.396 ++server. Any string specified will be truncated to or padded with zeroes to 64
   5.397 ++bytes. This option needs kernel support and is therefore only available if the
   5.398 ++required
   5.399 ++.Xr setsockopt 2
   5.400 ++call is available.
   5.401 ++.Pp
   5.402 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   5.403 ++.Pp
   5.404 ++.Cm IMPORTANT:
   5.405 ++This option should only be used for the purpose of testing as other users could
   5.406 ++easily read out the secret from the command line arguments. The
   5.407 ++.Cm TCPStealthSecret
   5.408 ++configuration option is the preferred way of specifying the TCP Stealth secret.
   5.409 + .El
   5.410 + .Pp
   5.411 + .Nm
   5.412 +--- openssh-6.7p1/ssh_config.0	2014-10-05 23:39:38.000000000 -0400
   5.413 ++++ openssh-6.7p1-knock/ssh_config.0	2014-11-05 20:48:17.064514377 -0500
   5.414 +@@ -919,6 +919,15 @@ DESCRIPTION
   5.415 + 
   5.416 +              To disable TCP keepalive messages, the value should be set to no.
   5.417 + 
   5.418 ++     TCPStealthSecret
   5.419 ++             Specifies the shared secret which is needed to connect to a stealth
   5.420 ++             SSH TCP Server. Any string specified will be truncated to or padded
   5.421 ++             with zeroes to 64 bytes. This option needs kernel support and is
   5.422 ++             therefore only available if the required setsockopt() call is
   5.423 ++             available.
   5.424 ++             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   5.425 ++             for details.
   5.426 ++
   5.427 +      Tunnel  Request tun(4) device forwarding between the client and the
   5.428 +              server.  The argument must be yes, point-to-point (layer 3),
   5.429 +              ethernet (layer 2), or no (the default).  Specifying yes requests
   5.430 +--- openssh-6.7p1/sshconnect.c	2014-07-18 00:11:26.000000000 -0400
   5.431 ++++ openssh-6.7p1-knock/sshconnect.c	2014-11-07 14:07:11.342196835 -0500
   5.432 +@@ -286,6 +286,18 @@ ssh_create_socket(int privileged, struct
   5.433 + 	}
   5.434 + 	fcntl(sock, F_SETFD, FD_CLOEXEC);
   5.435 + 
   5.436 ++#ifdef TCP_STEALTH
   5.437 ++	if (options.tcp_stealth_secret) {
   5.438 ++		if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH,
   5.439 ++			       options.tcp_stealth_secret,
   5.440 ++			       TCP_STEALTH_SECRET_SIZE) == -1) {
   5.441 ++			error("setsockopt TCP_STEALTH: %s", strerror(errno));
   5.442 ++			close(sock);
   5.443 ++			return -1;
   5.444 ++		}
   5.445 ++	}
   5.446 ++#endif
   5.447 ++
   5.448 + 	/* Bind the socket to an alternative local IP address */
   5.449 + 	if (options.bind_address == NULL && !privileged)
   5.450 + 		return sock;
   5.451 +--- openssh-6.7p1/sshd.8	2014-07-03 19:00:04.000000000 -0400
   5.452 ++++ openssh-6.7p1-knock/sshd.8	2014-11-07 14:00:14.506215178 -0500
   5.453 +@@ -53,6 +53,7 @@
   5.454 + .Op Fl o Ar option
   5.455 + .Op Fl p Ar port
   5.456 + .Op Fl u Ar len
   5.457 ++.Op Fl z Ar tcp_stealth_secret
   5.458 + .Ek
   5.459 + .Sh DESCRIPTION
   5.460 + .Nm
   5.461 +@@ -243,6 +244,24 @@ USER@HOST pattern in
   5.462 + .Cm AllowUsers
   5.463 + or
   5.464 + .Cm DenyUsers .
   5.465 ++.It Fl z Ar tcp_stealth_secret
   5.466 ++Turns this SSH server into a stealth SSH TCP server. This option specifies the
   5.467 ++shared secret which is needed by the clients in order to be able to connect to
   5.468 ++the port the SSH server is listening on.  Any string specified will be truncated
   5.469 ++or padded with zeroes to 64 bytes. This option needs kernel support and is
   5.470 ++therefore only available if the required
   5.471 ++.Xr setsockopt 2
   5.472 ++call is available.
   5.473 ++.Pp
   5.474 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   5.475 ++
   5.476 ++.Cm IMPORTANT:
   5.477 ++This option should only be used for the purpose of
   5.478 ++testing as other users could easily read out the secret from the
   5.479 ++command line arguments. The
   5.480 ++.Cm TCPStealthSecret
   5.481 ++configuration option
   5.482 ++is the preferred way of specifying the TCP Stealth secret.
   5.483 + .El
   5.484 + .Sh AUTHENTICATION
   5.485 + The OpenSSH SSH daemon supports SSH protocol 2 only.
   5.486 +--- openssh-6.7p1/sshd_config.0	2014-10-05 23:39:38.000000000 -0400
   5.487 ++++ openssh-6.7p1-knock/sshd_config.0	2014-11-07 14:01:07.530212845 -0500
   5.488 +@@ -872,6 +872,19 @@ DESCRIPTION
   5.489 + 
   5.490 +              To disable TCP keepalive messages, the value should be set to no.
   5.491 + 
   5.492 ++     TCPStealthSecret
   5.493 ++             Turns this SSH server into a stealth SSH TCP server. This
   5.494 ++             configuration option specifies the shared secret needed by the
   5.495 ++             clients in order to be able to connect to the port the SSH server
   5.496 ++             is listening on. This means that port scanners will receive a
   5.497 ++             TCP RST and thus will not recognize this TCP port being open.
   5.498 ++
   5.499 ++             Any string specified will be truncated or padded with zeroes to 64
   5.500 ++             bytes. This option needs kernel support and is therefore only
   5.501 ++             available if the required setsockopt() call is available.
   5.502 ++             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   5.503 ++             for details.
   5.504 ++
   5.505 +      TrustedUserCAKeys
   5.506 +              Specifies a file containing public keys of certificate
   5.507 +              authorities that are trusted to sign user certificates for
     6.1 --- a/tazlito/receipt	Thu May 17 10:47:21 2018 +0200
     6.2 +++ b/tazlito/receipt	Fri May 18 13:47:33 2018 +0200
     6.3 @@ -1,7 +1,7 @@
     6.4  # SliTaz package receipt.
     6.5  
     6.6  PACKAGE="tazlito"
     6.7 -VERSION="498"
     6.8 +VERSION="500"
     6.9  CATEGORY="base-system"
    6.10  SHORT_DESC="SliTaz Live Tool."
    6.11  MAINTAINER="pascal.bellard@slitaz.org"