wok rev 20313
linux, openssh: add tcp_stealth patch
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Fri May 18 13:47:33 2018 +0200 (2018-05-18) |
parents | f215c72530a6 |
children | d5a889ec499e |
files | linux/receipt linux/stuff/linux-tcp_stealth.u openssh-pam/receipt openssh/receipt openssh/stuff/knock.u tazlito/receipt |
line diff
1.1 --- a/linux/receipt Thu May 17 10:47:21 2018 +0200 1.2 +++ b/linux/receipt Fri May 18 13:47:33 2018 +0200 1.3 @@ -219,6 +219,7 @@ 1.4 $PACKAGE-freeinitrd.u 1.5 $PACKAGE-subroot.u 1.6 $PACKAGE-romfs.u 1.7 +$PACKAGE-tcp_stealth.u 1.8 aufs3-base.patch 1.9 aufs3-standalone.patch 1.10 aufs3-loopback.patch
2.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 2.2 +++ b/linux/stuff/linux-tcp_stealth.u Fri May 18 13:47:33 2018 +0200 2.3 @@ -0,0 +1,630 @@ 2.4 +From https://gnunet.org/knock : 2.5 +https://gnunet.org/sites/default/files/tcp_stealth_3.16_1.diff 2.6 +Signed-off-by: Julian Kirsch <kirschju@sec.in.tum.de> 2.7 +--- 2.8 +diff -Nurp linux-3.16/include/linux/tcp.h linux-3.16-knock/include/linux/tcp.h 2.9 +--- linux-3.16/include/linux/tcp.h 2014-08-03 18:25:02.000000000 -0400 2.10 ++++ linux-3.16-knock/include/linux/tcp.h 2014-08-19 06:15:42.329509665 -0400 2.11 +@@ -20,6 +20,7 @@ 2.12 + 2.13 + #include <linux/skbuff.h> 2.14 + #include <linux/dmaengine.h> 2.15 ++#include <linux/cryptohash.h> 2.16 + #include <net/sock.h> 2.17 + #include <net/inet_connection_sock.h> 2.18 + #include <net/inet_timewait_sock.h> 2.19 +@@ -325,6 +326,21 @@ struct tcp_sock { 2.20 + struct tcp_md5sig_info __rcu *md5sig_info; 2.21 + #endif 2.22 + 2.23 ++#ifdef CONFIG_TCP_STEALTH 2.24 ++/* Stealth TCP socket configuration */ 2.25 ++ struct { 2.26 ++ #define TCP_STEALTH_MODE_AUTH BIT(0) 2.27 ++ #define TCP_STEALTH_MODE_INTEGRITY BIT(1) 2.28 ++ #define TCP_STEALTH_MODE_INTEGRITY_LEN BIT(2) 2.29 ++ int mode; 2.30 ++ u8 secret[MD5_MESSAGE_BYTES]; 2.31 ++ int integrity_len; 2.32 ++ u16 integrity_hash; 2.33 ++ u32 tsval; 2.34 ++ bool saw_tsval; 2.35 ++ } stealth; 2.36 ++#endif 2.37 ++ 2.38 + /* TCP fastopen related information */ 2.39 + struct tcp_fastopen_request *fastopen_req; 2.40 + /* fastopen_rsk points to request_sock that resulted in this big 2.41 +diff -Nurp linux-3.16/include/net/secure_seq.h linux-3.16-knock/include/net/secure_seq.h 2.42 +--- linux-3.16/include/net/secure_seq.h 2014-08-03 18:25:02.000000000 -0400 2.43 ++++ linux-3.16-knock/include/net/secure_seq.h 2014-08-19 05:52:22.389447048 -0400 2.44 +@@ -14,5 +14,10 @@ u64 secure_dccp_sequence_number(__be32 s 2.45 + __be16 sport, __be16 dport); 2.46 + u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr, 2.47 + __be16 sport, __be16 dport); 2.48 ++#ifdef CONFIG_TCP_STEALTH 2.49 ++u32 tcp_stealth_do_auth(struct sock *sk, struct sk_buff *skb); 2.50 ++u32 tcp_stealth_sequence_number(struct sock *sk, __be32 *daddr, 2.51 ++ u32 daddr_size, __be16 dport); 2.52 ++#endif 2.53 + 2.54 + #endif /* _NET_SECURE_SEQ */ 2.55 +diff -Nurp linux-3.16/include/net/tcp.h linux-3.16-knock/include/net/tcp.h 2.56 +--- linux-3.16/include/net/tcp.h 2014-08-03 18:25:02.000000000 -0400 2.57 ++++ linux-3.16-knock/include/net/tcp.h 2014-08-11 07:16:15.968418122 -0400 2.58 +@@ -442,6 +442,12 @@ void tcp_parse_options(const struct sk_b 2.59 + struct tcp_options_received *opt_rx, 2.60 + int estab, struct tcp_fastopen_cookie *foc); 2.61 + const u8 *tcp_parse_md5sig_option(const struct tcphdr *th); 2.62 ++#ifdef CONFIG_TCP_STEALTH 2.63 ++const bool tcp_parse_tsval_option(u32 *tsval, const struct tcphdr *th); 2.64 ++int tcp_stealth_integrity(u16 *hash, u8 *secret, u8 *payload, int len); 2.65 ++#define be32_isn_to_be16_av(x) (((__be16 *)&x)[0]) 2.66 ++#define be32_isn_to_be16_ih(x) (((__be16 *)&x)[1]) 2.67 ++#endif 2.68 + 2.69 + /* 2.70 + * TCP v4 functions exported for the inet6 API 2.71 +diff -Nurp linux-3.16/include/uapi/linux/tcp.h linux-3.16-knock/include/uapi/linux/tcp.h 2.72 +--- linux-3.16/include/uapi/linux/tcp.h 2014-08-03 18:25:02.000000000 -0400 2.73 ++++ linux-3.16-knock/include/uapi/linux/tcp.h 2014-08-11 07:16:15.968418122 -0400 2.74 +@@ -112,6 +112,9 @@ enum { 2.75 + #define TCP_FASTOPEN 23 /* Enable FastOpen on listeners */ 2.76 + #define TCP_TIMESTAMP 24 2.77 + #define TCP_NOTSENT_LOWAT 25 /* limit number of unsent bytes in write queue */ 2.78 ++#define TCP_STEALTH 26 2.79 ++#define TCP_STEALTH_INTEGRITY 27 2.80 ++#define TCP_STEALTH_INTEGRITY_LEN 28 2.81 + 2.82 + struct tcp_repair_opt { 2.83 + __u32 opt_code; 2.84 +diff -Nurp linux-3.16/net/core/secure_seq.c linux-3.16-knock/net/core/secure_seq.c 2.85 +--- linux-3.16/net/core/secure_seq.c 2014-08-03 18:25:02.000000000 -0400 2.86 ++++ linux-3.16-knock/net/core/secure_seq.c 2014-08-19 06:19:31.241519904 -0400 2.87 +@@ -8,7 +8,11 @@ 2.88 + #include <linux/ktime.h> 2.89 + #include <linux/string.h> 2.90 + #include <linux/net.h> 2.91 ++#include <linux/socket.h> 2.92 ++#include <linux/ip.h> 2.93 ++#include <linux/ipv6.h> 2.94 + 2.95 ++#include <net/tcp.h> 2.96 + #include <net/secure_seq.h> 2.97 + 2.98 + #if IS_ENABLED(CONFIG_IPV6) || IS_ENABLED(CONFIG_INET) 2.99 +@@ -39,6 +43,102 @@ static u32 seq_scale(u32 seq) 2.100 + } 2.101 + #endif 2.102 + 2.103 ++#ifdef CONFIG_TCP_STEALTH 2.104 ++u32 tcp_stealth_sequence_number(struct sock *sk, __be32 *daddr, 2.105 ++ u32 daddr_size, __be16 dport) 2.106 ++{ 2.107 ++ struct tcp_sock *tp = tcp_sk(sk); 2.108 ++ struct tcp_md5sig_key *md5; 2.109 ++ 2.110 ++ __u32 sec[MD5_MESSAGE_BYTES / sizeof(__u32)]; 2.111 ++ __u32 i; 2.112 ++ __u32 tsval = 0; 2.113 ++ 2.114 ++ __be32 iv[MD5_DIGEST_WORDS] = { 0 }; 2.115 ++ __be32 isn; 2.116 ++ 2.117 ++ memcpy(iv, (const __u8 *)daddr, 2.118 ++ (daddr_size > sizeof(iv)) ? sizeof(iv) : daddr_size); 2.119 ++ 2.120 ++#ifdef CONFIG_TCP_MD5SIG 2.121 ++ md5 = tp->af_specific->md5_lookup(sk, sk); 2.122 ++#else 2.123 ++ md5 = NULL; 2.124 ++#endif 2.125 ++ if (likely(sysctl_tcp_timestamps && !md5) || tp->stealth.saw_tsval) 2.126 ++ tsval = tp->stealth.tsval; 2.127 ++ 2.128 ++ ((__be16 *)iv)[2] ^= cpu_to_be16(tp->stealth.integrity_hash); 2.129 ++ iv[2] ^= cpu_to_be32(tsval); 2.130 ++ ((__be16 *)iv)[6] ^= dport; 2.131 ++ 2.132 ++ for (i = 0; i < MD5_DIGEST_WORDS; i++) 2.133 ++ iv[i] = le32_to_cpu(iv[i]); 2.134 ++ for (i = 0; i < MD5_MESSAGE_BYTES / sizeof(__le32); i++) 2.135 ++ sec[i] = le32_to_cpu(((__le32 *)tp->stealth.secret)[i]); 2.136 ++ 2.137 ++ md5_transform(iv, sec); 2.138 ++ 2.139 ++ isn = cpu_to_be32(iv[0]) ^ cpu_to_be32(iv[1]) ^ 2.140 ++ cpu_to_be32(iv[2]) ^ cpu_to_be32(iv[3]); 2.141 ++ 2.142 ++ if (tp->stealth.mode & TCP_STEALTH_MODE_INTEGRITY) 2.143 ++ be32_isn_to_be16_ih(isn) = 2.144 ++ cpu_to_be16(tp->stealth.integrity_hash); 2.145 ++ 2.146 ++ return be32_to_cpu(isn); 2.147 ++} 2.148 ++EXPORT_SYMBOL(tcp_stealth_sequence_number); 2.149 ++ 2.150 ++u32 tcp_stealth_do_auth(struct sock *sk, struct sk_buff *skb) 2.151 ++{ 2.152 ++ struct tcp_sock *tp = tcp_sk(sk); 2.153 ++ struct tcphdr *th = tcp_hdr(skb); 2.154 ++ __be32 isn = th->seq; 2.155 ++ __be32 hash; 2.156 ++ __be32 *daddr; 2.157 ++ u32 daddr_size; 2.158 ++ 2.159 ++ tp->stealth.saw_tsval = tcp_parse_tsval_option(&tp->stealth.tsval, th); 2.160 ++ 2.161 ++ if (tp->stealth.mode & TCP_STEALTH_MODE_INTEGRITY_LEN) 2.162 ++ tp->stealth.integrity_hash = 2.163 ++ be16_to_cpu(be32_isn_to_be16_ih(isn)); 2.164 ++ 2.165 ++ switch (tp->inet_conn.icsk_inet.sk.sk_family) { 2.166 ++#if IS_ENABLED(CONFIG_IPV6) 2.167 ++ case PF_INET6: 2.168 ++ daddr_size = sizeof(ipv6_hdr(skb)->daddr.s6_addr32); 2.169 ++ daddr = ipv6_hdr(skb)->daddr.s6_addr32; 2.170 ++ break; 2.171 ++#endif 2.172 ++ case PF_INET: 2.173 ++ daddr_size = sizeof(ip_hdr(skb)->daddr); 2.174 ++ daddr = &ip_hdr(skb)->daddr; 2.175 ++ break; 2.176 ++ default: 2.177 ++ pr_err("TCP Stealth: Unknown network layer protocol, stop!\n"); 2.178 ++ return 1; 2.179 ++ } 2.180 ++ 2.181 ++ hash = tcp_stealth_sequence_number(sk, daddr, daddr_size, th->dest); 2.182 ++ cpu_to_be32s(&hash); 2.183 ++ 2.184 ++ if (tp->stealth.mode & TCP_STEALTH_MODE_AUTH && 2.185 ++ tp->stealth.mode & TCP_STEALTH_MODE_INTEGRITY_LEN && 2.186 ++ be32_isn_to_be16_av(isn) == be32_isn_to_be16_av(hash)) 2.187 ++ return 0; 2.188 ++ 2.189 ++ if (tp->stealth.mode & TCP_STEALTH_MODE_AUTH && 2.190 ++ !(tp->stealth.mode & TCP_STEALTH_MODE_INTEGRITY_LEN) && 2.191 ++ isn == hash) 2.192 ++ return 0; 2.193 ++ 2.194 ++ return 1; 2.195 ++} 2.196 ++EXPORT_SYMBOL(tcp_stealth_do_auth); 2.197 ++#endif 2.198 ++ 2.199 + #if IS_ENABLED(CONFIG_IPV6) 2.200 + __u32 secure_tcpv6_sequence_number(const __be32 *saddr, const __be32 *daddr, 2.201 + __be16 sport, __be16 dport) 2.202 +diff -Nurp linux-3.16/net/ipv4/Kconfig linux-3.16-knock/net/ipv4/Kconfig 2.203 +--- linux-3.16/net/ipv4/Kconfig 2014-08-03 18:25:02.000000000 -0400 2.204 ++++ linux-3.16-knock/net/ipv4/Kconfig 2014-08-11 07:16:15.968418122 -0400 2.205 +@@ -618,3 +618,13 @@ config TCP_MD5SIG 2.206 + on the Internet. 2.207 + 2.208 + If unsure, say N. 2.209 ++ 2.210 ++config TCP_STEALTH 2.211 ++ bool "TCP: Stealth TCP socket support" 2.212 ++ default n 2.213 ++ ---help--- 2.214 ++ This option enables support for stealth TCP sockets. If you do not 2.215 ++ know what this means, you do not need it. 2.216 ++ 2.217 ++ If unsure, say N. 2.218 ++ 2.219 +diff -Nurp linux-3.16/net/ipv4/tcp.c linux-3.16-knock/net/ipv4/tcp.c 2.220 +--- linux-3.16/net/ipv4/tcp.c 2014-08-03 18:25:02.000000000 -0400 2.221 ++++ linux-3.16-knock/net/ipv4/tcp.c 2014-08-19 06:17:19.497514011 -0400 2.222 +@@ -2443,6 +2443,43 @@ static int tcp_repair_options_est(struct 2.223 + return 0; 2.224 + } 2.225 + 2.226 ++#ifdef CONFIG_TCP_STEALTH 2.227 ++int tcp_stealth_integrity(__be16 *hash, u8 *secret, u8 *payload, int len) 2.228 ++{ 2.229 ++ struct scatterlist sg[2]; 2.230 ++ struct crypto_hash *tfm; 2.231 ++ struct hash_desc desc; 2.232 ++ __be16 h[MD5_DIGEST_WORDS * 2]; 2.233 ++ int i; 2.234 ++ int err = 0; 2.235 ++ 2.236 ++ tfm = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC); 2.237 ++ if (IS_ERR(tfm)) { 2.238 ++ err = -PTR_ERR(tfm); 2.239 ++ goto out; 2.240 ++ } 2.241 ++ desc.tfm = tfm; 2.242 ++ desc.flags = 0; 2.243 ++ 2.244 ++ sg_init_table(sg, 2); 2.245 ++ sg_set_buf(&sg[0], secret, MD5_MESSAGE_BYTES); 2.246 ++ sg_set_buf(&sg[1], payload, len); 2.247 ++ 2.248 ++ if (crypto_hash_digest(&desc, sg, MD5_MESSAGE_BYTES + len, (u8 *)h)) { 2.249 ++ err = -EFAULT; 2.250 ++ goto out; 2.251 ++ } 2.252 ++ 2.253 ++ *hash = be16_to_cpu(h[0]); 2.254 ++ for (i = 1; i < MD5_DIGEST_WORDS * 2; i++) 2.255 ++ *hash ^= be16_to_cpu(h[i]); 2.256 ++ 2.257 ++out: 2.258 ++ crypto_free_hash(tfm); 2.259 ++ return err; 2.260 ++} 2.261 ++#endif 2.262 ++ 2.263 + /* 2.264 + * Socket option code for TCP. 2.265 + */ 2.266 +@@ -2473,6 +2510,67 @@ static int do_tcp_setsockopt(struct sock 2.267 + release_sock(sk); 2.268 + return err; 2.269 + } 2.270 ++#ifdef CONFIG_TCP_STEALTH 2.271 ++ case TCP_STEALTH: { 2.272 ++ u8 secret[MD5_MESSAGE_BYTES]; 2.273 ++ 2.274 ++ if (optlen < MD5_MESSAGE_BYTES) 2.275 ++ return -EINVAL; 2.276 ++ 2.277 ++ val = copy_from_user(secret, optval, MD5_MESSAGE_BYTES); 2.278 ++ if (val != 0) 2.279 ++ return -EFAULT; 2.280 ++ 2.281 ++ lock_sock(sk); 2.282 ++ memcpy(tp->stealth.secret, secret, MD5_MESSAGE_BYTES); 2.283 ++ tp->stealth.mode = TCP_STEALTH_MODE_AUTH; 2.284 ++ tp->stealth.tsval = 0; 2.285 ++ tp->stealth.saw_tsval = false; 2.286 ++ release_sock(sk); 2.287 ++ return err; 2.288 ++ } 2.289 ++ case TCP_STEALTH_INTEGRITY: { 2.290 ++ u8 *payload; 2.291 ++ 2.292 ++ lock_sock(sk); 2.293 ++ 2.294 ++ if (!(tp->stealth.mode & TCP_STEALTH_MODE_AUTH)) { 2.295 ++ err = -EOPNOTSUPP; 2.296 ++ goto stealth_integrity_out_1; 2.297 ++ } 2.298 ++ 2.299 ++ if (optlen < 1 || optlen > USHRT_MAX) { 2.300 ++ err = -EINVAL; 2.301 ++ goto stealth_integrity_out_1; 2.302 ++ } 2.303 ++ 2.304 ++ payload = vmalloc(optlen); 2.305 ++ if (!payload) { 2.306 ++ err = -ENOMEM; 2.307 ++ goto stealth_integrity_out_1; 2.308 ++ } 2.309 ++ 2.310 ++ val = copy_from_user(payload, optval, optlen); 2.311 ++ if (val != 0) { 2.312 ++ err = -EFAULT; 2.313 ++ goto stealth_integrity_out_2; 2.314 ++ } 2.315 ++ 2.316 ++ err = tcp_stealth_integrity(&tp->stealth.integrity_hash, 2.317 ++ tp->stealth.secret, payload, 2.318 ++ optlen); 2.319 ++ if (err) 2.320 ++ goto stealth_integrity_out_2; 2.321 ++ 2.322 ++ tp->stealth.mode |= TCP_STEALTH_MODE_INTEGRITY; 2.323 ++ 2.324 ++stealth_integrity_out_2: 2.325 ++ vfree(payload); 2.326 ++stealth_integrity_out_1: 2.327 ++ release_sock(sk); 2.328 ++ return err; 2.329 ++ } 2.330 ++#endif 2.331 + default: 2.332 + /* fallthru */ 2.333 + break; 2.334 +@@ -2717,6 +2815,18 @@ static int do_tcp_setsockopt(struct sock 2.335 + tp->notsent_lowat = val; 2.336 + sk->sk_write_space(sk); 2.337 + break; 2.338 ++#ifdef CONFIG_TCP_STEALTH 2.339 ++ case TCP_STEALTH_INTEGRITY_LEN: 2.340 ++ if (!(tp->stealth.mode & TCP_STEALTH_MODE_AUTH)) { 2.341 ++ err = -EOPNOTSUPP; 2.342 ++ } else if (val < 1 || val > USHRT_MAX) { 2.343 ++ err = -EINVAL; 2.344 ++ } else { 2.345 ++ tp->stealth.integrity_len = val; 2.346 ++ tp->stealth.mode |= TCP_STEALTH_MODE_INTEGRITY_LEN; 2.347 ++ } 2.348 ++ break; 2.349 ++#endif 2.350 + default: 2.351 + err = -ENOPROTOOPT; 2.352 + break; 2.353 +diff -Nurp linux-3.16/net/ipv4/tcp_input.c linux-3.16-knock/net/ipv4/tcp_input.c 2.354 +--- linux-3.16/net/ipv4/tcp_input.c 2014-08-03 18:25:02.000000000 -0400 2.355 ++++ linux-3.16-knock/net/ipv4/tcp_input.c 2014-08-18 13:08:23.956054243 -0400 2.356 +@@ -76,6 +76,9 @@ 2.357 + #include <net/netdma.h> 2.358 + 2.359 + int sysctl_tcp_timestamps __read_mostly = 1; 2.360 ++#ifdef CONFIG_TCP_STEALTH 2.361 ++EXPORT_SYMBOL(sysctl_tcp_timestamps); 2.362 ++#endif 2.363 + int sysctl_tcp_window_scaling __read_mostly = 1; 2.364 + int sysctl_tcp_sack __read_mostly = 1; 2.365 + int sysctl_tcp_fack __read_mostly = 1; 2.366 +@@ -3666,6 +3669,47 @@ static bool tcp_fast_parse_options(const 2.367 + return true; 2.368 + } 2.369 + 2.370 ++#ifdef CONFIG_TCP_STEALTH 2.371 ++/* Parse only the TSVal field of the TCP Timestamp option header. 2.372 ++ */ 2.373 ++const bool tcp_parse_tsval_option(u32 *tsval, const struct tcphdr *th) 2.374 ++{ 2.375 ++ int length = (th->doff << 2) - sizeof(*th); 2.376 ++ const u8 *ptr = (const u8 *)(th + 1); 2.377 ++ 2.378 ++ /* If the TCP option is too short, we can short cut */ 2.379 ++ if (length < TCPOLEN_TIMESTAMP) 2.380 ++ return false; 2.381 ++ 2.382 ++ while (length > 0) { 2.383 ++ int opcode = *ptr++; 2.384 ++ int opsize; 2.385 ++ 2.386 ++ switch (opcode) { 2.387 ++ case TCPOPT_EOL: 2.388 ++ return false; 2.389 ++ case TCPOPT_NOP: 2.390 ++ length--; 2.391 ++ continue; 2.392 ++ case TCPOPT_TIMESTAMP: 2.393 ++ opsize = *ptr++; 2.394 ++ if (opsize != TCPOLEN_TIMESTAMP || opsize > length) 2.395 ++ return false; 2.396 ++ *tsval = get_unaligned_be32(ptr); 2.397 ++ return true; 2.398 ++ default: 2.399 ++ opsize = *ptr++; 2.400 ++ if (opsize < 2 || opsize > length) 2.401 ++ return false; 2.402 ++ } 2.403 ++ ptr += opsize - 2; 2.404 ++ length -= opsize; 2.405 ++ } 2.406 ++ return false; 2.407 ++} 2.408 ++EXPORT_SYMBOL(tcp_parse_tsval_option); 2.409 ++#endif 2.410 ++ 2.411 + #ifdef CONFIG_TCP_MD5SIG 2.412 + /* 2.413 + * Parse MD5 Signature option 2.414 +@@ -4337,6 +4381,31 @@ err: 2.415 + return -ENOMEM; 2.416 + } 2.417 + 2.418 ++#ifdef CONFIG_TCP_STEALTH 2.419 ++static int __tcp_stealth_integrity_check(struct sock *sk, struct sk_buff *skb) 2.420 ++{ 2.421 ++ struct tcphdr *th = tcp_hdr(skb); 2.422 ++ struct tcp_sock *tp = tcp_sk(sk); 2.423 ++ u16 hash; 2.424 ++ __be32 seq = cpu_to_be32(TCP_SKB_CB(skb)->seq - 1); 2.425 ++ char *data = skb->data + th->doff * 4; 2.426 ++ int len = skb->len - th->doff * 4; 2.427 ++ 2.428 ++ if (len < tp->stealth.integrity_len) 2.429 ++ return 1; 2.430 ++ 2.431 ++ if (tcp_stealth_integrity(&hash, tp->stealth.secret, data, 2.432 ++ tp->stealth.integrity_len)) 2.433 ++ return 1; 2.434 ++ 2.435 ++ if (be32_isn_to_be16_ih(seq) != cpu_to_be16(hash)) 2.436 ++ return 1; 2.437 ++ 2.438 ++ tp->stealth.mode &= ~TCP_STEALTH_MODE_INTEGRITY_LEN; 2.439 ++ return 0; 2.440 ++} 2.441 ++#endif 2.442 ++ 2.443 + static void tcp_data_queue(struct sock *sk, struct sk_buff *skb) 2.444 + { 2.445 + const struct tcphdr *th = tcp_hdr(skb); 2.446 +@@ -4347,6 +4416,14 @@ static void tcp_data_queue(struct sock * 2.447 + if (TCP_SKB_CB(skb)->seq == TCP_SKB_CB(skb)->end_seq) 2.448 + goto drop; 2.449 + 2.450 ++#ifdef CONFIG_TCP_STEALTH 2.451 ++ if (unlikely(tp->stealth.mode & TCP_STEALTH_MODE_INTEGRITY_LEN) && 2.452 ++ __tcp_stealth_integrity_check(sk, skb)) { 2.453 ++ tcp_reset(sk); 2.454 ++ goto drop; 2.455 ++ } 2.456 ++#endif 2.457 ++ 2.458 + skb_dst_drop(skb); 2.459 + __skb_pull(skb, th->doff * 4); 2.460 + 2.461 +@@ -5171,6 +5248,15 @@ void tcp_rcv_established(struct sock *sk 2.462 + int copied_early = 0; 2.463 + bool fragstolen = false; 2.464 + 2.465 ++#ifdef CONFIG_TCP_STEALTH 2.466 ++ if (unlikely(tp->stealth.mode & 2.467 ++ TCP_STEALTH_MODE_INTEGRITY_LEN) && 2.468 ++ __tcp_stealth_integrity_check(sk, skb)) { 2.469 ++ tcp_reset(sk); 2.470 ++ goto discard; 2.471 ++ } 2.472 ++#endif 2.473 ++ 2.474 + if (tp->copied_seq == tp->rcv_nxt && 2.475 + len - tcp_header_len <= tp->ucopy.len) { 2.476 + #ifdef CONFIG_NET_DMA 2.477 +diff -Nurp linux-3.16/net/ipv4/tcp_ipv4.c linux-3.16-knock/net/ipv4/tcp_ipv4.c 2.478 +--- linux-3.16/net/ipv4/tcp_ipv4.c 2014-08-03 18:25:02.000000000 -0400 2.479 ++++ linux-3.16-knock/net/ipv4/tcp_ipv4.c 2014-08-19 05:50:27.217441897 -0400 2.480 +@@ -76,6 +76,7 @@ 2.481 + #include <net/secure_seq.h> 2.482 + #include <net/tcp_memcontrol.h> 2.483 + #include <net/busy_poll.h> 2.484 ++#include <net/secure_seq.h> 2.485 + 2.486 + #include <linux/inet.h> 2.487 + #include <linux/ipv6.h> 2.488 +@@ -235,6 +236,21 @@ int tcp_v4_connect(struct sock *sk, stru 2.489 + sk->sk_gso_type = SKB_GSO_TCPV4; 2.490 + sk_setup_caps(sk, &rt->dst); 2.491 + 2.492 ++#ifdef CONFIG_TCP_STEALTH 2.493 ++ /* If CONFIG_TCP_STEALTH is defined, we need to know the timestamp as 2.494 ++ * early as possible and thus move taking the snapshot of tcp_time_stamp 2.495 ++ * here. 2.496 ++ */ 2.497 ++ tp->stealth.tsval = tcp_time_stamp; 2.498 ++ 2.499 ++ if (!tp->write_seq && likely(!tp->repair) && 2.500 ++ unlikely(tp->stealth.mode & TCP_STEALTH_MODE_AUTH)) 2.501 ++ tp->write_seq = tcp_stealth_sequence_number(sk, 2.502 ++ &inet->inet_daddr, 2.503 ++ sizeof(inet->inet_daddr), 2.504 ++ usin->sin_port); 2.505 ++#endif 2.506 ++ 2.507 + if (!tp->write_seq && likely(!tp->repair)) 2.508 + tp->write_seq = secure_tcp_sequence_number(inet->inet_saddr, 2.509 + inet->inet_daddr, 2.510 +@@ -1546,6 +1562,8 @@ static struct sock *tcp_v4_hnd_req(struc 2.511 + */ 2.512 + int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb) 2.513 + { 2.514 ++ struct tcp_sock *tp = tcp_sk(sk); 2.515 ++ struct tcphdr *th = tcp_hdr(skb); 2.516 + struct sock *rsk; 2.517 + #ifdef CONFIG_TCP_MD5SIG 2.518 + /* 2.519 +@@ -1576,6 +1594,15 @@ int tcp_v4_do_rcv(struct sock *sk, struc 2.520 + if (skb->len < tcp_hdrlen(skb) || tcp_checksum_complete(skb)) 2.521 + goto csum_err; 2.522 + 2.523 ++#ifdef CONFIG_TCP_STEALTH 2.524 ++ if (sk->sk_state == TCP_LISTEN && th->syn && !th->fin && 2.525 ++ unlikely(tp->stealth.mode & TCP_STEALTH_MODE_AUTH) && 2.526 ++ tcp_stealth_do_auth(sk, skb)) { 2.527 ++ rsk = sk; 2.528 ++ goto reset; 2.529 ++ } 2.530 ++#endif 2.531 ++ 2.532 + if (sk->sk_state == TCP_LISTEN) { 2.533 + struct sock *nsk = tcp_v4_hnd_req(sk, skb); 2.534 + if (!nsk) 2.535 +diff -Nurp linux-3.16/net/ipv4/tcp_output.c linux-3.16-knock/net/ipv4/tcp_output.c 2.536 +--- linux-3.16/net/ipv4/tcp_output.c 2014-08-03 18:25:02.000000000 -0400 2.537 ++++ linux-3.16-knock/net/ipv4/tcp_output.c 2014-08-11 07:29:32.776405670 -0400 2.538 +@@ -2486,10 +2486,22 @@ int __tcp_retransmit_skb(struct sock *sk 2.539 + 2.540 + tcp_retrans_try_collapse(sk, skb, cur_mss); 2.541 + 2.542 ++#ifdef CONFIG_TCP_STEALTH 2.543 ++ if (unlikely(TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN && 2.544 ++ tp->stealth.mode & TCP_STEALTH_MODE_AUTH)) { 2.545 ++ /* If TCP stealth is active, reuse the timestamp from the first 2.546 ++ * SYN. 2.547 ++ */ 2.548 ++ TCP_SKB_CB(skb)->when = tp->stealth.tsval; 2.549 ++ } else { 2.550 ++ TCP_SKB_CB(skb)->when = tcp_time_stamp; 2.551 ++ } 2.552 ++#else 2.553 + /* Make a copy, if the first transmission SKB clone we made 2.554 + * is still in somebody's hands, else make a clone. 2.555 + */ 2.556 + TCP_SKB_CB(skb)->when = tcp_time_stamp; 2.557 ++#endif 2.558 + 2.559 + /* make sure skb->data is aligned on arches that require it 2.560 + * and check if ack-trimming & collapsing extended the headroom 2.561 +@@ -3094,7 +3106,15 @@ int tcp_connect(struct sock *sk) 2.562 + return -ENOBUFS; 2.563 + 2.564 + tcp_init_nondata_skb(buff, tp->write_seq++, TCPHDR_SYN); 2.565 ++#ifdef CONFIG_TCP_STEALTH 2.566 ++ /* The timetamp was already set at the time the ISN was generated 2.567 ++ * as we need to know its value in the stealth_tcp_sequence_number() 2.568 ++ * function. 2.569 ++ */ 2.570 ++ tp->retrans_stamp = TCP_SKB_CB(buff)->when = tp->stealth.tsval; 2.571 ++#else 2.572 + tp->retrans_stamp = TCP_SKB_CB(buff)->when = tcp_time_stamp; 2.573 ++#endif 2.574 + tcp_connect_queue_skb(sk, buff); 2.575 + TCP_ECN_send_syn(sk, buff); 2.576 + 2.577 +diff -Nurp linux-3.16/net/ipv6/tcp_ipv6.c linux-3.16-knock/net/ipv6/tcp_ipv6.c 2.578 +--- linux-3.16/net/ipv6/tcp_ipv6.c 2014-08-03 18:25:02.000000000 -0400 2.579 ++++ linux-3.16-knock/net/ipv6/tcp_ipv6.c 2014-08-19 06:24:12.497532484 -0400 2.580 +@@ -64,6 +64,7 @@ 2.581 + #include <net/secure_seq.h> 2.582 + #include <net/tcp_memcontrol.h> 2.583 + #include <net/busy_poll.h> 2.584 ++#include <net/secure_seq.h> 2.585 + 2.586 + #include <linux/proc_fs.h> 2.587 + #include <linux/seq_file.h> 2.588 +@@ -294,6 +295,21 @@ static int tcp_v6_connect(struct sock *s 2.589 + if (err) 2.590 + goto late_failure; 2.591 + 2.592 ++#ifdef CONFIG_TCP_STEALTH 2.593 ++ /* If CONFIG_TCP_STEALTH is defined, we need to know the timestamp as 2.594 ++ * early as possible and thus move taking the snapshot of tcp_time_stamp 2.595 ++ * here. 2.596 ++ */ 2.597 ++ tp->stealth.tsval = tcp_time_stamp; 2.598 ++ 2.599 ++ if (!tp->write_seq && likely(!tp->repair) && 2.600 ++ unlikely(tp->stealth.mode & TCP_STEALTH_MODE_AUTH)) 2.601 ++ tp->write_seq = tcp_stealth_sequence_number(sk, 2.602 ++ sk->sk_v6_daddr.s6_addr32, 2.603 ++ sizeof(sk->sk_v6_daddr), 2.604 ++ inet->inet_dport); 2.605 ++#endif 2.606 ++ 2.607 + if (!tp->write_seq && likely(!tp->repair)) 2.608 + tp->write_seq = secure_tcpv6_sequence_number(np->saddr.s6_addr32, 2.609 + sk->sk_v6_daddr.s6_addr32, 2.610 +@@ -1343,7 +1359,8 @@ out: 2.611 + static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) 2.612 + { 2.613 + struct ipv6_pinfo *np = inet6_sk(sk); 2.614 +- struct tcp_sock *tp; 2.615 ++ struct tcp_sock *tp = tcp_sk(sk); 2.616 ++ struct tcphdr *th = tcp_hdr(skb); 2.617 + struct sk_buff *opt_skb = NULL; 2.618 + 2.619 + /* Imagine: socket is IPv6. IPv4 packet arrives, 2.620 +@@ -1407,6 +1424,13 @@ static int tcp_v6_do_rcv(struct sock *sk 2.621 + if (skb->len < tcp_hdrlen(skb) || tcp_checksum_complete(skb)) 2.622 + goto csum_err; 2.623 + 2.624 ++#ifdef CONFIG_TCP_STEALTH 2.625 ++ if (sk->sk_state == TCP_LISTEN && th->syn && !th->fin && 2.626 ++ tp->stealth.mode & TCP_STEALTH_MODE_AUTH && 2.627 ++ tcp_stealth_do_auth(sk, skb)) 2.628 ++ goto reset; 2.629 ++#endif 2.630 ++ 2.631 + if (sk->sk_state == TCP_LISTEN) { 2.632 + struct sock *nsk = tcp_v6_hnd_req(sk, skb); 2.633 + if (!nsk)
3.1 --- a/openssh-pam/receipt Thu May 17 10:47:21 2018 +0200 3.2 +++ b/openssh-pam/receipt Fri May 18 13:47:33 2018 +0200 3.3 @@ -21,6 +21,7 @@ 3.4 # Rules to configure and make the package. 3.5 compile_rules() 3.6 { 3.7 + patch -p1 < ../$SOURCE/stuff/knock.u 3.8 unset LD # for cross compiling with --disable-strip 3.9 ./configure \ 3.10 --prefix=/usr \
4.1 --- a/openssh/receipt Thu May 17 10:47:21 2018 +0200 4.2 +++ b/openssh/receipt Fri May 18 13:47:33 2018 +0200 4.3 @@ -21,6 +21,7 @@ 4.4 # Rules to configure and make the package. 4.5 compile_rules() 4.6 { 4.7 + patch -p1 < $stuff/knock.u 4.8 unset LD # for cross compiling with --disable-strip 4.9 ./configure \ 4.10 --prefix=/usr \
5.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 5.2 +++ b/openssh/stuff/knock.u Fri May 18 13:47:33 2018 +0200 5.3 @@ -0,0 +1,504 @@ 5.4 +From https://gnunet.org/knock : 5.5 +https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff 5.6 +--- a/readconf.c 5.7 ++++ b/readconf.c 5.8 +@@ -172,6 +172,9 @@ 5.9 + oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, 5.10 + oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, 5.11 + oPubkeyAcceptedKeyTypes, oProxyJump, 5.12 ++#ifdef TCP_STEALTH 5.13 ++ oTCPStealthSecret, 5.14 ++#endif 5.15 + oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported 5.16 + } OpCodes; 5.17 + 5.18 +@@ -305,6 +308,9 @@ 5.19 + { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, 5.20 + { "ignoreunknown", oIgnoreUnknown }, 5.21 + { "proxyjump", oProxyJump }, 5.22 ++#ifdef TCP_STEALTH 5.23 ++ { "tcpstealthsecret", oTCPStealthSecret }, 5.24 ++#endif 5.25 + 5.26 + { NULL, oBadOption } 5.27 + }; 5.28 +@@ -1669,6 +1675,23 @@ 5.29 + charptr = &options->identity_agent; 5.30 + goto parse_string; 5.31 + 5.32 ++#ifdef TCP_STEALTH 5.33 ++ case oTCPStealthSecret: 5.34 ++ charptr = &options->tcp_stealth_secret; 5.35 ++ 5.36 ++ arg = strdelim(&s); 5.37 ++ if (!arg || *arg == '\0') 5.38 ++ fatal("%.200s line %d: Missing argument.", 5.39 ++ filename, linenum); 5.40 ++ 5.41 ++ if (*activep && *charptr == NULL) { 5.42 ++ *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1); 5.43 ++ memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1); 5.44 ++ strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE); 5.45 ++ } 5.46 ++ 5.47 ++ break; 5.48 ++#endif 5.49 + case oDeprecated: 5.50 + debug("%s line %d: Deprecated option \"%s\"", 5.51 + filename, linenum, keyword); 5.52 +@@ -1869,6 +1892,9 @@ 5.53 + options->update_hostkeys = -1; 5.54 + options->hostbased_key_types = NULL; 5.55 + options->pubkey_key_types = NULL; 5.56 ++#ifdef TCP_STEALTH 5.57 ++ options->tcp_stealth_secret = NULL; 5.58 ++#endif 5.59 + } 5.60 + 5.61 + /* 5.62 +--- a/readconf.h 5.63 ++++ b/readconf.h 5.64 +@@ -164,6 +164,10 @@ 5.65 + char *jump_extra; 5.66 + 5.67 + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ 5.68 ++ 5.69 ++#ifdef TCP_STEALTH 5.70 ++ char *tcp_stealth_secret; 5.71 ++#endif 5.72 + } Options; 5.73 + 5.74 + #define SSH_CANONICALISE_NO 0 5.75 +--- a/servconf.c 5.76 ++++ b/servconf.c 5.77 +@@ -165,6 +165,9 @@ 5.78 + options->fingerprint_hash = -1; 5.79 + options->disable_forwarding = -1; 5.80 + options->expose_userauth_info = -1; 5.81 ++#ifdef TCP_STEALTH 5.82 ++ options->tcp_stealth_secret = NULL; 5.83 ++#endif 5.84 + } 5.85 + 5.86 + /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 5.87 +@@ -422,6 +425,9 @@ 5.88 + sStreamLocalBindMask, sStreamLocalBindUnlink, 5.89 + sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, 5.90 + sExposeAuthInfo, 5.91 ++#ifdef TCP_STEALTH 5.92 ++ sTCPStealthSecret, 5.93 ++#endif 5.94 + sDeprecated, sIgnore, sUnsupported 5.95 + } ServerOpCodes; 5.96 + 5.97 +@@ -566,6 +572,9 @@ 5.98 + { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 5.99 + { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, 5.100 + { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, 5.101 ++#ifdef TCP_STEALTH 5.102 ++ { "tcpstealthsecret", sTCPStealthSecret }, 5.103 ++#endif 5.104 + { NULL, sBadOption, 0 } 5.105 + }; 5.106 + 5.107 +@@ -1883,6 +1892,23 @@ 5.108 + intptr = &options->expose_userauth_info; 5.109 + goto parse_flag; 5.110 + 5.111 ++#ifdef TCP_STEALTH 5.112 ++ case sTCPStealthSecret: 5.113 ++ charptr = &options->tcp_stealth_secret; 5.114 ++ 5.115 ++ arg = strdelim(&cp); 5.116 ++ if (!arg || *arg == '\0') 5.117 ++ fatal("%s line %d: Missing argument.", 5.118 ++ filename, linenum); 5.119 ++ 5.120 ++ if (*activep && *charptr == NULL) { 5.121 ++ *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1); 5.122 ++ memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1); 5.123 ++ strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE); 5.124 ++ } 5.125 ++ 5.126 ++ break; 5.127 ++#endif 5.128 + case sDeprecated: 5.129 + case sIgnore: 5.130 + case sUnsupported: 5.131 +--- a/servconf.h 5.132 ++++ b/servconf.h 5.133 +@@ -198,6 +198,10 @@ 5.134 + 5.135 + int fingerprint_hash; 5.136 + int expose_userauth_info; 5.137 ++ 5.138 ++#ifdef TCP_STEALTH 5.139 ++ char *tcp_stealth_secret; 5.140 ++#endif 5.141 + } ServerOptions; 5.142 + 5.143 + /* Information about the incoming connection as used by Match */ 5.144 +@@ -219,6 +223,11 @@ 5.145 + * NB. an option must appear in servconf.c:copy_set_server_options() or 5.146 + * COPY_MATCH_STRING_OPTS here but never both. 5.147 + */ 5.148 ++#ifdef TCP_STEALTH 5.149 ++#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X); 5.150 ++#else 5.151 ++#define M_CP_STEALTHSCRT(X) 5.152 ++#endif 5.153 + #define COPY_MATCH_STRING_OPTS() do { \ 5.154 + M_CP_STROPT(banner); \ 5.155 + M_CP_STROPT(trusted_user_ca_keys); \ 5.156 +@@ -238,6 +247,7 @@ 5.157 + M_CP_STRARRAYOPT(accept_env, num_accept_env); \ 5.158 + M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \ 5.159 + M_CP_STRARRAYOPT_ALLOC(permitted_opens, num_permitted_opens); \ 5.160 ++ M_CP_STEALTHSCRT(tcp_stealth_secret); \ 5.161 + } while (0) 5.162 + 5.163 + struct connection_info *get_connection_info(int, int); 5.164 +--- a/ssh.c 5.165 ++++ b/ssh.c 5.166 +@@ -191,6 +191,14 @@ 5.167 + extern int muxserver_sock; 5.168 + extern u_int muxclient_command; 5.169 + 5.170 ++#ifdef TCP_STEALTH 5.171 ++#define OPT_STEALTH "[-z tcp_stealth_secret] " 5.172 ++#define GETOPT_STEALTH "z:" 5.173 ++#else 5.174 ++#define OPT_STEALTH "" 5.175 ++#define GETOPT_STEALTH "" 5.176 ++#endif 5.177 ++ 5.178 + /* Prints a help message to the user. This function never returns. */ 5.179 + 5.180 + static void 5.181 +@@ -203,7 +211,7 @@ 5.182 + " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n" 5.183 + " [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]\n" 5.184 + " [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]\n" 5.185 +-" [user@]hostname [command]\n" 5.186 ++" " OPT_STEALTH "[user@]hostname [command]\n" 5.187 + ); 5.188 + exit(255); 5.189 + } 5.190 +@@ -612,7 +620,7 @@ 5.191 + 5.192 + again: 5.193 + while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" 5.194 +- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { 5.195 ++ "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) { 5.196 + switch (opt) { 5.197 + case '1': 5.198 + fatal("SSH protocol v.1 is no longer supported"); 5.199 +@@ -921,6 +929,14 @@ 5.200 + case 'F': 5.201 + config = optarg; 5.202 + break; 5.203 ++#ifdef TCP_STEALTH 5.204 ++ case 'z': 5.205 ++ options.tcp_stealth_secret = 5.206 ++ xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t)); 5.207 ++ strncpy(options.tcp_stealth_secret, optarg, 5.208 ++ TCP_STEALTH_SECRET_SIZE); 5.209 ++ break; 5.210 ++#endif 5.211 + default: 5.212 + usage(); 5.213 + } 5.214 +--- a/sshd.c 5.215 ++++ b/sshd.c 5.216 +@@ -896,6 +896,14 @@ 5.217 + return (r < p) ? 1 : 0; 5.218 + } 5.219 + 5.220 ++#ifdef TCP_STEALTH 5.221 ++#define OPT_STEALTH " [-z tcp_stealth_secret]" 5.222 ++#define GETOPT_STEALTH "z:" 5.223 ++#else 5.224 ++#define OPT_STEALTH "" 5.225 ++#define GETOPT_STEALTH "" 5.226 ++#endif 5.227 ++ 5.228 + static void 5.229 + usage(void) 5.230 + { 5.231 +@@ -911,6 +919,7 @@ 5.232 + "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n" 5.233 + " [-E log_file] [-f config_file] [-g login_grace_time]\n" 5.234 + " [-h host_key_file] [-o option] [-p port] [-u len]\n" 5.235 ++" " OPT_STEALTH "\n" 5.236 + ); 5.237 + exit(1); 5.238 + } 5.239 +@@ -1057,6 +1066,15 @@ 5.240 + if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, 5.241 + &on, sizeof(on)) == -1) 5.242 + error("setsockopt SO_REUSEADDR: %s", strerror(errno)); 5.243 ++#ifdef TCP_STEALTH 5.244 ++ if (options.tcp_stealth_secret != NULL) { 5.245 ++ if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH, 5.246 ++ options.tcp_stealth_secret, 5.247 ++ TCP_STEALTH_SECRET_SIZE) == -1) 5.248 ++ error("setsockopt TCP_STEALTH: %s", 5.249 ++ strerror(errno)); 5.250 ++ } 5.251 ++#endif 5.252 + 5.253 + /* Only communicate in IPv6 over AF_INET6 sockets. */ 5.254 + if (ai->ai_family == AF_INET6) 5.255 +@@ -1404,7 +1422,7 @@ 5.256 + 5.257 + /* Parse command-line arguments. */ 5.258 + while ((opt = getopt(ac, av, 5.259 +- "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) { 5.260 ++ GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) { 5.261 + switch (opt) { 5.262 + case '4': 5.263 + options.address_family = AF_INET; 5.264 +@@ -1512,6 +1530,14 @@ 5.265 + exit(1); 5.266 + free(line); 5.267 + break; 5.268 ++#ifdef TCP_STEALTH 5.269 ++ case 'z': 5.270 ++ options.tcp_stealth_secret = 5.271 ++ xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t)); 5.272 ++ strncpy(options.tcp_stealth_secret, optarg, 5.273 ++ TCP_STEALTH_SECRET_SIZE); 5.274 ++ break; 5.275 ++#endif 5.276 + case '?': 5.277 + default: 5.278 + usage(); 5.279 +--- a/ssh_config.5 5.280 ++++ b/ssh_config.5 5.281 +@@ -1509,6 +1509,15 @@ 5.282 + .Pp 5.283 + To disable TCP keepalive messages, the value should be set to 5.284 + .Cm no . 5.285 ++.It Cm TCPStealthSecret 5.286 ++Specifies the shared secret which is needed to connect to a stealth SSH TCP 5.287 ++Server. Any string specified will be truncated to or padded with zeroes to 64 5.288 ++bytes. This option needs kernel support and is therefore only available if the 5.289 ++required 5.290 ++.Xr setsockopt 2 5.291 ++call is available. 5.292 ++.Pp 5.293 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. 5.294 + .It Cm Tunnel 5.295 + Request 5.296 + .Xr tun 4 5.297 +--- a/sshd_config.5 5.298 ++++ b/sshd_config.5 5.299 +@@ -1444,6 +1444,18 @@ 5.300 + .Pp 5.301 + To disable TCP keepalive messages, the value should be set to 5.302 + .Cm no . 5.303 ++.It Cm TCPStealthSecret 5.304 ++Turns this SSH server into a stealth SSH TCP server. This configuration option 5.305 ++specifies the shared secret needed by the clients in order to be able to connect 5.306 ++to the port the SSH server is listening on. This means that port scanners will 5.307 ++receive a TCP RST and thus will not recognize this TCP port being open. Any 5.308 ++string specified will be truncated or padded with zeroes to 64 bytes. This 5.309 ++option needs kernel support and is therefore only available if the required 5.310 ++.Xr setsockopt 2 5.311 ++call is available. 5.312 ++.Pp 5.313 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. 5.314 ++ 5.315 + .It Cm TrustedUserCAKeys 5.316 + Specifies a file containing public keys of certificate authorities that are 5.317 + trusted to sign user certificates for authentication, or 5.318 +--- a/sshd.0 5.319 ++++ b/sshd.0 5.320 +@@ -7,6 +7,7 @@ 5.321 + sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file] 5.322 + [-E log_file] [-f config_file] [-g login_grace_time] 5.323 + [-h host_key_file] [-o option] [-p port] [-u len] 5.324 ++ [-z tcp_stealth_secret] 5.325 + 5.326 + DESCRIPTION 5.327 + sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these 5.328 +@@ -121,6 +122,20 @@ 5.329 + from="pattern-list" option in a key file. Configuration options 5.330 + that require DNS include using a USER@HOST pattern in AllowUsers 5.331 + or DenyUsers. 5.332 ++ -z tcp_stealth_secret 5.333 ++ Turns this SSH server into a Stealth SSH TCP Server. This option 5.334 ++ specifies the shared secret which is needed by the clients in order 5.335 ++ to be able to connect to the port the SSH server is listening on. 5.336 ++ Any string specified will be truncated or padded with zeroes to 64 5.337 ++ bytes. This option needs kernel support and is therefore only 5.338 ++ available if the required setsockopt() call is available. 5.339 ++ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ 5.340 ++ for details. 5.341 ++ 5.342 ++ IMPORTANT: This option should only be used for the purpose of 5.343 ++ testing as other users could easily read out the secret from the 5.344 ++ command line arguments. The TCPStealthSecret configuration option 5.345 ++ is the preferred way of specifying the TCP Stealth secret. 5.346 + 5.347 + AUTHENTICATION 5.348 + The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a 5.349 +--- openssh-6.7p1/ssh.0 2014-10-05 23:39:37.000000000 -0400 5.350 ++++ openssh-6.7p1-knock/ssh.0 2014-11-05 20:35:44.216514377 -0500 5.351 +@@ -425,6 +425,20 @@ DESCRIPTION 5.352 + -y Send log information using the syslog(3) system module. By 5.353 + default this information is sent to stderr. 5.354 + 5.355 ++ -z tcp_stealth_secret 5.356 ++ Specifies the shared secret which is needed to connect to a stealth 5.357 ++ SSH TCP server. Any string specified will be truncated to or padded 5.358 ++ with zeroes to 64 bytes. This option needs kernel support and is 5.359 ++ therefore only available if the required setsockopt() call is 5.360 ++ available. 5.361 ++ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ 5.362 ++ for details. 5.363 ++ 5.364 ++ IMPORTANT: This option should only be used for the purpose of 5.365 ++ testing as other users could easily read out the secret from the 5.366 ++ command line arguments. The TCPStealthSecret configuration option 5.367 ++ is the preferred way of specifying the TCP Stealth secret. 5.368 ++ 5.369 + ssh may additionally obtain configuration data from a per-user 5.370 + configuration file and a system-wide configuration file. The file format 5.371 + and configuration options are described in ssh_config(5). 5.372 +--- openssh-6.7p1/ssh.1 2014-07-29 22:32:28.000000000 -0400 5.373 ++++ openssh-6.7p1-knock/ssh.1 2014-11-07 13:56:02.022226289 -0500 5.374 +@@ -64,6 +64,7 @@ 5.375 + .Op Fl S Ar ctl_path 5.376 + .Op Fl W Ar host : Ns Ar port 5.377 + .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun 5.378 ++.Op Fl z Ar tcp_stealth_secret 5.379 + .Oo Ar user Ns @ Oc Ns Ar hostname 5.380 + .Op Ar command 5.381 + .Ek 5.382 +@@ -528,6 +529,7 @@ For full details of the options listed b 5.383 + .It StreamLocalBindUnlink 5.384 + .It StrictHostKeyChecking 5.385 + .It TCPKeepAlive 5.386 ++.It TCPStealthSecret 5.387 + .It Tunnel 5.388 + .It TunnelDevice 5.389 + .It UpdateHostKeys 5.390 +@@ -777,6 +779,21 @@ Send log information using the 5.391 + .Xr syslog 3 5.392 + system module. 5.393 + By default this information is sent to stderr. 5.394 ++.It Fl z Ar tcp_stealth_secret 5.395 ++Specifies the shared secret which is needed to connect to a stealth SSH TCP 5.396 ++server. Any string specified will be truncated to or padded with zeroes to 64 5.397 ++bytes. This option needs kernel support and is therefore only available if the 5.398 ++required 5.399 ++.Xr setsockopt 2 5.400 ++call is available. 5.401 ++.Pp 5.402 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. 5.403 ++.Pp 5.404 ++.Cm IMPORTANT: 5.405 ++This option should only be used for the purpose of testing as other users could 5.406 ++easily read out the secret from the command line arguments. The 5.407 ++.Cm TCPStealthSecret 5.408 ++configuration option is the preferred way of specifying the TCP Stealth secret. 5.409 + .El 5.410 + .Pp 5.411 + .Nm 5.412 +--- openssh-6.7p1/ssh_config.0 2014-10-05 23:39:38.000000000 -0400 5.413 ++++ openssh-6.7p1-knock/ssh_config.0 2014-11-05 20:48:17.064514377 -0500 5.414 +@@ -919,6 +919,15 @@ DESCRIPTION 5.415 + 5.416 + To disable TCP keepalive messages, the value should be set to no. 5.417 + 5.418 ++ TCPStealthSecret 5.419 ++ Specifies the shared secret which is needed to connect to a stealth 5.420 ++ SSH TCP Server. Any string specified will be truncated to or padded 5.421 ++ with zeroes to 64 bytes. This option needs kernel support and is 5.422 ++ therefore only available if the required setsockopt() call is 5.423 ++ available. 5.424 ++ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ 5.425 ++ for details. 5.426 ++ 5.427 + Tunnel Request tun(4) device forwarding between the client and the 5.428 + server. The argument must be yes, point-to-point (layer 3), 5.429 + ethernet (layer 2), or no (the default). Specifying yes requests 5.430 +--- openssh-6.7p1/sshconnect.c 2014-07-18 00:11:26.000000000 -0400 5.431 ++++ openssh-6.7p1-knock/sshconnect.c 2014-11-07 14:07:11.342196835 -0500 5.432 +@@ -286,6 +286,18 @@ ssh_create_socket(int privileged, struct 5.433 + } 5.434 + fcntl(sock, F_SETFD, FD_CLOEXEC); 5.435 + 5.436 ++#ifdef TCP_STEALTH 5.437 ++ if (options.tcp_stealth_secret) { 5.438 ++ if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH, 5.439 ++ options.tcp_stealth_secret, 5.440 ++ TCP_STEALTH_SECRET_SIZE) == -1) { 5.441 ++ error("setsockopt TCP_STEALTH: %s", strerror(errno)); 5.442 ++ close(sock); 5.443 ++ return -1; 5.444 ++ } 5.445 ++ } 5.446 ++#endif 5.447 ++ 5.448 + /* Bind the socket to an alternative local IP address */ 5.449 + if (options.bind_address == NULL && !privileged) 5.450 + return sock; 5.451 +--- openssh-6.7p1/sshd.8 2014-07-03 19:00:04.000000000 -0400 5.452 ++++ openssh-6.7p1-knock/sshd.8 2014-11-07 14:00:14.506215178 -0500 5.453 +@@ -53,6 +53,7 @@ 5.454 + .Op Fl o Ar option 5.455 + .Op Fl p Ar port 5.456 + .Op Fl u Ar len 5.457 ++.Op Fl z Ar tcp_stealth_secret 5.458 + .Ek 5.459 + .Sh DESCRIPTION 5.460 + .Nm 5.461 +@@ -243,6 +244,24 @@ USER@HOST pattern in 5.462 + .Cm AllowUsers 5.463 + or 5.464 + .Cm DenyUsers . 5.465 ++.It Fl z Ar tcp_stealth_secret 5.466 ++Turns this SSH server into a stealth SSH TCP server. This option specifies the 5.467 ++shared secret which is needed by the clients in order to be able to connect to 5.468 ++the port the SSH server is listening on. Any string specified will be truncated 5.469 ++or padded with zeroes to 64 bytes. This option needs kernel support and is 5.470 ++therefore only available if the required 5.471 ++.Xr setsockopt 2 5.472 ++call is available. 5.473 ++.Pp 5.474 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. 5.475 ++ 5.476 ++.Cm IMPORTANT: 5.477 ++This option should only be used for the purpose of 5.478 ++testing as other users could easily read out the secret from the 5.479 ++command line arguments. The 5.480 ++.Cm TCPStealthSecret 5.481 ++configuration option 5.482 ++is the preferred way of specifying the TCP Stealth secret. 5.483 + .El 5.484 + .Sh AUTHENTICATION 5.485 + The OpenSSH SSH daemon supports SSH protocol 2 only. 5.486 +--- openssh-6.7p1/sshd_config.0 2014-10-05 23:39:38.000000000 -0400 5.487 ++++ openssh-6.7p1-knock/sshd_config.0 2014-11-07 14:01:07.530212845 -0500 5.488 +@@ -872,6 +872,19 @@ DESCRIPTION 5.489 + 5.490 + To disable TCP keepalive messages, the value should be set to no. 5.491 + 5.492 ++ TCPStealthSecret 5.493 ++ Turns this SSH server into a stealth SSH TCP server. This 5.494 ++ configuration option specifies the shared secret needed by the 5.495 ++ clients in order to be able to connect to the port the SSH server 5.496 ++ is listening on. This means that port scanners will receive a 5.497 ++ TCP RST and thus will not recognize this TCP port being open. 5.498 ++ 5.499 ++ Any string specified will be truncated or padded with zeroes to 64 5.500 ++ bytes. This option needs kernel support and is therefore only 5.501 ++ available if the required setsockopt() call is available. 5.502 ++ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ 5.503 ++ for details. 5.504 ++ 5.505 + TrustedUserCAKeys 5.506 + Specifies a file containing public keys of certificate 5.507 + authorities that are trusted to sign user certificates for
6.1 --- a/tazlito/receipt Thu May 17 10:47:21 2018 +0200 6.2 +++ b/tazlito/receipt Fri May 18 13:47:33 2018 +0200 6.3 @@ -1,7 +1,7 @@ 6.4 # SliTaz package receipt. 6.5 6.6 PACKAGE="tazlito" 6.7 -VERSION="498" 6.8 +VERSION="500" 6.9 CATEGORY="base-system" 6.10 SHORT_DESC="SliTaz Live Tool." 6.11 MAINTAINER="pascal.bellard@slitaz.org"