There is a situation in SSH -> HPN connection the advertised

rapier1 · rapier1 · commit 28c8606a9c01 · 2024-01-25T16:38:23.000-05:00
window will 16MB and then it will cause some odd behaviour
on the part of the ssh client. Basically it looks like it's
doing a lot of expensive drains and fills on a buffer
that significantly impacts throughput. This is a fix that
annoys me because *any* SSH to HPN connection is now limited
to a maximum recieve window of 15MB. Which is not
optimal in anyway. Still, it's better than the through
put of the pathological state which significantly slower.
diff --git a/channels.c b/channels.c
@@ -1250,10 +1250,12 @@ channel_tcpwinsz(struct ssh *ssh)
 		tcpwinsz = SSHBUF_SIZE_MAX;
 	/* if the remote side is OpenSSH after version 8.8 we need to restrict
 	 * the size of the advertised window. Now this means that any HPN to non-HPN
-	 * connection will be window limited but thats okay. This bug shows up when
-	 * sending data to an hpn */
-	//if ((ssh->compat & SSH_RESTRICT_WINDOW) && (tcpwinsz > NON_HPN_WINDOW_MAX))
-	//	tcpwinsz = NON_HPN_WINDOW_MAX;
+	 * connection will be window limited to 15MB of receive space. This is a
+	 * non-optimal solution.
+	 */
+
+	if ((ssh->compat & SSH_RESTRICT_WINDOW) && (tcpwinsz > NON_HPN_WINDOW_MAX))
+		tcpwinsz = NON_HPN_WINDOW_MAX;
 	return (tcpwinsz);
 }
 
@@ -2368,10 +2370,6 @@ channel_check_window(struct ssh *ssh, Channel *c)
 	    c->local_consumed > 0) {
 		u_int addition = 0;
 		u_int32_t tcpwinsz = channel_tcpwinsz(ssh);
-		if ((ssh->compat & SSH_RESTRICT_WINDOW) &&
-		    (tcpwinsz > NON_HPN_WINDOW_MAX))
-			tcpwinsz = NON_HPN_WINDOW_MAX;
-		
 		/* adjust max window size if we are in a dynamic environment
 		 * and the tcp receive buffer is larger than the ssh window */
 		if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
@@ -2390,8 +2388,10 @@ channel_check_window(struct ssh *ssh, Channel *c)
 				addition = tcpwinsz - c->local_window_max;
 			}
 			c->local_window_max += addition;
-			//sshbuf_set_window_max(c->output, c->local_window_max);
-			//sshbuf_set_window_max(c->input, c->local_window_max);
+			/* doesn't look like we need these
+			 * sshbuf_set_window_max(c->output, c->local_window_max);
+			 * sshbuf_set_window_max(c->input, c->local_window_max);
+			 */
 			debug("Channel %d: Window growth to %d by %d bytes",c->self,
 			      c->local_window_max, addition);
 		}
diff --git a/compat.c b/compat.c
@@ -124,11 +124,9 @@ compat_banner(struct ssh *ssh, const char *version)
 		{ NULL,			0 }
 	};
 
-	debug ("------------------------ VERSION IS %s", version);
 	/* process table, return first match */
 	ssh->compat = 0;
 	for (i = 0; check[i].pat; i++) {
-		debug_f("PATTERN IS %d for %s\n", i, check[i].pat);
 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
 			debug_f("match: %s pat %s compat 0x%08x",
 			    version, check[i].pat, check[i].bugs);
@@ -155,13 +153,15 @@ compat_banner(struct ssh *ssh, const char *version)
 					debug("Remote uses HPNSSH prefixes.");
 					break;
 				}
+				/* if it's openssh and not hpn */
 				if ((strstr(version, "OpenSSH_8.9") != NULL) ||
 				    (strstr(version, "OpenSSH_9") != NULL)) {
 					ssh->compat |= SSH_RESTRICT_WINDOW;
 					debug("Restricting adverstised window size.");
 				}
 			}
 			debug("ssh->compat is %u", ssh->compat);
+			return;
 		}
 	}
 	debug_f("no match: %s", version);
diff --git a/kex.c b/kex.c
@@ -1753,8 +1753,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 		debug("Non-HPN to HPN Connection.");
 
 	if(ssh->compat & SSH_RESTRICT_WINDOW)
-		debug ("---------------------- RESTRICT");
-	
+		debug ("Window size restricted.");
+
 	mismatch = 0;
 	switch (remote_major) {
 	case 2:
diff --git a/ssh.c b/ssh.c
@@ -2194,14 +2194,6 @@ ssh_session2_setup(struct ssh *ssh, int id, int success, void *arg)
 static void
 hpn_options_init(struct ssh *ssh)
 {
-	if (ssh->compat & SSH_HPNSSH)
-		debug("HPN to HPN Connection.");
-	else
-		debug("Non-HPN to HPN Connection.");
-
-	if(ssh->compat & SSH_RESTRICT_WINDOW)
-		debug ("---------------------- RESTRICT");
-
 	channel_set_hpn_disabled(options.hpn_disabled);
 	debug_f("HPN disabled: %d", options.hpn_disabled);
 }
diff --git a/sshbuf.c b/sshbuf.c
@@ -371,7 +371,7 @@ sshbuf_check_reserve(const struct sshbuf *buf, size_t len)
 void
 sshbuf_set_window_max(struct sshbuf *buf, size_t len)
 {
-	//buf->window_max = len;
+	buf->window_max = len;
 }
 
 int

Original file line number	Diff line number	Diff line change
`@@ -124,11 +124,9 @@ compat_banner(struct ssh ssh, const char version)`
`124`	`124`	`{ NULL, 0 }`
`125`	`125`	`};`
`126`	`126`
`127`		`- debug ("------------------------ VERSION IS %s", version);`
`128`	`127`	`/* process table, return first match */`
`129`	`128`	`ssh->compat = 0;`
`130`	`129`	`for (i = 0; check[i].pat; i++) {`
`131`		`- debug_f("PATTERN IS %d for %s\n", i, check[i].pat);`
`132`	`130`	`if (match_pattern_list(version, check[i].pat, 0) == 1) {`
`133`	`131`	`debug_f("match: %s pat %s compat 0x%08x",`
`134`	`132`	`version, check[i].pat, check[i].bugs);`
`@@ -155,13 +153,15 @@ compat_banner(struct ssh ssh, const char version)`
`155`	`153`	`debug("Remote uses HPNSSH prefixes.");`
`156`	`154`	`break;`
`157`	`155`	`}`
	`156`	`+ /* if it's openssh and not hpn */`
`158`	`157`	`if ((strstr(version, "OpenSSH_8.9") != NULL) \|\|`
`159`	`158`	`(strstr(version, "OpenSSH_9") != NULL)) {`
`160`	`159`	`ssh->compat \|= SSH_RESTRICT_WINDOW;`
`161`	`160`	`debug("Restricting adverstised window size.");`
`162`	`161`	`}`
`163`	`162`	`}`
`164`	`163`	`debug("ssh->compat is %u", ssh->compat);`
	`164`	`+ return;`
`165`	`165`	`}`
`166`	`166`	`}`
`167`	`167`	`debug_f("no match: %s", version);`
Original file line number	Diff line number	Diff line change
`@@ -371,7 +371,7 @@ sshbuf_check_reserve(const struct sshbuf *buf, size_t len)`
`371`	`371`	`void`
`372`	`372`	`sshbuf_set_window_max(struct sshbuf *buf, size_t len)`
`373`	`373`	`{`
`374`		`- //buf->window_max = len;`
	`374`	`+ buf->window_max = len;`
`375`	`375`	`}`
`376`	`376`
`377`	`377`	`int`