aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorbdrewery <bdrewery@FreeBSD.org>2015-04-05 01:16:58 +0800
committerbdrewery <bdrewery@FreeBSD.org>2015-04-05 01:16:58 +0800
commit70766d757db9c83460023e50b6eda5aad9d18a35 (patch)
tree3c24e143524ade0c49397c63dd7559370a7e9269
parent8fb490aed0fe5818e594dd428211a5f3db4833bf (diff)
downloadfreebsd-ports-gnome-70766d757db9c83460023e50b6eda5aad9d18a35.tar.gz
freebsd-ports-gnome-70766d757db9c83460023e50b6eda5aad9d18a35.tar.zst
freebsd-ports-gnome-70766d757db9c83460023e50b6eda5aad9d18a35.zip
- Update to 6.8p1
- Fix 'make test' - HPN: - NONECIPHER is no longer default. This is not default in base and should not be default here as it introduces security holes. - HPN: I've audited the patch and included it in the port directory for transparency. I identified several bugs and submitted them to the new upstream: https://github.com/rapier1/openssh-portable/pull/2 - HPN: The entire patch is now ifdef'd to ensure various bits are properly removed depending on the OPTIONS selected. - AES_THREADED is removed. It has questionable benefit on modern HW and is not stable. - The "enhanced logging" was removed from the patch as it is too intrusive and difficult to maintain in the port. - The progress meter "peak throughput" patch was removed. - Fixed HPN version showing in client/server version string when HPN was disabled in the config. - KERB_GSSAPI is currently BROKEN as it does not apply. - Update X509 to 8.3 Changelog: http://www.openssh.com/txt/release-6.8
-rw-r--r--security/openssh-portable/Makefile50
-rw-r--r--security/openssh-portable/distinfo16
-rw-r--r--security/openssh-portable/files/extra-patch-hpn1296
-rw-r--r--security/openssh-portable/files/extra-patch-hpn-build-options142
-rw-r--r--security/openssh-portable/files/extra-patch-hpn-no-hpn32
-rw-r--r--security/openssh-portable/files/extra-patch-hpn-window-size24
-rw-r--r--security/openssh-portable/files/extra-patch-sshd-utmp-size12
-rw-r--r--security/openssh-portable/files/extra-patch-tcpwrappers19
-rw-r--r--security/openssh-portable/files/patch-regress__test-exec.sh10
-rw-r--r--security/openssh-portable/files/patch-servconf.c30
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.c40
-rw-r--r--security/openssh-portable/files/patch-sshconnect.c12
12 files changed, 1389 insertions, 294 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index f7f3dac41c1b..eb739540edca 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 6.7p1
-PORTREVISION= 5
+DISTVERSION= 6.8p1
+PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
@@ -27,13 +27,10 @@ CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \
--without-zlib-version-check --with-ssl-engine
ETCOLD= ${PREFIX}/etc
-SUDO?= # empty
-MAKE_ENV+= SUDO="${SUDO}"
-
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
HPN X509 KERB_GSSAPI \
- OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER
-OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER
+ OVERWRITE_BASE SCTP LDNS NONECIPHER
+OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= tcp_wrappers support
@@ -47,7 +44,6 @@ OVERWRITE_BASE_DESC= EOL, No longer supported.
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
MIT_DESC= MIT Kerberos (security/krb5)
-AES_THREADED_DESC= Threaded AES-CTR
NONECIPHER_DESC= NONE Cipher support
OPTIONS_SUB= yes
@@ -61,18 +57,17 @@ LDNS_CFLAGS= -I${LOCALBASE}/include
LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib'
# http://www.psc.edu/index.php/hpn-ssh
-HPN_EXTRA_PATCHES= ${FILESDIR}/extra-patch-hpn-window-size
HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
-AES_THREADED_CONFIGURE_WITH= aes-threaded
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 8.2
+X509_VERSION= 8.3
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-X509_PATCHFILES= ${PORTNAME}-6.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES= ${PORTNAME}-6.8p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
-SCTP_PATCHFILES= ${PORTNAME}-6.7p1-sctp-2496.patch.gz:-p1
+# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
+SCTP_PATCHFILES= ${PORTNAME}-6.8p1-sctp-2573.patch.gz:-p1
SCTP_CONFIGURE_WITH= sctp
MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5
@@ -93,19 +88,15 @@ PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gs
EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
.endif
-# http://www.psc.edu/index.php/hpn-ssh
-.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
+# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
+.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
PORTDOCS+= HPN-README
HPN_VERSION= 14v5
HPN_DISTVERSION= 6.7p1
#PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
#PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
-PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
-EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-build-options
-# Remove HPN if only AES requested
-. if !${PORT_OPTIONS:MHPN}
-EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-no-hpn
-. endif
+#PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2
.endif
# Must add this patch after HPN due to conflicts
@@ -133,7 +124,7 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum
.if ${PORT_OPTIONS:MX509}
-. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
+. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
@@ -147,6 +138,10 @@ BROKEN= X509 patch incompatible with KERB_GSSAPI patch
.endif
+. if ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN= Does not apply to 6.8
+. endif
+
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
.endif
@@ -218,14 +213,17 @@ post-install:
${STAGEDIR}${ETCDIR}//ssh_config.sample
${MV} ${STAGEDIR}${ETCDIR}/sshd_config \
${STAGEDIR}${ETCDIR}/sshd_config.sample
-.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
+.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
${MKDIR} ${STAGEDIR}${DOCSDIR}
${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
.endif
-test: build
- (cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \
+test: build
+ cd ${WRKSRC} && ${SETENV} -i \
+ OBJ=${WRKDIR} ${MAKE_ENV} \
+ TEST_SHELL=${SH} \
+ SUDO="${SUDO}" \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
- ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS})
+ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
.include <bsd.port.post.mk>
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index ed8d0395f31d..eafe5741060d 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,12 +1,8 @@
-SHA256 (openssh-6.7p1.tar.gz) = b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507
-SIZE (openssh-6.7p1.tar.gz) = 1351367
-SHA256 (openssh-6.7p1-hpnssh14v5.diff.gz) = 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6
-SIZE (openssh-6.7p1-hpnssh14v5.diff.gz) = 24326
-SHA256 (openssh-6.7p1+x509-8.2.diff.gz) = 85acfcd560b40d4533b82a4e3f443b7137b377868bab424dacdf00581c83240f
-SIZE (openssh-6.7p1+x509-8.2.diff.gz) = 241798
+SHA256 (openssh-6.8p1.tar.gz) = 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e
+SIZE (openssh-6.8p1.tar.gz) = 1475953
+SHA256 (openssh-6.8p1+x509-8.3.diff.gz) = 34dbefcce8509d3c876be3e7d8966455c7c3589a6872bdfb1f8ce3d133f4d304
+SIZE (openssh-6.8p1+x509-8.3.diff.gz) = 347942
SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8
SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825
-SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
-SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
-SHA256 (openssh-6.7p1-sctp-2496.patch.gz) = ec2b6aa8a6d65a2c11d4453a25294ae5082e7ed7c9f418ec081f750bfba022db
-SIZE (openssh-6.7p1-sctp-2496.patch.gz) = 8052
+SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a
+SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
new file mode 100644
index 000000000000..2649d8169fa0
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -0,0 +1,1296 @@
+diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/openssh-6.8p1/HPN-README work/openssh-6.8p1/HPN-README
+--- work.clean/openssh-6.8p1/HPN-README 1969-12-31 18:00:00.000000000 -0600
++++ work/openssh-6.8p1/HPN-README 2015-04-01 22:16:49.869215000 -0500
+@@ -0,0 +1,129 @@
++Notes:
++
++MULTI-THREADED CIPHER:
++The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
++on hosts with multiple cores to use more than one processing core during encryption.
++Tests have show significant throughput performance increases when using MTR-AES-CTR up
++to and including a full gigabit per second on quad core systems. It should be possible to
++achieve full line rate on dual core systems but OS and data management overhead makes this
++more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
++thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
++performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
++The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
++nomenclature.
++Use examples: ssh -caes128-ctr you@host.com
++ scp -oCipher=aes256-ctr file you@host.com:~/file
++
++NONE CIPHER:
++To use the NONE option you must have the NoneEnabled switch set on the server and
++you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
++feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
++spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
++be disabled.
++
++The performance increase will only be as good as the network and TCP stack tuning
++on the reciever side of the connection allows. As a rule of thumb a user will need
++at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
++HPN-SSH home page describes this in greater detail.
++
++http://www.psc.edu/networking/projects/hpn-ssh
++
++BUFFER SIZES:
++
++If HPN is disabled the receive buffer size will be set to the
++OpenSSH default of 64K.
++
++If an HPN system connects to a nonHPN system the receive buffer will
++be set to the HPNBufferSize value. The default is 2MB but user adjustable.
++
++If an HPN to HPN connection is established a number of different things might
++happen based on the user options and conditions.
++
++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
++HPN Buffer Size = up to 64MB
++This is the default state. The HPN buffer size will grow to a maximum of 64MB
++as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
++geared towards 10GigE transcontinental connections.
++
++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
++HPN Buffer Size = TCP receive buffer value.
++Users on non-autotuning systesm should disable TCPRcvBufPoll in the
++ssh_cofig and sshd_config
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
++HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
++This would be the system defined TCP receive buffer (RWIN).
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
++Generally there is no need to set both.
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
++HPN Buffer Size = grows to HPNBufferSize
++The buffer will grow up to the maximum size specified here.
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
++Generally there is no need to set both of these, especially on autotuning
++systems. However, if the users wishes to override the autotuning this would be
++one way to do it.
++
++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
++HPN Buffer Size = TCPRcvBuf.
++This will override autotuning and set the TCP recieve buffer to the user defined
++value.
++
++
++HPN Specific Configuration options
++
++TcpRcvBuf=[int]KB client
++ set the TCP socket receive buffer to n Kilobytes. It can be set up to the
++maximum socket size allowed by the system. This is useful in situations where
++the tcp receive window is set low but the maximum buffer size is set
++higher (as is typical). This works on a per TCP connection basis. You can also
++use this to artifically limit the transfer rate of the connection. In these
++cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
++Default is the current system wide tcp receive buffer size.
++
++TcpRcvBufPoll=[yes/no] client/server
++ enable of disable the polling of the tcp receive buffer through the life
++of the connection. You would want to make sure that this option is enabled
++for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
++default is yes.
++
++NoneEnabled=[yes/no] client/server
++ enable or disable the use of the None cipher. Care must always be used
++when enabling this as it will allow users to send data in the clear. However,
++it is important to note that authentication information remains encrypted
++even if this option is enabled. Set to no by default.
++
++NoneSwitch=[yes/no] client
++ Switch the encryption cipher being used to the None cipher after
++authentication takes place. NoneEnabled must be enabled on both the client
++and server side of the connection. When the connection switches to the NONE
++cipher a warning is sent to STDERR. The connection attempt will fail with an
++error if a client requests a NoneSwitch from the server that does not explicitly
++have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
++interactive (shell) sessions and it will fail silently. Set to no by default.
++
++HPNDisabled=[yes/no] client/server
++ In some situations, such as transfers on a local area network, the impact
++of the HPN code produces a net decrease in performance. In these cases it is
++helpful to disable the HPN functionality. By default HPNDisabled is set to no.
++
++HPNBufferSize=[int]KB client/server
++ This is the default buffer size the HPN functionality uses when interacting
++with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
++option as applied to the internal SSH flow control. This value can range from
++1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
++problems depending on the length of the network path. The default size of this buffer
++is 2MB.
++
++
++Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
++ The majority of the actual coding for versions up to HPN12v1 was performed
++ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
++ implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota
++ (tasota@gmail.com) an NSF REU grant recipient for 2013.
++ This work was financed, in part, by Cisco System, Inc., the National
++ Library of Medicine, and the National Science Foundation.
+--- work.clean/openssh-6.8p1/channels.c 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/channels.c 2015-04-03 15:51:59.599537000 -0500
+@@ -183,8 +183,14 @@
+ static int connect_next(struct channel_connect *);
+ static void channel_connect_ctx_free(struct channel_connect *);
+
++
++#ifdef HPN_ENABLED
++static int hpn_disabled = 0;
++static int hpn_buffer_size = 2 * 1024 * 1024;
++#endif
++
+ /* -- channel core */
+
+ Channel *
+ channel_by_id(int id)
+ {
+@@ -333,6 +339,9 @@
+ c->local_window_max = window;
+ c->local_consumed = 0;
+ c->local_maxpacket = maxpack;
++#ifdef HPN_ENABLED
++ c->dynamic_window = 0;
++#endif
+ c->remote_id = -1;
+ c->remote_name = xstrdup(remote_name);
+ c->remote_window = 0;
+@@ -837,11 +846,41 @@
+ FD_SET(c->sock, writeset);
+ }
+
++#ifdef HPN_ENABLED
++static u_int
++channel_tcpwinsz(void)
++{
++ u_int32_t tcpwinsz = 0;
++ socklen_t optsz = sizeof(tcpwinsz);
++ int ret = -1;
++
++ /* if we aren't on a socket return 128KB */
++ if (!packet_connection_is_on_socket())
++ return (128*1024);
++ ret = getsockopt(packet_get_connection_in(),
++ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
++ /* return no more than SSHBUF_SIZE_MAX */
++ if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX)
++ tcpwinsz = SSHBUF_SIZE_MAX;
++ debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
++ packet_get_connection_in());
++ return (tcpwinsz);
++}
++#endif
++
+ static void
+ channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
+ {
+ u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
+
++#ifdef HPN_ENABLED
++ /* check buffer limits */
++ if (!c->tcpwinsz || c->dynamic_window > 0)
++ c->tcpwinsz = channel_tcpwinsz();
++
++ limit = MIN(limit, 2 * c->tcpwinsz);
++#endif
++
+ if (c->istate == CHAN_INPUT_OPEN &&
+ limit > 0 &&
+ buffer_len(&c->input) < limit &&
+@@ -1846,6 +1885,20 @@
+ c->local_maxpacket*3) ||
+ c->local_window < c->local_window_max/2) &&
+ c->local_consumed > 0) {
++#ifdef HPN_ENABLED
++ /* adjust max window size if we are in a dynamic environment */
++ if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
++ u_int addition = 0;
++
++ /*
++ * grow the window somewhat aggressively to maintain
++ * pressure
++ */
++ addition = 1.5*(c->tcpwinsz - c->local_window_max);
++ c->local_window_max += addition;
++ c->local_consumed += addition;
++ }
++#endif
+ packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
+ packet_put_int(c->remote_id);
+ packet_put_int(c->local_consumed);
+@@ -2794,6 +2847,17 @@
+ return addr;
+ }
+
++#ifdef HPN_ENABLED
++void
++channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
++{
++ hpn_disabled = external_hpn_disabled;
++ hpn_buffer_size = external_hpn_buffer_size;
++ debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled,
++ hpn_buffer_size);
++}
++#endif
++
+ static int
+ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
+ int *allocated_listen_port, struct ForwardOptions *fwd_opts)
+@@ -2918,9 +2982,20 @@
+ }
+
+ /* Allocate a channel number for the socket. */
++#ifdef HPN_ENABLED
++ /*
++ * explicitly test for hpn disabled option. if true use smaller
++ * window size.
++ */
++ if (!hpn_disabled)
++ c = channel_new("port listener", type, sock, sock, -1,
++ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
++ 0, "port listener", 1);
++ else
++#endif
+ c = channel_new("port listener", type, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1);
+ c->path = xstrdup(host);
+ c->host_port = fwd->connect_port;
+ c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
+@@ -3952,6 +4027,14 @@
+ *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
+ for (n = 0; n < num_socks; n++) {
+ sock = socks[n];
++#ifdef HPN_ENABLED
++ if (!hpn_disabled)
++ nc = channel_new("x11 listener",
++ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
++ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
++ 0, "X11 inet listener", 1);
++ else
++#endif
+ nc = channel_new("x11 listener",
+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+--- work.clean/openssh-6.8p1/channels.h 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/channels.h 2015-04-03 13:58:44.472717000 -0500
+@@ -136,6 +136,10 @@
+ u_int local_maxpacket;
+ int extended_usage;
+ int single_connection;
++#ifdef HPN_ENABLED
++ int dynamic_window;
++ u_int tcpwinsz;
++#endif
+
+ char *ctype; /* type */
+
+@@ -311,4 +315,9 @@
+ void chan_write_failed(Channel *);
+ void chan_obuf_empty(Channel *);
+
++#ifdef HPN_ENABLED
++/* hpn handler */
++void channel_set_hpn(int, int);
++#endif
++
+ #endif
+--- work.clean/openssh-6.8p1/cipher.c 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/cipher.c 2015-04-03 16:22:04.972592000 -0500
+@@ -244,7 +244,13 @@
+ for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
+ (p = strsep(&cp, CIPHER_SEP))) {
+ c = cipher_by_name(p);
+- if (c == NULL || c->number != SSH_CIPHER_SSH2) {
++ if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
++#ifdef NONE_CIPHER_ENABLED
++ c->number != SSH_CIPHER_NONE
++#else
++ 1
++#endif
++ )) {
+ free(cipher_list);
+ return 0;
+ }
+@@ -545,6 +551,9 @@
+
+ switch (c->number) {
+ #ifdef WITH_OPENSSL
++#ifdef NONE_CIPHER_ENABLED
++ case SSH_CIPHER_NONE:
++#endif
+ case SSH_CIPHER_SSH2:
+ case SSH_CIPHER_DES:
+ case SSH_CIPHER_BLOWFISH:
+@@ -593,6 +602,9 @@
+
+ switch (c->number) {
+ #ifdef WITH_OPENSSL
++#ifdef NONE_CIPHER_ENABLED
++ case SSH_CIPHER_NONE:
++#endif
+ case SSH_CIPHER_SSH2:
+ case SSH_CIPHER_DES:
+ case SSH_CIPHER_BLOWFISH:
+--- work.clean/openssh-6.8p1/clientloop.c 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/clientloop.c 2015-04-03 17:29:40.618489000 -0500
+@@ -1909,6 +1909,15 @@
+ sock = x11_connect_display();
+ if (sock < 0)
+ return NULL;
++#ifdef HPN_ENABLED
++ /* again is this really necessary for X11? */
++ if (!options.hpn_disabled)
++ c = channel_new("x11",
++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
++ options.hpn_buffer_size,
++ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
++ else
++#endif
+ c = channel_new("x11",
+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+@@ -1934,6 +1943,14 @@
+ __func__, ssh_err(r));
+ return NULL;
+ }
++#ifdef HPN_ENABLED
++ if (!options.hpn_disabled)
++ c = channel_new("authentication agent connection",
++ SSH_CHANNEL_OPEN, sock, sock, -1,
++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
++ "authentication agent connection", 1);
++ else
++#endif
+ c = channel_new("authentication agent connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+@@ -1964,6 +1981,12 @@
+ return -1;
+ }
+
++#ifdef HPN_ENABLED
++ if (!options.hpn_disabled)
++ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
++ else
++#endif
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ c->datagram = 1;
+--- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/compat.c 2015-04-03 16:39:57.665699000 -0500
+@@ -177,6 +177,14 @@
+ debug("match: %s pat %s compat 0x%08x",
+ version, check[i].pat, check[i].bugs);
+ datafellows = check[i].bugs; /* XXX for now */
++#ifdef HPN_ENABLED
++ /* Check to see if the remote side is OpenSSH and not HPN */
++ if (strstr(version,"OpenSSH") != NULL &&
++ strstr(version,"hpn") == NULL) {
++ datafellows |= SSH_BUG_LARGEWINDOW;
++ debug("Remote is NON-HPN aware");
++ }
++#endif
+ return check[i].bugs;
+ }
+ }
+--- work.clean/openssh-6.8p1/compat.h 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/compat.h 2015-04-03 16:39:34.780416000 -0500
+@@ -60,6 +60,9 @@
+ #define SSH_NEW_OPENSSH 0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT 0x08000000
+ #define SSH_BUG_CURVE25519PAD 0x10000000
++#ifdef HPN_ENABLED
++#define SSH_BUG_LARGEWINDOW 0x20000000
++#endif
+
+ void enable_compat13(void);
+ void enable_compat20(void);
+--- work.clean/openssh-6.8p1/configure.ac 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/configure.ac 2015-04-03 16:36:28.916502000 -0500
+@@ -4238,6 +4238,25 @@
+ ]
+ ) # maildir
+
++#check whether user wants HPN support
++HPN_MSG="no"
++AC_ARG_WITH(hpn,
++ [ --with-hpn Enable HPN support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.])
++ HPN_MSG="yes"
++ fi ]
++)
++#check whether user wants NONECIPHER support
++NONECIPHER_MSG="no"
++AC_ARG_WITH(nonecipher,
++ [ --with-nonecipher Enable NONECIPHER support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want NONECIPHER support.])
++ NONECIPHER_MSG="yes"
++ fi ]
++)
++
+ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
+ AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
+ disable_ptmx_check=yes
+@@ -4905,6 +4924,8 @@
+ echo " BSD Auth support: $BSD_AUTH_MSG"
+ echo " Random number source: $RAND_MSG"
+ echo " Privsep sandbox style: $SANDBOX_STYLE"
++echo " HPN support: $HPN_MSG"
++echo " NONECIPHER support: $NONECIPHER_MSG"
+
+ echo ""
+
+--- work.clean/openssh-6.8p1/kex.c 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/kex.c 2015-04-03 17:06:44.032682000 -0500
+@@ -587,6 +587,13 @@
+ int nenc, nmac, ncomp;
+ u_int mode, ctos, need, dh_need, authlen;
+ int r, first_kex_follows;
++#ifdef NONE_CIPHER_ENABLED
++ /* XXX: Could this move into the lower block? */
++ int auth_flag;
++
++ auth_flag = ssh_packet_authentication_state(ssh);
++ debug ("AUTH STATE IS %d", auth_flag);
++#endif
+
+ if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 ||
+ (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
+@@ -635,6 +642,17 @@
+ if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
+ sprop[ncomp])) != 0)
+ goto out;
++#ifdef NONE_CIPHER_ENABLED
++ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
++ if (strcmp(newkeys->enc.name, "none") == 0) {
++ debug("Requesting NONE. Authflag is %d", auth_flag);
++ if (auth_flag == 1) {
++ debug("None requested post authentication.");
++ } else {
++ fatal("Pre-authentication none cipher requests are not allowed.");
++ }
++ }
++#endif
+ debug("kex: %s %s %s %s",
+ ctos ? "client->server" : "server->client",
+ newkeys->enc.name,
+--- work.clean/openssh-6.8p1/myproposal.h 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/myproposal.h 2015-04-03 16:43:33.747402000 -0500
+@@ -171,6 +171,10 @@
+ #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
+ #define KEX_DEFAULT_LANG ""
+
++#ifdef NONE_CIPHER_ENABLED
++#define KEX_ENCRYPT_INCLUDE_NONE KEX_SERVER_ENCRYPT ",none"
++#endif
++
+ #define KEX_CLIENT \
+ KEX_CLIENT_KEX, \
+ KEX_DEFAULT_PK_ALG, \
+--- work.clean/openssh-6.8p1/packet.c 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/packet.c 2015-04-03 16:10:57.002066000 -0500
+@@ -2199,6 +2199,24 @@
+ }
+ }
+
++#ifdef NONE_CIPHER_ENABLED
++/* this supports the forced rekeying required for the NONE cipher */
++int rekey_requested = 0;
++void
++packet_request_rekeying(void)
++{
++ rekey_requested = 1;
++}
++
++int
++ssh_packet_authentication_state(struct ssh *ssh)
++{
++ struct session_state *state = ssh->state;
++
++ return(state->after_authentication);
++}
++#endif
++
+ #define MAX_PACKETS (1U<<31)
+ int
+ ssh_packet_need_rekeying(struct ssh *ssh)
+@@ -2207,6 +2225,12 @@
+
+ if (ssh->compat & SSH_BUG_NOREKEY)
+ return 0;
++#ifdef NONE_CIPHER_ENABLED
++ if (rekey_requested == 1) {
++ rekey_requested = 0;
++ return 1;
++ }
++#endif
+ return
+ (state->p_send.packets > MAX_PACKETS) ||
+ (state->p_read.packets > MAX_PACKETS) ||
+--- work.clean/openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500
+@@ -188,6 +188,11 @@
+ int sshpkt_get_end(struct ssh *ssh);
+ const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
+
++#ifdef NONE_CIPHER_ENABLED
++void packet_request_rekeying(void);
++int ssh_packet_authentication_state(struct ssh *ssh);
++#endif
++
+ /* OLD API */
+ extern struct ssh *active_state;
+ #include "opacket.h"
+--- work.clean/openssh-6.8p1/readconf.c 2015-04-01 22:07:18.135435000 -0500
++++ work/openssh-6.8p1/readconf.c 2015-04-03 15:10:44.188916000 -0500
+@@ -154,6 +154,12 @@
+ oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+ oVisualHostKey, oUseRoaming,
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
++#ifdef HPN_ENABLED
++ oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
++#endif
++#ifdef NONE_CIPHER_ENABLED
++ oNoneSwitch, oNoneEnabled,
++#endif
+ oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
+ oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
+@@ -276,6 +282,16 @@
+ { "fingerprinthash", oFingerprintHash },
+ { "updatehostkeys", oUpdateHostkeys },
+ { "hostbasedkeytypes", oHostbasedKeyTypes },
++#ifdef NONE_CIPHER_ENABLED
++ { "noneenabled", oNoneEnabled },
++ { "noneswitch", oNoneSwitch },
++#endif
++#ifdef HPN_ENABLED
++ { "tcprcvbufpoll", oTcpRcvBufPoll },
++ { "tcprcvbuf", oTcpRcvBuf },
++ { "hpndisabled", oHPNDisabled },
++ { "hpnbuffersize", oHPNBufferSize },
++#endif
+ { "ignoreunknown", oIgnoreUnknown },
+
+ { NULL, oBadOption }
+@@ -917,6 +933,44 @@
+ intptr = &options->check_host_ip;
+ goto parse_flag;
+
++#ifdef HPN_ENABLED
++ case oHPNDisabled:
++ intptr = &options->hpn_disabled;
++ goto parse_flag;
++
++ case oHPNBufferSize:
++ intptr = &options->hpn_buffer_size;
++ goto parse_int;
++
++ case oTcpRcvBufPoll:
++ intptr = &options->tcp_rcv_buf_poll;
++ goto parse_flag;
++
++ case oTcpRcvBuf:
++ intptr = &options->tcp_rcv_buf;
++ goto parse_int;
++#endif
++
++#ifdef NONE_CIPHER_ENABLED
++ case oNoneEnabled:
++ intptr = &options->none_enabled;
++ goto parse_flag;
++
++ /* we check to see if the command comes from the */
++ /* command line or not. If it does then enable it */
++ /* otherwise fail. NONE should never be a default configuration */
++ case oNoneSwitch:
++ if(strcmp(filename,"command-line") == 0) {
++ intptr = &options->none_switch;
++ goto parse_flag;
++ } else {
++ error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
++ error("Continuing...");
++ debug("NoneSwitch directive found in %.200s.", filename);
++ return 0;
++ }
++#endif
++
+ case oVerifyHostKeyDNS:
+ intptr = &options->verify_host_key_dns;
+ multistate_ptr = multistate_yesnoask;
+@@ -1678,6 +1732,16 @@
+ options->ip_qos_interactive = -1;
+ options->ip_qos_bulk = -1;
+ options->request_tty = -1;
++#ifdef NONE_CIPHER_ENABLED
++ options->none_switch = -1;
++ options->none_enabled = -1;
++#endif
++#ifdef HPN_ENABLED
++ options->hpn_disabled = -1;
++ options->hpn_buffer_size = -1;
++ options->tcp_rcv_buf_poll = -1;
++ options->tcp_rcv_buf = -1;
++#endif
+ options->proxy_use_fdpass = -1;
+ options->ignored_unknown = NULL;
+ options->num_canonical_domains = 0;
+@@ -1838,6 +1902,35 @@
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+ options->server_alive_count_max = 3;
++#ifdef NONE_CIPHER_ENABLED
++ if (options->none_switch == -1)
++ options->none_switch = 0;
++ if (options->none_enabled == -1)
++ options->none_enabled = 0;
++#endif
++#ifdef HPN_ENABLED
++ if (options->hpn_disabled == -1)
++ options->hpn_disabled = 0;
++ if (options->hpn_buffer_size > -1) {
++ /* if a user tries to set the size to 0 set it to 1KB */
++ if (options->hpn_buffer_size == 0)
++ options->hpn_buffer_size = 1;
++ /* limit the buffer to 64MB */
++ if (options->hpn_buffer_size > 64*1024) {
++ options->hpn_buffer_size = 64*1024*1024;
++ debug("User requested buffer larger than 64MB. Request"
++ " reverted to 64MB");
++ } else
++ options->hpn_buffer_size *= 1024;
++ debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
++ }
++ if (options->tcp_rcv_buf == 0)
++ options->tcp_rcv_buf = 1;
++ if (options->tcp_rcv_buf > -1)
++ options->tcp_rcv_buf *=1024;
++ if (options->tcp_rcv_buf_poll == -1)
++ options->tcp_rcv_buf_poll = 1;
++#endif
+ if (options->control_master == -1)
+ options->control_master = 0;
+ if (options->control_persist == -1) {
+--- work.clean/openssh-6.8p1/readconf.h 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/readconf.h 2015-04-03 13:47:45.670125000 -0500
+@@ -105,6 +105,16 @@
+ int clear_forwardings;
+
+ int enable_ssh_keysign;
++#ifdef NONE_CIPHER_ENABLED
++ int none_switch; /* Use none cipher */
++ int none_enabled; /* Allow none to be used */
++#endif
++#ifdef HPN_ENABLED
++ int tcp_rcv_buf; /* user switch to set tcp recv buffer */
++ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
++ int hpn_disabled; /* Switch to disable HPN buffer management */
++ int hpn_buffer_size; /* User definable size for HPN buffer window */
++#endif
+ int64_t rekey_limit;
+ int rekey_interval;
+ int no_host_authentication_for_localhost;
+--- work.clean/openssh-6.8p1/scp.c 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/scp.c 2015-04-02 16:51:25.108407000 -0500
+@@ -750,7 +750,7 @@
+ off_t i, statbytes;
+ size_t amt, nr;
+ int fd = -1, haderr, indx;
+- char *last, *name, buf[2048], encname[PATH_MAX];
++ char *last, *name, buf[16384], encname[PATH_MAX];
+ int len;
+
+ for (indx = 0; indx < argc; ++indx) {
+@@ -919,7 +919,7 @@
+ off_t size, statbytes;
+ unsigned long long ull;
+ int setimes, targisdir, wrerrno = 0;
+- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
++ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384];
+ struct timeval tv[2];
+
+ #define atime tv[0]
+--- work.clean/openssh-6.8p1/servconf.c 2015-04-01 22:07:18.142441000 -0500
++++ work/openssh-6.8p1/servconf.c 2015-04-03 16:32:16.114236000 -0500
+@@ -160,6 +160,14 @@
+ options->revoked_keys_file = NULL;
+ options->trusted_user_ca_keys = NULL;
+ options->authorized_principals_file = NULL;
++#ifdef NONE_CIPHER_ENABLED
++ options->none_enabled = -1;
++#endif
++#ifdef HPN_ENABLED
++ options->tcp_rcv_buf_poll = -1;
++ options->hpn_disabled = -1;
++ options->hpn_buffer_size = -1;
++#endif
+ options->ip_qos_interactive = -1;
+ options->ip_qos_bulk = -1;
+ options->version_addendum = NULL;
+@@ -326,6 +334,57 @@
+ }
+ if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
++#ifdef NONE_CIPHER_ENABLED
++ if (options->none_enabled == -1)
++ options->none_enabled = 0;
++#endif
++#ifdef HPN_ENABLED
++ if (options->hpn_disabled == -1)
++ options->hpn_disabled = 0;
++
++ if (options->hpn_buffer_size == -1) {
++ /*
++ * option not explicitly set. Now we have to figure out
++ * what value to use.
++ */
++ if (options->hpn_disabled == 1) {
++ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
++ } else {
++ int sock, socksize;
++ socklen_t socksizelen = sizeof(socksize);
++
++ /*
++ * get the current RCV size and set it to that
++ * create a socket but don't connect it
++ * we use that the get the rcv socket size
++ */
++ sock = socket(AF_INET, SOCK_STREAM, 0);
++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
++ &socksize, &socksizelen);
++ close(sock);
++ options->hpn_buffer_size = socksize;
++ debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
++ }
++ } else {
++ /*
++ * we have to do this incase the user sets both values in a
++ * contradictory manner. hpn_disabled overrrides
++ * hpn_buffer_size
++ */
++ if (options->hpn_disabled <= 0) {
++ if (options->hpn_buffer_size == 0)
++ options->hpn_buffer_size = 1;
++ /* limit the maximum buffer to 64MB */
++ if (options->hpn_buffer_size > 64*1024) {
++ options->hpn_buffer_size = 64*1024*1024;
++ } else {
++ options->hpn_buffer_size *= 1024;
++ }
++ } else
++ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
++ }
++#endif
++
+ if (options->ip_qos_interactive == -1)
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+@@ -401,6 +460,12 @@
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sHostCertificate,
+ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
++#ifdef NONE_CIPHER_ENABLED
++ sNoneEnabled,
++#endif
++#ifdef HPN_ENABLED
++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
++#endif
+ sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+ sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
+@@ -529,6 +594,14 @@
+ { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
+ { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
++#ifdef NONE_CIPHER_ENABLED
++ { "noneenabled", sNoneEnabled, SSHCFG_ALL },
++#endif
++#ifdef HPN_ENABLED
++ { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
++ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
++ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
++#endif
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "ipqos", sIPQoS, SSHCFG_ALL },
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+@@ -1113,6 +1186,25 @@
+ intptr = &options->ignore_user_known_hosts;
+ goto parse_flag;
+
++#ifdef NONE_CIPHER_ENABLED
++ case sNoneEnabled:
++ intptr = &options->none_enabled;
++ goto parse_flag;
++#endif
++#ifdef HPN_ENABLED
++ case sTcpRcvBufPoll:
++ intptr = &options->tcp_rcv_buf_poll;
++ goto parse_flag;
++
++ case sHPNDisabled:
++ intptr = &options->hpn_disabled;
++ goto parse_flag;
++
++ case sHPNBufferSize:
++ intptr = &options->hpn_buffer_size;
++ goto parse_int;
++#endif
++
+ case sRhostsRSAAuthentication:
+ intptr = &options->rhosts_rsa_authentication;
+ goto parse_flag;
+--- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500
+@@ -169,6 +169,15 @@
+
+ int use_pam; /* Enable auth via PAM */
+
++#ifdef NONE_CIPHER_ENABLED
++ int none_enabled; /* enable NONE cipher switch */
++#endif
++#ifdef HPN_ENABLED
++ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
++ int hpn_disabled; /* disable hpn functionality. false by default */
++ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
++#endif
++
+ int permit_tun;
+
+ int num_permitted_opens;
+--- work.clean/openssh-6.8p1/serverloop.c 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/serverloop.c 2015-04-03 17:14:15.182548000 -0500
+@@ -1051,6 +1051,12 @@
+ sock = tun_open(tun, mode);
+ if (sock < 0)
+ goto done;
++#ifdef HPN_ENABLED
++ if (!options.hpn_disabled)
++ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
++ else
++#endif
+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ c->datagram = 1;
+@@ -1088,6 +1094,10 @@
+ c = channel_new("session", SSH_CHANNEL_LARVAL,
+ -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
+ 0, "server-session", 1);
++#ifdef HPN_ENABLED
++ if (options.tcp_rcv_buf_poll && !options.hpn_disabled)
++ c->dynamic_window = 1;
++#endif
+ if (session_open(the_authctxt, c->self) != 1) {
+ debug("session open failed, free channel %d", c->self);
+ channel_free(c);
+--- work.clean/openssh-6.8p1/session.c 2015-04-01 22:07:18.149110000 -0500
++++ work/openssh-6.8p1/session.c 2015-04-03 17:09:02.984097000 -0500
+@@ -2340,6 +2340,14 @@
+ */
+ if (s->chanid == -1)
+ fatal("no channel for session %d", s->self);
++#ifdef HPN_ENABLED
++ if (!options.hpn_disabled)
++ channel_set_fds(s->chanid,
++ fdout, fdin, fderr,
++ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
++ 1, is_tty, options.hpn_buffer_size);
++ else
++#endif
+ channel_set_fds(s->chanid,
+ fdout, fdin, fderr,
+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+--- work.clean/openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/sftp.1 2015-04-01 22:16:49.921688000 -0500
+@@ -263,7 +263,8 @@
+ Specify how many requests may be outstanding at any one time.
+ Increasing this may slightly improve file transfer speed
+ but will increase memory usage.
+-The default is 64 outstanding requests.
++The default is 256 outstanding requests providing for 8MB
++of outstanding data with a 32KB buffer.
+ .It Fl r
+ Recursively copy entire directories when uploading and downloading.
+ Note that
+--- work.clean/openssh-6.8p1/sftp.c 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/sftp.c 2015-04-03 17:16:00.959795000 -0500
+@@ -71,7 +71,11 @@
+ #include "sftp-client.h"
+
+ #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
++#ifdef HPN_ENABLED
++#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
++#else
+ #define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
++#endif
+
+ /* File to read commands from */
+ FILE* infile;
+--- work.clean/openssh-6.8p1/ssh.c 2015-04-01 22:07:18.166356000 -0500
++++ work/openssh-6.8p1/ssh.c 2015-04-03 17:16:34.114673000 -0500
+@@ -885,6 +885,14 @@
+ break;
+ case 'T':
+ options.request_tty = REQUEST_TTY_NO;
++#ifdef NONE_CIPHER_ENABLED
++ /*
++ * ensure that the user doesn't try to backdoor a
++ * null cipher switch on an interactive session
++ * so explicitly disable it no matter what.
++ */
++ options.none_switch = 0;
++#endif
+ break;
+ case 'o':
+ line = xstrdup(optarg);
+@@ -1848,9 +1856,85 @@
+ if (!isatty(err))
+ set_nonblock(err);
+
++#ifdef HPN_ENABLED
++ /*
++ * we need to check to see if what they want to do about buffer
++ * sizes here. In a hpn to nonhpn connection we want to limit
++ * the window size to something reasonable in case the far side
++ * has the large window bug. In hpn to hpn connection we want to
++ * use the max window size but allow the user to override it
++ * lastly if they disabled hpn then use the ssh std window size
++
++ * so why don't we just do a getsockopt() here and set the
++ * ssh window to that? In the case of a autotuning receive
++ * window the window would get stuck at the initial buffer
++ * size generally less than 96k. Therefore we need to set the
++ * maximum ssh window size to the maximum hpn buffer size
++ * unless the user has specifically set the tcprcvbufpoll
++ * to no. In which case we *can* just set the window to the
++ * minimum of the hpn buffer size and tcp receive buffer size
++ */
++
++ if (tty_flag)
++ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
++ else
++ options.hpn_buffer_size = 2*1024*1024;
++
++ if (datafellows & SSH_BUG_LARGEWINDOW) {
++ debug("HPN to Non-HPN Connection");
++ } else {
++ int sock, socksize;
++ socklen_t socksizelen = sizeof(socksize);
++
++ if (options.tcp_rcv_buf_poll <= 0) {
++ sock = socket(AF_INET, SOCK_STREAM, 0);
++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
++ &socksize, &socksizelen);
++ close(sock);
++ debug("socksize %d", socksize);
++ options.hpn_buffer_size = socksize;
++ debug ("HPNBufferSize set to TCP RWIN: %d",
++ options.hpn_buffer_size);
++ } else {
++ if (options.tcp_rcv_buf > 0) {
++ /*
++ * create a socket but don't connect it.
++ * we use that the get the rcv socket size
++ */
++ sock = socket(AF_INET, SOCK_STREAM, 0);
++ /*
++ * if they are using the tcp_rcv_buf option
++ * attempt to set the buffer size to that
++ */
++ if (options.tcp_rcv_buf)
++ setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
++ (void *)&options.tcp_rcv_buf,
++ sizeof(options.tcp_rcv_buf));
++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
++ &socksize, &socksizelen);
++ close(sock);
++ debug("socksize %d", socksize);
++ options.hpn_buffer_size = socksize;
++ debug ("HPNBufferSize set to user TCPRcvBuf: "
++ "%d", options.hpn_buffer_size);
++ }
++ }
++ }
++
++ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
++
++ window = options.hpn_buffer_size;
++
++ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
++#else
+ window = CHAN_SES_WINDOW_DEFAULT;
++#endif
++
+ packetmax = CHAN_SES_PACKET_DEFAULT;
+ if (tty_flag) {
++#ifdef HPN_ENABLED
++ window = CHAN_SES_WINDOW_DEFAULT;
++#endif
+ window >>= 1;
+ packetmax >>= 1;
+ }
+@@ -1859,6 +1943,12 @@
+ window, packetmax, CHAN_EXTENDED_WRITE,
+ "client-session", /*nonblock*/0);
+
++#ifdef HPN_ENABLED
++ if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) {
++ c->dynamic_window = 1;
++ debug ("Enabled Dynamic Window Scaling");
++ }
++#endif
+ debug3("ssh_session2_open: channel_new: %d", c->self);
+
+ channel_send_open(c->self);
+--- work.clean/openssh-6.8p1/sshconnect.c 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/sshconnect.c 2015-04-03 16:32:38.204744000 -0500
+@@ -266,6 +266,31 @@
+ kill(proxy_command_pid, SIGHUP);
+ }
+
++#ifdef HPN_ENABLED
++/*
++ * Set TCP receive buffer if requested.
++ * Note: tuning needs to happen after the socket is
++ * created but before the connection happens
++ * so winscale is negotiated properly -cjr
++ */
++static void
++ssh_set_socket_recvbuf(int sock)
++{
++ void *buf = (void *)&options.tcp_rcv_buf;
++ int sz = sizeof(options.tcp_rcv_buf);
++ int socksize;
++ socklen_t socksizelen = sizeof(socksize);
++
++ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
++ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
++ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
++ } else
++ error("Couldn't set socket receive buffer to %d: %.100s",
++ options.tcp_rcv_buf, strerror(errno));
++}
++#endif
++
+ /*
+ * Creates a (possibly privileged) socket for use as the ssh connection.
+ */
+@@ -282,6 +307,11 @@
+ }
+ fcntl(sock, F_SETFD, FD_CLOEXEC);
+
++#ifdef HPN_ENABLED
++ if (options.tcp_rcv_buf > 0)
++ ssh_set_socket_recvbuf(sock);
++#endif
++
+ /* Bind the socket to an alternative local IP address */
+ if (options.bind_address == NULL && !privileged)
+ return sock;
+@@ -523,11 +553,23 @@ send_client_banner(int connection_out, i
+ {
+ /* Send our own protocol version identification. */
+ if (compat20) {
+- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
++#ifdef HPN_ENABLED
++ options.hpn_disabled ? "" : SSH_HPN
++#else
++ ""
++#endif
++ );
+ } else {
+- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\n",
++ PROTOCOL_MAJOR_1, minor1, SSH_VERSION,
++#ifdef HPN_ENABLED
++ options.hpn_disabled ? "" : SSH_HPN
++#else
++ ""
++#endif
++ );
+ }
+ if (roaming_atomicio(vwrite, connection_out, client_version_string,
+ strlen(client_version_string)) != strlen(client_version_string))
+--- work.clean/openssh-6.8p1/sshconnect2.c 2015-03-17 00:49:20.000000000 -0500
++++ work/openssh-6.8p1/sshconnect2.c 2015-04-03 16:54:23.936298000 -0500
+@@ -80,6 +80,14 @@
+ extern char *client_version_string;
+ extern char *server_version_string;
+ extern Options options;
++#ifdef NONE_CIPHER_ENABLED
++struct kex *xxx_kex;
++
++/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
++/* if it is set then prevent the switch to the null cipher */
++
++extern int tty_flag;
++#endif
+
+ /*
+ * SSH2 key exchange
+@@ -153,13 +161,16 @@
+ return ret;
+ }
+
++static char *myproposal[PROPOSAL_MAX];
++static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
+ void
+ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+ {
+- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+ struct kex *kex;
+ int r;
+
++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
++
+ xxx_host = host;
+ xxx_hostaddr = hostaddr;
+
+@@ -222,6 +233,10 @@
+ kex->server_version_string=server_version_string;
+ kex->verify_host_key=&verify_host_key_callback;
+
++#ifdef NONE_CIPHER_ENABLED
++ xxx_kex = kex;
++#endif
++
+ dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
+
+ if (options.use_roaming && !kex->roaming) {
+@@ -423,6 +438,29 @@
+ pubkey_cleanup(&authctxt);
+ dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
+
++#ifdef NONE_CIPHER_ENABLED
++ /*
++ * if the user wants to use the none cipher do it
++ * post authentication and only if the right conditions are met
++ * both of the NONE commands must be true and there must be no
++ * tty allocated.
++ */
++ if ((options.none_switch == 1) && (options.none_enabled == 1)) {
++ if (!tty_flag) { /* no null on tty sessions */
++ debug("Requesting none rekeying...");
++ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
++ kex_prop2buf(xxx_kex->my, myproposal);
++ packet_request_rekeying();
++ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
++ } else {
++ /* requested NONE cipher when in a tty */
++ debug("Cannot switch to NONE cipher with tty allocated");
++ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
++ }
++ }
++#endif
++
+ debug("Authentication succeeded (%s).", authctxt.method->name);
+ }
+
+--- work.clean/openssh-6.8p1/sshd.c 2015-04-01 22:07:18.190233000 -0500
++++ work/openssh-6.8p1/sshd.c 2015-04-03 17:17:03.227774000 -0500
+@@ -439,7 +439,10 @@
+ }
+
+- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+ major, minor, SSH_VERSION,
++#ifdef HPN_ENABLED
++ options.hpn_disabled ? "" : SSH_HPN,
++#endif
+ *options.version_addendum == '\0' ? "" : " ",
+ options.version_addendum, newline);
+
+@@ -1157,6 +1160,10 @@
+ int ret, listen_sock, on = 1;
+ struct addrinfo *ai;
+ char ntop[NI_MAXHOST], strport[NI_MAXSERV];
++#ifdef HPN_ENABLED
++ int socksize;
++ socklen_t socksizelen = sizeof(socksize);
++#endif
+
+ for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
+ if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+@@ -1197,6 +1204,13 @@
+
+ debug("Bind to port %s on %s.", strport, ntop);
+
++#ifdef HPN_ENABLED
++ getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
++ &socksize, &socksizelen);
++ debug("Server TCP RWIN socket size: %d", socksize);
++ debug("HPN Buffer Size: %d", options.hpn_buffer_size);
++#endif
++
+ /* Bind the socket to the desired port. */
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+ error("Bind to port %s on %s failed: %.200s.",
+@@ -2167,6 +2181,11 @@
+ remote_ip, remote_port,
+ get_local_ipaddr(sock_in), get_local_port());
+
++#ifdef HPN_ENABLED
++ /* set the HPN options for the child */
++ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
++#endif
++
+ /*
+ * We don't want to listen forever unless the other side
+ * successfully authenticates itself. So we set up an alarm which is
+@@ -2566,6 +2585,12 @@
+ if (options.ciphers != NULL) {
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
++#ifdef NONE_CIPHER_ENABLED
++ } else if (options.none_enabled == 1) {
++ debug ("WARNING: None cipher enabled");
++ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
++ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE;
++#endif
+ }
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
+--- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
++++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
+@@ -127,6 +127,20 @@
+ # override default of no subsystems
+ Subsystem sftp /usr/libexec/sftp-server
+
++# the following are HPN related configuration options
++# tcp receive buffer polling. disable in non autotuning kernels
++#TcpRcvBufPoll yes
++
++# disable hpn performance boosts
++#HPNDisabled no
++
++# buffer size for hpn to non-hpn connections
++#HPNBufferSize 2048
++
++
++# allow the use of the none cipher
++#NoneEnabled no
++
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+--- work.clean/openssh-6.8p1/version.h 2015-04-01 22:07:18.258955000 -0500
++++ work/openssh-6.8p1/version.h 2015-04-02 16:51:25.209617000 -0500
+@@ -3,4 +3,5 @@
+ #define SSH_VERSION "OpenSSH_6.8"
+
+ #define SSH_PORTABLE "p1"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
++#define SSH_HPN "-hpn14v5"
diff --git a/security/openssh-portable/files/extra-patch-hpn-build-options b/security/openssh-portable/files/extra-patch-hpn-build-options
deleted file mode 100644
index 664a7510215e..000000000000
--- a/security/openssh-portable/files/extra-patch-hpn-build-options
+++ /dev/null
@@ -1,142 +0,0 @@
---- sshconnect2.c.orig 2013-10-11 08:52:17.836129741 -0500
-+++ sshconnect2.c 2013-10-11 08:53:05.776132295 -0500
-@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co
- }
- }
-
-+#ifdef AES_THREADED
- /* if we are using aes-ctr there can be issues in either a fork or sandbox
- * so the initial aes-ctr is defined to point to the original single process
- * evp. After authentication we'll be past the fork and the sandboxed privsep
-@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co
- cipher_reset_multithreaded();
- packet_request_rekeying();
- }
-+#endif
-
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
---- sshd.c.orig 2013-10-11 08:52:17.848126748 -0500
-+++ sshd.c 2013-10-11 08:53:25.929132033 -0500
-@@ -2186,6 +2186,7 @@ main(int ac, char **av)
-
- /* Start session. */
-
-+#ifdef AES_THREADED
- /* if we are using aes-ctr there can be issues in either a fork or sandbox
- * so the initial aes-ctr is defined to point ot the original single process
- * evp. After authentication we'll be past the fork and the sandboxed privsep
-@@ -2201,6 +2202,7 @@ main(int ac, char **av)
- cipher_reset_multithreaded();
- packet_request_rekeying();
- }
-+#endif
-
- do_authenticated(authctxt);
-
---- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500
-+++ readconf.c 2013-10-11 09:19:12.295135966 -0500
-@@ -268,12 +268,16 @@ static struct {
- { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
- { "streamlocalbindmask", oStreamLocalBindMask },
- { "streamlocalbindunlink", oStreamLocalBindUnlink },
-+#ifdef NONECIPHER
- { "noneenabled", oNoneEnabled },
- { "noneswitch", oNoneSwitch },
-+#endif
-+#ifdef HPN
- { "tcprcvbufpoll", oTcpRcvBufPoll },
- { "tcprcvbuf", oTcpRcvBuf },
- { "hpndisabled", oHPNDisabled },
- { "hpnbuffersize", oHPNBufferSize },
-+#endif
- { "ignoreunknown", oIgnoreUnknown },
-
- { NULL, oBadOption }
-@@ -1819,12 +1823,20 @@ fill_default_options(Options * options)
- options->server_alive_interval = 0;
- if (options->server_alive_count_max == -1)
- options->server_alive_count_max = 3;
-+#ifdef NONECIPHER
- if (options->none_switch == -1)
-+#endif
- options->none_switch = 0;
-+#ifdef NONECIPHER
- if (options->none_enabled == -1)
-+#endif
- options->none_enabled = 0;
-+#ifdef HPN
- if (options->hpn_disabled == -1)
- options->hpn_disabled = 0;
-+#else
-+ options->hpn_disabled = 1;
-+#endif
- if (options->hpn_buffer_size > -1)
- {
- /* if a user tries to set the size to 0 set it to 1KB */
---- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500
-+++ servconf.c 2013-10-11 09:25:50.777137928 -0500
-@@ -303,10 +303,16 @@
- }
- if (options->permit_tun == -1)
- options->permit_tun = SSH_TUNMODE_NO;
-+#ifdef NONECIPHER
- if (options->none_enabled == -1)
-+#endif
- options->none_enabled = 0;
-+#ifdef HPN
- if (options->hpn_disabled == -1)
- options->hpn_disabled = 0;
-+#else
-+ options->hpn_disabled = 1;
-+#endif
-
- if (options->hpn_buffer_size == -1) {
- /* option not explicitly set. Now we have to figure out */
---- configure.ac.orig 2013-10-12 17:17:41.525139481 -0500
-+++ configure.ac 2013-10-12 17:18:35.610130039 -0500
-@@ -3968,6 +3968,34 @@
- ]
- ) # maildir
-
-+#check whether user wants HPN support
-+HPN_MSG="no"
-+AC_ARG_WITH(hpn,
-+ [ --with-hpn Enable HPN support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_DEFINE(HPN,1,[Define if you want HPN support.])
-+ HPN_MSG="yes"
-+ fi ]
-+)
-+#check whether user wants NONECIPHER support
-+NONECIPHER_MSG="no"
-+AC_ARG_WITH(nonecipher,
-+ [ --with-nonecipher Enable NONECIPHER support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.])
-+ NONECIPHER_MSG="yes"
-+ fi ]
-+)
-+#check whether user wants AES_THREADED support
-+AES_THREADED_MSG="no"
-+AC_ARG_WITH(aes-threaded,
-+ [ --with-aes-threaded Enable AES_THREADED support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.])
-+ AES_THREADED_MSG="yes"
-+ fi ]
-+)
-+
- if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
- AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
- disable_ptmx_check=yes
-@@ -4636,6 +4664,9 @@
- echo " BSD Auth support: $BSD_AUTH_MSG"
- echo " Random number source: $RAND_MSG"
- echo " Privsep sandbox style: $SANDBOX_STYLE"
-+echo " HPN support: $HPN_MSG"
-+echo " NONECIPHER support: $NONECIPHER_MSG"
-+echo " AES_THREADED support: $AES_THREADED_MSG"
-
- echo ""
-
diff --git a/security/openssh-portable/files/extra-patch-hpn-no-hpn b/security/openssh-portable/files/extra-patch-hpn-no-hpn
deleted file mode 100644
index dc3b112a2fee..000000000000
--- a/security/openssh-portable/files/extra-patch-hpn-no-hpn
+++ /dev/null
@@ -1,32 +0,0 @@
---- sshd_config.orig 2013-10-12 06:40:05.766128740 -0500
-+++ sshd_config 2013-10-12 06:40:06.646129924 -0500
-@@ -125,20 +125,6 @@
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
-
--# the following are HPN related configuration options
--# tcp receive buffer polling. disable in non autotuning kernels
--#TcpRcvBufPoll yes
--
--# disable hpn performance boosts
--#HPNDisabled no
--
--# buffer size for hpn to non-hpn connections
--#HPNBufferSize 2048
--
--
--# allow the use of the none cipher
--#NoneEnabled no
--
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
---- version.h.orig 2013-10-12 06:42:19.578133368 -0500
-+++ version.h 2013-10-12 06:42:28.581136160 -0500
-@@ -3,5 +3,4 @@
- #define SSH_VERSION "OpenSSH_6.3"
-
- #define SSH_PORTABLE "p1"
--#define SSH_HPN "-hpn14v2"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/security/openssh-portable/files/extra-patch-hpn-window-size b/security/openssh-portable/files/extra-patch-hpn-window-size
deleted file mode 100644
index 76f50a43eccb..000000000000
--- a/security/openssh-portable/files/extra-patch-hpn-window-size
+++ /dev/null
@@ -1,24 +0,0 @@
-r223213 | brooks | 2011-06-17 17:01:10 -0500 (Fri, 17 Jun 2011) | 3 lines
-Changed paths:
- M /user/brooks/openssh-hpn/channels.h
-
-It looks like the HPN patch didn't track the window size bump in OpenBSD
-rev 1.89 back in 2007. Chase the updates to reduce diffs to head
-
-Index: channels.h
-===================================================================
---- channels.h (revision 223212)
-+++ channels.h (revision 223213)
-@@ -163,10 +163,10 @@
-
- /* default window/packet sizes for tcp/x11-fwd-channel */
- #define CHAN_SES_PACKET_DEFAULT (32*1024)
--#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
-+#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
-
- #define CHAN_TCP_PACKET_DEFAULT (32*1024)
--#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
-+#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
-
- #define CHAN_X11_PACKET_DEFAULT (16*1024)
- #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
diff --git a/security/openssh-portable/files/extra-patch-sshd-utmp-size b/security/openssh-portable/files/extra-patch-sshd-utmp-size
index d72985ff7768..f6a48e84fb00 100644
--- a/security/openssh-portable/files/extra-patch-sshd-utmp-size
+++ b/security/openssh-portable/files/extra-patch-sshd-utmp-size
@@ -15,21 +15,21 @@ Submitted by: Bruce Cran <bruce@cran.org.uk>
Index: sshd.c
===================================================================
---- sshd.c (revision 184121)
-+++ sshd.c (revision 184122)
+--- sshd.c.orig 2015-04-04 11:40:24.175508000 -0500
++++ sshd.c 2015-04-04 11:40:38.082324000 -0500
@@ -72,6 +72,7 @@
- #include <stdlib.h>
#include <string.h>
#include <unistd.h>
+ #include <limits.h>
+#include <utmp.h>
+ #ifdef WITH_OPENSSL
#include <openssl/dh.h>
- #include <openssl/bn.h>
-@@ -238,7 +239,7 @@
+@@ -229,7 +230,7 @@ u_char *session_id2 = NULL;
u_int session_id2_len = 0;
/* record remote hostname or ip */
--u_int utmp_len = MAXHOSTNAMELEN;
+-u_int utmp_len = HOST_NAME_MAX+1;
+u_int utmp_len = UT_HOSTSIZE;
/* options.max_startup sized array of fd ints */
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers
index f1514a9c05cc..093845b95f6f 100644
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@@ -83,25 +83,6 @@ index 0ade557..045f149 100644
/* Log the connection. */
verbose("Connection from %s port %d on %s port %d",
-commit f9696566fb41320820f3b257ab564fa321bb3751
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Jun 13 11:06:04 2014 +1000
-
- - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
- been removed from sshd.c.
-
-diff --git ChangeLog ChangeLog
-index f4c6ea6..1c043ae 100644
---- ChangeLog
-+++ ChangeLog
-@@ -1,7 +1,3 @@
--20140612
-- - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
-- been removed from sshd.c.
--
- 20140611
- - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from
- openbsd-compat/bsd-asprintf.c.
diff --git configure.ac configure.ac
index f48ba4a..66fbe82 100644
--- configure.ac
diff --git a/security/openssh-portable/files/patch-regress__test-exec.sh b/security/openssh-portable/files/patch-regress__test-exec.sh
new file mode 100644
index 000000000000..80bd912edfa3
--- /dev/null
+++ b/security/openssh-portable/files/patch-regress__test-exec.sh
@@ -0,0 +1,10 @@
+--- regress/test-exec.sh.orig 2015-04-03 18:20:32.256126000 -0500
++++ regress/test-exec.sh 2015-04-03 18:20:41.599903000 -0500
+@@ -408,6 +408,7 @@ cat << EOF > $OBJ/sshd_config
+ LogLevel DEBUG3
+ AcceptEnv _XXX_TEST_*
+ AcceptEnv _XXX_TEST
++ PermitRootLogin yes
+ Subsystem sftp $SFTPSERVER
+ EOF
+
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
index c8d94fcfee94..229ab3c12310 100644
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@@ -1,23 +1,23 @@
---- servconf.c.orig 2015-03-22 22:16:53.563005000 -0500
-+++ servconf.c 2015-03-22 22:19:39.207917000 -0500
-@@ -54,6 +54,7 @@
- #include "packet.h"
- #include "hostfile.h"
+--- servconf.c.orig 2015-03-22 23:58:50.869706000 -0500
++++ servconf.c 2015-03-22 23:59:46.645390000 -0500
+@@ -81,6 +81,7 @@
#include "auth.h"
+ #include "myproposal.h"
+ #include "digest.h"
+#include "version.h"
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
-@@ -173,7 +174,7 @@ fill_default_server_options(ServerOption
+@@ -216,7 +217,7 @@ fill_default_server_options(ServerOption
/* Portable-specific options */
if (options->use_pam == -1)
- options->use_pam = 0;
+ options->use_pam = 1;
- /* Standard Options */
- if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -210,7 +211,7 @@ fill_default_server_options(ServerOption
+ /* X.509 Standard Options */
+ #ifdef OPENSSL_FIPS
+@@ -277,7 +278,7 @@ fill_default_server_options(ServerOption
if (options->key_regeneration_time == -1)
options->key_regeneration_time = 3600;
if (options->permit_root_login == PERMIT_NOT_SET)
@@ -26,7 +26,7 @@
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
-@@ -220,7 +221,7 @@ fill_default_server_options(ServerOption
+@@ -287,7 +288,7 @@ fill_default_server_options(ServerOption
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
@@ -35,7 +35,7 @@
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
-@@ -262,7 +263,11 @@ fill_default_server_options(ServerOption
+@@ -333,7 +334,11 @@ fill_default_server_options(ServerOption
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->password_authentication == -1)
@@ -47,12 +47,12 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
-@@ -368,7 +373,7 @@ fill_default_server_options(ServerOption
- options->fwd_opts.streamlocal_bind_unlink = 0;
+@@ -396,7 +401,7 @@ fill_default_server_options(ServerOption
+ options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
/* Turn privilege separation on by default */
if (use_privsep == -1)
- use_privsep = PRIVSEP_NOSANDBOX;
+ use_privsep = PRIVSEP_ON;
- #ifndef HAVE_MMAP
- if (use_privsep && options->compression == 1) {
+ #define CLEAR_ON_NONE(v) \
+ do { \
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index f0ca874922ee..f9699800c7e2 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -7,11 +7,11 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
---- ssh-agent.c.orig 2014-07-29 21:32:46.000000000 -0500
-+++ ssh-agent.c 2014-11-03 16:48:03.930786112 -0600
-@@ -142,15 +142,34 @@ extern char *__progname;
- /* Default lifetime in seconds (0 == forever) */
- static long lifetime = 0;
+--- ssh-agent.c.orig 2015-03-17 00:49:20.000000000 -0500
++++ ssh-agent.c 2015-03-20 00:00:48.800352000 -0500
+@@ -150,15 +150,34 @@ static long lifetime = 0;
+
+ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+/*
+ * Client connection count; incremented in new_socket() and decremented in
@@ -36,15 +36,15 @@ disconnected.
close(e->fd);
e->fd = -1;
e->type = AUTH_UNUSED;
- buffer_free(&e->input);
- buffer_free(&e->output);
- buffer_free(&e->request);
+ sshbuf_free(e->input);
+ sshbuf_free(e->output);
+ sshbuf_free(e->request);
+ if (last)
+ cleanup_exit(0);
}
static void
-@@ -810,6 +829,10 @@ new_socket(sock_type type, int fd)
+@@ -910,6 +929,10 @@ new_socket(sock_type type, int fd)
{
u_int i, old_alloc, new_alloc;
@@ -55,16 +55,16 @@ disconnected.
set_nonblock(fd);
if (fd > max_fd)
-@@ -1026,7 +1049,7 @@ usage(void)
+@@ -1138,7 +1161,7 @@ usage(void)
{
fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-t life]\n"
-- " [command [arg ...]]\n"
-+ " [-x] [command [arg ...]]\n"
+ "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-E fingerprint_hash]\n"
+- " [-t life] [command [arg ...]]\n"
++ " [-t life] [-x] [command [arg ...]]\n"
" ssh-agent [-c | -s] -k\n");
exit(1);
}
-@@ -1056,6 +1079,7 @@ main(int ac, char **av)
+@@ -1168,6 +1191,7 @@ main(int ac, char **av)
/* drop */
setegid(getgid());
setgid(getgid());
@@ -72,16 +72,16 @@ disconnected.
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
-@@ -1069,7 +1093,7 @@ main(int ac, char **av)
+@@ -1181,7 +1205,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
-- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
-+ while ((ch = getopt(ac, av, "cdksa:t:x")) != -1) {
+- while ((ch = getopt(ac, av, "cdksE:a:t:")) != -1) {
++ while ((ch = getopt(ac, av, "cdksE:a:t:x")) != -1) {
switch (ch) {
- case 'c':
- if (s_flag)
-@@ -1098,6 +1122,9 @@ main(int ac, char **av)
+ case 'E':
+ fingerprint_hash = ssh_digest_alg_by_name(optarg);
+@@ -1215,6 +1239,9 @@ main(int ac, char **av)
usage();
}
break;
diff --git a/security/openssh-portable/files/patch-sshconnect.c b/security/openssh-portable/files/patch-sshconnect.c
new file mode 100644
index 000000000000..ddc4ae863a4c
--- /dev/null
+++ b/security/openssh-portable/files/patch-sshconnect.c
@@ -0,0 +1,12 @@
+Added for bindresvport_sa(3)
+
+--- sshconnect.c.orig 2015-04-02 15:04:24.482112000 -0500
++++ sshconnect.c 2015-04-02 15:04:26.735851000 -0500
+@@ -40,6 +40,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <rpc/rpc.h>
+ #include <unistd.h>
+
+ #include "xmalloc.h"