Date: Sat, 4 Apr 2015 20:22:08 -0400 From: "Philip M. Gollucci" <pgollucci@p6m7g8.com> To: Bryan Drewery <bdrewery@freebsd.org> Cc: "svn-ports-head@freebsd.org" <svn-ports-head@freebsd.org>, "svn-ports-all@freebsd.org" <svn-ports-all@freebsd.org>, "ports-committers@freebsd.org" <ports-committers@freebsd.org> Subject: Re: svn commit: r383231 - in head/security/openssh-portable: . files Message-ID: <CACM2dAbb8uTBDiWS2gn6%2Bvawc5qLromcDmzRqJy0Pnjc4f8CHA@mail.gmail.com> In-Reply-To: <201504041716.t34HGxBF057433@svn.freebsd.org> References: <201504041716.t34HGxBF057433@svn.freebsd.org>
You da man! On Sat, Apr 4, 2015 at 1:16 PM, Bryan Drewery <bdrewery@freebsd.org> wrote: > Author: bdrewery > Date: Sat Apr 4 17:16:58 2015 > New Revision: 383231 > URL: https://svnweb.freebsd.org/changeset/ports/383231 > > Log: > - Update to 6.8p1 > - Fix 'make test' > - HPN: > - NONECIPHER is no longer default. This is not default in base and > should not > be default here as it introduces security holes. > - HPN: I've audited the patch and included it in the port directory for > transparency. I identified several bugs and submitted them to the new > upstream: https://github.com/rapier1/openssh-portable/pull/2 > - HPN: The entire patch is now ifdef'd to ensure various bits are > properly > removed depending on the OPTIONS selected. > - AES_THREADED is removed. It has questionable benefit on modern HW > and is not > stable. > - The "enhanced logging" was removed from the patch as it is too > intrusive and difficult to maintain in the port. > - The progress meter "peak throughput" patch was removed. > - Fixed HPN version showing in client/server version string when HPN > was disabled in the config. > - KERB_GSSAPI is currently BROKEN as it does not apply. 
> - Update X509 to 8.3 > > Changelog: http://www.openssh.com/txt/release-6.8 > > Added: > head/security/openssh-portable/files/extra-patch-hpn (contents, props > changed) > head/security/openssh-portable/files/patch-regress__test-exec.sh > (contents, props changed) > head/security/openssh-portable/files/patch-sshconnect.c (contents, > props changed) > Deleted: > head/security/openssh-portable/files/extra-patch-hpn-build-options > head/security/openssh-portable/files/extra-patch-hpn-no-hpn > head/security/openssh-portable/files/extra-patch-hpn-window-size > Modified: > head/security/openssh-portable/Makefile > head/security/openssh-portable/distinfo > head/security/openssh-portable/files/extra-patch-sshd-utmp-size > head/security/openssh-portable/files/extra-patch-tcpwrappers > head/security/openssh-portable/files/patch-servconf.c > head/security/openssh-portable/files/patch-ssh-agent.c > > Modified: head/security/openssh-portable/Makefile > > ============================================================================== > --- head/security/openssh-portable/Makefile Sat Apr 4 16:23:55 2015 > (r383230) > +++ head/security/openssh-portable/Makefile Sat Apr 4 17:16:58 2015 > (r383231) > @@ -2,8 +2,8 @@ > # $FreeBSD$ > > PORTNAME= openssh > -DISTVERSION= 6.7p1 > -PORTREVISION= 5 > +DISTVERSION= 6.8p1 > +PORTREVISION= 0 > PORTEPOCH= 1 > CATEGORIES= security ipv6 > MASTER_SITES= ${MASTER_SITE_OPENBSD} 
> @@ -27,13 +27,10 @@ CONFIGURE_ARGS= --prefix=${PREFIX} --wi > --without-zlib-version-check --with-ssl-engine > ETCOLD= ${PREFIX}/etc > > -SUDO?= # empty > -MAKE_ENV+= SUDO="${SUDO}" > - > OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ > HPN X509 KERB_GSSAPI \ > - OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER > -OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER > + OVERWRITE_BASE SCTP LDNS NONECIPHER > +OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS > OPTIONS_RADIO= KERBEROS > OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE > TCP_WRAPPERS_DESC= tcp_wrappers support > @@ -47,7 +44,6 @@ OVERWRITE_BASE_DESC= EOL, No longer supp > HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) > HEIMDAL_BASE_DESC= Heimdal Kerberos (base) > MIT_DESC= MIT Kerberos (security/krb5) > -AES_THREADED_DESC= Threaded AES-CTR > NONECIPHER_DESC= NONE Cipher support > > OPTIONS_SUB= yes > @@ -61,18 +57,17 @@ LDNS_CFLAGS= -I${LOCALBASE}/include > LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib' > > # http://www.psc.edu/index.php/hpn-ssh > -HPN_EXTRA_PATCHES= ${FILESDIR}/extra-patch-hpn-window-size > HPN_CONFIGURE_WITH= hpn > NONECIPHER_CONFIGURE_WITH= nonecipher > -AES_THREADED_CONFIGURE_WITH= aes-threaded > > # See http://www.roumenpetrov.info/openssh/ > -X509_VERSION= 8.2 > +X509_VERSION= 8.3 > X509_PATCH_SITES= > http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 > -X509_PATCHFILES= > ${PORTNAME}-6.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509 > +X509_PATCHFILES= > ${PORTNAME}-6.8p1+x509-${X509_VERSION}.diff.gz:-p1:x509 > > # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 > -SCTP_PATCHFILES= ${PORTNAME}-6.7p1-sctp-2496.patch.gz:-p1 > +# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 > +SCTP_PATCHFILES= ${PORTNAME}-6.8p1-sctp-2573.patch.gz:-p1 > SCTP_CONFIGURE_WITH= sctp > > MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5 
> @@ -93,19 +88,15 @@ PATCH_SITES+= http://mirror.shatow.net/ > EXTRA_PATCHES:= > ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} > .endif > > -# http://www.psc.edu/index.php/hpn-ssh > -.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || > ${PORT_OPTIONS:MNONECIPHER} > +# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh > https://github.com/rapier1/openssh-portable > +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} > PORTDOCS+= HPN-README > HPN_VERSION= 14v5 > HPN_DISTVERSION= 6.7p1 > #PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/} > #PATCH_SITE_SUBDIR+= > hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn > -PATCHFILES+= > ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn > -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-build-options > -# Remove HPN if only AES requested > -. if !${PORT_OPTIONS:MHPN} > -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-no-hpn > -. endif > +#PATCHFILES+= > ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn > +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 > .endif > > # Must add this patch after HPN due to conflicts > @@ -133,7 +124,7 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch > EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum > > .if ${PORT_OPTIONS:MX509} > -. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || > ${PORT_OPTIONS:MNONECIPHER} > +. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} > BROKEN= X509 patch and HPN patch do not apply cleanly > together > . endif > > @@ -147,6 +138,10 @@ BROKEN= X509 patch incompatible with KE > > .endif > > +. if ${PORT_OPTIONS:MKERB_GSSAPI} > +BROKEN= Does not apply to 6.8 > +. endif > + > .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} > BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does > not build with base Heimdal currently > .endif 
> @@ -218,14 +213,17 @@ post-install: > ${STAGEDIR}${ETCDIR}//ssh_config.sample > ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ > ${STAGEDIR}${ETCDIR}/sshd_config.sample > -.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || > ${PORT_OPTIONS:MNONECIPHER} > +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} > ${MKDIR} ${STAGEDIR}${DOCSDIR} > ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} > .endif > > -test: build > - (cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} > TEST_SHELL=/bin/sh \ > +test: build > + cd ${WRKSRC} && ${SETENV} -i \ > + OBJ=${WRKDIR} ${MAKE_ENV} \ > + TEST_SHELL=${SH} \ > + SUDO="${SUDO}" \ > PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ > - ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS}) > + ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests > > .include <bsd.port.post.mk> > > Modified: head/security/openssh-portable/distinfo > > ============================================================================== > --- head/security/openssh-portable/distinfo Sat Apr 4 16:23:55 2015 > (r383230) > +++ head/security/openssh-portable/distinfo Sat Apr 4 17:16:58 2015 > (r383231) 
> @@ -1,12 +1,8 @@ > -SHA256 (openssh-6.7p1.tar.gz) = > b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 > -SIZE (openssh-6.7p1.tar.gz) = 1351367 > -SHA256 (openssh-6.7p1-hpnssh14v5.diff.gz) = > 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6 > -SIZE (openssh-6.7p1-hpnssh14v5.diff.gz) = 24326 > -SHA256 (openssh-6.7p1+x509-8.2.diff.gz) = > 85acfcd560b40d4533b82a4e3f443b7137b377868bab424dacdf00581c83240f > -SIZE (openssh-6.7p1+x509-8.2.diff.gz) = 241798 > +SHA256 (openssh-6.8p1.tar.gz) = > 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e > +SIZE (openssh-6.8p1.tar.gz) = 1475953 > +SHA256 (openssh-6.8p1+x509-8.3.diff.gz) = > 34dbefcce8509d3c876be3e7d8966455c7c3589a6872bdfb1f8ce3d133f4d304 > +SIZE (openssh-6.8p1+x509-8.3.diff.gz) = 347942 > SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = > 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8 > SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825 > -SHA256 (openssh-lpk-6.3p1.patch.gz) = > d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1 > -SIZE (openssh-lpk-6.3p1.patch.gz) = 17815 > -SHA256 (openssh-6.7p1-sctp-2496.patch.gz) = > ec2b6aa8a6d65a2c11d4453a25294ae5082e7ed7c9f418ec081f750bfba022db > -SIZE (openssh-6.7p1-sctp-2496.patch.gz) = 8052 > +SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = > 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a > +SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531 > > Added: head/security/openssh-portable/files/extra-patch-hpn > > ============================================================================== > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/security/openssh-portable/files/extra-patch-hpn Sat Apr 4 > 17:16:58 2015 (r383231) 
> @@ -0,0 +1,1296 @@ > +diff -urN -x configure -x config.guess -x config.h.in -x config.sub > work.clean/openssh-6.8p1/HPN-README work/openssh-6.8p1/HPN-README > +--- work.clean/openssh-6.8p1/HPN-README 1969-12-31 > 18:00:00.000000000 -0600 > ++++ work/openssh-6.8p1/HPN-README 2015-04-01 22:16:49.869215000 -0500 > +@@ -0,0 +1,129 @@ > ++Notes: > ++ > ++MULTI-THREADED CIPHER: > ++The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This > will allow ssh installations > ++on hosts with multiple cores to use more than one processing core during > encryption. > ++Tests have show significant throughput performance increases when using > MTR-AES-CTR up > ++to and including a full gigabit per second on quad core systems. It > should be possible to > ++achieve full line rate on dual core systems but OS and data management > overhead makes this > ++more difficult to achieve. The cipher stream from MTR-AES-CTR is > entirely compatible with single > ++thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward > compatible. Optimal > ++performance requires the MTR-AES-CTR mode be enabled on both ends of the > connection. > ++The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way > with the same > ++nomenclature. > ++Use examples: ssh -caes128-ctr you@host.com > ++ scp -oCipher=aes256-ctr file you@host.com:~/file > ++ > ++NONE CIPHER: > ++To use the NONE option you must have the NoneEnabled switch set on the > server and > ++you *must* have *both* NoneEnabled and NoneSwitch set to yes on the > client. The NONE > ++feature works with ALL ssh subsystems (as far as we can tell) *AS LONG > AS* a tty is not > ++spawned. If a user uses the -T switch to prevent a tty being created the > NONE cipher will > ++be disabled. > ++ > ++The performance increase will only be as good as the network and TCP > stack tuning > ++on the reciever side of the connection allows. 
As a rule of thumb a user > will need > ++at least 10Mb/s connection with a 100ms RTT to see a doubling of > performance. The > ++HPN-SSH home page describes this in greater detail. > ++ > ++http://www.psc.edu/networking/projects/hpn-ssh > ++ > ++BUFFER SIZES: > ++ > ++If HPN is disabled the receive buffer size will be set to the > ++OpenSSH default of 64K. > ++ > ++If an HPN system connects to a nonHPN system the receive buffer will > ++be set to the HPNBufferSize value. The default is 2MB but user > adjustable. > ++ > ++If an HPN to HPN connection is established a number of different things > might > ++happen based on the user options and conditions. > ++ > ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT > Set > ++HPN Buffer Size = up to 64MB > ++This is the default state. The HPN buffer size will grow to a maximum of > 64MB > ++as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is > ++geared towards 10GigE transcontinental connections. > ++ > ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT > Set > ++HPN Buffer Size = TCP receive buffer value. > ++Users on non-autotuning systesm should disable TCPRcvBufPoll in the > ++ssh_cofig and sshd_config > ++ > ++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set > ++HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. > ++This would be the system defined TCP receive buffer (RWIN). > ++ > ++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET > ++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. > ++Generally there is no need to set both. > ++ > ++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set > ++HPN Buffer Size = grows to HPNBufferSize > ++The buffer will grow up to the maximum size specified here. > ++ > ++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET > ++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. 
> ++Generally there is no need to set both of these, especially on autotuning > ++systems. However, if the users wishes to override the autotuning this > would be > ++one way to do it. > ++ > ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET > ++HPN Buffer Size = TCPRcvBuf. > ++This will override autotuning and set the TCP recieve buffer to the user > defined > ++value. > ++ > ++ > ++HPN Specific Configuration options > ++ > ++TcpRcvBuf=[int]KB client > ++ set the TCP socket receive buffer to n Kilobytes. It can be set up > to the > ++maximum socket size allowed by the system. This is useful in situations > where > ++the tcp receive window is set low but the maximum buffer size is set > ++higher (as is typical). This works on a per TCP connection basis. You > can also > ++use this to artifically limit the transfer rate of the connection. In > these > ++cases the throughput will be no more than n/RTT. The minimum buffer size > is 1KB. > ++Default is the current system wide tcp receive buffer size. > ++ > ++TcpRcvBufPoll=[yes/no] client/server > ++ enable of disable the polling of the tcp receive buffer through > the life > ++of the connection. You would want to make sure that this option is > enabled > ++for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS > Vista) > ++default is yes. > ++ > ++NoneEnabled=[yes/no] client/server > ++ enable or disable the use of the None cipher. Care must always be > used > ++when enabling this as it will allow users to send data in the clear. > However, > ++it is important to note that authentication information remains encrypted > ++even if this option is enabled. Set to no by default. > ++ > ++NoneSwitch=[yes/no] client > ++ Switch the encryption cipher being used to the None cipher after > ++authentication takes place. NoneEnabled must be enabled on both the > client > ++and server side of the connection. When the connection switches to the > NONE > ++cipher a warning is sent to STDERR. 
The connection attempt will fail > with an > ++error if a client requests a NoneSwitch from the server that does not > explicitly > ++have NoneEnabled set to yes. Note: The NONE cipher cannot be used in > ++interactive (shell) sessions and it will fail silently. Set to no by > default. > ++ > ++HPNDisabled=[yes/no] client/server > ++ In some situations, such as transfers on a local area network, the > impact > ++of the HPN code produces a net decrease in performance. In these cases > it is > ++helpful to disable the HPN functionality. By default HPNDisabled is set > to no. > ++ > ++HPNBufferSize=[int]KB client/server > ++ This is the default buffer size the HPN functionality uses when > interacting > ++with nonHPN SSH installations. Conceptually this is similar to the > TcpRcvBuf > ++option as applied to the internal SSH flow control. This value can range > from > ++1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause > performance > ++problems depending on the length of the network path. The default size > of this buffer > ++is 2MB. > ++ > ++ > ++Credits: This patch was conceived, designed, and led by Chris Rapier ( > rapier@psc.edu) > ++ The majority of the actual coding for versions up to HPN12v1 > was performed > ++ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR > cipher was > ++ implemented by Ben Bennet (ben@psc.edu) and improved by Mike > Tasota > ++ (tasota@gmail.com) an NSF REU grant recipient for 2013. > ++ This work was financed, in part, by Cisco System, Inc., the > National > ++ Library of Medicine, and the National Science Foundation. 
> +--- work.clean/openssh-6.8p1/channels.c 2015-03-17 > 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/channels.c 2015-04-03 15:51:59.599537000 -0500 > +@@ -183,8 +183,14 @@ > + static int connect_next(struct channel_connect *); > + static void channel_connect_ctx_free(struct channel_connect *); > + > ++ > ++#ifdef HPN_ENABLED > ++static int hpn_disabled = 0; > ++static int hpn_buffer_size = 2 * 1024 * 1024; > ++#endif > ++ > + /* -- channel core */ > + > + Channel * > + channel_by_id(int id) > + { > +@@ -333,6 +339,9 @@ > + c->local_window_max = window; > + c->local_consumed = 0; > + c->local_maxpacket = maxpack; > ++#ifdef HPN_ENABLED > ++ c->dynamic_window = 0; > ++#endif > + c->remote_id = -1; > + c->remote_name = xstrdup(remote_name); > + c->remote_window = 0; > +@@ -837,11 +846,41 @@ > + FD_SET(c->sock, writeset); > + } > + > ++#ifdef HPN_ENABLED > ++static u_int > ++channel_tcpwinsz(void) > ++{ > ++ u_int32_t tcpwinsz = 0; > ++ socklen_t optsz = sizeof(tcpwinsz); > ++ int ret = -1; > ++ > ++ /* if we aren't on a socket return 128KB */ > ++ if (!packet_connection_is_on_socket()) > ++ return (128*1024); > ++ ret = getsockopt(packet_get_connection_in(), > ++ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); > ++ /* return no more than SSHBUF_SIZE_MAX */ > ++ if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX) > ++ tcpwinsz = SSHBUF_SIZE_MAX; > ++ debug2("tcpwinsz: %d for connection: %d", tcpwinsz, > ++ packet_get_connection_in()); > ++ return (tcpwinsz); > ++} > ++#endif > ++ > + static void > + channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) > + { > + u_int limit = compat20 ? 
c->remote_window : packet_get_maxsize(); > + > ++#ifdef HPN_ENABLED > ++ /* check buffer limits */ > ++ if (!c->tcpwinsz || c->dynamic_window > 0) > ++ c->tcpwinsz = channel_tcpwinsz(); > ++ > ++ limit = MIN(limit, 2 * c->tcpwinsz); > ++#endif > ++ > + if (c->istate == CHAN_INPUT_OPEN && > + limit > 0 && > + buffer_len(&c->input) < limit && > +@@ -1846,6 +1885,20 @@ > + c->local_maxpacket*3) || > + c->local_window < c->local_window_max/2) && > + c->local_consumed > 0) { > ++#ifdef HPN_ENABLED > ++ /* adjust max window size if we are in a dynamic > environment */ > ++ if (c->dynamic_window && (c->tcpwinsz > > c->local_window_max)) { > ++ u_int addition = 0; > ++ > ++ /* > ++ * grow the window somewhat aggressively to > maintain > ++ * pressure > ++ */ > ++ addition = 1.5*(c->tcpwinsz - c->local_window_max); > ++ c->local_window_max += addition; > ++ c->local_consumed += addition; > ++ } > ++#endif > + packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); > + packet_put_int(c->remote_id); > + packet_put_int(c->local_consumed); > +@@ -2794,6 +2847,17 @@ > + return addr; > + } > + > ++#ifdef HPN_ENABLED > ++void > ++channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size) > ++{ > ++ hpn_disabled = external_hpn_disabled; > ++ hpn_buffer_size = external_hpn_buffer_size; > ++ debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, > ++ hpn_buffer_size); > ++} > ++#endif > ++ > + static int > + channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd, > + int *allocated_listen_port, struct ForwardOptions *fwd_opts) > +@@ -2918,9 +2982,20 @@ > + } > + > + /* Allocate a channel number for the socket. */ > ++#ifdef HPN_ENABLED > ++ /* > ++ * explicitly test for hpn disabled option. if true use > smaller > ++ * window size. 
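Review bot: When getsockopt() fails in channel_tcpwinsz, tcpwinsz stays 0 and is returned as-is, so in channel_pre_open `limit = MIN(limit, 2 * c->tcpwinsz)` becomes 0 and the `limit > 0` test below stops the channel from reading its input at all; fall back to the same 128*1024 default the non-socket branch uses, `if (ret != 0) tcpwinsz = 128*1024;`, before the cap. The guard `if (!c->tcpwinsz || c->dynamic_window > 0)` is true on every pass for a dynamic-window channel, so channel_tcpwinsz() issues a getsockopt() syscall each time the select loop reaches channel_pre_open; polling once per window adjustment would take it off the hot path. The `debug2("tcpwinsz: %d ...")` format does not match the u_int32_t argument; `%u` is the matching specifier. channel_pre_open's body continues past the hunk.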
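Review bot: `addition = 1.5*(c->tcpwinsz - c->local_window_max);` computes the growth in double and converts back to u_int implicitly; the integer form `u_int diff = c->tcpwinsz - c->local_window_max; addition = diff + diff / 2;` yields the same truncated value without the floating-point round trip and the conversion warning, and cannot overflow with tcpwinsz capped at SSHBUF_SIZE_MAX in channel_tcpwinsz. The subtraction itself is safe only because the enclosing `if` checks tcpwinsz > local_window_max; a short comment tying the two together would help. The increase is accounted for solely through `c->local_consumed += addition`, which the CHANNEL_WINDOW_ADJUST right after the block sends to the peer — worth stating in the existing comment. The enclosing function starts and ends outside the hunk.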
> ++ */ > ++ if (!hpn_disabled) > ++ c = channel_new("port listener", type, sock, sock, > -1, > ++ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, > ++ 0, "port listener", 1); > ++ else > ++#endif > + c = channel_new("port listener", type, sock, sock, -1, > + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, > + 0, "port listener", 1); > + c->path = xstrdup(host); > + c->host_port = fwd->connect_port; > + c->listening_addr = addr == NULL ? NULL : xstrdup(addr); > +@@ -3952,6 +4027,14 @@ > + *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); > + for (n = 0; n < num_socks; n++) { > + sock = socks[n]; > ++#ifdef HPN_ENABLED > ++ if (!hpn_disabled) > ++ nc = channel_new("x11 listener", > ++ SSH_CHANNEL_X11_LISTENER, sock, sock, -1, > ++ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, > ++ 0, "X11 inet listener", 1); > ++ else > ++#endif > + nc = channel_new("x11 listener", > + SSH_CHANNEL_X11_LISTENER, sock, sock, -1, > + CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, > +--- work.clean/openssh-6.8p1/channels.h 2015-03-17 > 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/channels.h 2015-04-03 13:58:44.472717000 -0500 > +@@ -136,6 +136,10 @@ > + u_int local_maxpacket; > + int extended_usage; > + int single_connection; > ++#ifdef HPN_ENABLED > ++ int dynamic_window; > ++ u_int tcpwinsz; > ++#endif > + > + char *ctype; /* type */ > + > +@@ -311,4 +315,9 @@ > + void chan_write_failed(Channel *); > + void chan_obuf_empty(Channel *); > + > ++#ifdef HPN_ENABLED > ++/* hpn handler */ > ++void channel_set_hpn(int, int); > ++#endif > ++ > + #endif > +--- work.clean/openssh-6.8p1/cipher.c 2015-03-17 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/cipher.c 2015-04-03 16:22:04.972592000 -0500 > +@@ -244,7 +244,13 @@ > + for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; > + (p = strsep(&cp, CIPHER_SEP))) { > + c = cipher_by_name(p); > +- if (c == NULL || c->number != SSH_CIPHER_SSH2) { > ++ if (c == NULL || (c->number != SSH_CIPHER_SSH2 && > ++#ifdef NONE_CIPHER_ENABLED > ++ 
c->number != SSH_CIPHER_NONE > ++#else > ++ 1 > ++#endif > ++ )) { > + free(cipher_list); > + return 0; > + } > +@@ -545,6 +551,9 @@ > + > + switch (c->number) { > + #ifdef WITH_OPENSSL > ++#ifdef NONE_CIPHER_ENABLED > ++ case SSH_CIPHER_NONE: > ++#endif > + case SSH_CIPHER_SSH2: > + case SSH_CIPHER_DES: > + case SSH_CIPHER_BLOWFISH: > +@@ -593,6 +602,9 @@ > + > + switch (c->number) { > + #ifdef WITH_OPENSSL > ++#ifdef NONE_CIPHER_ENABLED > ++ case SSH_CIPHER_NONE: > ++#endif > + case SSH_CIPHER_SSH2: > + case SSH_CIPHER_DES: > + case SSH_CIPHER_BLOWFISH: > +--- work.clean/openssh-6.8p1/clientloop.c 2015-03-17 > 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/clientloop.c 2015-04-03 17:29:40.618489000 -0500 > +@@ -1909,6 +1909,15 @@ > + sock = x11_connect_display(); > + if (sock < 0) > + return NULL; > ++#ifdef HPN_ENABLED > ++ /* again is this really necessary for X11? */ > ++ if (!options.hpn_disabled) > ++ c = channel_new("x11", > ++ SSH_CHANNEL_X11_OPEN, sock, sock, -1, > ++ options.hpn_buffer_size, > ++ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); > ++ else > ++#endif > + c = channel_new("x11", > + SSH_CHANNEL_X11_OPEN, sock, sock, -1, > + CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); > +@@ -1934,6 +1943,14 @@ > + __func__, ssh_err(r)); > + return NULL; > + } > ++#ifdef HPN_ENABLED > ++ if (!options.hpn_disabled) > ++ c = channel_new("authentication agent connection", > ++ SSH_CHANNEL_OPEN, sock, sock, -1, > ++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, > ++ "authentication agent connection", 1); > ++ else > ++#endif > + c = channel_new("authentication agent connection", > + SSH_CHANNEL_OPEN, sock, sock, -1, > + CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, > +@@ -1964,6 +1981,12 @@ > + return -1; > + } > + > ++#ifdef HPN_ENABLED > ++ if (!options.hpn_disabled) > ++ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, > ++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, > "tun", 1); > ++ else > ++#endif > + c = 
channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, > + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); > + c->datagram = 1; > +--- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/compat.c 2015-04-03 16:39:57.665699000 -0500 > +@@ -177,6 +177,14 @@ > + debug("match: %s pat %s compat 0x%08x", > + version, check[i].pat, check[i].bugs); > + datafellows = check[i].bugs; /* XXX for now */ > ++#ifdef HPN_ENABLED > ++ /* Check to see if the remote side is OpenSSH and > not HPN */ > ++ if (strstr(version,"OpenSSH") != NULL && > ++ strstr(version,"hpn") == NULL) { > ++ datafellows |= SSH_BUG_LARGEWINDOW; > ++ debug("Remote is NON-HPN aware"); > ++ } > ++#endif > + return check[i].bugs; > + } > + } > +--- work.clean/openssh-6.8p1/compat.h 2015-03-17 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/compat.h 2015-04-03 16:39:34.780416000 -0500 > +@@ -60,6 +60,9 @@ > + #define SSH_NEW_OPENSSH 0x04000000 > + #define SSH_BUG_DYNAMIC_RPORT 0x08000000 > + #define SSH_BUG_CURVE25519PAD 0x10000000 > ++#ifdef HPN_ENABLED > ++#define SSH_BUG_LARGEWINDOW 0x20000000 > ++#endif > + > + void enable_compat13(void); > + void enable_compat20(void); > +--- work.clean/openssh-6.8p1/configure.ac 2015-03-17 > 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/configure.ac 2015-04-03 16:36:28.916502000 > -0500 > +@@ -4238,6 +4238,25 @@ > + ] > + ) # maildir > + > ++#check whether user wants HPN support > ++HPN_MSG="no" > ++AC_ARG_WITH(hpn, > ++ [ --with-hpn Enable HPN support], > ++ [ if test "x$withval" != "xno" ; then > ++ AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.]) > ++ HPN_MSG="yes" > ++ fi ] > ++) > ++#check whether user wants NONECIPHER support > ++NONECIPHER_MSG="no" > ++AC_ARG_WITH(nonecipher, > ++ [ --with-nonecipher Enable NONECIPHER support], > ++ [ if test "x$withval" != "xno" ; then > ++ AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want > NONECIPHER support.]) > ++ NONECIPHER_MSG="yes" > ++ fi ] > ++) > 
++ > + if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; > then > + AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) > + disable_ptmx_check=yes > +@@ -4905,6 +4924,8 @@ > + echo " BSD Auth support: $BSD_AUTH_MSG" > + echo " Random number source: $RAND_MSG" > + echo " Privsep sandbox style: $SANDBOX_STYLE" > ++echo " HPN support: $HPN_MSG" > ++echo " NONECIPHER support: $NONECIPHER_MSG" > + > + echo "" > + > +--- work.clean/openssh-6.8p1/kex.c 2015-03-17 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/kex.c 2015-04-03 17:06:44.032682000 -0500 > +@@ -587,6 +587,13 @@ > + int nenc, nmac, ncomp; > + u_int mode, ctos, need, dh_need, authlen; > + int r, first_kex_follows; > ++#ifdef NONE_CIPHER_ENABLED > ++ /* XXX: Could this move into the lower block? */ > ++ int auth_flag; > ++ > ++ auth_flag = ssh_packet_authentication_state(ssh); > ++ debug ("AUTH STATE IS %d", auth_flag); > ++#endif > + > + if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 || > + (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) > +@@ -635,6 +642,17 @@ > + if ((r = choose_comp(&newkeys->comp, cprop[ncomp], > + sprop[ncomp])) != 0) > + goto out; > ++#ifdef NONE_CIPHER_ENABLED > ++ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); > ++ if (strcmp(newkeys->enc.name, "none") == 0) { > ++ debug("Requesting NONE. Authflag is %d", > auth_flag); > ++ if (auth_flag == 1) { > ++ debug("None requested post > authentication."); > ++ } else { > ++ fatal("Pre-authentication none cipher > requests are not allowed."); > ++ } > ++ } > ++#endif > + debug("kex: %s %s %s %s", > + ctos ? 
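Review bot: auth_flag is declared and computed at the top of the function but only used in the second NONE_CIPHER_ENABLED block after choose_comp (the following kex.c hunk), which answers the `XXX: Could this move into the lower block?` comment: yes — `int auth_flag = ssh_packet_authentication_state(ssh);` immediately before the `strcmp(newkeys->enc.name, "none")` test keeps the declaration next to its single use. The `debug ("AUTH STATE IS %d", auth_flag)` call has a space before the parenthesis and upper-case text unlike the surrounding debug() calls. The `fatal()` on a pre-authentication none request is the check that keeps the NONE cipher out of the key exchange before user authentication; a comment such as `/* none may only be negotiated once after_authentication is set; see ssh_packet_authentication_state() */` would record why it lives here. The enclosing function (kex_choose_conf, judging by its locals) starts before the hunk and continues after it.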
"client->server" : "server->client", > + newkeys->enc.name, > +--- work.clean/openssh-6.8p1/myproposal.h 2015-03-17 > 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/myproposal.h 2015-04-03 16:43:33.747402000 -0500 > +@@ -171,6 +171,10 @@ > + #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" > + #define KEX_DEFAULT_LANG "" > + > ++#ifdef NONE_CIPHER_ENABLED > ++#define KEX_ENCRYPT_INCLUDE_NONE KEX_SERVER_ENCRYPT ",none" > ++#endif > ++ > + #define KEX_CLIENT \ > + KEX_CLIENT_KEX, \ > + KEX_DEFAULT_PK_ALG, \ > +--- work.clean/openssh-6.8p1/packet.c 2015-03-17 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/packet.c 2015-04-03 16:10:57.002066000 -0500 > +@@ -2199,6 +2199,24 @@ > + } > + } > + > ++#ifdef NONE_CIPHER_ENABLED > ++/* this supports the forced rekeying required for the NONE cipher */ > ++int rekey_requested = 0; > ++void > ++packet_request_rekeying(void) > ++{ > ++ rekey_requested = 1; > ++} > ++ > ++int > ++ssh_packet_authentication_state(struct ssh *ssh) > ++{ > ++ struct session_state *state = ssh->state; > ++ > ++ return(state->after_authentication); > ++} > ++#endif > ++ > + #define MAX_PACKETS (1U<<31) > + int > + ssh_packet_need_rekeying(struct ssh *ssh) > +@@ -2207,6 +2225,12 @@ > + > + if (ssh->compat & SSH_BUG_NOREKEY) > + return 0; > ++#ifdef NONE_CIPHER_ENABLED > ++ if (rekey_requested == 1) { > ++ rekey_requested = 0; > ++ return 1; > ++ } > ++#endif > + return > + (state->p_send.packets > MAX_PACKETS) || > + (state->p_read.packets > MAX_PACKETS) || > +--- work.clean/openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500 > +@@ -188,6 +188,11 @@ > + int sshpkt_get_end(struct ssh *ssh); > + const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); > + > ++#ifdef NONE_CIPHER_ENABLED > ++void packet_request_rekeying(void); > ++int ssh_packet_authentication_state(struct ssh *ssh); > ++#endif > ++ > + /* OLD API */ > + extern struct ssh *active_state; > + #include 
"opacket.h" > +--- work.clean/openssh-6.8p1/readconf.c 2015-04-01 > 22:07:18.135435000 -0500 > ++++ work/openssh-6.8p1/readconf.c 2015-04-03 15:10:44.188916000 -0500 > +@@ -154,6 +154,12 @@ > + oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, > + oVisualHostKey, oUseRoaming, > + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, > oProxyUseFdpass, > ++#ifdef HPN_ENABLED > ++ oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf, > ++#endif > ++#ifdef NONE_CIPHER_ENABLED > ++ oNoneSwitch, oNoneEnabled, > ++#endif > + oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, > + oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, > + oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, > +@@ -276,6 +282,16 @@ > + { "fingerprinthash", oFingerprintHash }, > + { "updatehostkeys", oUpdateHostkeys }, > + { "hostbasedkeytypes", oHostbasedKeyTypes }, > ++#ifdef NONE_CIPHER_ENABLED > ++ { "noneenabled", oNoneEnabled }, > ++ { "noneswitch", oNoneSwitch }, > ++#endif > ++#ifdef HPN_ENABLED > ++ { "tcprcvbufpoll", oTcpRcvBufPoll }, > ++ { "tcprcvbuf", oTcpRcvBuf }, > ++ { "hpndisabled", oHPNDisabled }, > ++ { "hpnbuffersize", oHPNBufferSize }, > ++#endif > + { "ignoreunknown", oIgnoreUnknown }, > + > + { NULL, oBadOption } > +@@ -917,6 +933,44 @@ > + intptr = &options->check_host_ip; > + goto parse_flag; > + > ++#ifdef HPN_ENABLED > ++ case oHPNDisabled: > ++ intptr = &options->hpn_disabled; > ++ goto parse_flag; > ++ > ++ case oHPNBufferSize: > ++ intptr = &options->hpn_buffer_size; > ++ goto parse_int; > ++ > ++ case oTcpRcvBufPoll: > ++ intptr = &options->tcp_rcv_buf_poll; > ++ goto parse_flag; > ++ > ++ case oTcpRcvBuf: > ++ intptr = &options->tcp_rcv_buf; > ++ goto parse_int; > ++#endif > ++ > ++#ifdef NONE_CIPHER_ENABLED > ++ case oNoneEnabled: > ++ intptr = &options->none_enabled; > ++ goto parse_flag; > ++ > ++ /* we check to see if the command comes from the */ > ++ /* command line or not. 
If it does then enable it */ > ++ /* otherwise fail. NONE should never be a default > configuration */ > ++ case oNoneSwitch: > ++ if(strcmp(filename,"command-line") == 0) { > ++ intptr = &options->none_switch; > ++ goto parse_flag; > ++ } else { > ++ error("NoneSwitch is found in %.200s.\nYou > may only use this configuration option from the command line", filename); > ++ error("Continuing..."); > ++ debug("NoneSwitch directive found in > %.200s.", filename); > ++ return 0; > ++ } > ++#endif > ++ > + case oVerifyHostKeyDNS: > + intptr = &options->verify_host_key_dns; > + multistate_ptr = multistate_yesnoask; > +@@ -1678,6 +1732,16 @@ > + options->ip_qos_interactive = -1; > + options->ip_qos_bulk = -1; > + options->request_tty = -1; > ++#ifdef NONE_CIPHER_ENABLED > ++ options->none_switch = -1; > ++ options->none_enabled = -1; > ++#endif > ++#ifdef HPN_ENABLED > ++ options->hpn_disabled = -1; > ++ options->hpn_buffer_size = -1; > ++ options->tcp_rcv_buf_poll = -1; > ++ options->tcp_rcv_buf = -1; > ++#endif > + options->proxy_use_fdpass = -1; > + options->ignored_unknown = NULL; > + options->num_canonical_domains = 0; > +@@ -1838,6 +1902,35 @@ > + options->server_alive_interval = 0; > + if (options->server_alive_count_max == -1) > + options->server_alive_count_max = 3; > ++#ifdef NONE_CIPHER_ENABLED > ++ if (options->none_switch == -1) > ++ options->none_switch = 0; > ++ if (options->none_enabled == -1) > ++ options->none_enabled = 0; > ++#endif > ++#ifdef HPN_ENABLED > ++ if (options->hpn_disabled == -1) > ++ options->hpn_disabled = 0; > ++ if (options->hpn_buffer_size > -1) { > ++ /* if a user tries to set the size to 0 set it to 1KB */ > ++ if (options->hpn_buffer_size == 0) > ++ options->hpn_buffer_size = 1; > ++ /* limit the buffer to 64MB */ > ++ if (options->hpn_buffer_size > 64*1024) { > ++ options->hpn_buffer_size = 64*1024*1024; > ++ debug("User requested buffer larger than 64MB. 
> Request" > ++ " reverted to 64MB"); > ++ } else > ++ options->hpn_buffer_size *= 1024; > ++ debug("hpn_buffer_size set to %d", > options->hpn_buffer_size); > ++ } > ++ if (options->tcp_rcv_buf == 0) > ++ options->tcp_rcv_buf = 1; > ++ if (options->tcp_rcv_buf > -1) > ++ options->tcp_rcv_buf *=1024; > ++ if (options->tcp_rcv_buf_poll == -1) > ++ options->tcp_rcv_buf_poll = 1; > ++#endif > + if (options->control_master == -1) > + options->control_master = 0; > + if (options->control_persist == -1) { > +--- work.clean/openssh-6.8p1/readconf.h 2015-03-17 > 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/readconf.h 2015-04-03 13:47:45.670125000 -0500 > +@@ -105,6 +105,16 @@ > + int clear_forwardings; > + > + int enable_ssh_keysign; > ++#ifdef NONE_CIPHER_ENABLED > ++ int none_switch; /* Use none cipher */ > ++ int none_enabled; /* Allow none to be used */ > ++#endif > ++#ifdef HPN_ENABLED > ++ int tcp_rcv_buf; /* user switch to set tcp recv buffer */ > ++ int tcp_rcv_buf_poll; /* Option to poll recv buf every window > transfer */ > ++ int hpn_disabled; /* Switch to disable HPN buffer > management */ > ++ int hpn_buffer_size; /* User definable size for HPN buffer > window */ > ++#endif > + int64_t rekey_limit; > + int rekey_interval; > + int no_host_authentication_for_localhost; > +--- work.clean/openssh-6.8p1/scp.c 2015-03-17 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/scp.c 2015-04-02 16:51:25.108407000 -0500 > +@@ -750,7 +750,7 @@ > + off_t i, statbytes; > + size_t amt, nr; > + int fd = -1, haderr, indx; > +- char *last, *name, buf[2048], encname[PATH_MAX]; > ++ char *last, *name, buf[16384], encname[PATH_MAX]; > + int len; > + > + for (indx = 0; indx < argc; ++indx) { > +@@ -919,7 +919,7 @@ > + off_t size, statbytes; > + unsigned long long ull; > + int setimes, targisdir, wrerrno = 0; > +- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; > ++ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384]; > + struct timeval tv[2]; > + > + #define atime tv[0] > 
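Review bot: In the readconf.c `@@ -1838` hunk, `options->tcp_rcv_buf *=1024;` is applied with no upper bound, unlike the `hpn_buffer_size` branch just above it which caps the configured value at `64*1024` before scaling; a TcpRcvBuf value above INT_MAX/1024 makes the multiplication overflow a signed int, which is undefined behaviour. Clamp it before the scaling line, e.g. `if (options->tcp_rcv_buf > 64*1024) options->tcp_rcv_buf = 64*1024;`, and consider a `debug()` line like the one in the hpn_buffer_size branch so the clamp is visible in logs. The enclosing function starts and ends outside the hunk.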
+--- work.clean/openssh-6.8p1/servconf.c 2015-04-01 > 22:07:18.142441000 -0500 > ++++ work/openssh-6.8p1/servconf.c 2015-04-03 16:32:16.114236000 -0500 > +@@ -160,6 +160,14 @@ > + options->revoked_keys_file = NULL; > + options->trusted_user_ca_keys = NULL; > + options->authorized_principals_file = NULL; > ++#ifdef NONE_CIPHER_ENABLED > ++ options->none_enabled = -1; > ++#endif > ++#ifdef HPN_ENABLED > ++ options->tcp_rcv_buf_poll = -1; > ++ options->hpn_disabled = -1; > ++ options->hpn_buffer_size = -1; > ++#endif > + options->ip_qos_interactive = -1; > + options->ip_qos_bulk = -1; > + options->version_addendum = NULL; > +@@ -326,6 +334,57 @@ > + } > + if (options->permit_tun == -1) > + options->permit_tun = SSH_TUNMODE_NO; > ++#ifdef NONE_CIPHER_ENABLED > ++ if (options->none_enabled == -1) > ++ options->none_enabled = 0; > ++#endif > ++#ifdef HPN_ENABLED > ++ if (options->hpn_disabled == -1) > ++ options->hpn_disabled = 0; > ++ > ++ if (options->hpn_buffer_size == -1) { > ++ /* > ++ * option not explicitly set. Now we have to figure out > ++ * what value to use. > ++ */ > ++ if (options->hpn_disabled == 1) { > ++ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; > ++ } else { > ++ int sock, socksize; > ++ socklen_t socksizelen = sizeof(socksize); > ++ > ++ /* > ++ * get the current RCV size and set it to that > ++ * create a socket but don't connect it > ++ * we use that the get the rcv socket size > ++ */ > ++ sock = socket(AF_INET, SOCK_STREAM, 0); > ++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, > ++ &socksize, &socksizelen); > ++ close(sock); > ++ options->hpn_buffer_size = socksize; > ++ debug ("HPN Buffer Size: %d", > options->hpn_buffer_size); > ++ } > ++ } else { > ++ /* > ++ * we have to do this incase the user sets both values in a > ++ * contradictory manner. 
hpn_disabled overrrides > ++ * hpn_buffer_size > ++ */ > ++ if (options->hpn_disabled <= 0) { > ++ if (options->hpn_buffer_size == 0) > ++ options->hpn_buffer_size = 1; > ++ /* limit the maximum buffer to 64MB */ > ++ if (options->hpn_buffer_size > 64*1024) { > ++ options->hpn_buffer_size = 64*1024*1024; > ++ } else { > ++ options->hpn_buffer_size *= 1024; > ++ } > ++ } else > ++ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; > ++ } > ++#endif > ++ > + if (options->ip_qos_interactive == -1) > + options->ip_qos_interactive = IPTOS_LOWDELAY; > + if (options->ip_qos_bulk == -1) > +@@ -401,6 +460,12 @@ > + sUsePrivilegeSeparation, sAllowAgentForwarding, > + sHostCertificate, > + sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, > ++#ifdef NONE_CIPHER_ENABLED > ++ sNoneEnabled, > ++#endif > ++#ifdef HPN_ENABLED > ++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, > ++#endif > + sKexAlgorithms, sIPQoS, sVersionAddendum, > + sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, > + sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, > +@@ -529,6 +594,14 @@ > + { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, > + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, > + { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, > SSHCFG_ALL }, > ++#ifdef NONE_CIPHER_ENABLED > ++ { "noneenabled", sNoneEnabled, SSHCFG_ALL }, > ++#endif > ++#ifdef HPN_ENABLED > ++ { "hpndisabled", sHPNDisabled, SSHCFG_ALL }, > ++ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL }, > ++ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL }, > ++#endif > + { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, > + { "ipqos", sIPQoS, SSHCFG_ALL }, > + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, > +@@ -1113,6 +1186,25 @@ > + intptr = &options->ignore_user_known_hosts; > + goto parse_flag; > + > ++#ifdef NONE_CIPHER_ENABLED > ++ case sNoneEnabled: > ++ intptr = &options->none_enabled; > ++ goto parse_flag; > ++#endif > ++#ifdef HPN_ENABLED > ++ case sTcpRcvBufPoll: > ++ intptr 
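Review bot: In the servconf.c `@@ -326` hunk the SO_RCVBUF probe ignores the return values of `socket()` and `getsockopt()`, and `socksize` is never initialised, so if either call fails `options->hpn_buffer_size = socksize;` stores an indeterminate value and `close(sock)` is called on -1. Initialise `socksize` to `CHAN_SES_WINDOW_DEFAULT`, only trust it after a successful `getsockopt()`, and only close a valid descriptor, as below. A smaller point: the two branches test `hpn_disabled == 1` and `hpn_disabled <= 0`, which would treat any other value differently; presumably parse_flag only yields 0 or 1, so this is cosmetic but worth making consistent. The enclosing function starts and ends outside the hunk.
```c
		} else {
			int sock, socksize = CHAN_SES_WINDOW_DEFAULT;
			socklen_t socksizelen = sizeof(socksize);

			/*
			 * probe the default receive buffer of an unconnected
			 * socket; keep the fallback value on any failure
			 */
			sock = socket(AF_INET, SOCK_STREAM, 0);
			if (sock != -1) {
				if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
				    &socksize, &socksizelen) == -1)
					socksize = CHAN_SES_WINDOW_DEFAULT;
				close(sock);
			}
			options->hpn_buffer_size = socksize;
			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
		}
	/* … unchanged: explicit hpn_buffer_size handling … */
```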
= &options->tcp_rcv_buf_poll; > ++ goto parse_flag; > ++ > ++ case sHPNDisabled: > ++ intptr = &options->hpn_disabled; > ++ goto parse_flag; > ++ > ++ case sHPNBufferSize: > ++ intptr = &options->hpn_buffer_size; > ++ goto parse_int; > ++#endif > ++ > + case sRhostsRSAAuthentication: > + intptr = &options->rhosts_rsa_authentication; > + goto parse_flag; > +--- work.clean/openssh-6.8p1/servconf.h 2015-03-17 > 00:49:20.000000000 -0500 > ++++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500 > > *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** > > -- --------------------------------------------------------------------------------- Curb: Your ride is here 4096R/D1EAB94D 2081 E230 3001 6508 8847 1BBF A0A8 DB0F D1EA B94D Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354 Member, Apache Software Foundation Committer, FreeBSD Foundation Consultant, P6M7G8 Inc. Sr. Director IT Operations, Curb What doesn't kill us can only make us stronger; Except it almost kills you.