Date:      Sat, 4 Apr 2015 20:22:08 -0400
From:      "Philip M. Gollucci" <pgollucci@p6m7g8.com>
To:        Bryan Drewery <bdrewery@freebsd.org>
Cc:        "svn-ports-head@freebsd.org" <svn-ports-head@freebsd.org>, "svn-ports-all@freebsd.org" <svn-ports-all@freebsd.org>, "ports-committers@freebsd.org" <ports-committers@freebsd.org>
Subject:   Re: svn commit: r383231 - in head/security/openssh-portable: . files
Message-ID:  <CACM2dAbb8uTBDiWS2gn6+vawc5qLromcDmzRqJy0Pnjc4f8CHA@mail.gmail.com>
In-Reply-To: <201504041716.t34HGxBF057433@svn.freebsd.org>
References:  <201504041716.t34HGxBF057433@svn.freebsd.org>

You da man!

On Sat, Apr 4, 2015 at 1:16 PM, Bryan Drewery <bdrewery@freebsd.org> wrote:

> Author: bdrewery
> Date: Sat Apr  4 17:16:58 2015
> New Revision: 383231
> URL: https://svnweb.freebsd.org/changeset/ports/383231
>
> Log:
>   - Update to 6.8p1
>   - Fix 'make test'
>   - HPN:
>     - NONECIPHER is no longer default. This is not default in base and should not
>       be default here as it introduces security holes.
>     - HPN: I've audited the patch and included it in the port directory for
>       transparency. I identified several bugs and submitted them to the new
>       upstream: https://github.com/rapier1/openssh-portable/pull/2
>     - HPN: The entire patch is now ifdef'd to ensure various bits are properly
>       removed depending on the OPTIONS selected.
>     - AES_THREADED is removed. It has questionable benefit on modern HW and is not
>       stable.
>     - The "enhanced logging" was removed from the patch as it is too
>       intrusive and difficult to maintain in the port.
>     - The progress meter "peak throughput" patch was removed.
>     - Fixed HPN version showing in client/server version string when HPN
>       was disabled in the config.
>   - KERB_GSSAPI is currently BROKEN as it does not apply.
>   - Update X509 to 8.3
>
>   Changelog: http://www.openssh.com/txt/release-6.8
>
> Added:
>   head/security/openssh-portable/files/extra-patch-hpn   (contents, props changed)
>   head/security/openssh-portable/files/patch-regress__test-exec.sh   (contents, props changed)
>   head/security/openssh-portable/files/patch-sshconnect.c   (contents, props changed)
> Deleted:
>   head/security/openssh-portable/files/extra-patch-hpn-build-options
>   head/security/openssh-portable/files/extra-patch-hpn-no-hpn
>   head/security/openssh-portable/files/extra-patch-hpn-window-size
> Modified:
>   head/security/openssh-portable/Makefile
>   head/security/openssh-portable/distinfo
>   head/security/openssh-portable/files/extra-patch-sshd-utmp-size
>   head/security/openssh-portable/files/extra-patch-tcpwrappers
>   head/security/openssh-portable/files/patch-servconf.c
>   head/security/openssh-portable/files/patch-ssh-agent.c
>
> Modified: head/security/openssh-portable/Makefile
>
> ==============================================================================
> --- head/security/openssh-portable/Makefile     Sat Apr  4 16:23:55 2015
>       (r383230)
> +++ head/security/openssh-portable/Makefile     Sat Apr  4 17:16:58 2015
>       (r383231)
> @@ -2,8 +2,8 @@
>  # $FreeBSD$
>
>  PORTNAME=      openssh
> -DISTVERSION=   6.7p1
> -PORTREVISION=  5
> +DISTVERSION=   6.8p1
> +PORTREVISION=  0
>  PORTEPOCH=     1
>  CATEGORIES=    security ipv6
>  MASTER_SITES=  ${MASTER_SITE_OPENBSD}
> @@ -27,13 +27,10 @@ CONFIGURE_ARGS=             --prefix=${PREFIX} --wi
>                         --without-zlib-version-check --with-ssl-engine
>  ETCOLD=                        ${PREFIX}/etc
>
> -SUDO?=         # empty
> -MAKE_ENV+=     SUDO="${SUDO}"
> -
>  OPTIONS_DEFINE=                PAM TCP_WRAPPERS LIBEDIT BSM \
>                         HPN X509 KERB_GSSAPI \
> -                       OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER
> -OPTIONS_DEFAULT=       LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER
> +                       OVERWRITE_BASE SCTP LDNS NONECIPHER
> +OPTIONS_DEFAULT=       LIBEDIT PAM TCP_WRAPPERS HPN LDNS
>  OPTIONS_RADIO=         KERBEROS
>  OPTIONS_RADIO_KERBEROS=        MIT HEIMDAL HEIMDAL_BASE
>  TCP_WRAPPERS_DESC=     tcp_wrappers support
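Review bot: NONECIPHER_DESC still reads just "NONE Cipher support" although the log says the option introduces security holes; the OPTIONS description is what a user sees in the config dialog, so state there that it allows session data to be sent unencrypted, e.g. `NONECIPHER_DESC= NONE cipher support (unencrypted data channel after auth)`. Dropping it from OPTIONS_DEFAULT is the right call.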
> @@ -47,7 +44,6 @@ OVERWRITE_BASE_DESC=  EOL, No longer supp
>  HEIMDAL_DESC=          Heimdal Kerberos (security/heimdal)
>  HEIMDAL_BASE_DESC=     Heimdal Kerberos (base)
>  MIT_DESC=              MIT Kerberos (security/krb5)
> -AES_THREADED_DESC=     Threaded AES-CTR
>  NONECIPHER_DESC=       NONE Cipher support
>
>  OPTIONS_SUB=           yes
> @@ -61,18 +57,17 @@ LDNS_CFLAGS=                -I${LOCALBASE}/include
>  LDNS_CONFIGURE_ON=     --with-ldflags='-L${LOCALBASE}/lib'
>
>  # http://www.psc.edu/index.php/hpn-ssh
> -HPN_EXTRA_PATCHES=     ${FILESDIR}/extra-patch-hpn-window-size
>  HPN_CONFIGURE_WITH=            hpn
>  NONECIPHER_CONFIGURE_WITH=     nonecipher
> -AES_THREADED_CONFIGURE_WITH=   aes-threaded
>
>  # See http://www.roumenpetrov.info/openssh/
> -X509_VERSION=          8.2
> +X509_VERSION=          8.3
>  X509_PATCH_SITES=
> http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
> -X509_PATCHFILES=
>  ${PORTNAME}-6.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509
> +X509_PATCHFILES=
>  ${PORTNAME}-6.8p1+x509-${X509_VERSION}.diff.gz:-p1:x509
>
>  # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
> -SCTP_PATCHFILES=       ${PORTNAME}-6.7p1-sctp-2496.patch.gz:-p1
> +# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
> +SCTP_PATCHFILES=       ${PORTNAME}-6.8p1-sctp-2573.patch.gz:-p1
>  SCTP_CONFIGURE_WITH=   sctp
>
>  MIT_LIB_DEPENDS=               libkrb5.so.3:${PORTSDIR}/security/krb5
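Review bot: the X509 and SCTP patch names hard-code 6.8p1 (`${PORTNAME}-6.8p1+x509-${X509_VERSION}.diff.gz` and `${PORTNAME}-6.8p1-sctp-2573.patch.gz`) in the same hunk that bumps DISTVERSION; using ${DISTVERSION} in both would make the next update a one-line change and avoid the stale-name failure that this diff is itself fixing for 6.7p1.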
> @@ -93,19 +88,15 @@ PATCH_SITES+=               http://mirror.shatow.net/
>  EXTRA_PATCHES:=
> ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
>  .endif
>
> -# http://www.psc.edu/index.php/hpn-ssh
> -.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} ||
> ${PORT_OPTIONS:MNONECIPHER}
> +# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh
> https://github.com/rapier1/openssh-portable
> +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
>  PORTDOCS+=             HPN-README
>  HPN_VERSION=           14v5
>  HPN_DISTVERSION=       6.7p1
>  #PATCH_SITES+=         ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
>  #PATCH_SITE_SUBDIR+=
>  hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
> -PATCHFILES+=
>  ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
> -EXTRA_PATCHES+=                ${FILESDIR}/extra-patch-hpn-build-options
> -# Remove HPN if only AES requested
> -.  if !${PORT_OPTIONS:MHPN}
> -EXTRA_PATCHES+=                ${FILESDIR}/extra-patch-hpn-no-hpn
> -.  endif
> +#PATCHFILES+=
> ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
> +EXTRA_PATCHES+=                ${FILESDIR}/extra-patch-hpn:-p2
>  .endif
>
>  # Must add this patch after HPN due to conflicts
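Review bot: HPN_VERSION=14v5 and HPN_DISTVERSION=6.7p1 are left defined although the only users (PATCH_SITE_SUBDIR and PATCHFILES) are now commented out and the HPN change is applied from ${FILESDIR}/extra-patch-hpn against 6.8p1; either remove them or turn them into a comment saying which upstream HPN release extra-patch-hpn was derived from, otherwise the next maintainer will read 6.7p1 as the patch base. The `:-p2` strip on EXTRA_PATCHES matches the `work.clean/openssh-6.8p1/...` paths inside the patch, so that part is correct.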
> @@ -133,7 +124,7 @@ EXTRA_PATCHES+=             ${FILESDIR}/extra-patch
>  EXTRA_PATCHES+=                ${FILESDIR}/extra-patch-version-addendum
>
>  .if ${PORT_OPTIONS:MX509}
> -.  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} ||
> ${PORT_OPTIONS:MNONECIPHER}
> +.  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
>  BROKEN=                X509 patch and HPN patch do not apply cleanly
> together
>  .  endif
>
> @@ -147,6 +138,10 @@ BROKEN=            X509 patch incompatible with KE
>
>  .endif
>
> +.  if ${PORT_OPTIONS:MKERB_GSSAPI}
> +BROKEN=                Does not apply to 6.8
> +.  endif
> +
>  .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
>  BROKEN=                KERB_GSSAPI Requires either MIT or HEMIDAL, does
> not build with base Heimdal currently
>  .endif
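Review bot: the new `.  if ${PORT_OPTIONS:MKERB_GSSAPI}` block is indented as if nested, but it sits after the `.endif` that closes the X509 block and is top level; drop the extra spaces. Also, when KERB_GSSAPI and HEIMDAL_BASE are both selected the following block overwrites BROKEN with the Heimdal message and the "Does not apply to 6.8" reason is lost; chain them with `.elif` or fold the 6.8 text into the existing conditional.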
> @@ -218,14 +213,17 @@ post-install:
>             ${STAGEDIR}${ETCDIR}//ssh_config.sample
>         ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \
>             ${STAGEDIR}${ETCDIR}/sshd_config.sample
> -.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} ||
> ${PORT_OPTIONS:MNONECIPHER}
> +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
>         ${MKDIR} ${STAGEDIR}${DOCSDIR}
>         ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
>  .endif
>
> -test:  build
> -       (cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV}
> TEST_SHELL=/bin/sh \
> +test: build
> +       cd ${WRKSRC} && ${SETENV} -i \
> +               OBJ=${WRKDIR} ${MAKE_ENV} \
> +               TEST_SHELL=${SH} \
> +               SUDO="${SUDO}" \
>                 PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
> -               ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS})
> +               ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
>
>  .include <bsd.port.post.mk>
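Review bot: `${SETENV} -i` now clears the whole environment before the regress suite runs, so only OBJ, MAKE_ENV, TEST_SHELL, SUDO and PATH survive; HOME, USER/LOGNAME and TMPDIR are gone. Confirm the suite does not depend on any of them, or pass the ones it needs explicitly next to SUDO. Since `SUDO?=` was removed at the top of the Makefile, SUDO is now only set when the user defines it, which is fine but should be mentioned wherever `make test` is documented for this port.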
>
> Modified: head/security/openssh-portable/distinfo
>
> ==============================================================================
> --- head/security/openssh-portable/distinfo     Sat Apr  4 16:23:55 2015
>       (r383230)
> +++ head/security/openssh-portable/distinfo     Sat Apr  4 17:16:58 2015
>       (r383231)
> @@ -1,12 +1,8 @@
> -SHA256 (openssh-6.7p1.tar.gz) =
> b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507
> -SIZE (openssh-6.7p1.tar.gz) = 1351367
> -SHA256 (openssh-6.7p1-hpnssh14v5.diff.gz) =
> 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6
> -SIZE (openssh-6.7p1-hpnssh14v5.diff.gz) = 24326
> -SHA256 (openssh-6.7p1+x509-8.2.diff.gz) =
> 85acfcd560b40d4533b82a4e3f443b7137b377868bab424dacdf00581c83240f
> -SIZE (openssh-6.7p1+x509-8.2.diff.gz) = 241798
> +SHA256 (openssh-6.8p1.tar.gz) =
> 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e
> +SIZE (openssh-6.8p1.tar.gz) = 1475953
> +SHA256 (openssh-6.8p1+x509-8.3.diff.gz) =
> 34dbefcce8509d3c876be3e7d8966455c7c3589a6872bdfb1f8ce3d133f4d304
> +SIZE (openssh-6.8p1+x509-8.3.diff.gz) = 347942
>  SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) =
> 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8
>  SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825
> -SHA256 (openssh-lpk-6.3p1.patch.gz) =
> d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
> -SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
> -SHA256 (openssh-6.7p1-sctp-2496.patch.gz) =
> ec2b6aa8a6d65a2c11d4453a25294ae5082e7ed7c9f418ec081f750bfba022db
> -SIZE (openssh-6.7p1-sctp-2496.patch.gz) = 8052
> +SHA256 (openssh-6.8p1-sctp-2573.patch.gz) =
> 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a
> +SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531
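Review bot: the `openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz` entry stays in distinfo while the Makefile hunk marks KERB_GSSAPI BROKEN because that patch does not apply to 6.8; keep the two in sync, either by removing the entry now or by leaving a comment that it is intentionally kept until a 6.8 gsskex patch exists.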
>
> Added: head/security/openssh-portable/files/extra-patch-hpn
>
> ==============================================================================
> --- /dev/null   00:00:00 1970   (empty, because file is newly added)
> +++ head/security/openssh-portable/files/extra-patch-hpn        Sat Apr  4
> 17:16:58 2015        (r383231)
> @@ -0,0 +1,1296 @@
> +diff -urN -x configure -x config.guess -x config.h.in -x config.sub
> work.clean/openssh-6.8p1/HPN-README work/openssh-6.8p1/HPN-README
> +--- work.clean/openssh-6.8p1/HPN-README        1969-12-31
> 18:00:00.000000000 -0600
> ++++ work/openssh-6.8p1/HPN-README      2015-04-01 22:16:49.869215000 -0500
> +@@ -0,0 +1,129 @@
> ++Notes:
> ++
> ++MULTI-THREADED CIPHER:
> ++The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This
> will allow ssh installations
> ++on hosts with multiple cores to use more than one processing core during
> encryption.
> ++Tests have show significant throughput performance increases when using
> MTR-AES-CTR up
> ++to and including a full gigabit per second on quad core systems. It
> should be possible to
> ++achieve full line rate on dual core systems but OS and data management
> overhead makes this
> ++more difficult to achieve. The cipher stream from MTR-AES-CTR is
> entirely compatible with single
> ++thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward
> compatible. Optimal
> ++performance requires the MTR-AES-CTR mode be enabled on both ends of the
> connection.
> ++The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way
> with the same
> ++nomenclature.
> ++Use examples:         ssh -caes128-ctr you@host.com
> ++              scp -oCipher=aes256-ctr file you@host.com:~/file
> ++
> ++NONE CIPHER:
> ++To use the NONE option you must have the NoneEnabled switch set on the
> server and
> ++you *must* have *both* NoneEnabled and NoneSwitch set to yes on the
> client. The NONE
> ++feature works with ALL ssh subsystems (as far as we can tell) *AS LONG
> AS* a tty is not
> ++spawned. If a user uses the -T switch to prevent a tty being created the
> NONE cipher will
> ++be disabled.
> ++
> ++The performance increase will only be as good as the network and TCP
> stack tuning
> ++on the reciever side of the connection allows. As a rule of thumb a user
> will need
> ++at least 10Mb/s connection with a 100ms RTT to see a doubling of
> performance. The
> ++HPN-SSH home page describes this in greater detail.
> ++
> ++http://www.psc.edu/networking/projects/hpn-ssh
> ++
> ++BUFFER SIZES:
> ++
> ++If HPN is disabled the receive buffer size will be set to the
> ++OpenSSH default of 64K.
> ++
> ++If an HPN system connects to a nonHPN system the receive buffer will
> ++be set to the HPNBufferSize value. The default is 2MB but user
> adjustable.
> ++
> ++If an HPN to HPN connection is established a number of different things
> might
> ++happen based on the user options and conditions.
> ++
> ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT
> Set
> ++HPN Buffer Size = up to 64MB
> ++This is the default state. The HPN buffer size will grow to a maximum of
> 64MB
> ++as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
> ++geared towards 10GigE transcontinental connections.
> ++
> ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT
> Set
> ++HPN Buffer Size = TCP receive buffer value.
> ++Users on non-autotuning systesm should disable TCPRcvBufPoll in the
> ++ssh_cofig and sshd_config
> ++
> ++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
> ++HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
> ++This would be the system defined TCP receive buffer (RWIN).
> ++
> ++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
> ++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
> ++Generally there is no need to set both.
> ++
> ++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
> ++HPN Buffer Size = grows to HPNBufferSize
> ++The buffer will grow up to the maximum size specified here.
> ++
> ++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
> ++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
> ++Generally there is no need to set both of these, especially on autotuning
> ++systems. However, if the users wishes to override the autotuning this
> would be
> ++one way to do it.
> ++
> ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
> ++HPN Buffer Size = TCPRcvBuf.
> ++This will override autotuning and set the TCP recieve buffer to the user
> defined
> ++value.
> ++
> ++
> ++HPN Specific Configuration options
> ++
> ++TcpRcvBuf=[int]KB client
> ++      set the TCP socket receive buffer to n Kilobytes. It can be set up
> to the
> ++maximum socket size allowed by the system. This is useful in situations
> where
> ++the tcp receive window is set low but the maximum buffer size is set
> ++higher (as is typical). This works on a per TCP connection basis. You
> can also
> ++use this to artifically limit the transfer rate of the connection. In
> these
> ++cases the throughput will be no more than n/RTT. The minimum buffer size
> is 1KB.
> ++Default is the current system wide tcp receive buffer size.
> ++
> ++TcpRcvBufPoll=[yes/no] client/server
> ++      enable of disable the polling of the tcp receive buffer through
> the life
> ++of the connection. You would want to make sure that this option is
> enabled
> ++for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS
> Vista)
> ++default is yes.
> ++
> ++NoneEnabled=[yes/no] client/server
> ++      enable or disable the use of the None cipher. Care must always be
> used
> ++when enabling this as it will allow users to send data in the clear.
> However,
> ++it is important to note that authentication information remains encrypted
> ++even if this option is enabled. Set to no by default.
> ++
> ++NoneSwitch=[yes/no] client
> ++     Switch the encryption cipher being used to the None cipher after
> ++authentication takes place. NoneEnabled must be enabled on both the
> client
> ++and server side of the connection. When the connection switches to the
> NONE
> ++cipher a warning is sent to STDERR. The connection attempt will fail
> with an
> ++error if a client requests a NoneSwitch from the server that does not
> explicitly
> ++have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
> ++interactive (shell) sessions and it will fail silently. Set to no by
> default.
> ++
> ++HPNDisabled=[yes/no] client/server
> ++     In some situations, such as transfers on a local area network, the
> impact
> ++of the HPN code produces a net decrease in performance. In these cases
> it is
> ++helpful to disable the HPN functionality. By default HPNDisabled is set
> to no.
> ++
> ++HPNBufferSize=[int]KB client/server
> ++     This is the default buffer size the HPN functionality uses when
> interacting
> ++with nonHPN SSH installations. Conceptually this is similar to the
> TcpRcvBuf
> ++option as applied to the internal SSH flow control. This value can range
> from
> ++1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause
> performance
> ++problems depending on the length of the network path. The default size
> of this buffer
> ++is 2MB.
> ++
> ++
> ++Credits: This patch was conceived, designed, and led by Chris Rapier (
> rapier@psc.edu)
> ++         The majority of the actual coding for versions up to HPN12v1
> was performed
> ++         by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR
> cipher was
> ++       implemented by Ben Bennet (ben@psc.edu) and improved by Mike
> Tasota
> ++       (tasota@gmail.com) an NSF REU grant recipient for 2013.
> ++       This work was financed, in part, by Cisco System, Inc., the
> National
> ++         Library of Medicine, and the National Science Foundation.
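Review bot: HPN-README still documents MULTI-THREADED CIPHER (MTR-AES-CTR) and credits its implementation, but the log says AES_THREADED is removed from this port's patch, so the README installed under PORTDOCS now describes a feature the binary does not have; trim that section (and the `ssh -caes128-ctr` examples that rely on it) or add a line saying the port ships HPN without the threaded cipher. The NoneEnabled/NoneSwitch paragraphs are the security-relevant part and match the code: NONE applies only after authentication and only to sessions without a tty.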
> +--- work.clean/openssh-6.8p1/channels.c        2015-03-17
> 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/channels.c      2015-04-03 15:51:59.599537000 -0500
> +@@ -183,8 +183,14 @@
> + static int connect_next(struct channel_connect *);
> + static void channel_connect_ctx_free(struct channel_connect *);
> +
> ++
> ++#ifdef HPN_ENABLED
> ++static int hpn_disabled = 0;
> ++static int hpn_buffer_size = 2 * 1024 * 1024;
> ++#endif
> ++
> + /* -- channel core */
> +
> + Channel *
> + channel_by_id(int id)
> + {
> +@@ -333,6 +339,9 @@
> +       c->local_window_max = window;
> +       c->local_consumed = 0;
> +       c->local_maxpacket = maxpack;
> ++#ifdef HPN_ENABLED
> ++      c->dynamic_window = 0;
> ++#endif
> +       c->remote_id = -1;
> +       c->remote_name = xstrdup(remote_name);
> +       c->remote_window = 0;
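Review bot: `dynamic_window` is initialized here but the new `tcpwinsz` field is not, and channel_pre_open later relies on `!c->tcpwinsz` to decide when to query the socket; that only works if the Channel is zero-filled on allocation, so set `c->tcpwinsz = 0;` explicitly alongside it.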
> +@@ -837,11 +846,41 @@
> +               FD_SET(c->sock, writeset);
> + }
> +
> ++#ifdef HPN_ENABLED
> ++static u_int
> ++channel_tcpwinsz(void)
> ++{
> ++      u_int32_t tcpwinsz = 0;
> ++      socklen_t optsz = sizeof(tcpwinsz);
> ++      int ret = -1;
> ++
> ++      /* if we aren't on a socket return 128KB */
> ++      if (!packet_connection_is_on_socket())
> ++              return (128*1024);
> ++      ret = getsockopt(packet_get_connection_in(),
> ++          SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
> ++      /* return no more than SSHBUF_SIZE_MAX */
> ++      if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX)
> ++              tcpwinsz = SSHBUF_SIZE_MAX;
> ++      debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
> ++          packet_get_connection_in());
> ++      return (tcpwinsz);
> ++}
> ++#endif
> ++
> + static void
> + channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
> + {
> +       u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
> +
> ++#ifdef HPN_ENABLED
> ++      /* check buffer limits */
> ++      if (!c->tcpwinsz || c->dynamic_window > 0)
> ++              c->tcpwinsz = channel_tcpwinsz();
> ++
> ++      limit = MIN(limit, 2 * c->tcpwinsz);
> ++#endif
> ++
> +       if (c->istate == CHAN_INPUT_OPEN &&
> +           limit > 0 &&
> +           buffer_len(&c->input) < limit &&
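Review bot: a getsockopt() failure in channel_tcpwinsz() is not handled: with `ret != 0` tcpwinsz stays 0 and is returned, after which `limit = MIN(limit, 2 * c->tcpwinsz)` becomes 0 and the channel stops reading its input; return a sane default (the 128KB used for the non-socket case) when ret != 0. Also `debug2("tcpwinsz: %d ...")` prints a u_int32_t with %d; use %u.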
> +@@ -1846,6 +1885,20 @@
> +           c->local_maxpacket*3) ||
> +           c->local_window < c->local_window_max/2) &&
> +           c->local_consumed > 0) {
> ++#ifdef HPN_ENABLED
> ++              /* adjust max window size if we are in a dynamic
> environment */
> ++              if (c->dynamic_window && (c->tcpwinsz >
> c->local_window_max)) {
> ++                      u_int addition = 0;
> ++
> ++                      /*
> ++                       * grow the window somewhat aggressively to
> maintain
> ++                       * pressure
> ++                       */
> ++                      addition = 1.5*(c->tcpwinsz - c->local_window_max);
> ++                      c->local_window_max += addition;
> ++                      c->local_consumed += addition;
> ++              }
> ++#endif
> +               packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
> +               packet_put_int(c->remote_id);
> +               packet_put_int(c->local_consumed);
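Review bot: `addition = 1.5*(c->tcpwinsz - c->local_window_max)` does floating-point math on u_int and then credits `local_consumed` with bytes that were never consumed; that is how the window is grown, but nothing bounds `local_window_max` afterwards, and since the 1.5 factor overshoots tcpwinsz whenever tcpwinsz > local_window_max, the window can end up above the SSHBUF_SIZE_MAX cap that channel_tcpwinsz() was careful to apply. Clamp the result. Nothing in the hunks shown sets `dynamic_window` to a non-zero value, so please point to where that happens.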
> +@@ -2794,6 +2847,17 @@
> +       return addr;
> + }
> +
> ++#ifdef HPN_ENABLED
> ++void
> ++channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
> ++{
> ++      hpn_disabled = external_hpn_disabled;
> ++      hpn_buffer_size = external_hpn_buffer_size;
> ++      debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled,
> ++          hpn_buffer_size);
> ++}
> ++#endif
> ++
> + static int
> + channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
> +     int *allocated_listen_port, struct ForwardOptions *fwd_opts)
> +@@ -2918,9 +2982,20 @@
> +               }
> +
> +               /* Allocate a channel number for the socket. */
> ++#ifdef HPN_ENABLED
> ++              /*
> ++               * explicitly test for hpn disabled option. if true use
> smaller
> ++               * window size.
> ++               */
> ++              if (!hpn_disabled)
> ++                      c = channel_new("port listener", type, sock, sock,
> -1,
> ++                          hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
> ++                          0, "port listener", 1);
> ++              else
> ++#endif
> +               c = channel_new("port listener", type, sock, sock, -1,
> +                   CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
> +                   0, "port listener", 1);
> +               c->path = xstrdup(host);
> +               c->host_port = fwd->connect_port;
> +               c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
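Review bot: the `if (!hpn_disabled) ... else` followed by `#endif` and the original channel_new() duplicates the whole call just to vary the window argument, and the same pattern is repeated for the x11 listener and three times in clientloop.c; a single call whose window argument is `hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : hpn_buffer_size` (wrapped in a macro that reduces to the default when HPN_ENABLED is off) keeps one copy of the arguments and stops the two from drifting apart.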
> +@@ -3952,6 +4027,14 @@
> +       *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
> +       for (n = 0; n < num_socks; n++) {
> +               sock = socks[n];
> ++#ifdef HPN_ENABLED
> ++              if (!hpn_disabled)
> ++                      nc = channel_new("x11 listener",
> ++                          SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
> ++                          hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
> ++                          0, "X11 inet listener", 1);
> ++              else
> ++#endif
> +               nc = channel_new("x11 listener",
> +                   SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
> +                   CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
> +--- work.clean/openssh-6.8p1/channels.h        2015-03-17
> 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/channels.h      2015-04-03 13:58:44.472717000 -0500
> +@@ -136,6 +136,10 @@
> +       u_int   local_maxpacket;
> +       int     extended_usage;
> +       int     single_connection;
> ++#ifdef HPN_ENABLED
> ++      int     dynamic_window;
> ++      u_int   tcpwinsz;
> ++#endif
> +
> +       char   *ctype;          /* type */
> +
> +@@ -311,4 +315,9 @@
> + void   chan_write_failed(Channel *);
> + void   chan_obuf_empty(Channel *);
> +
> ++#ifdef HPN_ENABLED
> ++/* hpn handler */
> ++void     channel_set_hpn(int, int);
> ++#endif
> ++
> + #endif
> +--- work.clean/openssh-6.8p1/cipher.c  2015-03-17 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/cipher.c        2015-04-03 16:22:04.972592000 -0500
> +@@ -244,7 +244,13 @@
> +       for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
> +           (p = strsep(&cp, CIPHER_SEP))) {
> +               c = cipher_by_name(p);
> +-              if (c == NULL || c->number != SSH_CIPHER_SSH2) {
> ++              if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
> ++#ifdef NONE_CIPHER_ENABLED
> ++                                c->number != SSH_CIPHER_NONE
> ++#else
> ++                                1
> ++#endif
> ++                                )) {
> +                       free(cipher_list);
> +                       return 0;
> +               }
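Review bot: the `#ifdef NONE_CIPHER_ENABLED ... #else 1 #endif` spliced into the middle of the condition is hard to read and easy to break; keep the original test and add a separate `#ifdef NONE_CIPHER_ENABLED` clause that accepts SSH_CIPHER_NONE. Operationally this hunk makes `none` a valid entry in Ciphers whenever NONECIPHER is built in, so the post-authentication check in kex.c becomes the only thing standing between a config typo and an unencrypted session; that deserves a comment here.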
> +@@ -545,6 +551,9 @@
> +
> +       switch (c->number) {
> + #ifdef WITH_OPENSSL
> ++#ifdef NONE_CIPHER_ENABLED
> ++      case SSH_CIPHER_NONE:
> ++#endif
> +       case SSH_CIPHER_SSH2:
> +       case SSH_CIPHER_DES:
> +       case SSH_CIPHER_BLOWFISH:
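Review bot: `case SSH_CIPHER_NONE:` is placed inside `#ifdef WITH_OPENSSL` although the none cipher needs nothing from OpenSSL; a build with NONE_CIPHER_ENABLED but without WITH_OPENSSL falls through to the default branch instead. Move the case outside the WITH_OPENSSL block (same in the next hunk).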
> +@@ -593,6 +602,9 @@
> +
> +       switch (c->number) {
> + #ifdef WITH_OPENSSL
> ++#ifdef NONE_CIPHER_ENABLED
> ++      case SSH_CIPHER_NONE:
> ++#endif
> +       case SSH_CIPHER_SSH2:
> +       case SSH_CIPHER_DES:
> +       case SSH_CIPHER_BLOWFISH:
> +--- work.clean/openssh-6.8p1/clientloop.c      2015-03-17
> 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/clientloop.c    2015-04-03 17:29:40.618489000 -0500
> +@@ -1909,6 +1909,15 @@
> +       sock = x11_connect_display();
> +       if (sock < 0)
> +               return NULL;
> ++#ifdef HPN_ENABLED
> ++      /* again is this really necessary for X11? */
> ++      if (!options.hpn_disabled)
> ++              c = channel_new("x11",
> ++                  SSH_CHANNEL_X11_OPEN, sock, sock, -1,
> ++                  options.hpn_buffer_size,
> ++                  CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
> ++      else
> ++#endif
> +       c = channel_new("x11",
> +           SSH_CHANNEL_X11_OPEN, sock, sock, -1,
> +           CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
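Review bot: `/* again is this really necessary for X11? */` is a question left in shipped code; either decide (X11 forwarding over a LAN is exactly the case where HPN-README says the large window hurts) and drop the comment, or replace it with the reason the HPN window is used here.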
> +@@ -1934,6 +1943,14 @@
> +                           __func__, ssh_err(r));
> +               return NULL;
> +       }
> ++#ifdef HPN_ENABLED
> ++      if (!options.hpn_disabled)
> ++              c = channel_new("authentication agent connection",
> ++                  SSH_CHANNEL_OPEN, sock, sock, -1,
> ++                  options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
> ++                  "authentication agent connection", 1);
> ++      else
> ++#endif
> +       c = channel_new("authentication agent connection",
> +           SSH_CHANNEL_OPEN, sock, sock, -1,
> +           CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
> +@@ -1964,6 +1981,12 @@
> +               return -1;
> +       }
> +
> ++#ifdef HPN_ENABLED
> ++      if (!options.hpn_disabled)
> ++              c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
> ++                  options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
> "tun", 1);
> ++      else
> ++#endif
> +       c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
> +           CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
> +       c->datagram = 1;
> +--- work.clean/openssh-6.8p1/compat.c  2015-03-17 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/compat.c        2015-04-03 16:39:57.665699000 -0500
> +@@ -177,6 +177,14 @@
> +                       debug("match: %s pat %s compat 0x%08x",
> +                           version, check[i].pat, check[i].bugs);
> +                       datafellows = check[i].bugs;    /* XXX for now */
> ++#ifdef HPN_ENABLED
> ++                      /* Check to see if the remote side is OpenSSH and
> not HPN */
> ++                      if (strstr(version,"OpenSSH") != NULL &&
> ++                          strstr(version,"hpn") == NULL) {
> ++                              datafellows |= SSH_BUG_LARGEWINDOW;
> ++                              debug("Remote is NON-HPN aware");
> ++                      }
> ++#endif
> +                       return check[i].bugs;
> +               }
> +       }
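Review bot: SSH_BUG_LARGEWINDOW is OR'd into the global `datafellows` but the function still returns `check[i].bugs`, so a caller that uses the return value rather than the global never sees the flag; return datafellows instead. The detection itself keys off `strstr(version, "hpn")`, which together with the log's fix (no HPN tag in the banner when HPN is disabled in the config) correctly treats such peers as non-HPN.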
> +--- work.clean/openssh-6.8p1/compat.h  2015-03-17 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/compat.h        2015-04-03 16:39:34.780416000 -0500
> +@@ -60,6 +60,9 @@
> + #define SSH_NEW_OPENSSH               0x04000000
> + #define SSH_BUG_DYNAMIC_RPORT 0x08000000
> + #define SSH_BUG_CURVE25519PAD 0x10000000
> ++#ifdef HPN_ENABLED
> ++#define SSH_BUG_LARGEWINDOW     0x20000000
> ++#endif
> +
> + void     enable_compat13(void);
> + void     enable_compat20(void);
> +--- work.clean/openssh-6.8p1/configure.ac      2015-03-17
> 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/configure.ac    2015-04-03 16:36:28.916502000
> -0500
> +@@ -4238,6 +4238,25 @@
> +     ]
> + ) # maildir
> +
> ++#check whether user wants HPN support
> ++HPN_MSG="no"
> ++AC_ARG_WITH(hpn,
> ++      [  --with-hpn             Enable HPN support],
> ++      [ if test "x$withval" != "xno" ; then
> ++              AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.])
> ++              HPN_MSG="yes"
> ++      fi ]
> ++)
> ++#check whether user wants NONECIPHER support
> ++NONECIPHER_MSG="no"
> ++AC_ARG_WITH(nonecipher,
> ++      [  --with-nonecipher             Enable NONECIPHER support],
> ++      [ if test "x$withval" != "xno" ; then
> ++              AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want
> NONECIPHER support.])
> ++              NONECIPHER_MSG="yes"
> ++      fi ]
> ++)
> ++
> + if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
> then
> +       AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
> +       disable_ptmx_check=yes
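Review bot: `--with-nonecipher` defines NONE_CIPHER_ENABLED independently of `--with-hpn`, and its help text only says "Enable NONECIPHER support"; say in the help string that it permits unencrypted session data after authentication so nobody enables it by accident. The column alignment of the two new help strings also differs from each other and from the surrounding AC_ARG_WITH entries.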
> +@@ -4905,6 +4924,8 @@
> + echo "                  BSD Auth support: $BSD_AUTH_MSG"
> + echo "              Random number source: $RAND_MSG"
> + echo "             Privsep sandbox style: $SANDBOX_STYLE"
> ++echo "                       HPN support: $HPN_MSG"
> ++echo "                NONECIPHER support: $NONECIPHER_MSG"
> +
> + echo ""
> +
> +--- work.clean/openssh-6.8p1/kex.c     2015-03-17 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/kex.c   2015-04-03 17:06:44.032682000 -0500
> +@@ -587,6 +587,13 @@
> +       int nenc, nmac, ncomp;
> +       u_int mode, ctos, need, dh_need, authlen;
> +       int r, first_kex_follows;
> ++#ifdef NONE_CIPHER_ENABLED
> ++      /* XXX: Could this move into the lower block? */
> ++      int auth_flag;
> ++
> ++      auth_flag = ssh_packet_authentication_state(ssh);
> ++      debug ("AUTH STATE IS %d", auth_flag);
> ++#endif
> +
> +       if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 ||
> +           (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
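Review bot: the XXX comment asks whether `auth_flag` can move into the lower block; it can, since it is only consulted when the chosen cipher is "none", so compute it there and drop the `debug("AUTH STATE IS %d")` line, which otherwise logs on every key exchange.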
> +@@ -635,6 +642,17 @@
> +               if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
> +                   sprop[ncomp])) != 0)
> +                       goto out;
> ++#ifdef NONE_CIPHER_ENABLED
> ++              debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
> ++              if (strcmp(newkeys->enc.name, "none") == 0) {
> ++                      debug("Requesting NONE. Authflag is %d",
> auth_flag);
> ++                      if (auth_flag == 1) {
> ++                              debug("None requested post
> authentication.");
> ++                      } else {
> ++                              fatal("Pre-authentication none cipher
> requests are not allowed.");
> ++                      }
> ++              }
> ++#endif
> +               debug("kex: %s %s %s %s",
> +                   ctos ? "client->server" : "server->client",
> +                   newkeys->enc.name,
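Review bot: the `fatal("Pre-authentication none cipher requests are not allowed.")` guard is the only thing standing between an unauthenticated peer and a plaintext session, and it runs after `choose_comp` has already accepted the negotiated "none" from the peer's proposal; that is acceptable as a fail-closed backstop, but it deserves a comment saying so, since nothing else in the negotiation path enforces the policy. The `debug("REQUESTED ENC.NAME is '%s'", ...)` and `Requesting NONE. Authflag is %d` messages read as development tracing and should be dropped or moved to `debug2`/`debug3` so the normal `-v` output stays readable.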
> +--- work.clean/openssh-6.8p1/myproposal.h      2015-03-17
> 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/myproposal.h    2015-04-03 16:43:33.747402000 -0500
> +@@ -171,6 +171,10 @@
> + #define       KEX_DEFAULT_COMP        "none,zlib@openssh.com,zlib"
> + #define       KEX_DEFAULT_LANG        ""
> +
> ++#ifdef NONE_CIPHER_ENABLED
> ++#define KEX_ENCRYPT_INCLUDE_NONE KEX_SERVER_ENCRYPT ",none"
> ++#endif
> ++
> + #define KEX_CLIENT \
> +       KEX_CLIENT_KEX, \
> +       KEX_DEFAULT_PK_ALG, \
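Review bot: `KEX_ENCRYPT_INCLUDE_NONE` appends `",none"` to `KEX_SERVER_ENCRYPT` only, but the name does not say it is server-side, and its trailing position in the list gives no protection on its own: in SSH the client's preference order, not the server's, decides which cipher is selected, so placing "none" last does not make it a last resort. The `after_authentication` check in kex.c therefore carries the whole policy, and a comment here should say so rather than let a reader assume the ordering does.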
> +--- work.clean/openssh-6.8p1/packet.c  2015-03-17 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/packet.c        2015-04-03 16:10:57.002066000 -0500
> +@@ -2199,6 +2199,24 @@
> +       }
> + }
> +
> ++#ifdef NONE_CIPHER_ENABLED
> ++/* this supports the forced rekeying required for the NONE cipher */
> ++int rekey_requested = 0;
> ++void
> ++packet_request_rekeying(void)
> ++{
> ++      rekey_requested = 1;
> ++}
> ++
> ++int
> ++ssh_packet_authentication_state(struct ssh *ssh)
> ++{
> ++      struct session_state *state = ssh->state;
> ++
> ++      return(state->after_authentication);
> ++}
> ++#endif
> ++
> + #define MAX_PACKETS   (1U<<31)
> + int
> + ssh_packet_need_rekeying(struct ssh *ssh)
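Review bot: `int rekey_requested = 0;` is a file-scope, non-static global with no `extern` declaration in packet.h, unlike the rest of the packet-layer state in this file, which lives in `struct session_state` precisely so that it is not global; since the same hunk already reaches into `ssh->state` for `after_authentication`, the flag should be a member next to it and `packet_request_rekeying` should take the `struct ssh *`. Minor: `return(state->after_authentication);` should be `return state->after_authentication;` to match the file's style.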
> +@@ -2207,6 +2225,12 @@
> +
> +       if (ssh->compat & SSH_BUG_NOREKEY)
> +               return 0;
> ++#ifdef NONE_CIPHER_ENABLED
> ++        if (rekey_requested == 1) {
> ++               rekey_requested = 0;
> ++               return 1;
> ++        }
> ++#endif
> +       return
> +           (state->p_send.packets > MAX_PACKETS) ||
> +           (state->p_read.packets > MAX_PACKETS) ||
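Review bot: the `rekey_requested == 1` check sits after the `SSH_BUG_NOREKEY` early return, so against a peer with that compat bit a forced rekey is never triggered and the flag stays set indefinitely; that is the safe direction (the session stays on the cipher it negotiated), but `packet_request_rekeying` should then tell its caller that the request cannot be honoured instead of leaving it waiting for a rekey that never comes. Style: the added lines are indented with spaces while the rest of the function uses tabs.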
> +--- work.clean/openssh-6.8p1/packet.h  2015-03-17 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/packet.h        2015-04-03 16:10:34.728161000 -0500
> +@@ -188,6 +188,11 @@
> + int   sshpkt_get_end(struct ssh *ssh);
> + const u_char  *sshpkt_ptr(struct ssh *, size_t *lenp);
> +
> ++#ifdef NONE_CIPHER_ENABLED
> ++void  packet_request_rekeying(void);
> ++int   ssh_packet_authentication_state(struct ssh *ssh);
> ++#endif
> ++
> + /* OLD API */
> + extern struct ssh *active_state;
> + #include "opacket.h"
> +--- work.clean/openssh-6.8p1/readconf.c        2015-04-01
> 22:07:18.135435000 -0500
> ++++ work/openssh-6.8p1/readconf.c      2015-04-03 15:10:44.188916000 -0500
> +@@ -154,6 +154,12 @@
> +       oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
> +       oVisualHostKey, oUseRoaming,
> +       oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
> oProxyUseFdpass,
> ++#ifdef HPN_ENABLED
> ++      oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
> ++#endif
> ++#ifdef NONE_CIPHER_ENABLED
> ++      oNoneSwitch, oNoneEnabled,
> ++#endif
> +       oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
> +       oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
> +       oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
> +@@ -276,6 +282,16 @@
> +       { "fingerprinthash", oFingerprintHash },
> +       { "updatehostkeys", oUpdateHostkeys },
> +       { "hostbasedkeytypes", oHostbasedKeyTypes },
> ++#ifdef NONE_CIPHER_ENABLED
> ++      { "noneenabled", oNoneEnabled },
> ++      { "noneswitch", oNoneSwitch },
> ++#endif
> ++#ifdef HPN_ENABLED
> ++      { "tcprcvbufpoll", oTcpRcvBufPoll },
> ++      { "tcprcvbuf", oTcpRcvBuf },
> ++      { "hpndisabled", oHPNDisabled },
> ++      { "hpnbuffersize", oHPNBufferSize },
> ++#endif
> +       { "ignoreunknown", oIgnoreUnknown },
> +
> +       { NULL, oBadOption }
> +@@ -917,6 +933,44 @@
> +               intptr = &options->check_host_ip;
> +               goto parse_flag;
> +
> ++#ifdef HPN_ENABLED
> ++      case oHPNDisabled:
> ++              intptr = &options->hpn_disabled;
> ++              goto parse_flag;
> ++
> ++      case oHPNBufferSize:
> ++              intptr = &options->hpn_buffer_size;
> ++              goto parse_int;
> ++
> ++      case oTcpRcvBufPoll:
> ++              intptr = &options->tcp_rcv_buf_poll;
> ++              goto parse_flag;
> ++
> ++      case oTcpRcvBuf:
> ++              intptr = &options->tcp_rcv_buf;
> ++              goto parse_int;
> ++#endif
> ++
> ++#ifdef NONE_CIPHER_ENABLED
> ++        case oNoneEnabled:
> ++                      intptr = &options->none_enabled;
> ++                      goto parse_flag;
> ++
> ++              /* we check to see if the command comes from the */
> ++              /* command line or not. If it does then enable it */
> ++              /* otherwise fail. NONE should never be a default
> configuration */
> ++              case oNoneSwitch:
> ++                      if(strcmp(filename,"command-line") == 0) {
> ++                              intptr = &options->none_switch;
> ++                              goto parse_flag;
> ++                      } else {
> ++                              error("NoneSwitch is found in %.200s.\nYou
> may only use this configuration option from the command line", filename);
> ++                              error("Continuing...");
> ++                              debug("NoneSwitch directive found in
> %.200s.", filename);
> ++                              return 0;
> ++                      }
> ++#endif
> ++
> +       case oVerifyHostKeyDNS:
> +               intptr = &options->verify_host_key_dns;
> +               multistate_ptr = multistate_yesnoask;
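Review bot: the comment above `case oNoneSwitch:` says the option should `otherwise fail`, but the code prints `error("Continuing...")` and then `return 0`, which the caller treats as success; given the same comment's own rule that `NONE should never be a default configuration`, the comment is right and the code is wrong: return an error (or `fatal()`) so a `NoneSwitch` found in a config file stops the parse instead of being silently ignored. Also, the `error()` format string embeds a `\n`, which splits one message into a broken second log line, and the `oNoneEnabled`/`oNoneSwitch` cases are indented with spaces at a different depth from the surrounding `case` labels.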
> +@@ -1678,6 +1732,16 @@
> +       options->ip_qos_interactive = -1;
> +       options->ip_qos_bulk = -1;
> +       options->request_tty = -1;
> ++#ifdef NONE_CIPHER_ENABLED
> ++      options->none_switch = -1;
> ++      options->none_enabled = -1;
> ++#endif
> ++#ifdef HPN_ENABLED
> ++      options->hpn_disabled = -1;
> ++      options->hpn_buffer_size = -1;
> ++      options->tcp_rcv_buf_poll = -1;
> ++      options->tcp_rcv_buf = -1;
> ++#endif
> +       options->proxy_use_fdpass = -1;
> +       options->ignored_unknown = NULL;
> +       options->num_canonical_domains = 0;
> +@@ -1838,6 +1902,35 @@
> +               options->server_alive_interval = 0;
> +       if (options->server_alive_count_max == -1)
> +               options->server_alive_count_max = 3;
> ++#ifdef NONE_CIPHER_ENABLED
> ++      if (options->none_switch == -1)
> ++              options->none_switch = 0;
> ++      if (options->none_enabled == -1)
> ++              options->none_enabled = 0;
> ++#endif
> ++#ifdef HPN_ENABLED
> ++      if (options->hpn_disabled == -1)
> ++              options->hpn_disabled = 0;
> ++      if (options->hpn_buffer_size > -1) {
> ++              /* if a user tries to set the size to 0 set it to 1KB */
> ++              if (options->hpn_buffer_size == 0)
> ++                      options->hpn_buffer_size = 1;
> ++              /* limit the buffer to 64MB */
> ++              if (options->hpn_buffer_size > 64*1024) {
> ++                      options->hpn_buffer_size = 64*1024*1024;
> ++                      debug("User requested buffer larger than 64MB.
> Request"
> ++                          " reverted to 64MB");
> ++              } else
> ++                      options->hpn_buffer_size *= 1024;
> ++              debug("hpn_buffer_size set to %d",
> options->hpn_buffer_size);
> ++      }
> ++      if (options->tcp_rcv_buf == 0)
> ++              options->tcp_rcv_buf = 1;
> ++      if (options->tcp_rcv_buf > -1)
> ++              options->tcp_rcv_buf *=1024;
> ++      if (options->tcp_rcv_buf_poll == -1)
> ++              options->tcp_rcv_buf_poll = 1;
> ++#endif
> +       if (options->control_master == -1)
> +               options->control_master = 0;
> +       if (options->control_persist == -1) {
> +--- work.clean/openssh-6.8p1/readconf.h        2015-03-17
> 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/readconf.h      2015-04-03 13:47:45.670125000 -0500
> +@@ -105,6 +105,16 @@
> +       int     clear_forwardings;
> +
> +       int     enable_ssh_keysign;
> ++#ifdef NONE_CIPHER_ENABLED
> ++      int     none_switch;    /* Use none cipher */
> ++      int     none_enabled;   /* Allow none to be used */
> ++#endif
> ++#ifdef HPN_ENABLED
> ++      int     tcp_rcv_buf; /* user switch to set tcp recv buffer */
> ++      int     tcp_rcv_buf_poll; /* Option to poll recv buf every window
> transfer */
> ++      int     hpn_disabled;    /* Switch to disable HPN buffer
> management */
> ++      int     hpn_buffer_size; /* User definable size for HPN buffer
> window */
> ++#endif
> +       int64_t rekey_limit;
> +       int     rekey_interval;
> +       int     no_host_authentication_for_localhost;
> +--- work.clean/openssh-6.8p1/scp.c     2015-03-17 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/scp.c   2015-04-02 16:51:25.108407000 -0500
> +@@ -750,7 +750,7 @@
> +       off_t i, statbytes;
> +       size_t amt, nr;
> +       int fd = -1, haderr, indx;
> +-      char *last, *name, buf[2048], encname[PATH_MAX];
> ++      char *last, *name, buf[16384], encname[PATH_MAX];
> +       int len;
> +
> +       for (indx = 0; indx < argc; ++indx) {
> +@@ -919,7 +919,7 @@
> +       off_t size, statbytes;
> +       unsigned long long ull;
> +       int setimes, targisdir, wrerrno = 0;
> +-      char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
> ++      char ch, *cp, *np, *targ, *why, *vect[1], buf[16384];
> +       struct timeval tv[2];
> +
> + #define       atime   tv[0]
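Review bot: both hunks replace the literal `2048` with `16384` for a stack buffer (`buf[16384]` in the function at line 750 and again in the one at line 919), so the two sizes can drift apart on the next edit; a single `#define` shared by both, with a comment on why 16 KiB was chosen, keeps them in sync. It is also worth confirming that the loops filling `buf` take their bound from `sizeof(buf)` rather than from another copy of the old constant.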
> +--- work.clean/openssh-6.8p1/servconf.c        2015-04-01
> 22:07:18.142441000 -0500
> ++++ work/openssh-6.8p1/servconf.c      2015-04-03 16:32:16.114236000 -0500
> +@@ -160,6 +160,14 @@
> +       options->revoked_keys_file = NULL;
> +       options->trusted_user_ca_keys = NULL;
> +       options->authorized_principals_file = NULL;
> ++#ifdef NONE_CIPHER_ENABLED
> ++      options->none_enabled = -1;
> ++#endif
> ++#ifdef HPN_ENABLED
> ++      options->tcp_rcv_buf_poll = -1;
> ++      options->hpn_disabled = -1;
> ++      options->hpn_buffer_size = -1;
> ++#endif
> +       options->ip_qos_interactive = -1;
> +       options->ip_qos_bulk = -1;
> +       options->version_addendum = NULL;
> +@@ -326,6 +334,57 @@
> +       }
> +       if (options->permit_tun == -1)
> +               options->permit_tun = SSH_TUNMODE_NO;
> ++#ifdef NONE_CIPHER_ENABLED
> ++      if (options->none_enabled == -1)
> ++              options->none_enabled = 0;
> ++#endif
> ++#ifdef HPN_ENABLED
> ++      if (options->hpn_disabled == -1)
> ++              options->hpn_disabled = 0;
> ++
> ++      if (options->hpn_buffer_size == -1) {
> ++              /*
> ++               * option not explicitly set. Now we have to figure out
> ++               * what value to use.
> ++               */
> ++              if (options->hpn_disabled == 1) {
> ++                      options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
> ++              } else {
> ++                      int sock, socksize;
> ++                      socklen_t socksizelen = sizeof(socksize);
> ++
> ++                      /*
> ++                       * get the current RCV size and set it to that
> ++                       * create a socket but don't connect it
> ++                       * we use that the get the rcv socket size
> ++                       */
> ++                      sock = socket(AF_INET, SOCK_STREAM, 0);
> ++                      getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
> ++                          &socksize, &socksizelen);
> ++                      close(sock);
> ++                      options->hpn_buffer_size = socksize;
> ++                      debug ("HPN Buffer Size: %d",
> options->hpn_buffer_size);
> ++              }
> ++      } else {
> ++              /*
> ++               * we have to do this incase the user sets both values in a
> ++               * contradictory manner. hpn_disabled overrrides
> ++               * hpn_buffer_size
> ++               */
> ++              if (options->hpn_disabled <= 0) {
> ++                      if (options->hpn_buffer_size == 0)
> ++                              options->hpn_buffer_size = 1;
> ++                      /* limit the maximum buffer to 64MB */
> ++                      if (options->hpn_buffer_size > 64*1024) {
> ++                              options->hpn_buffer_size = 64*1024*1024;
> ++                      } else {
> ++                              options->hpn_buffer_size *= 1024;
> ++                      }
> ++              } else
> ++                      options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
> ++      }
> ++#endif
> ++
> +       if (options->ip_qos_interactive == -1)
> +               options->ip_qos_interactive = IPTOS_LOWDELAY;
> +       if (options->ip_qos_bulk == -1)
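Review bot: the auto-detection branch calls `socket(AF_INET, SOCK_STREAM, 0)` and `getsockopt(sock, SOL_SOCKET, SO_RCVBUF, ...)` without checking either return value; if the socket cannot be created, `socksize` is used uninitialised as `hpn_buffer_size` and `close(-1)` is called. Check both results and fall back to `CHAN_SES_WINDOW_DEFAULT` on failure. Two smaller points: the two `hpn_disabled` branches default to `CHAN_SES_WINDOW_DEFAULT` in one place and `CHAN_TCP_WINDOW_DEFAULT` in the other with no comment on why they differ, and the 64 MB clamp (`> 64*1024` sets `64*1024*1024`, otherwise `*= 1024`) duplicates the client-side logic in readconf.c, so it should be one shared helper.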
> +@@ -401,6 +460,12 @@
> +       sUsePrivilegeSeparation, sAllowAgentForwarding,
> +       sHostCertificate,
> +       sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
> ++#ifdef NONE_CIPHER_ENABLED
> ++      sNoneEnabled,
> ++#endif
> ++#ifdef HPN_ENABLED
> ++      sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
> ++#endif
> +       sKexAlgorithms, sIPQoS, sVersionAddendum,
> +       sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
> +       sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
> +@@ -529,6 +594,14 @@
> +       { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
> +       { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
> +       { "authorizedprincipalsfile", sAuthorizedPrincipalsFile,
> SSHCFG_ALL },
> ++#ifdef NONE_CIPHER_ENABLED
> ++      { "noneenabled", sNoneEnabled, SSHCFG_ALL },
> ++#endif
> ++#ifdef HPN_ENABLED
> ++      { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
> ++      { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
> ++      { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
> ++#endif
> +       { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
> +       { "ipqos", sIPQoS, SSHCFG_ALL },
> +       { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
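Review bot: `noneenabled`, `hpndisabled`, `hpnbuffersize` and `tcprcvbufpoll` are registered with `SSHCFG_ALL`, which allows them inside `Match` blocks, but none of the visible hunks add the new fields to `copy_set_server_options()`, which copies Match-scoped values into the active options (the output is truncated, so this may simply be out of view); if they are not copied, a `NoneEnabled yes` inside a `Match` block is parsed and then silently ignored, and a `NoneEnabled no` in a Match block cannot narrow a global `yes`. Confirm the copy is there, or register the options `SSHCFG_GLOBAL` like `kexalgorithms` in the same table.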
> +@@ -1113,6 +1186,25 @@
> +               intptr = &options->ignore_user_known_hosts;
> +               goto parse_flag;
> +
> ++#ifdef NONE_CIPHER_ENABLED
> ++      case sNoneEnabled:
> ++              intptr = &options->none_enabled;
> ++              goto parse_flag;
> ++#endif
> ++#ifdef HPN_ENABLED
> ++      case sTcpRcvBufPoll:
> ++              intptr = &options->tcp_rcv_buf_poll;
> ++              goto parse_flag;
> ++
> ++      case sHPNDisabled:
> ++              intptr = &options->hpn_disabled;
> ++              goto parse_flag;
> ++
> ++      case sHPNBufferSize:
> ++              intptr = &options->hpn_buffer_size;
> ++              goto parse_int;
> ++#endif
> ++
> +       case sRhostsRSAAuthentication:
> +               intptr = &options->rhosts_rsa_authentication;
> +               goto parse_flag;
> +--- work.clean/openssh-6.8p1/servconf.h        2015-03-17
> 00:49:20.000000000 -0500
> ++++ work/openssh-6.8p1/servconf.h      2015-04-03 13:48:37.316827000 -0500
>
> *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
>
>


-- 
---------------------------------------------------------------------------------
Curb: Your ride is here
4096R/D1EAB94D 2081 E230 3001 6508 8847  1BBF A0A8 DB0F D1EA B94D
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
Member,                           Apache Software Foundation
Committer,                        FreeBSD Foundation
Consultant,                       P6M7G8 Inc.
Sr. Director IT Operations,       Curb

What doesn't kill us can only make us stronger;
Except it almost kills you.
