- Fix and update HPN patch to latest from upstream but leave it off by

default. - Add an 'hpn' FLAVOR to produce a package for users with HPN and NONECIPHER enabled. Approved by: portmgr (implicit)
svn path=/head/; revision=473485
2025-06-16 02:00:30 -04:00 · 2018-06-28 03:38:32 +00:00 · 2018-06-28 03:38:32 +00:00 · 877e47208a · 2021-03-31 03:12:20 +00:00
commit 877e47208a
parent 66e2bc4899
3 changed files with 308 additions and 283 deletions
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@ -3,7 +3,7 @@
 PORTNAME=	openssh
 DISTVERSION=	7.7p1
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@ -29,10 +29,18 @@ ETCOLD=			${PREFIX}/etc
 BROKEN_SSL=	openssl-devel
 BROKEN_SSL_REASON_openssl-devel=	error: OpenSSL >= 1.1.0 is not yet supported
 FLAVORS=			default hpn
 default_CONFLICTS_INSTALL=	openssl-portable-hpn-[0-9]*
 hpn_CONFLICTS_INSTALL=		openssh-portable-[0-9]*
 hpn_PKGNAMESUFFIX=		-portable-hpn
 OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN X509 KERB_GSSAPI \
 			LDNS NONECIPHER XMSS
 OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS
 .if ${FLAVOR:U} == hpn
 OPTIONS_DEFAULT+=	HPN NONECIPHER
 .endif
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC=	tcp_wrappers support
@ -57,7 +65,6 @@ LDNS_EXTRA_PATCHES=	${FILESDIR}/extra-patch-ldns
 LDNS_CFLAGS=		-I${LOCALBASE}/include
 LDNS_CONFIGURE_ON=	--with-ldflags='-L${LOCALBASE}/lib'
 # http://www.psc.edu/index.php/hpn-ssh
 HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
@ -103,12 +110,12 @@ EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 PATCHFILES+=	openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex
 .endif
-# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
+# https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
-BROKEN=			HPN: Not yet updated for ${DISTVERSION} and disabled in base
+#BROKEN=			HPN: Not yet updated for ${DISTVERSION} and disabled in base
 PORTDOCS+=		HPN-README
-HPN_VERSION=		14v5
+HPN_VERSION=		14v15
-HPN_DISTVERSION=	6.7p1
+HPN_DISTVERSION=	7.7p1
 #PATCH_SITES+=		SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
 #PATCHFILES+=		${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn:-p2
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@ -131,11 +131,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	 (tasota@gmail.com) an NSF REU grant recipient for 2013. 
 +	 This work was financed, in part, by Cisco System, Inc., the National 
 +         Library of Medicine, and the National Science Foundation. 
--- work.clean/openssh-6.8p1/channels.c	2015-03-17 00:49:20.000000000 -0500
+--- work/openssh-7.7p1/channels.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-6.8p1/channels.c	2015-04-03 15:51:59.599537000 -0500
+++ work/openssh-7.7p1/channels.c	2018-06-27 16:37:07.663857000 -0700
-@@ -183,8 +183,14 @@
+@@ -215,6 +215,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
- static int connect_next(struct channel_connect *);
+ /* Setup helper */
- static void channel_connect_ctx_free(struct channel_connect *);
+ static void channel_handler_init(struct ssh_channels *sc);
 +
 +#ifdef HPN_ENABLED
@ -145,25 +145,23 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +
 /* -- channel core */
- Channel *
+ void
- channel_by_id(int id)
+@@ -391,6 +397,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
- {
+ 	c->local_window = window;
@@ -333,6 +339,9 @@
 	c->local_window_max = window;
 	c->local_consumed = 0;
 	c->local_maxpacket = maxpack;
 +#ifdef HPN_ENABLED
 +	c->dynamic_window = 0;
 +#endif
 	c->remote_id = -1;
 	c->remote_name = xstrdup(remote_name);
- 	c->remote_window = 0;
+ 	c->ctl_chan = -1;
-@@ -837,11 +846,41 @@
+ 	c->delayed = 1;		/* prevent call to channel_post handler */
- 		FD_SET(c->sock, writeset);
+@@ -977,6 +986,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
 	FD_SET(c->sock, writeset);
 }
 +#ifdef HPN_ENABLED
-+static u_int
+static int
 +channel_tcpwinsz(void)
 +{
 +	u_int32_t tcpwinsz = 0;
@ -172,56 +170,60 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +
 +	/* if we aren't on a socket return 128KB */
 +	if (!packet_connection_is_on_socket())
-+		return (128*1024);
+		return 128 * 1024;
 +
 +	ret = getsockopt(packet_get_connection_in(),
-+	    SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
+			 SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
-+	/* return no more than SSHBUF_SIZE_MAX */
+	/* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
-+	if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX)
+	if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
 +		tcpwinsz = SSHBUF_SIZE_MAX;
-+	debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
+
-+	    packet_get_connection_in());
+	debug2("tcpwinsz: tcp connection %d, Receive window: %d",
-+	return (tcpwinsz);
+	       packet_get_connection_in(), tcpwinsz);
 +	return tcpwinsz;
 +}
 +#endif
 +
 static void
- channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
+ channel_pre_open(struct ssh *ssh, Channel *c,
- {
+     fd_set *readset, fd_set *writeset)
- 	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
+@@ -2074,21 +2107,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
 +#ifdef HPN_ENABLED
 +	/* check buffer limits */
 +	if (!c->tcpwinsz || c->dynamic_window > 0)
 +		c->tcpwinsz = channel_tcpwinsz();
 +
 +	limit = MIN(limit, 2 * c->tcpwinsz);
 +#endif
 +
 	if (c->istate == CHAN_INPUT_OPEN &&
 	    limit > 0 &&
 	    buffer_len(&c->input) < limit &&
@@ -1846,6 +1885,20 @@
 	    c->local_maxpacket*3) ||
 	    c->local_window < c->local_window_max/2) &&
 	    c->local_consumed > 0) {
 +		u_int addition = 0;
 +#ifdef HPN_ENABLED
 +		u_int32_t tcpwinsz = channel_tcpwinsz();
 +		/* adjust max window size if we are in a dynamic environment */
-+		if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
+		if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
-+			u_int addition = 0;
+			/* grow the window somewhat aggressively to maintain pressure */
-+
+			addition = 1.5 * (tcpwinsz - c->local_window_max);
 +			/*
 +			 * grow the window somewhat aggressively to maintain
 +			 * pressure
 +			 */
 +			addition = 1.5*(c->tcpwinsz - c->local_window_max);
 +			c->local_window_max += addition;
-+			c->local_consumed += addition;
+			debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
 +		}
 +#endif
- 		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
+ 		if (!c->have_remote_id)
- 		packet_put_int(c->remote_id);
+ 			fatal(":%s: channel %d: no remote id",
- 		packet_put_int(c->local_consumed);
+ 			    __func__, c->self);
-@@ -2794,6 +2847,17 @@
+ 		if ((r = sshpkt_start(ssh,
 		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
 		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
 -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
 +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
 		    (r = sshpkt_send(ssh)) != 0) {
 			fatal("%s: channel %i: %s", __func__,
 			    c->self, ssh_err(r));
 		}
 		debug2("channel %d: window %d sent adjust %d",
 		    c->self, c->local_window,
 -		    c->local_consumed);
 -		c->local_window += c->local_consumed;
 +		    c->local_consumed + addition);
 +		c->local_window += c->local_consumed + addition;
 		c->local_consumed = 0;
 	}
 	return 1;
@@ -3258,6 +3302,17 @@ channel_fwd_bind_addr(const char *listen_addr, int *wi
 	return addr;
 }
@ -237,9 +239,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 +
 static int
- channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
+ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
-     int *allocated_listen_port, struct ForwardOptions *fwd_opts)
+     struct Forward *fwd, int *allocated_listen_port,
-@@ -2918,9 +2982,20 @@
+@@ -3398,6 +3453,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
 		}
 		/* Allocate a channel number for the socket. */
@ -249,136 +251,111 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		 * window size.
 +		 */
 +		if (!hpn_disabled)
-+			c = channel_new("port listener", type, sock, sock, -1,
+			c = channel_new(ssh, "port listener", type, sock, sock, -1,
 +			    hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
 +			    0, "port listener", 1);
 +		else
 +#endif
- 		c = channel_new("port listener", type, sock, sock, -1,
+ 		c = channel_new(ssh, "port listener", type, sock, sock, -1,
 		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
 		    0, "port listener", 1);
- 		c->path = xstrdup(host);
+@@ -4457,6 +4523,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
 		c->host_port = fwd->connect_port;
 		c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
@@ -3952,6 +4027,14 @@
 	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
 	for (n = 0; n < num_socks; n++) {
 		sock = socks[n];
 +#ifdef HPN_ENABLED
 +		if (!hpn_disabled)
-+			nc = channel_new("x11 listener",
+			nc = channel_new(ssh, "x11 listener",
 +			    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
 +			    hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
 +			    0, "X11 inet listener", 1);
 +		else
 +#endif
- 		nc = channel_new("x11 listener",
+ 		nc = channel_new(ssh, "x11 listener",
 		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
 		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
--- work.clean/openssh-6.8p1/channels.h	2015-03-17 00:49:20.000000000 -0500
+--- work/openssh-7.7p1/channels.h.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-6.8p1/channels.h	2015-04-03 13:58:44.472717000 -0500
+++ work/openssh-7.7p1/channels.h	2018-06-27 16:38:40.766588000 -0700
-@@ -136,6 +136,10 @@
+@@ -143,6 +143,9 @@ struct Channel {
 	u_int	local_maxpacket;
 	int     extended_usage;
 	int	single_connection;
 +#ifdef HPN_ENABLED
 +	int	dynamic_window;
 +	u_int	tcpwinsz;
 +#endif
 	char   *ctype;		/* type */
-@@ -311,4 +315,9 @@
+@@ -335,5 +338,10 @@ void	 chan_ibuf_empty(struct ssh *, Channel *);
- void	 chan_write_failed(Channel *);
+ void	 chan_rcvd_ieof(struct ssh *, Channel *);
- void	 chan_obuf_empty(Channel *);
+ void	 chan_write_failed(struct ssh *, Channel *);
- 
+ void	 chan_obuf_empty(struct ssh *, Channel *);
 +
 +#ifdef HPN_ENABLED
 +/* hpn handler */
 +void     channel_set_hpn(int, int);
 +#endif
-+
+ 
 #endif
--- work.clean/openssh-6.8p1/cipher.c	2015-03-17 00:49:20.000000000 -0500
+--- work/openssh-7.7p1/cipher.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-6.8p1/cipher.c	2015-04-03 16:22:04.972592000 -0500
+++ work/openssh-7.7p1/cipher.c	2018-06-27 16:55:43.165788000 -0700
-@@ -273,7 +273,13 @@ ciphers_valid(const char *names)
+@@ -212,7 +212,12 @@ ciphers_valid(const char *names)
 	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
 	    (p = strsep(&cp, CIPHER_SEP))) {
 		c = cipher_by_name(p);
 -		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
 +		if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
 +#ifdef NONE_CIPHER_ENABLED
-+				  c->number != SSH_CIPHER_NONE
+		if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 &&
 +		    (c->flags & CFLAG_NONE) != 0)) {
 +#else
-+				  1
+ 		if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
 +#endif
 +				  )) {
 			free(cipher_list);
 			return 0;
 		}
-@@ -605,6 +611,9 @@ cipher_get_keyiv(struct sshcipher_ctx *c
+--- work/openssh-7.7p1/clientloop.c.orig	2018-04-01 22:38:28.000000000 -0700
- 
+++ work/openssh-7.7p1/clientloop.c	2018-06-27 16:40:24.560906000 -0700
- 	switch (c->number) {
+@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
- #ifdef WITH_OPENSSL
+ 	sock = x11_connect_display(ssh);
 +#ifdef NONE_CIPHER_ENABLED
 +	case SSH_CIPHER_NONE:
 +#endif
 	case SSH_CIPHER_SSH2:
 	case SSH_CIPHER_DES:
 	case SSH_CIPHER_BLOWFISH:
@@ -653,6 +662,9 @@ cipher_set_keyiv(struct sshcipher_ctx *c
 	switch (c->number) {
 #ifdef WITH_OPENSSL
 +#ifdef NONE_CIPHER_ENABLED
 +	case SSH_CIPHER_NONE:
 +#endif
 	case SSH_CIPHER_SSH2:
 	case SSH_CIPHER_DES:
 	case SSH_CIPHER_BLOWFISH:
 --- work.clean/openssh-6.8p1/clientloop.c	2015-03-17 00:49:20.000000000 -0500
 +++ work/openssh-6.8p1/clientloop.c	2015-04-03 17:29:40.618489000 -0500
@@ -1909,6 +1909,15 @@
 	sock = x11_connect_display();
 	if (sock < 0)
 		return NULL;
 +#ifdef HPN_ENABLED
 +	/* again is this really necessary for X11? */
 +	if (!options.hpn_disabled)
-+		c = channel_new("x11",
+		c = channel_new(ssh, "x11",
 +		    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 +		    options.hpn_buffer_size,
 +		    CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 +	else
 +#endif
- 	c = channel_new("x11",
+ 	c = channel_new(ssh, "x11",
 	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-@@ -1934,6 +1943,14 @@
+@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
 			    __func__, ssh_err(r));
 		return NULL;
 	}
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		c = channel_new("authentication agent connection",
+		c = channel_new(ssh, "authentication agent connection",
 +		    SSH_CHANNEL_OPEN, sock, sock, -1,
 +		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
 +		    "authentication agent connection", 1);
 +	else
 +#endif
- 	c = channel_new("authentication agent connection",
+ 	c = channel_new(ssh, "authentication agent connection",
 	    SSH_CHANNEL_OPEN, sock, sock, -1,
 	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-@@ -1964,6 +1981,12 @@
+@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
 		return -1;
 	}
 	debug("Tunnel forwarding using interface %s", ifname);
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+		c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 +		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 +	else
 +#endif
- 	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ 	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 	c->datagram = 1;
 --- work.clean/openssh-6.8p1/compat.c	2015-03-17 00:49:20.000000000 -0500
@ -470,9 +447,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 		debug("kex: %s cipher: %s MAC: %s compression: %s",
 		    ctos ? "client->server" : "server->client",
 		    newkeys->enc.name,
--- work.clean/openssh-7.2p1/packet.c.orig	2016-02-25 19:40:04.000000000 -0800
+--- work/openssh-7.7p1/packet.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work.clean/openssh-7.2p1/packet.c	2016-02-29 08:05:15.744201000 -0800
+++ work/openssh-7.7p1/packet.c	2018-06-27 16:42:42.739507000 -0700
-@@ -1037,6 +1037,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
+@@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
 	return 0;
 }
@ -497,11 +474,13 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 #define MAX_PACKETS	(1U<<31)
 static int
 ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -1055,6 +1073,12 @@ ssh_packet_need_rekeying(struct ssh *ssh
+@@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou
 	/* Peer can't rekey */
 	if (ssh->compat & SSH_BUG_NOREKEY)
 		return 0;
 +#ifdef NONE_CIPHER_ENABLED
 +	/* used to force rekeying when called for by the none
 +         * cipher switch methods -cjr */
 +        if (rekey_requested == 1) {
 +               rekey_requested = 0;
 +               return 1;
@ -524,11 +503,21 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 /* OLD API */
 extern struct ssh *active_state;
 #include "opacket.h"
--- work/openssh-6.9p1/readconf.c.orig	2015-07-27 13:32:13.169218000 -0500
+--- work/openssh-7.7p1/readconf.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-6.9p1/readconf.c	2015-07-27 13:33:00.429332000 -0500
+++ work/openssh-7.7p1/readconf.c	2018-06-27 16:58:41.109275000 -0700
-@@ -153,6 +153,12 @@ typedef enum {
+@@ -66,6 +66,9 @@
- 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+ #include "uidswap.h"
- 	oVisualHostKey, oUseRoaming,
+ #include "myproposal.h"
 #include "digest.h"
 +#ifdef HPN_ENABLED
 +#include "sshbuf.h"
 +#endif
 /* Format of the configuration file:
@@ -167,6 +170,12 @@ typedef enum {
 	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
 	oVisualHostKey,
 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
 +#ifdef HPN_ENABLED
 +	oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
@ -539,7 +528,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-@@ -277,6 +283,16 @@ static struct {
+@@ -304,6 +313,16 @@ static struct {
 	{ "updatehostkeys", oUpdateHostkeys },
 	{ "hostbasedkeytypes", oHostbasedKeyTypes },
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
@ -554,9 +543,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	{ "hpnbuffersize", oHPNBufferSize },
 +#endif
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
- 	{ NULL, oBadOption }
+@@ -962,6 +981,44 @@ parse_time:
@@ -906,6 +922,44 @@ parse_time:
 		intptr = &options->check_host_ip;
 		goto parse_flag;
@ -601,7 +590,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	case oVerifyHostKeyDNS:
 		intptr = &options->verify_host_key_dns;
 		multistate_ptr = multistate_yesnoask;
-@@ -1665,6 +1719,16 @@ initialize_options(Options * options)
+@@ -1833,6 +1890,16 @@ initialize_options(Options * options)
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->request_tty = -1;
@ -618,7 +607,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	options->proxy_use_fdpass = -1;
 	options->ignored_unknown = NULL;
 	options->num_canonical_domains = 0;
-@@ -1826,6 +1890,35 @@ fill_default_options(Options * options)
+@@ -1979,6 +2046,34 @@ fill_default_options(Options * options)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
@ -635,11 +624,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		/* if a user tries to set the size to 0 set it to 1KB */
 +		if (options->hpn_buffer_size == 0)
 +			options->hpn_buffer_size = 1;
-+		/* limit the buffer to 64MB */
+		/* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
-+		if (options->hpn_buffer_size > 64*1024) {
+		if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
-+			options->hpn_buffer_size = 64*1024*1024;
+			options->hpn_buffer_size = SSHBUF_SIZE_MAX;
-+			debug("User requested buffer larger than 64MB. Request"
+			debug("User requested buffer larger than 256MB. Request reverted to 256MB");
 +			    " reverted to 64MB");
 +		} else
 +			options->hpn_buffer_size *= 1024;
 +		debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
@ -693,9 +681,19 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	struct timeval tv[2];
 #define	atime	tv[0]
--- work/openssh/servconf.c.orig	2015-05-29 03:27:21.000000000 -0500
+--- work/openssh-7.7p1/servconf.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh/servconf.c	2015-06-02 09:56:36.041601000 -0500
+++ work/openssh-7.7p1/servconf.c	2018-06-27 17:01:05.276677000 -0700
-@@ -159,6 +159,14 @@ initialize_server_options(ServerOptions 
+@@ -63,6 +63,9 @@
 #include "auth.h"
 #include "myproposal.h"
 #include "digest.h"
 +#ifdef HPN_ENABLED
 +#include "sshbuf.h"
 +#endif
 static void add_listen_addr(ServerOptions *, const char *,
     const char *, int);
@@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options)
 	options->authorized_principals_file = NULL;
 	options->authorized_principals_command = NULL;
 	options->authorized_principals_command_user = NULL;
@ -710,7 +708,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
-@@ -319,6 +327,57 @@ fill_default_server_options(ServerOption
+@@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options)
 	}
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
@ -754,9 +752,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		if (options->hpn_disabled <= 0) {
 +			if (options->hpn_buffer_size == 0)
 +				options->hpn_buffer_size = 1;
-+			/* limit the maximum buffer to 64MB */
+			/* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
-+			if (options->hpn_buffer_size > 64*1024) {
+			if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
-+				options->hpn_buffer_size = 64*1024*1024;
+				options->hpn_buffer_size = SSHBUF_SIZE_MAX;
 +			} else {
 +				options->hpn_buffer_size *= 1024;
 +			}
@ -768,7 +766,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	if (options->ip_qos_interactive == -1)
 		options->ip_qos_interactive = IPTOS_LOWDELAY;
 	if (options->ip_qos_bulk == -1)
-@@ -412,6 +471,12 @@ typedef enum {
+@@ -466,6 +528,12 @@ typedef enum {
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
@ -781,7 +779,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-@@ -548,6 +613,14 @@ static struct {
+@@ -603,6 +671,14 @@ static struct {
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@ -796,10 +794,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -1153,6 +1226,25 @@ process_server_config_line(ServerOptions
+@@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha
 	case sIgnoreUserKnownHosts:
 		intptr = &options->ignore_user_known_hosts;
 		goto parse_flag;
- 
+
 +#ifdef NONE_CIPHER_ENABLED
 +	case sNoneEnabled:
 +		intptr = &options->none_enabled;
@ -818,10 +817,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		intptr = &options->hpn_buffer_size;
 +		goto parse_int;
 +#endif
-+
+ 
 	case sHostbasedAuthentication:
 		intptr = &options->hostbased_authentication;
 		goto parse_flag;
 --- work.clean/openssh-6.8p1/servconf.h	2015-03-17 00:49:20.000000000 -0500
 +++ work/openssh-6.8p1/servconf.h	2015-04-03 13:48:37.316827000 -0500
@@ -169,6 +169,15 @@
@ -840,23 +838,23 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	int	permit_tun;
 	int	num_permitted_opens;
--- work.clean/openssh-6.8p1/serverloop.c	2015-03-17 00:49:20.000000000 -0500
+--- work/openssh-7.7p1/serverloop.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-6.8p1/serverloop.c	2015-04-03 17:14:15.182548000 -0500
+++ work/openssh-7.7p1/serverloop.c	2018-06-27 16:53:02.246871000 -0700
-@@ -526,6 +526,12 @@ server_request_tun(void)
+@@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh)
 	sock = tun_open(tun, mode);
 	if (sock < 0)
 		goto done;
 	debug("Tunnel forwarding using interface %s", ifname);
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+		c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
 +		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 +	else
 +#endif
- 	c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ 	c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 	c->datagram = 1;
-@@ -563,6 +569,10 @@ server_request_session(void)
+@@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh)
- 	c = channel_new("session", SSH_CHANNEL_LARVAL,
+ 	c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
 	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
 	    0, "server-session", 1);
 +#ifdef HPN_ENABLED
@ -865,22 +863,22 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 	if (session_open(the_authctxt, c->self) != 1) {
 		debug("session open failed, free channel %d", c->self);
- 		channel_free(c);
+ 		channel_free(ssh, c);
--- work.clean/openssh-6.8p1/session.c	2015-04-01 22:07:18.149110000 -0500
+--- work/openssh-7.7p1/session.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-6.8p1/session.c	2015-04-03 17:09:02.984097000 -0500
+++ work/openssh-7.7p1/session.c	2018-06-27 17:01:40.730347000 -0700
-@@ -2340,6 +2340,14 @@
+@@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s,
 	 */
 	if (s->chanid == -1)
 		fatal("no channel for session %d", s->self);
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		channel_set_fds(s->chanid,
+		channel_set_fds(ssh, s->chanid,
 +		    fdout, fdin, fderr,
 +		    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
 +		    1, is_tty, options.hpn_buffer_size);
 +	else
 +#endif
- 	channel_set_fds(s->chanid,
+ 	channel_set_fds(ssh, s->chanid,
 	    fdout, fdin, fderr,
 	    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
 --- work.clean/openssh-6.8p1/sftp.1	2015-03-17 00:49:20.000000000 -0500
@ -909,9 +907,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 /* File to read commands from */
 FILE* infile;
--- work.clean/openssh-6.8p1/ssh.c	2015-04-01 22:07:18.166356000 -0500
+--- work/openssh-7.7p1/ssh.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-6.8p1/ssh.c	2015-04-03 17:16:34.114673000 -0500
+++ work/openssh-7.7p1/ssh.c	2018-06-27 17:05:30.011979000 -0700
-@@ -885,6 +885,14 @@
+@@ -954,6 +954,14 @@ main(int ac, char **av)
 			break;
 		case 'T':
 			options.request_tty = REQUEST_TTY_NO;
@ -926,80 +924,91 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 			break;
 		case 'o':
 			line = xstrdup(optarg);
-@@ -1848,9 +1856,85 @@
+@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
- 	if (!isatty(err))
+ 	    NULL, fileno(stdin), &command, environ);
- 		set_nonblock(err);
+ }
-+#ifdef HPN_ENABLED
+static void
 +hpn_options_init(void)
 +{
 +	/*
-+	 * we need to check to see if what they want to do about buffer
+	 * We need to check to see if what they want to do about buffer
 +	 * sizes here. In a hpn to nonhpn connection we want to limit
 +	 * the window size to something reasonable in case the far side
 +	 * has the large window bug. In hpn to hpn connection we want to
 +	 * use the max window size but allow the user to override it
-+	 * lastly if they disabled hpn then use the ssh std window size
+	 * lastly if they disabled hpn then use the ssh std window size.
-+
+	 *
-+	 * so why don't we just do a getsockopt() here and set the
+	 * So why don't we just do a getsockopt() here and set the
 +	 * ssh window to that? In the case of a autotuning receive
 +	 * window the window would get stuck at the initial buffer
 +	 * size generally less than 96k. Therefore we need to set the
 +	 * maximum ssh window size to the maximum hpn buffer size
 +	 * unless the user has specifically set the tcprcvbufpoll
 +	 * to no. In which case we *can* just set the window to the
-+	 * minimum of the hpn buffer size and tcp receive buffer size
+	 * minimum of the hpn buffer size and tcp receive buffer size.
 +	 */
 +
 +	if (tty_flag)
 +		options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
 +	else
-+		options.hpn_buffer_size = 2*1024*1024;
+		options.hpn_buffer_size = 2 * 1024 * 1024;
 +
 +	if (datafellows & SSH_BUG_LARGEWINDOW) {
 +		debug("HPN to Non-HPN Connection");
 +	} else {
 +		int sock, socksize;
-+		socklen_t socksizelen = sizeof(socksize);
+		socklen_t socksizelen;
 +
 +		if (options.tcp_rcv_buf_poll <= 0) {
 +			sock = socket(AF_INET, SOCK_STREAM, 0);
 +			socksizelen = sizeof(socksize);
 +			getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+			    &socksize, &socksizelen);
+				   &socksize, &socksizelen);
 +			close(sock);
 +			debug("socksize %d", socksize);
 +			options.hpn_buffer_size = socksize;
-+			debug ("HPNBufferSize set to TCP RWIN: %d",
+			debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
 +			    options.hpn_buffer_size);
 +		} else {
 +			if (options.tcp_rcv_buf > 0) {
 +				/*
-+				 * create a socket but don't connect it.
+				 * Create a socket but don't connect it:
 +				 * we use that the get the rcv socket size
 +				 */
 +				sock = socket(AF_INET, SOCK_STREAM, 0);
 +				/*
-+				 * if they are using the tcp_rcv_buf option
+				 * If they are using the tcp_rcv_buf option,
-+				 * attempt to set the buffer size to that
+				 * attempt to set the buffer size to that.
 +				 */
-+				if (options.tcp_rcv_buf)
+				if (options.tcp_rcv_buf) {
 +					socksizelen = sizeof(options.tcp_rcv_buf);
 +					setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+					    (void *)&options.tcp_rcv_buf,
+						   &options.tcp_rcv_buf, socksizelen);
-+					    sizeof(options.tcp_rcv_buf));
+				}
 +				socksizelen = sizeof(socksize);
 +				getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+				    &socksize, &socksizelen);
+					   &socksize, &socksizelen);
 +				close(sock);
 +				debug("socksize %d", socksize);
 +				options.hpn_buffer_size = socksize;
-+				debug ("HPNBufferSize set to user TCPRcvBuf: "
+				debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
 +				    "%d", options.hpn_buffer_size);
 +			}
 +		}
 +	}
 +
 +	debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
 +
 +	window = options.hpn_buffer_size;
 +
 +	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
 +}
 +
 /* open new channel for a session */
 static int
 ssh_session2_open(struct ssh *ssh)
@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh)
 	if (!isatty(err))
 		set_nonblock(err);
 +#ifdef HPN_ENABLED
 +	window = options.hpn_buffer_size;
 +#else
 	window = CHAN_SES_WINDOW_DEFAULT;
 +#endif
@ -1012,7 +1021,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 		window >>= 1;
 		packetmax >>= 1;
 	}
-@@ -1859,6 +1943,12 @@
+@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh)
 	    window, packetmax, CHAN_EXTENDED_WRITE,
 	    "client-session", /*nonblock*/0);
@ -1022,17 +1031,47 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		debug ("Enabled Dynamic Window Scaling");
 +	}
 +#endif
- 	debug3("ssh_session2_open: channel_new: %d", c->self);
+ 	debug3("%s: channel_new: %d", __func__, c->self);
- 	channel_send_open(c->self);
+ 	channel_send_open(ssh, c->self);
--- work.clean/openssh-6.8p1/sshconnect.c	2015-03-17 00:49:20.000000000 -0500
+@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
-+++ work/openssh-6.8p1/sshconnect.c	2015-04-03 16:32:38.204744000 -0500
+ {
-@@ -266,6 +266,31 @@
+ 	int devnull, id = -1;
- 		kill(proxy_command_pid, SIGHUP);
+ 	char *cp, *tun_fwd_ifname = NULL;
- }
+
 +#ifdef HPN_ENABLED
 +	/*
 +	 * We need to initialize this early because the forwarding logic below
 +	 * might open channels that use the hpn buffer sizes.  We can't send a
 +	 * window of -1 (the default) to the server as it breaks things.
 +	 */
 +	hpn_options_init();
 +#endif
 	/* XXX should be pre-session */
 	if (!options.control_persist)
 --- work/openssh-7.7p1/sshbuf.h.orig	2018-06-27 16:11:24.503058000 -0700
 +++ work/openssh-7.7p1/sshbuf.h	2018-06-27 16:12:01.359375000 -0700
@@ -28,7 +28,11 @@
 # endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
 +#ifdef HPN_ENABLED
-+/*
+#define SSHBUF_SIZE_MAX		0xF000000	/* Hard maximum size 256MB */
 +#else
 #define SSHBUF_SIZE_MAX		0x8000000	/* Hard maximum size */
 +#endif
 #define SSHBUF_REFS_MAX		0x100000	/* Max child buffers */
 #define SSHBUF_MAX_BIGNUM	(16384 / 8)	/* Max bignum *bytes* */
 #define SSHBUF_MAX_ECPOINT	((528 * 2 / 8) + 1) /* Max EC point *bytes* */
 --- work/openssh-7.7p1/sshconnect.c.orig	2018-04-01 22:38:28.000000000 -0700
 +++ work/openssh-7.7p1/sshconnect.c	2018-06-26 15:55:19.103812000 -0700
@@ -337,7 +337,32 @@ check_ifaddrs(const char *ifname, int af, const struct
 }
 #endif
 +#ifdef HPN_ENABLED
 /*
 + * Set TCP receive buffer if requested.
 + * Note: tuning needs to happen after the socket is
 + * created but before the connection happens
@ -1056,10 +1095,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +}
 +#endif
 +
- /*
+/*
  * Creates a (possibly privileged) socket for use as the ssh connection.
  */
-@@ -282,6 +307,11 @@
+ static int
@@ -359,6 +384,11 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
 	}
 	fcntl(sock, F_SETFD, FD_CLOEXEC);
@ -1069,54 +1109,42 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 +
 	/* Bind the socket to an alternative local IP address */
- 	if (options.bind_address == NULL && !privileged)
+ 	if (options.bind_address == NULL && options.bind_interface == NULL &&
- 		return sock;
+ 	    !privileged)
-@@ -523,11 +553,23 @@ send_client_banner(int connection_out, i
+@@ -637,8 +667,14 @@ static void
 send_client_banner(int connection_out, int minor1)
 {
 	/* Send our own protocol version identification. */
- 	if (compat20) {
+-	xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+	xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
-+		xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +#ifdef HPN_ENABLED
-+		    options.hpn_disabled ? "" : SSH_HPN
+	    options.hpn_disabled ? "" : SSH_HPN
 +#else
-+		    ""
+	    ""
 +#endif
-+		    );
+	);
- 	} else {
+ 	if (atomicio(vwrite, connection_out, client_version_string,
 -		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
 -		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
 +		xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\n",
 +		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION,
 +#ifdef HPN_ENABLED
 +		    options.hpn_disabled ? "" : SSH_HPN
 +#else
 +		    ""
 +#endif
 +		    );
 	}
 	if (roaming_atomicio(vwrite, connection_out, client_version_string,
 	    strlen(client_version_string)) != strlen(client_version_string))
--- work.clean/openssh-7.2p1/sshconnect2.c.orig	2016-02-25 19:40:04.000000000 -0800
+ 		fatal("write: %.100s", strerror(errno));
-+++ work.clean/openssh-7.2p1/sshconnect2.c	2016-02-29 08:06:31.134954000 -0800
+--- work/openssh-7.7p1/sshconnect2.c.orig	2018-04-01 22:38:28.000000000 -0700
-@@ -81,6 +81,14 @@
+++ work/openssh-7.7p1/sshconnect2.c	2018-06-27 17:11:17.543893000 -0700
@@ -81,7 +81,13 @@
 extern char *client_version_string;
 extern char *server_version_string;
 extern Options options;
 +#ifdef NONE_CIPHER_ENABLED
 +struct kex *xxx_kex;
 +
 +/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
 +/* if it is set then prevent the switch to the null cipher */
-+
+ 
 +extern int tty_flag;
 +#endif
- 
+
 /*
  * SSH2 key exchange
-@@ -154,14 +162,17 @@ order_hostkeyalgs(char *host, struct soc
+  */
@@ -154,14 +160,17 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
 	return ret;
 }
@ -1135,17 +1163,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	xxx_host = host;
 	xxx_hostaddr = hostaddr;
-@@ -235,6 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -409,6 +418,30 @@ ssh_userauth2(const char *local_user, const char *serv
 	packet_send();
 	packet_write_wait();
 #endif
 +#ifdef NONE_CIPHER_ENABLED
 +	xxx_kex = kex;
 +#endif
 }
 /*
@@ -407,6 +421,29 @@ ssh_userauth2(const char *local_user, co
 	if (!authctxt.success)
 		fatal("Authentication failed.");
@ -1159,9 +1177,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	if ((options.none_switch == 1) && (options.none_enabled == 1)) {
 +		if (!tty_flag) { /* no null on tty sessions */
 +			debug("Requesting none rekeying...");
 +			memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
 +			myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
 +			myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
-+			kex_prop2buf(xxx_kex->my, myproposal);
+			kex_prop2buf(active_state->kex->my, myproposal);
 +			packet_request_rekeying();
 +			fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
 +		} else {
@ -1175,9 +1194,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	debug("Authentication succeeded (%s).", authctxt.method->name);
 }
--- work.clean/openssh-7.1p1/sshd.c.orig	2015-08-20 21:49:03.000000000 -0700
+--- work/openssh-7.7p1/sshd.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work.clean/openssh-7.1p1/sshd.c	2015-11-11 12:45:48.202186000 -0800
+++ work/openssh-7.7p1/sshd.c	2018-06-27 17:13:03.176633000 -0700
-@@ -373,8 +373,13 @@ sshd_exchange_identification(struct ssh 
+@@ -372,8 +372,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock
 	char buf[256];			/* Must not be larger than remote_version. */
 	char remote_version[256];	/* Must be at least as big as buf. */
@ -1192,8 +1211,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	    *options.version_addendum == '\0' ? "" : " ",
 	    options.version_addendum);
-@@ -1027,6 +1032,10 @@ server_listen(void)
+@@ -1025,6 +1030,10 @@ listen_on_addrs(struct listenaddr *la)
- 	int ret, listen_sock, on = 1;
+ 	int ret, listen_sock;
 	struct addrinfo *ai;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
 +#ifdef HPN_ENABLED
@ -1201,9 +1220,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	socklen_t socksizelen = sizeof(socksize);
 +#endif
- 	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
+ 	for (ai = la->addrs; ai; ai = ai->ai_next) {
 		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1072,6 +1081,13 @@ server_listen(void)
+@@ -1070,6 +1079,13 @@ listen_on_addrs(struct listenaddr *la)
 		debug("Bind to port %s on %s.", strport, ntop);
@ -1217,7 +1236,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 		/* Bind the socket to the desired port. */
 		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
 			error("Bind to port %s on %s failed: %.200s.",
-@@ -1596,6 +1612,15 @@ main(int ac, char **av)
+@@ -1634,6 +1650,15 @@ main(int ac, char **av)
 	/* Fill in default values for those options not explicitly set. */
 	fill_default_server_options(&options);
@ -1233,9 +1252,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	/* challenge-response is implemented via keyboard interactive */
 	if (options.challenge_response_authentication)
 		options.kbd_interactive_authentication = 1;
-@@ -2099,6 +2124,11 @@ main(int ac, char **av)
+@@ -2047,6 +2072,11 @@ main(int ac, char **av)
- 	}
+ 	    rdomain == NULL ? "" : "\"");
- #endif
+ 	free(laddr);
 +#ifdef HPN_ENABLED
 +	/* set the HPN options for the child */
@ -1243,20 +1262,20 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 +
 	/*
- 	 * In privilege separation, we fork another child and prepare
+ 	 * We don't want to listen forever unless the other side
- 	 * file descriptor passing.
+ 	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2177,6 +2207,11 @@ do_ssh2_kex(void)
+@@ -2212,6 +2242,11 @@ do_ssh2_kex(void)
 	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
 	struct kex *kex;
 	int r;
- 
+
 +#ifdef NONE_CIPHER_ENABLED
 +        if (options.none_enabled == 1)
 +                debug ("WARNING: None cipher enabled");
 +#endif
-+
+ 
 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 	    options.kex_algorithms);
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
 --- work.clean/openssh-6.8p1/sshd_config	2015-04-01 22:07:18.248858000 -0500
 +++ work/openssh-6.8p1/sshd_config	2015-04-01 22:16:49.932279000 -0500
@@ -111,6 +111,20 @@ AuthorizedKeysFile	.ssh/authorized_keys
@ -1280,11 +1299,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
--- work.clean/openssh-6.8p1/version.h	2015-04-01 22:07:18.258955000 -0500
+--- work/openssh-7.7p1/version.h.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-6.8p1/version.h	2015-04-02 16:51:25.209617000 -0500
+++ work/openssh-7.7p1/version.h	2018-06-27 17:13:57.263086000 -0700
-@@ -3,4 +3,5 @@
+@@ -4,3 +4,4 @@
 #define SSH_VERSION	"OpenSSH_6.8"
 #define SSH_PORTABLE	"p1"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN         "-hpn14v5"
+#define SSH_HPN         "-hpn14v15"
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@ -6,17 +6,17 @@ Changed paths:
 Apply FreeBSD's configuration defaults.
--- servconf.c.orig	2018-06-19 09:26:26 UTC
+--- servconf.c.orig	2018-06-27 17:18:19.513676000 -0700
-+++ servconf.c
+++ servconf.c	2018-06-27 17:19:38.133882000 -0700
-@@ -63,6 +63,7 @@
+@@ -41,6 +41,7 @@
- #include "auth.h"
+ #include <util.h>
- #include "myproposal.h"
+ #endif
 #include "digest.h"
 +#include "version.h"
- static void add_listen_addr(ServerOptions *, const char *,
+#include "version.h"
-     const char *, int);
+ #include "openbsd-compat/sys-queue.h"
-@@ -240,7 +241,11 @@ fill_default_server_options(ServerOption
+ #include "xmalloc.h"
 #include "ssh.h"
@@ -251,7 +252,11 @@ fill_default_server_options(ServerOptions *options)
 	/* Portable-specific options */
 	if (options->use_pam == -1)
@ -28,7 +28,7 @@ Apply FreeBSD's configuration defaults.
 	/* Standard Options */
 	if (options->num_host_key_files == 0) {
-@@ -280,7 +285,7 @@ fill_default_server_options(ServerOption
+@@ -291,7 +296,7 @@ fill_default_server_options(ServerOptions *options)
 	if (options->print_lastlog == -1)
 		options->print_lastlog = 1;
 	if (options->x11_forwarding == -1)
@ -37,7 +37,7 @@ Apply FreeBSD's configuration defaults.
 	if (options->x11_display_offset == -1)
 		options->x11_display_offset = 10;
 	if (options->x11_use_localhost == -1)
-@@ -320,7 +325,11 @@ fill_default_server_options(ServerOption
+@@ -331,7 +336,11 @@ fill_default_server_options(ServerOptions *options)
 	if (options->gss_strict_acceptor == -1)
 		options->gss_strict_acceptor = 1;
 	if (options->password_authentication == -1)