main/openssh: reintroduce dynwindows HPN patch

2 files changed, 265 insertions, 869 deletions

diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 8950a088fb..cb4fb27be5 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openssh
 pkgver=6.2_p2
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=1
+pkgrel=2
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -11,12 +11,13 @@ depends="openssh-client"
 makedepends="openssl-dev zlib-dev"
 subpackages="$pkgname-doc $pkgname-client"
 source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
+	openssh6.2-dynwindows.diff
 	openssh-peaktput.diff
 	openssh-hmac-accel.diff
 	sshd.initd
 	sshd.confd
 	"
-#       openssh-dynwindow_noneswitch.diff
+# HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
 
 _builddir="$srcdir"/$pkgname-$_myver
 prepare() {
@@ -99,16 +100,19 @@ client() {
 }
 
 md5sums="be46174dcbb77ebb4ea88ef140685de1  openssh-6.2p2.tar.gz
+1bf93a2d49f89c4b399ad361bd740921  openssh6.2-dynwindows.diff
 949ff348573438163240c60d6c3618eb  openssh-peaktput.diff
 c65d454dc5b149647273485fc184636d  openssh-hmac-accel.diff
 cb0dd08c413fad346f0c594107b4a2e0  sshd.initd
 b35e9f3829f4cfca07168fcba98749c7  sshd.confd"
 sha256sums="7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b  openssh-6.2p2.tar.gz
+db1ff210e444f91db53e565620f1a5a1570cd1a4b2c34aaba3cf7d79e9d3a045  openssh6.2-dynwindows.diff
 dab18c1fd1496c1ba4a4fe08c6c6b8cf3347fc82878d85498202f50168161f6b  openssh-peaktput.diff
 902ea83a9ef726f32b096280da0f1b722f4372886c65c4e28985ee57e725d95c  openssh-hmac-accel.diff
 3fa062fd4bfac64abf21f3c1d0548f1dfcf3c6e56e84ece14c848f53a293024e  sshd.initd
 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41  sshd.confd"
 sha512sums="80c8fb6bb25e86e8261cc7c6671773cdc0d9b0da9c9ebca33b3d5278c44197734fe32e878e1f444b693c4b49b0a525458aa07e57c231cefafc23a9c6975b05df  openssh-6.2p2.tar.gz
+4eabb5a9d6107a43deb408ebddaa697a0f76c977c0b2b8ce32979e1a2e163b83a932dd34f3fb2f6211d0e443dc1a5f49d4fcb646a80e52a609af497e4923f1d5  openssh6.2-dynwindows.diff
 64f2c94f41225c76428440d778b0bf5657408123d1cd7d6cb4bdf5000bfba8ad80ec5e57acd0880adc7a8ea7e2f1a64e329b83cf8be630b9aaebff6ab138d025  openssh-peaktput.diff
 aaa128126400171d0755038a846672aa7b1e87340edf73a672962d403abf404ef1821466b17da51dde25f04ec7533ae4a653399ccc912ea9c4a7b1a14032e76f  openssh-hmac-accel.diff
 1483e2bcd700da9b02f04508d490b472c816344787bf1675fef2f7e27f72b91e4323e4e8c1db701e47d81d37d6d4b0623eaeac46b2cf589ae5ad69f363baa594  sshd.initd
diff --git a/main/openssh/openssh-dynwindow_noneswitch.diff b/main/openssh/openssh6.2-dynwindows.diff
index f8cd593386..c903d30c13 100644
--- a/main/openssh/openssh-dynwindow_noneswitch.diff
+++ b/main/openssh/openssh6.2-dynwindows.diff
@@ -1,175 +1,6 @@
-diff --git a/HPN-README b/HPN-README
-new file mode 100644
-index 0000000..72d822f
---- /dev/null
-+++ b/HPN-README
-@@ -0,0 +1,128 @@
-+Notes:
-+
-+MULTI-THREADED CIPHER:
-+The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
-+on hosts with multiple cores to use more than one processing core during encryption.
-+Tests have show significant throughput performance increases when using MTR-AES-CTR up
-+to and including a full gigabit per second on quad core systems. It should be possible to
-+achieve full line rate on dual core systems but OS and data management overhead makes this
-+more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
-+thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
-+performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
-+The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
-+nomenclature.
-+Use examples: 	ssh -caes128-ctr you@host.com
-+		scp -oCipher=aes256-ctr file you@host.com:~/file
-+
-+NONE CIPHER:
-+To use the NONE option you must have the NoneEnabled switch set on the server and
-+you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
-+feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
-+spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
-+be disabled.
-+
-+The performance increase will only be as good as the network and TCP stack tuning
-+on the reciever side of the connection allows. As a rule of thumb a user will need
-+at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
-+HPN-SSH home page describes this in greater detail.
-+
-+http://www.psc.edu/networking/projects/hpn-ssh
-+
-+BUFFER SIZES:
-+
-+If HPN is disabled the receive buffer size will be set to the
-+OpenSSH default of 64K.
-+
-+If an HPN system connects to a nonHPN system the receive buffer will
-+be set to the HPNBufferSize value. The default is 2MB but user adjustable.
-+
-+If an HPN to HPN connection is established a number of different things might
-+happen based on the user options and conditions.
-+
-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
-+HPN Buffer Size = up to 64MB
-+This is the default state. The HPN buffer size will grow to a maximum of 64MB
-+as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
-+geared towards 10GigE transcontinental connections.
-+
-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
-+HPN Buffer Size = TCP receive buffer value.
-+Users on non-autotuning systesm should disable TCPRcvBufPoll in the
-+ssh_cofig and sshd_config
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
-+HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
-+This would be the system defined TCP receive buffer (RWIN).
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
-+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
-+Generally there is no need to set both.
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
-+HPN Buffer Size = grows to HPNBufferSize
-+The buffer will grow up to the maximum size specified here.
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
-+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
-+Generally there is no need to set both of these, especially on autotuning
-+systems. However, if the users wishes to override the autotuning this would be
-+one way to do it.
-+
-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
-+HPN Buffer Size = TCPRcvBuf.
-+This will override autotuning and set the TCP recieve buffer to the user defined
-+value.
-+
-+
-+HPN Specific Configuration options
-+
-+TcpRcvBuf=[int]KB client
-+      set the TCP socket receive buffer to n Kilobytes. It can be set up to the
-+maximum socket size allowed by the system. This is useful in situations where
-+the tcp receive window is set low but the maximum buffer size is set
-+higher (as is typical). This works on a per TCP connection basis. You can also
-+use this to artifically limit the transfer rate of the connection. In these
-+cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
-+Default is the current system wide tcp receive buffer size.
-+
-+TcpRcvBufPoll=[yes/no] client/server
-+      enable of disable the polling of the tcp receive buffer through the life
-+of the connection. You would want to make sure that this option is enabled
-+for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
-+default is yes.
-+
-+NoneEnabled=[yes/no] client/server
-+      enable or disable the use of the None cipher. Care must always be used
-+when enabling this as it will allow users to send data in the clear. However,
-+it is important to note that authentication information remains encrypted
-+even if this option is enabled. Set to no by default.
-+
-+NoneSwitch=[yes/no] client
-+     Switch the encryption cipher being used to the None cipher after
-+authentication takes place. NoneEnabled must be enabled on both the client
-+and server side of the connection. When the connection switches to the NONE
-+cipher a warning is sent to STDERR. The connection attempt will fail with an
-+error if a client requests a NoneSwitch from the server that does not explicitly
-+have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
-+interactive (shell) sessions and it will fail silently. Set to no by default.
-+
-+HPNDisabled=[yes/no] client/server
-+     In some situations, such as transfers on a local area network, the impact
-+of the HPN code produces a net decrease in performance. In these cases it is
-+helpful to disable the HPN functionality. By default HPNDisabled is set to no.
-+
-+HPNBufferSize=[int]KB client/server
-+     This is the default buffer size the HPN functionality uses when interacting
-+with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
-+option as applied to the internal SSH flow control. This value can range from
-+1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
-+problems depending on the length of the network path. The default size of this buffer
-+is 2MB.
-+
-+
-+Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
-+         The majority of the actual coding for versions up to HPN12v1 was performed
-+         by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
-+	 implemented by Ben Bennet (ben@psc.edu). This work was financed, in part,
-+         by Cisco System, Inc., the National Library of Medicine,
-+	 and the National Science Foundation.
-diff --git a/auth2.c b/auth2.c
-index e367a10..da46852 100644
---- a/auth2.c
-+++ b/auth2.c
-@@ -49,6 +49,7 @@
- #include "dispatch.h"
- #include "pathnames.h"
- #include "buffer.h"
-+#include "canohost.h"
- 
- #ifdef GSSAPI
- #include "ssh-gss.h"
-@@ -75,6 +76,9 @@ extern Authmethod method_gssapi;
- extern Authmethod method_jpake;
- #endif
- 
-+static int log_flag = 0;
-+
-+
- Authmethod *authmethods[] = {
- 	&method_none,
- 	&method_pubkey,
-@@ -227,6 +231,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
- 	service = packet_get_cstring(NULL);
- 	method = packet_get_cstring(NULL);
- 	debug("userauth-request for user %s service %s method %s", user, service, method);
-+	if (!log_flag) {
-+		logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",
-+		      get_remote_ipaddr(), get_remote_port(), user);
-+		log_flag = 1;
-+	}
- 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
- 
- 	if ((style = strchr(user, ':')) != NULL)
-diff --git a/buffer.c b/buffer.c
-index ae97003..dc21850 100644
---- a/buffer.c
-+++ b/buffer.c
+diff -rNuwpB canonical/buffer.c dynamic/buffer.c
+--- canonical/buffer.c	2010-02-11 17:23:40.000000000 -0500
++++ dynamic/buffer.c	2013-08-14 13:56:39.111508385 -0400
 @@ -127,7 +127,7 @@ restart:
  
  	/* Increase the size of the buffer and retry. */
@@ -179,10 +10,9 @@ index ae97003..dc21850 100644
  		fatal("buffer_append_space: alloc %u not supported",
  		    newlen);
  	buffer->buf = xrealloc(buffer->buf, 1, newlen);
-diff --git a/buffer.h b/buffer.h
-index e2a9dd1..2c0b65c 100644
---- a/buffer.h
-+++ b/buffer.h
+diff -rNuwpB canonical/buffer.h dynamic/buffer.h
+--- canonical/buffer.h	2010-09-09 21:39:27.000000000 -0400
++++ dynamic/buffer.h	2013-08-14 13:56:39.113507594 -0400
 @@ -16,6 +16,9 @@
  #ifndef BUFFER_H
  #define BUFFER_H
@@ -193,11 +23,10 @@ index e2a9dd1..2c0b65c 100644
  typedef struct {
  	u_char	*buf;		/* Buffer for data. */
  	u_int	 alloc;		/* Number of bytes allocated for data. */
-diff --git a/channels.c b/channels.c
-index 9cf85a3..862bfd3 100644
---- a/channels.c
-+++ b/channels.c
-@@ -173,8 +173,14 @@ static void port_open_helper(Channel *c, char *rtype);
+diff -rNuwpB canonical/channels.c dynamic/channels.c
+--- canonical/channels.c	2012-12-02 17:50:55.000000000 -0500
++++ dynamic/channels.c	2013-08-14 13:56:39.132511340 -0400
+@@ -173,8 +173,14 @@ static void port_open_helper(Channel *c,
  static int connect_next(struct channel_connect *);
  static void channel_connect_ctx_free(struct channel_connect *);
  
@@ -212,7 +41,7 @@ index 9cf85a3..862bfd3 100644
  Channel *
  channel_by_id(int id)
  {
-@@ -319,6 +325,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
+@@ -319,6 +325,7 @@ channel_new(char *ctype, int type, int r
  	c->local_window_max = window;
  	c->local_consumed = 0;
  	c->local_maxpacket = maxpack;
@@ -220,7 +49,7 @@ index 9cf85a3..862bfd3 100644
  	c->remote_id = -1;
  	c->remote_name = xstrdup(remote_name);
  	c->remote_window = 0;
-@@ -818,11 +825,35 @@ channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
+@@ -818,11 +825,35 @@ channel_pre_open_13(Channel *c, fd_set *
  		FD_SET(c->sock, writeset);
  }
  
@@ -280,54 +109,7 @@ index 9cf85a3..862bfd3 100644
  		c->local_consumed = 0;
  	}
  	return 1;
-@@ -2173,11 +2211,12 @@ channel_after_select(fd_set *readset, fd_set *writeset)
- 
- 
- /* If there is data to send to the connection, enqueue some of it now. */
--void
-+int
- channel_output_poll(void)
- {
- 	Channel *c;
- 	u_int i, len;
-+	int packet_length = 0;
- 
- 	for (i = 0; i < channels_alloc; i++) {
- 		c = channels[i];
-@@ -2225,7 +2264,7 @@ channel_output_poll(void)
- 					packet_start(SSH2_MSG_CHANNEL_DATA);
- 					packet_put_int(c->remote_id);
- 					packet_put_string(data, dlen);
--					packet_send();
-+					packet_length = packet_send();
- 					c->remote_window -= dlen + 4;
- 					xfree(data);
- 				}
-@@ -2255,7 +2294,7 @@ channel_output_poll(void)
- 				    SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
- 				packet_put_int(c->remote_id);
- 				packet_put_string(buffer_ptr(&c->input), len);
--				packet_send();
-+				packet_length = packet_send();
- 				buffer_consume(&c->input, len);
- 				c->remote_window -= len;
- 			}
-@@ -2290,12 +2329,13 @@ channel_output_poll(void)
- 			packet_put_int(c->remote_id);
- 			packet_put_int(SSH2_EXTENDED_DATA_STDERR);
- 			packet_put_string(buffer_ptr(&c->extended), len);
--			packet_send();
-+			packet_length = packet_send();
- 			buffer_consume(&c->extended, len);
- 			c->remote_window -= len;
- 			debug2("channel %d: sent ext data %d", c->self, len);
- 		}
- 	}
-+	return (packet_length);
- }
- 
- 
-@@ -2719,6 +2759,15 @@ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
+@@ -2719,6 +2757,15 @@ channel_fwd_bind_addr(const char *listen
  	return addr;
  }
  
@@ -343,7 +125,7 @@ index 9cf85a3..862bfd3 100644
  static int
  channel_setup_fwd_listener(int type, const char *listen_addr,
      u_short listen_port, int *allocated_listen_port,
-@@ -2845,9 +2894,15 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
+@@ -2845,9 +2892,15 @@ channel_setup_fwd_listener(int type, con
  		}
  
  		/* Allocate a channel number for the socket. */
@@ -359,7 +141,7 @@ index 9cf85a3..862bfd3 100644
  		c->path = xstrdup(host);
  		c->host_port = port_to_connect;
  		c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
-@@ -3503,10 +3558,17 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
+@@ -3503,10 +3556,17 @@ x11_create_display_inet(int x11_display_
  	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
  	for (n = 0; n < num_socks; n++) {
  		sock = socks[n];
@@ -377,10 +159,9 @@ index 9cf85a3..862bfd3 100644
  		nc->single_connection = single_connection;
  		(*chanids)[n] = nc->self;
  	}
-diff --git a/channels.h b/channels.h
-index d75b800..0a95283 100644
---- a/channels.h
-+++ b/channels.h
+diff -rNuwpB canonical/channels.h dynamic/channels.h
+--- canonical/channels.h	2012-04-21 21:21:10.000000000 -0400
++++ dynamic/channels.h	2013-08-14 13:56:39.115508853 -0400
 @@ -129,8 +129,10 @@ struct Channel {
  	u_int	local_window_max;
  	u_int	local_consumed;
@@ -406,15 +187,6 @@ index d75b800..0a95283 100644
  #define CHAN_X11_PACKET_DEFAULT	(16*1024)
  #define CHAN_X11_WINDOW_DEFAULT	(4*CHAN_X11_PACKET_DEFAULT)
  
-@@ -242,7 +246,7 @@ void	 channel_input_status_confirm(int, u_int32_t, void *);
- void	 channel_prepare_select(fd_set **, fd_set **, int *, u_int*,
- 	     time_t*, int);
- void     channel_after_select(fd_set *, fd_set *);
--void     channel_output_poll(void);
-+int      channel_output_poll(void);
- 
- int      channel_not_very_much_buffered_data(void);
- void     channel_close_all(void);
 @@ -303,4 +307,7 @@ void	 chan_rcvd_ieof(Channel *);
  void	 chan_write_failed(Channel *);
  void	 chan_obuf_empty(Channel *);
@@ -423,41 +195,10 @@ index d75b800..0a95283 100644
 +void     channel_set_hpn(int, int);
 +
  #endif
-diff --git a/cipher.c b/cipher.c
-index 9ca1d00..ad57555 100644
---- a/cipher.c
-+++ b/cipher.c
-@@ -180,7 +180,8 @@ ciphers_valid(const char *names)
- 	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
- 	    (p = strsep(&cp, CIPHER_SEP))) {
- 		c = cipher_by_name(p);
--		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
-+		if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
-+				   c->number != SSH_CIPHER_NONE)) {
- 			debug("bad cipher %s [%s]", p, names);
- 			xfree(cipher_list);
- 			return 0;
-@@ -406,6 +407,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
- 	int evplen;
- 
- 	switch (c->number) {
-+	case SSH_CIPHER_NONE:
- 	case SSH_CIPHER_SSH2:
- 	case SSH_CIPHER_DES:
- 	case SSH_CIPHER_BLOWFISH:
-@@ -442,6 +444,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
- 	int evplen = 0;
- 
- 	switch (c->number) {
-+	case SSH_CIPHER_NONE:
- 	case SSH_CIPHER_SSH2:
- 	case SSH_CIPHER_DES:
- 	case SSH_CIPHER_BLOWFISH:
-diff --git a/clientloop.c b/clientloop.c
-index c1d1d44..15cb3a0 100644
---- a/clientloop.c
-+++ b/clientloop.c
-@@ -1884,9 +1884,15 @@ client_request_x11(const char *request_type, int rchan)
+diff -rNuwpB canonical/clientloop.c dynamic/clientloop.c
+--- canonical/clientloop.c	2013-01-08 23:55:51.000000000 -0500
++++ dynamic/clientloop.c	2013-08-14 13:56:39.135511385 -0400
+@@ -1884,9 +1884,15 @@ client_request_x11(const char *request_t
  	sock = x11_connect_display();
  	if (sock < 0)
  		return NULL;
@@ -473,34 +214,34 @@ index c1d1d44..15cb3a0 100644
  	c->force_drain = 1;
  	return c;
  }
-@@ -1906,9 +1912,15 @@ client_request_agent(const char *request_type, int rchan)
+@@ -1906,9 +1912,15 @@ client_request_agent(const char *request
  	sock = ssh_get_authentication_socket();
  	if (sock < 0)
  		return NULL;
 +	if (options.hpn_disabled)
-+	c = channel_new("authentication agent connection",
-+	    SSH_CHANNEL_OPEN, sock, sock, -1,
-+		    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-+		    "authentication agent connection", 1);
-+	else
  	c = channel_new("authentication agent connection",
  	    SSH_CHANNEL_OPEN, sock, sock, -1,
 -	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
++		    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
++		    "authentication agent connection", 1);
++	else
++	c = channel_new("authentication agent connection",
++	    SSH_CHANNEL_OPEN, sock, sock, -1,
 +	    options.hpn_buffer_size, options.hpn_buffer_size, 0,
  	    "authentication agent connection", 1);
  	c->force_drain = 1;
  	return c;
-@@ -1936,10 +1948,18 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
+@@ -1936,10 +1948,18 @@ client_request_tun_fwd(int tun_mode, int
  		return -1;
  	}
  
 +	if(options.hpn_disabled)
- 	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
--	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
++	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 +				CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
 +				0, "tun", 1);
 +	else
-+	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ 	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 +				options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
 +				0, "tun", 1);
  	c->datagram = 1;
@@ -510,10 +251,9 @@ index c1d1d44..15cb3a0 100644
  #if defined(SSH_TUN_FILTER)
  	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
  		channel_register_filter(c->self, sys_tun_infilter,
-diff --git a/compat.c b/compat.c
-index f680f4f..e9a567c 100644
---- a/compat.c
-+++ b/compat.c
+diff -rNuwpB canonical/compat.c dynamic/compat.c
+--- canonical/compat.c	2012-09-06 07:21:56.000000000 -0400
++++ dynamic/compat.c	2013-08-14 13:56:39.114506902 -0400
 @@ -173,6 +173,15 @@ compat_datafellows(const char *version)
  		    strlen(check[i].pat), 0) == 1) {
  			debug("match: %s pat %s", version, check[i].pat);
@@ -530,10 +270,9 @@ index f680f4f..e9a567c 100644
  			return;
  		}
  	}
-diff --git a/compat.h b/compat.h
-index 3ae5d9c..6a7aeb2 100644
---- a/compat.h
-+++ b/compat.h
+diff -rNuwpB canonical/compat.h dynamic/compat.h
+--- canonical/compat.h	2011-10-02 03:59:03.000000000 -0400
++++ dynamic/compat.h	2013-08-14 13:56:39.137511347 -0400
 @@ -59,6 +59,7 @@
  #define SSH_BUG_RFWD_ADDR	0x02000000
  #define SSH_NEW_OPENSSH		0x04000000
@@ -542,324 +281,166 @@ index 3ae5d9c..6a7aeb2 100644
  
  void     enable_compat13(void);
  void     enable_compat20(void);
-diff --git a/kex.c b/kex.c
-index 57a79dd..1edaecb 100644
---- a/kex.c
-+++ b/kex.c
-@@ -49,6 +49,7 @@
- #include "dispatch.h"
- #include "monitor.h"
- #include "roaming.h"
-+#include "canohost.h"
- 
- #if OPENSSL_VERSION_NUMBER >= 0x00907000L
- # if defined(HAVE_EVP_SHA256)
-@@ -91,7 +92,8 @@ kex_names_valid(const char *names)
- }
- 
- /* put algorithm proposal into buffer */
--static void
-+/* used in sshconnect.c as well as kex.c */
-+void
- kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
- {
- 	u_int i;
-@@ -418,6 +420,13 @@ kex_choose_conf(Kex *kex)
- 	int nenc, nmac, ncomp;
- 	u_int mode, ctos, need, authlen;
- 	int first_kex_follows, type;
-+	int log_flag = 0;
+diff -rNuwpB canonical/HPN-README dynamic/HPN-README
+--- canonical/HPN-README	1969-12-31 19:00:00.000000000 -0500
++++ dynamic/HPN-README	2013-08-14 13:56:39.121511284 -0400
+@@ -0,0 +1,129 @@
++Notes:
 +
-+	int auth_flag;
++MULTI-THREADED CIPHER:
++The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
++on hosts with multiple cores to use more than one processing core during encryption. 
++Tests have show significant throughput performance increases when using MTR-AES-CTR up 
++to and including a full gigabit per second on quad core systems. It should be possible to 
++achieve full line rate on dual core systems but OS and data management overhead makes this
++more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single 
++thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal 
++performance requires the MTR-AES-CTR mode be enabled on both ends of the connection. 
++The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
++nomenclature. 
++Use examples: 	ssh -caes128-ctr you@host.com
++		scp -oCipher=aes256-ctr file you@host.com:~/file
 +
-+	auth_flag = packet_authentication_state();
++NONE CIPHER:
++To use the NONE option you must have the NoneEnabled switch set on the server and
++you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
++feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not 
++spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
++be disabled. 
 +
-+	debug ("AUTH STATE IS %d", auth_flag);
- 
- 	my   = kex_buf2prop(&kex->my, NULL);
- 	peer = kex_buf2prop(&kex->peer, &first_kex_follows);
-@@ -455,11 +464,34 @@ kex_choose_conf(Kex *kex)
- 		if (authlen == 0)
- 			choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
- 		choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
-+		debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
-+		if (strcmp(newkeys->enc.name, "none") == 0) {
-+			debug("Requesting NONE. Authflag is %d", auth_flag);
-+			if (auth_flag == 1) {
-+				debug("None requested post authentication.");
-+			} else {
-+				fatal("Pre-authentication none cipher requests are not allowed.");
-+			}
-+		}
- 		debug("kex: %s %s %s %s",
- 		    ctos ? "client->server" : "server->client",
- 		    newkeys->enc.name,
- 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
- 		    newkeys->comp.name);
-+		/* client starts withctos = 0 && log flag = 0 and no log*/
-+		/* 2nd client pass ctos=1 and flag = 1 so no log*/
-+		/* server starts with ctos =1 && log_flag = 0 so log */
-+		/* 2nd sever pass ctos = 1 && log flag = 1 so no log*/
-+		/* -cjr*/
-+		if (ctos && !log_flag) {
-+			logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
-+			      get_remote_ipaddr(),
-+			      get_remote_port(),
-+			      newkeys->enc.name,
-+			      newkeys->mac.name,
-+			      newkeys->comp.name);
-+		}
-+		log_flag = 1;
- 	}
- 	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
- 	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
-diff --git a/kex.h b/kex.h
-index 46731fa..fafe115 100644
---- a/kex.h
-+++ b/kex.h
-@@ -142,6 +142,8 @@ struct Kex {
- 
- int	 kex_names_valid(const char *);
- 
-+void kex_prop2buf(Buffer *, char *proposal[PROPOSAL_MAX]);
++The performance increase will only be as good as the network and TCP stack tuning
++on the reciever side of the connection allows. As a rule of thumb a user will need 
++at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
++HPN-SSH home page describes this in greater detail. 
 +
- Kex	*kex_setup(char *[PROPOSAL_MAX]);
- void	 kex_finish(Kex *);
- 
-diff --git a/myproposal.h b/myproposal.h
-index 99d0934..9358dc3 100644
---- a/myproposal.h
-+++ b/myproposal.h
-@@ -106,6 +106,8 @@
- #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com,zlib"
- #define	KEX_DEFAULT_LANG	""
- 
-+#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \
-+	",none"
- 
- static char *myproposal[PROPOSAL_MAX] = {
- 	KEX_DEFAULT_KEX,
-diff --git a/packet.c b/packet.c
-index 9326dde..dc9dd8d 100644
---- a/packet.c
-+++ b/packet.c
-@@ -841,7 +841,7 @@ packet_enable_delayed_compress(void)
- /*
-  * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
-  */
--static void
-+static int
- packet_send2_wrapped(void)
- {
- 	u_char type, *cp, *macbuf = NULL;
-@@ -972,11 +972,13 @@ packet_send2_wrapped(void)
- 		set_newkeys(MODE_OUT);
- 	else if (type == SSH2_MSG_USERAUTH_SUCCESS && active_state->server_side)
- 		packet_enable_delayed_compress();
-+	return len - 4;
- }
- 
--static void
-+static int
- packet_send2(void)
- {
-+	int packet_length = 0;
- 	struct packet *p;
- 	u_char type, *cp;
- 
-@@ -996,7 +998,7 @@ packet_send2(void)
- 			    sizeof(Buffer));
- 			buffer_init(&active_state->outgoing_packet);
- 			TAILQ_INSERT_TAIL(&active_state->outgoing, p, next);
--			return;
-+			return(sizeof(Buffer));
- 		}
- 	}
- 
-@@ -1004,7 +1006,7 @@ packet_send2(void)
- 	if (type == SSH2_MSG_KEXINIT)
- 		active_state->rekeying = 1;
- 
--	packet_send2_wrapped();
-+	packet_length = packet_send2_wrapped();
- 
- 	/* after a NEWKEYS message we can send the complete queue */
- 	if (type == SSH2_MSG_NEWKEYS) {
-@@ -1017,19 +1019,22 @@ packet_send2(void)
- 			    sizeof(Buffer));
- 			TAILQ_REMOVE(&active_state->outgoing, p, next);
- 			xfree(p);
--			packet_send2_wrapped();
-+			packet_length += packet_send2_wrapped();
- 		}
- 	}
-+	return(packet_length);
- }
- 
--void
-+int
- packet_send(void)
- {
-+	int packet_len = 0;
- 	if (compat20)
--		packet_send2();
-+		packet_len = packet_send2();
- 	else
- 		packet_send1();
- 	DBG(debug("packet_send done"));
-+	return(packet_len);
- }
- 
- /*
-@@ -1697,7 +1702,7 @@ packet_disconnect(const char *fmt,...)
- 
- /* Checks if there is any buffered output, and tries to write some of the output. */
- 
--void
-+int
- packet_write_poll(void)
- {
- 	int len = buffer_len(&active_state->output);
-@@ -1710,13 +1715,14 @@ packet_write_poll(void)
- 		if (len == -1) {
- 			if (errno == EINTR || errno == EAGAIN ||
- 			    errno == EWOULDBLOCK)
--				return;
-+				return(0);
- 			fatal("Write failed: %.100s", strerror(errno));
- 		}
- 		if (len == 0 && !cont)
- 			fatal("Write connection closed");
- 		buffer_consume(&active_state->output, len);
- 	}
-+	return(len);
- }
- 
- /*
-@@ -1917,12 +1923,24 @@ packet_send_ignore(int nbytes)
- 	}
- }
- 
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+	rekey_requested = 1;
-+}
++http://www.psc.edu/networking/projects/hpn-ssh
 +
- #define MAX_PACKETS	(1U<<31)
- int
- packet_need_rekeying(void)
- {
- 	if (datafellows & SSH_BUG_NOREKEY)
- 		return 0;
-+	if (rekey_requested == 1)
-+	{
-+		rekey_requested = 0;
-+		return 1;
-+	}
- 	return
- 	    (active_state->p_send.packets > MAX_PACKETS) ||
- 	    (active_state->p_read.packets > MAX_PACKETS) ||
-@@ -2014,3 +2032,9 @@ packet_restore_state(void)
- 		add_recv_bytes(len);
- 	}
- }
++BUFFER SIZES:
 +
-+int
-+packet_authentication_state(void)
-+{
-+	return(active_state->after_authentication);
-+}
-diff --git a/packet.h b/packet.h
-index 09ba079..d3833dd 100644
---- a/packet.h
-+++ b/packet.h
-@@ -23,6 +23,9 @@
- #include <openssl/ec.h>
- #endif
- 
-+void
-+packet_request_rekeying(void);
-+
- void     packet_set_connection(int, int);
- void     packet_set_timeout(int, int);
- void     packet_set_nonblocking(void);
-@@ -38,6 +41,7 @@ void     packet_set_interactive(int, int, int);
- int      packet_is_interactive(void);
- void     packet_set_server(void);
- void     packet_set_authenticated(void);
-+int	 packet_authentication_state(void);
- 
- void     packet_start(u_char);
- void     packet_put_char(int ch);
-@@ -51,7 +55,7 @@ void     packet_put_ecpoint(const EC_GROUP *, const EC_POINT *);
- void     packet_put_string(const void *buf, u_int len);
- void     packet_put_cstring(const char *str);
- void     packet_put_raw(const void *buf, u_int len);
--void     packet_send(void);
-+int      packet_send(void);
- 
- int      packet_read(void);
- void     packet_read_expect(int type);
-@@ -85,7 +89,7 @@ int	 packet_get_ssh1_cipher(void);
- void	 packet_set_iv(int, u_char *);
- void	*packet_get_newkeys(int);
- 
--void     packet_write_poll(void);
-+int      packet_write_poll(void);
- void     packet_write_wait(void);
- int      packet_have_data_to_write(void);
- int      packet_not_very_much_data_to_write(void);
-diff --git a/readconf.c b/readconf.c
-index 097bb05..b9b2fd6 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -135,6 +135,8 @@ typedef enum {
++If HPN is disabled the receive buffer size will be set to the 
++OpenSSH default of 64K.
++
++If an HPN system connects to a nonHPN system the receive buffer will
++be set to the HPNBufferSize value. The default is 2MB but user adjustable.
++
++If an HPN to HPN connection is established a number of different things might
++happen based on the user options and conditions. 
++
++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set 
++HPN Buffer Size = up to 64MB 
++This is the default state. The HPN buffer size will grow to a maximum of 64MB 
++as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is 
++geared towards 10GigE transcontinental connections. 
++
++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
++HPN Buffer Size = TCP receive buffer value. 
++Users on non-autotuning systesm should disable TCPRcvBufPoll in the 
++ssh_cofig and sshd_config
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
++HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. 
++This would be the system defined TCP receive buffer (RWIN).
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. 
++Generally there is no need to set both.
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
++HPN Buffer Size = grows to HPNBufferSize
++The buffer will grow up to the maximum size specified here. 
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. 
++Generally there is no need to set both of these, especially on autotuning 
++systems. However, if the users wishes to override the autotuning this would be 
++one way to do it.
++
++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
++HPN Buffer Size = TCPRcvBuf. 
++This will override autotuning and set the TCP recieve buffer to the user defined 
++value.
++
++
++HPN Specific Configuration options
++
++TcpRcvBuf=[int]KB client
++      set the TCP socket receive buffer to n Kilobytes. It can be set up to the 
++maximum socket size allowed by the system. This is useful in situations where 
++the tcp receive window is set low but the maximum buffer size is set 
++higher (as is typical). This works on a per TCP connection basis. You can also 
++use this to artifically limit the transfer rate of the connection. In these 
++cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB. 
++Default is the current system wide tcp receive buffer size.
++
++TcpRcvBufPoll=[yes/no] client/server
++      enable of disable the polling of the tcp receive buffer through the life 
++of the connection. You would want to make sure that this option is enabled 
++for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista) 
++default is yes.
++
++NoneEnabled=[yes/no] client/server
++      enable or disable the use of the None cipher. Care must always be used 
++when enabling this as it will allow users to send data in the clear. However, 
++it is important to note that authentication information remains encrypted 
++even if this option is enabled. Set to no by default.
++
++NoneSwitch=[yes/no] client
++     Switch the encryption cipher being used to the None cipher after
++authentication takes place. NoneEnabled must be enabled on both the client
++and server side of the connection. When the connection switches to the NONE
++cipher a warning is sent to STDERR. The connection attempt will fail with an
++error if a client requests a NoneSwitch from the server that does not explicitly
++have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
++interactive (shell) sessions and it will fail silently. Set to no by default.
++
++HPNDisabled=[yes/no] client/server
++     In some situations, such as transfers on a local area network, the impact 
++of the HPN code produces a net decrease in performance. In these cases it is 
++helpful to disable the HPN functionality. By default HPNDisabled is set to no. 
++
++HPNBufferSize=[int]KB client/server
++     This is the default buffer size the HPN functionality uses when interacting
++with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
++option as applied to the internal SSH flow control. This value can range from 
++1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
++problems depending on the length of the network path. The default size of this buffer
++is 2MB.
++
++
++Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
++         The majority of the actual coding for versions up to HPN12v1 was performed
++         by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was 
++	 implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota 
++	 (tasota@gmail.com) an NSF REU grant recipient for 2013. 
++	 This work was financed, in part, by Cisco System, Inc., the National 
++         Library of Medicine, and the National Science Foundation. 
+diff -rNuwpB canonical/readconf.c dynamic/readconf.c
+--- canonical/readconf.c	2013-04-04 20:18:58.000000000 -0400
++++ dynamic/readconf.c	2013-08-14 14:06:00.895326378 -0400
+@@ -135,6 +135,7 @@ typedef enum {
  	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
  	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
  	oKexAlgorithms, oIPQoS, oRequestTTY,
-+	oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
-+	oHPNBufferSize,
++	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
  	oDeprecated, oUnsupported
  } OpCodes;
  
-@@ -247,6 +249,13 @@ static struct {
+@@ -247,6 +248,11 @@ static struct {
  	{ "ipqos", oIPQoS },
  	{ "requesttty", oRequestTTY },
  
-+	{ "noneenabled", oNoneEnabled },
 +	{ "tcprcvbufpoll", oTcpRcvBufPoll },
 +	{ "tcprcvbuf", oTcpRcvBuf },
-+	{ "noneswitch", oNoneSwitch },
 +	{ "hpndisabled", oHPNDisabled },
 +	{ "hpnbuffersize", oHPNBufferSize },
 +
  	{ NULL, oBadOption }
  };
  
-@@ -495,6 +504,36 @@ parse_flag:
+@@ -515,6 +521,18 @@ parse_flag:
  		intptr = &options->check_host_ip;
  		goto parse_flag;
  
-+	case oNoneEnabled:
-+		intptr = &options->none_enabled;
-+		goto parse_flag;
-+ 
-+	/* we check to see if the command comes from the */
-+	/* command line or not. If it does then enable it */
-+	/* otherwise fail. NONE should never be a default configuration */
-+	case oNoneSwitch:
-+		if(strcmp(filename,"command-line") == 0) {
-+			intptr = &options->none_switch;
-+			goto parse_flag;
-+		} else {
-+			error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
-+			error("Continuing...");
-+			debug("NoneSwitch directive found in %.200s.", filename);
-+			return 0;
-+		}
-+
 +	case oHPNDisabled:
 +		intptr = &options->hpn_disabled;
 +		goto parse_flag;
@@ -875,7 +456,7 @@ index 097bb05..b9b2fd6 100644
  	case oVerifyHostKeyDNS:
  		intptr = &options->verify_host_key_dns;
  		goto parse_yesnoask;
-@@ -680,6 +719,10 @@ parse_int:
+@@ -698,6 +716,10 @@ parse_int:
  		intptr = &options->connection_attempts;
  		goto parse_int;
  
@@ -886,13 +467,11 @@ index 097bb05..b9b2fd6 100644
  	case oCipher:
  		intptr = &options->cipher;
  		arg = strdelim(&s);
-@@ -1203,6 +1246,13 @@ initialize_options(Options * options)
+@@ -1222,6 +1244,11 @@ initialize_options(Options * options)
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->request_tty = -1;
 +
-+	options->none_switch = -1;
-+	options->none_enabled = -1;
 +	options->hpn_disabled = -1;
 +	options->hpn_buffer_size = -1;
 +	options->tcp_rcv_buf_poll = -1;
@@ -900,25 +479,24 @@ index 097bb05..b9b2fd6 100644
  }
  
  /*
-@@ -1339,6 +1389,29 @@ fill_default_options(Options * options)
+@@ -1345,6 +1372,28 @@ fill_default_options(Options * options)
  		options->server_alive_interval = 0;
  	if (options->server_alive_count_max == -1)
  		options->server_alive_count_max = 3;
-+	if (options->none_switch == -1)
-+	        options->none_switch = 0;
 +	if (options->hpn_disabled == -1)
 +	        options->hpn_disabled = 0;
 +	if (options->hpn_buffer_size > -1)
 +	{
 +	  /* if a user tries to set the size to 0 set it to 1KB */
 +		if (options->hpn_buffer_size == 0)
-+		options->hpn_buffer_size = 1024;
++		options->hpn_buffer_size = 1;
 +		/*limit the buffer to 64MB*/
-+		if (options->hpn_buffer_size > 65536)
++		if (options->hpn_buffer_size > 64*1024)
 +		{
-+			options->hpn_buffer_size = 65536*1024;
++			options->hpn_buffer_size = 64*1024*1024;
 +			debug("User requested buffer larger than 64MB. Request reverted to 64MB");
 +		}
++		else options->hpn_buffer_size *= 1024;
 +		debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
 +	}
 +	if (options->tcp_rcv_buf == 0)
@@ -930,10 +508,9 @@ index 097bb05..b9b2fd6 100644
  	if (options->control_master == -1)
  		options->control_master = 0;
  	if (options->control_persist == -1) {
-diff --git a/readconf.h b/readconf.h
-index be30ee0..6480539 100644
---- a/readconf.h
-+++ b/readconf.h
+diff -rNuwpB canonical/readconf.h dynamic/readconf.h
+--- canonical/readconf.h	2013-04-04 20:18:58.000000000 -0400
++++ dynamic/readconf.h	2013-08-14 14:06:26.768478684 -0400
 @@ -61,6 +61,10 @@ typedef struct {
  	int     compression_level;	/* Compression level 1 (fast) to 9
  					 * (best). */
@@ -945,19 +522,9 @@ index be30ee0..6480539 100644
  	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
  	LogLevel log_level;	/* Level for logging. */
-@@ -109,6 +113,8 @@ typedef struct {
- 
- 	int	enable_ssh_keysign;
- 	int64_t rekey_limit;
-+	int     none_switch;    /* Use none cipher */
-+	int     none_enabled;   /* Allow none to be used */
- 	int	no_host_authentication_for_localhost;
- 	int	identities_only;
- 	int	server_alive_interval;
-diff --git a/scp.c b/scp.c
-index 645d740..0cd0666 100644
---- a/scp.c
-+++ b/scp.c
+diff -rNuwpB canonical/scp.c dynamic/scp.c
+--- canonical/scp.c	2013-03-19 21:55:15.000000000 -0400
++++ dynamic/scp.c	2013-08-14 13:56:39.131511381 -0400
 @@ -731,7 +731,7 @@ source(int argc, char **argv)
  	off_t i, statbytes;
  	size_t amt;
@@ -976,22 +543,20 @@ index 645d740..0cd0666 100644
  	struct timeval tv[2];
  
  #define	atime	tv[0]
-diff --git a/servconf.c b/servconf.c
-index b2a60fd..0f150c5 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -143,6 +143,10 @@ initialize_server_options(ServerOptions *options)
+diff -rNuwpB canonical/servconf.c dynamic/servconf.c
+--- canonical/servconf.c	2013-02-11 19:02:08.000000000 -0500
++++ dynamic/servconf.c	2013-08-14 14:07:46.843512578 -0400
+@@ -143,6 +143,9 @@ initialize_server_options(ServerOptions 
  	options->revoked_keys_file = NULL;
  	options->trusted_user_ca_keys = NULL;
  	options->authorized_principals_file = NULL;
-+	options->none_enabled = -1;
 +	options->tcp_rcv_buf_poll = -1;
 +	options->hpn_disabled = -1;
 +	options->hpn_buffer_size = -1;
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->version_addendum = NULL;
-@@ -151,6 +155,11 @@ initialize_server_options(ServerOptions *options)
+@@ -151,6 +154,11 @@ initialize_server_options(ServerOptions 
  void
  fill_default_server_options(ServerOptions *options)
  {
@@ -1003,12 +568,13 @@ index b2a60fd..0f150c5 100644
  	/* Portable-specific options */
  	if (options->use_pam == -1)
  		options->use_pam = 0;
-@@ -291,6 +300,40 @@ fill_default_server_options(ServerOptions *options)
- 	if (use_privsep == -1)
- 		use_privsep = PRIVSEP_NOSANDBOX;
- 
-+	if (options->hpn_disabled == -1)
+@@ -281,6 +289,43 @@ fill_default_server_options(ServerOption
+ 		options->permit_tun = SSH_TUNMODE_NO;
+ 	if (options->zero_knowledge_password_authentication == -1)
+ 		options->zero_knowledge_password_authentication = 0;
++	if (options->hpn_disabled == -1) 
 +		options->hpn_disabled = 0;
++
 +	if (options->hpn_buffer_size == -1) {
 +		/* option not explicitly set. Now we have to figure out */
 +		/* what value to use */
@@ -1019,12 +585,13 @@ index b2a60fd..0f150c5 100644
 +			/*create a socket but don't connect it */
 +			/* we use that the get the rcv socket size */
 +			sock = socket(AF_INET, SOCK_STREAM, 0);
-+			getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
++			getsockopt(sock, SOL_SOCKET, SO_RCVBUF, 
 +				   &socksize, &socksizelen);
 +			close(sock);
 +			options->hpn_buffer_size = socksize;
 +			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
-+		}
++			
++		} 
 +	} else {
 +		/* we have to do this incase the user sets both values in a contradictory */
 +		/* manner. hpn_disabled overrrides hpn_buffer_size*/
@@ -1041,43 +608,40 @@ index b2a60fd..0f150c5 100644
 +			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
 +	}
 +
- #ifndef HAVE_MMAP
- 	if (use_privsep && options->compression == 1) {
- 		error("This platform does not support both privilege "
-@@ -332,6 +375,7 @@ typedef enum {
++
+ 	if (options->ip_qos_interactive == -1)
+ 		options->ip_qos_interactive = IPTOS_LOWDELAY;
+ 	if (options->ip_qos_bulk == -1)
+@@ -332,6 +377,7 @@ typedef enum {
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
  	sZeroKnowledgePasswordAuthentication, sHostCertificate,
  	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
-+	sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
++	sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
  	sKexAlgorithms, sIPQoS, sVersionAddendum,
  	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
  	sAuthenticationMethods,
-@@ -457,6 +501,10 @@ static struct {
+@@ -457,6 +503,9 @@ static struct {
  	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-+	{ "noneenabled", sNoneEnabled, SSHCFG_ALL },
 +	{ "hpndisabled", sHPNDisabled, SSHCFG_ALL },
 +	{ "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
 +	{ "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
  	{ "ipqos", sIPQoS, SSHCFG_ALL },
  	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -489,6 +537,7 @@ parse_token(const char *cp, const char *filename,
+@@ -489,6 +538,7 @@ parse_token(const char *cp, const char *
  
  	for (i = 0; keywords[i].name; i++)
  		if (strcasecmp(cp, keywords[i].name) == 0) {
-+		        debug ("Config token is %s", keywords[i].name);
++			debug ("Config token is %s", keywords[i].name);
  			*flags = keywords[i].flags;
  			return keywords[i].opcode;
  		}
-@@ -1005,6 +1054,22 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1005,6 +1055,19 @@ process_server_config_line(ServerOptions
  			*intptr = value;
  		break;
  
-+	case sNoneEnabled:
-+		intptr = &options->none_enabled;
-+		goto parse_flag;
 +
 +	case sTcpRcvBufPoll:
 +		intptr = &options->tcp_rcv_buf_poll;
@@ -1094,110 +658,23 @@ index b2a60fd..0f150c5 100644
  	case sIgnoreUserKnownHosts:
  		intptr = &options->ignore_user_known_hosts;
  		goto parse_flag;
-diff --git a/servconf.h b/servconf.h
-index 870c709..f042fe4 100644
---- a/servconf.h
-+++ b/servconf.h
-@@ -164,6 +164,10 @@ typedef struct {
+diff -rNuwpB canonical/servconf.h dynamic/servconf.h
+--- canonical/servconf.h	2013-01-08 23:56:45.000000000 -0500
++++ dynamic/servconf.h	2013-08-14 14:08:00.893421688 -0400
+@@ -164,6 +164,9 @@ typedef struct {
  	char   *adm_forced_command;
  
  	int	use_pam;		/* Enable auth via PAM */
-+        int     none_enabled;           /* enable NONE cipher switch */
 +        int     tcp_rcv_buf_poll;       /* poll tcp rcv window in autotuning kernels*/
 +	int	hpn_disabled;		/* disable hpn functionality. false by default */
 +	int	hpn_buffer_size;	/* set the hpn buffer size - default 3MB */
  
  	int	permit_tun;
  
-diff --git a/serverloop.c b/serverloop.c
-index e224bd0..4d642d5 100644
---- a/serverloop.c
-+++ b/serverloop.c
-@@ -94,10 +94,10 @@ static int fdin;		/* Descriptor for stdin (for writing) */
- static int fdout;		/* Descriptor for stdout (for reading);
- 				   May be same number as fdin. */
- static int fderr;		/* Descriptor for stderr.  May be -1. */
--static long stdin_bytes = 0;	/* Number of bytes written to stdin. */
--static long stdout_bytes = 0;	/* Number of stdout bytes sent to client. */
--static long stderr_bytes = 0;	/* Number of stderr bytes sent to client. */
--static long fdout_bytes = 0;	/* Number of stdout bytes read from program. */
-+static u_long stdin_bytes = 0;	/* Number of bytes written to stdin. */
-+static u_long stdout_bytes = 0;	/* Number of stdout bytes sent to client. */
-+static u_long stderr_bytes = 0;	/* Number of stderr bytes sent to client. */
-+static u_long fdout_bytes = 0;	/* Number of stdout bytes read from program. */
- static int stdin_eof = 0;	/* EOF message received from client. */
- static int fdout_eof = 0;	/* EOF encountered reading from fdout. */
- static int fderr_eof = 0;	/* EOF encountered readung from fderr. */
-@@ -122,6 +122,20 @@ static volatile sig_atomic_t received_sigterm = 0;
- static void server_init_dispatch(void);
- 
- /*
-+ * Returns current time in seconds from Jan 1, 1970 with the maximum
-+ * available resolution.
-+ */
-+
-+static double
-+get_current_time(void)
-+{
-+	struct timeval tv;
-+	gettimeofday(&tv, NULL);
-+	return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
-+}
-+
-+
-+/*
-  * we write to this pipe if a SIGCHLD is caught in order to avoid
-  * the race between select() and child_terminated
-  */
-@@ -420,6 +434,7 @@ process_input(fd_set *readset)
- 		} else {
- 			/* Buffer any received data. */
- 			packet_process_incoming(buf, len);
-+			fdout_bytes += len;
- 		}
- 	}
- 	if (compat20)
-@@ -442,6 +457,7 @@ process_input(fd_set *readset)
- 		} else {
- 			buffer_append(&stdout_buffer, buf, len);
- 			fdout_bytes += len;
-+			debug ("FD out now: %ld", fdout_bytes);
- 		}
- 	}
- 	/* Read and buffer any available stderr data from the program. */
-@@ -509,7 +525,7 @@ process_output(fd_set *writeset)
- 	}
- 	/* Send any buffered packet data to the client. */
- 	if (FD_ISSET(connection_out, writeset))
--		packet_write_poll();
-+		stdin_bytes += packet_write_poll();
- }
- 
- /*
-@@ -826,8 +842,10 @@ server_loop2(Authctxt *authctxt)
- {
- 	fd_set *readset = NULL, *writeset = NULL;
- 	int rekeying = 0, max_fd, nalloc = 0;
-+	double start_time, total_time;
- 
- 	debug("Entering interactive session for SSH2.");
-+	start_time = get_current_time();
- 
- 	mysignal(SIGCHLD, sigchld_handler);
- 	child_terminated = 0;
-@@ -889,6 +907,11 @@ server_loop2(Authctxt *authctxt)
- 
- 	/* free remaining sessions, e.g. remove wtmp entries */
- 	session_destroy_all(NULL);
-+	total_time = get_current_time() - start_time;
-+	logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f",
-+	      get_remote_ipaddr(), get_remote_port(),
-+	      stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time, 
-+	      fdout_bytes / total_time);
- }
- 
- static void
-@@ -1011,8 +1034,12 @@ server_request_tun(void)
+diff -rNuwpB canonical/serverloop.c dynamic/serverloop.c
+--- canonical/serverloop.c	2012-12-06 21:07:47.000000000 -0500
++++ dynamic/serverloop.c	2013-08-14 13:56:39.128511264 -0400
+@@ -1011,8 +1011,12 @@ server_request_tun(void)
  	sock = tun_open(tun, mode);
  	if (sock < 0)
  		goto done;
@@ -1210,7 +687,7 @@ index e224bd0..4d642d5 100644
  	c->datagram = 1;
  #if defined(SSH_TUN_FILTER)
  	if (mode == SSH_TUNMODE_POINTOPOINT)
-@@ -1048,6 +1075,8 @@ server_request_session(void)
+@@ -1048,6 +1052,8 @@ server_request_session(void)
  	c = channel_new("session", SSH_CHANNEL_LARVAL,
  	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
  	    0, "server-session", 1);
@@ -1219,11 +696,10 @@ index e224bd0..4d642d5 100644
  	if (session_open(the_authctxt, c->self) != 1) {
  		debug("session open failed, free channel %d", c->self);
  		channel_free(c);
-diff --git a/session.c b/session.c
-index 19eaa20..57ebeca 100644
---- a/session.c
-+++ b/session.c
-@@ -236,6 +236,7 @@ auth_input_request_forwarding(struct passwd * pw)
+diff -rNuwpB canonical/session.c dynamic/session.c
+--- canonical/session.c	2013-03-14 20:22:37.000000000 -0400
++++ dynamic/session.c	2013-08-14 13:56:39.146511349 -0400
+@@ -236,6 +236,7 @@ auth_input_request_forwarding(struct pas
  	}
  
  	/* Allocate a channel for the authentication agent socket. */
@@ -1231,7 +707,7 @@ index 19eaa20..57ebeca 100644
  	nc = channel_new("auth socket",
  	    SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
  	    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-@@ -2286,10 +2287,16 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr,
+@@ -2286,10 +2287,16 @@ session_set_fds(Session *s, int fdin, in
  	 */
  	if (s->chanid == -1)
  		fatal("no channel for session %d", s->self);
@@ -1248,10 +724,9 @@ index 19eaa20..57ebeca 100644
  }
  
  /*
-diff --git a/sftp.1 b/sftp.1
-index bcb4721..284d618 100644
---- a/sftp.1
-+++ b/sftp.1
+diff -rNuwpB canonical/sftp.1 dynamic/sftp.1
+--- canonical/sftp.1	2011-09-22 07:34:15.000000000 -0400
++++ dynamic/sftp.1	2013-08-14 13:56:39.114506902 -0400
 @@ -247,7 +247,8 @@ diagnostic messages from
  Specify how many requests may be outstanding at any one time.
  Increasing this may slightly improve file transfer speed
@@ -1262,10 +737,9 @@ index bcb4721..284d618 100644
  .It Fl r
  Recursively copy entire directories when uploading and downloading.
  Note that
-diff --git a/sftp.c b/sftp.c
-index 342ae7e..65dacd9 100644
---- a/sftp.c
-+++ b/sftp.c
+diff -rNuwpB canonical/sftp.c dynamic/sftp.c
+--- canonical/sftp.c	2013-02-22 17:12:24.000000000 -0500
++++ dynamic/sftp.c	2013-08-14 13:56:39.129511313 -0400
 @@ -65,7 +65,7 @@ typedef void EditLine;
  #include "sftp-client.h"
  
@@ -1275,22 +749,10 @@ index 342ae7e..65dacd9 100644
  
  /* File to read commands from */
  FILE* infile;
-diff --git a/ssh.c b/ssh.c
-index 3f61eb0..62f56de 100644
---- a/ssh.c
-+++ b/ssh.c
-@@ -579,6 +579,10 @@ main(int ac, char **av)
- 			break;
- 		case 'T':
- 			options.request_tty = REQUEST_TTY_NO;
-+			/* ensure that the user doesn't try to backdoor a */
-+			/* null cipher switch on an interactive session */
-+			/* so explicitly disable it no matter what */
-+			options.none_switch=0;
- 			break;
- 		case 'o':
- 			dummy = 1;
-@@ -1372,6 +1376,9 @@ ssh_session2_open(void)
+diff -rNuwpB canonical/ssh.c dynamic/ssh.c
+--- canonical/ssh.c	2013-04-04 20:22:36.000000000 -0400
++++ dynamic/ssh.c	2013-08-14 14:09:15.549478496 -0400
+@@ -1369,6 +1369,9 @@ ssh_session2_open(void)
  {
  	Channel *c;
  	int window, packetmax, in, out, err;
@@ -1300,7 +762,7 @@ index 3f61eb0..62f56de 100644
  
  	if (stdin_null_flag) {
  		in = open(_PATH_DEVNULL, O_RDONLY);
-@@ -1392,9 +1399,74 @@ ssh_session2_open(void)
+@@ -1389,9 +1392,74 @@ ssh_session2_open(void)
  	if (!isatty(err))
  		set_nonblock(err);
  
@@ -1376,7 +838,7 @@ index 3f61eb0..62f56de 100644
  		window >>= 1;
  		packetmax >>= 1;
  	}
-@@ -1403,6 +1475,10 @@ ssh_session2_open(void)
+@@ -1400,6 +1468,10 @@ ssh_session2_open(void)
  	    window, packetmax, CHAN_EXTENDED_WRITE,
  	    "client-session", /*nonblock*/0);
  
@@ -1387,11 +849,10 @@ index 3f61eb0..62f56de 100644
  	debug3("ssh_session2_open: channel_new: %d", c->self);
  
  	channel_send_open(c->self);
-diff --git a/sshconnect.c b/sshconnect.c
-index 07800a6..6b2b3c0 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -182,6 +182,31 @@ ssh_kill_proxy_command(void)
+diff -rNuwpB canonical/sshconnect.c dynamic/sshconnect.c
+--- canonical/sshconnect.c	2013-04-04 20:20:19.000000000 -0400
++++ dynamic/sshconnect.c	2013-08-14 13:56:39.130511360 -0400
+@@ -189,6 +189,31 @@ ssh_kill_proxy_command(void)
  }
  
  /*
@@ -1423,7 +884,7 @@ index 07800a6..6b2b3c0 100644
   * Creates a (possibly privileged) socket for use as the ssh connection.
   */
  static int
-@@ -204,6 +229,8 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
+@@ -211,6 +236,8 @@ ssh_create_socket(int privileged, struct
  			    strerror(errno));
  		else
  			debug("Allocated local port %d.", p);
@@ -1432,7 +893,7 @@ index 07800a6..6b2b3c0 100644
  		return sock;
  	}
  	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-@@ -213,6 +240,9 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
+@@ -220,6 +247,9 @@ ssh_create_socket(int privileged, struct
  	}
  	fcntl(sock, F_SETFD, FD_CLOEXEC);
  
@@ -1442,7 +903,7 @@ index 07800a6..6b2b3c0 100644
  	/* Bind the socket to an alternative local IP address */
  	if (options.bind_address == NULL)
  		return sock;
-@@ -435,10 +465,10 @@ send_client_banner(int connection_out, int minor1)
+@@ -442,10 +472,10 @@ send_client_banner(int connection_out, i
  	/* Send our own protocol version identification. */
  	if (compat20) {
  		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -1455,56 +916,9 @@ index 07800a6..6b2b3c0 100644
  	}
  	if (roaming_atomicio(vwrite, connection_out, client_version_string,
  	    strlen(client_version_string)) != strlen(client_version_string))
-diff --git a/sshconnect2.c b/sshconnect2.c
-index d6af0b9..9b0aea2 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -81,6 +81,12 @@
- extern char *client_version_string;
- extern char *server_version_string;
- extern Options options;
-+extern Kex *xxx_kex;
-+
-+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
-+/* if it is set then prevent the switch to the null cipher */
-+
-+extern int tty_flag;
- 
- /*
-  * SSH2 key exchange
-@@ -421,6 +427,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
- 	pubkey_cleanup(&authctxt);
- 	dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
- 
-+	/* if the user wants to use the none cipher do it */
-+	/* post authentication and only if the right conditions are met */
-+	/* both of the NONE commands must be true and there must be no */
-+	/* tty allocated */
-+	if ((options.none_switch == 1) && (options.none_enabled == 1))
-+	{
-+		if (!tty_flag) /* no null on tty sessions */
-+		{
-+			debug("Requesting none rekeying...");
-+			myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
-+			myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
-+			kex_prop2buf(&xxx_kex->my,myproposal);
-+			packet_request_rekeying();
-+			fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
-+		}
-+		else
-+		{
-+			/* requested NONE cipher when in a tty */
-+			debug("Cannot switch to NONE cipher with tty allocated");
-+			fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
-+		}
-+	}
- 	debug("Authentication succeeded (%s).", authctxt.method->name);
- }
- 
-diff --git a/sshd.c b/sshd.c
-index 3e9d176..b05b2df 100644
---- a/sshd.c
-+++ b/sshd.c
+diff -rNuwpB canonical/sshd.c dynamic/sshd.c
+--- canonical/sshd.c	2013-02-11 19:04:48.000000000 -0500
++++ dynamic/sshd.c	2013-08-14 14:10:20.793512623 -0400
 @@ -138,6 +138,9 @@ int deny_severity;
  #define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3)
  #define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4)
@@ -1515,7 +929,7 @@ index 3e9d176..b05b2df 100644
  extern char *__progname;
  
  /* Server configuration options. */
-@@ -430,7 +433,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
+@@ -430,7 +433,7 @@ sshd_exchange_identification(int sock_in
  	}
  
  	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -1524,17 +938,7 @@ index 3e9d176..b05b2df 100644
  	    *options.version_addendum == '\0' ? "" : " ",
  	    options.version_addendum, newline);
  
-@@ -482,6 +485,9 @@ sshd_exchange_identification(int sock_in, int sock_out)
- 	}
- 	debug("Client protocol version %d.%d; client software version %.100s",
- 	    remote_major, remote_minor, remote_version);
-+	logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
-+	      get_remote_ipaddr(), get_remote_port(),
-+	    remote_major, remote_minor, remote_version);
- 
- 	compat_datafellows(remote_version);
- 
-@@ -1038,6 +1044,8 @@ server_listen(void)
+@@ -1038,6 +1041,8 @@ server_listen(void)
  	int ret, listen_sock, on = 1;
  	struct addrinfo *ai;
  	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1543,7 +947,7 @@ index 3e9d176..b05b2df 100644
  
  	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
  		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1078,6 +1086,11 @@ server_listen(void)
+@@ -1078,6 +1083,11 @@ server_listen(void)
  
  		debug("Bind to port %s on %s.", strport, ntop);
  
@@ -1555,7 +959,7 @@ index 3e9d176..b05b2df 100644
  		/* Bind the socket to the desired port. */
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
  			error("Bind to port %s on %s failed: %.200s.",
-@@ -1976,6 +1989,9 @@ main(int ac, char **av)
+@@ -1976,6 +1986,9 @@ main(int ac, char **av)
  	/* Log the connection. */
  	verbose("Connection from %.500s port %d", remote_ip, remote_port);
  
@@ -1565,7 +969,7 @@ index 3e9d176..b05b2df 100644
  	/*
  	 * We don't want to listen forever unless the other side
  	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2332,9 +2348,15 @@ do_ssh2_kex(void)
+@@ -2332,6 +2345,8 @@ do_ssh2_kex(void)
  {
  	Kex *kex;
  
@@ -1574,18 +978,10 @@ index 3e9d176..b05b2df 100644
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
-+	} else if (options.none_enabled == 1) {
-+		debug ("WARNING: None cipher enabled");
-+		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-+		myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE;
- 	}
- 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-diff --git a/sshd_config b/sshd_config
-index 9cd2fdd..27f43eb 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -120,6 +120,20 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
+diff -rNuwpB canonical/sshd_config dynamic/sshd_config
+--- canonical/sshd_config	2013-02-11 19:02:09.000000000 -0500
++++ dynamic/sshd_config	2013-08-14 14:09:54.107478485 -0400
+@@ -120,6 +120,17 @@ UsePrivilegeSeparation sandbox		# Defaul
  # override default of no subsystems
  Subsystem	sftp	/usr/libexec/sftp-server
  
@@ -1593,9 +989,6 @@ index 9cd2fdd..27f43eb 100644
 +# tcp receive buffer polling. disable in non autotuning kernels
 +#TcpRcvBufPoll yes
 + 
-+# allow the use of the none cipher
-+#NoneEnabled no
-+
 +# disable hpn performance boosts
 +#HPNDisabled no
 +
@@ -1606,14 +999,13 @@ index 9cd2fdd..27f43eb 100644
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  #	X11Forwarding no
-diff --git a/version.h b/version.h
-index 784f707..c8f04d5 100644
---- a/version.h
-+++ b/version.h
+diff -rNuwpB canonical/version.h dynamic/version.h
+--- canonical/version.h	2013-05-10 02:02:21.000000000 -0400
++++ dynamic/version.h	2013-08-14 15:27:52.736478576 -0400
 @@ -3,4 +3,5 @@
  #define SSH_VERSION	"OpenSSH_6.2"
  
- #define SSH_PORTABLE	"p1"
+ #define SSH_PORTABLE	"p2"
 -#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN		"-hpn13v11"
++#define SSH_HPN                "-hpn14v1"
 +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN