authorNatanael Copa <ncopa@alpinelinux.org>2013-09-02 08:56:59 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-09-02 08:56:59 +0000
commita19f6b51dea86b5c13e6dae719cdc0ee7dfe54ea (patch)
tree9eed36b806bb8484e05191862782e97ab2d69636 /main/openssh
parente972f7f35baa2e461d874d7fdf3ac907d94ab903 (diff)
downloadaports-a19f6b51dea86b5c13e6dae719cdc0ee7dfe54ea.tar.bz2
aports-a19f6b51dea86b5c13e6dae719cdc0ee7dfe54ea.tar.xz
main/openssh: reintroduce dynwindows HPN patch
Diffstat (limited to 'main/openssh')
-rw-r--r--main/openssh/APKBUILD8
-rw-r--r--main/openssh/openssh6.2-dynwindows.diff (renamed from main/openssh/openssh-dynwindow_noneswitch.diff)1126
2 files changed, 265 insertions, 869 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 8950a088f..cb4fb27be 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
pkgname=openssh
pkgver=6.2_p2
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=1
+pkgrel=2
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
@@ -11,12 +11,13 @@ depends="openssh-client"
makedepends="openssl-dev zlib-dev"
subpackages="$pkgname-doc $pkgname-client"
source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
+ openssh6.2-dynwindows.diff
openssh-peaktput.diff
openssh-hmac-accel.diff
sshd.initd
sshd.confd
"
-# openssh-dynwindow_noneswitch.diff
+# HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
_builddir="$srcdir"/$pkgname-$_myver
prepare() {
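Review bot: The provenance comment added under the `source=` list names only a landing page over plain HTTP, so it does not record which upstream HPN release `openssh6.2-dynwindows.diff` was taken from, or whether it was edited locally. The checksums added further down pin the in-tree copy but say nothing about its origin, and this patch changes channel and buffer handling in sshd and ssh. I would extend the comment to something like `# openssh6.2-dynwindows.diff: <UPSTREAM_PATCH_FILE_NAME>, HPN release <UPSTREAM_VERSION>, local changes: <none|describe>`, so a later reviewer can diff the vendored file against the upstream one.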
@@ -99,16 +100,19 @@ client() {
}
md5sums="be46174dcbb77ebb4ea88ef140685de1 openssh-6.2p2.tar.gz
+1bf93a2d49f89c4b399ad361bd740921 openssh6.2-dynwindows.diff
949ff348573438163240c60d6c3618eb openssh-peaktput.diff
c65d454dc5b149647273485fc184636d openssh-hmac-accel.diff
cb0dd08c413fad346f0c594107b4a2e0 sshd.initd
b35e9f3829f4cfca07168fcba98749c7 sshd.confd"
sha256sums="7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b openssh-6.2p2.tar.gz
+db1ff210e444f91db53e565620f1a5a1570cd1a4b2c34aaba3cf7d79e9d3a045 openssh6.2-dynwindows.diff
dab18c1fd1496c1ba4a4fe08c6c6b8cf3347fc82878d85498202f50168161f6b openssh-peaktput.diff
902ea83a9ef726f32b096280da0f1b722f4372886c65c4e28985ee57e725d95c openssh-hmac-accel.diff
3fa062fd4bfac64abf21f3c1d0548f1dfcf3c6e56e84ece14c848f53a293024e sshd.initd
29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 sshd.confd"
sha512sums="80c8fb6bb25e86e8261cc7c6671773cdc0d9b0da9c9ebca33b3d5278c44197734fe32e878e1f444b693c4b49b0a525458aa07e57c231cefafc23a9c6975b05df openssh-6.2p2.tar.gz
+4eabb5a9d6107a43deb408ebddaa697a0f76c977c0b2b8ce32979e1a2e163b83a932dd34f3fb2f6211d0e443dc1a5f49d4fcb646a80e52a609af497e4923f1d5 openssh6.2-dynwindows.diff
64f2c94f41225c76428440d778b0bf5657408123d1cd7d6cb4bdf5000bfba8ad80ec5e57acd0880adc7a8ea7e2f1a64e329b83cf8be630b9aaebff6ab138d025 openssh-peaktput.diff
aaa128126400171d0755038a846672aa7b1e87340edf73a672962d403abf404ef1821466b17da51dde25f04ec7533ae4a653399ccc912ea9c4a7b1a14032e76f openssh-hmac-accel.diff
1483e2bcd700da9b02f04508d490b472c816344787bf1675fef2f7e27f72b91e4323e4e8c1db701e47d81d37d6d4b0623eaeac46b2cf589ae5ad69f363baa594 sshd.initd
diff --git a/main/openssh/openssh-dynwindow_noneswitch.diff b/main/openssh/openssh6.2-dynwindows.diff
index f8cd59338..c903d30c1 100644
--- a/main/openssh/openssh-dynwindow_noneswitch.diff
+++ b/main/openssh/openssh6.2-dynwindows.diff
@@ -1,175 +1,6 @@
-diff --git a/HPN-README b/HPN-README
-new file mode 100644
-index 0000000..72d822f
---- /dev/null
-+++ b/HPN-README
-@@ -0,0 +1,128 @@
-+Notes:
-+
-+MULTI-THREADED CIPHER:
-+The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
-+on hosts with multiple cores to use more than one processing core during encryption.
-+Tests have show significant throughput performance increases when using MTR-AES-CTR up
-+to and including a full gigabit per second on quad core systems. It should be possible to
-+achieve full line rate on dual core systems but OS and data management overhead makes this
-+more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
-+thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
-+performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
-+The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
-+nomenclature.
-+Use examples: ssh -caes128-ctr you@host.com
-+ scp -oCipher=aes256-ctr file you@host.com:~/file
-+
-+NONE CIPHER:
-+To use the NONE option you must have the NoneEnabled switch set on the server and
-+you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
-+feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
-+spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
-+be disabled.
-+
-+The performance increase will only be as good as the network and TCP stack tuning
-+on the reciever side of the connection allows. As a rule of thumb a user will need
-+at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
-+HPN-SSH home page describes this in greater detail.
-+
-+http://www.psc.edu/networking/projects/hpn-ssh
-+
-+BUFFER SIZES:
-+
-+If HPN is disabled the receive buffer size will be set to the
-+OpenSSH default of 64K.
-+
-+If an HPN system connects to a nonHPN system the receive buffer will
-+be set to the HPNBufferSize value. The default is 2MB but user adjustable.
-+
-+If an HPN to HPN connection is established a number of different things might
-+happen based on the user options and conditions.
-+
-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
-+HPN Buffer Size = up to 64MB
-+This is the default state. The HPN buffer size will grow to a maximum of 64MB
-+as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
-+geared towards 10GigE transcontinental connections.
-+
-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
-+HPN Buffer Size = TCP receive buffer value.
-+Users on non-autotuning systesm should disable TCPRcvBufPoll in the
-+ssh_cofig and sshd_config
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
-+HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
-+This would be the system defined TCP receive buffer (RWIN).
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
-+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
-+Generally there is no need to set both.
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
-+HPN Buffer Size = grows to HPNBufferSize
-+The buffer will grow up to the maximum size specified here.
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
-+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
-+Generally there is no need to set both of these, especially on autotuning
-+systems. However, if the users wishes to override the autotuning this would be
-+one way to do it.
-+
-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
-+HPN Buffer Size = TCPRcvBuf.
-+This will override autotuning and set the TCP recieve buffer to the user defined
-+value.
-+
-+
-+HPN Specific Configuration options
-+
-+TcpRcvBuf=[int]KB client
-+ set the TCP socket receive buffer to n Kilobytes. It can be set up to the
-+maximum socket size allowed by the system. This is useful in situations where
-+the tcp receive window is set low but the maximum buffer size is set
-+higher (as is typical). This works on a per TCP connection basis. You can also
-+use this to artifically limit the transfer rate of the connection. In these
-+cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
-+Default is the current system wide tcp receive buffer size.
-+
-+TcpRcvBufPoll=[yes/no] client/server
-+ enable of disable the polling of the tcp receive buffer through the life
-+of the connection. You would want to make sure that this option is enabled
-+for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
-+default is yes.
-+
-+NoneEnabled=[yes/no] client/server
-+ enable or disable the use of the None cipher. Care must always be used
-+when enabling this as it will allow users to send data in the clear. However,
-+it is important to note that authentication information remains encrypted
-+even if this option is enabled. Set to no by default.
-+
-+NoneSwitch=[yes/no] client
-+ Switch the encryption cipher being used to the None cipher after
-+authentication takes place. NoneEnabled must be enabled on both the client
-+and server side of the connection. When the connection switches to the NONE
-+cipher a warning is sent to STDERR. The connection attempt will fail with an
-+error if a client requests a NoneSwitch from the server that does not explicitly
-+have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
-+interactive (shell) sessions and it will fail silently. Set to no by default.
-+
-+HPNDisabled=[yes/no] client/server
-+ In some situations, such as transfers on a local area network, the impact
-+of the HPN code produces a net decrease in performance. In these cases it is
-+helpful to disable the HPN functionality. By default HPNDisabled is set to no.
-+
-+HPNBufferSize=[int]KB client/server
-+ This is the default buffer size the HPN functionality uses when interacting
-+with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
-+option as applied to the internal SSH flow control. This value can range from
-+1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
-+problems depending on the length of the network path. The default size of this buffer
-+is 2MB.
-+
-+
-+Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
-+ The majority of the actual coding for versions up to HPN12v1 was performed
-+ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
-+ implemented by Ben Bennet (ben@psc.edu). This work was financed, in part,
-+ by Cisco System, Inc., the National Library of Medicine,
-+ and the National Science Foundation.
-diff --git a/auth2.c b/auth2.c
-index e367a10..da46852 100644
---- a/auth2.c
-+++ b/auth2.c
-@@ -49,6 +49,7 @@
- #include "dispatch.h"
- #include "pathnames.h"
- #include "buffer.h"
-+#include "canohost.h"
-
- #ifdef GSSAPI
- #include "ssh-gss.h"
-@@ -75,6 +76,9 @@ extern Authmethod method_gssapi;
- extern Authmethod method_jpake;
- #endif
-
-+static int log_flag = 0;
-+
-+
- Authmethod *authmethods[] = {
- &method_none,
- &method_pubkey,
-@@ -227,6 +231,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
- service = packet_get_cstring(NULL);
- method = packet_get_cstring(NULL);
- debug("userauth-request for user %s service %s method %s", user, service, method);
-+ if (!log_flag) {
-+ logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",
-+ get_remote_ipaddr(), get_remote_port(), user);
-+ log_flag = 1;
-+ }
- debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
-
- if ((style = strchr(user, ':')) != NULL)
-diff --git a/buffer.c b/buffer.c
-index ae97003..dc21850 100644
---- a/buffer.c
-+++ b/buffer.c
+diff -rNuwpB canonical/buffer.c dynamic/buffer.c
+--- canonical/buffer.c 2010-02-11 17:23:40.000000000 -0500
++++ dynamic/buffer.c 2013-08-14 13:56:39.111508385 -0400
@@ -127,7 +127,7 @@ restart:
/* Increase the size of the buffer and retry. */
@@ -179,10 +10,9 @@ index ae97003..dc21850 100644
fatal("buffer_append_space: alloc %u not supported",
newlen);
buffer->buf = xrealloc(buffer->buf, 1, newlen);
-diff --git a/buffer.h b/buffer.h
-index e2a9dd1..2c0b65c 100644
---- a/buffer.h
-+++ b/buffer.h
+diff -rNuwpB canonical/buffer.h dynamic/buffer.h
+--- canonical/buffer.h 2010-09-09 21:39:27.000000000 -0400
++++ dynamic/buffer.h 2013-08-14 13:56:39.113507594 -0400
@@ -16,6 +16,9 @@
#ifndef BUFFER_H
#define BUFFER_H
@@ -193,11 +23,10 @@ index e2a9dd1..2c0b65c 100644
typedef struct {
u_char *buf; /* Buffer for data. */
u_int alloc; /* Number of bytes allocated for data. */
-diff --git a/channels.c b/channels.c
-index 9cf85a3..862bfd3 100644
---- a/channels.c
-+++ b/channels.c
-@@ -173,8 +173,14 @@ static void port_open_helper(Channel *c, char *rtype);
+diff -rNuwpB canonical/channels.c dynamic/channels.c
+--- canonical/channels.c 2012-12-02 17:50:55.000000000 -0500
++++ dynamic/channels.c 2013-08-14 13:56:39.132511340 -0400
+@@ -173,8 +173,14 @@ static void port_open_helper(Channel *c,
static int connect_next(struct channel_connect *);
static void channel_connect_ctx_free(struct channel_connect *);
@@ -212,7 +41,7 @@ index 9cf85a3..862bfd3 100644
Channel *
channel_by_id(int id)
{
-@@ -319,6 +325,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
+@@ -319,6 +325,7 @@ channel_new(char *ctype, int type, int r
c->local_window_max = window;
c->local_consumed = 0;
c->local_maxpacket = maxpack;
@@ -220,7 +49,7 @@ index 9cf85a3..862bfd3 100644
c->remote_id = -1;
c->remote_name = xstrdup(remote_name);
c->remote_window = 0;
-@@ -818,11 +825,35 @@ channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
+@@ -818,11 +825,35 @@ channel_pre_open_13(Channel *c, fd_set *
FD_SET(c->sock, writeset);
}
@@ -280,54 +109,7 @@ index 9cf85a3..862bfd3 100644
c->local_consumed = 0;
}
return 1;
-@@ -2173,11 +2211,12 @@ channel_after_select(fd_set *readset, fd_set *writeset)
-
-
- /* If there is data to send to the connection, enqueue some of it now. */
--void
-+int
- channel_output_poll(void)
- {
- Channel *c;
- u_int i, len;
-+ int packet_length = 0;
-
- for (i = 0; i < channels_alloc; i++) {
- c = channels[i];
-@@ -2225,7 +2264,7 @@ channel_output_poll(void)
- packet_start(SSH2_MSG_CHANNEL_DATA);
- packet_put_int(c->remote_id);
- packet_put_string(data, dlen);
-- packet_send();
-+ packet_length = packet_send();
- c->remote_window -= dlen + 4;
- xfree(data);
- }
-@@ -2255,7 +2294,7 @@ channel_output_poll(void)
- SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
- packet_put_int(c->remote_id);
- packet_put_string(buffer_ptr(&c->input), len);
-- packet_send();
-+ packet_length = packet_send();
- buffer_consume(&c->input, len);
- c->remote_window -= len;
- }
-@@ -2290,12 +2329,13 @@ channel_output_poll(void)
- packet_put_int(c->remote_id);
- packet_put_int(SSH2_EXTENDED_DATA_STDERR);
- packet_put_string(buffer_ptr(&c->extended), len);
-- packet_send();
-+ packet_length = packet_send();
- buffer_consume(&c->extended, len);
- c->remote_window -= len;
- debug2("channel %d: sent ext data %d", c->self, len);
- }
- }
-+ return (packet_length);
- }
-
-
-@@ -2719,6 +2759,15 @@ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
+@@ -2719,6 +2757,15 @@ channel_fwd_bind_addr(const char *listen
return addr;
}
@@ -343,7 +125,7 @@ index 9cf85a3..862bfd3 100644
static int
channel_setup_fwd_listener(int type, const char *listen_addr,
u_short listen_port, int *allocated_listen_port,
-@@ -2845,9 +2894,15 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
+@@ -2845,9 +2892,15 @@ channel_setup_fwd_listener(int type, con
}
/* Allocate a channel number for the socket. */
@@ -359,7 +141,7 @@ index 9cf85a3..862bfd3 100644
c->path = xstrdup(host);
c->host_port = port_to_connect;
c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
-@@ -3503,10 +3558,17 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
+@@ -3503,10 +3556,17 @@ x11_create_display_inet(int x11_display_
*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
for (n = 0; n < num_socks; n++) {
sock = socks[n];
@@ -377,10 +159,9 @@ index 9cf85a3..862bfd3 100644
nc->single_connection = single_connection;
(*chanids)[n] = nc->self;
}
-diff --git a/channels.h b/channels.h
-index d75b800..0a95283 100644
---- a/channels.h
-+++ b/channels.h
+diff -rNuwpB canonical/channels.h dynamic/channels.h
+--- canonical/channels.h 2012-04-21 21:21:10.000000000 -0400
++++ dynamic/channels.h 2013-08-14 13:56:39.115508853 -0400
@@ -129,8 +129,10 @@ struct Channel {
u_int local_window_max;
u_int local_consumed;
@@ -406,15 +187,6 @@ index d75b800..0a95283 100644
#define CHAN_X11_PACKET_DEFAULT (16*1024)
#define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
-@@ -242,7 +246,7 @@ void channel_input_status_confirm(int, u_int32_t, void *);
- void channel_prepare_select(fd_set **, fd_set **, int *, u_int*,
- time_t*, int);
- void channel_after_select(fd_set *, fd_set *);
--void channel_output_poll(void);
-+int channel_output_poll(void);
-
- int channel_not_very_much_buffered_data(void);
- void channel_close_all(void);
@@ -303,4 +307,7 @@ void chan_rcvd_ieof(Channel *);
void chan_write_failed(Channel *);
void chan_obuf_empty(Channel *);
@@ -423,41 +195,10 @@ index d75b800..0a95283 100644
+void channel_set_hpn(int, int);
+
#endif
-diff --git a/cipher.c b/cipher.c
-index 9ca1d00..ad57555 100644
---- a/cipher.c
-+++ b/cipher.c
-@@ -180,7 +180,8 @@ ciphers_valid(const char *names)
- for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
- (p = strsep(&cp, CIPHER_SEP))) {
- c = cipher_by_name(p);
-- if (c == NULL || c->number != SSH_CIPHER_SSH2) {
-+ if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
-+ c->number != SSH_CIPHER_NONE)) {
- debug("bad cipher %s [%s]", p, names);
- xfree(cipher_list);
- return 0;
-@@ -406,6 +407,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
- int evplen;
-
- switch (c->number) {
-+ case SSH_CIPHER_NONE:
- case SSH_CIPHER_SSH2:
- case SSH_CIPHER_DES:
- case SSH_CIPHER_BLOWFISH:
-@@ -442,6 +444,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
- int evplen = 0;
-
- switch (c->number) {
-+ case SSH_CIPHER_NONE:
- case SSH_CIPHER_SSH2:
- case SSH_CIPHER_DES:
- case SSH_CIPHER_BLOWFISH:
-diff --git a/clientloop.c b/clientloop.c
-index c1d1d44..15cb3a0 100644
---- a/clientloop.c
-+++ b/clientloop.c
-@@ -1884,9 +1884,15 @@ client_request_x11(const char *request_type, int rchan)
+diff -rNuwpB canonical/clientloop.c dynamic/clientloop.c
+--- canonical/clientloop.c 2013-01-08 23:55:51.000000000 -0500
++++ dynamic/clientloop.c 2013-08-14 13:56:39.135511385 -0400
+@@ -1884,9 +1884,15 @@ client_request_x11(const char *request_t
sock = x11_connect_display();
if (sock < 0)
return NULL;
@@ -473,34 +214,34 @@ index c1d1d44..15cb3a0 100644
c->force_drain = 1;
return c;
}
-@@ -1906,9 +1912,15 @@ client_request_agent(const char *request_type, int rchan)
+@@ -1906,9 +1912,15 @@ client_request_agent(const char *request
sock = ssh_get_authentication_socket();
if (sock < 0)
return NULL;
+ if (options.hpn_disabled)
-+ c = channel_new("authentication agent connection",
-+ SSH_CHANNEL_OPEN, sock, sock, -1,
-+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-+ "authentication agent connection", 1);
-+ else
c = channel_new("authentication agent connection",
SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
++ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
++ "authentication agent connection", 1);
++ else
++ c = channel_new("authentication agent connection",
++ SSH_CHANNEL_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, options.hpn_buffer_size, 0,
"authentication agent connection", 1);
c->force_drain = 1;
return c;
-@@ -1936,10 +1948,18 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
+@@ -1936,10 +1948,18 @@ client_request_tun_fwd(int tun_mode, int
return -1;
}
+ if(options.hpn_disabled)
- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
++ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "tun", 1);
+ else
-+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 0, "tun", 1);
c->datagram = 1;
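Review bot: In the `client_request_agent` part of this hunk, both `channel_new` calls carried by the patch put a window-sized value in the max-packet argument. The `hpn_disabled` branch passes `CHAN_TCP_WINDOW_DEFAULT` where the unpatched line (the inner `-` line) passed `CHAN_TCP_PACKET_DEFAULT`, and the HPN branch passes `options.hpn_buffer_size` twice. The `tun` call later in the same hunk keeps `CHAN_TCP_PACKET_DEFAULT` in that position in both branches, so this looks like a slip; with HPN disabled the agent channel should be created exactly as in stock OpenSSH. I would change the two argument lines to `CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,` and `options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,`, then refresh the APKBUILD checksums. The function bodies start and end outside the hunk, so the effect on the advertised packet size is inferred from the argument order visible in the `tun` call.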
@@ -510,10 +251,9 @@ index c1d1d44..15cb3a0 100644
#if defined(SSH_TUN_FILTER)
if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
channel_register_filter(c->self, sys_tun_infilter,
-diff --git a/compat.c b/compat.c
-index f680f4f..e9a567c 100644
---- a/compat.c
-+++ b/compat.c
+diff -rNuwpB canonical/compat.c dynamic/compat.c
+--- canonical/compat.c 2012-09-06 07:21:56.000000000 -0400
++++ dynamic/compat.c 2013-08-14 13:56:39.114506902 -0400
@@ -173,6 +173,15 @@ compat_datafellows(const char *version)
strlen(check[i].pat), 0) == 1) {
debug("match: %s pat %s", version, check[i].pat);
@@ -530,10 +270,9 @@ index f680f4f..e9a567c 100644
return;
}
}
-diff --git a/compat.h b/compat.h
-index 3ae5d9c..6a7aeb2 100644
---- a/compat.h
-+++ b/compat.h
+diff -rNuwpB canonical/compat.h dynamic/compat.h
+--- canonical/compat.h 2011-10-02 03:59:03.000000000 -0400
++++ dynamic/compat.h 2013-08-14 13:56:39.137511347 -0400
@@ -59,6 +59,7 @@
#define SSH_BUG_RFWD_ADDR 0x02000000
#define SSH_NEW_OPENSSH 0x04000000
@@ -542,324 +281,166 @@ index 3ae5d9c..6a7aeb2 100644
void enable_compat13(void);
void enable_compat20(void);
-diff --git a/kex.c b/kex.c
-index 57a79dd..1edaecb 100644
---- a/kex.c
-+++ b/kex.c
-@@ -49,6 +49,7 @@
- #include "dispatch.h"
- #include "monitor.h"
- #include "roaming.h"
-+#include "canohost.h"
-
- #if OPENSSL_VERSION_NUMBER >= 0x00907000L
- # if defined(HAVE_EVP_SHA256)
-@@ -91,7 +92,8 @@ kex_names_valid(const char *names)
- }
-
- /* put algorithm proposal into buffer */
--static void
-+/* used in sshconnect.c as well as kex.c */
-+void
- kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
- {
- u_int i;
-@@ -418,6 +420,13 @@ kex_choose_conf(Kex *kex)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, authlen;
- int first_kex_follows, type;
-+ int log_flag = 0;
+diff -rNuwpB canonical/HPN-README dynamic/HPN-README
+--- canonical/HPN-README 1969-12-31 19:00:00.000000000 -0500
++++ dynamic/HPN-README 2013-08-14 13:56:39.121511284 -0400
+@@ -0,0 +1,129 @@
++Notes:
+
-+ int auth_flag;
++MULTI-THREADED CIPHER:
++The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
++on hosts with multiple cores to use more than one processing core during encryption.
++Tests have show significant throughput performance increases when using MTR-AES-CTR up
++to and including a full gigabit per second on quad core systems. It should be possible to
++achieve full line rate on dual core systems but OS and data management overhead makes this
++more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
++thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
++performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
++The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
++nomenclature.
++Use examples: ssh -caes128-ctr you@host.com
++ scp -oCipher=aes256-ctr file you@host.com:~/file
+
-+ auth_flag = packet_authentication_state();
++NONE CIPHER:
++To use the NONE option you must have the NoneEnabled switch set on the server and
++you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
++feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
++spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
++be disabled.
+
-+ debug ("AUTH STATE IS %d", auth_flag);
-
- my = kex_buf2prop(&kex->my, NULL);
- peer = kex_buf2prop(&kex->peer, &first_kex_follows);
-@@ -455,11 +464,34 @@ kex_choose_conf(Kex *kex)
- if (authlen == 0)
- choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
- choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
-+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
-+ if (strcmp(newkeys->enc.name, "none") == 0) {
-+ debug("Requesting NONE. Authflag is %d", auth_flag);
-+ if (auth_flag == 1) {
-+ debug("None requested post authentication.");
-+ } else {
-+ fatal("Pre-authentication none cipher requests are not allowed.");
-+ }
-+ }
- debug("kex: %s %s %s %s",
- ctos ? "client->server" : "server->client",
- newkeys->enc.name,
- authlen == 0 ? newkeys->mac.name : "<implicit>",
- newkeys->comp.name);
-+ /* client starts withctos = 0 && log flag = 0 and no log*/
-+ /* 2nd client pass ctos=1 and flag = 1 so no log*/
-+ /* server starts with ctos =1 && log_flag = 0 so log */
-+ /* 2nd sever pass ctos = 1 && log flag = 1 so no log*/
-+ /* -cjr*/
-+ if (ctos && !log_flag) {
-+ logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
-+ get_remote_ipaddr(),
-+ get_remote_port(),
-+ newkeys->enc.name,
-+ newkeys->mac.name,
-+ newkeys->comp.name);
-+ }
-+ log_flag = 1;
- }
- choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
- choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
-diff --git a/kex.h b/kex.h
-index 46731fa..fafe115 100644
---- a/kex.h
-+++ b/kex.h
-@@ -142,6 +142,8 @@ struct Kex {
-
- int kex_names_valid(const char *);
-
-+void kex_prop2buf(Buffer *, char *proposal[PROPOSAL_MAX]);
++The performance increase will only be as good as the network and TCP stack tuning
++on the reciever side of the connection allows. As a rule of thumb a user will need
++at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
++HPN-SSH home page describes this in greater detail.
+
- Kex *kex_setup(char *[PROPOSAL_MAX]);
- void kex_finish(Kex *);
-
-diff --git a/myproposal.h b/myproposal.h
-index 99d0934..9358dc3 100644
---- a/myproposal.h
-+++ b/myproposal.h
-@@ -106,6 +106,8 @@
- #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
- #define KEX_DEFAULT_LANG ""
-
-+#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \
-+ ",none"
-
- static char *myproposal[PROPOSAL_MAX] = {
- KEX_DEFAULT_KEX,
-diff --git a/packet.c b/packet.c
-index 9326dde..dc9dd8d 100644
---- a/packet.c
-+++ b/packet.c
-@@ -841,7 +841,7 @@ packet_enable_delayed_compress(void)
- /*
- * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
- */
--static void
-+static int
- packet_send2_wrapped(void)
- {
- u_char type, *cp, *macbuf = NULL;
-@@ -972,11 +972,13 @@ packet_send2_wrapped(void)
- set_newkeys(MODE_OUT);
- else if (type == SSH2_MSG_USERAUTH_SUCCESS && active_state->server_side)
- packet_enable_delayed_compress();
-+ return len - 4;
- }
-
--static void
-+static int
- packet_send2(void)
- {
-+ int packet_length = 0;
- struct packet *p;
- u_char type, *cp;
-
-@@ -996,7 +998,7 @@ packet_send2(void)
- sizeof(Buffer));
- buffer_init(&active_state->outgoing_packet);
- TAILQ_INSERT_TAIL(&active_state->outgoing, p, next);
-- return;
-+ return(sizeof(Buffer));
- }
- }
-
-@@ -1004,7 +1006,7 @@ packet_send2(void)
- if (type == SSH2_MSG_KEXINIT)
- active_state->rekeying = 1;
-
-- packet_send2_wrapped();
-+ packet_length = packet_send2_wrapped();
-
- /* after a NEWKEYS message we can send the complete queue */
- if (type == SSH2_MSG_NEWKEYS) {
-@@ -1017,19 +1019,22 @@ packet_send2(void)
- sizeof(Buffer));
- TAILQ_REMOVE(&active_state->outgoing, p, next);
- xfree(p);
-- packet_send2_wrapped();
-+ packet_length += packet_send2_wrapped();
- }
- }
-+ return(packet_length);
- }
-
--void
-+int
- packet_send(void)
- {
-+ int packet_len = 0;
- if (compat20)
-- packet_send2();
-+ packet_len = packet_send2();
- else
- packet_send1();
- DBG(debug("packet_send done"));
-+ return(packet_len);
- }
-
- /*
-@@ -1697,7 +1702,7 @@ packet_disconnect(const char *fmt,...)
-
- /* Checks if there is any buffered output, and tries to write some of the output. */
-
--void
-+int
- packet_write_poll(void)
- {
- int len = buffer_len(&active_state->output);
-@@ -1710,13 +1715,14 @@ packet_write_poll(void)
- if (len == -1) {
- if (errno == EINTR || errno == EAGAIN ||
- errno == EWOULDBLOCK)
-- return;
-+ return(0);
- fatal("Write failed: %.100s", strerror(errno));
- }
- if (len == 0 && !cont)
- fatal("Write connection closed");
- buffer_consume(&active_state->output, len);
- }
-+ return(len);
- }
-
- /*
-@@ -1917,12 +1923,24 @@ packet_send_ignore(int nbytes)
- }
- }
-
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
++http://www.psc.edu/networking/projects/hpn-ssh
+
- #define MAX_PACKETS (1U<<31)
- int
- packet_need_rekeying(void)
- {
- if (datafellows & SSH_BUG_NOREKEY)
- return 0;
-+ if (rekey_requested == 1)
-+ {
-+ rekey_requested = 0;
-+ return 1;
-+ }
- return
- (active_state->p_send.packets > MAX_PACKETS) ||
- (active_state->p_read.packets > MAX_PACKETS) ||
-@@ -2014,3 +2032,9 @@ packet_restore_state(void)
- add_recv_bytes(len);
- }
- }
++BUFFER SIZES:
+
-+int
-+packet_authentication_state(void)
-+{
-+ return(active_state->after_authentication);
-+}
-diff --git a/packet.h b/packet.h
-index 09ba079..d3833dd 100644
---- a/packet.h
-+++ b/packet.h
-@@ -23,6 +23,9 @@
- #include <openssl/ec.h>
- #endif
-
-+void
-+packet_request_rekeying(void);
-+
- void packet_set_connection(int, int);
- void packet_set_timeout(int, int);
- void packet_set_nonblocking(void);
-@@ -38,6 +41,7 @@ void packet_set_interactive(int, int, int);
- int packet_is_interactive(void);
- void packet_set_server(void);
- void packet_set_authenticated(void);
-+int packet_authentication_state(void);
-
- void packet_start(u_char);
- void packet_put_char(int ch);
-@@ -51,7 +55,7 @@ void packet_put_ecpoint(const EC_GROUP *, const EC_POINT *);
- void packet_put_string(const void *buf, u_int len);
- void packet_put_cstring(const char *str);
- void packet_put_raw(const void *buf, u_int len);
--void packet_send(void);
-+int packet_send(void);
-
- int packet_read(void);
- void packet_read_expect(int type);
-@@ -85,7 +89,7 @@ int packet_get_ssh1_cipher(void);
- void packet_set_iv(int, u_char *);
- void *packet_get_newkeys(int);
-
--void packet_write_poll(void);
-+int packet_write_poll(void);
- void packet_write_wait(void);
- int packet_have_data_to_write(void);
- int packet_not_very_much_data_to_write(void);
-diff --git a/readconf.c b/readconf.c
-index 097bb05..b9b2fd6 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -135,6 +135,8 @@ typedef enum {
++If HPN is disabled the receive buffer size will be set to the
++OpenSSH default of 64K.
++
++If an HPN system connects to a nonHPN system the receive buffer will
++be set to the HPNBufferSize value. The default is 2MB but user adjustable.
++
++If an HPN to HPN connection is established a number of different things might
++happen based on the user options and conditions.
++
++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
++HPN Buffer Size = up to 64MB
++This is the default state. The HPN buffer size will grow to a maximum of 64MB
++as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
++geared towards 10GigE transcontinental connections.
++
++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
++HPN Buffer Size = TCP receive buffer value.
++Users on non-autotuning systesm should disable TCPRcvBufPoll in the
++ssh_cofig and sshd_config
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
++HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
++This would be the system defined TCP receive buffer (RWIN).
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
++Generally there is no need to set both.
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
++HPN Buffer Size = grows to HPNBufferSize
++The buffer will grow up to the maximum size specified here.
++
++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
++Generally there is no need to set both of these, especially on autotuning
++systems. However, if the users wishes to override the autotuning this would be
++one way to do it.
++
++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
++HPN Buffer Size = TCPRcvBuf.
++This will override autotuning and set the TCP recieve buffer to the user defined
++value.
++
++
++HPN Specific Configuration options
++
++TcpRcvBuf=[int]KB client
++ set the TCP socket receive buffer to n Kilobytes. It can be set up to the
++maximum socket size allowed by the system. This is useful in situations where
++the tcp receive window is set low but the maximum buffer size is set
++higher (as is typical). This works on a per TCP connection basis. You can also
++use this to artifically limit the transfer rate of the connection. In these
++cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
++Default is the current system wide tcp receive buffer size.
++
++TcpRcvBufPoll=[yes/no] client/server
++ enable of disable the polling of the tcp receive buffer through the life
++of the connection. You would want to make sure that this option is enabled
++for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
++default is yes.
++
++NoneEnabled=[yes/no] client/server
++ enable or disable the use of the None cipher. Care must always be used
++when enabling this as it will allow users to send data in the clear. However,
++it is important to note that authentication information remains encrypted
++even if this option is enabled. Set to no by default.
++
++NoneSwitch=[yes/no] client
++ Switch the encryption cipher being used to the None cipher after
++authentication takes place. NoneEnabled must be enabled on both the client
++and server side of the connection. When the connection switches to the NONE
++cipher a warning is sent to STDERR. The connection attempt will fail with an
++error if a client requests a NoneSwitch from the server that does not explicitly
++have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
++interactive (shell) sessions and it will fail silently. Set to no by default.
++
++HPNDisabled=[yes/no] client/server
++ In some situations, such as transfers on a local area network, the impact
++of the HPN code produces a net decrease in performance. In these cases it is
++helpful to disable the HPN functionality. By default HPNDisabled is set to no.
++
++HPNBufferSize=[int]KB client/server
++ This is the default buffer size the HPN functionality uses when interacting
++with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
++option as applied to the internal SSH flow control. This value can range from
++1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
++problems depending on the length of the network path. The default size of this buffer
++is 2MB.
++
++
++Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
++ The majority of the actual coding for versions up to HPN12v1 was performed
++ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
++ implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota
++ (tasota@gmail.com) an NSF REU grant recipient for 2013.
++ This work was financed, in part, by Cisco System, Inc., the National
++ Library of Medicine, and the National Science Foundation.
+diff -rNuwpB canonical/readconf.c dynamic/readconf.c
+--- canonical/readconf.c 2013-04-04 20:18:58.000000000 -0400
++++ dynamic/readconf.c 2013-08-14 14:06:00.895326378 -0400
+@@ -135,6 +135,7 @@ typedef enum {
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oKexAlgorithms, oIPQoS, oRequestTTY,
-+ oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
-+ oHPNBufferSize,
++ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
oDeprecated, oUnsupported
} OpCodes;
-@@ -247,6 +249,13 @@ static struct {
+@@ -247,6 +248,11 @@ static struct {
{ "ipqos", oIPQoS },
{ "requesttty", oRequestTTY },
-+ { "noneenabled", oNoneEnabled },
+ { "tcprcvbufpoll", oTcpRcvBufPoll },
+ { "tcprcvbuf", oTcpRcvBuf },
-+ { "noneswitch", oNoneSwitch },
+ { "hpndisabled", oHPNDisabled },
+ { "hpnbuffersize", oHPNBufferSize },
+
{ NULL, oBadOption }
};
-@@ -495,6 +504,36 @@ parse_flag:
+@@ -515,6 +521,18 @@ parse_flag:
intptr = &options->check_host_ip;
goto parse_flag;
-+ case oNoneEnabled:
-+ intptr = &options->none_enabled;
-+ goto parse_flag;
-+
-+ /* we check to see if the command comes from the */
-+ /* command line or not. If it does then enable it */
-+ /* otherwise fail. NONE should never be a default configuration */
-+ case oNoneSwitch:
-+ if(strcmp(filename,"command-line") == 0) {
-+ intptr = &options->none_switch;
-+ goto parse_flag;
-+ } else {
-+ error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
-+ error("Continuing...");
-+ debug("NoneSwitch directive found in %.200s.", filename);
-+ return 0;
-+ }
-+
+ case oHPNDisabled:
+ intptr = &options->hpn_disabled;
+ goto parse_flag;
@@ -875,7 +456,7 @@ index 097bb05..b9b2fd6 100644
case oVerifyHostKeyDNS:
intptr = &options->verify_host_key_dns;
goto parse_yesnoask;
-@@ -680,6 +719,10 @@ parse_int:
+@@ -698,6 +716,10 @@ parse_int:
intptr = &options->connection_attempts;
goto parse_int;
@@ -886,13 +467,11 @@ index 097bb05..b9b2fd6 100644
case oCipher:
intptr = &options->cipher;
arg = strdelim(&s);
-@@ -1203,6 +1246,13 @@ initialize_options(Options * options)
+@@ -1222,6 +1244,11 @@ initialize_options(Options * options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->request_tty = -1;
+
-+ options->none_switch = -1;
-+ options->none_enabled = -1;
+ options->hpn_disabled = -1;
+ options->hpn_buffer_size = -1;
+ options->tcp_rcv_buf_poll = -1;
@@ -900,25 +479,24 @@ index 097bb05..b9b2fd6 100644
}
/*
-@@ -1339,6 +1389,29 @@ fill_default_options(Options * options)
+@@ -1345,6 +1372,28 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
-+ if (options->none_switch == -1)
-+ options->none_switch = 0;
+ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
+ if (options->hpn_buffer_size > -1)
+ {
+ /* if a user tries to set the size to 0 set it to 1KB */
+ if (options->hpn_buffer_size == 0)
-+ options->hpn_buffer_size = 1024;
++ options->hpn_buffer_size = 1;
+ /*limit the buffer to 64MB*/
-+ if (options->hpn_buffer_size > 65536)
++ if (options->hpn_buffer_size > 64*1024)
+ {
-+ options->hpn_buffer_size = 65536*1024;
++ options->hpn_buffer_size = 64*1024*1024;
+ debug("User requested buffer larger than 64MB. Request reverted to 64MB");
+ }
++ else options->hpn_buffer_size *= 1024;
+ debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
+ }
+ if (options->tcp_rcv_buf == 0)
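Review bot: In the readconf.c hunk, fill_default_options() now rewrites `options->hpn_buffer_size` in place from kilobytes to bytes, and the only sign of that is the bare `else options->hpn_buffer_size *= 1024;` trailing a braced block. A second pass over the same Options struct would scale or clamp the value again, so the unit change deserves a comment where it happens, e.g. `/* HPNBufferSize is configured in KB; from here on the field holds bytes */`. The branch would also read more safely braced as `} else {` / `options->hpn_buffer_size *= 1024;` / `}`. Values below -1 skip the whole block; whether the integer parser outside this hunk can produce them is not visible here. The function starts and ends outside the hunk.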
@@ -930,10 +508,9 @@ index 097bb05..b9b2fd6 100644
if (options->control_master == -1)
options->control_master = 0;
if (options->control_persist == -1) {
-diff --git a/readconf.h b/readconf.h
-index be30ee0..6480539 100644
---- a/readconf.h
-+++ b/readconf.h
+diff -rNuwpB canonical/readconf.h dynamic/readconf.h
+--- canonical/readconf.h 2013-04-04 20:18:58.000000000 -0400
++++ dynamic/readconf.h 2013-08-14 14:06:26.768478684 -0400
@@ -61,6 +61,10 @@ typedef struct {
int compression_level; /* Compression level 1 (fast) to 9
* (best). */
@@ -945,19 +522,9 @@ index be30ee0..6480539 100644
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
LogLevel log_level; /* Level for logging. */
-@@ -109,6 +113,8 @@ typedef struct {
-
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int none_switch; /* Use none cipher */
-+ int none_enabled; /* Allow none to be used */
- int no_host_authentication_for_localhost;
- int identities_only;
- int server_alive_interval;
-diff --git a/scp.c b/scp.c
-index 645d740..0cd0666 100644
---- a/scp.c
-+++ b/scp.c
+diff -rNuwpB canonical/scp.c dynamic/scp.c
+--- canonical/scp.c 2013-03-19 21:55:15.000000000 -0400
++++ dynamic/scp.c 2013-08-14 13:56:39.131511381 -0400
@@ -731,7 +731,7 @@ source(int argc, char **argv)
off_t i, statbytes;
size_t amt;
@@ -976,22 +543,20 @@ index 645d740..0cd0666 100644
struct timeval tv[2];
#define atime tv[0]
-diff --git a/servconf.c b/servconf.c
-index b2a60fd..0f150c5 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -143,6 +143,10 @@ initialize_server_options(ServerOptions *options)
+diff -rNuwpB canonical/servconf.c dynamic/servconf.c
+--- canonical/servconf.c 2013-02-11 19:02:08.000000000 -0500
++++ dynamic/servconf.c 2013-08-14 14:07:46.843512578 -0400
+@@ -143,6 +143,9 @@ initialize_server_options(ServerOptions
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
options->authorized_principals_file = NULL;
-+ options->none_enabled = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->hpn_disabled = -1;
+ options->hpn_buffer_size = -1;
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
-@@ -151,6 +155,11 @@ initialize_server_options(ServerOptions *options)
+@@ -151,6 +154,11 @@ initialize_server_options(ServerOptions
void
fill_default_server_options(ServerOptions *options)
{
@@ -1003,12 +568,13 @@ index b2a60fd..0f150c5 100644
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
-@@ -291,6 +300,40 @@ fill_default_server_options(ServerOptions *options)
- if (use_privsep == -1)
- use_privsep = PRIVSEP_NOSANDBOX;
-
-+ if (options->hpn_disabled == -1)
+@@ -281,6 +289,43 @@ fill_default_server_options(ServerOption
+ options->permit_tun = SSH_TUNMODE_NO;
+ if (options->zero_knowledge_password_authentication == -1)
+ options->zero_knowledge_password_authentication = 0;
++ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
++
+ if (options->hpn_buffer_size == -1) {
+ /* option not explicitly set. Now we have to figure out */
+ /* what value to use */
@@ -1019,12 +585,13 @@ index b2a60fd..0f150c5 100644
+ /*create a socket but don't connect it */
+ /* we use that the get the rcv socket size */
+ sock = socket(AF_INET, SOCK_STREAM, 0);
-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+ &socksize, &socksizelen);
+ close(sock);
+ options->hpn_buffer_size = socksize;
+ debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
-+ }
++
++ }
+ } else {
+ /* we have to do this incase the user sets both values in a contradictory */
+ /* manner. hpn_disabled overrrides hpn_buffer_size*/
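Review bot: The probe socket in the servconf.c hunk is used without checking either call: `socket(AF_INET, SOCK_STREAM, 0)` can return -1 (descriptor exhaustion, or a host without IPv4 support) and `getsockopt()` can fail, yet `socksize` is copied into `options->hpn_buffer_size` regardless. The declarations of `sock`, `socksize` and `socksizelen` sit outside the hunk, so whether `socksize` has an initial value cannot be confirmed here; if it does not, the server's HPN buffer size comes from an indeterminate value. Checking both return values and falling back to `CHAN_TCP_WINDOW_DEFAULT`, which this function already uses a few lines further down, keeps the size well defined. fill_default_server_options() begins and ends outside the hunk.

```c
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) {
	debug("HPN: could not create probe socket, using default window");
	options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
} else {
	if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
	    &socksize, &socksizelen) < 0)
		options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
	else
		options->hpn_buffer_size = socksize;
	close(sock);
}
/* … unchanged: debug("HPN Buffer Size: …") … */
```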
@@ -1041,43 +608,40 @@ index b2a60fd..0f150c5 100644
+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ }
+
- #ifndef HAVE_MMAP
- if (use_privsep && options->compression == 1) {
- error("This platform does not support both privilege "
-@@ -332,6 +375,7 @@ typedef enum {
++
+ if (options->ip_qos_interactive == -1)
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+@@ -332,6 +377,7 @@ typedef enum {
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
-+ sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods,
-@@ -457,6 +501,10 @@ static struct {
+@@ -457,6 +503,9 @@ static struct {
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-+ { "noneenabled", sNoneEnabled, SSHCFG_ALL },
+ { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
+ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
+ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -489,6 +537,7 @@ parse_token(const char *cp, const char *filename,
+@@ -489,6 +538,7 @@ parse_token(const char *cp, const char *
for (i = 0; keywords[i].name; i++)
if (strcasecmp(cp, keywords[i].name) == 0) {
-+ debug ("Config token is %s", keywords[i].name);
++ debug ("Config token is %s", keywords[i].name);
*flags = keywords[i].flags;
return keywords[i].opcode;
}
-@@ -1005,6 +1054,22 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1005,6 +1055,19 @@ process_server_config_line(ServerOptions
*intptr = value;
break;
-+ case sNoneEnabled:
-+ intptr = &options->none_enabled;
-+ goto parse_flag;
+
+ case sTcpRcvBufPoll:
+ intptr = &options->tcp_rcv_buf_poll;
@@ -1094,110 +658,23 @@ index b2a60fd..0f150c5 100644
case sIgnoreUserKnownHosts:
intptr = &options->ignore_user_known_hosts;
goto parse_flag;
-diff --git a/servconf.h b/servconf.h
-index 870c709..f042fe4 100644
---- a/servconf.h
-+++ b/servconf.h
-@@ -164,6 +164,10 @@ typedef struct {
+diff -rNuwpB canonical/servconf.h dynamic/servconf.h
+--- canonical/servconf.h 2013-01-08 23:56:45.000000000 -0500
++++ dynamic/servconf.h 2013-08-14 14:08:00.893421688 -0400
+@@ -164,6 +164,9 @@ typedef struct {
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
-+ int none_enabled; /* enable NONE cipher switch */
+ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
+ int hpn_disabled; /* disable hpn functionality. false by default */
+ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
int permit_tun;
-diff --git a/serverloop.c b/serverloop.c
-index e224bd0..4d642d5 100644
---- a/serverloop.c
-+++ b/serverloop.c
-@@ -94,10 +94,10 @@ static int fdin; /* Descriptor for stdin (for writing) */
- static int fdout; /* Descriptor for stdout (for reading);
- May be same number as fdin. */
- static int fderr; /* Descriptor for stderr. May be -1. */
--static long stdin_bytes = 0; /* Number of bytes written to stdin. */
--static long stdout_bytes = 0; /* Number of stdout bytes sent to client. */
--static long stderr_bytes = 0; /* Number of stderr bytes sent to client. */
--static long fdout_bytes = 0; /* Number of stdout bytes read from program. */
-+static u_long stdin_bytes = 0; /* Number of bytes written to stdin. */
-+static u_long stdout_bytes = 0; /* Number of stdout bytes sent to client. */
-+static u_long stderr_bytes = 0; /* Number of stderr bytes sent to client. */
-+static u_long fdout_bytes = 0; /* Number of stdout bytes read from program. */
- static int stdin_eof = 0; /* EOF message received from client. */
- static int fdout_eof = 0; /* EOF encountered reading from fdout. */
- static int fderr_eof = 0; /* EOF encountered readung from fderr. */
-@@ -122,6 +122,20 @@ static volatile sig_atomic_t received_sigterm = 0;
- static void server_init_dispatch(void);
-
- /*
-+ * Returns current time in seconds from Jan 1, 1970 with the maximum
-+ * available resolution.
-+ */
-+
-+static double
-+get_current_time(void)
-+{
-+ struct timeval tv;
-+ gettimeofday(&tv, NULL);
-+ return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
-+}
-+
-+
-+/*
- * we write to this pipe if a SIGCHLD is caught in order to avoid
- * the race between select() and child_terminated
- */
-@@ -420,6 +434,7 @@ process_input(fd_set *readset)
- } else {
- /* Buffer any received data. */
- packet_process_incoming(buf, len);
-+ fdout_bytes += len;
- }
- }
- if (compat20)
-@@ -442,6 +457,7 @@ process_input(fd_set *readset)
- } else {
- buffer_append(&stdout_buffer, buf, len);
- fdout_bytes += len;
-+ debug ("FD out now: %ld", fdout_bytes);
- }
- }
- /* Read and buffer any available stderr data from the program. */
-@@ -509,7 +525,7 @@ process_output(fd_set *writeset)
- }
- /* Send any buffered packet data to the client. */
- if (FD_ISSET(connection_out, writeset))
-- packet_write_poll();
-+ stdin_bytes += packet_write_poll();
- }
-
- /*
-@@ -826,8 +842,10 @@ server_loop2(Authctxt *authctxt)
- {
- fd_set *readset = NULL, *writeset = NULL;
- int rekeying = 0, max_fd, nalloc = 0;
-+ double start_time, total_time;
-
- debug("Entering interactive session for SSH2.");
-+ start_time = get_current_time();
-
- mysignal(SIGCHLD, sigchld_handler);
- child_terminated = 0;
-@@ -889,6 +907,11 @@ server_loop2(Authctxt *authctxt)
-
- /* free remaining sessions, e.g. remove wtmp entries */
- session_destroy_all(NULL);
-+ total_time = get_current_time() - start_time;
-+ logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f",
-+ get_remote_ipaddr(), get_remote_port(),
-+ stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time,
-+ fdout_bytes / total_time);
- }
-
- static void
-@@ -1011,8 +1034,12 @@ server_request_tun(void)
+diff -rNuwpB canonical/serverloop.c dynamic/serverloop.c
+--- canonical/serverloop.c 2012-12-06 21:07:47.000000000 -0500
++++ dynamic/serverloop.c 2013-08-14 13:56:39.128511264 -0400
+@@ -1011,8 +1011,12 @@ server_request_tun(void)
sock = tun_open(tun, mode);
if (sock < 0)
goto done;
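Review bot: The comment on the `hpn_buffer_size` member added to servconf.h says "default 3MB", which matches neither the README text carried by this same patch (2MB) nor the servconf.c hunk, where an unset value appears to be taken from a probe socket's `SO_RCVBUF`. A comment that points at the code avoids the stale figure, e.g. `int hpn_buffer_size; /* HPN buffer size; when unset, derived in fill_default_server_options() */`. The struct starts and ends outside the hunk.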
@@ -1210,7 +687,7 @@ index e224bd0..4d642d5 100644
c->datagram = 1;
#if defined(SSH_TUN_FILTER)
if (mode == SSH_TUNMODE_POINTOPOINT)
-@@ -1048,6 +1075,8 @@ server_request_session(void)
+@@ -1048,6 +1052,8 @@ server_request_session(void)
c = channel_new("session", SSH_CHANNEL_LARVAL,
-1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
0, "server-session", 1);
@@ -1219,11 +696,10 @@ index e224bd0..4d642d5 100644
if (session_open(the_authctxt, c->self) != 1) {
debug("session open failed, free channel %d", c->self);
channel_free(c);
-diff --git a/session.c b/session.c
-index 19eaa20..57ebeca 100644
---- a/session.c
-+++ b/session.c
-@@ -236,6 +236,7 @@ auth_input_request_forwarding(struct passwd * pw)
+diff -rNuwpB canonical/session.c dynamic/session.c
+--- canonical/session.c 2013-03-14 20:22:37.000000000 -0400
++++ dynamic/session.c 2013-08-14 13:56:39.146511349 -0400
+@@ -236,6 +236,7 @@ auth_input_request_forwarding(struct pas
}
/* Allocate a channel for the authentication agent socket. */
@@ -1231,7 +707,7 @@ index 19eaa20..57ebeca 100644
nc = channel_new("auth socket",
SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-@@ -2286,10 +2287,16 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr,
+@@ -2286,10 +2287,16 @@ session_set_fds(Session *s, int fdin, in
*/
if (s->chanid == -1)
fatal("no channel for session %d", s->self);
@@ -1248,10 +724,9 @@ index 19eaa20..57ebeca 100644
}
/*
-diff --git a/sftp.1 b/sftp.1
-index bcb4721..284d618 100644
---- a/sftp.1
-+++ b/sftp.1
+diff -rNuwpB canonical/sftp.1 dynamic/sftp.1
+--- canonical/sftp.1 2011-09-22 07:34:15.000000000 -0400
++++ dynamic/sftp.1 2013-08-14 13:56:39.114506902 -0400
@@ -247,7 +247,8 @@ diagnostic messages from
Specify how many requests may be outstanding at any one time.
Increasing this may slightly improve file transfer speed
@@ -1262,10 +737,9 @@ index bcb4721..284d618 100644
.It Fl r
Recursively copy entire directories when uploading and downloading.
Note that
-diff --git a/sftp.c b/sftp.c
-index 342ae7e..65dacd9 100644
---- a/sftp.c
-+++ b/sftp.c
+diff -rNuwpB canonical/sftp.c dynamic/sftp.c
+--- canonical/sftp.c 2013-02-22 17:12:24.000000000 -0500
++++ dynamic/sftp.c 2013-08-14 13:56:39.129511313 -0400
@@ -65,7 +65,7 @@ typedef void EditLine;
#include "sftp-client.h"
@@ -1275,22 +749,10 @@ index 342ae7e..65dacd9 100644
/* File to read commands from */
FILE* infile;
-diff --git a/ssh.c b/ssh.c
-index 3f61eb0..62f56de 100644
---- a/ssh.c
-+++ b/ssh.c
-@@ -579,6 +579,10 @@ main(int ac, char **av)
- break;
- case 'T':
- options.request_tty = REQUEST_TTY_NO;
-+ /* ensure that the user doesn't try to backdoor a */
-+ /* null cipher switch on an interactive session */
-+ /* so explicitly disable it no matter what */
-+ options.none_switch=0;
- break;
- case 'o':
- dummy = 1;
-@@ -1372,6 +1376,9 @@ ssh_session2_open(void)
+diff -rNuwpB canonical/ssh.c dynamic/ssh.c
+--- canonical/ssh.c 2013-04-04 20:22:36.000000000 -0400
++++ dynamic/ssh.c 2013-08-14 14:09:15.549478496 -0400
+@@ -1369,6 +1369,9 @@ ssh_session2_open(void)
{
Channel *c;
int window, packetmax, in, out, err;
@@ -1300,7 +762,7 @@ index 3f61eb0..62f56de 100644
if (stdin_null_flag) {
in = open(_PATH_DEVNULL, O_RDONLY);
-@@ -1392,9 +1399,74 @@ ssh_session2_open(void)
+@@ -1389,9 +1392,74 @@ ssh_session2_open(void)
if (!isatty(err))
set_nonblock(err);
@@ -1376,7 +838,7 @@ index 3f61eb0..62f56de 100644
window >>= 1;
packetmax >>= 1;
}
-@@ -1403,6 +1475,10 @@ ssh_session2_open(void)
+@@ -1400,6 +1468,10 @@ ssh_session2_open(void)
window, packetmax, CHAN_EXTENDED_WRITE,
"client-session", /*nonblock*/0);
@@ -1387,11 +849,10 @@ index 3f61eb0..62f56de 100644
debug3("ssh_session2_open: channel_new: %d", c->self);
channel_send_open(c->self);
-diff --git a/sshconnect.c b/sshconnect.c
-index 07800a6..6b2b3c0 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -182,6 +182,31 @@ ssh_kill_proxy_command(void)
+diff -rNuwpB canonical/sshconnect.c dynamic/sshconnect.c
+--- canonical/sshconnect.c 2013-04-04 20:20:19.000000000 -0400
++++ dynamic/sshconnect.c 2013-08-14 13:56:39.130511360 -0400
+@@ -189,6 +189,31 @@ ssh_kill_proxy_command(void)
}
/*
@@ -1423,7 +884,7 @@ index 07800a6..6b2b3c0 100644
* Creates a (possibly privileged) socket for use as the ssh connection.
*/
static int
-@@ -204,6 +229,8 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
+@@ -211,6 +236,8 @@ ssh_create_socket(int privileged, struct
strerror(errno));
else
debug("Allocated local port %d.", p);
@@ -1432,7 +893,7 @@ index 07800a6..6b2b3c0 100644
return sock;
}
sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-@@ -213,6 +240,9 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
+@@ -220,6 +247,9 @@ ssh_create_socket(int privileged, struct
}
fcntl(sock, F_SETFD, FD_CLOEXEC);
@@ -1442,7 +903,7 @@ index 07800a6..6b2b3c0 100644
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL)
return sock;
-@@ -435,10 +465,10 @@ send_client_banner(int connection_out, int minor1)
+@@ -442,10 +472,10 @@ send_client_banner(int connection_out, i
/* Send our own protocol version identification. */
if (compat20) {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -1455,56 +916,9 @@ index 07800a6..6b2b3c0 100644
}
if (roaming_atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
-diff --git a/sshconnect2.c b/sshconnect2.c
-index d6af0b9..9b0aea2 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -81,6 +81,12 @@
- extern char *client_version_string;
- extern char *server_version_string;
- extern Options options;
-+extern Kex *xxx_kex;
-+
-+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
-+/* if it is set then prevent the switch to the null cipher */
-+
-+extern int tty_flag;
-
- /*
- * SSH2 key exchange
-@@ -421,6 +427,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
- pubkey_cleanup(&authctxt);
- dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
-
-+ /* if the user wants to use the none cipher do it */
-+ /* post authentication and only if the right conditions are met */
-+ /* both of the NONE commands must be true and there must be no */
-+ /* tty allocated */
-+ if ((options.none_switch == 1) && (options.none_enabled == 1))
-+ {
-+ if (!tty_flag) /* no null on tty sessions */
-+ {
-+ debug("Requesting none rekeying...");
-+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
-+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
-+ kex_prop2buf(&xxx_kex->my,myproposal);
-+ packet_request_rekeying();
-+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
-+ }
-+ else
-+ {
-+ /* requested NONE cipher when in a tty */
-+ debug("Cannot switch to NONE cipher with tty allocated");
-+ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
-+ }
-+ }
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
-diff --git a/sshd.c b/sshd.c
-index 3e9d176..b05b2df 100644
---- a/sshd.c
-+++ b/sshd.c
+diff -rNuwpB canonical/sshd.c dynamic/sshd.c
+--- canonical/sshd.c 2013-02-11 19:04:48.000000000 -0500
++++ dynamic/sshd.c 2013-08-14 14:10:20.793512623 -0400
@@ -138,6 +138,9 @@ int deny_severity;
#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4)
@@ -1515,7 +929,7 @@ index 3e9d176..b05b2df 100644
extern char *__progname;
/* Server configuration options. */
-@@ -430,7 +433,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
+@@ -430,7 +433,7 @@ sshd_exchange_identification(int sock_in
}
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -1524,17 +938,7 @@ index 3e9d176..b05b2df 100644
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
-@@ -482,6 +485,9 @@ sshd_exchange_identification(int sock_in, int sock_out)
- }
- debug("Client protocol version %d.%d; client software version %.100s",
- remote_major, remote_minor, remote_version);
-+ logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
-+ get_remote_ipaddr(), get_remote_port(),
-+ remote_major, remote_minor, remote_version);
-
- compat_datafellows(remote_version);
-
-@@ -1038,6 +1044,8 @@ server_listen(void)
+@@ -1038,6 +1041,8 @@ server_listen(void)
int ret, listen_sock, on = 1;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1543,7 +947,7 @@ index 3e9d176..b05b2df 100644
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1078,6 +1086,11 @@ server_listen(void)
+@@ -1078,6 +1083,11 @@ server_listen(void)
debug("Bind to port %s on %s.", strport, ntop);
@@ -1555,7 +959,7 @@ index 3e9d176..b05b2df 100644
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
error("Bind to port %s on %s failed: %.200s.",
-@@ -1976,6 +1989,9 @@ main(int ac, char **av)
+@@ -1976,6 +1986,9 @@ main(int ac, char **av)
/* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port);
@@ -1565,7 +969,7 @@ index 3e9d176..b05b2df 100644
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
-@@ -2332,9 +2348,15 @@ do_ssh2_kex(void)
+@@ -2332,6 +2345,8 @@ do_ssh2_kex(void)
{
Kex *kex;
@@ -1574,18 +978,10 @@ index 3e9d176..b05b2df 100644
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
-+ } else if (options.none_enabled == 1) {
-+ debug ("WARNING: None cipher enabled");
-+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE;
- }
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-diff --git a/sshd_config b/sshd_config
-index 9cd2fdd..27f43eb 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -120,6 +120,20 @@ UsePrivilegeSeparation sandbox # Default for new installations.
+diff -rNuwpB canonical/sshd_config dynamic/sshd_config
+--- canonical/sshd_config 2013-02-11 19:02:09.000000000 -0500
++++ dynamic/sshd_config 2013-08-14 14:09:54.107478485 -0400
+@@ -120,6 +120,17 @@ UsePrivilegeSeparation sandbox # Defaul
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
@@ -1593,9 +989,6 @@ index 9cd2fdd..27f43eb 100644
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
-+# allow the use of the none cipher
-+#NoneEnabled no
-+
+# disable hpn performance boosts
+#HPNDisabled no
+
@@ -1606,14 +999,13 @@ index 9cd2fdd..27f43eb 100644
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 784f707..c8f04d5 100644
---- a/version.h
-+++ b/version.h
+diff -rNuwpB canonical/version.h dynamic/version.h
+--- canonical/version.h 2013-05-10 02:02:21.000000000 -0400
++++ dynamic/version.h 2013-08-14 15:27:52.736478576 -0400
@@ -3,4 +3,5 @@
#define SSH_VERSION "OpenSSH_6.2"
- #define SSH_PORTABLE "p1"
+ #define SSH_PORTABLE "p2"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn13v11"
++#define SSH_HPN "-hpn14v1"
+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN