Ticket #50852: 7.2p2-patch.diff

File 7.2p2-patch.diff, 44.9 KB (added by danielluke (Daniel J. Luke), 9 years ago)

version bump, rename hpn patchfile

  • Portfile

     
    44PortSystem          1.0
    55
    66name                openssh
    7 version             7.2p1
    8 revision            0
     7version             7.2p2
    98categories          net
    109platforms           darwin
    1110maintainers         nomaintainer
     
    2827homepage            http://www.openbsd.org/openssh/
    2928
    3029checksums           ${distfiles} \
    31                     rmd160  8af707c17337f223d5cbd1c7510f73dde2b22ff5 \
    32                     sha256  973cc37b2f3597e4cf599b09e604e79c0fe5d9b6f595a24e91ed0662860b4ac3
     30                    rmd160  d18d73719ceeefa5116b5b741124f3604d7ddb99 \
     31                    sha256  a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c
    3332
    3433master_sites        openbsd:OpenSSH/portable \
    3534                    ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \
  • files/openssh-7.2p1-hpnssh14v5.diff

     
    1 --- /dev/null   1970-01-01 00:00:00.000000000 +0000
    2 +++ b/HPN-README        2016-03-01 04:32:19.000000000 +0100
    3 @@ -0,0 +1,129 @@
    4 +Notes:
    5 +
    6 +MULTI-THREADED CIPHER:
    7 +The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
    8 +on hosts with multiple cores to use more than one processing core during encryption.
    9 +Tests have show significant throughput performance increases when using MTR-AES-CTR up
    10 +to and including a full gigabit per second on quad core systems. It should be possible to
    11 +achieve full line rate on dual core systems but OS and data management overhead makes this
    12 +more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
    13 +thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
    14 +performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
    15 +The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
    16 +nomenclature.
    17 +Use examples:  ssh -caes128-ctr you@host.com
    18 +               scp -oCipher=aes256-ctr file you@host.com:~/file
    19 +
    20 +NONE CIPHER:
    21 +To use the NONE option you must have the NoneEnabled switch set on the server and
    22 +you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
    23 +feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
    24 +spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
    25 +be disabled.
    26 +
    27 +The performance increase will only be as good as the network and TCP stack tuning
    28 +on the receiver side of the connection allows. As a rule of thumb a user will need
    29 +at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
    30 +HPN-SSH home page describes this in greater detail.
    31 +
    32 +http://www.psc.edu/networking/projects/hpn-ssh
    33 +
    34 +BUFFER SIZES:
    35 +
    36 +If HPN is disabled the receive buffer size will be set to the
    37 +OpenSSH default of 64K.
    38 +
    39 +If an HPN system connects to a nonHPN system the receive buffer will
    40 +be set to the HPNBufferSize value. The default is 2MB but user adjustable.
    41 +
    42 +If an HPN to HPN connection is established a number of different things might
    43 +happen based on the user options and conditions.
    44 +
    45 +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
    46 +HPN Buffer Size = up to 64MB
    47 +This is the default state. The HPN buffer size will grow to a maximum of 64MB
    48 +as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
    49 +geared towards 10GigE transcontinental connections.
    50 +
    51 +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
    52 +HPN Buffer Size = TCP receive buffer value.
    53 +Users on non-autotuning systesm should disable TCPRcvBufPoll in the
    54 +ssh_cofig and sshd_config
    55 +
    56 +Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
    57 +HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
    58 +This would be the system defined TCP receive buffer (RWIN).
    59 +
    60 +Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
    61 +HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
    62 +Generally there is no need to set both.
    63 +
    64 +Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
    65 +HPN Buffer Size = grows to HPNBufferSize
    66 +The buffer will grow up to the maximum size specified here.
    67 +
    68 +Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
    69 +HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
    70 +Generally there is no need to set both of these, especially on autotuning
    71 +systems. However, if the users wishes to override the autotuning this would be
    72 +one way to do it.
    73 +
    74 +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
    75 +HPN Buffer Size = TCPRcvBuf.
    76 +This will override autotuning and set the TCP recieve buffer to the user defined
    77 +value.
    78 +
    79 +
    80 +HPN Specific Configuration options
    81 +
    82 +TcpRcvBuf=[int]KB client
    83 +      set the TCP socket receive buffer to n Kilobytes. It can be set up to the
    84 +maximum socket size allowed by the system. This is useful in situations where
    85 +the tcp receive window is set low but the maximum buffer size is set
    86 +higher (as is typical). This works on a per TCP connection basis. You can also
    87 +use this to artifically limit the transfer rate of the connection. In these
    88 +cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
    89 +Default is the current system wide tcp receive buffer size.
    90 +
    91 +TcpRcvBufPoll=[yes/no] client/server
    92 +      enable of disable the polling of the tcp receive buffer through the life
    93 +of the connection. You would want to make sure that this option is enabled
    94 +for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
    95 +default is yes.
    96 +
    97 +NoneEnabled=[yes/no] client/server
    98 +      enable or disable the use of the None cipher. Care must always be used
    99 +when enabling this as it will allow users to send data in the clear. However,
    100 +it is important to note that authentication information remains encrypted
    101 +even if this option is enabled. Set to no by default.
    102 +
    103 +NoneSwitch=[yes/no] client
    104 +     Switch the encryption cipher being used to the None cipher after
    105 +authentication takes place. NoneEnabled must be enabled on both the client
    106 +and server side of the connection. When the connection switches to the NONE
    107 +cipher a warning is sent to STDERR. The connection attempt will fail with an
    108 +error if a client requests a NoneSwitch from the server that does not explicitly
    109 +have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
    110 +interactive (shell) sessions and it will fail silently. Set to no by default.
    111 +
    112 +HPNDisabled=[yes/no] client/server
    113 +     In some situations, such as transfers on a local area network, the impact
    114 +of the HPN code produces a net decrease in performance. In these cases it is
    115 +helpful to disable the HPN functionality. By default HPNDisabled is set to no.
    116 +
    117 +HPNBufferSize=[int]KB client/server
    118 +     This is the default buffer size the HPN functionality uses when interacting
    119 +with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
    120 +option as applied to the internal SSH flow control. This value can range from
    121 +1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
    122 +problems depending on the length of the network path. The default size of this buffer
    123 +is 2MB.
    124 +
    125 +
    126 +Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
    127 +         The majority of the actual coding for versions up to HPN12v1 was performed
    128 +         by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
    129 +        implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota
    130 +        (tasota@gmail.com) an NSF REU grant recipient for 2013.
    131 +        This work was financed, in part, by Cisco System, Inc., the National
    132 +         Library of Medicine, and the National Science Foundation.
    133 --- a/channels.c        2016-03-01 04:32:11.000000000 +0100
    134 +++ b/channels.c        2016-03-01 04:32:19.000000000 +0100
    135 @@ -186,6 +186,12 @@ static void port_open_helper(Channel *c,
    136  static int connect_next(struct channel_connect *);
    137  static void channel_connect_ctx_free(struct channel_connect *);
    138  
    139 +
    140 +#ifdef HPN_ENABLED
    141 +static int hpn_disabled = 0;
    142 +static int hpn_buffer_size = 2 * 1024 * 1024;
    143 +#endif
    144 +
    145  /* -- channel core */
    146  
    147  Channel *
    148 @@ -336,6 +342,9 @@ channel_new(char *ctype, int type, int r
    149         c->local_window_max = window;
    150         c->local_consumed = 0;
    151         c->local_maxpacket = maxpack;
    152 +#ifdef HPN_ENABLED
    153 +       c->dynamic_window = 0;
    154 +#endif
    155         c->remote_id = -1;
    156         c->remote_name = xstrdup(remote_name);
    157         c->remote_window = 0;
    158 @@ -840,11 +849,41 @@ channel_pre_open_13(Channel *c, fd_set *
    159                 FD_SET(c->sock, writeset);
    160  }
    161  
    162 +#ifdef HPN_ENABLED
    163 +static u_int
    164 +channel_tcpwinsz(void)
    165 +{
    166 +       u_int32_t tcpwinsz = 0;
    167 +       socklen_t optsz = sizeof(tcpwinsz);
    168 +       int ret = -1;
    169 +
    170 +       /* if we aren't on a socket return 128KB */
    171 +       if (!packet_connection_is_on_socket())
    172 +               return (128*1024);
    173 +       ret = getsockopt(packet_get_connection_in(),
    174 +           SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
    175 +       /* return no more than SSHBUF_SIZE_MAX */
    176 +       if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX)
    177 +               tcpwinsz = SSHBUF_SIZE_MAX;
    178 +       debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
    179 +           packet_get_connection_in());
    180 +       return (tcpwinsz);
    181 +}
    182 +#endif
    183 +
    184  static void
    185  channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
    186  {
    187         u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
    188  
    189 +#ifdef HPN_ENABLED
    190 +       /* check buffer limits */
    191 +       if (!c->tcpwinsz || c->dynamic_window > 0)
    192 +               c->tcpwinsz = channel_tcpwinsz();
    193 +
    194 +       limit = MIN(limit, 2 * c->tcpwinsz);
    195 +#endif
    196 +
    197         if (c->istate == CHAN_INPUT_OPEN &&
    198             limit > 0 &&
    199             buffer_len(&c->input) < limit &&
    200 @@ -1862,6 +1901,20 @@ channel_check_window(Channel *c)
    201             c->local_maxpacket*3) ||
    202             c->local_window < c->local_window_max/2) &&
    203             c->local_consumed > 0) {
    204 +#ifdef HPN_ENABLED
    205 +               /* adjust max window size if we are in a dynamic environment */
    206 +               if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
    207 +                       u_int addition = 0;
    208 +
    209 +                       /*
    210 +                        * grow the window somewhat aggressively to maintain
    211 +                        * pressure
    212 +                        */
    213 +                       addition = 1.5*(c->tcpwinsz - c->local_window_max);
    214 +                       c->local_window_max += addition;
    215 +                       c->local_consumed += addition;
    216 +               }
    217 +#endif
    218                 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
    219                 packet_put_int(c->remote_id);
    220                 packet_put_int(c->local_consumed);
    221 @@ -2813,6 +2866,17 @@ channel_fwd_bind_addr(const char *listen
    222         return addr;
    223  }
    224  
    225 +#ifdef HPN_ENABLED
    226 +void
    227 +channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
    228 +{
    229 +       hpn_disabled = external_hpn_disabled;
    230 +       hpn_buffer_size = external_hpn_buffer_size;
    231 +       debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled,
    232 +           hpn_buffer_size);
    233 +}
    234 +#endif
    235 +
    236  static int
    237  channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
    238      int *allocated_listen_port, struct ForwardOptions *fwd_opts)
    239 @@ -2941,6 +3005,17 @@ channel_setup_fwd_listener_tcpip(int typ
    240                 }
    241  
    242                 /* Allocate a channel number for the socket. */
    243 +#ifdef HPN_ENABLED
    244 +               /*
    245 +                * explicitly test for hpn disabled option. if true use smaller
    246 +                * window size.
    247 +                */
    248 +               if (!hpn_disabled)
    249 +                       c = channel_new("port listener", type, sock, sock, -1,
    250 +                           hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
    251 +                           0, "port listener", 1);
    252 +               else
    253 +#endif
    254                 c = channel_new("port listener", type, sock, sock, -1,
    255                     CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
    256                     0, "port listener", 1);
    257 @@ -3975,6 +4050,14 @@ x11_create_display_inet(int x11_display_
    258         *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
    259         for (n = 0; n < num_socks; n++) {
    260                 sock = socks[n];
    261 +#ifdef HPN_ENABLED
    262 +               if (!hpn_disabled)
    263 +                       nc = channel_new("x11 listener",
    264 +                           SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
    265 +                           hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
    266 +                           0, "X11 inet listener", 1);
    267 +               else
    268 +#endif
    269                 nc = channel_new("x11 listener",
    270                     SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
    271                     CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
    272 --- a/channels.h        2016-02-26 04:40:04.000000000 +0100
    273 +++ b/channels.h        2016-03-01 04:32:19.000000000 +0100
    274 @@ -136,6 +136,10 @@ struct Channel {
    275         u_int   local_maxpacket;
    276         int     extended_usage;
    277         int     single_connection;
    278 +#ifdef HPN_ENABLED
    279 +       int     dynamic_window;
    280 +       u_int   tcpwinsz;
    281 +#endif
    282  
    283         char   *ctype;          /* type */
    284  
    285 @@ -312,4 +316,9 @@ void         chan_rcvd_ieof(Channel *);
    286  void    chan_write_failed(Channel *);
    287  void    chan_obuf_empty(Channel *);
    288  
    289 +#ifdef HPN_ENABLED
    290 +/* hpn handler */
    291 +void     channel_set_hpn(int, int);
    292 +#endif
    293 +
    294  #endif
    295 --- a/cipher.c  2016-02-26 04:40:04.000000000 +0100
    296 +++ b/cipher.c  2016-03-01 04:32:19.000000000 +0100
    297 @@ -244,7 +244,13 @@ ciphers_valid(const char *names)
    298         for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
    299             (p = strsep(&cp, CIPHER_SEP))) {
    300                 c = cipher_by_name(p);
    301 -               if (c == NULL || c->number != SSH_CIPHER_SSH2) {
    302 +               if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
    303 +#ifdef NONE_CIPHER_ENABLED
    304 +                                 c->number != SSH_CIPHER_NONE
    305 +#else
    306 +                                 1
    307 +#endif
    308 +                                 )) {
    309                         free(cipher_list);
    310                         return 0;
    311                 }
    312 @@ -544,6 +550,9 @@ cipher_get_keyiv(struct sshcipher_ctx *c
    313  
    314         switch (c->number) {
    315  #ifdef WITH_OPENSSL
    316 +#ifdef NONE_CIPHER_ENABLED
    317 +       case SSH_CIPHER_NONE:
    318 +#endif
    319         case SSH_CIPHER_SSH2:
    320         case SSH_CIPHER_DES:
    321         case SSH_CIPHER_BLOWFISH:
    322 @@ -592,6 +601,9 @@ cipher_set_keyiv(struct sshcipher_ctx *c
    323  
    324         switch (c->number) {
    325  #ifdef WITH_OPENSSL
    326 +#ifdef NONE_CIPHER_ENABLED
    327 +       case SSH_CIPHER_NONE:
    328 +#endif
    329         case SSH_CIPHER_SSH2:
    330         case SSH_CIPHER_DES:
    331         case SSH_CIPHER_BLOWFISH:
    332 --- a/clientloop.c      2016-03-01 04:32:11.000000000 +0100
    333 +++ b/clientloop.c      2016-03-01 04:32:19.000000000 +0100
    334 @@ -1995,6 +1995,15 @@ client_request_x11(const char *request_t
    335         sock = x11_connect_display();
    336         if (sock < 0)
    337                 return NULL;
    338 +#ifdef HPN_ENABLED
    339 +       /* again is this really necessary for X11? */
    340 +       if (!options.hpn_disabled)
    341 +               c = channel_new("x11",
    342 +                   SSH_CHANNEL_X11_OPEN, sock, sock, -1,
    343 +                   options.hpn_buffer_size,
    344 +                   CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
    345 +       else
    346 +#endif
    347         c = channel_new("x11",
    348             SSH_CHANNEL_X11_OPEN, sock, sock, -1,
    349             CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
    350 @@ -2020,6 +2029,14 @@ client_request_agent(const char *request
    351                             __func__, ssh_err(r));
    352                 return NULL;
    353         }
    354 +#ifdef HPN_ENABLED
    355 +       if (!options.hpn_disabled)
    356 +               c = channel_new("authentication agent connection",
    357 +                   SSH_CHANNEL_OPEN, sock, sock, -1,
    358 +                   options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
    359 +                   "authentication agent connection", 1);
    360 +       else
    361 +#endif
    362         c = channel_new("authentication agent connection",
    363             SSH_CHANNEL_OPEN, sock, sock, -1,
    364             CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
    365 @@ -2050,6 +2067,12 @@ client_request_tun_fwd(int tun_mode, int
    366                 return -1;
    367         }
    368  
    369 +#ifdef HPN_ENABLED
    370 +       if (!options.hpn_disabled)
    371 +               c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
    372 +                   options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
    373 +       else
    374 +#endif
    375         c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
    376             CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
    377         c->datagram = 1;
    378 --- a/compat.c  2016-02-26 04:40:04.000000000 +0100
    379 +++ b/compat.c  2016-03-01 04:32:19.000000000 +0100
    380 @@ -210,6 +210,14 @@ compat_datafellows(const char *version)
    381                         debug("match: %s pat %s compat 0x%08x",
    382                             version, check[i].pat, check[i].bugs);
    383                         datafellows = check[i].bugs;    /* XXX for now */
    384 +#ifdef HPN_ENABLED
    385 +                       /* Check to see if the remote side is OpenSSH and not HPN */
    386 +                       if (strstr(version,"OpenSSH") != NULL &&
    387 +                           strstr(version,"hpn") == NULL) {
    388 +                               datafellows |= SSH_BUG_LARGEWINDOW;
    389 +                               debug("Remote is NON-HPN aware");
    390 +                       }
    391 +#endif
    392                         return check[i].bugs;
    393                 }
    394         }
    395 --- a/compat.h  2016-02-26 04:40:04.000000000 +0100
    396 +++ b/compat.h  2016-03-01 04:32:19.000000000 +0100
    397 @@ -62,6 +62,9 @@
    398  #define SSH_BUG_CURVE25519PAD  0x10000000
    399  #define SSH_BUG_HOSTKEYS       0x20000000
    400  #define SSH_BUG_DHGEX_LARGE    0x40000000
    401 +#ifdef HPN_ENABLED
    402 +#define SSH_BUG_LARGEWINDOW     0x80000000
    403 +#endif
    404  
    405  void     enable_compat13(void);
    406  void     enable_compat20(void);
    407 --- a/configure.ac      2016-02-26 04:40:04.000000000 +0100
    408 +++ b/configure.ac      2016-03-01 04:32:19.000000000 +0100
    409 @@ -4321,6 +4321,25 @@ AC_ARG_WITH([maildir],
    410      ]
    411  ) # maildir
    412  
    413 +#check whether user wants HPN support
    414 +HPN_MSG="no"
    415 +AC_ARG_WITH(hpn,
    416 +       [  --with-hpn             Enable HPN support],
    417 +       [ if test "x$withval" != "xno" ; then
    418 +               AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.])
    419 +               HPN_MSG="yes"
    420 +       fi ]
    421 +)
    422 +#check whether user wants NONECIPHER support
    423 +NONECIPHER_MSG="no"
    424 +AC_ARG_WITH(nonecipher,
    425 +       [  --with-nonecipher             Enable NONECIPHER support],
    426 +       [ if test "x$withval" != "xno" ; then
    427 +               AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want NONECIPHER support.])
    428 +               NONECIPHER_MSG="yes"
    429 +       fi ]
    430 +)
    431 +
    432  if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
    433         AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
    434         disable_ptmx_check=yes
    435 @@ -4989,6 +5008,8 @@ echo "           Translate v4 in v6 hack
    436  echo "                  BSD Auth support: $BSD_AUTH_MSG"
    437  echo "              Random number source: $RAND_MSG"
    438  echo "             Privsep sandbox style: $SANDBOX_STYLE"
    439 +echo "                       HPN support: $HPN_MSG"
    440 +echo "                NONECIPHER support: $NONECIPHER_MSG"
    441  
    442  echo ""
    443  
    444 --- a/kex.c     2016-02-26 04:40:04.000000000 +0100
    445 +++ b/kex.c     2016-03-01 04:32:19.000000000 +0100
    446 @@ -822,6 +822,20 @@ kex_choose_conf(struct ssh *ssh)
    447                         peer[ncomp] = NULL;
    448                         goto out;
    449                 }
    450 +#ifdef NONE_CIPHER_ENABLED
    451 +               debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
    452 +               if (strcmp(newkeys->enc.name, "none") == 0) {
    453 +                       int auth_flag;
    454 +
    455 +                       auth_flag = ssh_packet_authentication_state(ssh);
    456 +                       debug("Requesting NONE. Authflag is %d", auth_flag);
    457 +                       if (auth_flag == 1) {
    458 +                               debug("None requested post authentication.");
    459 +                       } else {
    460 +                               fatal("Pre-authentication none cipher requests are not allowed.");
    461 +                       }
    462 +               }
    463 +#endif
    464                 debug("kex: %s cipher: %s MAC: %s compression: %s",
    465                     ctos ? "client->server" : "server->client",
    466                     newkeys->enc.name,
    467 --- a/packet.c  2016-02-26 04:40:04.000000000 +0100
    468 +++ b/packet.c  2016-03-01 04:32:19.000000000 +0100
    469 @@ -1037,6 +1037,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
    470         return 0;
    471  }
    472  
    473 +#ifdef NONE_CIPHER_ENABLED
    474 +/* this supports the forced rekeying required for the NONE cipher */
    475 +int rekey_requested = 0;
    476 +void
    477 +packet_request_rekeying(void)
    478 +{
    479 +       rekey_requested = 1;
    480 +}
    481 +
    482 +int
    483 +ssh_packet_authentication_state(struct ssh *ssh)
    484 +{
    485 +       struct session_state *state = ssh->state;
    486 +
    487 +       return(state->after_authentication);
    488 +}
    489 +#endif
    490 +
    491  #define MAX_PACKETS    (1U<<31)
    492  static int
    493  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
    494 @@ -1055,6 +1073,12 @@ ssh_packet_need_rekeying(struct ssh *ssh
    495         /* Peer can't rekey */
    496         if (ssh->compat & SSH_BUG_NOREKEY)
    497                 return 0;
    498 +#ifdef NONE_CIPHER_ENABLED
    499 +        if (rekey_requested == 1) {
    500 +               rekey_requested = 0;
    501 +               return 1;
    502 +        }
    503 +#endif
    504  
    505         /*
    506          * Permit one packet in or out per rekey - this allows us to
    507 --- a/packet.h  2016-02-26 04:40:04.000000000 +0100
    508 +++ b/packet.h  2016-03-01 04:32:19.000000000 +0100
    509 @@ -185,6 +185,11 @@ int        sshpkt_get_bignum2(struct ssh *ssh,
    510  int    sshpkt_get_end(struct ssh *ssh);
    511  const u_char   *sshpkt_ptr(struct ssh *, size_t *lenp);
    512  
    513 +#ifdef NONE_CIPHER_ENABLED
    514 +void  packet_request_rekeying(void);
    515 +int   ssh_packet_authentication_state(struct ssh *ssh);
    516 +#endif
    517 +
    518  /* OLD API */
    519  extern struct ssh *active_state;
    520  #include "opacket.h"
    521 --- a/readconf.c        2016-02-26 04:40:04.000000000 +0100
    522 +++ b/readconf.c        2016-03-01 04:32:19.000000000 +0100
    523 @@ -154,6 +154,12 @@ typedef enum {
    524         oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
    525         oVisualHostKey,
    526         oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
    527 +#ifdef HPN_ENABLED
    528 +       oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
    529 +#endif
    530 +#ifdef NONE_CIPHER_ENABLED
    531 +       oNoneSwitch, oNoneEnabled,
    532 +#endif
    533         oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
    534         oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
    535         oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
    536 @@ -280,6 +286,16 @@ static struct {
    537         { "updatehostkeys", oUpdateHostkeys },
    538         { "hostbasedkeytypes", oHostbasedKeyTypes },
    539         { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
    540 +#ifdef NONE_CIPHER_ENABLED
    541 +       { "noneenabled", oNoneEnabled },
    542 +       { "noneswitch", oNoneSwitch },
    543 +#endif
    544 +#ifdef HPN_ENABLED
    545 +       { "tcprcvbufpoll", oTcpRcvBufPoll },
    546 +       { "tcprcvbuf", oTcpRcvBuf },
    547 +       { "hpndisabled", oHPNDisabled },
    548 +       { "hpnbuffersize", oHPNBufferSize },
    549 +#endif
    550         { "ignoreunknown", oIgnoreUnknown },
    551  
    552         { NULL, oBadOption }
    553 @@ -938,6 +954,44 @@ parse_time:
    554                 intptr = &options->check_host_ip;
    555                 goto parse_flag;
    556  
    557 +#ifdef HPN_ENABLED
    558 +       case oHPNDisabled:
    559 +               intptr = &options->hpn_disabled;
    560 +               goto parse_flag;
    561 +
    562 +       case oHPNBufferSize:
    563 +               intptr = &options->hpn_buffer_size;
    564 +               goto parse_int;
    565 +
    566 +       case oTcpRcvBufPoll:
    567 +               intptr = &options->tcp_rcv_buf_poll;
    568 +               goto parse_flag;
    569 +
    570 +       case oTcpRcvBuf:
    571 +               intptr = &options->tcp_rcv_buf;
    572 +               goto parse_int;
    573 +#endif
    574 +
    575 +#ifdef NONE_CIPHER_ENABLED
    576 +        case oNoneEnabled:
    577 +                intptr = &options->none_enabled;
    578 +                goto parse_flag;
    579 +
    580 +        /* we check to see if the command comes from the */
    581 +        /* command line or not. If it does then enable it */
    582 +        /* otherwise fail. NONE should never be a default configuration */
    583 +        case oNoneSwitch:
    584 +                if(strcmp(filename,"command-line") == 0) {
    585 +                        intptr = &options->none_switch;
    586 +                        goto parse_flag;
    587 +                } else {
    588 +                        error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
    589 +                        error("Continuing...");
    590 +                        debug("NoneSwitch directive found in %.200s.", filename);
    591 +                        return 0;
    592 +                }
    593 +#endif
    594 +
    595         case oVerifyHostKeyDNS:
    596                 intptr = &options->verify_host_key_dns;
    597                 multistate_ptr = multistate_yesnoask;
    598 @@ -1713,6 +1767,16 @@ initialize_options(Options * options)
    599         options->ip_qos_interactive = -1;
    600         options->ip_qos_bulk = -1;
    601         options->request_tty = -1;
    602 +#ifdef NONE_CIPHER_ENABLED
    603 +       options->none_switch = -1;
    604 +       options->none_enabled = -1;
    605 +#endif
    606 +#ifdef HPN_ENABLED
    607 +       options->hpn_disabled = -1;
    608 +       options->hpn_buffer_size = -1;
    609 +       options->tcp_rcv_buf_poll = -1;
    610 +       options->tcp_rcv_buf = -1;
    611 +#endif
    612         options->proxy_use_fdpass = -1;
    613         options->ignored_unknown = NULL;
    614         options->num_canonical_domains = 0;
    615 @@ -1867,6 +1931,35 @@ fill_default_options(Options * options)
    616                 options->server_alive_interval = 0;
    617         if (options->server_alive_count_max == -1)
    618                 options->server_alive_count_max = 3;
    619 +#ifdef NONE_CIPHER_ENABLED
    620 +       if (options->none_switch == -1)
    621 +               options->none_switch = 0;
    622 +       if (options->none_enabled == -1)
    623 +               options->none_enabled = 0;
    624 +#endif
    625 +#ifdef HPN_ENABLED
    626 +       if (options->hpn_disabled == -1)
    627 +               options->hpn_disabled = 0;
    628 +       if (options->hpn_buffer_size > -1) {
    629 +               /* if a user tries to set the size to 0 set it to 1KB */
    630 +               if (options->hpn_buffer_size == 0)
    631 +                       options->hpn_buffer_size = 1;
    632 +               /* limit the buffer to 64MB */
    633 +               if (options->hpn_buffer_size > 64*1024) {
    634 +                       options->hpn_buffer_size = 64*1024*1024;
    635 +                       debug("User requested buffer larger than 64MB. Request"
    636 +                           " reverted to 64MB");
    637 +               } else
    638 +                       options->hpn_buffer_size *= 1024;
    639 +               debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
    640 +       }
    641 +       if (options->tcp_rcv_buf == 0)
    642 +               options->tcp_rcv_buf = 1;
    643 +       if (options->tcp_rcv_buf > -1)
    644 +               options->tcp_rcv_buf *=1024;
    645 +       if (options->tcp_rcv_buf_poll == -1)
    646 +               options->tcp_rcv_buf_poll = 1;
    647 +#endif
    648         if (options->control_master == -1)
    649                 options->control_master = 0;
    650         if (options->control_persist == -1) {
    651 --- a/readconf.h        2016-02-26 04:40:04.000000000 +0100
    652 +++ b/readconf.h        2016-03-01 04:32:19.000000000 +0100
    653 @@ -112,6 +112,16 @@ typedef struct {
    654         int     clear_forwardings;
    655  
    656         int     enable_ssh_keysign;
    657 +#ifdef NONE_CIPHER_ENABLED
    658 +       int     none_switch;    /* Use none cipher */
    659 +       int     none_enabled;   /* Allow none to be used */
    660 +#endif
    661 +#ifdef HPN_ENABLED
    662 +       int     tcp_rcv_buf; /* user switch to set tcp recv buffer */
    663 +       int     tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
    664 +       int     hpn_disabled;    /* Switch to disable HPN buffer management */
    665 +       int     hpn_buffer_size; /* User definable size for HPN buffer window */
    666 +#endif
    667         int64_t rekey_limit;
    668         int     rekey_interval;
    669         int     no_host_authentication_for_localhost;
    670 --- a/scp.c     2016-02-26 04:40:04.000000000 +0100
    671 +++ b/scp.c     2016-03-01 04:32:19.000000000 +0100
    672 @@ -760,7 +760,7 @@ source(int argc, char **argv)
    673         off_t i, statbytes;
    674         size_t amt, nr;
    675         int fd = -1, haderr, indx;
    676 -       char *last, *name, buf[2048], encname[PATH_MAX];
    677 +       char *last, *name, buf[16384], encname[PATH_MAX];
    678         int len;
    679  
    680         for (indx = 0; indx < argc; ++indx) {
    681 @@ -929,7 +929,7 @@ sink(int argc, char **argv)
    682         off_t size, statbytes;
    683         unsigned long long ull;
    684         int setimes, targisdir, wrerrno = 0;
    685 -       char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
    686 +       char ch, *cp, *np, *targ, *why, *vect[1], buf[16384];
    687         struct timeval tv[2];
    688  
    689  #define        atime   tv[0]
    690 --- a/servconf.c        2016-03-01 04:32:13.000000000 +0100
    691 +++ b/servconf.c        2016-03-01 04:32:19.000000000 +0100
    692 @@ -165,6 +165,14 @@ initialize_server_options(ServerOptions
    693         options->authorized_principals_file = NULL;
    694         options->authorized_principals_command = NULL;
    695         options->authorized_principals_command_user = NULL;
    696 +#ifdef NONE_CIPHER_ENABLED
    697 +       options->none_enabled = -1;
    698 +#endif
    699 +#ifdef HPN_ENABLED
    700 +       options->tcp_rcv_buf_poll = -1;
    701 +       options->hpn_disabled = -1;
    702 +       options->hpn_buffer_size = -1;
    703 +#endif
    704         options->ip_qos_interactive = -1;
    705         options->ip_qos_bulk = -1;
    706         options->version_addendum = NULL;
    707 @@ -341,6 +349,57 @@ fill_default_server_options(ServerOption
    708         }
    709         if (options->permit_tun == -1)
    710                 options->permit_tun = SSH_TUNMODE_NO;
    711 +#ifdef NONE_CIPHER_ENABLED
    712 +       if (options->none_enabled == -1)
    713 +               options->none_enabled = 0;
    714 +#endif
    715 +#ifdef HPN_ENABLED
    716 +       if (options->hpn_disabled == -1)
    717 +               options->hpn_disabled = 0;
    718 +
    719 +       if (options->hpn_buffer_size == -1) {
    720 +               /*
    721 +                * option not explicitly set. Now we have to figure out
    722 +                * what value to use.
    723 +                */
    724 +               if (options->hpn_disabled == 1) {
    725 +                       options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
    726 +               } else {
    727 +                       int sock, socksize;
    728 +                       socklen_t socksizelen = sizeof(socksize);
    729 +
    730 +                       /*
    731 +                        * get the current RCV size and set it to that
    732 +                        * create a socket but don't connect it
    733 +                        * we use that the get the rcv socket size
    734 +                        */
    735 +                       sock = socket(AF_INET, SOCK_STREAM, 0);
    736 +                       getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
    737 +                           &socksize, &socksizelen);
    738 +                       close(sock);
    739 +                       options->hpn_buffer_size = socksize;
    740 +                       debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
    741 +               }
    742 +       } else {
    743 +               /*
    744 +                * we have to do this incase the user sets both values in a
    745 +                * contradictory manner. hpn_disabled overrrides
    746 +                * hpn_buffer_size
    747 +                */
    748 +               if (options->hpn_disabled <= 0) {
    749 +                       if (options->hpn_buffer_size == 0)
    750 +                               options->hpn_buffer_size = 1;
    751 +                       /* limit the maximum buffer to 64MB */
    752 +                       if (options->hpn_buffer_size > 64*1024) {
    753 +                               options->hpn_buffer_size = 64*1024*1024;
    754 +                       } else {
    755 +                               options->hpn_buffer_size *= 1024;
    756 +                       }
    757 +               } else
    758 +                       options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
    759 +       }
    760 +#endif
    761 +
    762         if (options->ip_qos_interactive == -1)
    763                 options->ip_qos_interactive = IPTOS_LOWDELAY;
    764         if (options->ip_qos_bulk == -1)
    765 @@ -425,6 +484,12 @@ typedef enum {
    766         sHostCertificate,
    767         sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
    768         sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
    769 +#ifdef NONE_CIPHER_ENABLED
    770 +       sNoneEnabled,
    771 +#endif
    772 +#ifdef HPN_ENABLED
    773 +       sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
    774 +#endif
    775         sKexAlgorithms, sIPQoS, sVersionAddendum,
    776         sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
    777         sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
    778 @@ -560,6 +625,14 @@ static struct {
    779         { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
    780         { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
    781         { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
    782 +#ifdef NONE_CIPHER_ENABLED
    783 +       { "noneenabled", sNoneEnabled, SSHCFG_ALL },
    784 +#endif
    785 +#ifdef HPN_ENABLED
    786 +       { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
    787 +       { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
    788 +       { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
    789 +#endif
    790         { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
    791         { "ipqos", sIPQoS, SSHCFG_ALL },
    792         { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
    793 @@ -1180,6 +1253,25 @@ process_server_config_line(ServerOptions
    794                 intptr = &options->ignore_user_known_hosts;
    795                 goto parse_flag;
    796  
    797 +#ifdef NONE_CIPHER_ENABLED
    798 +       case sNoneEnabled:
    799 +               intptr = &options->none_enabled;
    800 +               goto parse_flag;
    801 +#endif
    802 +#ifdef HPN_ENABLED
    803 +       case sTcpRcvBufPoll:
    804 +               intptr = &options->tcp_rcv_buf_poll;
    805 +               goto parse_flag;
    806 +
    807 +       case sHPNDisabled:
    808 +               intptr = &options->hpn_disabled;
    809 +               goto parse_flag;
    810 +
    811 +       case sHPNBufferSize:
    812 +               intptr = &options->hpn_buffer_size;
    813 +               goto parse_int;
    814 +#endif
    815 +
    816         case sRhostsRSAAuthentication:
    817                 intptr = &options->rhosts_rsa_authentication;
    818                 goto parse_flag;
    819 --- a/servconf.h        2016-02-26 04:40:04.000000000 +0100
    820 +++ b/servconf.h        2016-03-01 04:32:19.000000000 +0100
    821 @@ -173,6 +173,15 @@ typedef struct {
    822  
    823         int     use_pam;                /* Enable auth via PAM */
    824  
    825 +#ifdef NONE_CIPHER_ENABLED
    826 +       int     none_enabled;           /* enable NONE cipher switch */
    827 +#endif
    828 +#ifdef HPN_ENABLED
    829 +       int     tcp_rcv_buf_poll;       /* poll tcp rcv window in autotuning kernels*/
    830 +       int     hpn_disabled;           /* disable hpn functionality. false by default */
    831 +       int     hpn_buffer_size;        /* set the hpn buffer size - default 3MB */
    832 +#endif
    833 +
    834         int     permit_tun;
    835  
    836         int     num_permitted_opens;
    837 --- a/serverloop.c      2016-02-26 04:40:04.000000000 +0100
    838 +++ b/serverloop.c      2016-03-01 04:32:19.000000000 +0100
    839 @@ -1041,6 +1041,12 @@ server_request_tun(void)
    840         sock = tun_open(tun, mode);
    841         if (sock < 0)
    842                 goto done;
    843 +#ifdef HPN_ENABLED
    844 +       if (!options.hpn_disabled)
    845 +               c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
    846 +                   options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
    847 +       else
    848 +#endif
    849         c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
    850             CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
    851         c->datagram = 1;
    852 @@ -1078,6 +1084,10 @@ server_request_session(void)
    853         c = channel_new("session", SSH_CHANNEL_LARVAL,
    854             -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
    855             0, "server-session", 1);
    856 +#ifdef HPN_ENABLED
    857 +       if (options.tcp_rcv_buf_poll && !options.hpn_disabled)
    858 +               c->dynamic_window = 1;
    859 +#endif
    860         if (session_open(the_authctxt, c->self) != 1) {
    861                 debug("session open failed, free channel %d", c->self);
    862                 channel_free(c);
    863 --- a/session.c 2016-02-26 04:40:04.000000000 +0100
    864 +++ b/session.c 2016-03-01 04:32:19.000000000 +0100
    865 @@ -2326,6 +2326,14 @@ session_set_fds(Session *s, int fdin, in
    866          */
    867         if (s->chanid == -1)
    868                 fatal("no channel for session %d", s->self);
    869 +#ifdef HPN_ENABLED
    870 +       if (!options.hpn_disabled)
    871 +               channel_set_fds(s->chanid,
    872 +                   fdout, fdin, fderr,
    873 +                   ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
    874 +                   1, is_tty, options.hpn_buffer_size);
    875 +       else
    876 +#endif
    877         channel_set_fds(s->chanid,
    878             fdout, fdin, fderr,
    879             ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
    880 --- a/sftp.1    2016-02-26 04:40:04.000000000 +0100
    881 +++ b/sftp.1    2016-03-01 04:32:19.000000000 +0100
    882 @@ -264,7 +264,8 @@ diagnostic messages from
    883  Specify how many requests may be outstanding at any one time.
    884  Increasing this may slightly improve file transfer speed
    885  but will increase memory usage.
    886 -The default is 64 outstanding requests.
    887 +The default is 256 outstanding requests providing for 8MB
    888 +of outstanding data with a 32KB buffer.
    889  .It Fl r
    890  Recursively copy entire directories when uploading and downloading.
    891  Note that
    892 --- a/sftp.c    2016-02-26 04:40:04.000000000 +0100
    893 +++ b/sftp.c    2016-03-01 04:32:19.000000000 +0100
    894 @@ -71,7 +71,11 @@ typedef void EditLine;
    895  #include "sftp-client.h"
    896  
    897  #define DEFAULT_COPY_BUFLEN    32768   /* Size of buffer for up/download */
    898 +#ifdef HPN_ENABLED
    899 +#define DEFAULT_NUM_REQUESTS   256     /* # concurrent outstanding requests */
    900 +#else
    901  #define DEFAULT_NUM_REQUESTS   64      /* # concurrent outstanding requests */
    902 +#endif
    903  
    904  /* File to read commands from */
    905  FILE* infile;
    906 --- a/ssh.c     2016-02-26 04:40:04.000000000 +0100
    907 +++ b/ssh.c     2016-03-01 04:32:19.000000000 +0100
    908 @@ -898,6 +898,14 @@ main(int ac, char **av)
    909                         break;
    910                 case 'T':
    911                         options.request_tty = REQUEST_TTY_NO;
    912 +#ifdef NONE_CIPHER_ENABLED
    913 +                       /*
    914 +                        * ensure that the user doesn't try to backdoor a
    915 +                        * null cipher switch on an interactive session
    916 +                        * so explicitly disable it no matter what.
    917 +                        */
    918 +                       options.none_switch = 0;
    919 +#endif
    920                         break;
    921                 case 'o':
    922                         line = xstrdup(optarg);
    923 @@ -1851,9 +1859,85 @@ ssh_session2_open(void)
    924         if (!isatty(err))
    925                 set_nonblock(err);
    926  
    927 +#ifdef HPN_ENABLED
    928 +       /*
    929 +        * we need to check to see if what they want to do about buffer
    930 +        * sizes here. In a hpn to nonhpn connection we want to limit
    931 +        * the window size to something reasonable in case the far side
    932 +        * has the large window bug. In hpn to hpn connection we want to
    933 +        * use the max window size but allow the user to override it
    934 +        * lastly if they disabled hpn then use the ssh std window size
    935 +
    936 +        * so why don't we just do a getsockopt() here and set the
    937 +        * ssh window to that? In the case of a autotuning receive
    938 +        * window the window would get stuck at the initial buffer
    939 +        * size generally less than 96k. Therefore we need to set the
    940 +        * maximum ssh window size to the maximum hpn buffer size
    941 +        * unless the user has specifically set the tcprcvbufpoll
    942 +        * to no. In which case we *can* just set the window to the
    943 +        * minimum of the hpn buffer size and tcp receive buffer size
    944 +        */
    945 +
    946 +       if (tty_flag)
    947 +               options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
    948 +       else
    949 +               options.hpn_buffer_size = 2*1024*1024;
    950 +
    951 +       if (datafellows & SSH_BUG_LARGEWINDOW) {
    952 +               debug("HPN to Non-HPN Connection");
    953 +       } else {
    954 +               int sock, socksize;
    955 +               socklen_t socksizelen = sizeof(socksize);
    956 +
    957 +               if (options.tcp_rcv_buf_poll <= 0) {
    958 +                       sock = socket(AF_INET, SOCK_STREAM, 0);
    959 +                       getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
    960 +                           &socksize, &socksizelen);
    961 +                       close(sock);
    962 +                       debug("socksize %d", socksize);
    963 +                       options.hpn_buffer_size = socksize;
    964 +                       debug ("HPNBufferSize set to TCP RWIN: %d",
    965 +                           options.hpn_buffer_size);
    966 +               } else {
    967 +                       if (options.tcp_rcv_buf > 0) {
    968 +                               /*
    969 +                                * create a socket but don't connect it.
    970 +                                * we use that the get the rcv socket size
    971 +                                */
    972 +                               sock = socket(AF_INET, SOCK_STREAM, 0);
    973 +                               /*
    974 +                                * if they are using the tcp_rcv_buf option
    975 +                                * attempt to set the buffer size to that
    976 +                                */
    977 +                               if (options.tcp_rcv_buf)
    978 +                                       setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
    979 +                                           (void *)&options.tcp_rcv_buf,
    980 +                                           sizeof(options.tcp_rcv_buf));
    981 +                               getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
    982 +                                   &socksize, &socksizelen);
    983 +                               close(sock);
    984 +                               debug("socksize %d", socksize);
    985 +                               options.hpn_buffer_size = socksize;
    986 +                               debug ("HPNBufferSize set to user TCPRcvBuf: "
    987 +                                   "%d", options.hpn_buffer_size);
    988 +                       }
    989 +               }
    990 +       }
    991 +
    992 +       debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
    993 +
    994 +       window = options.hpn_buffer_size;
    995 +
    996 +       channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
    997 +#else
    998         window = CHAN_SES_WINDOW_DEFAULT;
    999 +#endif
    1000 +
    1001         packetmax = CHAN_SES_PACKET_DEFAULT;
    1002         if (tty_flag) {
    1003 +#ifdef HPN_ENABLED
    1004 +               window = CHAN_SES_WINDOW_DEFAULT;
    1005 +#endif
    1006                 window >>= 1;
    1007                 packetmax >>= 1;
    1008         }
    1009 @@ -1862,6 +1946,12 @@ ssh_session2_open(void)
    1010             window, packetmax, CHAN_EXTENDED_WRITE,
    1011             "client-session", /*nonblock*/0);
    1012  
    1013 +#ifdef HPN_ENABLED
    1014 +       if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) {
    1015 +               c->dynamic_window = 1;
    1016 +               debug ("Enabled Dynamic Window Scaling");
    1017 +       }
    1018 +#endif
    1019         debug3("ssh_session2_open: channel_new: %d", c->self);
    1020  
    1021         channel_send_open(c->self);
    1022 --- a/sshconnect.c      2016-02-26 04:40:04.000000000 +0100
    1023 +++ b/sshconnect.c      2016-03-01 04:32:19.000000000 +0100
    1024 @@ -267,6 +267,31 @@ ssh_kill_proxy_command(void)
    1025                 kill(proxy_command_pid, SIGHUP);
    1026  }
    1027  
    1028 +#ifdef HPN_ENABLED
    1029 +/*
    1030 + * Set TCP receive buffer if requested.
    1031 + * Note: tuning needs to happen after the socket is
    1032 + * created but before the connection happens
    1033 + * so winscale is negotiated properly -cjr
    1034 + */
    1035 +static void
    1036 +ssh_set_socket_recvbuf(int sock)
    1037 +{
    1038 +       void *buf = (void *)&options.tcp_rcv_buf;
    1039 +       int sz = sizeof(options.tcp_rcv_buf);
    1040 +       int socksize;
    1041 +       socklen_t socksizelen = sizeof(socksize);
    1042 +
    1043 +       debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
    1044 +       if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
    1045 +         getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
    1046 +         debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
    1047 +       } else
    1048 +               error("Couldn't set socket receive buffer to %d: %.100s",
    1049 +                   options.tcp_rcv_buf, strerror(errno));
    1050 +}
    1051 +#endif
    1052 +
    1053  /*
    1054   * Creates a (possibly privileged) socket for use as the ssh connection.
    1055   */
    1056 @@ -283,6 +308,11 @@ ssh_create_socket(int privileged, struct
    1057         }
    1058         fcntl(sock, F_SETFD, FD_CLOEXEC);
    1059  
    1060 +#ifdef HPN_ENABLED
    1061 +       if (options.tcp_rcv_buf > 0)
    1062 +               ssh_set_socket_recvbuf(sock);
    1063 +#endif
    1064 +
    1065         /* Bind the socket to an alternative local IP address */
    1066         if (options.bind_address == NULL && !privileged)
    1067                 return sock;
    1068 @@ -526,11 +556,23 @@ send_client_banner(int connection_out, i
    1069  {
    1070         /* Send our own protocol version identification. */
    1071         if (compat20) {
    1072 -               xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
    1073 -                   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
    1074 +               xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
    1075 +                   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
    1076 +#ifdef HPN_ENABLED
    1077 +                   options.hpn_disabled ? "" : SSH_HPN
    1078 +#else
    1079 +                   ""
    1080 +#endif
    1081 +                   );
    1082         } else {
    1083 -               xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
    1084 -                   PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
    1085 +               xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\n",
    1086 +                   PROTOCOL_MAJOR_1, minor1, SSH_VERSION,
    1087 +#ifdef HPN_ENABLED
    1088 +                   options.hpn_disabled ? "" : SSH_HPN
    1089 +#else
    1090 +                   ""
    1091 +#endif
    1092 +                   );
    1093         }
    1094         if (atomicio(vwrite, connection_out, client_version_string,
    1095             strlen(client_version_string)) != strlen(client_version_string))
    1096 --- a/sshconnect2.c     2016-02-26 04:40:04.000000000 +0100
    1097 +++ b/sshconnect2.c     2016-03-01 04:32:19.000000000 +0100
    1098 @@ -80,6 +80,14 @@
    1099  extern char *client_version_string;
    1100  extern char *server_version_string;
    1101  extern Options options;
    1102 +#ifdef NONE_CIPHER_ENABLED
    1103 +struct kex *xxx_kex;
    1104 +
    1105 +/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
    1106 +/* if it is set then prevent the switch to the null cipher */
    1107 +
    1108 +extern int tty_flag;
    1109 +#endif
    1110  
    1111  /*
    1112   * SSH2 key exchange
    1113 @@ -153,14 +161,17 @@ order_hostkeyalgs(char *host, struct soc
    1114         return ret;
    1115  }
    1116  
    1117 +static char *myproposal[PROPOSAL_MAX];
    1118 +static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
    1119  void
    1120  ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
    1121  {
    1122 -       char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
    1123         char *s;
    1124         struct kex *kex;
    1125         int r;
    1126  
    1127 +       memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
    1128 +
    1129         xxx_host = host;
    1130         xxx_hostaddr = hostaddr;
    1131  
    1132 @@ -235,6 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho
    1133         packet_send();
    1134         packet_write_wait();
    1135  #endif
    1136 +#ifdef NONE_CIPHER_ENABLED
    1137 +       xxx_kex = kex;
    1138 +#endif
    1139  }
    1140  
    1141  /*
    1142 @@ -404,6 +418,29 @@ ssh_userauth2(const char *local_user, co
    1143         pubkey_cleanup(&authctxt);
    1144         ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
    1145  
    1146 +#ifdef NONE_CIPHER_ENABLED
    1147 +       /*
    1148 +        * if the user wants to use the none cipher do it
    1149 +        * post authentication and only if the right conditions are met
    1150 +        * both of the NONE commands must be true and there must be no
    1151 +        * tty allocated.
    1152 +        */
    1153 +       if ((options.none_switch == 1) && (options.none_enabled == 1)) {
    1154 +               if (!tty_flag) { /* no null on tty sessions */
    1155 +                       debug("Requesting none rekeying...");
    1156 +                       myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
    1157 +                       myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
    1158 +                       kex_prop2buf(xxx_kex->my, myproposal);
    1159 +                       packet_request_rekeying();
    1160 +                       fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
    1161 +               } else {
    1162 +                       /* requested NONE cipher when in a tty */
    1163 +                       debug("Cannot switch to NONE cipher with tty allocated");
    1164 +                       fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
    1165 +               }
    1166 +       }
    1167 +#endif
    1168 +
    1169         debug("Authentication succeeded (%s).", authctxt.method->name);
    1170  }
    1171  
    1172 --- a/sshd.c    2016-03-01 04:32:17.000000000 +0100
    1173 +++ b/sshd.c    2016-03-01 04:32:19.000000000 +0100
    1174 @@ -430,8 +430,13 @@ sshd_exchange_identification(int sock_in
    1175                 minor = PROTOCOL_MINOR_1;
    1176         }
    1177  
    1178 -       xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
    1179 +       xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
    1180             major, minor, SSH_VERSION,
    1181 +#ifdef HPN_ENABLED
    1182 +           options.hpn_disabled ? "" : SSH_HPN,
    1183 +#else
    1184 +           "",
    1185 +#endif
    1186             *options.version_addendum == '\0' ? "" : " ",
    1187             options.version_addendum, newline);
    1188  
    1189 @@ -1167,6 +1172,10 @@ server_listen(void)
    1190         int ret, listen_sock, on = 1;
    1191         struct addrinfo *ai;
    1192         char ntop[NI_MAXHOST], strport[NI_MAXSERV];
    1193 +#ifdef HPN_ENABLED
    1194 +       int socksize;
    1195 +       socklen_t socksizelen = sizeof(socksize);
    1196 +#endif
    1197  
    1198         for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
    1199                 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
    1200 @@ -1207,6 +1216,13 @@ server_listen(void)
    1201  
    1202                 debug("Bind to port %s on %s.", strport, ntop);
    1203  
    1204 +#ifdef HPN_ENABLED
    1205 +               getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
    1206 +                                  &socksize, &socksizelen);
    1207 +               debug("Server TCP RWIN socket size: %d", socksize);
    1208 +               debug("HPN Buffer Size: %d", options.hpn_buffer_size);
    1209 +#endif
    1210 +
    1211                 /* Bind the socket to the desired port. */
    1212                 if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
    1213                         error("Bind to port %s on %s failed: %.200s.",
    1214 @@ -1706,6 +1722,15 @@ main(int ac, char **av)
    1215         /* Fill in default values for those options not explicitly set. */
    1216         fill_default_server_options(&options);
    1217  
    1218 +#ifdef NONE_CIPHER_ENABLED
    1219 +       if (options.none_enabled == 1) {
    1220 +               char *old_ciphers = options.ciphers;
    1221 +
    1222 +               xasprintf(&options.ciphers, "%s,none", old_ciphers);
    1223 +               free(old_ciphers);
    1224 +       }
    1225 +#endif
    1226 +
    1227         /* challenge-response is implemented via keyboard interactive */
    1228         if (options.challenge_response_authentication)
    1229                 options.kbd_interactive_authentication = 1;
    1230 @@ -2136,6 +2161,11 @@ main(int ac, char **av)
    1231                 cleanup_exit(255);
    1232         }
    1233  
    1234 +#ifdef HPN_ENABLED
    1235 +       /* set the HPN options for the child */
    1236 +       channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
    1237 +#endif
    1238 +
    1239         /*
    1240          * We use get_canonical_hostname with usedns = 0 instead of
    1241          * get_remote_ipaddr here so IP options will be checked.
    1242 @@ -2554,6 +2584,12 @@ do_ssh2_kex(void)
    1243         struct kex *kex;
    1244         int r;
    1245  
    1246 +#ifdef NONE_CIPHER_ENABLED
    1247 +        if (options.none_enabled == 1) {
    1248 +                debug ("WARNING: None cipher enabled");
    1249 +        }
    1250 +#endif
    1251 +
    1252         myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
    1253             options.kex_algorithms);
    1254         myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
    1255 --- a/sshd_config       2016-02-26 04:40:04.000000000 +0100
    1256 +++ b/sshd_config       2016-03-01 04:32:19.000000000 +0100
    1257 @@ -125,6 +125,20 @@ AuthorizedKeysFile .ssh/authorized_keys
    1258  # override default of no subsystems
    1259  Subsystem      sftp    /usr/libexec/sftp-server
    1260  
    1261 +# the following are HPN related configuration options
    1262 +# tcp receive buffer polling. disable in non autotuning kernels
    1263 +#TcpRcvBufPoll yes
    1264 +
    1265 +# disable hpn performance boosts
    1266 +#HPNDisabled no
    1267 +
    1268 +# buffer size for hpn to non-hpn connections
    1269 +#HPNBufferSize 2048
    1270 +
    1271 +
    1272 +# allow the use of the none cipher
    1273 +#NoneEnabled no
    1274 +
    1275  # Example of overriding settings on a per-user basis
    1276  #Match User anoncvs
    1277  #      X11Forwarding no
    1278 --- a/version.h 2016-02-26 04:40:04.000000000 +0100
    1279 +++ b/version.h 2016-03-01 04:32:20.000000000 +0100
    1280 @@ -4,3 +4,4 @@
    1281  
    1282  #define SSH_PORTABLE   "p1"
    1283  #define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
    1284 +#define SSH_HPN         "-hpn14v5"