net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch - third_party/overlays/portage-stable - Git at Google

 diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
 --- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-31 11:12:46.412119817 -0700
 +++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-31 11:26:11.116026151 -0700
 @@ -3,9 +3,9 @@
  --- a/Makefile.in
  +++ b/Makefile.in
  @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
 - CFLAGS_NOPIE=@CFLAGS_NOPIE@
 - CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 - PICFLAG=@PICFLAG@
 + LD=@LD@
 + CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
 + CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
  -LIBS=@LIBS@
  +LIBS=@LIBS@ -lpthread
   K5LIBS=@K5LIBS@
 @@ -803,8 +803,8 @@
   ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
   {
   	struct session_state *state;
 --	const struct sshcipher *none = cipher_by_name("none");
 -+	struct sshcipher *none = cipher_by_name("none");
 +-	const struct sshcipher *none = cipher_none();
 ++	struct sshcipher *none = cipher_none();
   	int r;

   	if (none == NULL) {
 @@ -894,24 +894,24 @@
   		intptr = &options->compression;
   		multistate_ptr = multistate_compression;
  @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
 - 	options->revoked_host_keys = NULL;
   	options->fingerprint_hash = -1;
   	options->update_hostkeys = -1;
 +	options->known_hosts_command = NULL;
  +	options->disable_multithreaded = -1;
 - 	options->hostbased_accepted_algos = NULL;
 - 	options->pubkey_accepted_algos = NULL;
 - 	options->known_hosts_command = NULL;
 + }
 +
 + /*
  @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
 + 		options->update_hostkeys = 0;
   	if (options->sk_provider == NULL)
   		options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
 - #endif
  +	if (options->update_hostkeys == -1)
  +		options->update_hostkeys = 0;
  +	if (options->disable_multithreaded == -1)
  +		options->disable_multithreaded = 0;

 - 	/* Expand KEX name lists */
 - 	all_cipher = cipher_alg_list(',', 0);
 + 	/* expand KEX and etc. name lists */
 + {	char *all;
  diff --git a/readconf.h b/readconf.h
  index 2fba866e..7f8f0227 100644
  --- a/readconf.h
 @@ -950,9 +950,9 @@
   	/* Portable-specific options */
   	sUsePAM,
  +	sDisableMTAES,
 - 	/* Standard Options */
 - 	sPort, sHostKeyFile, sLoginGraceTime,
 - 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 + 	/* X.509 Standard Options */
 + 	sHostbasedAlgorithms,
 + 	sPubkeyAlgorithms,
  @@ -662,6 +666,7 @@ static struct {
   	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
   	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
 diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
 --- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-31 11:12:46.412119817 -0700
 +++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-31 14:17:59.366248683 -0700
 @@ -157,6 +157,36 @@
  +	 Allan Jude provided the code for the NoneMac and buffer normalization.
  +         This work was financed, in part, by Cisco System, Inc., the National
  +         Library of Medicine, and the National Science Foundation.
 +diff --git a/auth2.c b/auth2.c
 +--- a/auth2.c	2021-03-15 19:30:45.404060786 -0700
 ++++ b/auth2.c	2021-03-15 19:37:22.078476597 -0700
 +@@ -229,16 +229,17 @@
 + 	double delay;
 +
 + 	digest_alg = ssh_digest_maxbytes();
 +-	len = ssh_digest_bytes(digest_alg);
 +-	hash = xmalloc(len);
 ++	if (len = ssh_digest_bytes(digest_alg) > 0) {
 ++		hash = xmalloc(len);
 +
 +-	(void)snprintf(b, sizeof b, "%llu%s",
 +-	    (unsigned long long)options.timing_secret, user);
 +-	if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
 +-		fatal_f("ssh_digest_memory");
 +-	/* 0-4.2 ms of delay */
 +-	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
 +-	freezero(hash, len);
 ++		(void)snprintf(b, sizeof b, "%llu%s",
 ++		    (unsigned long long)options.timing_secret, user);
 ++		if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
 ++			fatal_f("ssh_digest_memory");
 ++		/* 0-4.2 ms of delay */
 ++		delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
 ++		freezero(hash, len);
 ++	}
 + 	debug3_f("user specific delay %0.3lfms", delay/1000);
 + 	return MIN_FAIL_DELAY_SECONDS + delay;
 + }
  diff --git a/channels.c b/channels.c
  index b60d56c4..0e363c15 100644
  --- a/channels.c
 @@ -209,14 +239,14 @@
   static void
   channel_pre_open(struct ssh *ssh, Channel *c,
       fd_set *readset, fd_set *writeset)
 -@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
 +@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)

   	if (c->type == SSH_CHANNEL_OPEN &&
   	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
  -	    ((c->local_window_max - c->local_window >
  -	    c->local_maxpacket*3) ||
 -+            ((ssh_packet_is_interactive(ssh) &&
 -+            c->local_window_max - c->local_window > c->local_maxpacket*3) ||
 ++	    ((ssh_packet_is_interactive(ssh) &&
 ++	    c->local_window_max - c->local_window > c->local_maxpacket*3) ||
   	    c->local_window < c->local_window_max/2) &&
   	    c->local_consumed > 0) {
  +		u_int addition = 0;
 @@ -235,9 +265,8 @@
   		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
  -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
  +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
 - 		    (r = sshpkt_send(ssh)) != 0) {
 - 			fatal_fr(r, "channel %i", c->self);
 - 		}
 + 		    (r = sshpkt_send(ssh)) != 0)
 + 			fatal_fr(r, "channel %d", c->self);
  -		debug2("channel %d: window %d sent adjust %d", c->self,
  -		    c->local_window, c->local_consumed);
  -		c->local_window += c->local_consumed;
 @@ -337,70 +366,92 @@
  index 70f492f8..5503af1d 100644
  --- a/clientloop.c
  +++ b/clientloop.c
 -@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
 +@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
   	sock = x11_connect_display(ssh);
   	if (sock < 0)
   		return NULL;
  -	c = channel_new(ssh, "x11",
  -	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 --	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 -+        c = channel_new(ssh, "x11",
 -+			SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 -+			/* again is this really necessary for X11? */
 -+			options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
 -+			CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 +-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
 +-	    CHANNEL_NONBLOCK_SET);
 ++	c = channel_new(ssh, "x11",
 ++	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 ++	    /* again is this really necessary for X11? */
 ++	    options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
 ++	    CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
   	c->force_drain = 1;
   	return c;
   }
 -@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
 +@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
   		return NULL;
   	}
   	c = channel_new(ssh, "authentication agent connection",
  -	    SSH_CHANNEL_OPEN, sock, sock, -1,
  -	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
 --	    "authentication agent connection", 1);
 -+			SSH_CHANNEL_OPEN, sock, sock, -1,
 -+			options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
 -+			CHAN_TCP_PACKET_DEFAULT, 0,
 -+			"authentication agent connection", 1);
 +-	    "authentication agent connection", CHANNEL_NONBLOCK_SET);
 ++	    SSH_CHANNEL_OPEN, sock, sock, -1,
 ++	    options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
 ++	    CHAN_TCP_PACKET_DEFAULT, 0,
 ++	    "authentication agent connection", CHANNEL_NONBLOCK_SET);
   	c->force_drain = 1;
   	return c;
   }
 -@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
 +@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
   	}
   	debug("Tunnel forwarding using interface %s", ifname);

  -	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 --	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 -+        c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 +-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
 +-	    CHANNEL_NONBLOCK_SET);
 ++	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
  +	    options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
 -+	    CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 ++	    CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
   	c->datagram = 1;

 -+
 -+
   #if defined(SSH_TUN_FILTER)
 - 	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
 - 		channel_register_filter(ssh, c->self, sys_tun_infilter,
  diff --git a/compat.c b/compat.c
  index 69befa96..90b5f338 100644
  --- a/compat.c
  +++ b/compat.c
 -@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
 - 			debug_f("match: %s pat %s compat 0x%08x",
 +@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
 + static u_int
 + compat_datafellows(const char *version)
 + {
 +-	int i;
 ++	int i, bugs = 0;
 + 	static struct {
 + 		char	*pat;
 + 		int	bugs;
 +@@ -147,11 +147,26 @@
 + 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
 + 			debug("match: %s pat %s compat 0x%08x",
   			    version, check[i].pat, check[i].bugs);
 - 			ssh->compat = check[i].bugs;
  +			/* Check to see if the remote side is OpenSSH and not HPN */
 -+			/* TODO: need to use new method to test for this */
  +			if (strstr(version, "OpenSSH") != NULL) {
  +				if (strstr(version, "hpn") == NULL) {
 -+					ssh->compat |= SSH_BUG_LARGEWINDOW;
 ++					bugs |= SSH_BUG_LARGEWINDOW;
  +					debug("Remote is NON-HPN aware");
  +				}
  +			}
 - 			return;
 +-			return check[i].bugs;
 ++			bugs |= check[i].bugs;
   		}
   	}
 +-	debug("no match: %s", version);
 +-	return 0;
 ++	/* Check to see if the remote side is OpenSSH and not HPN */
 ++	if (strstr(version, "OpenSSH") != NULL) {
 ++		if (strstr(version, "hpn") == NULL) {
 ++			bugs |= SSH_BUG_LARGEWINDOW;
 ++			debug("Remote is NON-HPN aware");
 ++		}
 ++	}
 ++	if (bugs == 0)
 ++		debug("no match: %s", version);
 ++	return bugs;
 + }
 +
 + char *
  diff --git a/compat.h b/compat.h
  index c197fafc..ea2e17a7 100644
  --- a/compat.h
 @@ -459,7 +510,7 @@
  @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
   	int nenc, nmac, ncomp;
   	u_int mode, ctos, need, dh_need, authlen;
 - 	int r, first_kex_follows;
 + 	int r, first_kex_follows = 0;
  +	int auth_flag = 0;
  +
  +	auth_flag = packet_authentication_state(ssh);
 @@ -553,7 +604,7 @@
   #define MAX_PACKETS	(1U<<31)
   static int
   ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
 -@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 +@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
   	struct session_state *state = ssh->state;
   	int len, r, ms_remain;
   	fd_set *setp;
 @@ -1035,19 +1086,6 @@

   /* Minimum amount of data to read at a time */
   #define MIN_READ_SIZE	512
 -diff --git a/ssh-keygen.c b/ssh-keygen.c
 -index cfb5f115..36a6e519 100644
 ---- a/ssh-keygen.c
 -+++ b/ssh-keygen.c
 -@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
 - 			freezero(pin, strlen(pin));
 - 		error_r(r, "Unable to load resident keys");
 - 		return -1;
 --	}
 -+ 	}
 - 	if (nkeys == 0)
 - 		logit("No keys to download");
 - 	if (pin != NULL)
  diff --git a/ssh.c b/ssh.c
  index 53330da5..27b9770e 100644
  --- a/ssh.c
 @@ -1093,7 +1131,7 @@
  +	else
  +		options.hpn_buffer_size = 2 * 1024 * 1024;
  +
 -+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
 ++	if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
  +		debug("HPN to Non-HPN Connection");
  +	} else {
  +		int sock, socksize;
 @@ -1157,14 +1195,14 @@
   	}
  @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
   	    window, packetmax, CHAN_EXTENDED_WRITE,
 - 	    "client-session", /*nonblock*/0);
 + 	    "client-session", CHANNEL_NONBLOCK_STDIO);

  +	if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
  +		c->dynamic_window = 1;
  +		debug("Enabled Dynamic Window Scaling");
  +	}
  +
 - 	debug3_f("channel_new: %d", c->self);
 + 	debug2_f("channel %d", c->self);

   	channel_send_open(ssh, c->self);
  @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
 @@ -1335,7 +1373,29 @@
   		/* Bind the socket to the desired port. */
   		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
   			error("Bind to port %s on %s failed: %.200s.",
 -@@ -1727,6 +1734,19 @@ main(int ac, char **av)
 +@@ -1625,13 +1632,14 @@
 + 		if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
 + 		    sshbuf_len(server_cfg)) != 0)
 + 			fatal_f("ssh_digest_update");
 +-		len = ssh_digest_bytes(digest_alg);
 +-		hash = xmalloc(len);
 +-		if (ssh_digest_final(ctx, hash, len) != 0)
 +-			fatal_f("ssh_digest_final");
 +-		options.timing_secret = PEEK_U64(hash);
 +-		freezero(hash, len);
 +-		ssh_digest_free(ctx);
 ++		if ((len = ssh_digest_bytes(digest_alg)) > 0) {
 ++			hash = xmalloc(len);
 ++			if (ssh_digest_final(ctx, hash, len) != 0)
 ++				fatal_f("ssh_digest_final");
 ++			options.timing_secret = PEEK_U64(hash);
 ++			freezero(hash, len);
 ++			ssh_digest_free(ctx);
 ++		}
 + 		ctx = NULL;
 + 		return;
 + 	}
 +@@ -1727,6 +1735,19 @@ main(int ac, char **av)
   		fatal("AuthorizedPrincipalsCommand set without "
   		    "AuthorizedPrincipalsCommandUser");

 @@ -1355,7 +1415,7 @@
   	/*
   	 * Check whether there is any path through configured auth methods.
   	 * Unfortunately it is not possible to verify this generally before
 -@@ -2166,6 +2186,9 @@ main(int ac, char **av)
 +@@ -2166,6 +2187,9 @@ main(int ac, char **av)
   	    rdomain == NULL ? "" : "\"");
   	free(laddr);

 @@ -1365,7 +1425,7 @@
   	/*
   	 * We don't want to listen forever unless the other side
   	 * successfully authenticates itself.  So we set up an alarm which is
 -@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
 +@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
   	struct kex *kex;
   	int r;

 @@ -1405,14 +1465,3 @@
   # Example of overriding settings on a per-user basis
   #Match User anoncvs
   #	X11Forwarding no
 -diff --git a/version.h b/version.h
 -index 6b4fa372..332fb486 100644
 ---- a/version.h
 -+++ b/version.h
 -@@ -3,4 +3,5 @@
 - #define SSH_VERSION	"OpenSSH_8.5"
 -
 - #define SSH_PORTABLE	"p1"
 --#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 -+#define SSH_HPN         "-hpn15v2"
 -+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
 diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
 --- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-08-31 11:12:16.778011216 -0700
 +++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-08-31 11:13:11.573211934 -0700
 @@ -12,9 +12,9 @@
   static long stalled;		/* how long we have been stalled */
   static int bytes_per_second;	/* current speed in bytes per second */
  @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
 + 	off_t bytes_left;
   	int cur_speed;
 - 	int hours, minutes, seconds;
 - 	int file_len;
 + 	int len;
  +	off_t delta_pos;

   	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
 @@ -30,15 +30,17 @@
   	if (bytes_left > 0)
   		elapsed = now - last_update;
   	else {
 -@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
 -
 +@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
 + 	buf[1] = '\0';
 +
   	/* filename */
 - 	buf[0] = '\0';
 --	file_len = win_size - 36;
 -+	file_len = win_size - 45;
 - 	if (file_len > 0) {
 - 		buf[0] = '\r';
 - 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
 +-	if (win_size > 36) {
 ++	if (win_size > 45) {
 +-		int file_len = win_size - 36;
 ++		int file_len = win_size - 45;
 + 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
 + 		    file_len, file);
 + 	}
  @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
   	    (off_t)bytes_per_second);
   	strlcat(buf, "/s ", win_size);
 @@ -63,15 +65,3 @@
   }

   /*ARGSUSED*/
 -diff --git a/ssh-keygen.c b/ssh-keygen.c
 -index cfb5f115..986ff59b 100644
 ---- a/ssh-keygen.c
 -+++ b/ssh-keygen.c
 -@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
 -
 - 	if (skprovider == NULL)
 - 		fatal("Cannot download keys without provider");
 --
 - 	pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
 - 	if (!quiet) {
 - 		printf("You may need to touch your authenticator "
	diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
	--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700
	+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700
	@@ -3,9 +3,9 @@
	--- a/Makefile.in
	+++ b/Makefile.in
	@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
	- CFLAGS_NOPIE=@CFLAGS_NOPIE@
	- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
	- PICFLAG=@PICFLAG@
	+ LD=@LD@
	+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
	+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
	-LIBS=@LIBS@
	+LIBS=@LIBS@ -lpthread
	K5LIBS=@K5LIBS@
	@@ -803,8 +803,8 @@
	ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
	{
	struct session_state *state;
	-- const struct sshcipher *none = cipher_by_name("none");
	-+ struct sshcipher *none = cipher_by_name("none");
	+- const struct sshcipher *none = cipher_none();
	++ struct sshcipher *none = cipher_none();
	int r;

	if (none == NULL) {
	@@ -894,24 +894,24 @@
	intptr = &options->compression;
	multistate_ptr = multistate_compression;
	@@ -2272,6 +2278,7 @@ initialize_options(Options * options)
	- options->revoked_host_keys = NULL;
	options->fingerprint_hash = -1;
	options->update_hostkeys = -1;
	+ options->known_hosts_command = NULL;
	+ options->disable_multithreaded = -1;
	- options->hostbased_accepted_algos = NULL;
	- options->pubkey_accepted_algos = NULL;
	- options->known_hosts_command = NULL;
	+ }
	+
	+ /*
	@@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
	+ options->update_hostkeys = 0;
	if (options->sk_provider == NULL)
	options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
	- #endif
	+ if (options->update_hostkeys == -1)
	+ options->update_hostkeys = 0;
	+ if (options->disable_multithreaded == -1)
	+ options->disable_multithreaded = 0;

	- /* Expand KEX name lists */
	- all_cipher = cipher_alg_list(',', 0);
	+ /* expand KEX and etc. name lists */
	+ { char *all;
	diff --git a/readconf.h b/readconf.h
	index 2fba866e..7f8f0227 100644
	--- a/readconf.h
	@@ -950,9 +950,9 @@
	/* Portable-specific options */
	sUsePAM,
	+ sDisableMTAES,
	- /* Standard Options */
	- sPort, sHostKeyFile, sLoginGraceTime,
	- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
	+ /* X.509 Standard Options */
	+ sHostbasedAlgorithms,
	+ sPubkeyAlgorithms,
	@@ -662,6 +666,7 @@ static struct {
	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
	diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
	--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700
	+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700
	@@ -157,6 +157,36 @@
	+ Allan Jude provided the code for the NoneMac and buffer normalization.
	+ This work was financed, in part, by Cisco System, Inc., the National
	+ Library of Medicine, and the National Science Foundation.
	+diff --git a/auth2.c b/auth2.c
	+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
	++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
	+@@ -229,16 +229,17 @@
	+ double delay;
	+
	+ digest_alg = ssh_digest_maxbytes();
	+- len = ssh_digest_bytes(digest_alg);
	+- hash = xmalloc(len);
	++ if (len = ssh_digest_bytes(digest_alg) > 0) {
	++ hash = xmalloc(len);
	+
	+- (void)snprintf(b, sizeof b, "%llu%s",
	+- (unsigned long long)options.timing_secret, user);
	+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
	+- fatal_f("ssh_digest_memory");
	+- /* 0-4.2 ms of delay */
	+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
	+- freezero(hash, len);
	++ (void)snprintf(b, sizeof b, "%llu%s",
	++ (unsigned long long)options.timing_secret, user);
	++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
	++ fatal_f("ssh_digest_memory");
	++ /* 0-4.2 ms of delay */
	++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
	++ freezero(hash, len);
	++ }
	+ debug3_f("user specific delay %0.3lfms", delay/1000);
	+ return MIN_FAIL_DELAY_SECONDS + delay;
	+ }
	diff --git a/channels.c b/channels.c
	index b60d56c4..0e363c15 100644
	--- a/channels.c
	@@ -209,14 +239,14 @@
	static void
	channel_pre_open(struct ssh ssh, Channel c,
	fd_set readset, fd_set writeset)
	-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh ssh, Channel c)
	+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh ssh, Channel c)

	if (c->type == SSH_CHANNEL_OPEN &&
	!(c->flags & (CHAN_CLOSE_SENT\|CHAN_CLOSE_RCVD)) &&
	- ((c->local_window_max - c->local_window >
	- c->local_maxpacket*3) \|\|
	-+ ((ssh_packet_is_interactive(ssh) &&
	-+ c->local_window_max - c->local_window > c->local_maxpacket*3) \|\|
	++ ((ssh_packet_is_interactive(ssh) &&
	++ c->local_window_max - c->local_window > c->local_maxpacket*3) \|\|
	c->local_window < c->local_window_max/2) &&
	c->local_consumed > 0) {
	+ u_int addition = 0;
	@@ -235,9 +265,8 @@
	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
	- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 \|\|
	+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 \|\|
	- (r = sshpkt_send(ssh)) != 0) {
	- fatal_fr(r, "channel %i", c->self);
	- }
	+ (r = sshpkt_send(ssh)) != 0)
	+ fatal_fr(r, "channel %d", c->self);
	- debug2("channel %d: window %d sent adjust %d", c->self,
	- c->local_window, c->local_consumed);
	- c->local_window += c->local_consumed;
	@@ -337,70 +366,92 @@
	index 70f492f8..5503af1d 100644
	--- a/clientloop.c
	+++ b/clientloop.c
	-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh ssh, const char request_type, int rchan)
	+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh ssh, const char request_type, int rchan)
	sock = x11_connect_display(ssh);
	if (sock < 0)
	return NULL;
	- c = channel_new(ssh, "x11",
	- SSH_CHANNEL_X11_OPEN, sock, sock, -1,
	-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
	-+ c = channel_new(ssh, "x11",
	-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
	-+ /* again is this really necessary for X11? */
	-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
	-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
	+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
	+- CHANNEL_NONBLOCK_SET);
	++ c = channel_new(ssh, "x11",
	++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
	++ /* again is this really necessary for X11? */
	++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
	++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
	c->force_drain = 1;
	return c;
	}
	-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh ssh, const char request_type, int rchan)
	+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh ssh, const char request_type, int rchan)
	return NULL;
	}
	c = channel_new(ssh, "authentication agent connection",
	- SSH_CHANNEL_OPEN, sock, sock, -1,
	- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
	-- "authentication agent connection", 1);
	-+ SSH_CHANNEL_OPEN, sock, sock, -1,
	-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
	-+ CHAN_TCP_PACKET_DEFAULT, 0,
	-+ "authentication agent connection", 1);
	+- "authentication agent connection", CHANNEL_NONBLOCK_SET);
	++ SSH_CHANNEL_OPEN, sock, sock, -1,
	++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
	++ CHAN_TCP_PACKET_DEFAULT, 0,
	++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
	c->force_drain = 1;
	return c;
	}
	-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
	+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
	}
	debug("Tunnel forwarding using interface %s", ifname);

	- c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
	-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
	-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
	+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
	+- CHANNEL_NONBLOCK_SET);
	++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
	+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
	-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
	++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
	c->datagram = 1;

	-+
	-+
	#if defined(SSH_TUN_FILTER)
	- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
	- channel_register_filter(ssh, c->self, sys_tun_infilter,
	diff --git a/compat.c b/compat.c
	index 69befa96..90b5f338 100644
	--- a/compat.c
	+++ b/compat.c
	-@@ -149,6 +149,14 @@ compat_banner(struct ssh ssh, const char version)
	- debug_f("match: %s pat %s compat 0x%08x",
	+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
	+ static u_int
	+ compat_datafellows(const char *version)
	+ {
	+- int i;
	++ int i, bugs = 0;
	+ static struct {
	+ char *pat;
	+ int bugs;
	+@@ -147,11 +147,26 @@
	+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
	+ debug("match: %s pat %s compat 0x%08x",
	version, check[i].pat, check[i].bugs);
	- ssh->compat = check[i].bugs;
	+ /* Check to see if the remote side is OpenSSH and not HPN */
	-+ /* TODO: need to use new method to test for this */
	+ if (strstr(version, "OpenSSH") != NULL) {
	+ if (strstr(version, "hpn") == NULL) {
	-+ ssh->compat \|= SSH_BUG_LARGEWINDOW;
	++ bugs \|= SSH_BUG_LARGEWINDOW;
	+ debug("Remote is NON-HPN aware");
	+ }
	+ }
	- return;
	+- return check[i].bugs;
	++ bugs \|= check[i].bugs;
	}
	}
	+- debug("no match: %s", version);
	+- return 0;
	++ /* Check to see if the remote side is OpenSSH and not HPN */
	++ if (strstr(version, "OpenSSH") != NULL) {
	++ if (strstr(version, "hpn") == NULL) {
	++ bugs \|= SSH_BUG_LARGEWINDOW;
	++ debug("Remote is NON-HPN aware");
	++ }
	++ }
	++ if (bugs == 0)
	++ debug("no match: %s", version);
	++ return bugs;
	+ }
	+
	+ char *
	diff --git a/compat.h b/compat.h
	index c197fafc..ea2e17a7 100644
	--- a/compat.h
	@@ -459,7 +510,7 @@
	@@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
	int nenc, nmac, ncomp;
	u_int mode, ctos, need, dh_need, authlen;
	- int r, first_kex_follows;
	+ int r, first_kex_follows = 0;
	+ int auth_flag = 0;
	+
	+ auth_flag = packet_authentication_state(ssh);
	@@ -553,7 +604,7 @@
	#define MAX_PACKETS (1U<<31)
	static int
	ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
	-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh ssh, u_char typep, u_int32_t *seqnr_p)
	+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh ssh, u_char typep, u_int32_t *seqnr_p)
	struct session_state *state = ssh->state;
	int len, r, ms_remain;
	fd_set *setp;
	@@ -1035,19 +1086,6 @@

	/* Minimum amount of data to read at a time */
	#define MIN_READ_SIZE 512
	-diff --git a/ssh-keygen.c b/ssh-keygen.c
	-index cfb5f115..36a6e519 100644
	---- a/ssh-keygen.c
	-+++ b/ssh-keygen.c
	-@@ -2971,7 +2971,7 @@ do_download_sk(const char skprovider, const char device)
	- freezero(pin, strlen(pin));
	- error_r(r, "Unable to load resident keys");
	- return -1;
	-- }
	-+ }
	- if (nkeys == 0)
	- logit("No keys to download");
	- if (pin != NULL)
	diff --git a/ssh.c b/ssh.c
	index 53330da5..27b9770e 100644
	--- a/ssh.c
	@@ -1093,7 +1131,7 @@
	+ else
	+ options.hpn_buffer_size = 2 * 1024 * 1024;
	+
	-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
	++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
	+ debug("HPN to Non-HPN Connection");
	+ } else {
	+ int sock, socksize;
	@@ -1157,14 +1195,14 @@
	}
	@@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
	window, packetmax, CHAN_EXTENDED_WRITE,
	- "client-session", /nonblock/0);
	+ "client-session", CHANNEL_NONBLOCK_STDIO);

	+ if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
	+ c->dynamic_window = 1;
	+ debug("Enabled Dynamic Window Scaling");
	+ }
	+
	- debug3_f("channel_new: %d", c->self);
	+ debug2_f("channel %d", c->self);

	channel_send_open(ssh, c->self);
	@@ -2105,6 +2188,13 @@ ssh_session2(struct ssh ssh, const struct ssh_conn_info cinfo)
	@@ -1335,7 +1373,29 @@
	/* Bind the socket to the desired port. */
	if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
	error("Bind to port %s on %s failed: %.200s.",
	-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
	+@@ -1625,13 +1632,14 @@
	+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
	+ sshbuf_len(server_cfg)) != 0)
	+ fatal_f("ssh_digest_update");
	+- len = ssh_digest_bytes(digest_alg);
	+- hash = xmalloc(len);
	+- if (ssh_digest_final(ctx, hash, len) != 0)
	+- fatal_f("ssh_digest_final");
	+- options.timing_secret = PEEK_U64(hash);
	+- freezero(hash, len);
	+- ssh_digest_free(ctx);
	++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
	++ hash = xmalloc(len);
	++ if (ssh_digest_final(ctx, hash, len) != 0)
	++ fatal_f("ssh_digest_final");
	++ options.timing_secret = PEEK_U64(hash);
	++ freezero(hash, len);
	++ ssh_digest_free(ctx);
	++ }
	+ ctx = NULL;
	+ return;
	+ }
	+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
	fatal("AuthorizedPrincipalsCommand set without "
	"AuthorizedPrincipalsCommandUser");

	@@ -1355,7 +1415,7 @@
	/*
	* Check whether there is any path through configured auth methods.
	* Unfortunately it is not possible to verify this generally before
	-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
	+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
	rdomain == NULL ? "" : "\"");
	free(laddr);

	@@ -1365,7 +1425,7 @@
	/*
	* We don't want to listen forever unless the other side
	* successfully authenticates itself. So we set up an alarm which is
	-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
	+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
	struct kex *kex;
	int r;

	@@ -1405,14 +1465,3 @@
	# Example of overriding settings on a per-user basis
	#Match User anoncvs
	# X11Forwarding no
	-diff --git a/version.h b/version.h
	-index 6b4fa372..332fb486 100644
	---- a/version.h
	-+++ b/version.h
	-@@ -3,4 +3,5 @@
	- #define SSH_VERSION "OpenSSH_8.5"
	-
	- #define SSH_PORTABLE "p1"
	--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
	-+#define SSH_HPN "-hpn15v2"
	-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
	diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
	--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700
	+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700
	@@ -12,9 +12,9 @@
	static long stalled; /* how long we have been stalled */
	static int bytes_per_second; /* current speed in bytes per second */
	@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
	+ off_t bytes_left;
	int cur_speed;
	- int hours, minutes, seconds;
	- int file_len;
	+ int len;
	+ off_t delta_pos;

	if ((!force_update && !alarm_fired && !win_resized) \|\| !can_output())
	@@ -30,15 +30,17 @@
	if (bytes_left > 0)
	elapsed = now - last_update;
	else {
	-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
	-
	+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
	+ buf[1] = '\0';
	+
	/* filename */
	- buf[0] = '\0';
	-- file_len = win_size - 36;
	-+ file_len = win_size - 45;
	- if (file_len > 0) {
	- buf[0] = '\r';
	- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
	+- if (win_size > 36) {
	++ if (win_size > 45) {
	+- int file_len = win_size - 36;
	++ int file_len = win_size - 45;
	+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
	+ file_len, file);
	+ }
	@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
	(off_t)bytes_per_second);
	strlcat(buf, "/s ", win_size);
	@@ -63,15 +65,3 @@
	}

	/ARGSUSED/
	-diff --git a/ssh-keygen.c b/ssh-keygen.c
	-index cfb5f115..986ff59b 100644
	---- a/ssh-keygen.c
	-+++ b/ssh-keygen.c
	-@@ -2959,7 +2959,6 @@ do_download_sk(const char skprovider, const char device)
	-
	- if (skprovider == NULL)
	- fatal("Cannot download keys without provider");
	--
	- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
	- if (!quiet) {
	- printf("You may need to touch your authenticator "