diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/openssh-6.8p1/HPN-README work/openssh-6.8p1/HPN-README
--- work.clean/openssh-6.8p1/HPN-README	1969-12-31 18:00:00.000000000 -0600
+++ work/openssh-6.8p1/HPN-README	2015-04-01 22:16:49.869215000 -0500
@@ -0,0 +1,129 @@
+Notes:
+
+MULTI-THREADED CIPHER:
+The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
+on hosts with multiple cores to use more than one processing core during encryption. 
+Tests have show significant throughput performance increases when using MTR-AES-CTR up 
+to and including a full gigabit per second on quad core systems. It should be possible to 
+achieve full line rate on dual core systems but OS and data management overhead makes this
+more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single 
+thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal 
+performance requires the MTR-AES-CTR mode be enabled on both ends of the connection. 
+The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
+nomenclature. 
+Use examples: 	ssh -caes128-ctr you@host.com
+		scp -oCipher=aes256-ctr file you@host.com:~/file
+
+NONE CIPHER:
+To use the NONE option you must have the NoneEnabled switch set on the server and
+you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
+feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not 
+spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
+be disabled. 
+
+The performance increase will only be as good as the network and TCP stack tuning
+on the reciever side of the connection allows. As a rule of thumb a user will need 
+at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
+HPN-SSH home page describes this in greater detail. 
+
+http://www.psc.edu/networking/projects/hpn-ssh
+
+BUFFER SIZES:
+
+If HPN is disabled the receive buffer size will be set to the 
+OpenSSH default of 64K.
+
+If an HPN system connects to a nonHPN system the receive buffer will
+be set to the HPNBufferSize value. The default is 2MB but user adjustable.
+
+If an HPN to HPN connection is established a number of different things might
+happen based on the user options and conditions. 
+
+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set 
+HPN Buffer Size = up to 64MB 
+This is the default state. The HPN buffer size will grow to a maximum of 64MB 
+as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is 
+geared towards 10GigE transcontinental connections. 
+
+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
+HPN Buffer Size = TCP receive buffer value. 
+Users on non-autotuning systesm should disable TCPRcvBufPoll in the 
+ssh_cofig and sshd_config
+
+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
+HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. 
+This would be the system defined TCP receive buffer (RWIN).
+
+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. 
+Generally there is no need to set both.
+
+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
+HPN Buffer Size = grows to HPNBufferSize
+The buffer will grow up to the maximum size specified here. 
+
+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. 
+Generally there is no need to set both of these, especially on autotuning 
+systems. However, if the users wishes to override the autotuning this would be 
+one way to do it.
+
+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
+HPN Buffer Size = TCPRcvBuf. 
+This will override autotuning and set the TCP recieve buffer to the user defined 
+value.
+
+
+HPN Specific Configuration options
+
+TcpRcvBuf=[int]KB client
+      set the TCP socket receive buffer to n Kilobytes. It can be set up to the 
+maximum socket size allowed by the system. This is useful in situations where 
+the tcp receive window is set low but the maximum buffer size is set 
+higher (as is typical). This works on a per TCP connection basis. You can also 
+use this to artifically limit the transfer rate of the connection. In these 
+cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB. 
+Default is the current system wide tcp receive buffer size.
+
+TcpRcvBufPoll=[yes/no] client/server
+      enable of disable the polling of the tcp receive buffer through the life 
+of the connection. You would want to make sure that this option is enabled 
+for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista) 
+default is yes.
+
+NoneEnabled=[yes/no] client/server
+      enable or disable the use of the None cipher. Care must always be used 
+when enabling this as it will allow users to send data in the clear. However, 
+it is important to note that authentication information remains encrypted 
+even if this option is enabled. Set to no by default.
+
+NoneSwitch=[yes/no] client
+     Switch the encryption cipher being used to the None cipher after
+authentication takes place. NoneEnabled must be enabled on both the client
+and server side of the connection. When the connection switches to the NONE
+cipher a warning is sent to STDERR. The connection attempt will fail with an
+error if a client requests a NoneSwitch from the server that does not explicitly
+have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
+interactive (shell) sessions and it will fail silently. Set to no by default.
+
+HPNDisabled=[yes/no] client/server
+     In some situations, such as transfers on a local area network, the impact 
+of the HPN code produces a net decrease in performance. In these cases it is 
+helpful to disable the HPN functionality. By default HPNDisabled is set to no. 
+
+HPNBufferSize=[int]KB client/server
+     This is the default buffer size the HPN functionality uses when interacting
+with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
+option as applied to the internal SSH flow control. This value can range from 
+1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
+problems depending on the length of the network path. The default size of this buffer
+is 2MB.
+
+
+Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
+         The majority of the actual coding for versions up to HPN12v1 was performed
+         by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was 
+	 implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota 
+	 (tasota@gmail.com) an NSF REU grant recipient for 2013. 
+	 This work was financed, in part, by Cisco System, Inc., the National 
+         Library of Medicine, and the National Science Foundation. 
--- work/openssh/channels.c.orig	2021-04-15 20:55:25.000000000 -0700
+++ work/openssh/channels.c	2021-04-28 14:35:20.732518000 -0700
@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
 /* Setup helper */
 static void channel_handler_init(struct ssh_channels *sc);
 
+
+#ifdef HPN_ENABLED
+static int hpn_disabled = 0;
+static int hpn_buffer_size = 2 * 1024 * 1024;
+#endif
+
 /* -- channel core */
 
 void
@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
 	c->local_window = window;
 	c->local_window_max = window;
 	c->local_maxpacket = maxpack;
+#ifdef HPN_ENABLED
+	c->dynamic_window = 0;
+#endif
 	c->remote_name = xstrdup(remote_name);
 	c->ctl_chan = -1;
 	c->delayed = 1;		/* prevent call to channel_post handler */
@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
 	FD_SET(c->sock, writeset);
 }
 
+#ifdef HPN_ENABLED
+static int
+channel_tcpwinsz(struct ssh *ssh)
+{
+	u_int32_t tcpwinsz = 0;
+	socklen_t optsz = sizeof(tcpwinsz);
+	int ret = -1;
+
+	/* if we aren't on a socket return 128KB */
+	if (!ssh_packet_connection_is_on_socket(ssh))
+		return 128 * 1024;
+
+	ret = getsockopt(ssh_packet_get_connection_in(ssh),
+			 SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
+	/* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
+	if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
+		tcpwinsz = SSHBUF_SIZE_MAX;
+
+	debug2("tcpwinsz: tcp connection %d, Receive window: %d",
+	       ssh_packet_get_connection_in(ssh), tcpwinsz);
+	return tcpwinsz;
+}
+#endif
+
 static void
 channel_pre_open(struct ssh *ssh, Channel *c,
     fd_set *readset, fd_set *writeset)
@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
 	    c->local_maxpacket*3) ||
 	    c->local_window < c->local_window_max/2) &&
 	    c->local_consumed > 0) {
+		u_int addition = 0;
+#ifdef HPN_ENABLED
+		u_int32_t tcpwinsz = channel_tcpwinsz(ssh);
+		/* adjust max window size if we are in a dynamic environment */
+		if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
+			/* grow the window somewhat aggressively to maintain pressure */
+			addition = 1.5 * (tcpwinsz - c->local_window_max);
+			c->local_window_max += addition;
+			debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
+		}
+#endif
 		if (!c->have_remote_id)
 			fatal_f("channel %d: no remote id", c->self);
 		if ((r = sshpkt_start(ssh,
 		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
 		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
-		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
 		    (r = sshpkt_send(ssh)) != 0) {
 			fatal_fr(r, "channel %i", c->self);
 		}
 		debug2("channel %d: window %d sent adjust %d", c->self,
-		    c->local_window, c->local_consumed);
-		c->local_window += c->local_consumed;
+		    c->local_window, c->local_consumed + addition);
+		c->local_window += c->local_consumed + addition;
 		c->local_consumed = 0;
 	}
 	return 1;
@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
 	return addr;
 }
 
+#ifdef HPN_ENABLED
+void
+channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
+{
+	hpn_disabled = external_hpn_disabled;
+	hpn_buffer_size = external_hpn_buffer_size;
+	debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled,
+	    hpn_buffer_size);
+}
+#endif
+
 static int
 channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
     struct Forward *fwd, int *allocated_listen_port,
@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
 		}
 
 		/* Allocate a channel number for the socket. */
+#ifdef HPN_ENABLED
+		/*
+		 * explicitly test for hpn disabled option. if true use smaller
+		 * window size.
+		 */
+		if (!hpn_disabled)
+			c = channel_new(ssh, "port listener", type, sock, sock, -1,
+			    hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+			    0, "port listener", 1);
+		else
+#endif
 		c = channel_new(ssh, "port listener", type, sock, sock, -1,
 		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
 		    0, "port listener", 1);
@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
 	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
 	for (n = 0; n < num_socks; n++) {
 		sock = socks[n];
+#ifdef HPN_ENABLED
+		if (!hpn_disabled)
+			nc = channel_new(ssh, "x11 listener",
+			    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+			    hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
+			    0, "X11 inet listener", 1);
+		else
+#endif
 		nc = channel_new(ssh, "x11 listener",
 		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
 		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
--- work/openssh-7.7p1/channels.h.orig	2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/channels.h	2018-06-27 16:38:40.766588000 -0700
@@ -143,6 +143,9 @@ struct Channel {
 	u_int	local_maxpacket;
 	int     extended_usage;
 	int	single_connection;
+#ifdef HPN_ENABLED
+	int	dynamic_window;
+#endif
 
 	char   *ctype;		/* type */
 
@@ -335,5 +338,10 @@ void	 chan_ibuf_empty(struct ssh *, Channel *);
 void	 chan_rcvd_ieof(struct ssh *, Channel *);
 void	 chan_write_failed(struct ssh *, Channel *);
 void	 chan_obuf_empty(struct ssh *, Channel *);
+
+#ifdef HPN_ENABLED
+/* hpn handler */
+void     channel_set_hpn(int, int);
+#endif
 
 #endif
--- work/openssh-7.7p1/cipher.c.orig	2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/cipher.c	2018-06-27 16:55:43.165788000 -0700
@@ -212,7 +212,12 @@ ciphers_valid(const char *names)
 	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
 	    (p = strsep(&cp, CIPHER_SEP))) {
 		c = cipher_by_name(p);
+#ifdef NONE_CIPHER_ENABLED
+		if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 &&
+		    (c->flags & CFLAG_NONE) != 0)) {
+#else
 		if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
+#endif
 			free(cipher_list);
 			return 0;
 		}
--- work/openssh-7.7p1/clientloop.c.orig	2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/clientloop.c	2018-06-27 16:40:24.560906000 -0700
@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
 	sock = x11_connect_display(ssh);
 	if (sock < 0)
 		return NULL;
+#ifdef HPN_ENABLED
+	/* again is this really necessary for X11? */
+	if (!options.hpn_disabled)
+		c = channel_new(ssh, "x11",
+		    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+		    options.hpn_buffer_size,
+		    CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+	else
+#endif
 	c = channel_new(ssh, "x11",
 	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
 			    __func__, ssh_err(r));
 		return NULL;
 	}
+#ifdef HPN_ENABLED
+	if (!options.hpn_disabled)
+		c = channel_new(ssh, "authentication agent connection",
+		    SSH_CHANNEL_OPEN, sock, sock, -1,
+		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
+		    "authentication agent connection", 1);
+	else
+#endif
 	c = channel_new(ssh, "authentication agent connection",
 	    SSH_CHANNEL_OPEN, sock, sock, -1,
 	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
 	}
 	debug("Tunnel forwarding using interface %s", ifname);
 
+#ifdef HPN_ENABLED
+	if (!options.hpn_disabled)
+		c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+	else
+#endif
 	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 	c->datagram = 1;
--- work/openssh/compat.c.orig	2021-04-15 20:55:25.000000000 -0700
+++ work/openssh/compat.c	2021-04-28 14:37:33.129317000 -0700
@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
 			debug_f("match: %s pat %s compat 0x%08x",
 			    version, check[i].pat, check[i].bugs);
 			ssh->compat = check[i].bugs;
+#ifdef HPN_ENABLED
+			/* Check to see if the remote side is OpenSSH and not HPN */
+			if (strstr(version,"OpenSSH") != NULL &&
+			    strstr(version,"hpn") == NULL) {
+				ssh->compat |= SSH_BUG_LARGEWINDOW;
+				debug("Remote is NON-HPN aware");
+			}
+#endif
 			return;
 		}
 	}
--- work/openssh/compat.h.orig	2015-05-29 03:27:21.000000000 -0500
+++ work/openssh/compat.h	2015-06-02 09:55:04.208681000 -0500
@@ -62,6 +62,9 @@
 #define SSH_BUG_CURVE25519PAD	0x10000000
 #define SSH_BUG_HOSTKEYS	0x20000000
 #define SSH_BUG_DHGEX_LARGE	0x40000000
+#ifdef HPN_ENABLED
+#define SSH_BUG_LARGEWINDOW     0x80000000
+#endif
 
 void     enable_compat13(void);
 void     enable_compat20(void);
--- work/openssh/configure.ac.orig	2020-03-22 11:06:53.034550000 -0700
+++ work/openssh/configure.ac	2020-03-22 11:07:10.017487000 -0700
@@ -4778,6 +4778,25 @@ AC_ARG_WITH([maildir],
     ]
 ) # maildir
 
+#check whether user wants HPN support
+HPN_MSG="no"
+AC_ARG_WITH(hpn,
+	[  --with-hpn             Enable HPN support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.])
+		HPN_MSG="yes"
+	fi ]
+)
+#check whether user wants NONECIPHER support
+NONECIPHER_MSG="no"
+AC_ARG_WITH(nonecipher,
+	[  --with-nonecipher             Enable NONECIPHER support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want NONECIPHER support.])
+		NONECIPHER_MSG="yes"
+	fi ]
+)
+
 if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
 	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
 	disable_ptmx_check=yes
@@ -5459,6 +5478,8 @@ echo "              Random number source: $RAND_MSG"
 echo "             Privsep sandbox style: $SANDBOX_STYLE"
 echo "                   PKCS#11 support: $enable_pkcs11"
 echo "                  U2F/FIDO support: $enable_sk"
+echo "                       HPN support: $HPN_MSG"
+echo "                NONECIPHER support: $NONECIPHER_MSG"
 
 echo ""
 
--- work/openssh/kex.c.orig	2021-04-15 20:55:25.000000000 -0700
+++ work/openssh/kex.c	2021-04-28 14:38:31.761909000 -0700
@@ -960,6 +960,20 @@ kex_choose_conf(struct ssh *ssh)
 			peer[ncomp] = NULL;
 			goto out;
 		}
+#ifdef NONE_CIPHER_ENABLED
+		debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
+		if (strcmp(newkeys->enc.name, "none") == 0) {
+			int auth_flag;
+
+			auth_flag = ssh_packet_authentication_state(ssh);
+			debug("Requesting NONE. Authflag is %d", auth_flag);
+			if (auth_flag == 1) {
+				debug("None requested post authentication.");
+			} else {
+				fatal("Pre-authentication none cipher requests are not allowed.");
+			}
+		}
+#endif
 		debug("kex: %s cipher: %s MAC: %s compression: %s",
 		    ctos ? "client->server" : "server->client",
 		    newkeys->enc.name,
@@ -1170,7 +1184,7 @@ send_error(struct ssh *ssh, char *msg)
  */
 int
 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
-    const char *version_addendum)
+    const char *version_addendum, int hpn_disabled)
 {
 	int remote_major, remote_minor, mismatch, oerrno = 0;
 	size_t len, i, n;
@@ -1187,8 +1201,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
 	sshbuf_reset(our_version);
 	if (version_addendum != NULL && *version_addendum == '\0')
 		version_addendum = NULL;
-	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n",
 	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+#ifdef HPN_ENABLED
+	    hpn_disabled ? "" : SSH_HPN,
+#else
+	    "",
+#endif
 	    version_addendum == NULL ? "" : " ",
 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
 		oerrno = errno;
--- work/openssh-7.7p1/packet.c.orig	2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/packet.c	2018-06-27 16:42:42.739507000 -0700
@@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
 	return 0;
 }
 
+#ifdef NONE_CIPHER_ENABLED
+/* this supports the forced rekeying required for the NONE cipher */
+int rekey_requested = 0;
+void
+packet_request_rekeying(void)
+{
+	rekey_requested = 1;
+}
+
+int
+ssh_packet_authentication_state(struct ssh *ssh)
+{
+	struct session_state *state = ssh->state;
+
+	return(state->after_authentication);
+}
+#endif
+
 #define MAX_PACKETS	(1U<<31)
 static int
 ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
@@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou
 	/* Peer can't rekey */
 	if (ssh->compat & SSH_BUG_NOREKEY)
 		return 0;
+#ifdef NONE_CIPHER_ENABLED
+	/* used to force rekeying when called for by the none
+         * cipher switch methods -cjr */
+        if (rekey_requested == 1) {
+               rekey_requested = 0;
+               return 1;
+        }
+#endif
 
 	/*
 	 * Permit one packet in or out per rekey - this allows us to
--- work.clean/openssh-6.8p1/packet.h	2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/packet.h	2015-04-03 16:10:34.728161000 -0500
@@ -206,6 +206,11 @@ int	sshpkt_get_end(struct ssh *ssh);
 void	sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l);
 const u_char	*sshpkt_ptr(struct ssh *, size_t *lenp);
 
+#ifdef NONE_CIPHER_ENABLED
+void  packet_request_rekeying(void);
+int   ssh_packet_authentication_state(struct ssh *ssh);
+#endif
+
 #if !defined(WITH_OPENSSL)
 # undef BIGNUM
 # undef EC_KEY
--- work/openssh/readconf.c.orig	2021-09-08 09:56:20.567664000 -0700
+++ work/openssh/readconf.c	2021-09-08 09:57:31.560617000 -0700
@@ -67,6 +67,9 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
+#ifdef HPN_ENABLED
+#include "sshbuf.h"
+#endif
 
 /* Format of the configuration file:
 
@@ -168,6 +171,12 @@ typedef enum {
 	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
 	oVisualHostKey,
 	oKexAlgorithms, oIPQoS, oRequestTTY, oSessionType, oStdinNull,
+#ifdef HPN_ENABLED
+	oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
+#endif
+#ifdef NONE_CIPHER_ENABLED
+	oNoneSwitch, oNoneEnabled, 
+#endif
 	oForkAfterAuthentication, oIgnoreUnknown, oProxyUseFdpass,
 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
@@ -316,6 +325,16 @@ static struct {
 	{ "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */
 	{ "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
+#ifdef NONE_CIPHER_ENABLED
+	{ "noneenabled", oNoneEnabled },
+	{ "noneswitch", oNoneSwitch },
+#endif
+#ifdef HPN_ENABLED
+	{ "tcprcvbufpoll", oTcpRcvBufPoll },
+	{ "tcprcvbuf", oTcpRcvBuf },
+	{ "hpndisabled", oHPNDisabled },
+	{ "hpnbuffersize", oHPNBufferSize },
+#endif
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
 	{ "securitykeyprovider", oSecurityKeyProvider },
@@ -1125,6 +1144,44 @@ parse_time:
 		intptr = &options->check_host_ip;
 		goto parse_flag;
 
+#ifdef HPN_ENABLED
+	case oHPNDisabled:
+		intptr = &options->hpn_disabled;
+		goto parse_flag;
+
+	case oHPNBufferSize:
+		intptr = &options->hpn_buffer_size;
+		goto parse_int;
+
+	case oTcpRcvBufPoll:
+		intptr = &options->tcp_rcv_buf_poll;
+		goto parse_flag;
+
+	case oTcpRcvBuf:
+		intptr = &options->tcp_rcv_buf;
+		goto parse_int;
+#endif
+
+#ifdef NONE_CIPHER_ENABLED
+        case oNoneEnabled:
+               	intptr = &options->none_enabled;
+               	goto parse_flag;
+ 
+       	/* we check to see if the command comes from the */
+       	/* command line or not. If it does then enable it */
+       	/* otherwise fail. NONE should never be a default configuration */
+       	case oNoneSwitch:
+               	if(strcmp(filename,"command-line") == 0) {
+                       	intptr = &options->none_switch;
+                       	goto parse_flag;
+               	} else {
+                       	error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
+                       	error("Continuing...");
+                       	debug("NoneSwitch directive found in %.200s.", filename);
+                       	return 0;
+               	}
+#endif
+
 	case oVerifyHostKeyDNS:
 		intptr = &options->verify_host_key_dns;
 		multistate_ptr = multistate_yesnoask;
@@ -2386,6 +2443,16 @@ initialize_options(Options * options)
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->request_tty = -1;
+#ifdef NONE_CIPHER_ENABLED
+	options->none_switch = -1;
+	options->none_enabled = -1;
+#endif
+#ifdef HPN_ENABLED
+	options->hpn_disabled = -1;
+	options->hpn_buffer_size = -1;
+	options->tcp_rcv_buf_poll = -1;
+	options->tcp_rcv_buf = -1;
+#endif
 	options->session_type = -1;
 	options->stdin_null = -1;
 	options->fork_after_authentication = -1;
@@ -2557,6 +2624,34 @@ fill_default_options(Options * options)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
+#ifdef NONE_CIPHER_ENABLED
+	if (options->none_switch == -1)
+		options->none_switch = 0;
+	if (options->none_enabled == -1)
+		options->none_enabled = 0;
+#endif
+#ifdef HPN_ENABLED
+	if (options->hpn_disabled == -1)
+		options->hpn_disabled = 0;
+	if (options->hpn_buffer_size > -1) {
+		/* if a user tries to set the size to 0 set it to 1KB */
+		if (options->hpn_buffer_size == 0)
+			options->hpn_buffer_size = 1;
+		/* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
+		if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
+			options->hpn_buffer_size = SSHBUF_SIZE_MAX;
+			debug("User requested buffer larger than 256MB. Request reverted to 256MB");
+		} else
+			options->hpn_buffer_size *= 1024;
+		debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
+	}
+	if (options->tcp_rcv_buf == 0)
+		options->tcp_rcv_buf = 1;
+	if (options->tcp_rcv_buf > -1)
+		options->tcp_rcv_buf *=1024;
+	if (options->tcp_rcv_buf_poll == -1)
+		options->tcp_rcv_buf_poll = 1;
+#endif
 	if (options->control_master == -1)
 		options->control_master = 0;
 	if (options->control_persist == -1) {
--- work.clean/openssh-6.8p1/readconf.h	2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/readconf.h	2015-04-03 13:47:45.670125000 -0500
@@ -105,6 +105,16 @@
 	int	clear_forwardings;
 
 	int	enable_ssh_keysign;
+#ifdef NONE_CIPHER_ENABLED
+	int     none_switch;    /* Use none cipher */
+	int     none_enabled;   /* Allow none to be used */ 
+#endif
+#ifdef HPN_ENABLED
+	int     tcp_rcv_buf; /* user switch to set tcp recv buffer */
+	int     tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
+	int     hpn_disabled;    /* Switch to disable HPN buffer management */
+	int     hpn_buffer_size; /* User definable size for HPN buffer window */
+#endif
 	int64_t rekey_limit;
 	int	rekey_interval;
 	int	no_host_authentication_for_localhost;
--- work/openssh/scp.c.orig	2020-09-27 00:25:01.000000000 -0700
+++ work/openssh/scp.c	2020-11-10 10:31:03.060729000 -0800
@@ -1246,7 +1246,7 @@ sink(int argc, char **argv, const char *src)
 	off_t size, statbytes;
 	unsigned long long ull;
 	int setimes, targisdir, wrerr;
-	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
+	char ch, *cp, *np, *targ, *why, *vect[1], buf[COPY_BUFLEN], visbuf[COPY_BUFLEN];
 	char **patterns = NULL;
 	size_t n, npatterns = 0;
 	struct timeval tv[2];
--- work/openssh-7.7p1/servconf.c.orig	2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/servconf.c	2018-06-27 17:01:05.276677000 -0700
@@ -63,6 +63,9 @@
 #include "auth.h"
 #include "myproposal.h"
 #include "digest.h"
+#ifdef HPN_ENABLED
+#include "sshbuf.h"
+#endif
 
 static void add_listen_addr(ServerOptions *, const char *,
     const char *, int);
@@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options)
 	options->authorized_principals_file = NULL;
 	options->authorized_principals_command = NULL;
 	options->authorized_principals_command_user = NULL;
+#ifdef NONE_CIPHER_ENABLED
+	options->none_enabled = -1;
+#endif
+#ifdef HPN_ENABLED
+	options->tcp_rcv_buf_poll = -1;
+	options->hpn_disabled = -1;
+	options->hpn_buffer_size = -1;
+#endif
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
@@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options)
 	}
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
+#ifdef NONE_CIPHER_ENABLED
+	if (options->none_enabled == -1) 
+		options->none_enabled = 0;
+#endif
+#ifdef HPN_ENABLED
+	if (options->hpn_disabled == -1) 
+		options->hpn_disabled = 0;
+
+	if (options->hpn_buffer_size == -1) {
+		/*
+		 * option not explicitly set. Now we have to figure out
+		 * what value to use.
+		 */
+		if (options->hpn_disabled == 1) {
+			options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
+		} else {
+			int sock, socksize;
+			socklen_t socksizelen = sizeof(socksize);
+
+			/*
+			 * get the current RCV size and set it to that
+			 * create a socket but don't connect it
+			 * we use that the get the rcv socket size
+			 */
+			sock = socket(AF_INET, SOCK_STREAM, 0);
+			getsockopt(sock, SOL_SOCKET, SO_RCVBUF, 
+			    &socksize, &socksizelen);
+			close(sock);
+			options->hpn_buffer_size = socksize;
+			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
+		} 
+	} else {
+		/*
+		 * we have to do this incase the user sets both values in a
+		 * contradictory manner. hpn_disabled overrrides
+		 * hpn_buffer_size
+		 */
+		if (options->hpn_disabled <= 0) {
+			if (options->hpn_buffer_size == 0)
+				options->hpn_buffer_size = 1;
+			/* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
+			if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
+				options->hpn_buffer_size = SSHBUF_SIZE_MAX;
+			} else {
+				options->hpn_buffer_size *= 1024;
+			}
+		} else
+			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+	}
+#endif
+
 	if (options->ip_qos_interactive == -1)
 		options->ip_qos_interactive = IPTOS_LOWDELAY;
 	if (options->ip_qos_bulk == -1)
@@ -466,6 +528,12 @@ typedef enum {
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+#ifdef NONE_CIPHER_ENABLED
+	sNoneEnabled,
+#endif
+#ifdef HPN_ENABLED
+	sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
+#endif
 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
@@ -603,6 +671,14 @@ static struct {
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+#ifdef NONE_CIPHER_ENABLED
+	{ "noneenabled", sNoneEnabled, SSHCFG_ALL },
+#endif
+#ifdef HPN_ENABLED
+	{ "hpndisabled", sHPNDisabled, SSHCFG_ALL },
+	{ "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
+	{ "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
+#endif
 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
@@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha
 	case sIgnoreUserKnownHosts:
 		intptr = &options->ignore_user_known_hosts;
 		goto parse_flag;
+
+#ifdef NONE_CIPHER_ENABLED
+	case sNoneEnabled:
+		intptr = &options->none_enabled;
+		goto parse_flag;
+#endif
+#ifdef HPN_ENABLED
+	case sTcpRcvBufPoll:
+		intptr = &options->tcp_rcv_buf_poll;
+		goto parse_flag;
+
+	case sHPNDisabled:
+		intptr = &options->hpn_disabled;
+		goto parse_flag;
+
+	case sHPNBufferSize:
+		intptr = &options->hpn_buffer_size;
+		goto parse_int;
+#endif
 
 	case sHostbasedAuthentication:
 		intptr = &options->hostbased_authentication;
--- work.clean/openssh-6.8p1/servconf.h	2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/servconf.h	2015-04-03 13:48:37.316827000 -0500
@@ -169,6 +169,15 @@
 
 	int	use_pam;		/* Enable auth via PAM */
 
+#ifdef NONE_CIPHER_ENABLED
+	int	none_enabled;		/* enable NONE cipher switch */	
+#endif
+#ifdef HPN_ENABLED
+	int     tcp_rcv_buf_poll;       /* poll tcp rcv window in autotuning kernels*/
+	int	hpn_disabled;		/* disable hpn functionality. false by default */
+	int	hpn_buffer_size;	/* set the hpn buffer size - default 3MB */
+#endif
+
 	int	permit_tun;
 
 	int	num_permitted_opens;
--- work/openssh-7.7p1/serverloop.c.orig	2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/serverloop.c	2018-06-27 16:53:02.246871000 -0700
@@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh)
 		goto done;
 	debug("Tunnel forwarding using interface %s", ifname);
 
+#ifdef HPN_ENABLED
+	if (!options.hpn_disabled)
+		c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+	else
+#endif
 	c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 	c->datagram = 1;
@@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh)
 	c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
 	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
 	    0, "server-session", 1);
+#ifdef HPN_ENABLED
+	if (options.tcp_rcv_buf_poll && !options.hpn_disabled)
+		c->dynamic_window = 1;
+#endif
 	if (session_open(the_authctxt, c->self) != 1) {
 		debug("session open failed, free channel %d", c->self);
 		channel_free(ssh, c);
--- work/openssh-7.7p1/session.c.orig	2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/session.c	2018-06-27 17:01:40.730347000 -0700
@@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s,
 	 */
 	if (s->chanid == -1)
 		fatal("no channel for session %d", s->self);
+#ifdef HPN_ENABLED
+	if (!options.hpn_disabled)
+		channel_set_fds(ssh, s->chanid,
+		    fdout, fdin, fderr,
+		    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+		    1, is_tty, options.hpn_buffer_size);
+	else
+#endif
 	channel_set_fds(ssh, s->chanid,
 	    fdout, fdin, fderr,
 	    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
--- work.clean/openssh-6.8p1/sftp.1	2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/sftp.1	2015-04-01 22:16:49.921688000 -0500
@@ -263,7 +263,8 @@
 Specify how many requests may be outstanding at any one time.
 Increasing this may slightly improve file transfer speed
 but will increase memory usage.
-The default is 64 outstanding requests.
+The default is 256 outstanding requests providing for 8MB
+of outstanding data with a 32KB buffer.
 .It Fl r
 Recursively copy entire directories when uploading and downloading.
 Note that
--- work/openssh/ssh.c.orig	2021-04-15 20:55:25.000000000 -0700
+++ work/openssh/ssh.c	2021-04-28 14:51:04.682167000 -0700
@@ -1027,6 +1027,14 @@ main(int ac, char **av)
 			break;
 		case 'T':
 			options.request_tty = REQUEST_TTY_NO;
+#ifdef NONE_CIPHER_ENABLED
+			/*
+			 * ensure that the user doesn't try to backdoor a
+			 * null cipher switch on an interactive session
+			 * so explicitly disable it no matter what.
+			 */
+			options.none_switch = 0;
+#endif
 			break;
 		case 'o':
 			line = xstrdup(optarg);
@@ -2056,6 +2064,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
 	    NULL, fileno(stdin), command, environ);
 }
 
+static void
+hpn_options_init(struct ssh *ssh)
+{
+	/*
+	 * We need to check to see if what they want to do about buffer
+	 * sizes here. In a hpn to nonhpn connection we want to limit
+	 * the window size to something reasonable in case the far side
+	 * has the large window bug. In hpn to hpn connection we want to
+	 * use the max window size but allow the user to override it
+	 * lastly if they disabled hpn then use the ssh std window size.
+	 *
+	 * So why don't we just do a getsockopt() here and set the
+	 * ssh window to that? In the case of a autotuning receive
+	 * window the window would get stuck at the initial buffer
+	 * size generally less than 96k. Therefore we need to set the
+	 * maximum ssh window size to the maximum hpn buffer size
+	 * unless the user has specifically set the tcprcvbufpoll
+	 * to no. In which case we *can* just set the window to the
+	 * minimum of the hpn buffer size and tcp receive buffer size.
+	 */
+
+	if (tty_flag)
+		options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
+	else
+		options.hpn_buffer_size = 2 * 1024 * 1024;
+
+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+		debug("HPN to Non-HPN Connection");
+	} else {
+		int sock, socksize;
+		socklen_t socksizelen;
+		if (options.tcp_rcv_buf_poll <= 0) {
+			sock = socket(AF_INET, SOCK_STREAM, 0);
+			socksizelen = sizeof(socksize);
+			getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+				   &socksize, &socksizelen);
+			close(sock);
+			debug("socksize %d", socksize);
+			options.hpn_buffer_size = socksize;
+			debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
+		} else {
+			if (options.tcp_rcv_buf > 0) {
+				/*
+				 * Create a socket but don't connect it:
+				 * we use that the get the rcv socket size
+				 */
+				sock = socket(AF_INET, SOCK_STREAM, 0);
+				/*
+				 * If they are using the tcp_rcv_buf option,
+				 * attempt to set the buffer size to that.
+				 */
+				if (options.tcp_rcv_buf) {
+					socksizelen = sizeof(options.tcp_rcv_buf);
+					setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+						   &options.tcp_rcv_buf, socksizelen);
+				}
+				socksizelen = sizeof(socksize);
+				getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+					   &socksize, &socksizelen);
+				close(sock);
+				debug("socksize %d", socksize);
+				options.hpn_buffer_size = socksize;
+				debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
+			}
+		}
+	}
+
+	debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
+
+	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
+}
+
 /* open new channel for a session */
 static int
 ssh_session2_open(struct ssh *ssh)
@@ -2082,9 +2162,17 @@ ssh_session2_open(struct ssh *ssh)
 	if (!isatty(err))
 		set_nonblock(err);
 
+#ifdef HPN_ENABLED
+	window = options.hpn_buffer_size;
+#else
 	window = CHAN_SES_WINDOW_DEFAULT;
+#endif
+
 	packetmax = CHAN_SES_PACKET_DEFAULT;
 	if (tty_flag) {
+#ifdef HPN_ENABLED
+		window = CHAN_SES_WINDOW_DEFAULT;
+#endif
 		window >>= 1;
 		packetmax >>= 1;
 	}
@@ -2093,6 +2181,12 @@ ssh_session2_open(struct ssh *ssh)
 	    window, packetmax, CHAN_EXTENDED_WRITE,
 	    "client-session", /*nonblock*/0);
 
+#ifdef HPN_ENABLED
+	if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) {
+		c->dynamic_window = 1;
+		debug ("Enabled Dynamic Window Scaling");
+	}
+#endif
 	debug3_f("channel_new: %d", c->self);
 
 	channel_send_open(ssh, c->self);
@@ -2108,6 +2202,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in
 {
 	int r, id = -1;
 	char *cp, *tun_fwd_ifname = NULL;
+
+#ifdef HPN_ENABLED
+	/*
+	 * We need to initialize this early because the forwarding logic below
+	 * might open channels that use the hpn buffer sizes.  We can't send a
+	 * window of -1 (the default) to the server as it breaks things.
+	 */
+	hpn_options_init(ssh);
+#endif
 
 	/* XXX should be pre-session */
 	if (!options.control_persist)
--- work/openssh-7.7p1/sshbuf.h.orig	2018-06-27 16:11:24.503058000 -0700
+++ work/openssh-7.7p1/sshbuf.h	2018-06-27 16:12:01.359375000 -0700
@@ -28,7 +28,11 @@
 # endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
 
+#ifdef HPN_ENABLED
+#define SSHBUF_SIZE_MAX		0xF000000	/* Hard maximum size 256MB */
+#else
 #define SSHBUF_SIZE_MAX		0x8000000	/* Hard maximum size */
+#endif
 #define SSHBUF_REFS_MAX		0x100000	/* Max child buffers */
 #define SSHBUF_MAX_BIGNUM	(16384 / 8)	/* Max bignum *bytes* */
 #define SSHBUF_MAX_ECPOINT	((528 * 2 / 8) + 1) /* Max EC point *bytes* */
--- work/openssh/sshconnect.c.orig	2020-09-27 00:25:01.000000000 -0700
+++ work/openssh/sshconnect.c	2020-11-10 21:35:40.945330000 -0800
@@ -361,7 +361,32 @@ check_ifaddrs(const char *ifname, int af, const struct
 }
 #endif
 
+#ifdef HPN_ENABLED
 /*
+ * Set TCP receive buffer if requested.
+ * Note: tuning needs to happen after the socket is
+ * created but before the connection happens
+ * so winscale is negotiated properly -cjr
+ */
+static void
+ssh_set_socket_recvbuf(int sock)
+{
+	void *buf = (void *)&options.tcp_rcv_buf;
+	int sz = sizeof(options.tcp_rcv_buf);
+	int socksize;
+	socklen_t socksizelen = sizeof(socksize);
+
+	debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
+	if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
+	  getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
+	  debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
+	} else
+		error("Couldn't set socket receive buffer to %d: %.100s",
+		    options.tcp_rcv_buf, strerror(errno));
+}
+#endif
+
+/*
  * Creates a socket for use as the ssh connection.
  */
 static int
@@ -383,6 +408,11 @@ ssh_create_socket(struct addrinfo *ai)
 	}
 	fcntl(sock, F_SETFD, FD_CLOEXEC);
 
+#ifdef HPN_ENABLED
+	if (options.tcp_rcv_buf > 0)
+		ssh_set_socket_recvbuf(sock);
+#endif
+
 	/* Bind the socket to an alternative local IP address */
 	if (options.bind_address == NULL && options.bind_interface == NULL)
 		return sock;
@@ -1289,7 +1319,8 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const
 	lowercase(host);
 
 	/* Exchange protocol version identification strings with the server. */
-	if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
+	if ((r = kex_exchange_identification(ssh, timeout_ms, NULL,
+	    options.hpn_disabled)) != 0)
 		sshpkt_fatal(ssh, r, "banner exchange");
 
 	/* Put the connection into non-blocking mode. */
--- work/openssh/sshconnect2.c.orig	2021-08-19 21:03:49.000000000 -0700
+++ work/openssh/sshconnect2.c	2021-09-08 10:02:03.037982000 -0700
@@ -84,7 +84,13 @@
 extern char *client_version_string;
 extern char *server_version_string;
 extern Options options;
+#ifdef NONE_CIPHER_ENABLED
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
 
+extern int tty_flag;
+#endif
+
 /*
  * SSH2 key exchange
  */
@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
 	return ret;
 }
 
+static char *myproposal[PROPOSAL_MAX];
+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
 void
 ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
     const struct ssh_conn_info *cinfo)
 {
-	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
 	char *s, *all_key;
 	int r, use_known_hosts_order = 0;
 
@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr 
 		fatal_fr(r, "kex_assemble_namelist");
 	free(all_key);
 
+	memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
 	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
 		fatal_f("kex_names_cat");
 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
 
 	if (!authctxt.success)
 		fatal("Authentication failed.");
+#ifdef NONE_CIPHER_ENABLED
+	/*
+	 * if the user wants to use the none cipher do it
+	 * post authentication and only if the right conditions are met
+	 * both of the NONE commands must be true and there must be no
+	 * tty allocated.
+	 */
+	if ((options.none_switch == 1) && (options.none_enabled == 1)) {
+		if (!tty_flag) { /* no null on tty sessions */
+			debug("Requesting none rekeying...");
+			memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
+			myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
+			myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
+			kex_prop2buf(ssh->kex->my, myproposal);
+			packet_request_rekeying();
+			fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
+		} else {
+			/* requested NONE cipher when in a tty */
+			debug("Cannot switch to NONE cipher with tty allocated");
+			fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
+		}
+	}
+#endif
 	if (ssh_packet_connection_is_on_socket(ssh)) {
 		verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
--- work/openssh/sshd.c.orig	2021-09-08 10:00:01.411822000 -0700
+++ work/openssh/sshd.c	2021-09-08 10:03:02.820813000 -0700
@@ -1042,6 +1042,10 @@ listen_on_addrs(struct listenaddr *la)
 	int ret, listen_sock;
 	struct addrinfo *ai;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+#ifdef HPN_ENABLED
+	int socksize;
+	socklen_t socksizelen = sizeof(socksize);
+#endif
 
 	for (ai = la->addrs; ai; ai = ai->ai_next) {
 		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -1087,6 +1091,13 @@ listen_on_addrs(struct listenaddr *la)
 
 		debug("Bind to port %s on %s.", strport, ntop);
 
+#ifdef HPN_ENABLED
+		getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
+				   &socksize, &socksizelen);
+		debug("Server TCP RWIN socket size: %d", socksize);
+		debug("HPN Buffer Size: %d", options.hpn_buffer_size);
+#endif
+
 		/* Bind the socket to the desired port. */
 		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
 			error("Bind to port %s on %s failed: %.200s.",
@@ -1760,6 +1771,15 @@ main(int ac, char **av)
 	/* Fill in default values for those options not explicitly set. */
 	fill_default_server_options(&options);
 
+#ifdef NONE_CIPHER_ENABLED
+	if (options.none_enabled == 1) {
+		char *old_ciphers = options.ciphers;
+
+		xasprintf(&options.ciphers, "%s,none", old_ciphers);
+		free(old_ciphers);
+	}
+#endif
+
 	/* Check that options are sensible */
 	if (options.authorized_keys_command_user == NULL &&
 	    (options.authorized_keys_command != NULL &&
@@ -2216,6 +2236,11 @@ main(int ac, char **av)
 	    rdomain == NULL ? "" : "\"");
 	free(laddr);
 
+#ifdef HPN_ENABLED
+	/* set the HPN options for the child */
+	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
+#endif
+
 	/*
 	 * We don't want to listen forever unless the other side
 	 * successfully authenticates itself.  So we set up an alarm which is
@@ -2229,7 +2254,7 @@ main(int ac, char **av)
 		alarm(options.login_grace_time);
 
 	if ((r = kex_exchange_identification(ssh, -1,
-	    options.version_addendum)) != 0)
+	    options.version_addendum, options.hpn_disabled)) != 0)
 		sshpkt_fatal(ssh, r, "banner exchange");
 
 	ssh_packet_set_nonblocking(ssh);
@@ -2392,6 +2417,11 @@ do_ssh2_kex(struct ssh *ssh)
 	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
 	struct kex *kex;
 	int r;
+
+#ifdef NONE_CIPHER_ENABLED
+        if (options.none_enabled == 1)
+                debug ("WARNING: None cipher enabled");
+#endif
 
 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
 	    options.kex_algorithms);
--- work.clean/openssh-6.8p1/sshd_config	2015-04-01 22:07:18.248858000 -0500
+++ work/openssh-6.8p1/sshd_config	2015-04-01 22:16:49.932279000 -0500
@@ -111,6 +111,20 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
 
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+ 
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# allow the use of the none cipher
+#NoneEnabled no
+
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
--- work/openssh-7.7p1/version.h.orig	2018-04-01 22:38:28.000000000 -0700
+++ work/openssh-7.7p1/version.h	2018-06-27 17:13:57.263086000 -0700
@@ -4,3 +4,4 @@
 
 #define SSH_PORTABLE	"p1"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+#define SSH_HPN         "-hpn14v15"
--- work/openssh/kex.h.orig	2019-07-10 17:35:36.523216000 -0700
+++ work/openssh/kex.h	2019-07-10 17:35:41.997522000 -0700
@@ -178,7 +178,7 @@ char	*kex_alg_list(char);
 char	*kex_names_cat(const char *, const char *);
 int	 kex_assemble_names(char **, const char *, const char *);
 
-int	 kex_exchange_identification(struct ssh *, int, const char *);
+int	 kex_exchange_identification(struct ssh *, int, const char *, int);
 
 struct kex *kex_new(void);
 int	 kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
