As previously threatened, remove the HPN patch from OpenSSH.

UPDATING

@@ -31,6 +31,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 11.x IS SLOW:
 	disable the most expensive debugging functionality run
 	"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+20160119:
+	The NONE and HPN patches has been removed from OpenSSH.  They are
+	still available in the security/openssh-portable port.
+
 20160113:
 	With the addition of ypldap(8), a new _ypldap user is now required
 	during installworld. "mergemaster -p" can be used to add the user

crypto/openssh/buffer.c

@@ -27,7 +27,7 @@ __RCSID("$FreeBSD$");
 #include "log.h"
 
 #define	BUFFER_MAX_CHUNK	0x100000
-#define	BUFFER_MAX_LEN		0x4000000	/* 64MB */
+#define	BUFFER_MAX_LEN		0xa00000
 #define	BUFFER_ALLOCSZ		0x008000
 
 /* Initializes the buffer structure. */
@@ -167,13 +167,6 @@ buffer_len(const Buffer *buffer)
 	return buffer->end - buffer->offset;
 }
 
-/* Returns the maximum number of bytes of data that may be in the buffer. */
-u_int
-buffer_get_max_len(void)
-{
-	return (BUFFER_MAX_LEN);
-}
-
 /* Gets data from the beginning of the buffer. */
 
 int

crypto/openssh/buffer.h

@@ -47,8 +47,6 @@ int	 buffer_get_ret(Buffer *, void *, u_int);
 int	 buffer_consume_ret(Buffer *, u_int);
 int	 buffer_consume_end_ret(Buffer *, u_int);
 
-u_int	 buffer_get_max_len(void);
-
 #include <openssl/bn.h>
 
 void    buffer_put_bignum(Buffer *, const BIGNUM *);

crypto/openssh/channels.c

@@ -174,11 +174,6 @@ static void port_open_helper(Channel *c, char *rtype);
 static int connect_next(struct channel_connect *);
 static void channel_connect_ctx_free(struct channel_connect *);
 
-/* -- HPN */
-
-static int hpn_disabled = 0;
-static u_int buffer_size = CHAN_HPN_MIN_WINDOW_DEFAULT;
-
 /* -- channel core */
 
 Channel *
@@ -325,7 +320,6 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
 	c->self = found;
 	c->type = type;
 	c->ctype = ctype;
-	c->dynamic_window = 0;
 	c->local_window = window;
 	c->local_window_max = window;
 	c->local_consumed = 0;
@@ -826,45 +820,10 @@ channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
 		FD_SET(c->sock, writeset);
 }
 
-static u_int
-channel_tcpwinsz(void)
-{
-	u_int32_t tcpwinsz;
-	socklen_t optsz;
-	int ret, sd;
-	u_int maxlen;
-
-	/* If we are not on a socket return 128KB. */
-	if (!packet_connection_is_on_socket())
-		return (128 * 1024);
-
-	tcpwinsz = 0;
-	optsz = sizeof(tcpwinsz);
-	sd = packet_get_connection_in();
-	ret = getsockopt(sd, SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
-
-	/* Return no more than the maximum buffer size. */
-	maxlen = buffer_get_max_len();
-	if ((ret == 0) && tcpwinsz > maxlen)
-		tcpwinsz = maxlen;
-	/* In case getsockopt() failed return a minimum. */
-	if (tcpwinsz == 0)
-		tcpwinsz = CHAN_TCP_WINDOW_DEFAULT;
-	debug2("tcpwinsz: %d for connection: %d", tcpwinsz, sd);
-	return (tcpwinsz);
-}
-
 static void
 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
 {
-	u_int limit;
-
-	/* Check buffer limits. */
-	if (!c->tcpwinsz || c->dynamic_window > 0)
-		c->tcpwinsz = channel_tcpwinsz();
-
-	limit = MIN(compat20 ? c->remote_window : packet_get_maxsize(),
-	    2 * c->tcpwinsz);
+	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
 
 	if (c->istate == CHAN_INPUT_OPEN &&
 	    limit > 0 &&
@@ -1857,25 +1816,14 @@ channel_check_window(Channel *c)
 	    c->local_maxpacket*3) ||
 	    c->local_window < c->local_window_max/2) &&
 	    c->local_consumed > 0) {
-		u_int addition = 0;
-
-		/* Adjust max window size if we are in a dynamic environment. */
-		if (c->dynamic_window && c->tcpwinsz > c->local_window_max) {
-			/*
-			 * Grow the window somewhat aggressively to maintain
-			 * pressure.
-			 */
-			addition = 1.5 * (c->tcpwinsz - c->local_window_max);
-			c->local_window_max += addition;
-		}
 		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
 		packet_put_int(c->remote_id);
-		packet_put_int(c->local_consumed + addition);
+		packet_put_int(c->local_consumed);
 		packet_send();
 		debug2("channel %d: window %d sent adjust %d",
 		    c->self, c->local_window,
 		    c->local_consumed);
-		c->local_window += c->local_consumed + addition;
+		c->local_window += c->local_consumed;
 		c->local_consumed = 0;
 	}
 	return 1;
@@ -2739,14 +2687,6 @@ channel_set_af(int af)
 	IPv4or6 = af;
 }
 
-void
-channel_set_hpn(int disabled, u_int buf_size)
-{
-	hpn_disabled = disabled;
-	buffer_size = buf_size;
-	debug("HPN Disabled: %d, HPN Buffer Size: %d",
-	    hpn_disabled, buffer_size);
-}
 
 /*
  * Determine whether or not a port forward listens to loopback, the
@@ -2924,18 +2864,10 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
 			    *allocated_listen_port);
 		}
 
-		/*
-		 * Allocate a channel number for the socket.  Explicitly test
-		 * for hpn disabled option.  If true use smaller window size.
-		 */
-		if (hpn_disabled)
-			c = channel_new("port listener", type, sock, sock, -1,
-			    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
-			    0, "port listener", 1);
-		else
-			c = channel_new("port listener", type, sock, sock, -1,
-			    buffer_size, CHAN_TCP_PACKET_DEFAULT,
-			    0, "port listener", 1);
+		/* Allocate a channel number for the socket. */
+		c = channel_new("port listener", type, sock, sock, -1,
+		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+		    0, "port listener", 1);
 		c->path = xstrdup(host);
 		c->host_port = port_to_connect;
 		c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
@@ -3583,16 +3515,10 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
 	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
 	for (n = 0; n < num_socks; n++) {
 		sock = socks[n];
-		if (hpn_disabled)
-			nc = channel_new("x11 listener",
-			    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
-			    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-			    0, "X11 inet listener", 1);
-		else
-			nc = channel_new("x11 listener",
-			    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
-			    buffer_size, CHAN_X11_PACKET_DEFAULT,
-			    0, "X11 inet listener", 1);
+		nc = channel_new("x11 listener",
+		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+		    0, "X11 inet listener", 1);
 		nc->single_connection = single_connection;
 		(*chanids)[n] = nc->self;
 	}

crypto/openssh/channels.h

@@ -133,8 +133,6 @@ struct Channel {
 	u_int	local_window_max;
 	u_int	local_consumed;
 	u_int	local_maxpacket;
-	u_int	tcpwinsz;
-	int	dynamic_window;
 	int     extended_usage;
 	int	single_connection;
 
@@ -176,7 +174,6 @@ struct Channel {
 #define CHAN_TCP_WINDOW_DEFAULT	(64*CHAN_TCP_PACKET_DEFAULT)
 #define CHAN_X11_PACKET_DEFAULT	(16*1024)
 #define CHAN_X11_WINDOW_DEFAULT	(4*CHAN_X11_PACKET_DEFAULT)
-#define CHAN_HPN_MIN_WINDOW_DEFAULT	(2*1024*1024)
 
 /* possible input states */
 #define CHAN_INPUT_OPEN			0
@@ -310,8 +307,4 @@ void	 chan_rcvd_ieof(Channel *);
 void	 chan_write_failed(Channel *);
 void	 chan_obuf_empty(Channel *);
 
-/* hpn handler */
-
-void	channel_set_hpn(int, u_int);
-
 #endif

crypto/openssh/clientloop.c

@@ -1892,14 +1892,9 @@ client_request_x11(const char *request_type, int rchan)
 	sock = x11_connect_display();
 	if (sock < 0)
 		return NULL;
-	if (options.hpn_disabled)
-		c = channel_new("x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-		    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-		    0, "x11", 1);
-	else
-		c = channel_new("x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-		    options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
-		    0, "x11", 1);
+	c = channel_new("x11",
+	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 	c->force_drain = 1;
 	return c;
 }
@@ -1919,16 +1914,10 @@ client_request_agent(const char *request_type, int rchan)
 	sock = ssh_get_authentication_socket();
 	if (sock < 0)
 		return NULL;
-	if (options.hpn_disabled)
-		c = channel_new("authentication agent connection",
-		    SSH_CHANNEL_OPEN, sock, sock, -1,
-		    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-		    "authentication agent connection", 1);
-	else
-		c = channel_new("authentication agent connection",
-		    SSH_CHANNEL_OPEN, sock, sock, -1,
-		    options.hpn_buffer_size, options.hpn_buffer_size, 0,
-		    "authentication agent connection", 1);
+	c = channel_new("authentication agent connection",
+	    SSH_CHANNEL_OPEN, sock, sock, -1,
+	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+	    "authentication agent connection", 1);
 	c->force_drain = 1;
 	return c;
 }
@@ -1955,14 +1944,8 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
 		return -1;
 	}
 
-	if (options.hpn_disabled)
-		c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
-		    0, "tun", 1);
-	else
-		c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
-		    0, "tun", 1);
+	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 	c->datagram = 1;
 
 #if defined(SSH_TUN_FILTER)

crypto/openssh/compat.c

@@ -178,16 +178,6 @@ compat_datafellows(const char *version)
 			datafellows = check[i].bugs;
 			debug("match: %s pat %s compat 0x%08x",
 			    version, check[i].pat, datafellows);
-			/*
-			 * Check to see if the remote side is OpenSSH and not
-			 * HPN.  It is utterly strange to check it from the
-			 * version string and expose the option that way.
-			 */
-			if (strstr(version,"OpenSSH") != NULL &&
-			    strstr(version,"hpn") == NULL) {
-				datafellows |= SSH_BUG_LARGEWINDOW;
-				debug("Remote is not HPN-aware");
-			}
 			return;
 		}
 	}