author: des <des@FreeBSD.org> 2016-01-19 14:38:20 +0000
committer: des <des@FreeBSD.org> 2016-01-19 14:38:20 +0000
commit: 43b4a69321547147333695abb6579e202b6b7967
tree: acb631e3e03ea67e3c3f3ce06f17a5e93d213a64 /crypto
parent: 23cbd2460dd7d0438e97d67eb18a0bd5acf7ea9c
As previously threatened, remove the HPN patch from OpenSSH.
Diffstat (limited to 'crypto')
-rw-r--r-- crypto/openssh/README.hpn | 95
-rw-r--r-- crypto/openssh/buffer.c | 9
-rw-r--r-- crypto/openssh/buffer.h | 2
-rw-r--r-- crypto/openssh/channels.c | 96
-rw-r--r-- crypto/openssh/channels.h | 7
-rw-r--r-- crypto/openssh/clientloop.c | 35
-rw-r--r-- crypto/openssh/compat.c | 10
-rw-r--r-- crypto/openssh/compat.h | 2
-rw-r--r-- crypto/openssh/misc.c | 31
-rw-r--r-- crypto/openssh/misc.h | 1
-rw-r--r-- crypto/openssh/readconf.c | 54
-rw-r--r-- crypto/openssh/readconf.h | 10
-rw-r--r-- crypto/openssh/servconf.c | 51
-rw-r--r-- crypto/openssh/servconf.h | 4
-rw-r--r-- crypto/openssh/serverloop.c | 12
-rw-r--r-- crypto/openssh/session.c | 17
-rw-r--r-- crypto/openssh/sftp.1 | 3
-rw-r--r-- crypto/openssh/sftp.c | 2
-rw-r--r-- crypto/openssh/ssh-agent.1 | 2
-rw-r--r-- crypto/openssh/ssh.c | 49
-rw-r--r-- crypto/openssh/ssh_config | 2
-rw-r--r-- crypto/openssh/ssh_config.5 | 2
-rw-r--r-- crypto/openssh/ssh_namespace.h | 124
-rw-r--r-- crypto/openssh/sshconnect.c | 30
-rw-r--r-- crypto/openssh/sshd.c | 22
-rw-r--r-- crypto/openssh/sshd_config | 11
-rw-r--r-- crypto/openssh/sshd_config.5 | 2
-rw-r--r-- crypto/openssh/version.h | 3
28 files changed, 154 insertions, 534 deletions
diff --git a/crypto/openssh/README.hpn b/crypto/openssh/README.hpn
deleted file mode 100644
index f8afbc1..0000000
--- a/crypto/openssh/README.hpn
+++ /dev/null
@@ -1,95 +0,0 @@
-Notes:
-
-PERFORMANCE:
- The performance increase will only be as good as the network and TCP stack
- tuning on the reciever side of the connection allows. As a rule of thumb a
- user will need at least 10Mb/s connection with a 100ms RTT to see a doubling
- of performance.
- The HPN-SSH home page http://www.psc.edu/networking/projects/hpn-ssh
- describes this in greater detail.
-
-
-BUFFER SIZES:
-- if HPN is disabled the receive buffer size will be set to the OpenSSH default
- of 64K.
-
-- if a HPN system connects to a non-HPN system the receive buffer will
- be set to the HPNBufferSize value. The default is 2MB but user adjustable.
-
-- If a HPN to HPN connection is established a number of different things might
- happen based on the user options and conditions.
-
- Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
- Result: HPN Buffer Size = up to 64MB
- This is the default state. The HPN buffer size will grow to a maximum of
- 64MB as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB
- is geared towards 10GigE transcontinental connections.
-
- Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
- Result: HPN Buffer Size = TCP receive buffer value.
- Users on non-autotuning systesm should disable TCPRcvBufPoll in the
- ssh_cofig and sshd_config
-
- Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
- Result: HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
- This would be the system defined TCP receive buffer (RWIN).
-
- Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
- Result: HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
- Generally there is no need to set both.
-
- Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
- Result: HPN Buffer Size = grows to HPNBufferSize
- The buffer will grow up to the maximum size specified here.
-
- Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
- Result: HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
- Generally there is no need to set both of these, especially on autotuning
- systems. However, if the users wishes to override the autotuning this would
- be one way to do it.
-
- Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
- Result: HPN Buffer Size = TCPRcvBuf.
- This will override autotuning and set the TCP recieve buffer to the user
- defined value.
-
-
-HPN SPECIFIC CONFIGURATION OPTIONS:
-
-- HPNDisabled=[yes/no] client/server
- In some situations, such as transfers on a local area network, the impact
- of the HPN code produces a net decrease in performance. In these cases it is
- helpful to disable the HPN functionality. By default HPNDisabled is set to no.
-
-- HPNBufferSize=[int]KB client/server
- This is the default buffer size the HPN functionality uses when interacting
- with non-HPN SSH installations. Conceptually this is similar to the TcpRcvBuf
- option as applied to the internal SSH flow control. This value can range from
- 1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause
- performance problems depending on the roud trip time of the network path.
- The default size of this buffer is 2MB.
-
-- TcpRcvBufPoll=[yes/no] client/server
- Enable or disable the polling of the TCP receive buffer through the life
- of the connection. You would want to make sure that this option is enabled
- for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista,
- FreeBSD 7.x and later). Default is yes.
-
-- TcpRcvBuf=[int]KB client
- Set the TCP socket receive buffer to n Kilobytes. It can be set up to the
- maximum socket size allowed by the system. This is useful in situations where
- the TCP receive window is set low but the maximum buffer size is set higher
- (as is typical). This works on a per TCP connection basis. You can also use
- this to artifically limit the transfer rate of the connection. In these cases
- the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
- Default is the current system wide TCP receive buffer size.
-
-
-CREDITS:
-
- This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
- The majority of the actual coding for versions up to HPN12v1 was performed
- by Michael Stevens (mstevens@andrew.cmu.edu).
- The MT-AES-CTR cipher was implemented by Ben Bennet (ben@psc.edu).
- This work was financed, in part, by Cisco System, Inc., the National Library
- of Medicine, and the National Science Foundation.
diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c
index f20d558..5c05a75 100644
--- a/crypto/openssh/buffer.c
+++ b/crypto/openssh/buffer.c
@@ -27,7 +27,7 @@ __RCSID("$FreeBSD$");
#include "log.h"
#define BUFFER_MAX_CHUNK 0x100000
-#define BUFFER_MAX_LEN 0x4000000 /* 64MB */
+#define BUFFER_MAX_LEN 0xa00000
#define BUFFER_ALLOCSZ 0x008000
/* Initializes the buffer structure. */
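Review bot: The new `#define BUFFER_MAX_LEN 0xa00000` drops the size comment the old line carried (`/* 64MB */`). 0xa00000 is 10 MB, so a trailing `/* 10MB */` would keep the limit readable next to BUFFER_MAX_CHUNK and BUFFER_ALLOCSZ and make it obvious that the cap on a single Buffer shrinks from 64 MB to 10 MB with this change.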
@@ -167,13 +167,6 @@ buffer_len(const Buffer *buffer)
return buffer->end - buffer->offset;
}
-/* Returns the maximum number of bytes of data that may be in the buffer. */
-u_int
-buffer_get_max_len(void)
-{
- return (BUFFER_MAX_LEN);
-}
-
/* Gets data from the beginning of the buffer. */
int
diff --git a/crypto/openssh/buffer.h b/crypto/openssh/buffer.h
index 39e04f9..cbf0fc2 100644
--- a/crypto/openssh/buffer.h
+++ b/crypto/openssh/buffer.h
@@ -47,8 +47,6 @@ int buffer_get_ret(Buffer *, void *, u_int);
int buffer_consume_ret(Buffer *, u_int);
int buffer_consume_end_ret(Buffer *, u_int);
-u_int buffer_get_max_len(void);
-
#include <openssl/bn.h>
void buffer_put_bignum(Buffer *, const BIGNUM *);
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
index 20d2f7e..f3c0204 100644
--- a/crypto/openssh/channels.c
+++ b/crypto/openssh/channels.c
@@ -174,11 +174,6 @@ static void port_open_helper(Channel *c, char *rtype);
static int connect_next(struct channel_connect *);
static void channel_connect_ctx_free(struct channel_connect *);
-/* -- HPN */
-
-static int hpn_disabled = 0;
-static u_int buffer_size = CHAN_HPN_MIN_WINDOW_DEFAULT;
-
/* -- channel core */
Channel *
@@ -325,7 +320,6 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
c->self = found;
c->type = type;
c->ctype = ctype;
- c->dynamic_window = 0;
c->local_window = window;
c->local_window_max = window;
c->local_consumed = 0;
@@ -826,45 +820,10 @@ channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
FD_SET(c->sock, writeset);
}
-static u_int
-channel_tcpwinsz(void)
-{
- u_int32_t tcpwinsz;
- socklen_t optsz;
- int ret, sd;
- u_int maxlen;
-
- /* If we are not on a socket return 128KB. */
- if (!packet_connection_is_on_socket())
- return (128 * 1024);
-
- tcpwinsz = 0;
- optsz = sizeof(tcpwinsz);
- sd = packet_get_connection_in();
- ret = getsockopt(sd, SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
-
- /* Return no more than the maximum buffer size. */
- maxlen = buffer_get_max_len();
- if ((ret == 0) && tcpwinsz > maxlen)
- tcpwinsz = maxlen;
- /* In case getsockopt() failed return a minimum. */
- if (tcpwinsz == 0)
- tcpwinsz = CHAN_TCP_WINDOW_DEFAULT;
- debug2("tcpwinsz: %d for connection: %d", tcpwinsz, sd);
- return (tcpwinsz);
-}
-
static void
channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
{
- u_int limit;
-
- /* Check buffer limits. */
- if (!c->tcpwinsz || c->dynamic_window > 0)
- c->tcpwinsz = channel_tcpwinsz();
-
- limit = MIN(compat20 ? c->remote_window : packet_get_maxsize(),
- 2 * c->tcpwinsz);
+ u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
if (c->istate == CHAN_INPUT_OPEN &&
limit > 0 &&
@@ -1857,25 +1816,14 @@ channel_check_window(Channel *c)
c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
- u_int addition = 0;
-
- /* Adjust max window size if we are in a dynamic environment. */
- if (c->dynamic_window && c->tcpwinsz > c->local_window_max) {
- /*
- * Grow the window somewhat aggressively to maintain
- * pressure.
- */
- addition = 1.5 * (c->tcpwinsz - c->local_window_max);
- c->local_window_max += addition;
- }
packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
packet_put_int(c->remote_id);
- packet_put_int(c->local_consumed + addition);
+ packet_put_int(c->local_consumed);
packet_send();
debug2("channel %d: window %d sent adjust %d",
c->self, c->local_window,
c->local_consumed);
- c->local_window += c->local_consumed + addition;
+ c->local_window += c->local_consumed;
c->local_consumed = 0;
}
return 1;
@@ -2739,14 +2687,6 @@ channel_set_af(int af)
IPv4or6 = af;
}
-void
-channel_set_hpn(int disabled, u_int buf_size)
-{
- hpn_disabled = disabled;
- buffer_size = buf_size;
- debug("HPN Disabled: %d, HPN Buffer Size: %d",
- hpn_disabled, buffer_size);
-}
/*
* Determine whether or not a port forward listens to loopback, the
@@ -2924,18 +2864,10 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
*allocated_listen_port);
}
- /*
- * Allocate a channel number for the socket. Explicitly test
- * for hpn disabled option. If true use smaller window size.
- */
- if (hpn_disabled)
- c = channel_new("port listener", type, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "port listener", 1);
- else
- c = channel_new("port listener", type, sock, sock, -1,
- buffer_size, CHAN_TCP_PACKET_DEFAULT,
- 0, "port listener", 1);
+ /* Allocate a channel number for the socket. */
+ c = channel_new("port listener", type, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1);
c->path = xstrdup(host);
c->host_port = port_to_connect;
c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
@@ -3583,16 +3515,10 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
for (n = 0; n < num_socks; n++) {
sock = socks[n];
- if (hpn_disabled)
- nc = channel_new("x11 listener",
- SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, "X11 inet listener", 1);
- else
- nc = channel_new("x11 listener",
- SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- buffer_size, CHAN_X11_PACKET_DEFAULT,
- 0, "X11 inet listener", 1);
+ nc = channel_new("x11 listener",
+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+ 0, "X11 inet listener", 1);
nc->single_connection = single_connection;
(*chanids)[n] = nc->self;
}
diff --git a/crypto/openssh/channels.h b/crypto/openssh/channels.h
index 68ebf09..90df28a 100644
--- a/crypto/openssh/channels.h
+++ b/crypto/openssh/channels.h
@@ -133,8 +133,6 @@ struct Channel {
u_int local_window_max;
u_int local_consumed;
u_int local_maxpacket;
- u_int tcpwinsz;
- int dynamic_window;
int extended_usage;
int single_connection;
@@ -176,7 +174,6 @@ struct Channel {
#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
#define CHAN_X11_PACKET_DEFAULT (16*1024)
#define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
-#define CHAN_HPN_MIN_WINDOW_DEFAULT (2*1024*1024)
/* possible input states */
#define CHAN_INPUT_OPEN 0
@@ -310,8 +307,4 @@ void chan_rcvd_ieof(Channel *);
void chan_write_failed(Channel *);
void chan_obuf_empty(Channel *);
-/* hpn handler */
-
-void channel_set_hpn(int, u_int);
-
#endif
diff --git a/crypto/openssh/clientloop.c b/crypto/openssh/clientloop.c
index d9debd2..9f5ecd8 100644
--- a/crypto/openssh/clientloop.c
+++ b/crypto/openssh/clientloop.c
@@ -1892,14 +1892,9 @@ client_request_x11(const char *request_type, int rchan)
sock = x11_connect_display();
if (sock < 0)
return NULL;
- if (options.hpn_disabled)
- c = channel_new("x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, "x11", 1);
- else
- c = channel_new("x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
- 0, "x11", 1);
+ c = channel_new("x11",
+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
c->force_drain = 1;
return c;
}
@@ -1919,16 +1914,10 @@ client_request_agent(const char *request_type, int rchan)
sock = ssh_get_authentication_socket();
if (sock < 0)
return NULL;
- if (options.hpn_disabled)
- c = channel_new("authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
- "authentication agent connection", 1);
- else
- c = channel_new("authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
- options.hpn_buffer_size, options.hpn_buffer_size, 0,
- "authentication agent connection", 1);
+ c = channel_new("authentication agent connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+ "authentication agent connection", 1);
c->force_drain = 1;
return c;
}
@@ -1955,14 +1944,8 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
return -1;
}
- if (options.hpn_disabled)
- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "tun", 1);
- else
- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
- 0, "tun", 1);
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
#if defined(SSH_TUN_FILTER)
diff --git a/crypto/openssh/compat.c b/crypto/openssh/compat.c
index ba8856b..e3c6392 100644
--- a/crypto/openssh/compat.c
+++ b/crypto/openssh/compat.c
@@ -178,16 +178,6 @@ compat_datafellows(const char *version)
datafellows = check[i].bugs;
debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, datafellows);
- /*
- * Check to see if the remote side is OpenSSH and not
- * HPN. It is utterly strange to check it from the
- * version string and expose the option that way.
- */
- if (strstr(version,"OpenSSH") != NULL &&
- strstr(version,"hpn") == NULL) {
- datafellows |= SSH_BUG_LARGEWINDOW;
- debug("Remote is not HPN-aware");
- }
return;
}
}
diff --git a/crypto/openssh/compat.h b/crypto/openssh/compat.h
index 4af221f..7b4bb4a 100644
--- a/crypto/openssh/compat.h
+++ b/crypto/openssh/compat.h
@@ -62,8 +62,6 @@
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
#define SSH_BUG_CURVE25519PAD 0x10000000
-#define SSH_BUG_LARGEWINDOW 0x80000000
-
void enable_compat13(void);
void enable_compat20(void);
void compat_datafellows(const char *);
diff --git a/crypto/openssh/misc.c b/crypto/openssh/misc.c
index 4b9e930..fdefb95 100644
--- a/crypto/openssh/misc.c
+++ b/crypto/openssh/misc.c
@@ -1037,34 +1037,3 @@ sock_set_v6only(int s)
error("setsockopt IPV6_V6ONLY: %s", strerror(errno));
#endif
}
-
-void
-sock_get_rcvbuf(int *size, int rcvbuf)
-{
- int sock, socksize;
- socklen_t socksizelen = sizeof(socksize);
-
- /*
- * Create a socket but do not connect it. We use it
- * only to get the rcv socket size.
- */
- sock = socket(AF_INET6, SOCK_STREAM, 0);
- if (sock < 0)
- sock = socket(AF_INET, SOCK_STREAM, 0);
- if (sock < 0)
- return;
-
- /*
- * If the tcp_rcv_buf option is set and passed in, attempt to set the
- * buffer size to its value.
- */
- if (rcvbuf)
- setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (void *)&rcvbuf,
- sizeof(rcvbuf));
-
- if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
- &socksize, &socksizelen) == 0)
- if (size != NULL)
- *size = socksize;
- close(sock);
-}
diff --git a/crypto/openssh/misc.h b/crypto/openssh/misc.h
index ce4d78c..81f4910 100644
--- a/crypto/openssh/misc.h
+++ b/crypto/openssh/misc.h
@@ -40,7 +40,6 @@ time_t monotime(void);
void lowercase(char *s);
void sock_set_v6only(int);
-void sock_get_rcvbuf(int *, int);
struct passwd *pwcopy(struct passwd *);
const char *ssh_gai_strerror(int);
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index 9cf6ab9..0958739 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -152,9 +152,8 @@ typedef enum {
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
- oIgnoredUnknownOption,
- oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
- oVersionAddendum, oDeprecated, oUnsupported
+ oVersionAddendum,
+ oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
/* Textual representations of the tokens. */
@@ -267,10 +266,6 @@ static struct {
{ "canonicalizemaxdots", oCanonicalizeMaxDots },
{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
{ "ignoreunknown", oIgnoreUnknown },
- { "hpndisabled", oHPNDisabled },
- { "hpnbuffersize", oHPNBufferSize },
- { "tcprcvbufpoll", oTcpRcvBufPoll },
- { "tcprcvbuf", oTcpRcvBuf },
{ "versionaddendum", oVersionAddendum },
{ NULL, oBadOption }
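Review bot: Removing the `hpndisabled`, `hpnbuffersize`, `tcprcvbufpoll` and `tcprcvbuf` entries from the keyword table means an ssh_config that still sets any of them now falls through to the `{ NULL, oBadOption }` terminator. The OpCodes enum already has `oDeprecated`; keeping the four keywords in the table mapped to it would let configurations written for the HPN build keep loading after the upgrade.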
@@ -1352,22 +1347,6 @@ parse_int:
multistate_ptr = multistate_requesttty;
goto parse_multistate;
- case oHPNDisabled:
- intptr = &options->hpn_disabled;
- goto parse_flag;
-
- case oHPNBufferSize:
- intptr = &options->hpn_buffer_size;
- goto parse_int;
-
- case oTcpRcvBufPoll:
- intptr = &options->tcp_rcv_buf_poll;
- goto parse_flag;
-
- case oTcpRcvBuf:
- intptr = &options->tcp_rcv_buf;
- goto parse_int;
-
case oVersionAddendum:
if (s == NULL)
fatal("%.200s line %d: Missing argument.", filename,
@@ -1623,10 +1602,6 @@ initialize_options(Options * options)
options->canonicalize_fallback_local = -1;
options->canonicalize_hostname = -1;
options->version_addendum = NULL;
- options->hpn_disabled = -1;
- options->hpn_buffer_size = -1;
- options->tcp_rcv_buf_poll = -1;
- options->tcp_rcv_buf = -1;
}
/*
@@ -1821,31 +1796,6 @@ fill_default_options(Options * options)
/* options->preferred_authentications will be set in ssh */
if (options->version_addendum == NULL)
options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
- if (options->hpn_disabled == -1)
- options->hpn_disabled = 0;
- if (options->hpn_buffer_size > -1)
- {
- u_int maxlen;
-
- /* If a user tries to set the size to 0 set it to 1KB. */
- if (options->hpn_buffer_size == 0)
- options->hpn_buffer_size = 1024;
- /* Limit the buffer to BUFFER_MAX_LEN. */
- maxlen = buffer_get_max_len();
- if (options->hpn_buffer_size > (maxlen / 1024)) {
- debug("User requested buffer larger than %ub: %ub. "
- "Request reverted to %ub", maxlen,
- options->hpn_buffer_size * 1024, maxlen);
- options->hpn_buffer_size = maxlen;
- }
- debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
- }
- if (options->tcp_rcv_buf == 0)
- options->tcp_rcv_buf = 1;
- if (options->tcp_rcv_buf > -1)
- options->tcp_rcv_buf *= 1024;
- if (options->tcp_rcv_buf_poll == -1)
- options->tcp_rcv_buf_poll = 1;
}
/*
diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h
index a0bac04..b20b878 100644
--- a/crypto/openssh/readconf.h
+++ b/crypto/openssh/readconf.h
@@ -153,17 +153,9 @@ typedef struct {
int num_permitted_cnames;
struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
- char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
-
char *version_addendum; /* Appended to SSH banner */
- int hpn_disabled; /* Switch to disable HPN buffer management. */
- int hpn_buffer_size; /* User definable size for HPN buffer
- * window. */
- int tcp_rcv_buf_poll; /* Option to poll recv buf every window
- * transfer. */
- int tcp_rcv_buf; /* User switch to set tcp recv buffer. */
-
+ char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
} Options;
#define SSH_CANONICALISE_NO 0
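Review bot: Moving `ignored_unknown` from before `version_addendum` to the end of `Options` is not needed for the HPN removal and changes the member order of the struct. If the intent is to match the vendor layout, say so in the commit message; otherwise leave the member where it was so this hunk only deletes the four HPN fields.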
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 5f7caea..2684cc2 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -155,9 +155,6 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
- options->hpn_disabled = -1;
- options->hpn_buffer_size = -1;
- options->tcp_rcv_buf_poll = -1;
}
void
@@ -318,38 +315,6 @@ fill_default_server_options(ServerOptions *options)
}
#endif
- if (options->hpn_disabled == -1)
- options->hpn_disabled = 0;
- if (options->hpn_buffer_size == -1) {
- /*
- * HPN buffer size option not explicitly set. Try to figure
- * out what value to use or resort to default.
- */
- options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
- if (!options->hpn_disabled) {
- sock_get_rcvbuf(&options->hpn_buffer_size, 0);
- debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
- }
- } else {
- /*
- * In the case that the user sets both values in a
- * contradictory manner hpn_disabled overrrides hpn_buffer_size.
- */
- if (options->hpn_disabled <= 0) {
- u_int maxlen;
-
- maxlen = buffer_get_max_len();
- if (options->hpn_buffer_size == 0)
- options->hpn_buffer_size = 1;
- /* Limit the maximum buffer to BUFFER_MAX_LEN. */
- if (options->hpn_buffer_size > maxlen / 1024)
- options->hpn_buffer_size = maxlen;
- else
- options->hpn_buffer_size *= 1024;
- } else {
- options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- }
- }
}
/* Keyword tokens. */
@@ -385,7 +350,6 @@ typedef enum {
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent,
- sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -512,9 +476,6 @@ static struct {
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
- { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
- { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
- { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
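Review bot: Dropping `hpndisabled`, `hpnbuffersize` and `tcprcvbufpoll` from the server keyword table leaves them to match `{ NULL, sBadOption, 0 }`, so an sshd_config that still sets one is no longer accepted, and on a remote host that can mean sshd does not come back after the upgrade. Mapping the three keywords to `sDeprecated` (already in ServerOpCodes, and handled by a case that only logs "Deprecated option") would keep such hosts reachable while flagging the stale settings.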
@@ -1661,18 +1622,6 @@ process_server_config_line(ServerOptions *options, char *line,
}
return 0;
- case sHPNDisabled:
- intptr = &options->hpn_disabled;
- goto parse_flag;
-
- case sHPNBufferSize:
- intptr = &options->hpn_buffer_size;
- goto parse_int;
-
- case sTcpRcvBufPoll:
- intptr = &options->tcp_rcv_buf_poll;
- goto parse_flag;
-
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h
index 2c37ceb..752d1c5 100644
--- a/crypto/openssh/servconf.h
+++ b/crypto/openssh/servconf.h
@@ -181,10 +181,6 @@ typedef struct {
char *version_addendum; /* Appended to SSH banner */
- int hpn_disabled; /* Disable HPN functionality. */
- int hpn_buffer_size; /* Set HPN buffer size - default 2MB.*/
- int tcp_rcv_buf_poll; /* Poll TCP rcv window in autotuning
- * kernels. */
u_int num_auth_methods;
char *auth_methods[MAX_AUTH_METHODS];
} ServerOptions;
diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c
index addecae..c1e39b5 100644
--- a/crypto/openssh/serverloop.c
+++ b/crypto/openssh/serverloop.c
@@ -1016,14 +1016,8 @@ server_request_tun(void)
sock = tun_open(tun, mode);
if (sock < 0)
goto done;
- if (options.hpn_disabled)
- c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
- "tun", 1);
- else
- c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
- options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
- "tun", 1);
+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
#if defined(SSH_TUN_FILTER)
if (mode == SSH_TUNMODE_POINTOPOINT)
@@ -1059,8 +1053,6 @@ server_request_session(void)
c = channel_new("session", SSH_CHANNEL_LARVAL,
-1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
0, "server-session", 1);
- if (!options.hpn_disabled && options.tcp_rcv_buf_poll)
- c->dynamic_window = 1;
if (session_open(the_authctxt, c->self) != 1) {
debug("session open failed, free channel %d", c->self);
channel_free(c);
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index 430fc1e..1de0c60 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -237,10 +237,7 @@ auth_input_request_forwarding(struct passwd * pw)
goto authsock_err;
}
- /*
- * Allocate a channel for the authentication agent socket.
- * Ignore HPN on that one given no improvement expected.
- */
+ /* Allocate a channel for the authentication agent socket. */
nc = channel_new("auth socket",
SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
@@ -2346,14 +2343,10 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr,
*/
if (s->chanid == -1)
fatal("no channel for session %d", s->self);
- if (options.hpn_disabled)
- channel_set_fds(s->chanid, fdout, fdin, fderr,
- ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
- 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
- else
- channel_set_fds(s->chanid, fdout, fdin, fderr,
- ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
- 1, is_tty, options.hpn_buffer_size);
+ channel_set_fds(s->chanid,
+ fdout, fdin, fderr,
+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+ 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
}
/*
diff --git a/crypto/openssh/sftp.1 b/crypto/openssh/sftp.1
index 8e00b13..a700c2a 100644
--- a/crypto/openssh/sftp.1
+++ b/crypto/openssh/sftp.1
@@ -261,8 +261,7 @@ diagnostic messages from
Specify how many requests may be outstanding at any one time.
Increasing this may slightly improve file transfer speed
but will increase memory usage.
-The default is 256 outstanding requests providing for 8MB
-of outstanding data with a 32KB buffer.
+The default is 64 outstanding requests.
.It Fl r
Recursively copy entire directories when uploading and downloading.
Note that
diff --git a/crypto/openssh/sftp.c b/crypto/openssh/sftp.c
index 3f0a88d..39df88e 100644
--- a/crypto/openssh/sftp.c
+++ b/crypto/openssh/sftp.c
@@ -69,7 +69,7 @@ typedef void EditLine;
#include "sftp-client.h"
#define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
-#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
+#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
/* File to read commands from */
FILE* infile;
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
index 2a1c58e..90b8fe5 100644
--- a/crypto/openssh/ssh-agent.1
+++ b/crypto/openssh/ssh-agent.1
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd December 7, 2013
+.Dd $Mdocdate: December 7 2013 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
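Review bot: The `.Dd` change from `December 7, 2013` to `$Mdocdate: December 7 2013 $` is unrelated to HPN. If it restores the upstream form of the date line, mention that in the commit message or commit it separately, so the HPN removal can be reviewed and merged on its own.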
diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
index 443dcd6..eaeb5c7 100644
--- a/crypto/openssh/ssh.c
+++ b/crypto/openssh/ssh.c
@@ -633,13 +633,11 @@ main(int ac, char **av)
case 'V':
if (options.version_addendum &&
*options.version_addendum != '\0')
- fprintf(stderr, "%s%s %s, %s\n", SSH_RELEASE,
- options.hpn_disabled ? "" : SSH_VERSION_HPN,
+ fprintf(stderr, "%s %s, %s\n", SSH_RELEASE,
options.version_addendum,
SSLeay_version(SSLEAY_VERSION));
else
- fprintf(stderr, "%s%s, %s\n", SSH_RELEASE,
- options.hpn_disabled ? "" : SSH_VERSION_HPN,
+ fprintf(stderr, "%s, %s\n", SSH_RELEASE,
SSLeay_version(SSLEAY_VERSION));
if (opt == 'V')
exit(0);
@@ -1657,46 +1655,9 @@ ssh_session2_open(void)
if (!isatty(err))
set_nonblock(err);
- /*
- * We need to check to see what to do about buffer sizes here.
- * - In an HPN to non-HPN connection we want to limit the window size to
- * something reasonable in case the far side has the large window bug.
- * - In an HPN to HPN connection we want to use the max window size but
- * allow the user to override it.
- * - Lastly if HPN is disabled then use the ssh standard window size.
- *
- * We cannot just do a getsockopt() here and set the ssh window to that
- * as in case of autotuning of socket buffers the window would get stuck
- * at the initial buffer size, generally less than 96k. Therefore we
- * need to set the maximum ssh window size to the maximum HPN buffer
- * size unless the user has set TcpRcvBufPoll to no. In that case we
- * can just set the window to the minimum of HPN buffer size and TCP
- * receive buffer size.
- */
- if (tty_flag)
- options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
- else
- options.hpn_buffer_size = CHAN_HPN_MIN_WINDOW_DEFAULT;
-
- if (datafellows & SSH_BUG_LARGEWINDOW) {
- debug("HPN to Non-HPN Connection");
- } else if (options.tcp_rcv_buf_poll <= 0) {
- sock_get_rcvbuf(&options.hpn_buffer_size, 0);
- debug("HPNBufferSize set to TCP RWIN: %d",
- options.hpn_buffer_size);
- } else if (options.tcp_rcv_buf > 0) {
- sock_get_rcvbuf(&options.hpn_buffer_size,
- options.tcp_rcv_buf);
- debug("HPNBufferSize set to user TCPRcvBuf: %d",
- options.hpn_buffer_size);
- }
- debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
- channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
- window = options.hpn_buffer_size;
-
+ window = CHAN_SES_WINDOW_DEFAULT;
packetmax = CHAN_SES_PACKET_DEFAULT;
if (tty_flag) {
- window = CHAN_SES_WINDOW_DEFAULT;
window >>= 1;
packetmax >>= 1;
}
@@ -1704,10 +1665,6 @@ ssh_session2_open(void)
"session", SSH_CHANNEL_OPENING, in, out, err,
window, packetmax, CHAN_EXTENDED_WRITE,
"client-session", /*nonblock*/0);
- if (!options.hpn_disabled && options.tcp_rcv_buf_poll > 0) {
- c->dynamic_window = 1;
- debug("Enabled Dynamic Window Scaling\n");
- }
debug3("ssh_session2_open: channel_new: %d", c->self);
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
index 2d0297b..4452d52 100644
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@@ -48,4 +48,4 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# VerifyHostKeyDNS yes
-# VersionAddendum FreeBSD-20140420
+# VersionAddendum FreeBSD-20160119
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index adf0d2f..bef14fa 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -1423,7 +1423,7 @@ See also VERIFYING HOST KEYS in
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
-.Dq FreeBSD-20140420 .
+.Dq FreeBSD-20160119 .
The value
.Dq none
may be used to disable this.
diff --git a/crypto/openssh/ssh_namespace.h b/crypto/openssh/ssh_namespace.h
index 50f9b18..8b5e416 100644
--- a/crypto/openssh/ssh_namespace.h
+++ b/crypto/openssh/ssh_namespace.h
@@ -7,7 +7,11 @@
*
* A list of symbols which need munging is obtained as follows:
*
- * nm libssh.a | awk '/[0-9a-z] [A-Z] / && $3 !~ /^ssh_/ { printf("#define %-39s ssh_%s\n", $3, $3) }' | unexpand -a | sort -u
+ # nm libprivatessh.a | LC_ALL=C awk '
+ /^[0-9a-z]+ [Tt] [A-Za-z_][0-9A-Za-z_]*$/ && $3 !~ /^ssh_/ {
+ printf("#define %-39s ssh_%s\n", $3, $3)
+ }' | unexpand -a | LC_ALL=C sort -u
+ *
* $FreeBSD$
*/
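Review bot: The new generator pattern in this comment matches `[Tt]`, so it picks up local (lowercase `t`) text symbols as well as global ones. A file-local function cannot clash with a symbol from another library at link time, so renaming it only lengthens the list and widens the set of identifiers this header redefines. Suggest matching `T` only, or adding a sentence to the comment explaining why local symbols are included on purpose. The four added command lines also drop the ` * ` prefix that the rest of this block comment uses (the first one starts with `#`).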
@@ -20,9 +24,13 @@
#define a2port ssh_a2port
#define a2tun ssh_a2tun
#define add_host_to_hostfile ssh_add_host_to_hostfile
+#define add_p1p1 ssh_add_p1p1
#define addargs ssh_addargs
#define addr_match_cidr_list ssh_addr_match_cidr_list
#define addr_match_list ssh_addr_match_list
+#define addr_netmatch ssh_addr_netmatch
+#define addr_pton ssh_addr_pton
+#define addr_pton_cidr ssh_addr_pton_cidr
#define ask_permission ssh_ask_permission
#define atomicio ssh_atomicio
#define atomicio6 ssh_atomicio6
@@ -31,7 +39,10 @@
#define auth_request_forwarding ssh_auth_request_forwarding
#define bandwidth_limit ssh_bandwidth_limit
#define bandwidth_limit_init ssh_bandwidth_limit_init
+#define barrett_reduce ssh_barrett_reduce
+#define bcrypt_hash ssh_bcrypt_hash
#define bcrypt_pbkdf ssh_bcrypt_pbkdf
+#define bf_ssh1_cipher ssh_bf_ssh1_cipher
#define blf_cbc_decrypt ssh_blf_cbc_decrypt
#define blf_cbc_encrypt ssh_blf_cbc_encrypt
#define blf_dec ssh_blf_dec
@@ -70,7 +81,6 @@
#define buffer_get_int64 ssh_buffer_get_int64
#define buffer_get_int64_ret ssh_buffer_get_int64_ret
#define buffer_get_int_ret ssh_buffer_get_int_ret
-#define buffer_get_max_len ssh_buffer_get_max_len
#define buffer_get_ret ssh_buffer_get_ret
#define buffer_get_short ssh_buffer_get_short
#define buffer_get_short_ret ssh_buffer_get_short_ret
@@ -95,6 +105,7 @@
#define buffer_put_short ssh_buffer_put_short
#define buffer_put_string ssh_buffer_put_string
#define buffer_uncompress ssh_buffer_uncompress
+#define cert_free ssh_cert_free
#define chacha_encrypt_bytes ssh_chacha_encrypt_bytes
#define chacha_ivsetup ssh_chacha_ivsetup
#define chacha_keysetup ssh_chacha_keysetup
@@ -109,6 +120,10 @@
#define chan_rcvd_ieof ssh_chan_rcvd_ieof
#define chan_rcvd_oclose ssh_chan_rcvd_oclose
#define chan_read_failed ssh_chan_read_failed
+#define chan_send_eof2 ssh_chan_send_eof2
+#define chan_send_oclose1 ssh_chan_send_oclose1
+#define chan_shutdown_read ssh_chan_shutdown_read
+#define chan_shutdown_write ssh_chan_shutdown_write
#define chan_write_failed ssh_chan_write_failed
#define channel_add_adm_permitted_opens ssh_channel_add_adm_permitted_opens
#define channel_add_permitted_opens ssh_channel_add_permitted_opens
@@ -121,6 +136,7 @@
#define channel_clear_permitted_opens ssh_channel_clear_permitted_opens
#define channel_close_all ssh_channel_close_all
#define channel_close_fd ssh_channel_close_fd
+#define channel_close_fds ssh_channel_close_fds
#define channel_connect_by_listen_address ssh_channel_connect_by_listen_address
#define channel_connect_stdio_fwd ssh_channel_connect_stdio_fwd
#define channel_connect_to ssh_channel_connect_to
@@ -128,6 +144,8 @@
#define channel_find_open ssh_channel_find_open
#define channel_free ssh_channel_free
#define channel_free_all ssh_channel_free_all
+#define channel_fwd_bind_addr ssh_channel_fwd_bind_addr
+#define channel_handler ssh_channel_handler
#define channel_input_close ssh_channel_input_close
#define channel_input_close_confirmation ssh_channel_input_close_confirmation
#define channel_input_data ssh_channel_input_data
@@ -146,11 +164,28 @@
#define channel_open_message ssh_channel_open_message
#define channel_output_poll ssh_channel_output_poll
#define channel_permit_all_opens ssh_channel_permit_all_opens
-#define channel_post ssh_channel_post
-#define channel_pre ssh_channel_pre
+#define channel_post_auth_listener ssh_channel_post_auth_listener
+#define channel_post_connecting ssh_channel_post_connecting
+#define channel_post_mux_client ssh_channel_post_mux_client
+#define channel_post_mux_listener ssh_channel_post_mux_listener
+#define channel_post_open ssh_channel_post_open
+#define channel_post_output_drain_13 ssh_channel_post_output_drain_13
+#define channel_post_port_listener ssh_channel_post_port_listener
+#define channel_post_x11_listener ssh_channel_post_x11_listener
+#define channel_pre_connecting ssh_channel_pre_connecting
+#define channel_pre_dynamic ssh_channel_pre_dynamic
+#define channel_pre_input_draining ssh_channel_pre_input_draining
+#define channel_pre_listener ssh_channel_pre_listener
+#define channel_pre_mux_client ssh_channel_pre_mux_client
+#define channel_pre_open ssh_channel_pre_open
+#define channel_pre_open_13 ssh_channel_pre_open_13
+#define channel_pre_output_draining ssh_channel_pre_output_draining
+#define channel_pre_x11_open ssh_channel_pre_x11_open
+#define channel_pre_x11_open_13 ssh_channel_pre_x11_open_13
#define channel_prepare_select ssh_channel_prepare_select
#define channel_print_adm_permitted_opens ssh_channel_print_adm_permitted_opens
#define channel_register_cleanup ssh_channel_register_cleanup
+#define channel_register_fds ssh_channel_register_fds
#define channel_register_filter ssh_channel_register_filter
#define channel_register_open_confirm ssh_channel_register_open_confirm
#define channel_register_status_confirm ssh_channel_register_status_confirm
@@ -161,14 +196,17 @@
#define channel_send_window_changes ssh_channel_send_window_changes
#define channel_set_af ssh_channel_set_af
#define channel_set_fds ssh_channel_set_fds
-#define channel_set_hpn ssh_channel_set_hpn
+#define channel_setup_fwd_listener ssh_channel_setup_fwd_listener
#define channel_setup_local_fwd_listener ssh_channel_setup_local_fwd_listener
#define channel_setup_remote_fwd_listener ssh_channel_setup_remote_fwd_listener
#define channel_still_open ssh_channel_still_open
#define channel_stop_listening ssh_channel_stop_listening
#define channel_update_permitted_opens ssh_channel_update_permitted_opens
+#define check_crc ssh_check_crc
+#define check_hostkeys_by_key_or_type ssh_check_hostkeys_by_key_or_type
#define check_key_in_hostkeys ssh_check_key_in_hostkeys
#define choose_dh ssh_choose_dh
+#define choose_t ssh_choose_t
#define chop ssh_chop
#define cipher_alg_list ssh_cipher_alg_list
#define cipher_authlen ssh_cipher_authlen
@@ -198,15 +236,17 @@
#define cleanup_exit ssh_cleanup_exit
#define clear_cached_addr ssh_clear_cached_addr
#define colon ssh_colon
-#define compat13 ssh_compat13
-#define compat20 ssh_compat20
+#define compare ssh_compare
+#define compare_gps ssh_compare_gps
#define compat_cipher_proposal ssh_compat_cipher_proposal
#define compat_datafellows ssh_compat_datafellows
+#define compat_kex_proposal ssh_compat_kex_proposal
#define compat_pkalg_proposal ssh_compat_pkalg_proposal
+#define connect_next ssh_connect_next
+#define connect_to ssh_connect_to
#define convtime ssh_convtime
#define crypto_hash_sha512 ssh_crypto_hash_sha512
#define crypto_hashblocks_sha512 ssh_crypto_hashblocks_sha512
-#define crypto_scalarmult_curve25519 ssh_crypto_scalarmult_curve25519
#define crypto_sign_ed25519 ssh_crypto_sign_ed25519
#define crypto_sign_ed25519_keypair ssh_crypto_sign_ed25519_keypair
#define crypto_sign_ed25519_open ssh_crypto_sign_ed25519_open
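Review bot: `compat13` and `compat20` lose their `ssh_` rename in this hunk, yet `compat20` is still used by the sshconnect.c part of this same commit (`compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1`). If these are global variables exported from the library, they will now appear in its symbol table unprefixed. The regenerated list appears to have lost them because the new awk pattern only accepts text symbols. Please either extend the generator to cover the data symbol classes as well, or state in the header comment why exported data no longer needs munging.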
@@ -227,7 +267,6 @@
#define crypto_sign_ed25519_ref_fe25519_square ssh_crypto_sign_ed25519_ref_fe25519_square
#define crypto_sign_ed25519_ref_fe25519_sub ssh_crypto_sign_ed25519_ref_fe25519_sub
#define crypto_sign_ed25519_ref_fe25519_unpack ssh_crypto_sign_ed25519_ref_fe25519_unpack
-#define crypto_sign_ed25519_ref_ge25519_base ssh_crypto_sign_ed25519_ref_ge25519_base
#define crypto_sign_ed25519_ref_isneutral_vartime ssh_crypto_sign_ed25519_ref_isneutral_vartime
#define crypto_sign_ed25519_ref_pack ssh_crypto_sign_ed25519_ref_pack
#define crypto_sign_ed25519_ref_sc25519_2interleave2 ssh_crypto_sign_ed25519_ref_sc25519_2interleave2
@@ -248,8 +287,7 @@
#define crypto_sign_ed25519_ref_shortsc25519_from16bytes ssh_crypto_sign_ed25519_ref_shortsc25519_from16bytes
#define crypto_sign_ed25519_ref_unpackneg_vartime ssh_crypto_sign_ed25519_ref_unpackneg_vartime
#define crypto_verify_32 ssh_crypto_verify_32
-#define current_keys ssh_current_keys
-#define datafellows ssh_datafellows
+#define dbl_p1p1 ssh_dbl_p1p1
#define debug ssh_debug
#define debug2 ssh_debug2
#define debug3 ssh_debug3
@@ -264,8 +302,6 @@
#define dh_new_group14 ssh_dh_new_group14
#define dh_new_group_asc ssh_dh_new_group_asc
#define dh_pub_is_valid ssh_dh_pub_is_valid
-#define digests ssh_digests
-#define dispatch ssh_dispatch
#define dispatch_init ssh_dispatch_init
#define dispatch_protocol_error ssh_dispatch_protocol_error
#define dispatch_protocol_ignore ssh_dispatch_protocol_ignore
@@ -283,6 +319,7 @@
#define explicit_bzero ssh_explicit_bzero
#define export_dns_rr ssh_export_dns_rr
#define fatal ssh_fatal
+#define filter_proposal ssh_filter_proposal
#define fmt_scaled ssh_fmt_scaled
#define free_hostkeys ssh_free_hostkeys
#define freeargs ssh_freeargs
@@ -298,20 +335,27 @@
#define get_remote_name_or_ip ssh_get_remote_name_or_ip
#define get_remote_port ssh_get_remote_port
#define get_sock_port ssh_get_sock_port
+#define get_socket_address ssh_get_socket_address
#define get_u16 ssh_get_u16
#define get_u32 ssh_get_u32
#define get_u64 ssh_get_u64
#define getrrsetbyname ssh_getrrsetbyname
#define glob ssh_glob
+#define glob0 ssh_glob0
+#define glob2 ssh_glob2
+#define globexp1 ssh_globexp1
+#define globextend ssh_globextend
#define globfree ssh_globfree
#define host_hash ssh_host_hash
#define hostfile_read_key ssh_hostfile_read_key
#define hpdelim ssh_hpdelim
-#define incoming_stream ssh_incoming_stream
#define init_hostkeys ssh_init_hostkeys
#define iptos2str ssh_iptos2str
#define ipv64_normalise_mapped ssh_ipv64_normalise_mapped
+#define is_key_revoked ssh_is_key_revoked
+#define kex_alg_by_name ssh_kex_alg_by_name
#define kex_alg_list ssh_kex_alg_list
+#define kex_buf2prop ssh_kex_buf2prop
#define kex_c25519_hash ssh_kex_c25519_hash
#define kex_derive_keys ssh_kex_derive_keys
#define kex_derive_keys_bn ssh_kex_derive_keys_bn
@@ -321,6 +365,8 @@
#define kex_get_newkeys ssh_kex_get_newkeys
#define kex_input_kexinit ssh_kex_input_kexinit
#define kex_names_valid ssh_kex_names_valid
+#define kex_prop_free ssh_kex_prop_free
+#define kex_protocol_error ssh_kex_protocol_error
#define kex_send_kexinit ssh_kex_send_kexinit
#define kex_setup ssh_kex_setup
#define kexc25519_client ssh_kexc25519_client
@@ -354,6 +400,7 @@
#define key_fingerprint_raw ssh_key_fingerprint_raw
#define key_free ssh_key_free
#define key_from_blob ssh_key_from_blob
+#define key_from_blob2 ssh_key_from_blob2
#define key_from_private ssh_key_from_private
#define key_generate ssh_key_generate
#define key_in_file ssh_key_in_file
@@ -370,9 +417,14 @@
#define key_new ssh_key_new
#define key_new_private ssh_key_new_private
#define key_parse_private ssh_key_parse_private
+#define key_parse_private2 ssh_key_parse_private2
+#define key_parse_private_pem ssh_key_parse_private_pem
+#define key_parse_private_type ssh_key_parse_private_type
+#define key_parse_public_rsa1 ssh_key_parse_public_rsa1
#define key_perm_ok ssh_key_perm_ok
#define key_private_deserialize ssh_key_private_deserialize
#define key_private_serialize ssh_key_private_serialize
+#define key_private_to_blob2 ssh_key_private_to_blob2
#define key_read ssh_key_read
#define key_save_private ssh_key_save_private
#define key_sign ssh_key_sign
@@ -381,6 +433,7 @@
#define key_ssh_name_plain ssh_key_ssh_name_plain
#define key_to_blob ssh_key_to_blob
#define key_to_certified ssh_key_to_certified
+#define key_try_load_public ssh_key_try_load_public
#define key_type ssh_key_type
#define key_type_from_name ssh_key_type_from_name
#define key_type_is_cert ssh_key_type_is_cert
@@ -405,6 +458,7 @@
#define mac_init ssh_mac_init
#define mac_setup ssh_mac_setup
#define mac_valid ssh_mac_valid
+#define match ssh_match
#define match_host_and_ip ssh_match_host_and_ip
#define match_hostname ssh_match_hostname
#define match_list ssh_match_list
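Review bot: `#define match ssh_match` is an object-like macro on a very common identifier, so every use of the token `match` in any file that includes this header (local variables, struct members, parameters) is rewritten as well. The same concern applies to `compare`, `mult` and `square` added elsewhere in this patch. If these are file-local helpers that were picked up through the lowercase `t` in the new generator pattern, leaving them out of the list removes the risk; otherwise a note that the collision was checked would help the next person who regenerates the file.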
@@ -417,13 +471,16 @@
#define monotime ssh_monotime
#define ms_subtract_diff ssh_ms_subtract_diff
#define ms_to_timeval ssh_ms_to_timeval
+#define mult ssh_mult
#define mysignal ssh_mysignal
-#define outgoing_stream ssh_outgoing_stream
+#define nh_aux ssh_nh_aux
+#define nh_final ssh_nh_final
#define packet_add_padding ssh_packet_add_padding
#define packet_backup_state ssh_packet_backup_state
#define packet_close ssh_packet_close
#define packet_connection_is_on_socket ssh_packet_connection_is_on_socket
#define packet_disconnect ssh_packet_disconnect
+#define packet_enable_delayed_compress ssh_packet_enable_delayed_compress
#define packet_get_bignum ssh_packet_get_bignum
#define packet_get_bignum2 ssh_packet_get_bignum2
#define packet_get_char ssh_packet_get_char
@@ -470,6 +527,7 @@
#define packet_remaining ssh_packet_remaining
#define packet_restore_state ssh_packet_restore_state
#define packet_send ssh_packet_send
+#define packet_send2_wrapped ssh_packet_send2_wrapped
#define packet_send_debug ssh_packet_send_debug
#define packet_send_ignore ssh_packet_send_ignore
#define packet_set_alive_timeouts ssh_packet_set_alive_timeouts
@@ -488,20 +546,32 @@
#define packet_set_timeout ssh_packet_set_timeout
#define packet_start ssh_packet_start
#define packet_start_compression ssh_packet_start_compression
+#define packet_start_discard ssh_packet_start_discard
+#define packet_stop_discard ssh_packet_stop_discard
#define packet_write_poll ssh_packet_write_poll
#define packet_write_wait ssh_packet_write_wait
#define parse_ipqos ssh_parse_ipqos
+#define parse_prime ssh_parse_prime
#define percent_expand ssh_percent_expand
#define permanently_drop_suid ssh_permanently_drop_suid
#define permanently_set_uid ssh_permanently_set_uid
#define permitopen_port ssh_permitopen_port
#define pkcs11_add_provider ssh_pkcs11_add_provider
#define pkcs11_del_provider ssh_pkcs11_del_provider
+#define pkcs11_fetch_keys_filter ssh_pkcs11_fetch_keys_filter
+#define pkcs11_find ssh_pkcs11_find
#define pkcs11_init ssh_pkcs11_init
-#define pkcs11_interactive ssh_pkcs11_interactive
-#define pkcs11_providers ssh_pkcs11_providers
+#define pkcs11_provider_finalize ssh_pkcs11_provider_finalize
+#define pkcs11_provider_unref ssh_pkcs11_provider_unref
+#define pkcs11_rsa_finish ssh_pkcs11_rsa_finish
+#define pkcs11_rsa_private_decrypt ssh_pkcs11_rsa_private_decrypt
+#define pkcs11_rsa_private_encrypt ssh_pkcs11_rsa_private_encrypt
#define pkcs11_terminate ssh_pkcs11_terminate
+#define plain_key_blob ssh_plain_key_blob
#define poly1305_auth ssh_poly1305_auth
+#define poly64 ssh_poly64
+#define poly_hash ssh_poly_hash
+#define port_open_helper ssh_port_open_helper
#define prime_test ssh_prime_test
#define proto_spec ssh_proto_spec
#define put_host_port ssh_put_host_port
@@ -509,11 +579,19 @@
#define put_u32 ssh_put_u32
#define put_u64 ssh_put_u64
#define pwcopy ssh_pwcopy
+#define qfileout ssh_qfileout
#define read_keyfile_line ssh_read_keyfile_line
+#define read_mux ssh_read_mux
#define read_passphrase ssh_read_passphrase
+#define reduce_add_sub ssh_reduce_add_sub
#define refresh_progress_meter ssh_refresh_progress_meter
#define replacearg ssh_replacearg
#define restore_uid ssh_restore_uid
+#define revoke_blob ssh_revoke_blob
+#define revoked_blob_tree_RB_REMOVE ssh_revoked_blob_tree_RB_REMOVE
+#define revoked_certs_for_ca_key ssh_revoked_certs_for_ca_key
+#define revoked_serial_tree_RB_REMOVE ssh_revoked_serial_tree_RB_REMOVE
+#define rijndaelKeySetupEnc ssh_rijndaelKeySetupEnc
#define rijndael_decrypt ssh_rijndael_decrypt
#define rijndael_encrypt ssh_rijndael_encrypt
#define rijndael_set_key ssh_rijndael_set_key
@@ -528,9 +606,14 @@
#define set_nodelay ssh_set_nodelay
#define set_nonblock ssh_set_nonblock
#define shadow_pw ssh_shadow_pw
+#define sieve_large ssh_sieve_large
+#define sig_winch ssh_sig_winch
#define sigdie ssh_sigdie
-#define sock_get_rcvbuf ssh_sock_get_rcvbuf
#define sock_set_v6only ssh_sock_set_v6only
+#define square ssh_square
+#define ssh1_3des_cbc ssh_ssh1_3des_cbc
+#define ssh1_3des_cleanup ssh_ssh1_3des_cleanup
+#define ssh1_3des_init ssh_ssh1_3des_init
#define ssh1_3des_iv ssh_ssh1_3des_iv
#define start_progress_meter ssh_start_progress_meter
#define stop_progress_meter ssh_stop_progress_meter
@@ -542,21 +625,21 @@
#define temporarily_use_uid ssh_temporarily_use_uid
#define tilde_expand_filename ssh_tilde_expand_filename
#define timingsafe_bcmp ssh_timingsafe_bcmp
+#define to_blob ssh_to_blob
#define tohex ssh_tohex
#define tty_make_modes ssh_tty_make_modes
#define tty_parse_modes ssh_tty_parse_modes
#define tun_open ssh_tun_open
-#define umac128_ctx ssh_umac128_ctx
#define umac128_delete ssh_umac128_delete
#define umac128_final ssh_umac128_final
#define umac128_new ssh_umac128_new
#define umac128_update ssh_umac128_update
-#define umac_ctx ssh_umac_ctx
#define umac_delete ssh_umac_delete
#define umac_final ssh_umac_final
#define umac_new ssh_umac_new
#define umac_update ssh_umac_update
#define unset_nonblock ssh_unset_nonblock
+#define update_progress_meter ssh_update_progress_meter
#define uudecode ssh_uudecode
#define uuencode ssh_uuencode
#define verbose ssh_verbose
@@ -565,6 +648,7 @@
#define x11_connect_display ssh_x11_connect_display
#define x11_create_display_inet ssh_x11_create_display_inet
#define x11_input_open ssh_x11_input_open
+#define x11_open_helper ssh_x11_open_helper
#define x11_request_forwarding_with_spoofing ssh_x11_request_forwarding_with_spoofing
#define xasprintf ssh_xasprintf
#define xcalloc ssh_xcalloc
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index 102c0bd..3384de6 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@@ -265,29 +265,6 @@ ssh_kill_proxy_command(void)
}
/*
- * Set TCP receive buffer if requested.
- * Note: tuning needs to happen after the socket is created but before the
- * connection happens so winscale is negotiated properly.
- */
-static void
-ssh_set_socket_recvbuf(int sock)
-{
- void *buf = (void *)&options.tcp_rcv_buf;
- int socksize, sz = sizeof(options.tcp_rcv_buf);
- socklen_t len = sizeof(int);
-
- debug("setsockopt attempting to set SO_RCVBUF to %d",
- options.tcp_rcv_buf);
- if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
- getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &len);
- debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno),
- socksize);
- } else
- error("Couldn't set socket receive buffer to %d: %.100s",
- options.tcp_rcv_buf, strerror(errno));
-}
-
-/*
* Creates a (possibly privileged) socket for use as the ssh connection.
*/
static int
@@ -303,9 +280,6 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
}
fcntl(sock, F_SETFD, FD_CLOEXEC);
- if (options.tcp_rcv_buf > 0)
- ssh_set_socket_recvbuf(sock);
-
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && !privileged)
return sock;
@@ -546,10 +520,10 @@ static void
send_client_banner(int connection_out, int minor1)
{
/* Send our own protocol version identification. */
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s%s%s",
compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
compat20 ? PROTOCOL_MINOR_2 : minor1,
- SSH_VERSION, options.hpn_disabled ? "" : SSH_VERSION_HPN,
+ SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, compat20 ? "\r\n" : "\n");
if (roaming_atomicio(vwrite, connection_out, client_version_string,
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index ab73dec..838ed89 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -446,9 +446,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
minor = PROTOCOL_MINOR_1;
}
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
major, minor, SSH_VERSION,
- options.hpn_disabled ? "" : SSH_VERSION_HPN,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
@@ -950,13 +949,12 @@ static void
usage(void)
{
if (options.version_addendum && *options.version_addendum != '\0')
- fprintf(stderr, "%s%s %s, %s\n",
- SSH_RELEASE, options.hpn_disabled ? "" : SSH_VERSION_HPN,
+ fprintf(stderr, "%s %s, %s\n",
+ SSH_RELEASE,
options.version_addendum, SSLeay_version(SSLEAY_VERSION));
else
- fprintf(stderr, "%s%s, %s\n",
- SSH_RELEASE, options.hpn_disabled ? "" : SSH_VERSION_HPN,
- SSLeay_version(SSLEAY_VERSION));
+ fprintf(stderr, "%s, %s\n",
+ SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
fprintf(stderr,
"usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n"
" [-E log_file] [-f config_file] [-g login_grace_time]\n"
@@ -1145,7 +1143,6 @@ server_listen(void)
len = sizeof(socksize);
getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &socksize, &len);
debug("Server TCP RWIN socket size: %d", socksize);
- debug("HPN Buffer Size: %d", options.hpn_buffer_size);
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
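Review bot: The "HPN Buffer Size" debug line is removed, but the `getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &socksize, &len)` call and the "Server TCP RWIN socket size" debug line directly above it stay behind as context. The return value of getsockopt is not checked, so on failure `socksize` is logged without having been set by the call. If these two lines arrived with the HPN patch they should go with it; if they are meant to stay, check the return value before logging.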
@@ -1679,11 +1676,7 @@ main(int ac, char **av)
exit(1);
}
- debug("sshd version %.100s%.100s%s%.100s, %.100s",
- SSH_RELEASE,
- options.hpn_disabled ? "" : SSH_VERSION_HPN,
- *options.version_addendum == '\0' ? "" : " ",
- options.version_addendum,
+ debug("sshd version %s, %s", SSH_VERSION,
SSLeay_version(SSLEAY_VERSION));
/* Store privilege separation user for later use if required. */
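Review bot: The replacement `debug("sshd version %s, %s", SSH_VERSION, ...)` prints SSH_VERSION, whereas usage() in this file prints SSH_RELEASE followed by the version addendum. The start-up debug line therefore loses both the SSH_PORTABLE suffix and the configured VersionAddendum that the removed call printed, which makes it harder to identify the exact build from debug logs. If this is intended, say so in the commit message; otherwise keep SSH_RELEASE and the addendum arguments and drop only the SSH_VERSION_HPN one.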
@@ -2114,9 +2107,6 @@ main(int ac, char **av)
remote_ip, remote_port,
get_local_ipaddr(sock_in), get_local_port());
- /* Set HPN options for the child. */
- channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
-
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 9a4b9c2..6712744 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -120,7 +120,7 @@
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
-#VersionAddendum FreeBSD-20140420
+#VersionAddendum FreeBSD-20160119
# no default banner path
#Banner none
@@ -128,15 +128,6 @@
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
-# Change to yes to disable HPN tuning improvements.
-#HPNDisabled no
-
-# Buffer size for HPN to non-HPN connections.
-#HPNBufferSize 2048
-
-# TCP receive socket buffer polling for HPN. Disable on non autotuning kernels.
-#TcpRcvBufPoll yes
-
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
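Review bot: Removing the commented HPNDisabled, HPNBufferSize and TcpRcvBufPoll samples is fine, but deployed sshd_config files may still set these keywords, and this part of the diff does not show what the parser does with them after the change. Please confirm that servconf.c accepts them as deprecated no-ops rather than rejecting the configuration, so that sshd still starts after an upgrade, and mention the removal in the upgrade notes.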
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 0b98672..55043ec 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1253,7 +1253,7 @@ restrictions.
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
-.Dq FreeBSD-20140420 .
+.Dq FreeBSD-20160119 .
The value
.Dq none
may be used to disable this.
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index f62c526..f224604 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -6,5 +6,4 @@
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-#define SSH_VERSION_FREEBSD "FreeBSD-20140420"
-#define SSH_VERSION_HPN "_hpn13v11"
+#define SSH_VERSION_FREEBSD "FreeBSD-20160119"
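Review bot: The date string "FreeBSD-20160119" has to be changed in five places in this commit: SSH_VERSION_FREEBSD here, the commented defaults in ssh_config and sshd_config, and the `.Dq` defaults in ssh_config.5 and sshd_config.5. Nothing ties them together, so a later bump can miss one and leave the manual pages out of step with the binary. A short comment next to SSH_VERSION_FREEBSD listing the other files would be enough.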