diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2022-02-24 18:48:19.078457000 -0800
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2022-02-24 18:49:22.195632128 -0800
@@ -3,9 +3,9 @@
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
+ LD=@LD@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
 -LIBS=@LIBS@
 +LIBS=@LIBS@ -lpthread
  K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
  {
  	struct session_state *state;
--	const struct sshcipher *none = cipher_by_name("none");
-+	struct sshcipher *none = cipher_by_name("none");
+-	const struct sshcipher *none = cipher_none();
++	struct sshcipher *none = cipher_none();
  	int r;
  
  	if (none == NULL) {
@@ -894,24 +894,24 @@
  		intptr = &options->compression;
  		multistate_ptr = multistate_compression;
 @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
- 	options->revoked_host_keys = NULL;
  	options->fingerprint_hash = -1;
  	options->update_hostkeys = -1;
+	options->known_hosts_command = NULL;
 +	options->disable_multithreaded = -1;
- 	options->hostbased_accepted_algos = NULL;
- 	options->pubkey_accepted_algos = NULL;
- 	options->known_hosts_command = NULL;
+ }
+ 
+ /*
 @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
+ 		options->update_hostkeys = 0;
  	if (options->sk_provider == NULL)
  		options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
- #endif
 +	if (options->update_hostkeys == -1)
 +		options->update_hostkeys = 0;
 +	if (options->disable_multithreaded == -1)
 +		options->disable_multithreaded = 0;
  
- 	/* Expand KEX name lists */
- 	all_cipher = cipher_alg_list(',', 0);
+ 	/* expand KEX and etc. name lists */
+ {	char *all;
 diff --git a/readconf.h b/readconf.h
 index 2fba866e..7f8f0227 100644
 --- a/readconf.h
@@ -950,9 +950,9 @@
  	/* Portable-specific options */
  	sUsePAM,
 +	sDisableMTAES,
- 	/* Standard Options */
- 	sPort, sHostKeyFile, sLoginGraceTime,
- 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+ 	/* X.509 Standard Options */
+ 	sHostbasedAlgorithms,
+ 	sPubkeyAlgorithms,
 @@ -662,6 +666,7 @@ static struct {
  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2022-02-24 18:48:19.078457000 -0800
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2022-02-24 18:54:51.800546480 -0800
@@ -157,6 +157,36 @@
 +	 Allan Jude provided the code for the NoneMac and buffer normalization.
 +         This work was financed, in part, by Cisco System, Inc., the National
 +         Library of Medicine, and the National Science Foundation.
+diff --git a/auth2.c b/auth2.c
+--- a/auth2.c	2021-03-15 19:30:45.404060786 -0700
++++ b/auth2.c	2021-03-15 19:37:22.078476597 -0700
+@@ -229,16 +229,17 @@
+ 	double delay;
+ 
+ 	digest_alg = ssh_digest_maxbytes();
+-	len = ssh_digest_bytes(digest_alg);
+-	hash = xmalloc(len);
++	if (len = ssh_digest_bytes(digest_alg) > 0) {
++		hash = xmalloc(len);
+ 
+-	(void)snprintf(b, sizeof b, "%llu%s",
+-	    (unsigned long long)options.timing_secret, user);
+-	if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+-		fatal_f("ssh_digest_memory");
+-	/* 0-4.2 ms of delay */
+-	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+-	freezero(hash, len);
++		(void)snprintf(b, sizeof b, "%llu%s",
++		    (unsigned long long)options.timing_secret, user);
++		if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++			fatal_f("ssh_digest_memory");
++		/* 0-4.2 ms of delay */
++		delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++		freezero(hash, len);
++	}
+ 	debug3_f("user specific delay %0.3lfms", delay/1000);
+ 	return MIN_FAIL_DELAY_SECONDS + delay;
+ }
 diff --git a/channels.c b/channels.c
 index b60d56c4..0e363c15 100644
 --- a/channels.c
@@ -209,14 +239,14 @@
  static void
  channel_pre_open(struct ssh *ssh, Channel *c,
      fd_set *readset, fd_set *writeset)
-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
  
  	if (c->type == SSH_CHANNEL_OPEN &&
  	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
 -	    ((c->local_window_max - c->local_window >
 -	    c->local_maxpacket*3) ||
-+            ((ssh_packet_is_interactive(ssh) &&
-+            c->local_window_max - c->local_window > c->local_maxpacket*3) ||
++	    ((ssh_packet_is_interactive(ssh) &&
++	    c->local_window_max - c->local_window > c->local_maxpacket*3) ||
  	    c->local_window < c->local_window_max/2) &&
  	    c->local_consumed > 0) {
 +		u_int addition = 0;
@@ -235,9 +265,8 @@
  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
 -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
 +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- 		    (r = sshpkt_send(ssh)) != 0) {
- 			fatal_fr(r, "channel %i", c->self);
- 		}
+ 		    (r = sshpkt_send(ssh)) != 0)
+ 			fatal_fr(r, "channel %d", c->self);
 -		debug2("channel %d: window %d sent adjust %d", c->self,
 -		    c->local_window, c->local_consumed);
 -		c->local_window += c->local_consumed;
@@ -337,70 +366,92 @@
 index 70f492f8..5503af1d 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
  	sock = x11_connect_display(ssh);
  	if (sock < 0)
  		return NULL;
 -	c = channel_new(ssh, "x11",
 -	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
--	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-+        c = channel_new(ssh, "x11",
-+			SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-+			/* again is this really necessary for X11? */
-+			options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
-+			CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
+-	    CHANNEL_NONBLOCK_SET);
++	c = channel_new(ssh, "x11",
++	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
++	    /* again is this really necessary for X11? */
++	    options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
++	    CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
  	c->force_drain = 1;
  	return c;
  }
-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
  		return NULL;
  	}
  	c = channel_new(ssh, "authentication agent connection",
 -	    SSH_CHANNEL_OPEN, sock, sock, -1,
 -	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
--	    "authentication agent connection", 1);
-+			SSH_CHANNEL_OPEN, sock, sock, -1,
-+			options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
-+			CHAN_TCP_PACKET_DEFAULT, 0,
-+			"authentication agent connection", 1);
+-	    "authentication agent connection", CHANNEL_NONBLOCK_SET);
++	    SSH_CHANNEL_OPEN, sock, sock, -1,
++	    options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
++	    CHAN_TCP_PACKET_DEFAULT, 0,
++	    "authentication agent connection", CHANNEL_NONBLOCK_SET);
  	c->force_drain = 1;
  	return c;
  }
-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
  	}
  	debug("Tunnel forwarding using interface %s", ifname);
  
 -	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
--	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-+        c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
+-	    CHANNEL_NONBLOCK_SET);
++	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 +	    options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
-+	    CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
++	    CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
  	c->datagram = 1;
  
-+
-+
  #if defined(SSH_TUN_FILTER)
- 	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
- 		channel_register_filter(ssh, c->self, sys_tun_infilter,
 diff --git a/compat.c b/compat.c
 index 69befa96..90b5f338 100644
 --- a/compat.c
 +++ b/compat.c
-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
- 			debug_f("match: %s pat %s compat 0x%08x",
+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
+ static u_int
+ compat_datafellows(const char *version)
+ {
+-	int i;
++	int i, bugs = 0;
+ 	static struct {
+ 		char	*pat;
+ 		int	bugs;
+@@ -147,11 +147,26 @@
+ 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
+ 			debug("match: %s pat %s compat 0x%08x",
  			    version, check[i].pat, check[i].bugs);
- 			ssh->compat = check[i].bugs;
 +			/* Check to see if the remote side is OpenSSH and not HPN */
-+			/* TODO: need to use new method to test for this */
 +			if (strstr(version, "OpenSSH") != NULL) {
 +				if (strstr(version, "hpn") == NULL) {
-+					ssh->compat |= SSH_BUG_LARGEWINDOW;
++					bugs |= SSH_BUG_LARGEWINDOW;
 +					debug("Remote is NON-HPN aware");
 +				}
 +			}
- 			return;
+-			return check[i].bugs;
++			bugs |= check[i].bugs;
  		}
  	}
+-	debug("no match: %s", version);
+-	return 0;
++	/* Check to see if the remote side is OpenSSH and not HPN */
++	if (strstr(version, "OpenSSH") != NULL) {
++		if (strstr(version, "hpn") == NULL) {
++			bugs |= SSH_BUG_LARGEWINDOW;
++			debug("Remote is NON-HPN aware");
++		}
++	}
++	if (bugs == 0)
++		debug("no match: %s", version);
++	return bugs;
+ }
+ 
+ char *
 diff --git a/compat.h b/compat.h
 index c197fafc..ea2e17a7 100644
 --- a/compat.h
@@ -459,7 +510,7 @@
 @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
  	int nenc, nmac, ncomp;
  	u_int mode, ctos, need, dh_need, authlen;
- 	int r, first_kex_follows;
+ 	int r, first_kex_follows = 0;
 +	int auth_flag = 0;
 +
 +	auth_flag = packet_authentication_state(ssh);
@@ -553,10 +604,10 @@
  #define MAX_PACKETS	(1U<<31)
  static int
  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ {
  	struct session_state *state = ssh->state;
  	int len, r, ms_remain;
- 	struct pollfd pfd;
 -	char buf[8192];
 +	char buf[SSH_IOBUFSZ];
  	struct timeval start;
@@ -1072,7 +1123,7 @@
 +	else
 +		options.hpn_buffer_size = 2 * 1024 * 1024;
 +
-+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
++	if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
 +		debug("HPN to Non-HPN Connection");
 +	} else {
 +		int sock, socksize;
@@ -1136,14 +1187,14 @@
  	}
 @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
  	    window, packetmax, CHAN_EXTENDED_WRITE,
- 	    "client-session", /*nonblock*/0);
+ 	    "client-session", CHANNEL_NONBLOCK_STDIO);
  
 +	if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
 +		c->dynamic_window = 1;
 +		debug("Enabled Dynamic Window Scaling");
 +	}
 +
- 	debug3_f("channel_new: %d", c->self);
+ 	debug2_f("channel %d", c->self);
  
  	channel_send_open(ssh, c->self);
 @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
@@ -1314,7 +1365,29 @@
  		/* Bind the socket to the desired port. */
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
  			error("Bind to port %s on %s failed: %.200s.",
-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
+@@ -1625,13 +1632,14 @@
+ 		if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
+ 		    sshbuf_len(server_cfg)) != 0)
+ 			fatal_f("ssh_digest_update");
+-		len = ssh_digest_bytes(digest_alg);
+-		hash = xmalloc(len);
+-		if (ssh_digest_final(ctx, hash, len) != 0)
+-			fatal_f("ssh_digest_final");
+-		options.timing_secret = PEEK_U64(hash);
+-		freezero(hash, len);
+-		ssh_digest_free(ctx);
++		if ((len = ssh_digest_bytes(digest_alg)) > 0) {
++			hash = xmalloc(len);
++			if (ssh_digest_final(ctx, hash, len) != 0)
++				fatal_f("ssh_digest_final");
++			options.timing_secret = PEEK_U64(hash);
++			freezero(hash, len);
++			ssh_digest_free(ctx);
++		}
+ 		ctx = NULL;
+ 		return;
+ 	}
+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
  		fatal("AuthorizedPrincipalsCommand set without "
  		    "AuthorizedPrincipalsCommandUser");
  
@@ -1334,7 +1407,7 @@
  	/*
  	 * Check whether there is any path through configured auth methods.
  	 * Unfortunately it is not possible to verify this generally before
-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
  	    rdomain == NULL ? "" : "\"");
  	free(laddr);
  
@@ -1344,7 +1417,7 @@
  	/*
  	 * We don't want to listen forever unless the other side
  	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
  	struct kex *kex;
  	int r;
  
@@ -1384,14 +1457,3 @@
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  #	X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b4fa372..332fb486 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION	"OpenSSH_8.5"
- 
- #define SSH_PORTABLE	"p1"
--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN         "-hpn15v2"
-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2022-02-24 18:48:19.078457000 -0800
+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2022-02-24 18:49:22.196632131 -0800
@@ -12,9 +12,9 @@
  static long stalled;		/* how long we have been stalled */
  static int bytes_per_second;	/* current speed in bytes per second */
 @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ 	off_t bytes_left;
  	int cur_speed;
- 	int hours, minutes, seconds;
- 	int file_len;
+ 	int len;
 +	off_t delta_pos;
  
  	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -30,15 +30,17 @@
  	if (bytes_left > 0)
  		elapsed = now - last_update;
  	else {
-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
- 
+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
+ 	buf[1] = '\0';
+
  	/* filename */
- 	buf[0] = '\0';
--	file_len = win_size - 36;
-+	file_len = win_size - 45;
- 	if (file_len > 0) {
- 		buf[0] = '\r';
- 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+-	if (win_size > 36) {
++	if (win_size > 45) {
+-		int file_len = win_size - 36;
++		int file_len = win_size - 45;
+ 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ 		    file_len, file);
+ 	}
 @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
  	    (off_t)bytes_per_second);
  	strlcat(buf, "/s ", win_size);
@@ -63,15 +65,3 @@
  }
  
  /*ARGSUSED*/
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..986ff59b 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
- 
- 	if (skprovider == NULL)
- 		fatal("Cannot download keys without provider");
--
- 	pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
- 	if (!quiet) {
- 		printf("You may need to touch your authenticator "