From 732779be795da930624c366583f257d94920fa80 Mon Sep 17 00:00:00 2001
From: Chris Rapier
Date: Tue, 24 Mar 2026 11:35:22 -0400
Subject: [PATCH 1/4] Update version matching in compat.c
The old version uses a clunky set of strstrs to determine if the remote was hpnssh and if they are using hpn-prefixed binaries. It was also checking to see if it was openssh and had strict window checking. This replaces both methods using sscanf() to get the version numbers which means we shouldn't have to touch this section of code for future versions.
---
compat.c | 41 ++++++++++++++++++++---------------------
1 file changed, 20 insertions(+), 21 deletions(-)
diff --git a/compat.c b/compat.c
index be3766b798b1..db73203c9ba6 100644
--- a/compat.c
+++ b/compat.c
@@ -134,30 +134,29 @@ compat_banner(struct ssh *ssh, const char *version)
 /* Check to see if the remote side is OpenSSH and not HPN */
 /* TODO: See if we can work this into the new method for bug checks */
 if (strstr(version, "OpenSSH") != NULL) {
- if (strstr(version, "hpn")) {
+ /* check if the remote is hpn and if the version
+ * uses hpn prefixed binaries */
+ const char *op;
+ if ((op = strstr(version, "hpn")) != NULL) {
+ int hpnver = 0;
 ssh->compat |= SSH_HPNSSH;
 debug("Remote is HPN enabled");
+ if (sscanf(op, "hpn%d", &hpnver) == 1 &&
+ hpnver >= 16) {
+ ssh->compat |= SSH_HPNSSH_PREFIX;
+ debug("Remote uses HPNSSH prefixes.");
+ }
 }
- /* this checks to see if the remote
- * version string indicates that we
- * have access to hpn prefixed binaries
- * You'll need to change this to include
- * new major version numbers. Which is
- * why we should figure out how to make
- * the match pattern list work
- */
- if ((strstr(version, "hpn16") != NULL) ||
- (strstr(version, "hpn17") != NULL) ||
- (strstr(version, "hpn18") != NULL)) {
- ssh->compat |= SSH_HPNSSH_PREFIX;
- debug("Remote uses HPNSSH prefixes.");
- break;
- }
- /* if it's openssh and not hpn */
- if ((strstr(version, "OpenSSH_8.9") != NULL) ||
- (strstr(version, "OpenSSH_9") != NULL)) {
- ssh->compat |= SSH_RESTRICT_WINDOW;
- debug("Restricting adverstised window size.");
+ /* Restrict advertised window for non-HPN OpenSSH >= 8.9. */
+ if (!(ssh->compat & SSH_HPNSSH)) {
+ const char *op;
+ int omaj = 0, omin = 0;
+ if ((op = strstr(version, "OpenSSH_")) != NULL &&
+ sscanf(op, "OpenSSH_%d.%d", &omaj, &omin) == 2 &&
+ (omaj >= 9 || (omaj == 8 && omin >= 9))) {
+ ssh->compat |= SSH_RESTRICT_WINDOW;
+ debug("Restricting advertised window size.");
+ }
 }
 }
 debug("ssh->compat is %u", ssh->compat);
From 1b9478cedc9e7b47287e7dc164a23c831f28b941 Mon Sep 17 00:00:00 2001
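Review bot: Both new sscanf() calls parse the peer's banner, which is untrusted remote input, with an unbounded `%d`; a digit run that does not fit in an int is undefined behavior under C11 7.21.6.2p10, so give each conversion a field width, e.g. `if (sscanf(op, "hpn%9d", &hpnver) == 1 &&` and `sscanf(op, "OpenSSH_%9d.%9d", &omaj, &omin) == 2 &&`. The removed prefix branch ended with `break;` and its replacement does not; if this block sits inside the pattern loop (compat_banner's body starts before the hunk), hpn-prefixed peers now keep matching later entries, which may be intended but is not mentioned in the message. The inner `const char *op;` in the restrict-window block shadows the one declared a few lines above and would trip -Wshadow; the outer variable can simply be reused. As before, any peer can set SSH_HPNSSH, SSH_HPNSSH_PREFIX or SSH_RESTRICT_WINDOW just by choosing its banner string, so whatever those bits gate must stay safe against a lying peer.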
From: Chris Rapier
Date: Tue, 24 Mar 2026 12:11:13 -0400
Subject: [PATCH 2/4] Minor additions to make clean.
While not associated with the compat.c fixes this removes some more files in /regress when cleaning.
---
Makefile.in | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Makefile.in b/Makefile.in
index f0c8cfa0712d..59cf9e5b8fe7 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -371,6 +371,11 @@ clean: regressclean
 rm -f regress/ecdsa-sha2-*
 rm -f regress/host.sk-ecdsa-sha2-nistp256@openssh.com
 rm -f regress/misc/ssh-verify-attestation/ssh-verify-attestation$(EXEEXT)
+ rm -f regress/dbclient.log
+ rm -f regress/finished.?
+ rm -f regress/ssh-proxy.sh
+ rm -rf regress/.ssh
+ rm -f regress/ssh_proxy.sh
 rm -f regress/misc/ssh-verify-attestation/*.o
 (cd openbsd-compat && $(MAKE) clean)
From 9b5bfb751908cfdfb7f70eb7e92264e185ee6876 Mon Sep 17 00:00:00 2001
From: Chris Rapier
Date: Tue, 24 Mar 2026 12:17:27 -0400
Subject: [PATCH 3/4] Increment subversion number.
---
version.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version.h b/version.h
index 2d3d65b5baac..1fbc512bae01 100644
--- a/version.h
+++ b/version.h
@@ -3,5 +3,5 @@
 #define SSH_VERSION "OpenSSH_10.2"
 #define SSH_PORTABLE "p1"
-#define SSH_HPN "_hpn18.8.0"
+#define SSH_HPN "_hpn18.8.1"
 #define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
From 415df68b1cf09a0b80215a809cf091b3d6ad3aa3 Mon Sep 17 00:00:00 2001
From: Chris Rapier
Date: Tue, 24 Mar 2026 15:01:28 -0400
Subject: [PATCH 4/4] Section off call to EVP_CIPHER_meth_free() in cipher.c
OpenSSL 4 has removed the API for EVP_CIPHER_meth*. It was deprecated in OpenSSL3 but it's gone now. Wrap the call around an 'if !defined(WITH_OPENSSL3)' and it won't get triggered except on OpenSSL 1.1.
---
cipher.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/cipher.c b/cipher.c
index 817b102f29c0..19ec5560d2ff 100644
--- a/cipher.c
+++ b/cipher.c
@@ -582,10 +582,12 @@ cipher_free(struct sshcipher_ctx *cc)
 * the ctx it is a part of it doesn't get freed. So...
 * cjr 2/7/2023 */
+#if !defined(WITH_OPENSSL3)
 if (cc->meth_ptr != NULL) {
 EVP_CIPHER_meth_free((void *)(EVP_CIPHER *)cc->meth_ptr);
 cc->meth_ptr = NULL;
 }
+#endif
 #endif
 freezero(cc, sizeof(*cc));
 }
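Review bot: The new `#if !defined(WITH_OPENSSL3)` guard also compiles the free out on OpenSSL 3 builds, where EVP_CIPHER_meth_free() is deprecated but still present; if `cc->meth_ptr` is still populated on those builds (the allocation site is outside this hunk), every cipher_free() now leaks the method object and leaves `meth_ptr` dangling, which in a long-lived sshd is growth per connection rather than a one-off. Gating on the library version instead of the project macro keeps the free wherever the API exists, e.g. `#if !defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_MAJOR < 4`, assuming OpenSSL 4 keeps that macro. If meth_ptr really is only set under OpenSSL 1.1, as the commit message claims, a comment beside the guard such as `/* meth_ptr is only allocated on OpenSSL 1.1; EVP_CIPHER_meth_* was removed in OpenSSL 4 */` would record that invariant for the next reader. cipher_free's body and the enclosing `#ifdef` both start before this hunk.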