Date: Wed, 19 Dec 2012 11:21:17 GMT From: oleg <proler@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/174570: update security/openssh-portable with new sctp patch Message-ID: <201212191121.qBJBLHJg091428@red.freebsd.org> Resent-Message-ID: <201212191130.qBJBU0bk084200@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 174570
>Category: ports
>Synopsis: update security/openssh-portable with new sctp patch
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 19 11:30:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: oleg
>Release:
>Organization:
>Environment:
>Description:
Update to 5.9p1 with sctp patch
but this patches may be broken: openssh-5.8p1-hpn13v11.diff.gz openssh-5.8p1+x509-7.0.diff.gz openssh-5.7p1-gsskex-all-20110125.patch
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
diff -ruN --exclude=CVS /usr/ports/security/openssh-portable/Makefile ./Makefile
--- /usr/ports/security/openssh-portable/Makefile 2012-12-06 02:36:31.000000000 +0400
+++ ./Makefile 2012-12-19 02:43:02.000000000 +0400
@@ -2,7 +2,7 @@
# $FreeBSD: ports/security/openssh-portable/Makefile,v 1.166 2012/12/05 22:36:31 svnexp Exp $
PORTNAME= openssh
-DISTVERSION= 5.8p2
+DISTVERSION= 5.9p1
PORTREVISION= 3
PORTEPOCH= 1
CATEGORIES= security ipv6
@@ -31,12 +31,13 @@
ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_dsa_key \
ssh_host_dsa_key.pub
ETCOLD= ${PREFIX}/etc
+USE_AUTOTOOLS= autoconf
SUDO?= # empty
MAKE_ENV+= SUDO="${SUDO}"
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT SUID_SSH BSM KERBEROS \
- KERB_GSSAPI OPENSSH_CHROOT HPN LPK X509 FILECONTROL \
+ KERB_GSSAPI OPENSSH_CHROOT HPN LPK X509 FILECONTROL SCTP \
OVERWRITE_BASE
OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS
TCP_WRAPPERS_DESC= Enable tcp_wrappers support
@@ -49,11 +50,12 @@
X509_DESC= Enable x509 certificate patch
FILECONTROL_DESC= Enable file control patch (broken)
OVERWRITE_BASE_DESC= OpenSSH overwrite base
+SCTP_DESC= SCTP support
.include <bsd.port.pre.mk>
.if ${OSVERSION} >= 900000
-EXTRA_PATCHES= ${FILESDIR}/extra-patch-configure
+#EXTRA_PATCHES= ${FILESDIR}/extra-patch-configure
.endif
.if ${OSVERSION} >= 900007
@@ -152,13 +154,19 @@
EXTRA_PATCHES+= ${FILESDIR}/openssh-${DISTVERSION}.sftpfilecontrol-v1.3.patch
.endif
+# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
+.if ${PORT_OPTIONS:MSCTP}
+EXTRA_PATCHES+= ${FILESDIR}/sctp.patch
+CONFIGURE_ARGS+= --with-sctp
+.endif
+
.if ${PORT_OPTIONS:MOVERWRITE_BASE}
WITH_OPENSSL_BASE= yes
CONFIGURE_ARGS+= --localstatedir=/var
EMPTYDIR= /var/empty
PREFIX= /usr
ETCSSH= /etc/ssh
-USE_RCORDER= openssh
+USE_RC_SUBRR= openssh
PLIST_SUB+= NOTBASE="@comment "
PLIST_SUB+= BASE=""
PLIST_SUB+= BASEPREFIX="${PREFIX}"
@@ -184,6 +192,11 @@
RC_SCRIPT_NAME= openssh
+run-autotools: run-autotools-autoreconf
+
+run-autotools-autoreconf:
+ @cd ${CONFIGURE_WRKSRC} && ${SETENV} ${AUTOTOOLS_ENV} ${AUTORECONF} -i
+
post-patch:
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
diff -ruN --exclude=CVS /usr/ports/security/openssh-portable/distinfo ./distinfo
--- /usr/ports/security/openssh-portable/distinfo 2011-10-21 20:18:56.000000000 +0400
+++ ./distinfo 2012-12-19 02:36:35.000000000 +0400
@@ -1,5 +1,5 @@
-SHA256 (openssh-5.8p2.tar.gz) = 5c35ec7c966ce05cc4497ac59c0b54a556e55ae7368165cc8c4129694654f314
-SIZE (openssh-5.8p2.tar.gz) = 1115475
+SHA256 (openssh-5.9p1.tar.gz) = 8d3e8b6b6ff04b525a6dfa6fdeb6a99043ccf6c3310cc32eba84c939b07777d5
+SIZE (openssh-5.9p1.tar.gz) = 1110014
SHA256 (openssh-5.8p1-hpn13v11.diff.gz) = 62b500d29d8889ce76c8b596eb65731d8ac3469d89d9c6eb29fec2a845159df7
SIZE (openssh-5.8p1-hpn13v11.diff.gz) = 22993
SHA256 (openssh-5.8p1+x509-7.0.diff.gz) = 3b578cbf69f25e630e8da52b6586a36c62c0c7ce026f95acda91c023dc47c85b
diff -ruN --exclude=CVS /usr/ports/security/openssh-portable/files/extra-patch-configure ./files/extra-patch-configure
--- /usr/ports/security/openssh-portable/files/extra-patch-configure 2011-10-21 20:18:56.000000000 +0400
+++ ./files/extra-patch-configure 1970-01-01 03:00:00.000000000 +0300
@@ -1,10 +0,0 @@
---- configure.orig 2011-09-01 20:36:35.000000000 +0400
-+++ configure 2011-09-02 13:59:02.000000000 +0400
-@@ -12856,6 +12856,7 @@
-
-
-
-+LIBS="-lutil $LIBS"
- for ac_func in \
- arc4random \
- arc4random_buf \
\ No newline at end of file
diff -ruN --exclude=CVS /usr/ports/security/openssh-portable/files/patch-Makefile.in ./files/patch-Makefile.in
--- /usr/ports/security/openssh-portable/files/patch-Makefile.in 2011-10-21 20:18:56.000000000 +0400
+++ ./files/patch-Makefile.in 2012-12-19 02:33:14.000000000 +0400
@@ -1,11 +1,11 @@
---- Makefile.in.orig 2010-05-12 00:51:39.000000000 -0600
-+++ Makefile.in 2010-09-14 16:14:12.000000000 -0600
-@@ -238,7 +238,7 @@
+--- Makefile.in.orig 2011-08-06 00:15:18.000000000 +0400
++++ Makefile.in 2012-12-19 02:32:58.000000000 +0400
+@@ -231,7 +231,7 @@
$(AUTORECONF)
-rm -rf autom4te.cache
--install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-+install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf
- install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf
- install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files
+-install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
++install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+ install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+ install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
diff -ruN --exclude=CVS /usr/ports/security/openssh-portable/files/patch-configure.ac ./files/patch-configure.ac
--- /usr/ports/security/openssh-portable/files/patch-configure.ac 1970-01-01 03:00:00.000000000 +0300
+++ ./files/patch-configure.ac 2012-12-19 02:13:34.000000000 +0400
@@ -0,0 +1,10 @@
+--- configure.ac.orig 2012-12-19 02:11:30.000000000 +0400
++++ configure.ac 2012-12-19 02:13:30.000000000 +0400
+@@ -679,6 +679,7 @@
+ AC_CHECK_HEADER([net/if_tap.h], ,
+ AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
+ AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
++ LIBS="$LIBS -lutil"
+ ;;
+ *-*-bsdi*)
+ AC_DEFINE([SETEUID_BREAKS_SETUID])
diff -ruN --exclude=CVS /usr/ports/security/openssh-portable/files/sctp.patch ./files/sctp.patch
--- /usr/ports/security/openssh-portable/files/sctp.patch 1970-01-01 03:00:00.000000000 +0300
+++ ./files/sctp.patch 2012-12-18 23:59:28.000000000 +0400
@@ -0,0 +1,788 @@
+Index: configure.ac
+===================================================================
+RCS file: /cvs/openssh/configure.ac,v
+retrieving revision 1.492
+diff -u -r1.492 configure.ac
+--- configure.ac 19 May 2012 05:24:37 -0000 1.492
++++ configure.ac 8 Jun 2012 11:52:49 -0000
+@@ -3479,6 +3479,17 @@
+ AC_SUBST([SSHLIBS])
+ AC_SUBST([SSHDLIBS])
+
++#check whether user wants SCTP support
++SCTP_MSG="no"
++AC_ARG_WITH(sctp,
++ [ --with-sctp Enable SCTP support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(SCTP,1,[Define if you want SCTP support.])
++ AC_CHECK_FUNCS(sctp_recvmsg, , AC_CHECK_LIB(sctp, sctp_recvmsg))
++ SCTP_MSG="yes"
++ fi ]
++)
++
+ # Check whether user wants Kerberos 5 support
+ KRB5_MSG="no"
+ AC_ARG_WITH([kerberos5],
+@@ -4338,6 +4349,7 @@
+ echo " OSF SIA support: $SIA_MSG"
+ echo " KerberosV support: $KRB5_MSG"
+ echo " SELinux support: $SELINUX_MSG"
++echo " SCTP support: $SCTP_MSG"
+ echo " Smartcard support: $SCARD_MSG"
+ echo " S/KEY support: $SKEY_MSG"
+ echo " TCP Wrappers support: $TCPW_MSG"
+Index: misc.c
+===================================================================
+RCS file: /cvs/openssh/misc.c,v
+retrieving revision 1.111
+diff -u -r1.111 misc.c
+--- misc.c 22 Sep 2011 11:34:36 -0000 1.111
++++ misc.c 8 Jun 2012 11:52:49 -0000
+@@ -59,6 +59,10 @@
+ #include "log.h"
+ #include "ssh.h"
+
++#ifdef SCTP
++#include <netinet/sctp.h>
++#endif
++
+ /* remove newline at end of string */
+ char *
+ chop(char *s)
+@@ -141,17 +145,29 @@
+
+ optlen = sizeof opt;
+ if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1) {
+- debug("getsockopt TCP_NODELAY: %.100s", strerror(errno));
++#ifdef SCTP
++ /* TCP_NODELAY failed, try SCTP_NODELAY */
++ if (getsockopt(fd, IPPROTO_SCTP, SCTP_NODELAY, &opt, &optlen) == -1) {
++ debug("getsockopt TCP_NODELAY/SCTP_NODELAY: %.100s", strerror(errno));
++ return;
++ }
++#else
+ return;
++#endif
+ }
+ if (opt == 1) {
+- debug2("fd %d is TCP_NODELAY", fd);
++ debug2("fd %d is TCP_NODELAY/SCTP_NODELAY", fd);
+ return;
+ }
+ opt = 1;
+- debug2("fd %d setting TCP_NODELAY", fd);
+- if (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof opt) == -1)
+- error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
++ debug2("fd %d setting TCP_NODELAY/SCTP_NODELAY", fd);
++ if (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof opt) == -1) {
++#ifdef SCTP
++ /* TCP_NODELAY failed, try SCTP_NODELAY */
++ if (getsockopt(fd, IPPROTO_SCTP, SCTP_NODELAY, &opt, &optlen) == -1)
++ error("getsockopt TCP_NODELAY/SCTP_NODELAY: %.100s", strerror(errno));
++#endif
++ }
+ }
+
+ /* Characters considered whitespace in strsep calls. */
+Index: readconf.c
+===================================================================
+RCS file: /cvs/openssh/readconf.c,v
+retrieving revision 1.174
+diff -u -r1.174 readconf.c
+--- readconf.c 2 Oct 2011 07:59:03 -0000 1.174
++++ readconf.c 8 Jun 2012 11:52:49 -0000
+@@ -117,6 +117,9 @@
+ oPasswordAuthentication, oRSAAuthentication,
+ oChallengeResponseAuthentication, oXAuthLocation,
+ oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
++#ifdef SCTP
++ oTransport,
++#endif
+ oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
+ oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
+ oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
+@@ -182,6 +185,9 @@
+ { "hostname", oHostName },
+ { "hostkeyalias", oHostKeyAlias },
+ { "proxycommand", oProxyCommand },
++#ifdef SCTP
++ { "transport", oTransport },
++#endif
+ { "port", oPort },
+ { "cipher", oCipher },
+ { "ciphers", oCiphers },
+@@ -659,6 +665,22 @@
+ *charptr = xstrdup(s + len);
+ return 0;
+
++#ifdef SCTP
++ case oTransport:
++ arg = strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: missing transport protocol specification",
++ filename, linenum);
++ if (strcmp(arg, "tcp") == 0)
++ options->transport = TRANSPORT_TCP;
++ else if (strcmp(arg, "sctp") == 0)
++ options->transport = TRANSPORT_SCTP;
++ else
++ fatal("%s line %d: unknown transport protocol specified",
++ filename, linenum);
++ break;
++#endif
++
+ case oPort:
+ intptr = &options->port;
+ parse_int:
+@@ -1151,6 +1173,9 @@
+ options->compression = -1;
+ options->tcp_keep_alive = -1;
+ options->compression_level = -1;
++#ifdef SCTP
++ options->transport = -1;
++#endif
+ options->port = -1;
+ options->address_family = -1;
+ options->connection_attempts = -1;
+@@ -1261,6 +1286,10 @@
+ options->tcp_keep_alive = 1;
+ if (options->compression_level == -1)
+ options->compression_level = 6;
++#ifdef SCTP
++ if (options->transport == -1)
++ options->transport = TRANSPORT_TCP;
++#endif
+ if (options->port == -1)
+ options->port = 0; /* Filled in ssh_connect. */
+ if (options->address_family == -1)
+Index: readconf.h
+===================================================================
+RCS file: /cvs/openssh/readconf.h,v
+retrieving revision 1.83
+diff -u -r1.83 readconf.h
+--- readconf.h 2 Oct 2011 07:59:03 -0000 1.83
++++ readconf.h 8 Jun 2012 11:52:49 -0000
+@@ -31,6 +31,10 @@
+ #define MAX_SEND_ENV 256
+ #define SSH_MAX_HOSTS_FILES 256
+
++/* Transport protocols */
++#define TRANSPORT_TCP 1
++#define TRANSPORT_SCTP 2
++
+ typedef struct {
+ int forward_agent; /* Forward authentication agent. */
+ int forward_x11; /* Forward X11 display. */
+@@ -65,6 +69,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ LogLevel log_level; /* Level for logging. */
+
++#ifdef SCTP
++ int transport; /* Transport protocol used. */
++#endif
+ int port; /* Port to connect. */
+ int address_family;
+ int connection_attempts; /* Max attempts (seconds) before
+Index: scp.c
+===================================================================
+RCS file: /cvs/openssh/scp.c,v
+retrieving revision 1.189
+diff -u -r1.189 scp.c
+--- scp.c 22 Sep 2011 11:38:01 -0000 1.189
++++ scp.c 8 Jun 2012 11:52:50 -0000
+@@ -395,7 +395,11 @@
+ addargs(&args, "-oClearAllForwardings=yes");
+
+ fflag = tflag = 0;
++#ifdef SCTP
++ while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:z")) != -1)
++#else
+ while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
++#endif
+ switch (ch) {
+ /* User-visible flags. */
+ case '1':
+@@ -403,6 +407,9 @@
+ case '4':
+ case '6':
+ case 'C':
++#ifdef SCTP
++ case 'z':
++#endif
+ addargs(&args, "-%c", ch);
+ addargs(&remote_remote_args, "-%c", ch);
+ break;
+Index: servconf.c
+===================================================================
+RCS file: /cvs/openssh/servconf.c,v
+retrieving revision 1.223
+diff -u -r1.223 servconf.c
+--- servconf.c 19 May 2012 09:37:01 -0000 1.223
++++ servconf.c 8 Jun 2012 11:52:51 -0000
+@@ -117,6 +117,9 @@
+ options->ciphers = NULL;
+ options->macs = NULL;
+ options->kex_algorithms = NULL;
++#ifdef SCTP
++ options->transport = -1;
++#endif
+ options->protocol = SSH_PROTO_UNKNOWN;
+ options->gateway_ports = -1;
+ options->num_subsystems = 0;
+@@ -249,6 +252,10 @@
+ options->allow_tcp_forwarding = 1;
+ if (options->allow_agent_forwarding == -1)
+ options->allow_agent_forwarding = 1;
++#ifdef SCTP
++ if (options->transport == -1)
++ options->transport = TRANSPORT_TCP;
++#endif
+ if (options->gateway_ports == -1)
+ options->gateway_ports = 0;
+ if (options->max_startups == -1)
+@@ -312,6 +319,9 @@
+ sKerberosTgtPassing, sChallengeResponseAuthentication,
+ sPasswordAuthentication, sKbdInteractiveAuthentication,
+ sListenAddress, sAddressFamily,
++#ifdef SCTP
++ sTransport, sListenMultipleAddresses,
++#endif
+ sPrintMotd, sPrintLastLog, sIgnoreRhosts,
+ sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
+ sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+@@ -402,6 +412,9 @@
+ #endif
+ { "checkmail", sDeprecated, SSHCFG_GLOBAL },
+ { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
++#ifdef SCTP
++ { "listenmultipleaddresses", sListenMultipleAddresses, SSHCFG_GLOBAL },
++#endif
+ { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
+ { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
+ { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
+@@ -426,6 +439,9 @@
+ { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
+ { "ciphers", sCiphers, SSHCFG_GLOBAL },
+ { "macs", sMacs, SSHCFG_GLOBAL },
++#ifdef SCTP
++ { "transport", sTransport, SSHCFG_GLOBAL },
++#endif
+ { "protocol", sProtocol, SSHCFG_GLOBAL },
+ { "gatewayports", sGatewayPorts, SSHCFG_ALL },
+ { "subsystem", sSubsystem, SSHCFG_GLOBAL },
+@@ -556,6 +572,81 @@
+ return &ci;
+ }
+
++#ifdef SCTP
++static void
++add_one_listen_multiple_addr(ServerOptions *options, char *addr, int port, int last)
++{
++ struct addrinfo hints, *ai, *aitop;
++ char strport[NI_MAXSERV];
++ int gaierr;
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = options->address_family;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
++ snprintf(strport, sizeof strport, "%d", port);
++ if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
++ fatal("bad addr or host: %s (%s)",
++ addr ? addr : "<NULL>",
++ ssh_gai_strerror(gaierr));
++ /* Mark addresses as multihomed */
++ for (ai = aitop; ai->ai_next; ai = ai->ai_next)
++ ai->ai_flags = IS_MULTIPLE_ADDR;
++ ai->ai_flags = IS_MULTIPLE_ADDR;
++ ai->ai_next = options->listen_addrs;
++ options->listen_addrs = aitop;
++
++ if (last) {
++ aitop->ai_flags = 0;
++ }
++}
++
++static void
++add_listen_multiple_addrs(ServerOptions *options, char *addrs, int port)
++{
++ u_int i, num_addrs;
++ char **addrsptr, *p;
++
++ if (options->num_ports == 0)
++ options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
++ if (options->address_family == -1)
++ options->address_family = AF_UNSPEC;
++
++ num_addrs = 1;
++ p = addrs;
++ while ((p = strchr(p, ',')) != NULL) {
++ num_addrs++;
++ p++;
++ }
++ debug("found %d addresses for multi-homing", num_addrs);
++
++ addrsptr = xmalloc(num_addrs * sizeof(char*));
++ p = addrs;
++ for (i = 0; i < num_addrs; i++) {
++ addrsptr[i] = p;
++ p = strchr(p+1, ',');
++ if (p != NULL)
++ *(p++) = '\0';
++ }
++
++ if (port == 0)
++ for (i = 0; i < options->num_ports; i++) {
++ while (--num_addrs) {
++ add_one_listen_multiple_addr(options, addrsptr[num_addrs], options->ports[i], 0);
++ }
++ add_one_listen_multiple_addr(options, addrs, options->ports[i], 1);
++ }
++ else {
++ while (--num_addrs) {
++ add_one_listen_multiple_addr(options, addrsptr[num_addrs], port, 0);
++ }
++ add_one_listen_multiple_addr(options, addrs, port, 1);
++ }
++
++ xfree(addrsptr);
++}
++#endif
++
+ /*
+ * The strategy for the Match blocks is that the config file is parsed twice.
+ *
+@@ -879,6 +970,26 @@
+ intptr = &options->key_regeneration_time;
+ goto parse_time;
+
++#ifdef SCTP
++ case sListenMultipleAddresses:
++ arg = strdelim(&cp);
++ if (arg == NULL || *arg == '\0')
++ fatal("%s line %d: missing addresses",
++ filename, linenum);
++
++ /* Check for appended port */
++ p = strchr(arg, ';');
++ if (p != NULL) {
++ if ((port = a2port(p + 1)) <= 0)
++ fatal("%s line %d: bad port number", filename, linenum);
++ *p = '\0';
++ } else {
++ port = 0;
++ }
++ add_listen_multiple_addrs(options, arg, port);
++ break;
++#endif
++
+ case sListenAddress:
+ arg = strdelim(&cp);
+ if (arg == NULL || *arg == '\0')
+@@ -1216,6 +1327,24 @@
+ options->kex_algorithms = xstrdup(arg);
+ break;
+
++#ifdef SCTP
++ case sTransport:
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: missing transport protocol specification",
++ filename, linenum);
++ if (strcmp(arg, "all") == 0)
++ options->transport = TRANSPORT_ALL;
++ else if (strcmp(arg, "tcp") == 0)
++ options->transport = TRANSPORT_TCP;
++ else if (strcmp(arg, "sctp") == 0)
++ options->transport = TRANSPORT_SCTP;
++ else
++ fatal("%s line %d: unknown transport protocol specified",
++ filename, linenum);
++ break;
++#endif
++
+ case sProtocol:
+ intptr = &options->protocol;
+ arg = strdelim(&cp);
+@@ -1639,6 +1768,9 @@
+ M_CP_INTOPT(allow_tcp_forwarding);
+ M_CP_INTOPT(allow_agent_forwarding);
+ M_CP_INTOPT(permit_tun);
++#ifdef SCTP
++ M_CP_INTOPT(transport);
++#endif
+ M_CP_INTOPT(gateway_ports);
+ M_CP_INTOPT(x11_display_offset);
+ M_CP_INTOPT(x11_forwarding);
+@@ -1875,6 +2007,9 @@
+ dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
+ dump_cfg_fmtint(sUseLogin, o->use_login);
+ dump_cfg_fmtint(sCompression, o->compression);
++#ifdef SCTP
++ dump_cfg_fmtint(sTransport, o->transport);
++#endif
+ dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
+ dump_cfg_fmtint(sUseDNS, o->use_dns);
+ dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+Index: servconf.h
+===================================================================
+RCS file: /cvs/openssh/servconf.h,v
+retrieving revision 1.93
+diff -u -r1.93 servconf.h
+--- servconf.h 19 May 2012 09:37:01 -0000 1.93
++++ servconf.h 8 Jun 2012 11:52:51 -0000
+@@ -47,6 +47,15 @@
+ /* Magic name for internal sftp-server */
+ #define INTERNAL_SFTP_NAME "internal-sftp"
+
++#ifdef SCTP
++/* Transport protocols */
++#define TRANSPORT_TCP 1
++#define TRANSPORT_SCTP 2
++#define TRANSPORT_ALL (TRANSPORT_TCP | TRANSPORT_SCTP)
++
++#define IS_MULTIPLE_ADDR 0x1000
++#endif
++
+ typedef struct {
+ u_int num_ports;
+ u_int ports_from_cmdline;
+@@ -81,6 +90,9 @@
+ char *ciphers; /* Supported SSH2 ciphers. */
+ char *macs; /* Supported SSH2 macs. */
+ char *kex_algorithms; /* SSH2 kex methods in order of preference. */
++#ifdef SCTP
++ int transport; /* Transport protocol(s) used */
++#endif
+ int protocol; /* Supported protocol versions. */
+ int gateway_ports; /* If true, allow remote connects to forwarded ports. */
+ SyslogFacility log_facility; /* Facility for system logging. */
+Index: ssh.c
+===================================================================
+RCS file: /cvs/openssh/ssh.c,v
+retrieving revision 1.364
+diff -u -r1.364 ssh.c
+--- ssh.c 3 Nov 2011 23:54:22 -0000 1.364
++++ ssh.c 8 Jun 2012 11:52:54 -0000
+@@ -196,7 +196,11 @@
+ usage(void)
+ {
+ fprintf(stderr,
++#ifdef SCTP
++"usage: ssh [-1246AaCfgKkMNnqsTtVvXxYyz] [-b bind_address] [-c cipher_spec]\n"
++#else
+ "usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
++#endif
+ " [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
+ " [-I pkcs11] [-i identity_file]\n"
+ " [-L [bind_address:]port:host:hostport]\n"
+@@ -329,7 +335,11 @@
+ argv0 = av[0];
+
+ again:
++#ifdef SCTP
++ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvxz"
++#else
+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
++#endif
+ "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
+ switch (opt) {
+ case '1':
+@@ -526,6 +534,11 @@
+ else
+ options.control_master = SSHCTL_MASTER_YES;
+ break;
++#ifdef SCTP
++ case 'z':
++ options.transport = TRANSPORT_SCTP;
++ break;
++#endif
+ case 'p':
+ options.port = a2port(optarg);
+ if (options.port <= 0) {
+Index: sshconnect.c
+===================================================================
+RCS file: /cvs/openssh/sshconnect.c,v
+retrieving revision 1.207
+diff -u -r1.207 sshconnect.c
+--- sshconnect.c 29 May 2011 11:42:34 -0000 1.207
++++ sshconnect.c 8 Jun 2012 11:52:54 -0000
+@@ -62,6 +62,10 @@
+ #include "ssh2.h"
+ #include "version.h"
+
++#ifdef SCTP
++#include <netinet/sctp.h>
++#endif
++
+ char *client_version_string = NULL;
+ char *server_version_string = NULL;
+
+@@ -189,6 +193,9 @@
+ {
+ int sock, gaierr;
+ struct addrinfo hints, *res;
++#ifdef SCTP
++ char *more_addrs, *next_addr;
++#endif
+
+ /*
+ * If we are running as root and want to connect to a privileged
+@@ -217,10 +224,22 @@
+ if (options.bind_address == NULL)
+ return sock;
+
++#ifdef SCTP
++ /* Check if multiple addresses have been specified */
++ if ((more_addrs = strchr(options.bind_address, ',')) != NULL) {
++ *(more_addrs++) = '\0';
++ }
++#endif
++
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = ai->ai_family;
+ hints.ai_socktype = ai->ai_socktype;
++#ifndef SCTP
++ /* Only specify protocol if SCTP is not used, due
++ * to the lack of SCTP support for getaddrinfo()
++ */
+ hints.ai_protocol = ai->ai_protocol;
++#endif
+ hints.ai_flags = AI_PASSIVE;
+ gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+ if (gaierr) {
+@@ -235,6 +254,34 @@
+ freeaddrinfo(res);
+ return -1;
+ }
++#ifdef SCTP
++ /* If there are multiple addresses, bind them too */
++ if (more_addrs) {
++ do {
++ next_addr = strchr(more_addrs, ',');
++ if (next_addr != NULL) {
++ *(next_addr++) = '\0';
++ }
++
++ gaierr = getaddrinfo(more_addrs, NULL, &hints, &res);
++ if (gaierr) {
++ error("getaddrinfo: %s: %s", more_addrs,
++ ssh_gai_strerror(gaierr));
++ close(sock);
++ return -1;
++ }
++ if (sctp_bindx(sock, (struct sockaddr *)res->ai_addr,
++ 1, SCTP_BINDX_ADD_ADDR) != 0) {
++ error("bind: %s: %s", options.bind_address, strerror(errno));
++ close(sock);
++ freeaddrinfo(res);
++ return -1;
++ }
++
++ more_addrs = next_addr;
++ } while (next_addr != NULL);
++ }
++#endif
+ freeaddrinfo(res);
+ return sock;
+ }
+@@ -359,6 +406,15 @@
+ if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+ fatal("%s: Could not resolve hostname %.100s: %s", __progname,
+ host, ssh_gai_strerror(gaierr));
++
++#ifdef SCTP
++ /* Use SCTP if requested */
++ if (options.transport == TRANSPORT_SCTP) {
++ for (ai = aitop; ai; ai = ai->ai_next) {
++ ai->ai_protocol = IPPROTO_SCTP;
++ }
++ }
++#endif
+
+ for (attempt = 0; attempt < connection_attempts; attempt++) {
+ if (attempt > 0) {
+Index: sshd.c
+===================================================================
+RCS file: /cvs/openssh/sshd.c,v
+retrieving revision 1.414
+diff -u -r1.414 sshd.c
+--- sshd.c 19 May 2012 09:37:01 -0000 1.414
++++ sshd.c 8 Jun 2012 11:52:55 -0000
+@@ -128,6 +128,10 @@
+ int deny_severity;
+ #endif /* LIBWRAP */
+
++#ifdef SCTP
++#include <netinet/sctp.h>
++#endif
++
+ #ifndef O_NOCTTY
+ #define O_NOCTTY 0
+ #endif
+@@ -1033,6 +1037,12 @@
+ for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
+ if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+ continue;
++#ifdef SCTP
++ /* Ignore multi-homing addresses for TCP */
++ if (ai->ai_flags & IS_MULTIPLE_ADDR ||
++ (ai->ai_next != NULL && ai->ai_next->ai_flags & IS_MULTIPLE_ADDR))
++ continue;
++#endif
+ if (num_listen_socks >= MAX_LISTEN_SOCKS)
+ fatal("Too many listen sockets. "
+ "Enlarge MAX_LISTEN_SOCKS");
+@@ -1091,6 +1101,127 @@
+ fatal("Cannot bind any address.");
+ }
+
++#ifdef SCTP
++/*
++ * Listen for SCTP connections
++ */
++static void
++server_listen_sctp(void)
++{
++ int ret, listen_sock, on = 1;
++ struct addrinfo *ai, *aiv6;
++ char ntop[NI_MAXHOST], strport[NI_MAXSERV];
++
++ for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
++ if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
++ continue;
++ /* Ignore multi-homing addresses at this point */
++ if (ai->ai_flags & IS_MULTIPLE_ADDR)
++ continue;
++ if (num_listen_socks >= MAX_LISTEN_SOCKS)
++ fatal("Too many listen sockets. "
++ "Enlarge MAX_LISTEN_SOCKS");
++ if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
++ error("getnameinfo failed: %.100s",
++ ssh_gai_strerror(ret));
++ continue;
++ }
++ /* Check for multi-homed IPv6 addresses if family is IPv4 */
++ if (ai->ai_family == AF_INET) {
++ aiv6 = ai->ai_next;
++ while (aiv6 != NULL && aiv6->ai_flags & IS_MULTIPLE_ADDR) {
++ if (aiv6->ai_family == AF_INET6) {
++ ai->ai_family = AF_INET6;
++ break;
++ }
++ aiv6 = aiv6->ai_next;
++ }
++ }
++
++ /* Create socket for listening. */
++ listen_sock = socket(ai->ai_family, ai->ai_socktype,
++ IPPROTO_SCTP);
++ if (listen_sock < 0) {
++ /* kernel may not support ipv6 */
++ verbose("SCTP socket: %.100s", strerror(errno));
++ continue;
++ }
++ if (set_nonblock(listen_sock) == -1) {
++ close(listen_sock);
++ continue;
++ }
++ /*
++ * Set socket options.
++ * Allow local port reuse in TIME_WAIT.
++ */
++ if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
++ &on, sizeof(on)) == -1)
++ error("SCTP setsockopt SO_REUSEADDR: %s", strerror(errno));
++
++ /* Only communicate in IPv6 over AF_INET6 sockets if not multi-homed. */
++ if (ai->ai_family == AF_INET6 && (ai->ai_next == NULL ||
++ (ai->ai_next != NULL && ai->ai_next->ai_flags == 0)))
++ sock_set_v6only(listen_sock);
++
++ if (ai->ai_next != NULL && ai->ai_next->ai_flags & IS_MULTIPLE_ADDR)
++ debug("Bind multi-homed to SCTP port %s on %s.", strport, ntop);
++ else
++ debug("Bind to SCTP port %s on %s.", strport, ntop);
++
++ /* Bind the socket to the desired port. */
++ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
++ error("Bind to SCTP port %s on %s failed: %.200s.",
++ strport, ntop, strerror(errno));
++ close(listen_sock);
++ continue;
++ }
++
++ /* Bind multi-homing addresses */
++ while (ai->ai_next != NULL &&
++ ai->ai_next->ai_flags & IS_MULTIPLE_ADDR) {
++ ai = ai->ai_next;
++
++ if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
++ error("getnameinfo failed: %.100s",
++ ssh_gai_strerror(ret));
++ continue;
++ }
++
++ debug("Bind multi-homed to SCTP port %s on %s.", strport, ntop);
++
++ if (sctp_bindx(listen_sock, (struct sockaddr *)ai->ai_addr, 1, SCTP_BINDX_ADD_ADDR) != 0) {
++ error("Bind to SCTP port %s on %s failed: %.200s.",
++ strport, ntop, strerror(errno));
++ close(listen_sock);
++ continue;
++ }
++ }
++
++ listen_socks[num_listen_socks] = listen_sock;
++ num_listen_socks++;
++
++ /* Start listening on the port. */
++ if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
++ fatal("SCTP listen on [%s]:%s: %.100s",
++ ntop, strport, strerror(errno));
++ if (ai->ai_flags & IS_MULTIPLE_ADDR)
++ logit("Server listening multi-homed with SCTP on port %s.", strport);
++ else
++ logit("Server listening with SCTP on %s port %s.", ntop, strport);
++ }
++ /* Only free addresses if SCTP is the only used protocol */
++ if (options.transport == TRANSPORT_SCTP)
++ freeaddrinfo(options.listen_addrs);
++
++ if (!num_listen_socks)
++ fatal("Cannot bind any address for SCTP.");
++}
++#endif
++
+ /*
+ * The main TCP accept loop. Note that, for the non-debug case, returns
+ * from this function are in a forked subprocess.
+@@ -1778,7 +1909,14 @@
+ server_accept_inetd(&sock_in, &sock_out);
+ } else {
+ platform_pre_listen();
+- server_listen();
++
++#ifdef SCTP
++ if (options.transport & TRANSPORT_SCTP)
++ server_listen_sctp();
++
++ if (options.transport & TRANSPORT_TCP)
++#endif
++ server_listen();
+
+ if (options.protocol & SSH_PROTO_1)
+ generate_ephemeral_server_key();
+--- sshd_config.orig 2012-12-18 23:50:47.000000000 +0400
++++ sshd_config 2012-12-18 23:51:15.000000000 +0400
+@@ -12,6 +12,7 @@
+
+ #Port 22
+ #AddressFamily any
++#Transport all
+ #ListenAddress 0.0.0.0
+ #ListenAddress ::
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201212191121.qBJBLHJg091428>