
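--- a/configure.ac
+++ b/configure.ac
@@ -3971,6 +3971,19 @@ AC_ARG_WITH([selinux],
 AC_SUBST([SSHLIBS])
 AC_SUBST([SSHDLIBS])
 
+#check whether user wants SCTP support
+SCTP_MSG="no"
+AC_ARG_WITH(sctp,
+	[  --with-sctp             Enable SCTP support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(SCTP,1,[Define if you want SCTP support.])
+		AC_CHECK_FUNCS(sctp_recvmsg, , AC_CHECK_LIB(sctp, sctp_recvmsg, ,
+			       [AC_MSG_ERROR([*** Can not use SCTP - maybe libsctp-dev is missing ***])]
+			       ))
+		SCTP_MSG="yes"
+	fi ]
+)
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH([kerberos5],
@@ -4894,6 +4907,7 @@
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "                      SCTP support: $SCTP_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              MD5 password support: $MD5_MSG"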
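Review bot: The new `AC_ARG_WITH(sctp, ...)` leaves its arguments unquoted while the neighbouring `AC_ARG_WITH([kerberos5], ...)` and the rest of this block use M4 bracket quoting; `AC_ARG_WITH([sctp],` keeps the two consistent and protects the help text from M4 expansion. Note also that `AC_DEFINE(SCTP,1,...)` is emitted before the `sctp_recvmsg` probe runs; that is only safe because the probe's failure branch is `AC_MSG_ERROR`, so if that error is ever softened the build would end up with `SCTP` defined and no library — moving the `AC_DEFINE` after the check (or into its success branch) removes the dependency on that ordering.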
(-)a/misc.c (-5 / +34 lines)
Lines 61-66 Link Here
61
#include "log.h"
61
#include "log.h"
62
#include "ssh.h"
62
#include "ssh.h"
63
63
64
#ifdef SCTP
65
#include <netinet/sctp.h>
66
#endif
67
64
/* remove newline at end of string */
68
/* remove newline at end of string */
65
char *
69
char *
66
chop(char *s)
70
chop(char *s)
Lines 139-159 void Link Here
139
set_nodelay(int fd)
143
set_nodelay(int fd)
140
{
144
{
141
	int opt;
145
	int opt;
146
	int is_tcp = 1;
147
	int ret;
142
	socklen_t optlen;
148
	socklen_t optlen;
143
149
144
	optlen = sizeof opt;
150
	optlen = sizeof opt;
145
	if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1) {
151
	if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1) {
146
		debug("getsockopt TCP_NODELAY: %.100s", strerror(errno));
152
#ifdef SCTP
153
		/* TCP_NODELAY failed, try SCTP_NODELAY */
154
		if (getsockopt(fd, IPPROTO_SCTP, SCTP_NODELAY, &opt, &optlen) == -1) {
155
			debug("getsockopt TCP_NODELAY/SCTP_NODELAY: %.100s", strerror(errno));
156
			return;
157
		}
158
		is_tcp = 0;
159
#else
147
		return;
160
		return;
161
#endif
148
	}
162
	}
149
	if (opt == 1) {
163
	if (opt == 1) {
150
		debug2("fd %d is TCP_NODELAY", fd);
164
		debug2("fd %d is TCP_NODELAY/SCTP_NODELAY", fd);
151
		return;
165
		return;
152
	}
166
	}
153
	opt = 1;
167
	opt = 1;
154
	debug2("fd %d setting TCP_NODELAY", fd);
168
	debug2("fd %d setting TCP_NODELAY/SCTP_NODELAY", fd);
155
	if (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof opt) == -1)
169
156
		error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
170
	if (is_tcp) {
171
		ret = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt,
172
				sizeof(opt));
173
		if (ret < 0)
174
			error("setsockopt TCP_NODELAY: %.100s",
175
					strerror(errno));
176
	}
177
#ifdef SCTP
178
	else {
179
		ret = setsockopt(fd, IPPROTO_SCTP, SCTP_NODELAY, &opt,
180
				sizeof(opt));
181
		if (ret < 0)
182
			error("setsockopt SCTP_NODELAY: %.100s",
183
					strerror(errno));
184
	}
185
#endif
157
}
186
}
158
187
159
/* Characters considered whitespace in strsep calls. */
188
/* Characters considered whitespace in strsep calls. */
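Review bot: In set_nodelay the rewritten messages say `TCP_NODELAY/SCTP_NODELAY` even though `is_tcp` records which option actually applied, so the debug output no longer tells you whether the fd was detected as SCTP; `debug2("fd %d is %s", fd, is_tcp ? "TCP_NODELAY" : "SCTP_NODELAY");` (and the same for the "setting" message) keeps the log precise at no cost. The `if (is_tcp) { ... }` block followed by `#ifdef SCTP` / `else { ... }` / `#endif` splits a single if/else statement across a preprocessor conditional, which compiles but breaks as soon as anyone inserts a statement between the closing brace and the `#ifdef` in an SCTP build; a plain `if (is_tcp) { ... return; }` followed by the SCTP branch under `#ifdef` avoids the dangling `else`. Behaviour for an fd that is neither TCP nor SCTP (e.g. a ProxyCommand pipe) looks unchanged: both getsockopt calls fail and the function returns after a debug message.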
(-)a/readconf.c (-1 / +23 lines)
Lines 135-141 typedef enum { Link Here
135
	oPasswordAuthentication, oRSAAuthentication,
135
	oPasswordAuthentication, oRSAAuthentication,
136
	oChallengeResponseAuthentication, oXAuthLocation,
136
	oChallengeResponseAuthentication, oXAuthLocation,
137
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
137
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
138
	oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
138
	oTransport, oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
139
	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
139
	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
140
	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
140
	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
141
	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
141
	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
Lines 204-209 static struct { Link Here
204
	{ "hostname", oHostName },
204
	{ "hostname", oHostName },
205
	{ "hostkeyalias", oHostKeyAlias },
205
	{ "hostkeyalias", oHostKeyAlias },
206
	{ "proxycommand", oProxyCommand },
206
	{ "proxycommand", oProxyCommand },
207
#ifdef SCTP
208
	{ "transport", oTransport },
209
#else
210
	{ "transport", oUnsupported },
211
#endif
207
	{ "port", oPort },
212
	{ "port", oPort },
208
	{ "cipher", oCipher },
213
	{ "cipher", oCipher },
209
	{ "ciphers", oCiphers },
214
	{ "ciphers", oCiphers },
Lines 1046-1051 parse_command: Link Here
1046
			*charptr = xstrdup(s + len);
1051
			*charptr = xstrdup(s + len);
1047
		return 0;
1052
		return 0;
1048
1053
1054
	case oTransport:
1055
		arg = strdelim(&s);
1056
		if (!arg || *arg == '\0')
1057
			fatal("%s line %d: missing transport protocol specification",
1058
			    filename, linenum);
1059
		if (strcasecmp(arg, "tcp") == 0)
1060
			options->transport = TRANSPORT_TCP;
1061
		else if (strcasecmp(arg, "sctp") == 0)
1062
			options->transport = TRANSPORT_SCTP;
1063
		else
1064
			fatal("%s line %d: unknown transport protocol specified",
1065
			    filename, linenum);
1066
		break;
1067
1049
	case oPort:
1068
	case oPort:
1050
		intptr = &options->port;
1069
		intptr = &options->port;
1051
parse_int:
1070
parse_int:
Lines 1613-1618 initialize_options(Options * options) Link Here
1613
	options->compression = -1;
1632
	options->compression = -1;
1614
	options->tcp_keep_alive = -1;
1633
	options->tcp_keep_alive = -1;
1615
	options->compression_level = -1;
1634
	options->compression_level = -1;
1635
	options->transport = -1;
1616
	options->port = -1;
1636
	options->port = -1;
1617
	options->address_family = -1;
1637
	options->address_family = -1;
1618
	options->connection_attempts = -1;
1638
	options->connection_attempts = -1;
Lines 1750-1755 fill_default_options(Options * options) Link Here
1750
		options->tcp_keep_alive = 1;
1770
		options->tcp_keep_alive = 1;
1751
	if (options->compression_level == -1)
1771
	if (options->compression_level == -1)
1752
		options->compression_level = 6;
1772
		options->compression_level = 6;
1773
	if (options->transport == -1)
1774
		options->transport = TRANSPORT_TCP;
1753
	if (options->port == -1)
1775
	if (options->port == -1)
1754
		options->port = 0;	/* Filled in ssh_connect. */
1776
		options->port = 0;	/* Filled in ssh_connect. */
1755
	if (options->address_family == -1)
1777
	if (options->address_family == -1)
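Review bot: The new `oTransport` case assigns `options->transport` unconditionally, whereas `oPort` immediately below it jumps to `parse_int`, which in this file presumably stores only when `*activep && *intptr == -1`; as written, a `Transport sctp` line inside a `Host` block that does not match the current host still takes effect, and a config-file value would override `-z` given on the command line instead of the usual command-line-wins order. Guard both stores, e.g. `if (*activep && options->transport == -1) options->transport = TRANSPORT_SCTP;` (and likewise for `tcp`), so the directive behaves like every other per-host option. The `-1` initialisation and `TRANSPORT_TCP` default added in this section already provide the sentinel needed for that check. The enclosing process_config_line starts and ends outside these hunks.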
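--- a/readconf.h
+++ b/readconf.h
@@ -28,6 +28,10 @@ struct allowed_cname {
 	char *target_list;
 };
 
+/* Transport protocols */
+#define TRANSPORT_TCP  1
+#define TRANSPORT_SCTP 2
+
 typedef struct {
 	int     forward_agent;	/* Forward authentication agent. */
 	int     forward_x11;	/* Forward X11 display. */
@@ -61,6 +65,7 @@ typedef struct {
 	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
 	LogLevel log_level;	/* Level for logging. */
 
+	int     transport; /* Transport protocol used. */
 	int     port;		/* Port to connect. */
 	int     address_family;
 	int     connection_attempts;	/* Max attempts (seconds) before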
(-)a/scp.1 (-1 / +4 lines)
Lines 19-25 Link Here
19
.Sh SYNOPSIS
19
.Sh SYNOPSIS
20
.Nm scp
20
.Nm scp
21
.Bk -words
21
.Bk -words
22
.Op Fl 12346BCpqrv
22
.Op Fl 12346BCpqrvz
23
.Op Fl c Ar cipher
23
.Op Fl c Ar cipher
24
.Op Fl F Ar ssh_config
24
.Op Fl F Ar ssh_config
25
.Op Fl i Ar identity_file
25
.Op Fl i Ar identity_file
Lines 179-184 For full details of the options listed below, and their possible values, see Link Here
179
.It ServerAliveCountMax
179
.It ServerAliveCountMax
180
.It StrictHostKeyChecking
180
.It StrictHostKeyChecking
181
.It TCPKeepAlive
181
.It TCPKeepAlive
182
.It Transport
182
.It UpdateHostKeys
183
.It UpdateHostKeys
183
.It UsePrivilegedPort
184
.It UsePrivilegedPort
184
.It User
185
.It User
Lines 220-225 and Link Here
220
to print debugging messages about their progress.
221
to print debugging messages about their progress.
221
This is helpful in
222
This is helpful in
222
debugging connection, authentication, and configuration problems.
223
debugging connection, authentication, and configuration problems.
224
.It Fl z
225
Use the SCTP protocol for connection instead of TCP which is the default.
223
.El
226
.El
224
.Sh EXIT STATUS
227
.Sh EXIT STATUS
225
.Ex -std scp
228
.Ex -std scp
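--- a/scp.c
+++ b/scp.c
@@ -396,7 +396,11 @@ main(int argc, char **argv)
 	addargs(&args, "-oClearAllForwardings=yes");
 
 	fflag = tflag = 0;
+#ifdef SCTP
+	while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:z")) != -1)
+#else
 	while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
+#endif
 		switch (ch) {
 		/* User-visible flags. */
 		case '1':
@@ -404,6 +408,9 @@ main(int argc, char **argv)
 		case '4':
 		case '6':
 		case 'C':
+#ifdef SCTP
+		case 'z':
+#endif
 			addargs(&args, "-%c", ch);
 			addargs(&remote_remote_args, "-%c", ch);
 			break;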
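Review bot: The two near-identical `getopt()` calls under `#ifdef SCTP`/`#else` duplicate a long option string that now has to be kept in sync by hand; ssh.c in this same patch uses an `SCTP_OPT` macro (`"z"` or `""`) spliced into a single string, and the same idiom here — `while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:" SCTP_OPT)) != -1)` — leaves one call and no `#ifdef` around the loop header. Passing `-z` through to both `args` and `remote_remote_args` looks right, since the flag takes no argument and the remote-to-remote ssh needs the same transport. scp's `usage()` text is not in this hunk; if it enumerates the single-letter flags it presumably needs `-z` too — verify.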
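--- a/servconf.c
+++ b/servconf.c
@@ -134,6 +134,7 @@ initialize_server_options(ServerOptions *options)
 	options->ciphers = NULL;
 	options->macs = NULL;
 	options->kex_algorithms = NULL;
+	options->transport = -1;
 	options->protocol = SSH_PROTO_UNKNOWN;
 	options->fwd_opts.gateway_ports = -1;
 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
@@ -295,6 +296,8 @@ fill_default_server_options(ServerOptions *options)
 		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
 	if (options->allow_agent_forwarding == -1)
 		options->allow_agent_forwarding = 1;
+	if (options->transport == -1)
+		options->transport = TRANSPORT_TCP;
 	if (options->fwd_opts.gateway_ports == -1)
 		options->fwd_opts.gateway_ports = 0;
 	if (options->max_startups == -1)
@@ -380,6 +383,7 @@ typedef enum {
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
+	sTransport, sListenMultipleAddresses,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
@@ -472,6 +476,13 @@ static struct {
 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
+#ifdef SCTP
+	{ "listenmultipleaddresses", sListenMultipleAddresses, SSHCFG_GLOBAL },
+	{ "transport", sTransport, SSHCFG_GLOBAL },
+#else
+	{ "listenmultipleaddresses", sUnsupported, SSHCFG_GLOBAL },
+	{ "transport", sUnsupported, SSHCFG_GLOBAL },
+#endif
 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
@@ -638,6 +649,79 @@ get_connection_info(int populate, int use_dns)
 	return &ci;
 }
 
+#ifdef SCTP
+static void
+add_one_listen_multiple_addr(ServerOptions *options, char *addr, int port, int last)
+{
+	struct addrinfo hints, *ai, *aitop;
+	char strport[NI_MAXSERV];
+	int gaierr;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = options->address_family;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
+	snprintf(strport, sizeof strport, "%d", port);
+	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
+		fatal("bad addr or host: %s (%s)",
+				addr ? addr : "<NULL>",
+				ssh_gai_strerror(gaierr));
+	/* Mark addresses as multihomed */
+	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
+		ai->ai_flags = IS_MULTIPLE_ADDR;
+	ai->ai_flags = IS_MULTIPLE_ADDR;
+	ai->ai_next = options->listen_addrs;
+	options->listen_addrs = aitop;
+
+	if (last) {
+		aitop->ai_flags = 0;
+	}
+}
+
+static void
+add_listen_multiple_addrs(ServerOptions *options, char *addrs, int port)
+{
+	u_int i, num_addrs;
+	char **addrsptr, *p;
+
+	if (options->num_ports == 0)
+		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+	if (options->address_family == -1)
+		options->address_family = AF_UNSPEC;
+
+	num_addrs = 1;
+	p = addrs;
+	while ((p = strchr(p, ',')) != NULL) {
+		num_addrs++;
+		p++;
+	}
+	debug("found %d addresses for multi-homing", num_addrs);
+
+	addrsptr = xmalloc(num_addrs * sizeof(char*));
+	p = addrs;
+	for (i = 0; i < num_addrs; i++) {
+		addrsptr[i] = p;
+		p = strchr(p+1, ',');
+		if (p != NULL)
+			*(p++) = '\0';
+	}
+
+	if (port == 0)
+		for (i = 0; i < options->num_ports; i++) {
+			while (--num_addrs)
+				add_one_listen_multiple_addr(options, addrsptr[num_addrs], options->ports[i], 0);
+			add_one_listen_multiple_addr(options, addrs, options->ports[i], 1);
+		}
+	else {
+		while (--num_addrs)
+			add_one_listen_multiple_addr(options, addrsptr[num_addrs], port, 0);
+		add_one_listen_multiple_addr(options, addrs, port, 1);
+	}
+
+	free(addrsptr);
+}
+#endif
+
 /*
  * The strategy for the Match blocks is that the config file is parsed twice.
  *
@@ -986,6 +1070,25 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->key_regeneration_time;
 		goto parse_time;
 
+#ifdef SCTP
+	case sListenMultipleAddresses:
+		arg = strdelim(&cp);
+		if (arg == NULL || *arg == '\0')
+			fatal("%s line %d: missing addresses",
+				filename, linenum);
+
+		/* Check for appended port */
+		p = strchr(arg, ';');
+		if (p != NULL) {
+			if ((port = a2port(p + 1)) <= 0)
+				fatal("%s line %d: bad port number", filename, linenum);
+			*p = '\0';
+		} else
+			port = 0;
+		add_listen_multiple_addrs(options, arg, port);
+		break;
+#endif
+
 	case sListenAddress:
 		arg = strdelim(&cp);
 		if (arg == NULL || *arg == '\0')
@@ -1402,6 +1505,22 @@ process_server_config_line(ServerOptions *options, char *line,
 			options->kex_algorithms = xstrdup(arg);
 		break;
 
+	case sTransport:
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing transport protocol specification",
+			    filename, linenum);
+		if (strcasecmp(arg, "all") == 0)
+			options->transport = TRANSPORT_ALL;
+		else if (strcasecmp(arg, "tcp") == 0)
+			options->transport = TRANSPORT_TCP;
+		else if (strcasecmp(arg, "sctp") == 0)
+			options->transport = TRANSPORT_SCTP;
+		else
+			fatal("%s line %d: unknown transport protocol specified",
+			    filename, linenum);
+		break;
+
 	case sProtocol:
 		intptr = &options->protocol;
 		arg = strdelim(&cp);
@@ -1885,6 +2004,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(allow_streamlocal_forwarding);
 	M_CP_INTOPT(allow_agent_forwarding);
 	M_CP_INTOPT(permit_tun);
+	M_CP_INTOPT(transport);
 	M_CP_INTOPT(fwd_opts.gateway_ports);
 	M_CP_INTOPT(x11_display_offset);
 	M_CP_INTOPT(x11_forwarding);
@@ -2144,6 +2264,9 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
 	dump_cfg_fmtint(sUseLogin, o->use_login);
 	dump_cfg_fmtint(sCompression, o->compression);
+#ifdef SCTP
+	dump_cfg_fmtint(sTransport, o->transport);
+#endif
 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);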
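Review bot: In add_listen_multiple_addrs the `port == 0` branch runs `while (--num_addrs)` once per configured `Port`, but `num_addrs` is a `u_int` that is already 0 when the first port's loop ends, so on the second port it wraps to `UINT_MAX` and `addrsptr[num_addrs]` indexes far past the `xmalloc`'d array; a `ListenMultipleAddresses` line without a `;port` suffix plus two `Port` directives therefore crashes sshd (or feeds garbage to getaddrinfo) at config load. Walk a per-port copy of the count instead, as in the excerpt below. The splitting loop also mishandles empty elements: with a leading comma `p` becomes NULL and the next `strchr(p+1, ',')` dereferences address 1, and with a trailing comma `p+1` points past the terminator before `strchr` scans; rejecting an empty `addrsptr[i]` with `fatal()` before any lookup closes both. The `debug("found %d ...")` format should be `%u` for the `u_int`.
```c
	u_int i, j, num_addrs;
	/* … unchanged: port/address_family defaults, counting and splitting of addrs … */
	if (port == 0) {
		for (i = 0; i < options->num_ports; i++) {
			/* iterate a copy: num_addrs must survive for the next port */
			for (j = num_addrs - 1; j > 0; j--)
				add_one_listen_multiple_addr(options, addrsptr[j], options->ports[i], 0);
			add_one_listen_multiple_addr(options, addrs, options->ports[i], 1);
		}
	} else {
		for (j = num_addrs - 1; j > 0; j--)
			add_one_listen_multiple_addr(options, addrsptr[j], port, 0);
		add_one_listen_multiple_addr(options, addrs, port, 1);
	}
	/* … unchanged: free(addrsptr) … */
```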
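--- a/servconf.h
+++ b/servconf.h
@@ -54,6 +54,13 @@
 /* Magic name for internal sftp-server */
 #define INTERNAL_SFTP_NAME	"internal-sftp"
 
+/* Transport protocols */
+#define TRANSPORT_TCP  1
+#define TRANSPORT_SCTP 2
+#define TRANSPORT_ALL  (TRANSPORT_TCP | TRANSPORT_SCTP)
+
+#define IS_MULTIPLE_ADDR 0x1000
+
 typedef struct {
 	u_int	num_ports;
 	u_int	ports_from_cmdline;
@@ -91,6 +98,7 @@ typedef struct {
 	char   *ciphers;	/* Supported SSH2 ciphers. */
 	char   *macs;		/* Supported SSH2 macs. */
 	char   *kex_algorithms;	/* SSH2 kex methods in order of preference. */
+	int transport;	/* Transport protocol(s) used */
 	int	protocol;	/* Supported protocol versions. */
 	struct ForwardOptions fwd_opts;	/* forwarding options */
 	SyslogFacility log_facility;	/* Facility for system logging. */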
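Review bot: `IS_MULTIPLE_ADDR 0x1000` is a private marker stored in `struct addrinfo.ai_flags`, a field whose `AI_*` bit values are assigned by each libc, and nothing here verifies that 0x1000 is unused on the build platform; servconf.c in this patch also assigns it with `=` rather than `|=`, discarding whatever the resolver set there. At minimum document the assumption next to the define, `/* private marker kept in ai_flags; must not collide with any AI_* in <netdb.h> */`, and consider carrying the multi-homing flag in a wrapper struct or a parallel list rather than in a resolver-owned field. `TRANSPORT_TCP`/`TRANSPORT_SCTP` are now defined with identical values in both readconf.h and servconf.h; a single definition in a header both ssh and sshd already include would keep them from drifting (`TRANSPORT_ALL` existing only on the server side is presumably intentional, since the client must pick one).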
(-)a/ssh.1 (-1 / +4 lines)
Lines 43-49 Link Here
43
.Sh SYNOPSIS
43
.Sh SYNOPSIS
44
.Nm ssh
44
.Nm ssh
45
.Bk -words
45
.Bk -words
46
.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
46
.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
47
.Op Fl b Ar bind_address
47
.Op Fl b Ar bind_address
48
.Op Fl c Ar cipher_spec
48
.Op Fl c Ar cipher_spec
49
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
49
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
Lines 483-488 For full details of the options listed below, and their possible values, see Link Here
483
.It StreamLocalBindUnlink
483
.It StreamLocalBindUnlink
484
.It StrictHostKeyChecking
484
.It StrictHostKeyChecking
485
.It TCPKeepAlive
485
.It TCPKeepAlive
486
.It Transport
486
.It Tunnel
487
.It Tunnel
487
.It TunnelDevice
488
.It TunnelDevice
488
.It UpdateHostKeys
489
.It UpdateHostKeys
Lines 678-683 Trusted X11 forwardings are not subjected to the X11 SECURITY extension Link Here
678
controls.
679
controls.
679
.It Fl y
680
.It Fl y
680
Send log information using the
681
Send log information using the
682
.It Fl z
683
Use the SCTP protocol for connection instead of TCP which is the default.
681
.Xr syslog 3
684
.Xr syslog 3
682
system module.
685
system module.
683
By default this information is sent to stderr.
686
By default this information is sent to stderr.
(-)a/ssh.c (-2 / +12 lines)
Lines 195-206 extern int muxserver_sock; Link Here
195
extern u_int muxclient_command;
195
extern u_int muxclient_command;
196
196
197
/* Prints a help message to the user.  This function never returns. */
197
/* Prints a help message to the user.  This function never returns. */
198
#ifdef SCTP
199
#define SCTP_OPT	"z"
200
#else
201
#define SCTP_OPT	""
202
#endif
198
203
199
static void
204
static void
200
usage(void)
205
usage(void)
201
{
206
{
202
	fprintf(stderr,
207
	fprintf(stderr,
203
"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
208
"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
204
"           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
209
"           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
205
"           [-F configfile] [-I pkcs11] [-i identity_file]\n"
210
"           [-F configfile] [-I pkcs11] [-i identity_file]\n"
206
"           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n"
211
"           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n"
Lines 596-602 main(int ac, char **av) Link Here
596
	argv0 = av[0];
601
	argv0 = av[0];
597
602
598
 again:
603
 again:
599
	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
604
	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
600
	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
605
	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
601
		switch (opt) {
606
		switch (opt) {
602
		case '1':
607
		case '1':
Lines 832-837 main(int ac, char **av) Link Here
832
			else
837
			else
833
				options.control_master = SSHCTL_MASTER_YES;
838
				options.control_master = SSHCTL_MASTER_YES;
834
			break;
839
			break;
840
#ifdef SCTP
841
		case 'z':
842
			options.transport = TRANSPORT_SCTP;
843
			break;
844
#endif
835
		case 'p':
845
		case 'p':
836
			options.port = a2port(optarg);
846
			options.port = a2port(optarg);
837
			if (options.port <= 0) {
847
			if (options.port <= 0) {
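Review bot: The `#ifdef SCTP` / `#define SCTP_OPT` block is inserted between usage()'s header comment (`/* Prints a help message to the user.  This function never returns. */`, old line 197) and `static void usage(void)`, so that comment now sits on the macro instead of the function it describes; move the three-line macro definition above the comment. The `case 'z':` handler stores `TRANSPORT_SCTP` directly, which is fine on its own, but readconf.c's `oTransport` case in this patch assigns unconditionally, so any `Transport` line in a config file read afterwards would override `-z`. Separately, the ssh.1 hunk places `.It Fl z` between `Send log information using the` and `.Xr syslog 3`, splitting the `-y` entry's sentence; it belongs after `By default this information is sent to stderr.`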
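--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1464,6 +1464,12 @@ This is important in scripts, and many users want it too.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
+.It Cm Transport
+Specifies the transport protocol while connecting. Valid values are
+.Dq TCP
+and
+.Dq SCTP .
+The default is TCP.
 .It Cm Tunnel
 Request
 .Xr tun 4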
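--- a/sshconnect.c
+++ b/sshconnect.c
@@ -66,6 +66,10 @@
 #include "authfile.h"
 #include "ssherr.h"
 
+#ifdef SCTP
+#include <netinet/sctp.h>
+#endif
+
 char *client_version_string = NULL;
 char *server_version_string = NULL;
 Key *previous_host_key = NULL;
@@ -274,6 +278,9 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
 {
 	int sock, r, gaierr;
 	struct addrinfo hints, *res = NULL;
+#ifdef SCTP
+	char *more_addrs, *next_addr;
+#endif
 
 	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
 	if (sock < 0) {
@@ -287,10 +294,21 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
 		return sock;
 
 	if (options.bind_address) {
+#ifdef SCTP
+		/* Check if multiple addresses have been specified */
+		if ((more_addrs = strchr(options.bind_address, ',')) != NULL) {
+			*(more_addrs++) = '\0';
+		}
+#endif
 		memset(&hints, 0, sizeof(hints));
 		hints.ai_family = ai->ai_family;
 		hints.ai_socktype = ai->ai_socktype;
+#ifndef SCTP
+		/* Only specify protocol if SCTP is not used, due
+		 * to the lack of SCTP support for getaddrinfo()
+		 */
 		hints.ai_protocol = ai->ai_protocol;
+#endif
 		hints.ai_flags = AI_PASSIVE;
 		gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
 		if (gaierr) {
@@ -323,6 +341,34 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
 			return -1;
 		}
 	}
+#ifdef SCTP
+	/* If there are multiple addresses, bind them too */
+	if (more_addrs) {
+		do {
+			next_addr = strchr(more_addrs, ',');
+			if (next_addr != NULL) {
+				*(next_addr++) = '\0';
+			}
+
+			gaierr = getaddrinfo(more_addrs, NULL, &hints, &res);
+			if (gaierr) {
+				error("getaddrinfo: %s: %s", more_addrs,
+					  ssh_gai_strerror(gaierr));
+				close(sock);
+				return -1;
+			}
+			if (sctp_bindx(sock, (struct sockaddr *)res->ai_addr,
+						   1, SCTP_BINDX_ADD_ADDR) != 0) {
+				error("bind: %s: %s", options.bind_address, strerror(errno));
+				close(sock);
+				freeaddrinfo(res);
+				return -1;
+			}
+
+			more_addrs = next_addr;
+		} while (next_addr != NULL);
+	}
+#endif
 	if (res != NULL)
 		freeaddrinfo(res);
 	return sock;
@@ -434,6 +480,15 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop,
 
 	debug2("ssh_connect: needpriv %d", needpriv);
 
+#ifdef SCTP
+	/* Use SCTP if requested */
+	if (options.transport == TRANSPORT_SCTP) {
+		for (ai = aitop; ai; ai = ai->ai_next) {
+			ai->ai_protocol = IPPROTO_SCTP;
+		}
+	}
+#endif
+
 	for (attempt = 0; attempt < connection_attempts; attempt++) {
 		if (attempt > 0) {
 			/* Sleep a moment before retrying. */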
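Review bot: `more_addrs` is declared without an initializer (new line 282) and is only assigned inside `if (options.bind_address)`, yet the new `if (more_addrs)` block after the bind runs on every path that reaches it; with `privileged` set and no `BindAddress` the early `return sock` is skipped, so an indeterminate pointer is handed to `strchr()`. Initialise it: `char *more_addrs = NULL, *next_addr;`. Two more defects in the loop: each `getaddrinfo(more_addrs, NULL, &hints, &res)` overwrites `res` without freeing the previous result (including the one the primary `bind()` used), leaking one addrinfo list per extra address, and `*(more_addrs++) = '\0'` edits `options.bind_address` in place, so on the next connection attempt or next address the comma is gone and the extra paths are silently not bound — take a working copy (`xstrdup`/`free`) before splitting, which the excerpt below does not include. The `sctp_bindx` error message also names `options.bind_address` rather than the address that actually failed. ssh_create_socket's signature and closing brace lie outside these hunks.
```c
	int sock, r, gaierr;
	struct addrinfo hints, *res = NULL;
#ifdef SCTP
	char *more_addrs = NULL, *next_addr;	/* stays NULL unless BindAddress held a ',' */
#endif
	/* … unchanged: socket(), early return, primary bind … */
#ifdef SCTP
	/* Bind any further comma-separated BindAddress entries as extra SCTP paths. */
	while (more_addrs != NULL) {
		next_addr = strchr(more_addrs, ',');
		if (next_addr != NULL)
			*(next_addr++) = '\0';
		/* res still holds the previous lookup; release it before reusing it */
		if (res != NULL)
			freeaddrinfo(res);
		res = NULL;
		gaierr = getaddrinfo(more_addrs, NULL, &hints, &res);
		if (gaierr) {
			error("getaddrinfo: %s: %s", more_addrs,
			    ssh_gai_strerror(gaierr));
			close(sock);
			return -1;
		}
		if (sctp_bindx(sock, res->ai_addr, 1, SCTP_BINDX_ADD_ADDR) != 0) {
			error("sctp_bindx: %s: %s", more_addrs, strerror(errno));
			close(sock);
			freeaddrinfo(res);
			return -1;
		}
		more_addrs = next_addr;
	}
#endif
	/* … unchanged: final freeaddrinfo(res) and return sock … */
```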
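--- a/sshd.c
+++ b/sshd.c
@@ -125,6 +125,10 @@
 #include "version.h"
 #include "ssherr.h"
 
+#ifdef SCTP
+#include <netinet/sctp.h>
+#endif
+
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
@@ -1153,6 +1157,12 @@ server_listen(void)
 	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
 		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
 			continue;
+#ifdef SCTP
+		/* Ignore multi-homing addresses for TCP */
+		if (ai->ai_flags & IS_MULTIPLE_ADDR ||
+		   (ai->ai_next != NULL && ai->ai_next->ai_flags & IS_MULTIPLE_ADDR))
+			continue;
+#endif
 		if (num_listen_socks >= MAX_LISTEN_SOCKS)
 			fatal("Too many listen sockets. "
 			    "Enlarge MAX_LISTEN_SOCKS");
@@ -1211,6 +1221,127 @@ server_listen(void)
 		fatal("Cannot bind any address.");
 }
 
+#ifdef SCTP
+/*
+ * Listen for SCTP connections
+ */
+static void
+server_listen_sctp(void)
+{
+	int ret, listen_sock, on = 1;
+	struct addrinfo *ai, *aiv6;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+
+	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
+		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+			continue;
+		/* Ignore multi-homing addresses at this point */
+		if (ai->ai_flags & IS_MULTIPLE_ADDR)
+			continue;
+		if (num_listen_socks >= MAX_LISTEN_SOCKS)
+			fatal("Too many listen sockets. "
+			    "Enlarge MAX_LISTEN_SOCKS");
+		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
+		    ntop, sizeof(ntop), strport, sizeof(strport),
+		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
+			error("getnameinfo failed: %.100s",
+			    ssh_gai_strerror(ret));
+			continue;
+		}
+		/* Check for multi-homed IPv6 addresses if family is IPv4 */
+		if (ai->ai_family == AF_INET) {
+			aiv6 = ai->ai_next;
+			while (aiv6 != NULL && aiv6->ai_flags & IS_MULTIPLE_ADDR) {
+				if (aiv6->ai_family == AF_INET6) {
+					ai->ai_family = AF_INET6;
+					break;
+				}
+				aiv6 = aiv6->ai_next;
+			}
+		}
+
+		/* Create socket for listening. */
+		listen_sock = socket(ai->ai_family, ai->ai_socktype,
+		    IPPROTO_SCTP);
+		if (listen_sock < 0) {
+			/* kernel may not support ipv6 */
+			verbose("SCTP socket: %.100s", strerror(errno));
+			continue;
+		}
+		if (set_nonblock(listen_sock) == -1) {
+			close(listen_sock);
+			continue;
+		}
+		/*
+		 * Set socket options.
+		 * Allow local port reuse in TIME_WAIT.
+		 */
+		if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
+		    &on, sizeof(on)) == -1)
+			error("SCTP setsockopt SO_REUSEADDR: %s", strerror(errno));
+
+		/* Only communicate in IPv6 over AF_INET6 sockets if not multi-homed. */
+		if (ai->ai_family == AF_INET6 && (ai->ai_next == NULL ||
+		    (ai->ai_next != NULL && ai->ai_next->ai_flags == 0)))
+			sock_set_v6only(listen_sock);
+
+		if (ai->ai_next != NULL && ai->ai_next->ai_flags & IS_MULTIPLE_ADDR)
+			debug("Bind multi-homed to SCTP port %s on %s.", strport, ntop);
+		else
+			debug("Bind to SCTP port %s on %s.", strport, ntop);
+
+		/* Bind the socket to the desired port. */
+		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+			error("Bind to SCTP port %s on %s failed: %.200s.",
+			    strport, ntop, strerror(errno));
+			close(listen_sock);
+			continue;
+		}
+
+		/* Bind multi-homing addresses */
+		while (ai->ai_next != NULL &&
+		       ai->ai_next->ai_flags & IS_MULTIPLE_ADDR) {
+			ai = ai->ai_next;
+
+			if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
+				ntop, sizeof(ntop), strport, sizeof(strport),
+				NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
+				error("getnameinfo failed: %.100s",
+					ssh_gai_strerror(ret));
+				continue;
+			}
+
+			debug("Bind multi-homed to SCTP port %s on %s.", strport, ntop);
+
+			if (sctp_bindx(listen_sock, (struct sockaddr *)ai->ai_addr, 1, SCTP_BINDX_ADD_ADDR) != 0) {
+				error("Bind to SCTP port %s on %s failed: %.200s.",
+					strport, ntop, strerror(errno));
+				close(listen_sock);
+				continue;
+			}
+		}
+
+		listen_socks[num_listen_socks] = listen_sock;
+		num_listen_socks++;
+
+		/* Start listening on the port. */
+		if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
+			fatal("SCTP listen on [%s]:%s: %.100s",
+			    ntop, strport, strerror(errno));
+		if (ai->ai_flags & IS_MULTIPLE_ADDR)
+			logit("Server listening multi-homed with SCTP on port %s.", strport);
+		else
+			logit("Server listening with SCTP on %s port %s.", ntop, strport);
+	}
+	/* Only free addresses if SCTP is the only used protocol */
+	if (options.transport == TRANSPORT_SCTP)
+		freeaddrinfo(options.listen_addrs);
+
+	if (!num_listen_socks)
+		fatal("Cannot bind any address for SCTP.");
+}
+#endif
+
 /*
  * The main TCP accept loop. Note that, for the non-debug case, returns
  * from this function are in a forked subprocess.
@@ -1989,7 +2120,14 @@ main(int ac, char **av)
 		server_accept_inetd(&sock_in, &sock_out);
 	} else {
 		platform_pre_listen();
-		server_listen();
+
+#ifdef SCTP
+		if (options.transport & TRANSPORT_SCTP)
+			server_listen_sctp();
+
+		if (options.transport & TRANSPORT_TCP)
+#endif
+			server_listen();
 
 		if (options.protocol & SSH_PROTO_1)
 			generate_ephemeral_server_key();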
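Review bot: In server_listen_sctp's multi-homing bind loop the `continue` after `close(listen_sock)` in the sctp_bindx() failure branch only advances the inner `while`, so control still falls through to `listen_socks[num_listen_socks] = listen_sock` and `listen()` on the closed descriptor, turning one unbindable secondary address into a fatal() exit, while the getnameinfo() `continue` in the same loop silently drops that address from the association and still registers the socket as if the whole group were bound. A flag set on either failure, followed by closing the socket and stepping past the rest of the group before continuing the outer `for`, keeps the daemon running on the addresses it could bind and logs the ones it could not. Two smaller points in the same function: `ai->ai_family = AF_INET6` rewrites the entry in options.listen_addrs that server_listen() walks afterwards in main() (the TCP loop appears to skip such entries only because of the new IS_MULTIPLE_ADDR check, which deserves a comment at the assignment), and the v6only test compares `ai->ai_next->ai_flags == 0` where every other check uses the mask — `!(ai->ai_next->ai_flags & IS_MULTIPLE_ADDR)` would be consistent and robust to other flag bits. main() starts and ends outside the hunk.
```c
	int ret, listen_sock, on = 1, bindx_ok;
	/* … unchanged: remaining declarations, primary socket()/bind() … */
		/* Bind multi-homing addresses; one failure abandons the whole group. */
		bindx_ok = 1;
		while (ai->ai_next != NULL &&
		       ai->ai_next->ai_flags & IS_MULTIPLE_ADDR) {
			ai = ai->ai_next;
			if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
			    ntop, sizeof(ntop), strport, sizeof(strport),
			    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
				error("getnameinfo failed: %.100s",
				    ssh_gai_strerror(ret));
				bindx_ok = 0;
				break;
			}
			/* … unchanged: debug() … */
			if (sctp_bindx(listen_sock, (struct sockaddr *)ai->ai_addr, 1,
			    SCTP_BINDX_ADD_ADDR) != 0) {
				error("Bind to SCTP port %s on %s failed: %.200s.",
				    strport, ntop, strerror(errno));
				bindx_ok = 0;
				break;
			}
		}
		if (!bindx_ok) {
			/* Never register a closed descriptor; step past the rest of this group. */
			close(listen_sock);
			while (ai->ai_next != NULL &&
			    ai->ai_next->ai_flags & IS_MULTIPLE_ADDR)
				ai = ai->ai_next;
			continue;
		}
		listen_socks[num_listen_socks] = listen_sock;
```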
(-)a/sshd_config.5 (-1 / +11 lines)
Lines 1364-1369 This avoids infinitely hanging sessions. Link Here
1364
.Pp
1364
.Pp
1365
To disable TCP keepalive messages, the value should be set to
1365
To disable TCP keepalive messages, the value should be set to
1366
.Dq no .
1366
.Dq no .
1367
.It Cm Transport
1368
Specifies the transport protocol that should be used by
1369
.Xr sshd 8 .
1370
Valid values are
1371
.Dq TCP ,
1372
.Dq SCTP ,
1373
.Dq all.
1374
The value
1375
.Dq all
1376
means to listen on TCP and SCTP sockets. The default is to listen only on
1377
TCP sockets.
1367
.It Cm TrustedUserCAKeys
1378
.It Cm TrustedUserCAKeys
1368
Specifies a file containing public keys of certificate authorities that are
1379
Specifies a file containing public keys of certificate authorities that are
1369
trusted to sign user certificates for authentication.
1380
trusted to sign user certificates for authentication.
1370
- 
