aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDag-Erling Smørgrav <des@FreeBSD.org>2019-05-10 17:31:31 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2019-05-10 17:31:31 +0000
commit512745701d468b6ff463bd67cd5be20f05722903 (patch)
tree1b94ce474b5537eaede2b08bfdbd8698476628f1
parentfcf0d3fa333495ded71eb67e4efd5e0bcd5a48ac (diff)
downloadsrc-512745701d468b6ff463bd67cd5be20f05722903.tar.gz
src-512745701d468b6ff463bd67cd5be20f05722903.zip
Import netcat from OpenBSD 6.4.vendor/netcat/6.4
Notes
Notes: svn path=/vendor/netcat/dist/; revision=347454 svn path=/vendor/netcat/6.4/; revision=347455; tag=vendor/netcat/6.4
-rw-r--r--nc.1234
-rw-r--r--netcat.c90
-rw-r--r--socks.c19
3 files changed, 193 insertions, 150 deletions
diff --git a/nc.1 b/nc.1
index e10d385a142d..2c84a0972f36 100644
--- a/nc.1
+++ b/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.88 2017/11/28 16:59:10 jsing Exp $
+.\" $OpenBSD: nc.1,v 1.91 2018/09/25 20:05:07 jmc Exp $
.\"
.\" Copyright (c) 1996 David Sacerdote
.\" All rights reserved.
@@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 28 2017 $
+.Dd $Mdocdate: September 25 2018 $
.Dt NC 1
.Os
.Sh NAME
@@ -96,27 +96,31 @@ and much, much more
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
-Forces
-.Nm
-to use IPv4 addresses only.
+Use IPv4 addresses only.
.It Fl 6
-Forces
-.Nm
-to use IPv6 addresses only.
+Use IPv6 addresses only.
.It Fl C Ar certfile
-Specifies the filename from which the public key part of the TLS
-certificate is loaded, in PEM format.
-May only be used with TLS.
+Load the public key part of the TLS peer certificate from
+.Ar certfile ,
+in PEM format.
+Requires
+.Fl c .
.It Fl c
-If using a TCP socket to connect or listen, use TLS.
-Illegal if not using TCP sockets.
+Use TLS to connect or listen.
+Cannot be used together with any of the options
+.Fl FuU .
.It Fl D
Enable debugging on the socket.
.It Fl d
Do not attempt to read from stdin.
.It Fl e Ar name
-Specify the name that must be present in the peer certificate when using TLS.
-Illegal if not using TLS.
+Only accept the TLS peer certificate if it contains the
+.Ar name .
+Requires
+.Fl c .
+If not specified,
+.Ar destination
+is used.
.It Fl F
Pass the first connected socket using
.Xr sendmsg 2
@@ -132,47 +136,49 @@ using the
.Xr ssh_config 5
.Cm ProxyUseFdpass
option).
+Cannot be used with
+.Fl c
+or
+.Fl U .
.It Fl H Ar hash
-Specifies the required hash string of the peer certificate when using TLS.
-The string format required is that used by
-.Xr tls_peer_cert_hash 3 .
-Illegal if not using TLS, and may not be used with -T noverify.
+Only accept the TLS peer certificate if its hash returned from
+.Xr tls_peer_cert_hash 3
+matches
+.Ar hash .
+Requires
+.Fl c
+and cannot be used with
+.Fl T Cm noverify .
.It Fl h
-Prints out
+Print out the
.Nm
-help.
+help text and exit.
.It Fl I Ar length
-Specifies the size of the TCP receive buffer.
+Specify the size of the TCP receive buffer.
.It Fl i Ar interval
-Specifies a delay time interval between lines of text sent and received.
+Sleep for
+.Ar interval
+seconds between lines of text sent and received.
Also causes a delay time between connections to multiple ports.
.It Fl K Ar keyfile
-Specifies the filename from which the private key
-is loaded in PEM format.
-May only be used with TLS.
+Load the TLS private key from
+.Ar keyfile ,
+in PEM format.
+Requires
+.Fl c .
.It Fl k
-Forces
-.Nm
-to stay listening for another connection after its current connection
-is completed.
-It is an error to use this option without the
-.Fl l
-option.
+When a connection is completed, listen for another one.
+Requires
+.Fl l .
When used together with the
.Fl u
option, the server socket is not connected and it can receive UDP datagrams from
multiple hosts.
.It Fl l
-Used to specify that
-.Nm
-should listen for an incoming connection rather than initiate a
+Listen for an incoming connection rather than initiating a
connection to a remote host.
-It is an error to use this option in conjunction with the
-.Fl p ,
-.Fl s ,
-or
-.Fl z
-options.
+Cannot be used together with any of the options
+.Fl psxz .
Additionally, any timeouts specified with the
.Fl w
option are ignored.
@@ -189,97 +195,111 @@ Some servers require this to finish their work.
Do not do any DNS or service lookups on any specified addresses,
hostnames or ports.
.It Fl O Ar length
-Specifies the size of the TCP send buffer.
+Specify the size of the TCP send buffer.
.It Fl o Ar staplefile
-Specifies the filename from which to load data to be stapled
-during the TLS handshake.
-The file is expected to contain an OCSP response from an OCSP server in
+During the TLS handshake, load data to be stapled from
+.Ar staplefile ,
+which is expected to contain an OCSP response from an OCSP server in
DER format.
-May only be used with TLS and when a certificate is being used.
+Requires
+.Fl c
+and
+.Fl C .
.It Fl P Ar proxy_username
Specifies a username to present to a proxy server that requires authentication.
If no username is specified then authentication will not be attempted.
Proxy authentication is only supported for HTTP CONNECT proxies at present.
.It Fl p Ar source_port
-Specifies the source port
+Specify the source port
.Nm
should use, subject to privilege restrictions and availability.
-It is an error to use this option in conjunction with the
-.Fl l
-option.
+Cannot be used together with
+.Fl l .
.It Fl R Ar CAfile
-Specifies the filename from which the root CA bundle for certificate
-verification is loaded, in PEM format.
-Illegal if not using TLS.
-The default is
+Load the root CA bundle for TLS certificate verification from
+.Ar CAfile ,
+in PEM format, instead of
.Pa /etc/ssl/cert.pem .
+Requires
+.Fl c .
.It Fl r
-Specifies that source and/or destination ports should be chosen randomly
+Choose source and/or destination ports randomly
instead of sequentially within a range or in the order that the system
assigns them.
.It Fl S
-Enables the RFC 2385 TCP MD5 signature option.
+Enable the RFC 2385 TCP MD5 signature option.
.It Fl s Ar source
-Specifies the IP of the interface which is used to send the packets.
+Send packets from the interface with the
+.Ar source
+IP address.
For
.Ux Ns -domain
datagram sockets, specifies the local temporary socket file
to create and use so that datagrams can be received.
-It is an error to use this option in conjunction with the
+Cannot be used together with
.Fl l
-option.
+or
+.Fl x .
.It Fl T Ar keyword
-Change IPv4 TOS value or TLS options.
-For TLS options
+Change the IPv4 TOS/IPv6 traffic class value or the TLS options.
+.Pp
+For TLS options,
.Ar keyword
may be one of:
-.Ar noverify ,
+.Cm noverify ,
which disables certificate verification;
-.Ar noname ,
+.Cm noname ,
which disables certificate name checking;
-.Ar clientcert ,
+.Cm clientcert ,
which requires a client certificate on incoming connections; or
-.Ar muststaple ,
+.Cm muststaple ,
which requires the peer to provide a valid stapled OCSP response
with the handshake.
-The following TLS options specify a value in the form of a key=value pair:
-.Ar ciphers ,
+The following TLS options specify a value in the form of a
+.Ar key Ns = Ns Ar value
+pair:
+.Cm ciphers ,
which allows the supported TLS ciphers to be specified (see
.Xr tls_config_set_ciphers 3
for further details);
-.Ar protocols ,
+.Cm protocols ,
which allows the supported TLS protocols to be specified (see
.Xr tls_config_parse_protocols 3
for further details).
-It is illegal to specify TLS options if not using TLS.
+Specifying TLS options requires
+.Fl c .
.Pp
-For IPv4 TOS value
+For the IPv4 TOS/IPv6 traffic class value,
.Ar keyword
may be one of
-.Ar critical ,
-.Ar inetcontrol ,
-.Ar lowdelay ,
-.Ar netcontrol ,
-.Ar throughput ,
-.Ar reliability ,
+.Cm critical ,
+.Cm inetcontrol ,
+.Cm lowdelay ,
+.Cm netcontrol ,
+.Cm throughput ,
+.Cm reliability ,
or one of the DiffServ Code Points:
-.Ar ef ,
-.Ar af11 ... af43 ,
-.Ar cs0 ... cs7 ;
+.Cm ef ,
+.Cm af11 No ... Cm af43 ,
+.Cm cs0 No ... Cm cs7 ;
or a number in either hex or decimal.
.It Fl t
-Causes
-.Nm
-to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
+Send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
This makes it possible to use
.Nm
to script telnet sessions.
.It Fl U
-Specifies to use
+Use
.Ux Ns -domain
sockets.
+Cannot be used together with any of the options
+.Fl cFx .
.It Fl u
-Use UDP instead of the default option of TCP.
+Use UDP instead of TCP.
+Cannot be used together with
+.Fl c
+or
+.Fl x .
For
.Ux Ns -domain
sockets, use a datagram socket instead of a stream socket.
@@ -293,9 +313,7 @@ flag is given.
.It Fl V Ar rtable
Set the routing table to be used.
.It Fl v
-Have
-.Nm
-give more verbose output.
+Produce more verbose output.
.It Fl W Ar recvlimit
Terminate after receiving
.Ar recvlimit
@@ -315,22 +333,20 @@ will listen forever for a connection, with or without the
flag.
The default is no timeout.
.It Fl X Ar proxy_protocol
-Requests that
-.Nm
-should use the specified protocol when talking to the proxy server.
+Use
+.Ar proxy_protocol
+when talking to the proxy server.
Supported protocols are
-.Dq 4
+.Cm 4
(SOCKS v.4),
-.Dq 5
+.Cm 5
(SOCKS v.5)
and
-.Dq connect
+.Cm connect
(HTTPS proxy).
If the protocol is not specified, SOCKS version 5 is used.
.It Fl x Ar proxy_address Ns Op : Ns Ar port
-Requests that
-.Nm
-should connect to
+Connect to
.Ar destination
using a proxy at
.Ar proxy_address
@@ -343,17 +359,18 @@ for SOCKS, 3128 for HTTPS).
An IPv6 address can be specified unambiguously by enclosing
.Ar proxy_address
in square brackets.
+A proxy cannot be used with any of the options
+.Fl lsuU .
.It Fl Z Ar peercertfile
-Specifies the filename in which the peer supplied certificates will be saved
+Save the peer certificates to
+.Ar peercertfile ,
in PEM format.
-May only be used with TLS.
+Requires
+.Fl c .
.It Fl z
-Specifies that
-.Nm
-should just scan for listening daemons, without sending any data to them.
-It is an error to use this option in conjunction with the
-.Fl l
-option.
+Only scan for listening daemons, without sending any data to them.
+Cannot be used together with
+.Fl l .
.El
.Pp
.Ar destination
@@ -375,7 +392,8 @@ option is given).
.Pp
.Ar port
can be a specified as a numeric port number, or as a service name.
-Ports may be specified in a range of the form nn-mm.
+Ports may be specified in a range of the form
+.Ar nn Ns - Ns Ar mm .
In general,
a destination port must be specified,
unless the
@@ -548,8 +566,8 @@ if the proxy requires it:
.Xr cat 1 ,
.Xr ssh 1
.Sh AUTHORS
-Original implementation by *Hobbit*
-.Aq Mt hobbit@avian.org .
+Original implementation by
+.An *Hobbit* Aq Mt hobbit@avian.org .
.br
Rewritten with IPv6 support by
.An Eric Jackson Aq Mt ericj@monkey.org .
diff --git a/netcat.c b/netcat.c
index fcc38897cd93..3798dc760f1d 100644
--- a/netcat.c
+++ b/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.190 2018/03/19 16:35:29 jsing Exp $ */
+/* $OpenBSD: netcat.c,v 1.195 2018/10/04 17:04:50 bluhm Exp $ */
/*
* Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
* Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -122,7 +122,7 @@ void atelnet(int, unsigned char *, unsigned int);
int strtoport(char *portstr, int udp);
void build_ports(char *);
void help(void) __attribute__((noreturn));
-int local_listen(char *, char *, struct addrinfo);
+int local_listen(const char *, const char *, struct addrinfo);
void readwrite(int, struct tls *);
void fdpass(int nfd) __attribute__((noreturn));
int remote_connect(const char *, const char *, struct addrinfo);
@@ -349,13 +349,51 @@ main(int argc, char *argv[])
if (setrtable(rtableid) == -1)
err(1, "setrtable");
+ /* Cruft to make sure options are clean, and used properly. */
+ if (argv[0] && !argv[1] && family == AF_UNIX) {
+ host = argv[0];
+ uport = NULL;
+ } else if (argv[0] && !argv[1]) {
+ if (!lflag)
+ usage(1);
+ uport = argv[0];
+ host = NULL;
+ } else if (argv[0] && argv[1]) {
+ host = argv[0];
+ uport = argv[1];
+ } else
+ usage(1);
+
+ if (usetls) {
+ if (Cflag && unveil(Cflag, "r") == -1)
+ err(1, "unveil");
+ if (unveil(Rflag, "r") == -1)
+ err(1, "unveil");
+ if (Kflag && unveil(Kflag, "r") == -1)
+ err(1, "unveil");
+ if (oflag && unveil(oflag, "r") == -1)
+ err(1, "unveil");
+ } else {
+ if (family == AF_UNIX) {
+ if (unveil(host, "rwc") == -1)
+ err(1, "unveil");
+ if (uflag && !lflag) {
+ if (unveil(sflag ? sflag : "/tmp", "rwc") == -1)
+ err(1, "unveil");
+ }
+ } else {
+ if (unveil("/", "") == -1)
+ err(1, "unveil");
+ }
+ }
+
if (family == AF_UNIX) {
if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
err(1, "pledge");
} else if (Fflag && Pflag) {
if (pledge("stdio inet dns sendfd tty", NULL) == -1)
err(1, "pledge");
- } else if (Fflag) {
+ } else if (Fflag) {
if (pledge("stdio inet dns sendfd", NULL) == -1)
err(1, "pledge");
} else if (Pflag && usetls) {
@@ -370,21 +408,6 @@ main(int argc, char *argv[])
} else if (pledge("stdio inet dns", NULL) == -1)
err(1, "pledge");
- /* Cruft to make sure options are clean, and used properly. */
- if (argv[0] && !argv[1] && family == AF_UNIX) {
- host = argv[0];
- uport = NULL;
- } else if (argv[0] && !argv[1]) {
- if (!lflag)
- usage(1);
- uport = argv[0];
- host = NULL;
- } else if (argv[0] && argv[1]) {
- host = argv[0];
- uport = argv[1];
- } else
- usage(1);
-
if (lflag && sflag)
errx(1, "cannot use -s and -l");
if (lflag && pflag)
@@ -520,8 +543,6 @@ main(int argc, char *argv[])
err(1, "pledge");
}
if (lflag) {
- struct tls *tls_cctx = NULL;
- int connfd;
ret = 0;
if (family == AF_UNIX) {
@@ -541,8 +562,11 @@ main(int argc, char *argv[])
}
/* Allow only one connection at a time, but stay alive. */
for (;;) {
- if (family != AF_UNIX)
+ if (family != AF_UNIX) {
+ if (s != -1)
+ close(s);
s = local_listen(host, uport, hints);
+ }
if (s < 0)
err(1, NULL);
if (uflag && kflag) {
@@ -577,6 +601,9 @@ main(int argc, char *argv[])
readwrite(s, NULL);
} else {
+ struct tls *tls_cctx = NULL;
+ int connfd;
+
len = sizeof(cliaddr);
connfd = accept4(s, (struct sockaddr *)&cliaddr,
&len, SOCK_NONBLOCK);
@@ -592,16 +619,12 @@ main(int argc, char *argv[])
readwrite(connfd, tls_cctx);
if (!usetls)
readwrite(connfd, NULL);
- if (tls_cctx) {
+ if (tls_cctx)
timeout_tls(s, tls_cctx, tls_close);
- tls_free(tls_cctx);
- tls_cctx = NULL;
- }
close(connfd);
+ tls_free(tls_cctx);
}
- if (family != AF_UNIX)
- close(s);
- else if (uflag) {
+ if (family == AF_UNIX && uflag) {
if (connect(s, NULL, 0) < 0)
err(1, "connect");
}
@@ -633,6 +656,8 @@ main(int argc, char *argv[])
for (s = -1, i = 0; portlist[i] != NULL; i++) {
if (s != -1)
close(s);
+ tls_free(tls_ctx);
+ tls_ctx = NULL;
if (usetls) {
if ((tls_ctx = tls_client()) == NULL)
@@ -683,18 +708,15 @@ main(int argc, char *argv[])
tls_setup_client(tls_ctx, s, host);
if (!zflag)
readwrite(s, tls_ctx);
- if (tls_ctx) {
+ if (tls_ctx)
timeout_tls(s, tls_ctx, tls_close);
- tls_free(tls_ctx);
- tls_ctx = NULL;
- }
}
}
}
if (s != -1)
close(s);
-
+ tls_free(tls_ctx);
tls_config_free(tls_cfg);
return ret;
@@ -970,7 +992,7 @@ timeout_connect(int s, const struct sockaddr *name, socklen_t namelen)
* address. Returns -1 on failure.
*/
int
-local_listen(char *host, char *port, struct addrinfo hints)
+local_listen(const char *host, const char *port, struct addrinfo hints)
{
struct addrinfo *res, *res0;
int s = -1, ret, x = 1, save_errno;
diff --git a/socks.c b/socks.c
index c9aa5178c530..5aa191d2840c 100644
--- a/socks.c
+++ b/socks.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: socks.c,v 1.24 2016/06/27 14:43:04 deraadt Exp $ */
+/* $OpenBSD: socks.c,v 1.25 2018/03/27 16:31:10 deraadt Exp $ */
/*
* Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
@@ -109,17 +109,16 @@ proxy_read_line(int fd, char *buf, size_t bufsz)
return (off);
}
-static const char *
-getproxypass(const char *proxyuser, const char *proxyhost)
+static void
+getproxypass(const char *proxyuser, const char *proxyhost,
+ char *pw, size_t pwlen)
{
char prompt[512];
- static char pw[256];
snprintf(prompt, sizeof(prompt), "Proxy password for %s@%s: ",
proxyuser, proxyhost);
- if (readpassphrase(prompt, pw, sizeof(pw), RPP_REQUIRE_TTY) == NULL)
+ if (readpassphrase(prompt, pw, pwlen, RPP_REQUIRE_TTY) == NULL)
errx(1, "Unable to read proxy passphrase");
- return (pw);
}
/*
@@ -188,7 +187,6 @@ socks_connect(const char *host, const char *port,
struct sockaddr_in *in4 = (struct sockaddr_in *)&addr;
struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&addr;
in_port_t serverport;
- const char *proxypass = NULL;
if (proxyport == NULL)
proxyport = (socksv == -1) ? HTTP_PROXY_PORT : SOCKS_PORT;
@@ -345,11 +343,14 @@ socks_connect(const char *host, const char *port,
err(1, "write failed (%zu/%d)", cnt, r);
if (authretry > 1) {
+ char proxypass[256];
char resp[1024];
- proxypass = getproxypass(proxyuser, proxyhost);
+ getproxypass(proxyuser, proxyhost,
+ proxypass, sizeof proxypass);
r = snprintf(buf, sizeof(buf), "%s:%s",
proxyuser, proxypass);
+ explicit_bzero(proxypass, sizeof proxypass);
if (r == -1 || (size_t)r >= sizeof(buf) ||
b64_ntop(buf, strlen(buf), resp,
sizeof(resp)) == -1)
@@ -361,6 +362,8 @@ socks_connect(const char *host, const char *port,
r = strlen(buf);
if ((cnt = atomicio(vwrite, proxyfd, buf, r)) != r)
err(1, "write failed (%zu/%d)", cnt, r);
+ explicit_bzero(proxypass, sizeof proxypass);
+ explicit_bzero(buf, sizeof buf);
}
/* Terminate headers */