aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDag-Erling Smørgrav <des@FreeBSD.org>2019-05-10 17:29:44 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2019-05-10 17:29:44 +0000
commitfcf0d3fa333495ded71eb67e4efd5e0bcd5a48ac (patch)
tree88ba2e98e3198646e2c0e6da776bd4df41042452
parent61d7c99ff1528b8d57f9cd5f5dea2015b9e6b654 (diff)
downloadsrc-fcf0d3fa333495ded71eb67e4efd5e0bcd5a48ac.tar.gz
src-fcf0d3fa333495ded71eb67e4efd5e0bcd5a48ac.zip
Import netcat from OpenBSD 6.3.vendor/netcat/6.3
Notes
Notes: svn path=/vendor/netcat/dist/; revision=347452 svn path=/vendor/netcat/6.3/; revision=347453; tag=vendor/netcat/6.3
-rw-r--r--nc.126
-rw-r--r--netcat.c89
2 files changed, 68 insertions, 47 deletions
diff --git a/nc.1 b/nc.1
index bb3a8f7cf537..e10d385a142d 100644
--- a/nc.1
+++ b/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.87 2017/07/15 18:11:47 jmc Exp $
+.\" $OpenBSD: nc.1,v 1.88 2017/11/28 16:59:10 jsing Exp $
.\"
.\" Copyright (c) 1996 David Sacerdote
.\" All rights reserved.
@@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 15 2017 $
+.Dd $Mdocdate: November 28 2017 $
.Dt NC 1
.Os
.Sh NAME
@@ -233,10 +233,6 @@ Change IPv4 TOS value or TLS options.
For TLS options
.Ar keyword
may be one of:
-.Ar tlsall ,
-which allows the use of all supported TLS protocols and ciphers;
-.Ar tlscompat ,
-which allows the use of all supported TLS protocols and "compat" ciphers;
.Ar noverify ,
which disables certificate verification;
.Ar noname ,
@@ -246,6 +242,15 @@ which requires a client certificate on incoming connections; or
.Ar muststaple ,
which requires the peer to provide a valid stapled OCSP response
with the handshake.
+The following TLS options specify a value in the form of a key=value pair:
+.Ar ciphers ,
+which allows the supported TLS ciphers to be specified (see
+.Xr tls_config_set_ciphers 3
+for further details);
+.Ar protocols ,
+which allows the supported TLS protocols to be specified (see
+.Xr tls_config_parse_protocols 3
+for further details).
It is illegal to specify TLS options if not using TLS.
.Pp
For IPv4 TOS value
@@ -497,10 +502,15 @@ the source port, with a timeout of 5 seconds:
.Pp
.Dl $ nc -p 31337 -w 5 host.example.com 42
.Pp
+Open a TCP connection to port 443 of www.example.com, and negotiate TLS with
+any supported TLS protocol version and "compat" ciphers:
+.Pp
+.Dl $ nc -cv -T protocols=all -T ciphers=compat www.example.com 443
+.Pp
Open a TCP connection to port 443 of www.google.ca, and negotiate TLS.
-Check for a different name in the certificate for validation.
+Check for a different name in the certificate for validation:
.Pp
-.Dl $ nc -v -c -e adsf.au.doubleclick.net www.google.ca 443
+.Dl $ nc -cv -e adsf.au.doubleclick.net www.google.ca 443
.Pp
Open a UDP connection to port 53 of host.example.com:
.Pp
diff --git a/netcat.c b/netcat.c
index ce55972a7c2f..fcc38897cd93 100644
--- a/netcat.c
+++ b/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.187 2017/07/15 17:27:39 jsing Exp $ */
+/* $OpenBSD: netcat.c,v 1.190 2018/03/19 16:35:29 jsing Exp $ */
/*
* Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
* Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -68,12 +68,10 @@
#define BUFSIZE 16384
#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
-#define TLS_ALL (1 << 1)
-#define TLS_NOVERIFY (1 << 2)
-#define TLS_NONAME (1 << 3)
-#define TLS_CCERT (1 << 4)
-#define TLS_MUSTSTAPLE (1 << 5)
-#define TLS_COMPAT (1 << 6)
+#define TLS_NOVERIFY (1 << 1)
+#define TLS_NONAME (1 << 2)
+#define TLS_CCERT (1 << 3)
+#define TLS_MUSTSTAPLE (1 << 4)
/* Command Line Options */
int dflag; /* detached, no stdin */
@@ -108,6 +106,8 @@ int tls_cachanged; /* Using non-default CA file */
int TLSopt; /* TLS options */
char *tls_expectname; /* required name in peer cert */
char *tls_expecthash; /* required hash of peer cert */
+char *tls_ciphers; /* TLS ciphers */
+char *tls_protocols; /* TLS protocols */
FILE *Zflag; /* file to save peer cert */
int recvcount, recvlimit;
@@ -135,8 +135,8 @@ int unix_bind(char *, int);
int unix_connect(char *);
int unix_listen(char *);
void set_common_sockopts(int, int);
-int map_tos(char *, int *);
-int map_tls(char *, int *);
+int process_tos_opt(char *, int *);
+int process_tls_opt(char *, int *);
void save_peer_cert(struct tls *_tls_ctx, FILE *_fp);
void report_connect(const struct sockaddr *, socklen_t, char *);
void report_tls(struct tls *tls_ctx, char * host);
@@ -161,6 +161,7 @@ main(int argc, char *argv[])
char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
struct tls_config *tls_cfg = NULL;
struct tls *tls_ctx = NULL;
+ uint32_t protocols;
ret = 1;
socksv = 5;
@@ -324,9 +325,9 @@ main(int argc, char *argv[])
case 'T':
errstr = NULL;
errno = 0;
- if (map_tos(optarg, &Tflag))
+ if (process_tls_opt(optarg, &TLSopt))
break;
- if (map_tls(optarg, &TLSopt))
+ if (process_tos_opt(optarg, &Tflag))
break;
if (strlen(optarg) > 1 && optarg[0] == '0' &&
optarg[1] == 'x')
@@ -402,8 +403,6 @@ main(int argc, char *argv[])
errx(1, "cannot use -c and -F");
if (TLSopt && !usetls)
errx(1, "you must specify -c to use TLS options");
- if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT))
- errx(1, "cannot use -T tlsall and -T tlscompat");
if (Cflag && !usetls)
errx(1, "you must specify -c to use -C");
if (Kflag && !usetls)
@@ -485,8 +484,6 @@ main(int argc, char *argv[])
}
if (usetls) {
- if (tls_init() == -1)
- errx(1, "unable to initialize TLS");
if ((tls_cfg = tls_config_new()) == NULL)
errx(1, "unable to allocate TLS config");
if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1)
@@ -497,14 +494,12 @@ main(int argc, char *argv[])
errx(1, "%s", tls_config_error(tls_cfg));
if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
errx(1, "%s", tls_config_error(tls_cfg));
- if (TLSopt & (TLS_ALL|TLS_COMPAT)) {
- if (tls_config_set_protocols(tls_cfg,
- TLS_PROTOCOLS_ALL) != 0)
- errx(1, "%s", tls_config_error(tls_cfg));
- if (tls_config_set_ciphers(tls_cfg,
- (TLSopt & TLS_ALL) ? "all" : "compat") != 0)
- errx(1, "%s", tls_config_error(tls_cfg));
- }
+ if (tls_config_parse_protocols(&protocols, tls_protocols) == -1)
+ errx(1, "invalid TLS protocols `%s'", tls_protocols);
+ if (tls_config_set_protocols(tls_cfg, protocols) == -1)
+ errx(1, "%s", tls_config_error(tls_cfg));
+ if (tls_config_set_ciphers(tls_cfg, tls_ciphers) == -1)
+ errx(1, "%s", tls_config_error(tls_cfg));
if (!lflag && (TLSopt & TLS_CCERT))
errx(1, "clientcert is only valid with -l");
if (TLSopt & TLS_NONAME)
@@ -563,13 +558,12 @@ main(int argc, char *argv[])
* initially to wait for a caller, then use
* the regular functions to talk to the caller.
*/
- int rv, plen;
- char buf[16384];
+ int rv;
+ char buf[2048];
struct sockaddr_storage z;
len = sizeof(z);
- plen = 2048;
- rv = recvfrom(s, buf, plen, MSG_PEEK,
+ rv = recvfrom(s, buf, sizeof(buf), MSG_PEEK,
(struct sockaddr *)&z, &len);
if (rv < 0)
err(1, "recvfrom");
@@ -1510,7 +1504,7 @@ set_common_sockopts(int s, int af)
}
int
-map_tos(char *s, int *val)
+process_tos_opt(char *s, int *val)
{
/* DiffServ Codepoints and other TOS mappings */
const struct toskeywords {
@@ -1558,24 +1552,41 @@ map_tos(char *s, int *val)
}
int
-map_tls(char *s, int *val)
+process_tls_opt(char *s, int *flags)
{
+ size_t len;
+ char *v;
+
const struct tlskeywords {
const char *keyword;
- int val;
+ int flag;
+ char **value;
} *t, tlskeywords[] = {
- { "tlsall", TLS_ALL },
- { "noverify", TLS_NOVERIFY },
- { "noname", TLS_NONAME },
- { "clientcert", TLS_CCERT},
- { "muststaple", TLS_MUSTSTAPLE},
- { "tlscompat", TLS_COMPAT },
- { NULL, -1 },
+ { "ciphers", -1, &tls_ciphers },
+ { "clientcert", TLS_CCERT, NULL },
+ { "muststaple", TLS_MUSTSTAPLE, NULL },
+ { "noverify", TLS_NOVERIFY, NULL },
+ { "noname", TLS_NONAME, NULL },
+ { "protocols", -1, &tls_protocols },
+ { NULL, -1, NULL },
};
+ len = strlen(s);
+ if ((v = strchr(s, '=')) != NULL) {
+ len = v - s;
+ v++;
+ }
+
for (t = tlskeywords; t->keyword != NULL; t++) {
- if (strcmp(s, t->keyword) == 0) {
- *val |= t->val;
+ if (strlen(t->keyword) == len &&
+ strncmp(s, t->keyword, len) == 0) {
+ if (t->value != NULL) {
+ if (v == NULL)
+ errx(1, "invalid tls value `%s'", s);
+ *t->value = v;
+ } else {
+ *flags |= t->flag;
+ }
return 1;
}
}