| GCC Code Coverage Report | |||||||||||||||||||||
|
|||||||||||||||||||||
| Line | Branch | Exec | Source |
1 |
/* $OpenBSD: netcat.c,v 1.187 2017/07/15 17:27:39 jsing Exp $ */ |
||
2 |
/* |
||
3 |
* Copyright (c) 2001 Eric Jackson <ericj@monkey.org> |
||
4 |
* Copyright (c) 2015 Bob Beck. All rights reserved. |
||
5 |
* |
||
6 |
* Redistribution and use in source and binary forms, with or without |
||
7 |
* modification, are permitted provided that the following conditions |
||
8 |
* are met: |
||
9 |
* |
||
10 |
* 1. Redistributions of source code must retain the above copyright |
||
11 |
* notice, this list of conditions and the following disclaimer. |
||
12 |
* 2. Redistributions in binary form must reproduce the above copyright |
||
13 |
* notice, this list of conditions and the following disclaimer in the |
||
14 |
* documentation and/or other materials provided with the distribution. |
||
15 |
* 3. The name of the author may not be used to endorse or promote products |
||
16 |
* derived from this software without specific prior written permission. |
||
17 |
* |
||
18 |
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
||
19 |
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
||
20 |
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
||
21 |
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
||
22 |
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
||
23 |
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
||
24 |
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
||
25 |
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
||
26 |
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
||
27 |
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
||
28 |
*/ |
||
29 |
|||
30 |
/* |
||
31 |
* Re-written nc(1) for OpenBSD. Original implementation by |
||
32 |
* *Hobbit* <hobbit@avian.org>. |
||
33 |
*/ |
||
34 |
|||
35 |
#include <sys/types.h> |
||
36 |
#include <sys/socket.h> |
||
37 |
#include <sys/uio.h> |
||
38 |
#include <sys/un.h> |
||
39 |
|||
40 |
#include <netinet/in.h> |
||
41 |
#include <netinet/tcp.h> |
||
42 |
#include <netinet/ip.h> |
||
43 |
#include <arpa/telnet.h> |
||
44 |
|||
45 |
#include <err.h> |
||
46 |
#include <errno.h> |
||
47 |
#include <limits.h> |
||
48 |
#include <netdb.h> |
||
49 |
#include <poll.h> |
||
50 |
#include <signal.h> |
||
51 |
#include <stdarg.h> |
||
52 |
#include <stdio.h> |
||
53 |
#include <stdlib.h> |
||
54 |
#include <string.h> |
||
55 |
#include <time.h> |
||
56 |
#include <tls.h> |
||
57 |
#include <unistd.h> |
||
58 |
|||
59 |
#include "atomicio.h" |
||
60 |
|||
61 |
#define PORT_MAX 65535 |
||
62 |
#define UNIX_DG_TMP_SOCKET_SIZE 19 |
||
63 |
|||
64 |
#define POLL_STDIN 0 |
||
65 |
#define POLL_NETOUT 1 |
||
66 |
#define POLL_NETIN 2 |
||
67 |
#define POLL_STDOUT 3 |
||
68 |
#define BUFSIZE 16384 |
||
69 |
#define DEFAULT_CA_FILE "/etc/ssl/cert.pem" |
||
70 |
|||
71 |
#define TLS_ALL (1 << 1) |
||
72 |
#define TLS_NOVERIFY (1 << 2) |
||
73 |
#define TLS_NONAME (1 << 3) |
||
74 |
#define TLS_CCERT (1 << 4) |
||
75 |
#define TLS_MUSTSTAPLE (1 << 5) |
||
76 |
#define TLS_COMPAT (1 << 6) |
||
77 |
|||
78 |
/* Command Line Options */ |
||
79 |
int dflag; /* detached, no stdin */ |
||
80 |
int Fflag; /* fdpass sock to stdout */ |
||
81 |
unsigned int iflag; /* Interval Flag */ |
||
82 |
int kflag; /* More than one connect */ |
||
83 |
int lflag; /* Bind to local port */ |
||
84 |
int Nflag; /* shutdown() network socket */ |
||
85 |
int nflag; /* Don't do name look up */ |
||
86 |
char *Pflag; /* Proxy username */ |
||
87 |
char *pflag; /* Localport flag */ |
||
88 |
int rflag; /* Random ports flag */ |
||
89 |
char *sflag; /* Source Address */ |
||
90 |
int tflag; /* Telnet Emulation */ |
||
91 |
int uflag; /* UDP - Default to TCP */ |
||
92 |
int vflag; /* Verbosity */ |
||
93 |
int xflag; /* Socks proxy */ |
||
94 |
int zflag; /* Port Scan Flag */ |
||
95 |
int Dflag; /* sodebug */ |
||
96 |
int Iflag; /* TCP receive buffer size */ |
||
97 |
int Oflag; /* TCP send buffer size */ |
||
98 |
int Sflag; /* TCP MD5 signature option */ |
||
99 |
int Tflag = -1; /* IP Type of Service */ |
||
100 |
int rtableid = -1; |
||
101 |
|||
102 |
int usetls; /* use TLS */ |
||
103 |
char *Cflag; /* Public cert file */ |
||
104 |
char *Kflag; /* Private key file */ |
||
105 |
char *oflag; /* OCSP stapling file */ |
||
106 |
char *Rflag = DEFAULT_CA_FILE; /* Root CA file */ |
||
107 |
int tls_cachanged; /* Using non-default CA file */ |
||
108 |
int TLSopt; /* TLS options */ |
||
109 |
char *tls_expectname; /* required name in peer cert */ |
||
110 |
char *tls_expecthash; /* required hash of peer cert */ |
||
111 |
FILE *Zflag; /* file to save peer cert */ |
||
112 |
|||
113 |
int recvcount, recvlimit; |
||
114 |
int timeout = -1; |
||
115 |
int family = AF_UNSPEC; |
||
116 |
char *portlist[PORT_MAX+1]; |
||
117 |
char *unix_dg_tmp_socket; |
||
118 |
int ttl = -1; |
||
119 |
int minttl = -1; |
||
120 |
|||
121 |
void atelnet(int, unsigned char *, unsigned int); |
||
122 |
int strtoport(char *portstr, int udp); |
||
123 |
void build_ports(char *); |
||
124 |
void help(void) __attribute__((noreturn)); |
||
125 |
int local_listen(char *, char *, struct addrinfo); |
||
126 |
void readwrite(int, struct tls *); |
||
127 |
void fdpass(int nfd) __attribute__((noreturn)); |
||
128 |
int remote_connect(const char *, const char *, struct addrinfo); |
||
129 |
int timeout_tls(int, struct tls *, int (*)(struct tls *)); |
||
130 |
int timeout_connect(int, const struct sockaddr *, socklen_t); |
||
131 |
int socks_connect(const char *, const char *, struct addrinfo, |
||
132 |
const char *, const char *, struct addrinfo, int, const char *); |
||
133 |
int udptest(int); |
||
134 |
int unix_bind(char *, int); |
||
135 |
int unix_connect(char *); |
||
136 |
int unix_listen(char *); |
||
137 |
void set_common_sockopts(int, int); |
||
138 |
int map_tos(char *, int *); |
||
139 |
int map_tls(char *, int *); |
||
140 |
void save_peer_cert(struct tls *_tls_ctx, FILE *_fp); |
||
141 |
void report_connect(const struct sockaddr *, socklen_t, char *); |
||
142 |
void report_tls(struct tls *tls_ctx, char * host); |
||
143 |
void usage(int); |
||
144 |
ssize_t drainbuf(int, unsigned char *, size_t *, struct tls *); |
||
145 |
ssize_t fillbuf(int, unsigned char *, size_t *, struct tls *); |
||
146 |
void tls_setup_client(struct tls *, int, char *); |
||
147 |
struct tls *tls_setup_server(struct tls *, int, char *); |
||
148 |
|||
149 |
int |
||
150 |
main(int argc, char *argv[]) |
||
151 |
{ |
||
152 |
int ch, s = -1, ret, socksv; |
||
153 |
char *host, *uport; |
||
154 |
90 |
struct addrinfo hints; |
|
155 |
struct servent *sv; |
||
156 |
45 |
socklen_t len; |
|
157 |
45 |
struct sockaddr_storage cliaddr; |
|
158 |
char *proxy = NULL, *proxyport = NULL; |
||
159 |
45 |
const char *errstr; |
|
160 |
45 |
struct addrinfo proxyhints; |
|
161 |
45 |
char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE]; |
|
162 |
struct tls_config *tls_cfg = NULL; |
||
163 |
struct tls *tls_ctx = NULL; |
||
164 |
|||
165 |
ret = 1; |
||
166 |
socksv = 5; |
||
167 |
host = NULL; |
||
168 |
uport = NULL; |
||
169 |
sv = NULL; |
||
170 |
|||
171 |
45 |
signal(SIGPIPE, SIG_IGN); |
|
172 |
|||
173 |
✓✓ | 315 |
while ((ch = getopt(argc, argv, |
174 |
"46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vW:w:X:x:Z:z")) |
||
175 |
135 |
!= -1) { |
|
176 |
✓✗✗✗ ✗✗✗✗ ✗✗✗✗ ✗✗✓✗ ✗✗✗✗ ✗✗✗✗ ✗✗✗✗ ✗✗✗✗ ✗✗✗✗ ✗✗✗✗ |
90 |
switch (ch) { |
177 |
case '4': |
||
178 |
45 |
family = AF_INET; |
|
179 |
45 |
break; |
|
180 |
case '6': |
||
181 |
family = AF_INET6; |
||
182 |
break; |
||
183 |
case 'U': |
||
184 |
family = AF_UNIX; |
||
185 |
break; |
||
186 |
case 'X': |
||
187 |
if (strcasecmp(optarg, "connect") == 0) |
||
188 |
socksv = -1; /* HTTP proxy CONNECT */ |
||
189 |
else if (strcmp(optarg, "4") == 0) |
||
190 |
socksv = 4; /* SOCKS v.4 */ |
||
191 |
else if (strcmp(optarg, "5") == 0) |
||
192 |
socksv = 5; /* SOCKS v.5 */ |
||
193 |
else |
||
194 |
errx(1, "unsupported proxy protocol"); |
||
195 |
break; |
||
196 |
case 'C': |
||
197 |
Cflag = optarg; |
||
198 |
break; |
||
199 |
case 'c': |
||
200 |
usetls = 1; |
||
201 |
break; |
||
202 |
case 'd': |
||
203 |
dflag = 1; |
||
204 |
break; |
||
205 |
case 'e': |
||
206 |
tls_expectname = optarg; |
||
207 |
break; |
||
208 |
case 'F': |
||
209 |
Fflag = 1; |
||
210 |
break; |
||
211 |
case 'H': |
||
212 |
tls_expecthash = optarg; |
||
213 |
break; |
||
214 |
case 'h': |
||
215 |
help(); |
||
216 |
break; |
||
217 |
case 'i': |
||
218 |
iflag = strtonum(optarg, 0, UINT_MAX, &errstr); |
||
219 |
if (errstr) |
||
220 |
errx(1, "interval %s: %s", errstr, optarg); |
||
221 |
break; |
||
222 |
case 'K': |
||
223 |
Kflag = optarg; |
||
224 |
break; |
||
225 |
case 'k': |
||
226 |
kflag = 1; |
||
227 |
break; |
||
228 |
case 'l': |
||
229 |
45 |
lflag = 1; |
|
230 |
45 |
break; |
|
231 |
case 'M': |
||
232 |
ttl = strtonum(optarg, 0, 255, &errstr); |
||
233 |
if (errstr) |
||
234 |
errx(1, "ttl is %s", errstr); |
||
235 |
break; |
||
236 |
case 'm': |
||
237 |
minttl = strtonum(optarg, 0, 255, &errstr); |
||
238 |
if (errstr) |
||
239 |
errx(1, "minttl is %s", errstr); |
||
240 |
break; |
||
241 |
case 'N': |
||
242 |
Nflag = 1; |
||
243 |
break; |
||
244 |
case 'n': |
||
245 |
nflag = 1; |
||
246 |
break; |
||
247 |
case 'P': |
||
248 |
Pflag = optarg; |
||
249 |
break; |
||
250 |
case 'p': |
||
251 |
pflag = optarg; |
||
252 |
break; |
||
253 |
case 'R': |
||
254 |
tls_cachanged = 1; |
||
255 |
Rflag = optarg; |
||
256 |
break; |
||
257 |
case 'r': |
||
258 |
rflag = 1; |
||
259 |
break; |
||
260 |
case 's': |
||
261 |
sflag = optarg; |
||
262 |
break; |
||
263 |
case 't': |
||
264 |
tflag = 1; |
||
265 |
break; |
||
266 |
case 'u': |
||
267 |
uflag = 1; |
||
268 |
break; |
||
269 |
case 'V': |
||
270 |
rtableid = (int)strtonum(optarg, 0, |
||
271 |
RT_TABLEID_MAX, &errstr); |
||
272 |
if (errstr) |
||
273 |
errx(1, "rtable %s: %s", errstr, optarg); |
||
274 |
break; |
||
275 |
case 'v': |
||
276 |
vflag = 1; |
||
277 |
break; |
||
278 |
case 'W': |
||
279 |
recvlimit = strtonum(optarg, 1, INT_MAX, &errstr); |
||
280 |
if (errstr) |
||
281 |
errx(1, "receive limit %s: %s", errstr, optarg); |
||
282 |
break; |
||
283 |
case 'w': |
||
284 |
timeout = strtonum(optarg, 0, INT_MAX / 1000, &errstr); |
||
285 |
if (errstr) |
||
286 |
errx(1, "timeout %s: %s", errstr, optarg); |
||
287 |
timeout *= 1000; |
||
288 |
break; |
||
289 |
case 'x': |
||
290 |
xflag = 1; |
||
291 |
if ((proxy = strdup(optarg)) == NULL) |
||
292 |
err(1, NULL); |
||
293 |
break; |
||
294 |
case 'Z': |
||
295 |
if (strcmp(optarg, "-") == 0) |
||
296 |
Zflag = stderr; |
||
297 |
else if ((Zflag = fopen(optarg, "w")) == NULL) |
||
298 |
err(1, "can't open %s", optarg); |
||
299 |
break; |
||
300 |
case 'z': |
||
301 |
zflag = 1; |
||
302 |
break; |
||
303 |
case 'D': |
||
304 |
Dflag = 1; |
||
305 |
break; |
||
306 |
case 'I': |
||
307 |
Iflag = strtonum(optarg, 1, 65536 << 14, &errstr); |
||
308 |
if (errstr != NULL) |
||
309 |
errx(1, "TCP receive window %s: %s", |
||
310 |
errstr, optarg); |
||
311 |
break; |
||
312 |
case 'O': |
||
313 |
Oflag = strtonum(optarg, 1, 65536 << 14, &errstr); |
||
314 |
if (errstr != NULL) |
||
315 |
errx(1, "TCP send window %s: %s", |
||
316 |
errstr, optarg); |
||
317 |
break; |
||
318 |
case 'o': |
||
319 |
oflag = optarg; |
||
320 |
break; |
||
321 |
case 'S': |
||
322 |
Sflag = 1; |
||
323 |
break; |
||
324 |
case 'T': |
||
325 |
errstr = NULL; |
||
326 |
errno = 0; |
||
327 |
if (map_tos(optarg, &Tflag)) |
||
328 |
break; |
||
329 |
if (map_tls(optarg, &TLSopt)) |
||
330 |
break; |
||
331 |
if (strlen(optarg) > 1 && optarg[0] == '0' && |
||
332 |
optarg[1] == 'x') |
||
333 |
Tflag = (int)strtol(optarg, NULL, 16); |
||
334 |
else |
||
335 |
Tflag = (int)strtonum(optarg, 0, 255, |
||
336 |
&errstr); |
||
337 |
if (Tflag < 0 || Tflag > 255 || errstr || errno) |
||
338 |
errx(1, "illegal tos/tls value %s", optarg); |
||
339 |
break; |
||
340 |
default: |
||
341 |
usage(1); |
||
342 |
} |
||
343 |
} |
||
344 |
45 |
argc -= optind; |
|
345 |
45 |
argv += optind; |
|
346 |
|||
347 |
✗✓ | 45 |
if (rtableid >= 0) |
348 |
if (setrtable(rtableid) == -1) |
||
349 |
err(1, "setrtable"); |
||
350 |
|||
351 |
✗✓ | 45 |
if (family == AF_UNIX) { |
352 |
if (pledge("stdio rpath wpath cpath tmppath unix flock", NULL) == -1) |
||
353 |
err(1, "pledge"); |
||
354 |
✗✓ | 45 |
} else if (Fflag && Pflag) { |
355 |
if (pledge("stdio inet dns sendfd tty flock rpath cpath wpath", NULL) == -1) |
||
356 |
err(1, "pledge"); |
||
357 |
✗✓ | 45 |
} else if (Fflag) { |
358 |
if (pledge("stdio inet dns sendfd flock rpath cpath wpath", NULL) == -1) |
||
359 |
err(1, "pledge"); |
||
360 |
✗✓ | 45 |
} else if (Pflag && usetls) { |
361 |
if (pledge("stdio rpath inet dns tty flock cpath wpath", NULL) == -1) |
||
362 |
err(1, "pledge"); |
||
363 |
✗✓ | 45 |
} else if (Pflag) { |
364 |
if (pledge("stdio inet dns tty flock rpath cpath wpath", NULL) == -1) |
||
365 |
err(1, "pledge"); |
||
366 |
✗✓ | 45 |
} else if (usetls) { |
367 |
if (pledge("stdio rpath inet dns flock cpath wpath", NULL) == -1) |
||
368 |
err(1, "pledge"); |
||
369 |
✗✓ | 45 |
} else if (pledge("stdio inet dns flock rpath cpath wpath", NULL) == -1) |
370 |
err(1, "pledge"); |
||
371 |
|||
372 |
/* Cruft to make sure options are clean, and used properly. */ |
||
373 |
✓✗✗✓ |
90 |
if (argv[0] && !argv[1] && family == AF_UNIX) { |
374 |
host = argv[0]; |
||
375 |
uport = NULL; |
||
376 |
✓✗✓✗ |
90 |
} else if (argv[0] && !argv[1]) { |
377 |
✗✓ | 45 |
if (!lflag) |
378 |
usage(1); |
||
379 |
45 |
uport = argv[0]; |
|
380 |
host = NULL; |
||
381 |
✗✗✗✗ |
45 |
} else if (argv[0] && argv[1]) { |
382 |
host = argv[0]; |
||
383 |
uport = argv[1]; |
||
384 |
} else |
||
385 |
usage(1); |
||
386 |
|||
387 |
✗✓ | 45 |
if (lflag && sflag) |
388 |
errx(1, "cannot use -s and -l"); |
||
389 |
✗✓ | 45 |
if (lflag && pflag) |
390 |
errx(1, "cannot use -p and -l"); |
||
391 |
✗✓ | 45 |
if (lflag && zflag) |
392 |
errx(1, "cannot use -z and -l"); |
||
393 |
✗✓ | 45 |
if (!lflag && kflag) |
394 |
errx(1, "must use -l with -k"); |
||
395 |
✗✓ | 45 |
if (uflag && usetls) |
396 |
errx(1, "cannot use -c and -u"); |
||
397 |
✗✓ | 45 |
if ((family == AF_UNIX) && usetls) |
398 |
errx(1, "cannot use -c and -U"); |
||
399 |
✗✓ | 45 |
if ((family == AF_UNIX) && Fflag) |
400 |
errx(1, "cannot use -F and -U"); |
||
401 |
✗✓ | 45 |
if (Fflag && usetls) |
402 |
errx(1, "cannot use -c and -F"); |
||
403 |
✗✓ | 45 |
if (TLSopt && !usetls) |
404 |
errx(1, "you must specify -c to use TLS options"); |
||
405 |
✗✓ | 45 |
if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT)) |
406 |
errx(1, "cannot use -T tlsall and -T tlscompat"); |
||
407 |
✗✓ | 45 |
if (Cflag && !usetls) |
408 |
errx(1, "you must specify -c to use -C"); |
||
409 |
✗✓ | 45 |
if (Kflag && !usetls) |
410 |
errx(1, "you must specify -c to use -K"); |
||
411 |
✗✓ | 45 |
if (Zflag && !usetls) |
412 |
errx(1, "you must specify -c to use -Z"); |
||
413 |
✗✓ | 45 |
if (oflag && !Cflag) |
414 |
errx(1, "you must specify -C to use -o"); |
||
415 |
✗✓ | 45 |
if (tls_cachanged && !usetls) |
416 |
errx(1, "you must specify -c to use -R"); |
||
417 |
✗✓ | 45 |
if (tls_expecthash && !usetls) |
418 |
errx(1, "you must specify -c to use -H"); |
||
419 |
✗✓ | 45 |
if (tls_expectname && !usetls) |
420 |
errx(1, "you must specify -c to use -e"); |
||
421 |
|||
422 |
/* Get name of temporary socket for unix datagram client */ |
||
423 |
✗✓ | 45 |
if ((family == AF_UNIX) && uflag && !lflag) { |
424 |
if (sflag) { |
||
425 |
unix_dg_tmp_socket = sflag; |
||
426 |
} else { |
||
427 |
strlcpy(unix_dg_tmp_socket_buf, "/tmp/nc.XXXXXXXXXX", |
||
428 |
UNIX_DG_TMP_SOCKET_SIZE); |
||
429 |
if (mktemp(unix_dg_tmp_socket_buf) == NULL) |
||
430 |
err(1, "mktemp"); |
||
431 |
unix_dg_tmp_socket = unix_dg_tmp_socket_buf; |
||
432 |
} |
||
433 |
} |
||
434 |
|||
435 |
/* Initialize addrinfo structure. */ |
||
436 |
✓✗ | 45 |
if (family != AF_UNIX) { |
437 |
45 |
memset(&hints, 0, sizeof(struct addrinfo)); |
|
438 |
45 |
hints.ai_family = family; |
|
439 |
45 |
hints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM; |
|
440 |
45 |
hints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP; |
|
441 |
✗✓ | 45 |
if (nflag) |
442 |
hints.ai_flags |= AI_NUMERICHOST; |
||
443 |
} |
||
444 |
|||
445 |
✗✓ | 45 |
if (xflag) { |
446 |
if (uflag) |
||
447 |
errx(1, "no proxy support for UDP mode"); |
||
448 |
|||
449 |
if (lflag) |
||
450 |
errx(1, "no proxy support for listen"); |
||
451 |
|||
452 |
if (family == AF_UNIX) |
||
453 |
errx(1, "no proxy support for unix sockets"); |
||
454 |
|||
455 |
if (sflag) |
||
456 |
errx(1, "no proxy support for local source address"); |
||
457 |
|||
458 |
if (*proxy == '[') { |
||
459 |
++proxy; |
||
460 |
proxyport = strchr(proxy, ']'); |
||
461 |
if (proxyport == NULL) |
||
462 |
errx(1, "missing closing bracket in proxy"); |
||
463 |
*proxyport++ = '\0'; |
||
464 |
if (*proxyport == '\0') |
||
465 |
/* Use default proxy port. */ |
||
466 |
proxyport = NULL; |
||
467 |
else { |
||
468 |
if (*proxyport == ':') |
||
469 |
++proxyport; |
||
470 |
else |
||
471 |
errx(1, "garbage proxy port delimiter"); |
||
472 |
} |
||
473 |
} else { |
||
474 |
proxyport = strrchr(proxy, ':'); |
||
475 |
if (proxyport != NULL) |
||
476 |
*proxyport++ = '\0'; |
||
477 |
} |
||
478 |
|||
479 |
memset(&proxyhints, 0, sizeof(struct addrinfo)); |
||
480 |
proxyhints.ai_family = family; |
||
481 |
proxyhints.ai_socktype = SOCK_STREAM; |
||
482 |
proxyhints.ai_protocol = IPPROTO_TCP; |
||
483 |
if (nflag) |
||
484 |
proxyhints.ai_flags |= AI_NUMERICHOST; |
||
485 |
} |
||
486 |
|||
487 |
✗✓ | 45 |
if (usetls) { |
488 |
if (tls_init() == -1) |
||
489 |
errx(1, "unable to initialize TLS"); |
||
490 |
if ((tls_cfg = tls_config_new()) == NULL) |
||
491 |
errx(1, "unable to allocate TLS config"); |
||
492 |
if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1) |
||
493 |
errx(1, "%s", tls_config_error(tls_cfg)); |
||
494 |
if (Cflag && tls_config_set_cert_file(tls_cfg, Cflag) == -1) |
||
495 |
errx(1, "%s", tls_config_error(tls_cfg)); |
||
496 |
if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1) |
||
497 |
errx(1, "%s", tls_config_error(tls_cfg)); |
||
498 |
if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1) |
||
499 |
errx(1, "%s", tls_config_error(tls_cfg)); |
||
500 |
if (TLSopt & (TLS_ALL|TLS_COMPAT)) { |
||
501 |
if (tls_config_set_protocols(tls_cfg, |
||
502 |
TLS_PROTOCOLS_ALL) != 0) |
||
503 |
errx(1, "%s", tls_config_error(tls_cfg)); |
||
504 |
if (tls_config_set_ciphers(tls_cfg, |
||
505 |
(TLSopt & TLS_ALL) ? "all" : "compat") != 0) |
||
506 |
errx(1, "%s", tls_config_error(tls_cfg)); |
||
507 |
} |
||
508 |
if (!lflag && (TLSopt & TLS_CCERT)) |
||
509 |
errx(1, "clientcert is only valid with -l"); |
||
510 |
if (TLSopt & TLS_NONAME) |
||
511 |
tls_config_insecure_noverifyname(tls_cfg); |
||
512 |
if (TLSopt & TLS_NOVERIFY) { |
||
513 |
if (tls_expecthash != NULL) |
||
514 |
errx(1, "-H and -T noverify may not be used " |
||
515 |
"together"); |
||
516 |
tls_config_insecure_noverifycert(tls_cfg); |
||
517 |
} |
||
518 |
if (TLSopt & TLS_MUSTSTAPLE) |
||
519 |
tls_config_ocsp_require_stapling(tls_cfg); |
||
520 |
|||
521 |
if (Pflag) { |
||
522 |
if (pledge("stdio inet dns tty flock rpath cpath wpath", NULL) == -1) |
||
523 |
err(1, "pledge"); |
||
524 |
} else if (pledge("stdio inet dns flock rpath cpath wpath", NULL) == -1) |
||
525 |
err(1, "pledge"); |
||
526 |
} |
||
527 |
✓✗ | 45 |
if (lflag) { |
528 |
struct tls *tls_cctx = NULL; |
||
529 |
int connfd; |
||
530 |
ret = 0; |
||
531 |
|||
532 |
✗✓ | 45 |
if (family == AF_UNIX) { |
533 |
if (uflag) |
||
534 |
s = unix_bind(host, 0); |
||
535 |
else |
||
536 |
s = unix_listen(host); |
||
537 |
} |
||
538 |
|||
539 |
✗✓ | 45 |
if (usetls) { |
540 |
tls_config_verify_client_optional(tls_cfg); |
||
541 |
if ((tls_ctx = tls_server()) == NULL) |
||
542 |
errx(1, "tls server creation failed"); |
||
543 |
if (tls_configure(tls_ctx, tls_cfg) == -1) |
||
544 |
errx(1, "tls configuration failed (%s)", |
||
545 |
tls_error(tls_ctx)); |
||
546 |
} |
||
547 |
/* Allow only one connection at a time, but stay alive. */ |
||
548 |
for (;;) { |
||
549 |
✓✗ | 45 |
if (family != AF_UNIX) |
550 |
45 |
s = local_listen(host, uport, hints); |
|
551 |
✗✓ | 45 |
if (s < 0) |
552 |
err(1, NULL); |
||
553 |
✗✓ | 45 |
if (uflag && kflag) { |
554 |
/* |
||
555 |
* For UDP and -k, don't connect the socket, |
||
556 |
* let it receive datagrams from multiple |
||
557 |
* socket pairs. |
||
558 |
*/ |
||
559 |
readwrite(s, NULL); |
||
560 |
✗✓ | 45 |
} else if (uflag && !kflag) { |
561 |
/* |
||
562 |
* For UDP and not -k, we will use recvfrom() |
||
563 |
* initially to wait for a caller, then use |
||
564 |
* the regular functions to talk to the caller. |
||
565 |
*/ |
||
566 |
int rv, plen; |
||
567 |
char buf[16384]; |
||
568 |
struct sockaddr_storage z; |
||
569 |
|||
570 |
len = sizeof(z); |
||
571 |
plen = 2048; |
||
572 |
rv = recvfrom(s, buf, plen, MSG_PEEK, |
||
573 |
(struct sockaddr *)&z, &len); |
||
574 |
if (rv < 0) |
||
575 |
err(1, "recvfrom"); |
||
576 |
|||
577 |
rv = connect(s, (struct sockaddr *)&z, len); |
||
578 |
if (rv < 0) |
||
579 |
err(1, "connect"); |
||
580 |
|||
581 |
if (vflag) |
||
582 |
report_connect((struct sockaddr *)&z, len, NULL); |
||
583 |
|||
584 |
readwrite(s, NULL); |
||
585 |
} else { |
||
586 |
45 |
len = sizeof(cliaddr); |
|
587 |
45 |
connfd = accept4(s, (struct sockaddr *)&cliaddr, |
|
588 |
&len, SOCK_NONBLOCK); |
||
589 |
✗✓ | 45 |
if (connfd == -1) { |
590 |
/* For now, all errnos are fatal */ |
||
591 |
err(1, "accept"); |
||
592 |
} |
||
593 |
✗✓ | 45 |
if (vflag) |
594 |
report_connect((struct sockaddr *)&cliaddr, len, |
||
595 |
family == AF_UNIX ? host : NULL); |
||
596 |
✗✓✗✗ |
45 |
if ((usetls) && |
597 |
(tls_cctx = tls_setup_server(tls_ctx, connfd, host))) |
||
598 |
readwrite(connfd, tls_cctx); |
||
599 |
✓✗ | 45 |
if (!usetls) |
600 |
45 |
readwrite(connfd, NULL); |
|
601 |
✗✓ | 45 |
if (tls_cctx) { |
602 |
timeout_tls(s, tls_cctx, tls_close); |
||
603 |
tls_free(tls_cctx); |
||
604 |
tls_cctx = NULL; |
||
605 |
} |
||
606 |
45 |
close(connfd); |
|
607 |
} |
||
608 |
✓✗ | 45 |
if (family != AF_UNIX) |
609 |
45 |
close(s); |
|
610 |
else if (uflag) { |
||
611 |
if (connect(s, NULL, 0) < 0) |
||
612 |
err(1, "connect"); |
||
613 |
} |
||
614 |
|||
615 |
✗✓ | 45 |
if (!kflag) |
616 |
break; |
||
617 |
} |
||
618 |
✗✗ | 45 |
} else if (family == AF_UNIX) { |
619 |
ret = 0; |
||
620 |
|||
621 |
if ((s = unix_connect(host)) > 0) { |
||
622 |
if (!zflag) |
||
623 |
readwrite(s, NULL); |
||
624 |
close(s); |
||
625 |
} else |
||
626 |
ret = 1; |
||
627 |
|||
628 |
if (uflag) |
||
629 |
unlink(unix_dg_tmp_socket); |
||
630 |
return ret; |
||
631 |
|||
632 |
} else { |
||
633 |
int i = 0; |
||
634 |
|||
635 |
/* Construct the portlist[] array. */ |
||
636 |
build_ports(uport); |
||
637 |
|||
638 |
/* Cycle through portlist, connecting to each port. */ |
||
639 |
for (s = -1, i = 0; portlist[i] != NULL; i++) { |
||
640 |
if (s != -1) |
||
641 |
close(s); |
||
642 |
|||
643 |
if (usetls) { |
||
644 |
if ((tls_ctx = tls_client()) == NULL) |
||
645 |
errx(1, "tls client creation failed"); |
||
646 |
if (tls_configure(tls_ctx, tls_cfg) == -1) |
||
647 |
errx(1, "tls configuration failed (%s)", |
||
648 |
tls_error(tls_ctx)); |
||
649 |
} |
||
650 |
if (xflag) |
||
651 |
s = socks_connect(host, portlist[i], hints, |
||
652 |
proxy, proxyport, proxyhints, socksv, |
||
653 |
Pflag); |
||
654 |
else |
||
655 |
s = remote_connect(host, portlist[i], hints); |
||
656 |
|||
657 |
if (s == -1) |
||
658 |
continue; |
||
659 |
|||
660 |
ret = 0; |
||
661 |
if (vflag || zflag) { |
||
662 |
/* For UDP, make sure we are connected. */ |
||
663 |
if (uflag) { |
||
664 |
if (udptest(s) == -1) { |
||
665 |
ret = 1; |
||
666 |
continue; |
||
667 |
} |
||
668 |
} |
||
669 |
|||
670 |
/* Don't look up port if -n. */ |
||
671 |
if (nflag) |
||
672 |
sv = NULL; |
||
673 |
else { |
||
674 |
sv = getservbyport( |
||
675 |
ntohs(atoi(portlist[i])), |
||
676 |
uflag ? "udp" : "tcp"); |
||
677 |
} |
||
678 |
|||
679 |
fprintf(stderr, |
||
680 |
"Connection to %s %s port [%s/%s] " |
||
681 |
"succeeded!\n", host, portlist[i], |
||
682 |
uflag ? "udp" : "tcp", |
||
683 |
sv ? sv->s_name : "*"); |
||
684 |
} |
||
685 |
if (Fflag) |
||
686 |
fdpass(s); |
||
687 |
else { |
||
688 |
if (usetls) |
||
689 |
tls_setup_client(tls_ctx, s, host); |
||
690 |
if (!zflag) |
||
691 |
readwrite(s, tls_ctx); |
||
692 |
if (tls_ctx) { |
||
693 |
timeout_tls(s, tls_ctx, tls_close); |
||
694 |
tls_free(tls_ctx); |
||
695 |
tls_ctx = NULL; |
||
696 |
} |
||
697 |
} |
||
698 |
} |
||
699 |
} |
||
700 |
|||
701 |
✓✗ | 45 |
if (s != -1) |
702 |
45 |
close(s); |
|
703 |
|||
704 |
45 |
tls_config_free(tls_cfg); |
|
705 |
|||
706 |
45 |
return ret; |
|
707 |
45 |
} |
|
708 |
|||
709 |
/* |
||
710 |
* unix_bind() |
||
711 |
* Returns a unix socket bound to the given path |
||
712 |
*/ |
||
713 |
int |
||
714 |
unix_bind(char *path, int flags) |
||
715 |
{ |
||
716 |
struct sockaddr_un s_un; |
||
717 |
int s, save_errno; |
||
718 |
|||
719 |
/* Create unix domain socket. */ |
||
720 |
if ((s = socket(AF_UNIX, flags | (uflag ? SOCK_DGRAM : SOCK_STREAM), |
||
721 |
0)) < 0) |
||
722 |
return -1; |
||
723 |
|||
724 |
memset(&s_un, 0, sizeof(struct sockaddr_un)); |
||
725 |
s_un.sun_family = AF_UNIX; |
||
726 |
|||
727 |
if (strlcpy(s_un.sun_path, path, sizeof(s_un.sun_path)) >= |
||
728 |
sizeof(s_un.sun_path)) { |
||
729 |
close(s); |
||
730 |
errno = ENAMETOOLONG; |
||
731 |
return -1; |
||
732 |
} |
||
733 |
|||
734 |
if (bind(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) { |
||
735 |
save_errno = errno; |
||
736 |
close(s); |
||
737 |
errno = save_errno; |
||
738 |
return -1; |
||
739 |
} |
||
740 |
|||
741 |
return s; |
||
742 |
} |
||
743 |
|||
744 |
int |
||
745 |
timeout_tls(int s, struct tls *tls_ctx, int (*func)(struct tls *)) |
||
746 |
{ |
||
747 |
struct pollfd pfd; |
||
748 |
int ret; |
||
749 |
|||
750 |
while ((ret = (*func)(tls_ctx)) != 0) { |
||
751 |
if (ret == TLS_WANT_POLLIN) |
||
752 |
pfd.events = POLLIN; |
||
753 |
else if (ret == TLS_WANT_POLLOUT) |
||
754 |
pfd.events = POLLOUT; |
||
755 |
else |
||
756 |
break; |
||
757 |
pfd.fd = s; |
||
758 |
if ((ret = poll(&pfd, 1, timeout)) == 1) |
||
759 |
continue; |
||
760 |
else if (ret == 0) { |
||
761 |
errno = ETIMEDOUT; |
||
762 |
ret = -1; |
||
763 |
break; |
||
764 |
} else |
||
765 |
err(1, "poll failed"); |
||
766 |
} |
||
767 |
|||
768 |
return ret; |
||
769 |
} |
||
770 |
|||
771 |
void |
||
772 |
tls_setup_client(struct tls *tls_ctx, int s, char *host) |
||
773 |
{ |
||
774 |
const char *errstr; |
||
775 |
|||
776 |
if (tls_connect_socket(tls_ctx, s, |
||
777 |
tls_expectname ? tls_expectname : host) == -1) { |
||
778 |
errx(1, "tls connection failed (%s)", |
||
779 |
tls_error(tls_ctx)); |
||
780 |
} |
||
781 |
if (timeout_tls(s, tls_ctx, tls_handshake) == -1) { |
||
782 |
if ((errstr = tls_error(tls_ctx)) == NULL) |
||
783 |
errstr = strerror(errno); |
||
784 |
errx(1, "tls handshake failed (%s)", errstr); |
||
785 |
} |
||
786 |
if (vflag) |
||
787 |
report_tls(tls_ctx, host); |
||
788 |
if (tls_expecthash && tls_peer_cert_hash(tls_ctx) && |
||
789 |
strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0) |
||
790 |
errx(1, "peer certificate is not %s", tls_expecthash); |
||
791 |
if (Zflag) { |
||
792 |
save_peer_cert(tls_ctx, Zflag); |
||
793 |
if (Zflag != stderr && (fclose(Zflag) != 0)) |
||
794 |
err(1, "fclose failed saving peer cert"); |
||
795 |
} |
||
796 |
} |
||
797 |
|||
798 |
struct tls * |
||
799 |
tls_setup_server(struct tls *tls_ctx, int connfd, char *host) |
||
800 |
{ |
||
801 |
struct tls *tls_cctx; |
||
802 |
const char *errstr; |
||
803 |
|||
804 |
if (tls_accept_socket(tls_ctx, &tls_cctx, connfd) == -1) { |
||
805 |
warnx("tls accept failed (%s)", tls_error(tls_ctx)); |
||
806 |
} else if (timeout_tls(connfd, tls_cctx, tls_handshake) == -1) { |
||
807 |
if ((errstr = tls_error(tls_cctx)) == NULL) |
||
808 |
errstr = strerror(errno); |
||
809 |
warnx("tls handshake failed (%s)", errstr); |
||
810 |
} else { |
||
811 |
int gotcert = tls_peer_cert_provided(tls_cctx); |
||
812 |
|||
813 |
if (vflag && gotcert) |
||
814 |
report_tls(tls_cctx, host); |
||
815 |
if ((TLSopt & TLS_CCERT) && !gotcert) |
||
816 |
warnx("No client certificate provided"); |
||
817 |
else if (gotcert && tls_peer_cert_hash(tls_ctx) && tls_expecthash && |
||
818 |
strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0) |
||
819 |
warnx("peer certificate is not %s", tls_expecthash); |
||
820 |
else if (gotcert && tls_expectname && |
||
821 |
(!tls_peer_cert_contains_name(tls_cctx, tls_expectname))) |
||
822 |
warnx("name (%s) not found in client cert", |
||
823 |
tls_expectname); |
||
824 |
else { |
||
825 |
return tls_cctx; |
||
826 |
} |
||
827 |
} |
||
828 |
return NULL; |
||
829 |
} |
||
830 |
|||
831 |
/* |
||
832 |
* unix_connect() |
||
833 |
* Returns a socket connected to a local unix socket. Returns -1 on failure. |
||
834 |
*/ |
||
835 |
int |
||
836 |
unix_connect(char *path) |
||
837 |
{ |
||
838 |
struct sockaddr_un s_un; |
||
839 |
int s, save_errno; |
||
840 |
|||
841 |
if (uflag) { |
||
842 |
if ((s = unix_bind(unix_dg_tmp_socket, SOCK_CLOEXEC)) < 0) |
||
843 |
return -1; |
||
844 |
} else { |
||
845 |
if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) < 0) |
||
846 |
return -1; |
||
847 |
} |
||
848 |
|||
849 |
memset(&s_un, 0, sizeof(struct sockaddr_un)); |
||
850 |
s_un.sun_family = AF_UNIX; |
||
851 |
|||
852 |
if (strlcpy(s_un.sun_path, path, sizeof(s_un.sun_path)) >= |
||
853 |
sizeof(s_un.sun_path)) { |
||
854 |
close(s); |
||
855 |
errno = ENAMETOOLONG; |
||
856 |
return -1; |
||
857 |
} |
||
858 |
if (connect(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) { |
||
859 |
save_errno = errno; |
||
860 |
close(s); |
||
861 |
errno = save_errno; |
||
862 |
return -1; |
||
863 |
} |
||
864 |
return s; |
||
865 |
|||
866 |
} |
||
867 |
|||
868 |
/* |
||
869 |
* unix_listen() |
||
870 |
* Create a unix domain socket, and listen on it. |
||
871 |
*/ |
||
872 |
int |
||
873 |
unix_listen(char *path) |
||
874 |
{ |
||
875 |
int s; |
||
876 |
if ((s = unix_bind(path, 0)) < 0) |
||
877 |
return -1; |
||
878 |
|||
879 |
if (listen(s, 5) < 0) { |
||
880 |
close(s); |
||
881 |
return -1; |
||
882 |
} |
||
883 |
return s; |
||
884 |
} |
||
885 |
|||
886 |
/* |
||
887 |
* remote_connect() |
||
888 |
* Returns a socket connected to a remote host. Properly binds to a local |
||
889 |
* port or source address if needed. Returns -1 on failure. |
||
890 |
*/ |
||
891 |
int |
||
892 |
remote_connect(const char *host, const char *port, struct addrinfo hints) |
||
893 |
{ |
||
894 |
struct addrinfo *res, *res0; |
||
895 |
int s = -1, error, on = 1, save_errno; |
||
896 |
|||
897 |
if ((error = getaddrinfo(host, port, &hints, &res0))) |
||
898 |
errx(1, "getaddrinfo for host \"%s\" port %s: %s", host, |
||
899 |
port, gai_strerror(error)); |
||
900 |
|||
901 |
for (res = res0; res; res = res->ai_next) { |
||
902 |
if ((s = socket(res->ai_family, res->ai_socktype | |
||
903 |
SOCK_NONBLOCK, res->ai_protocol)) < 0) |
||
904 |
continue; |
||
905 |
|||
906 |
/* Bind to a local port or source address if specified. */ |
||
907 |
if (sflag || pflag) { |
||
908 |
struct addrinfo ahints, *ares; |
||
909 |
|||
910 |
/* try SO_BINDANY, but don't insist */ |
||
911 |
setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on)); |
||
912 |
memset(&ahints, 0, sizeof(struct addrinfo)); |
||
913 |
ahints.ai_family = res->ai_family; |
||
914 |
ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM; |
||
915 |
ahints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP; |
||
916 |
ahints.ai_flags = AI_PASSIVE; |
||
917 |
if ((error = getaddrinfo(sflag, pflag, &ahints, &ares))) |
||
918 |
errx(1, "getaddrinfo: %s", gai_strerror(error)); |
||
919 |
|||
920 |
if (bind(s, (struct sockaddr *)ares->ai_addr, |
||
921 |
ares->ai_addrlen) < 0) |
||
922 |
err(1, "bind failed"); |
||
923 |
freeaddrinfo(ares); |
||
924 |
} |
||
925 |
|||
926 |
set_common_sockopts(s, res->ai_family); |
||
927 |
|||
928 |
if (timeout_connect(s, res->ai_addr, res->ai_addrlen) == 0) |
||
929 |
break; |
||
930 |
if (vflag) |
||
931 |
warn("connect to %s port %s (%s) failed", host, port, |
||
932 |
uflag ? "udp" : "tcp"); |
||
933 |
|||
934 |
save_errno = errno; |
||
935 |
close(s); |
||
936 |
errno = save_errno; |
||
937 |
s = -1; |
||
938 |
} |
||
939 |
|||
940 |
freeaddrinfo(res0); |
||
941 |
|||
942 |
return s; |
||
943 |
} |
||
944 |
|||
945 |
int |
||
946 |
timeout_connect(int s, const struct sockaddr *name, socklen_t namelen) |
||
947 |
{ |
||
948 |
struct pollfd pfd; |
||
949 |
socklen_t optlen; |
||
950 |
int optval; |
||
951 |
int ret; |
||
952 |
|||
953 |
if ((ret = connect(s, name, namelen)) != 0 && errno == EINPROGRESS) { |
||
954 |
pfd.fd = s; |
||
955 |
pfd.events = POLLOUT; |
||
956 |
if ((ret = poll(&pfd, 1, timeout)) == 1) { |
||
957 |
optlen = sizeof(optval); |
||
958 |
if ((ret = getsockopt(s, SOL_SOCKET, SO_ERROR, |
||
959 |
&optval, &optlen)) == 0) { |
||
960 |
errno = optval; |
||
961 |
ret = optval == 0 ? 0 : -1; |
||
962 |
} |
||
963 |
} else if (ret == 0) { |
||
964 |
errno = ETIMEDOUT; |
||
965 |
ret = -1; |
||
966 |
} else |
||
967 |
err(1, "poll failed"); |
||
968 |
} |
||
969 |
|||
970 |
return ret; |
||
971 |
} |
||
972 |
|||
973 |
/* |
||
974 |
* local_listen() |
||
975 |
* Returns a socket listening on a local port, binds to specified source |
||
976 |
* address. Returns -1 on failure. |
||
977 |
*/ |
||
978 |
int |
||
979 |
local_listen(char *host, char *port, struct addrinfo hints) |
||
980 |
{ |
||
981 |
90 |
struct addrinfo *res, *res0; |
|
982 |
45 |
int s = -1, ret, x = 1, save_errno; |
|
983 |
int error; |
||
984 |
|||
985 |
/* Allow nodename to be null. */ |
||
986 |
45 |
hints.ai_flags |= AI_PASSIVE; |
|
987 |
|||
988 |
/* |
||
989 |
* In the case of binding to a wildcard address |
||
990 |
* default to binding to an ipv4 address. |
||
991 |
*/ |
||
992 |
✓✗✗✓ |
90 |
if (host == NULL && hints.ai_family == AF_UNSPEC) |
993 |
hints.ai_family = AF_INET; |
||
994 |
|||
995 |
✗✓ | 45 |
if ((error = getaddrinfo(host, port, &hints, &res0))) |
996 |
errx(1, "getaddrinfo: %s", gai_strerror(error)); |
||
997 |
|||
998 |
✓✗ | 90 |
for (res = res0; res; res = res->ai_next) { |
999 |
✓✗ | 135 |
if ((s = socket(res->ai_family, res->ai_socktype, |
1000 |
90 |
res->ai_protocol)) < 0) |
|
1001 |
continue; |
||
1002 |
|||
1003 |
45 |
ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x)); |
|
1004 |
✗✓ | 45 |
if (ret == -1) |
1005 |
err(1, NULL); |
||
1006 |
|||
1007 |
45 |
set_common_sockopts(s, res->ai_family); |
|
1008 |
|||
1009 |
✗✓ | 135 |
if (bind(s, (struct sockaddr *)res->ai_addr, |
1010 |
90 |
res->ai_addrlen) == 0) |
|
1011 |
break; |
||
1012 |
|||
1013 |
save_errno = errno; |
||
1014 |
close(s); |
||
1015 |
errno = save_errno; |
||
1016 |
s = -1; |
||
1017 |
} |
||
1018 |
|||
1019 |
✓✗ | 45 |
if (!uflag && s != -1) { |
1020 |
✗✓ | 45 |
if (listen(s, 1) < 0) |
1021 |
err(1, "listen"); |
||
1022 |
} |
||
1023 |
|||
1024 |
45 |
freeaddrinfo(res0); |
|
1025 |
|||
1026 |
45 |
return s; |
|
1027 |
45 |
} |
|
1028 |
|||
1029 |
/* |
||
1030 |
* readwrite() |
||
1031 |
* Loop that polls on the network file descriptor and stdin. |
||
1032 |
*/ |
||
1033 |
void |
||
1034 |
readwrite(int net_fd, struct tls *tls_ctx) |
||
1035 |
{ |
||
1036 |
90 |
struct pollfd pfd[4]; |
|
1037 |
int stdin_fd = STDIN_FILENO; |
||
1038 |
int stdout_fd = STDOUT_FILENO; |
||
1039 |
45 |
unsigned char netinbuf[BUFSIZE]; |
|
1040 |
45 |
size_t netinbufpos = 0; |
|
1041 |
45 |
unsigned char stdinbuf[BUFSIZE]; |
|
1042 |
45 |
size_t stdinbufpos = 0; |
|
1043 |
int n, num_fds; |
||
1044 |
ssize_t ret; |
||
1045 |
|||
1046 |
/* don't read from stdin if requested */ |
||
1047 |
✗✓ | 45 |
if (dflag) |
1048 |
stdin_fd = -1; |
||
1049 |
|||
1050 |
/* stdin */ |
||
1051 |
45 |
pfd[POLL_STDIN].fd = stdin_fd; |
|
1052 |
45 |
pfd[POLL_STDIN].events = POLLIN; |
|
1053 |
|||
1054 |
/* network out */ |
||
1055 |
45 |
pfd[POLL_NETOUT].fd = net_fd; |
|
1056 |
45 |
pfd[POLL_NETOUT].events = 0; |
|
1057 |
|||
1058 |
/* network in */ |
||
1059 |
45 |
pfd[POLL_NETIN].fd = net_fd; |
|
1060 |
45 |
pfd[POLL_NETIN].events = POLLIN; |
|
1061 |
|||
1062 |
/* stdout */ |
||
1063 |
45 |
pfd[POLL_STDOUT].fd = stdout_fd; |
|
1064 |
45 |
pfd[POLL_STDOUT].events = 0; |
|
1065 |
|||
1066 |
45 |
while (1) { |
|
1067 |
/* both inputs are gone, buffers are empty, we are done */ |
||
1068 |
✓✓✓✓ |
798 |
if (pfd[POLL_STDIN].fd == -1 && pfd[POLL_NETIN].fd == -1 && |
1069 |
352 |
stdinbufpos == 0 && netinbufpos == 0) |
|
1070 |
44 |
return; |
|
1071 |
/* both outputs are gone, we can't continue */ |
||
1072 |
✓✓✗✓ |
358 |
if (pfd[POLL_NETOUT].fd == -1 && pfd[POLL_STDOUT].fd == -1) |
1073 |
return; |
||
1074 |
/* listen and net in gone, queues empty, done */ |
||
1075 |
✓✗✓✓ |
904 |
if (lflag && pfd[POLL_NETIN].fd == -1 && |
1076 |
452 |
stdinbufpos == 0 && netinbufpos == 0) |
|
1077 |
1 |
return; |
|
1078 |
|||
1079 |
/* help says -i is for "wait between lines sent". We read and |
||
1080 |
* write arbitrary amounts of data, and we don't want to start |
||
1081 |
* scanning for newlines, so this is as good as it gets */ |
||
1082 |
✗✓ | 225 |
if (iflag) |
1083 |
sleep(iflag); |
||
1084 |
|||
1085 |
/* poll */ |
||
1086 |
225 |
num_fds = poll(pfd, 4, timeout); |
|
1087 |
|||
1088 |
/* treat poll errors */ |
||
1089 |
✗✓ | 225 |
if (num_fds == -1) |
1090 |
err(1, "polling error"); |
||
1091 |
|||
1092 |
/* timeout happened */ |
||
1093 |
✗✓ | 225 |
if (num_fds == 0) |
1094 |
return; |
||
1095 |
|||
1096 |
/* treat socket error conditions */ |
||
1097 |
✓✓ | 2250 |
for (n = 0; n < 4; n++) { |
1098 |
✗✓ | 900 |
if (pfd[n].revents & (POLLERR|POLLNVAL)) { |
1099 |
pfd[n].fd = -1; |
||
1100 |
} |
||
1101 |
} |
||
1102 |
/* reading is possible after HUP */ |
||
1103 |
✓✗✗✓ |
313 |
if (pfd[POLL_STDIN].events & POLLIN && |
1104 |
✓✓ | 225 |
pfd[POLL_STDIN].revents & POLLHUP && |
1105 |
88 |
!(pfd[POLL_STDIN].revents & POLLIN)) |
|
1106 |
pfd[POLL_STDIN].fd = -1; |
||
1107 |
|||
1108 |
✓✗✗✗ |
225 |
if (pfd[POLL_NETIN].events & POLLIN && |
1109 |
✗✓ | 225 |
pfd[POLL_NETIN].revents & POLLHUP && |
1110 |
!(pfd[POLL_NETIN].revents & POLLIN)) |
||
1111 |
pfd[POLL_NETIN].fd = -1; |
||
1112 |
|||
1113 |
✗✓ | 225 |
if (pfd[POLL_NETOUT].revents & POLLHUP) { |
1114 |
if (Nflag) |
||
1115 |
shutdown(pfd[POLL_NETOUT].fd, SHUT_WR); |
||
1116 |
pfd[POLL_NETOUT].fd = -1; |
||
1117 |
} |
||
1118 |
/* if HUP, stop watching stdout */ |
||
1119 |
✗✓ | 225 |
if (pfd[POLL_STDOUT].revents & POLLHUP) |
1120 |
pfd[POLL_STDOUT].fd = -1; |
||
1121 |
/* if no net out, stop watching stdin */ |
||
1122 |
✓✓ | 225 |
if (pfd[POLL_NETOUT].fd == -1) |
1123 |
132 |
pfd[POLL_STDIN].fd = -1; |
|
1124 |
/* if no stdout, stop watching net in */ |
||
1125 |
✗✓ | 225 |
if (pfd[POLL_STDOUT].fd == -1) { |
1126 |
if (pfd[POLL_NETIN].fd != -1) |
||
1127 |
shutdown(pfd[POLL_NETIN].fd, SHUT_RD); |
||
1128 |
pfd[POLL_NETIN].fd = -1; |
||
1129 |
} |
||
1130 |
|||
1131 |
/* try to read from stdin */ |
||
1132 |
✓✓ | 225 |
if (pfd[POLL_STDIN].revents & POLLIN && stdinbufpos < BUFSIZE) { |
1133 |
89 |
ret = fillbuf(pfd[POLL_STDIN].fd, stdinbuf, |
|
1134 |
&stdinbufpos, NULL); |
||
1135 |
✗✓ | 89 |
if (ret == TLS_WANT_POLLIN) |
1136 |
pfd[POLL_STDIN].events = POLLIN; |
||
1137 |
✗✓ | 89 |
else if (ret == TLS_WANT_POLLOUT) |
1138 |
pfd[POLL_STDIN].events = POLLOUT; |
||
1139 |
✓✓ | 89 |
else if (ret == 0 || ret == -1) |
1140 |
44 |
pfd[POLL_STDIN].fd = -1; |
|
1141 |
/* read something - poll net out */ |
||
1142 |
✓✗ | 89 |
if (stdinbufpos > 0) |
1143 |
89 |
pfd[POLL_NETOUT].events = POLLOUT; |
|
1144 |
/* filled buffer - remove self from polling */ |
||
1145 |
✗✓ | 89 |
if (stdinbufpos == BUFSIZE) |
1146 |
pfd[POLL_STDIN].events = 0; |
||
1147 |
} |
||
1148 |
/* try to write to network */ |
||
1149 |
✓✓ | 225 |
if (pfd[POLL_NETOUT].revents & POLLOUT && stdinbufpos > 0) { |
1150 |
45 |
ret = drainbuf(pfd[POLL_NETOUT].fd, stdinbuf, |
|
1151 |
&stdinbufpos, tls_ctx); |
||
1152 |
✗✓ | 45 |
if (ret == TLS_WANT_POLLIN) |
1153 |
pfd[POLL_NETOUT].events = POLLIN; |
||
1154 |
✗✓ | 45 |
else if (ret == TLS_WANT_POLLOUT) |
1155 |
pfd[POLL_NETOUT].events = POLLOUT; |
||
1156 |
✗✓ | 45 |
else if (ret == -1) |
1157 |
pfd[POLL_NETOUT].fd = -1; |
||
1158 |
/* buffer empty - remove self from polling */ |
||
1159 |
✓✗ | 45 |
if (stdinbufpos == 0) |
1160 |
45 |
pfd[POLL_NETOUT].events = 0; |
|
1161 |
/* buffer no longer full - poll stdin again */ |
||
1162 |
✓✗ | 45 |
if (stdinbufpos < BUFSIZE) |
1163 |
45 |
pfd[POLL_STDIN].events = POLLIN; |
|
1164 |
} |
||
1165 |
/* try to read from network */ |
||
1166 |
✓✓ | 225 |
if (pfd[POLL_NETIN].revents & POLLIN && netinbufpos < BUFSIZE) { |
1167 |
90 |
ret = fillbuf(pfd[POLL_NETIN].fd, netinbuf, |
|
1168 |
&netinbufpos, tls_ctx); |
||
1169 |
✗✓ | 90 |
if (ret == TLS_WANT_POLLIN) |
1170 |
pfd[POLL_NETIN].events = POLLIN; |
||
1171 |
✗✓ | 90 |
else if (ret == TLS_WANT_POLLOUT) |
1172 |
pfd[POLL_NETIN].events = POLLOUT; |
||
1173 |
✗✓ | 90 |
else if (ret == -1) |
1174 |
pfd[POLL_NETIN].fd = -1; |
||
1175 |
/* eof on net in - remove from pfd */ |
||
1176 |
✓✓ | 90 |
if (ret == 0) { |
1177 |
45 |
shutdown(pfd[POLL_NETIN].fd, SHUT_RD); |
|
1178 |
45 |
pfd[POLL_NETIN].fd = -1; |
|
1179 |
45 |
} |
|
1180 |
✗✓✗✗ |
90 |
if (recvlimit > 0 && ++recvcount >= recvlimit) { |
1181 |
if (pfd[POLL_NETIN].fd != -1) |
||
1182 |
shutdown(pfd[POLL_NETIN].fd, SHUT_RD); |
||
1183 |
pfd[POLL_NETIN].fd = -1; |
||
1184 |
pfd[POLL_STDIN].fd = -1; |
||
1185 |
} |
||
1186 |
/* read something - poll stdout */ |
||
1187 |
✓✓ | 90 |
if (netinbufpos > 0) |
1188 |
45 |
pfd[POLL_STDOUT].events = POLLOUT; |
|
1189 |
/* filled buffer - remove self from polling */ |
||
1190 |
✗✓ | 90 |
if (netinbufpos == BUFSIZE) |
1191 |
pfd[POLL_NETIN].events = 0; |
||
1192 |
/* handle telnet */ |
||
1193 |
✗✓ | 90 |
if (tflag) |
1194 |
atelnet(pfd[POLL_NETIN].fd, netinbuf, |
||
1195 |
netinbufpos); |
||
1196 |
} |
||
1197 |
/* try to write to stdout */ |
||
1198 |
✓✓ | 225 |
if (pfd[POLL_STDOUT].revents & POLLOUT && netinbufpos > 0) { |
1199 |
45 |
ret = drainbuf(pfd[POLL_STDOUT].fd, netinbuf, |
|
1200 |
&netinbufpos, NULL); |
||
1201 |
✗✓ | 45 |
if (ret == TLS_WANT_POLLIN) |
1202 |
pfd[POLL_STDOUT].events = POLLIN; |
||
1203 |
✗✓ | 45 |
else if (ret == TLS_WANT_POLLOUT) |
1204 |
pfd[POLL_STDOUT].events = POLLOUT; |
||
1205 |
✗✓ | 45 |
else if (ret == -1) |
1206 |
pfd[POLL_STDOUT].fd = -1; |
||
1207 |
/* buffer empty - remove self from polling */ |
||
1208 |
✓✗ | 45 |
if (netinbufpos == 0) |
1209 |
45 |
pfd[POLL_STDOUT].events = 0; |
|
1210 |
/* buffer no longer full - poll net in again */ |
||
1211 |
✓✗ | 45 |
if (netinbufpos < BUFSIZE) |
1212 |
45 |
pfd[POLL_NETIN].events = POLLIN; |
|
1213 |
} |
||
1214 |
|||
1215 |
/* stdin gone and queue empty? */ |
||
1216 |
✓✓ | 225 |
if (pfd[POLL_STDIN].fd == -1 && stdinbufpos == 0) { |
1217 |
✗✓ | 176 |
if (pfd[POLL_NETOUT].fd != -1 && Nflag) |
1218 |
shutdown(pfd[POLL_NETOUT].fd, SHUT_WR); |
||
1219 |
176 |
pfd[POLL_NETOUT].fd = -1; |
|
1220 |
176 |
} |
|
1221 |
/* net in gone and queue empty? */ |
||
1222 |
✓✓ | 225 |
if (pfd[POLL_NETIN].fd == -1 && netinbufpos == 0) { |
1223 |
45 |
pfd[POLL_STDOUT].fd = -1; |
|
1224 |
45 |
} |
|
1225 |
} |
||
1226 |
45 |
} |
|
1227 |
|||
1228 |
ssize_t |
||
1229 |
drainbuf(int fd, unsigned char *buf, size_t *bufpos, struct tls *tls) |
||
1230 |
{ |
||
1231 |
ssize_t n; |
||
1232 |
ssize_t adjust; |
||
1233 |
|||
1234 |
✗✓ | 180 |
if (tls) |
1235 |
n = tls_write(tls, buf, *bufpos); |
||
1236 |
else { |
||
1237 |
90 |
n = write(fd, buf, *bufpos); |
|
1238 |
/* don't treat EAGAIN, EINTR as error */ |
||
1239 |
✗✓✗✗ ✗✗ |
90 |
if (n == -1 && (errno == EAGAIN || errno == EINTR)) |
1240 |
n = TLS_WANT_POLLOUT; |
||
1241 |
} |
||
1242 |
✗✓ | 90 |
if (n <= 0) |
1243 |
return n; |
||
1244 |
/* adjust buffer */ |
||
1245 |
90 |
adjust = *bufpos - n; |
|
1246 |
✗✓ | 90 |
if (adjust > 0) |
1247 |
memmove(buf, buf + n, adjust); |
||
1248 |
90 |
*bufpos -= n; |
|
1249 |
90 |
return n; |
|
1250 |
90 |
} |
|
1251 |
|||
1252 |
ssize_t |
||
1253 |
fillbuf(int fd, unsigned char *buf, size_t *bufpos, struct tls *tls) |
||
1254 |
{ |
||
1255 |
358 |
size_t num = BUFSIZE - *bufpos; |
|
1256 |
ssize_t n; |
||
1257 |
|||
1258 |
✗✓ | 179 |
if (tls) |
1259 |
n = tls_read(tls, buf + *bufpos, num); |
||
1260 |
else { |
||
1261 |
179 |
n = read(fd, buf + *bufpos, num); |
|
1262 |
/* don't treat EAGAIN, EINTR as error */ |
||
1263 |
✗✓✗✗ ✗✗ |
179 |
if (n == -1 && (errno == EAGAIN || errno == EINTR)) |
1264 |
n = TLS_WANT_POLLIN; |
||
1265 |
} |
||
1266 |
✓✓ | 179 |
if (n <= 0) |
1267 |
89 |
return n; |
|
1268 |
90 |
*bufpos += n; |
|
1269 |
90 |
return n; |
|
1270 |
179 |
} |
|
1271 |
|||
1272 |
/* |
||
1273 |
* fdpass() |
||
1274 |
* Pass the connected file descriptor to stdout and exit. |
||
1275 |
*/ |
||
1276 |
void |
||
1277 |
fdpass(int nfd) |
||
1278 |
{ |
||
1279 |
struct msghdr mh; |
||
1280 |
union { |
||
1281 |
struct cmsghdr hdr; |
||
1282 |
char buf[CMSG_SPACE(sizeof(int))]; |
||
1283 |
} cmsgbuf; |
||
1284 |
struct cmsghdr *cmsg; |
||
1285 |
struct iovec iov; |
||
1286 |
char c = '\0'; |
||
1287 |
ssize_t r; |
||
1288 |
struct pollfd pfd; |
||
1289 |
|||
1290 |
/* Avoid obvious stupidity */ |
||
1291 |
if (isatty(STDOUT_FILENO)) |
||
1292 |
errx(1, "Cannot pass file descriptor to tty"); |
||
1293 |
|||
1294 |
bzero(&mh, sizeof(mh)); |
||
1295 |
bzero(&cmsgbuf, sizeof(cmsgbuf)); |
||
1296 |
bzero(&iov, sizeof(iov)); |
||
1297 |
|||
1298 |
mh.msg_control = (caddr_t)&cmsgbuf.buf; |
||
1299 |
mh.msg_controllen = sizeof(cmsgbuf.buf); |
||
1300 |
cmsg = CMSG_FIRSTHDR(&mh); |
||
1301 |
cmsg->cmsg_len = CMSG_LEN(sizeof(int)); |
||
1302 |
cmsg->cmsg_level = SOL_SOCKET; |
||
1303 |
cmsg->cmsg_type = SCM_RIGHTS; |
||
1304 |
*(int *)CMSG_DATA(cmsg) = nfd; |
||
1305 |
|||
1306 |
iov.iov_base = &c; |
||
1307 |
iov.iov_len = 1; |
||
1308 |
mh.msg_iov = &iov; |
||
1309 |
mh.msg_iovlen = 1; |
||
1310 |
|||
1311 |
bzero(&pfd, sizeof(pfd)); |
||
1312 |
pfd.fd = STDOUT_FILENO; |
||
1313 |
pfd.events = POLLOUT; |
||
1314 |
for (;;) { |
||
1315 |
r = sendmsg(STDOUT_FILENO, &mh, 0); |
||
1316 |
if (r == -1) { |
||
1317 |
if (errno == EAGAIN || errno == EINTR) { |
||
1318 |
if (poll(&pfd, 1, -1) == -1) |
||
1319 |
err(1, "poll"); |
||
1320 |
continue; |
||
1321 |
} |
||
1322 |
err(1, "sendmsg"); |
||
1323 |
} else if (r != 1) |
||
1324 |
errx(1, "sendmsg: unexpected return value %zd", r); |
||
1325 |
else |
||
1326 |
break; |
||
1327 |
} |
||
1328 |
exit(0); |
||
1329 |
} |
||
1330 |
|||
1331 |
/* Deal with RFC 854 WILL/WONT DO/DONT negotiation. */ |
||
1332 |
void |
||
1333 |
atelnet(int nfd, unsigned char *buf, unsigned int size) |
||
1334 |
{ |
||
1335 |
unsigned char *p, *end; |
||
1336 |
unsigned char obuf[4]; |
||
1337 |
|||
1338 |
if (size < 3) |
||
1339 |
return; |
||
1340 |
end = buf + size - 2; |
||
1341 |
|||
1342 |
for (p = buf; p < end; p++) { |
||
1343 |
if (*p != IAC) |
||
1344 |
continue; |
||
1345 |
|||
1346 |
obuf[0] = IAC; |
||
1347 |
p++; |
||
1348 |
if ((*p == WILL) || (*p == WONT)) |
||
1349 |
obuf[1] = DONT; |
||
1350 |
else if ((*p == DO) || (*p == DONT)) |
||
1351 |
obuf[1] = WONT; |
||
1352 |
else |
||
1353 |
continue; |
||
1354 |
|||
1355 |
p++; |
||
1356 |
obuf[2] = *p; |
||
1357 |
if (atomicio(vwrite, nfd, obuf, 3) != 3) |
||
1358 |
warn("Write Error!"); |
||
1359 |
} |
||
1360 |
} |
||
1361 |
|||
1362 |
|||
1363 |
int |
||
1364 |
strtoport(char *portstr, int udp) |
||
1365 |
{ |
||
1366 |
struct servent *entry; |
||
1367 |
const char *errstr; |
||
1368 |
char *proto; |
||
1369 |
int port = -1; |
||
1370 |
|||
1371 |
proto = udp ? "udp" : "tcp"; |
||
1372 |
|||
1373 |
port = strtonum(portstr, 1, PORT_MAX, &errstr); |
||
1374 |
if (errstr == NULL) |
||
1375 |
return port; |
||
1376 |
if (errno != EINVAL) |
||
1377 |
errx(1, "port number %s: %s", errstr, portstr); |
||
1378 |
if ((entry = getservbyname(portstr, proto)) == NULL) |
||
1379 |
errx(1, "service \"%s\" unknown", portstr); |
||
1380 |
return ntohs(entry->s_port); |
||
1381 |
} |
||
1382 |
|||
1383 |
/* |
||
1384 |
* build_ports() |
||
1385 |
* Build an array of ports in portlist[], listing each port |
||
1386 |
* that we should try to connect to. |
||
1387 |
*/ |
||
1388 |
void |
||
1389 |
build_ports(char *p) |
||
1390 |
{ |
||
1391 |
char *n; |
||
1392 |
int hi, lo, cp; |
||
1393 |
int x = 0; |
||
1394 |
|||
1395 |
if ((n = strchr(p, '-')) != NULL) { |
||
1396 |
*n = '\0'; |
||
1397 |
n++; |
||
1398 |
|||
1399 |
/* Make sure the ports are in order: lowest->highest. */ |
||
1400 |
hi = strtoport(n, uflag); |
||
1401 |
lo = strtoport(p, uflag); |
||
1402 |
if (lo > hi) { |
||
1403 |
cp = hi; |
||
1404 |
hi = lo; |
||
1405 |
lo = cp; |
||
1406 |
} |
||
1407 |
|||
1408 |
/* |
||
1409 |
* Initialize portlist with a random permutation. Based on |
||
1410 |
* Knuth, as in ip_randomid() in sys/netinet/ip_id.c. |
||
1411 |
*/ |
||
1412 |
if (rflag) { |
||
1413 |
for (x = 0; x <= hi - lo; x++) { |
||
1414 |
cp = arc4random_uniform(x + 1); |
||
1415 |
portlist[x] = portlist[cp]; |
||
1416 |
if (asprintf(&portlist[cp], "%d", x + lo) < 0) |
||
1417 |
err(1, "asprintf"); |
||
1418 |
} |
||
1419 |
} else { /* Load ports sequentially. */ |
||
1420 |
for (cp = lo; cp <= hi; cp++) { |
||
1421 |
if (asprintf(&portlist[x], "%d", cp) < 0) |
||
1422 |
err(1, "asprintf"); |
||
1423 |
x++; |
||
1424 |
} |
||
1425 |
} |
||
1426 |
} else { |
||
1427 |
char *tmp; |
||
1428 |
|||
1429 |
hi = strtoport(p, uflag); |
||
1430 |
if (asprintf(&tmp, "%d", hi) != -1) |
||
1431 |
portlist[0] = tmp; |
||
1432 |
else |
||
1433 |
err(1, NULL); |
||
1434 |
} |
||
1435 |
} |
||
1436 |
|||
1437 |
/* |
||
1438 |
* udptest() |
||
1439 |
* Do a few writes to see if the UDP port is there. |
||
1440 |
* Fails once PF state table is full. |
||
1441 |
*/ |
||
1442 |
int |
||
1443 |
udptest(int s) |
||
1444 |
{ |
||
1445 |
int i, ret; |
||
1446 |
|||
1447 |
for (i = 0; i <= 3; i++) { |
||
1448 |
if (write(s, "X", 1) == 1) |
||
1449 |
ret = 1; |
||
1450 |
else |
||
1451 |
ret = -1; |
||
1452 |
} |
||
1453 |
return ret; |
||
1454 |
} |
||
1455 |
|||
1456 |
void |
||
1457 |
set_common_sockopts(int s, int af) |
||
1458 |
{ |
||
1459 |
90 |
int x = 1; |
|
1460 |
|||
1461 |
✗✓ | 45 |
if (Sflag) { |
1462 |
if (setsockopt(s, IPPROTO_TCP, TCP_MD5SIG, |
||
1463 |
&x, sizeof(x)) == -1) |
||
1464 |
err(1, NULL); |
||
1465 |
} |
||
1466 |
✗✓ | 45 |
if (Dflag) { |
1467 |
if (setsockopt(s, SOL_SOCKET, SO_DEBUG, |
||
1468 |
&x, sizeof(x)) == -1) |
||
1469 |
err(1, NULL); |
||
1470 |
} |
||
1471 |
✗✓ | 45 |
if (Tflag != -1) { |
1472 |
if (af == AF_INET && setsockopt(s, IPPROTO_IP, |
||
1473 |
IP_TOS, &Tflag, sizeof(Tflag)) == -1) |
||
1474 |
err(1, "set IP ToS"); |
||
1475 |
|||
1476 |
else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, |
||
1477 |
IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1) |
||
1478 |
err(1, "set IPv6 traffic class"); |
||
1479 |
} |
||
1480 |
✗✓ | 45 |
if (Iflag) { |
1481 |
if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, |
||
1482 |
&Iflag, sizeof(Iflag)) == -1) |
||
1483 |
err(1, "set TCP receive buffer size"); |
||
1484 |
} |
||
1485 |
✗✓ | 45 |
if (Oflag) { |
1486 |
if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, |
||
1487 |
&Oflag, sizeof(Oflag)) == -1) |
||
1488 |
err(1, "set TCP send buffer size"); |
||
1489 |
} |
||
1490 |
|||
1491 |
✗✓ | 45 |
if (ttl != -1) { |
1492 |
if (af == AF_INET && setsockopt(s, IPPROTO_IP, |
||
1493 |
IP_TTL, &ttl, sizeof(ttl))) |
||
1494 |
err(1, "set IP TTL"); |
||
1495 |
|||
1496 |
else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, |
||
1497 |
IPV6_UNICAST_HOPS, &ttl, sizeof(ttl))) |
||
1498 |
err(1, "set IPv6 unicast hops"); |
||
1499 |
} |
||
1500 |
|||
1501 |
✗✓ | 45 |
if (minttl != -1) { |
1502 |
if (af == AF_INET && setsockopt(s, IPPROTO_IP, |
||
1503 |
IP_MINTTL, &minttl, sizeof(minttl))) |
||
1504 |
err(1, "set IP min TTL"); |
||
1505 |
|||
1506 |
else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, |
||
1507 |
IPV6_MINHOPCOUNT, &minttl, sizeof(minttl))) |
||
1508 |
err(1, "set IPv6 min hop count"); |
||
1509 |
} |
||
1510 |
45 |
} |
|
1511 |
|||
1512 |
int |
||
1513 |
map_tos(char *s, int *val) |
||
1514 |
{ |
||
1515 |
/* DiffServ Codepoints and other TOS mappings */ |
||
1516 |
const struct toskeywords { |
||
1517 |
const char *keyword; |
||
1518 |
int val; |
||
1519 |
} *t, toskeywords[] = { |
||
1520 |
{ "af11", IPTOS_DSCP_AF11 }, |
||
1521 |
{ "af12", IPTOS_DSCP_AF12 }, |
||
1522 |
{ "af13", IPTOS_DSCP_AF13 }, |
||
1523 |
{ "af21", IPTOS_DSCP_AF21 }, |
||
1524 |
{ "af22", IPTOS_DSCP_AF22 }, |
||
1525 |
{ "af23", IPTOS_DSCP_AF23 }, |
||
1526 |
{ "af31", IPTOS_DSCP_AF31 }, |
||
1527 |
{ "af32", IPTOS_DSCP_AF32 }, |
||
1528 |
{ "af33", IPTOS_DSCP_AF33 }, |
||
1529 |
{ "af41", IPTOS_DSCP_AF41 }, |
||
1530 |
{ "af42", IPTOS_DSCP_AF42 }, |
||
1531 |
{ "af43", IPTOS_DSCP_AF43 }, |
||
1532 |
{ "critical", IPTOS_PREC_CRITIC_ECP }, |
||
1533 |
{ "cs0", IPTOS_DSCP_CS0 }, |
||
1534 |
{ "cs1", IPTOS_DSCP_CS1 }, |
||
1535 |
{ "cs2", IPTOS_DSCP_CS2 }, |
||
1536 |
{ "cs3", IPTOS_DSCP_CS3 }, |
||
1537 |
{ "cs4", IPTOS_DSCP_CS4 }, |
||
1538 |
{ "cs5", IPTOS_DSCP_CS5 }, |
||
1539 |
{ "cs6", IPTOS_DSCP_CS6 }, |
||
1540 |
{ "cs7", IPTOS_DSCP_CS7 }, |
||
1541 |
{ "ef", IPTOS_DSCP_EF }, |
||
1542 |
{ "inetcontrol", IPTOS_PREC_INTERNETCONTROL }, |
||
1543 |
{ "lowdelay", IPTOS_LOWDELAY }, |
||
1544 |
{ "netcontrol", IPTOS_PREC_NETCONTROL }, |
||
1545 |
{ "reliability", IPTOS_RELIABILITY }, |
||
1546 |
{ "throughput", IPTOS_THROUGHPUT }, |
||
1547 |
{ NULL, -1 }, |
||
1548 |
}; |
||
1549 |
|||
1550 |
for (t = toskeywords; t->keyword != NULL; t++) { |
||
1551 |
if (strcmp(s, t->keyword) == 0) { |
||
1552 |
*val = t->val; |
||
1553 |
return 1; |
||
1554 |
} |
||
1555 |
} |
||
1556 |
|||
1557 |
return 0; |
||
1558 |
} |
||
1559 |
|||
1560 |
int |
||
1561 |
map_tls(char *s, int *val) |
||
1562 |
{ |
||
1563 |
const struct tlskeywords { |
||
1564 |
const char *keyword; |
||
1565 |
int val; |
||
1566 |
} *t, tlskeywords[] = { |
||
1567 |
{ "tlsall", TLS_ALL }, |
||
1568 |
{ "noverify", TLS_NOVERIFY }, |
||
1569 |
{ "noname", TLS_NONAME }, |
||
1570 |
{ "clientcert", TLS_CCERT}, |
||
1571 |
{ "muststaple", TLS_MUSTSTAPLE}, |
||
1572 |
{ "tlscompat", TLS_COMPAT }, |
||
1573 |
{ NULL, -1 }, |
||
1574 |
}; |
||
1575 |
|||
1576 |
for (t = tlskeywords; t->keyword != NULL; t++) { |
||
1577 |
if (strcmp(s, t->keyword) == 0) { |
||
1578 |
*val |= t->val; |
||
1579 |
return 1; |
||
1580 |
} |
||
1581 |
} |
||
1582 |
return 0; |
||
1583 |
} |
||
1584 |
|||
1585 |
void |
||
1586 |
save_peer_cert(struct tls *tls_ctx, FILE *fp) |
||
1587 |
{ |
||
1588 |
const char *pem; |
||
1589 |
size_t plen; |
||
1590 |
|||
1591 |
if ((pem = tls_peer_cert_chain_pem(tls_ctx, &plen)) == NULL) |
||
1592 |
errx(1, "Can't get peer certificate"); |
||
1593 |
if (fprintf(fp, "%.*s", (int)plen, pem) < 0) |
||
1594 |
err(1, "unable to save peer cert"); |
||
1595 |
if (fflush(fp) != 0) |
||
1596 |
err(1, "unable to flush peer cert"); |
||
1597 |
} |
||
1598 |
|||
1599 |
void |
||
1600 |
report_tls(struct tls * tls_ctx, char * host) |
||
1601 |
{ |
||
1602 |
time_t t; |
||
1603 |
const char *ocsp_url; |
||
1604 |
|||
1605 |
fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n", |
||
1606 |
tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host); |
||
1607 |
fprintf(stderr, "Peer name: %s\n", |
||
1608 |
tls_expectname ? tls_expectname : host); |
||
1609 |
if (tls_peer_cert_subject(tls_ctx)) |
||
1610 |
fprintf(stderr, "Subject: %s\n", |
||
1611 |
tls_peer_cert_subject(tls_ctx)); |
||
1612 |
if (tls_peer_cert_issuer(tls_ctx)) |
||
1613 |
fprintf(stderr, "Issuer: %s\n", |
||
1614 |
tls_peer_cert_issuer(tls_ctx)); |
||
1615 |
if ((t = tls_peer_cert_notbefore(tls_ctx)) != -1) |
||
1616 |
fprintf(stderr, "Valid From: %s", ctime(&t)); |
||
1617 |
if ((t = tls_peer_cert_notafter(tls_ctx)) != -1) |
||
1618 |
fprintf(stderr, "Valid Until: %s", ctime(&t)); |
||
1619 |
if (tls_peer_cert_hash(tls_ctx)) |
||
1620 |
fprintf(stderr, "Cert Hash: %s\n", |
||
1621 |
tls_peer_cert_hash(tls_ctx)); |
||
1622 |
ocsp_url = tls_peer_ocsp_url(tls_ctx); |
||
1623 |
if (ocsp_url != NULL) |
||
1624 |
fprintf(stderr, "OCSP URL: %s\n", ocsp_url); |
||
1625 |
switch (tls_peer_ocsp_response_status(tls_ctx)) { |
||
1626 |
case TLS_OCSP_RESPONSE_SUCCESSFUL: |
||
1627 |
fprintf(stderr, "OCSP Stapling: %s\n", |
||
1628 |
tls_peer_ocsp_result(tls_ctx) == NULL ? "" : |
||
1629 |
tls_peer_ocsp_result(tls_ctx)); |
||
1630 |
fprintf(stderr, |
||
1631 |
" response_status=%d cert_status=%d crl_reason=%d\n", |
||
1632 |
tls_peer_ocsp_response_status(tls_ctx), |
||
1633 |
tls_peer_ocsp_cert_status(tls_ctx), |
||
1634 |
tls_peer_ocsp_crl_reason(tls_ctx)); |
||
1635 |
t = tls_peer_ocsp_this_update(tls_ctx); |
||
1636 |
fprintf(stderr, " this update: %s", |
||
1637 |
t != -1 ? ctime(&t) : "\n"); |
||
1638 |
t = tls_peer_ocsp_next_update(tls_ctx); |
||
1639 |
fprintf(stderr, " next update: %s", |
||
1640 |
t != -1 ? ctime(&t) : "\n"); |
||
1641 |
t = tls_peer_ocsp_revocation_time(tls_ctx); |
||
1642 |
fprintf(stderr, " revocation: %s", |
||
1643 |
t != -1 ? ctime(&t) : "\n"); |
||
1644 |
break; |
||
1645 |
case -1: |
||
1646 |
break; |
||
1647 |
default: |
||
1648 |
fprintf(stderr, "OCSP Stapling: failure - response_status %d (%s)\n", |
||
1649 |
tls_peer_ocsp_response_status(tls_ctx), |
||
1650 |
tls_peer_ocsp_result(tls_ctx) == NULL ? "" : |
||
1651 |
tls_peer_ocsp_result(tls_ctx)); |
||
1652 |
break; |
||
1653 |
|||
1654 |
} |
||
1655 |
} |
||
1656 |
|||
1657 |
void |
||
1658 |
report_connect(const struct sockaddr *sa, socklen_t salen, char *path) |
||
1659 |
{ |
||
1660 |
char remote_host[NI_MAXHOST]; |
||
1661 |
char remote_port[NI_MAXSERV]; |
||
1662 |
int herr; |
||
1663 |
int flags = NI_NUMERICSERV; |
||
1664 |
|||
1665 |
if (path != NULL) { |
||
1666 |
fprintf(stderr, "Connection on %s received!\n", path); |
||
1667 |
return; |
||
1668 |
} |
||
1669 |
|||
1670 |
if (nflag) |
||
1671 |
flags |= NI_NUMERICHOST; |
||
1672 |
|||
1673 |
if ((herr = getnameinfo(sa, salen, |
||
1674 |
remote_host, sizeof(remote_host), |
||
1675 |
remote_port, sizeof(remote_port), |
||
1676 |
flags)) != 0) { |
||
1677 |
if (herr == EAI_SYSTEM) |
||
1678 |
err(1, "getnameinfo"); |
||
1679 |
else |
||
1680 |
errx(1, "getnameinfo: %s", gai_strerror(herr)); |
||
1681 |
} |
||
1682 |
|||
1683 |
fprintf(stderr, |
||
1684 |
"Connection from %s %s " |
||
1685 |
"received!\n", remote_host, remote_port); |
||
1686 |
} |
||
1687 |
|||
1688 |
void |
||
1689 |
help(void) |
||
1690 |
{ |
||
1691 |
usage(0); |
||
1692 |
fprintf(stderr, "\tCommand Summary:\n\ |
||
1693 |
\t-4 Use IPv4\n\ |
||
1694 |
\t-6 Use IPv6\n\ |
||
1695 |
\t-C certfile Public key file\n\ |
||
1696 |
\t-c Use TLS\n\ |
||
1697 |
\t-D Enable the debug socket option\n\ |
||
1698 |
\t-d Detach from stdin\n\ |
||
1699 |
\t-e name\t Required name in peer certificate\n\ |
||
1700 |
\t-F Pass socket fd\n\ |
||
1701 |
\t-H hash\t Hash string of peer certificate\n\ |
||
1702 |
\t-h This help text\n\ |
||
1703 |
\t-I length TCP receive buffer length\n\ |
||
1704 |
\t-i interval Delay interval for lines sent, ports scanned\n\ |
||
1705 |
\t-K keyfile Private key file\n\ |
||
1706 |
\t-k Keep inbound sockets open for multiple connects\n\ |
||
1707 |
\t-l Listen mode, for inbound connects\n\ |
||
1708 |
\t-M ttl Outgoing TTL / Hop Limit\n\ |
||
1709 |
\t-m minttl Minimum incoming TTL / Hop Limit\n\ |
||
1710 |
\t-N Shutdown the network socket after EOF on stdin\n\ |
||
1711 |
\t-n Suppress name/port resolutions\n\ |
||
1712 |
\t-O length TCP send buffer length\n\ |
||
1713 |
\t-o staplefile Staple file\n\ |
||
1714 |
\t-P proxyuser\tUsername for proxy authentication\n\ |
||
1715 |
\t-p port\t Specify local port for remote connects\n\ |
||
1716 |
\t-R CAfile CA bundle\n\ |
||
1717 |
\t-r Randomize remote ports\n\ |
||
1718 |
\t-S Enable the TCP MD5 signature option\n\ |
||
1719 |
\t-s source Local source address\n\ |
||
1720 |
\t-T keyword TOS value or TLS options\n\ |
||
1721 |
\t-t Answer TELNET negotiation\n\ |
||
1722 |
\t-U Use UNIX domain socket\n\ |
||
1723 |
\t-u UDP mode\n\ |
||
1724 |
\t-V rtable Specify alternate routing table\n\ |
||
1725 |
\t-v Verbose\n\ |
||
1726 |
\t-W recvlimit Terminate after receiving a number of packets\n\ |
||
1727 |
\t-w timeout Timeout for connects and final net reads\n\ |
||
1728 |
\t-X proto Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\ |
||
1729 |
\t-x addr[:port]\tSpecify proxy address and port\n\ |
||
1730 |
\t-Z Peer certificate file\n\ |
||
1731 |
\t-z Zero-I/O mode [used for scanning]\n\ |
||
1732 |
Port numbers can be individual or ranges: lo-hi [inclusive]\n"); |
||
1733 |
exit(1); |
||
1734 |
} |
||
1735 |
|||
1736 |
void |
||
1737 |
usage(int ret) |
||
1738 |
{ |
||
1739 |
fprintf(stderr, |
||
1740 |
"usage: nc [-46cDdFhklNnrStUuvz] [-C certfile] [-e name] " |
||
1741 |
"[-H hash] [-I length]\n" |
||
1742 |
"\t [-i interval] [-K keyfile] [-M ttl] [-m minttl] [-O length]\n" |
||
1743 |
"\t [-o staplefile] [-P proxy_username] [-p source_port] " |
||
1744 |
"[-R CAfile]\n" |
||
1745 |
"\t [-s source] [-T keyword] [-V rtable] [-W recvlimit] " |
||
1746 |
"[-w timeout]\n" |
||
1747 |
"\t [-X proxy_protocol] [-x proxy_address[:port]] " |
||
1748 |
"[-Z peercertfile]\n" |
||
1749 |
"\t [destination] [port]\n"); |
||
1750 |
if (ret) |
||
1751 |
exit(1); |
||
1752 |
} |
| Generated by: GCOVR (Version 3.3) |