summaryrefslogtreecommitdiff
path: root/package/netcat-openbsd/src/netcat.c
diff options
context:
space:
mode:
Diffstat (limited to 'package/netcat-openbsd/src/netcat.c')
-rw-r--r--package/netcat-openbsd/src/netcat.c2305
1 files changed, 2305 insertions, 0 deletions
diff --git a/package/netcat-openbsd/src/netcat.c b/package/netcat-openbsd/src/netcat.c
new file mode 100644
index 000000000..bd7344fb4
--- /dev/null
+++ b/package/netcat-openbsd/src/netcat.c
@@ -0,0 +1,2305 @@
+/* $OpenBSD: netcat.c,v 1.217 2020/02/12 14:46:36 schwarze Exp $ */
+/*
+ * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
+ * Copyright (c) 2015 Bob Beck. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Re-written nc(1) for OpenBSD. Original implementation by
+ * *Hobbit* <hobbit@avian.org>.
+ */
+
+#define _GNU_SOURCE
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/uio.h>
+#include <sys/un.h>
+
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <netinet/ip.h>
+#include <arpa/telnet.h>
+#ifdef __linux__
+# include <linux/in6.h>
+#endif
+#if defined(TCP_MD5SIG_EXT) && defined(TCP_MD5SIG_MAXKEYLEN)
+# include <bsd/readpassphrase.h>
+#endif
+
+#ifndef IPTOS_LOWDELAY
+# define IPTOS_LOWDELAY 0x10
+# define IPTOS_THROUGHPUT 0x08
+# define IPTOS_RELIABILITY 0x04
+# define IPTOS_LOWCOST 0x02
+# define IPTOS_MINCOST IPTOS_LOWCOST
+#endif /* IPTOS_LOWDELAY */
+
+# ifndef IPTOS_DSCP_AF11
+# define IPTOS_DSCP_AF11 0x28
+# define IPTOS_DSCP_AF12 0x30
+# define IPTOS_DSCP_AF13 0x38
+# define IPTOS_DSCP_AF21 0x48
+# define IPTOS_DSCP_AF22 0x50
+# define IPTOS_DSCP_AF23 0x58
+# define IPTOS_DSCP_AF31 0x68
+# define IPTOS_DSCP_AF32 0x70
+# define IPTOS_DSCP_AF33 0x78
+# define IPTOS_DSCP_AF41 0x88
+# define IPTOS_DSCP_AF42 0x90
+# define IPTOS_DSCP_AF43 0x98
+# define IPTOS_DSCP_EF 0xb8
+#endif /* IPTOS_DSCP_AF11 */
+
+#ifndef IPTOS_DSCP_CS0
+# define IPTOS_DSCP_CS0 0x00
+# define IPTOS_DSCP_CS1 0x20
+# define IPTOS_DSCP_CS2 0x40
+# define IPTOS_DSCP_CS3 0x60
+# define IPTOS_DSCP_CS4 0x80
+# define IPTOS_DSCP_CS5 0xa0
+# define IPTOS_DSCP_CS6 0xc0
+# define IPTOS_DSCP_CS7 0xe0
+#endif /* IPTOS_DSCP_CS0 */
+
+#ifndef IPTOS_DSCP_EF
+# define IPTOS_DSCP_EF 0xb8
+#endif /* IPTOS_DSCP_EF */
+
+
+#include <ctype.h>
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <netdb.h>
+#include <poll.h>
+#include <signal.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#ifdef TLS
+# include <tls.h>
+#endif
+#include <unistd.h>
+#include <bsd/stdlib.h>
+#include <bsd/string.h>
+
+#include "atomicio.h"
+
+#define PORT_MAX 65535
+#define UNIX_DG_TMP_SOCKET_SIZE 19
+
+#define POLL_STDIN 0
+#define POLL_NETOUT 1
+#define POLL_NETIN 2
+#define POLL_STDOUT 3
+#define BUFSIZE 16384
+
+#ifdef TLS
+# define TLS_NOVERIFY (1 << 1)
+# define TLS_NONAME (1 << 2)
+# define TLS_CCERT (1 << 3)
+# define TLS_MUSTSTAPLE (1 << 4)
+#endif
+
+#define CONNECTION_SUCCESS 0
+#define CONNECTION_FAILED 1
+#define CONNECTION_TIMEOUT 2
+
+#define UDP_SCAN_TIMEOUT 3 /* Seconds */
+
+/* Command Line Options */
+int bflag; /* Allow Broadcast */
+int dflag; /* detached, no stdin */
+int Fflag; /* fdpass sock to stdout */
+unsigned int iflag; /* Interval Flag */
+int kflag; /* More than one connect */
+int lflag; /* Bind to local port */
+int Nflag; /* shutdown() network socket */
+int nflag; /* Don't do name look up */
+char *Pflag; /* Proxy username */
+char *pflag; /* Localport flag */
+int qflag = -1; /* Quit after some secs */
+int rflag; /* Random ports flag */
+char *sflag; /* Source Address */
+int tflag; /* Telnet Emulation */
+int uflag; /* UDP - Default to TCP */
+int dccpflag; /* DCCP - Default to TCP */
+int vflag; /* Verbosity */
+int xflag; /* Socks proxy */
+int zflag; /* Port Scan Flag */
+int Dflag; /* sodebug */
+int Iflag; /* TCP receive buffer size */
+int Oflag; /* TCP send buffer size */
+int Sflag; /* TCP MD5 signature option */
+int Tflag = -1; /* IP Type of Service */
+int rtableid = -1;
+
+# if defined(TLS)
+int usetls; /* use TLS */
+const char *Cflag; /* Public cert file */
+const char *Kflag; /* Private key file */
+const char *oflag; /* OCSP stapling file */
+const char *Rflag; /* Root CA file */
+int tls_cachanged; /* Using non-default CA file */
+int TLSopt; /* TLS options */
+char *tls_expectname; /* required name in peer cert */
+char *tls_expecthash; /* required hash of peer cert */
+char *tls_ciphers; /* TLS ciphers */
+char *tls_protocols; /* TLS protocols */
+FILE *Zflag; /* file to save peer cert */
+# else
+int Cflag = 0; /* CRLF line-ending */
+# endif
+
+# if defined(TCP_MD5SIG_EXT) && defined(TCP_MD5SIG_MAXKEYLEN)
+char Sflag_password[TCP_MD5SIG_MAXKEYLEN];
+# endif
+int recvcount, recvlimit;
+int timeout = -1;
+int family = AF_UNSPEC;
+char *portlist[PORT_MAX+1];
+char *unix_dg_tmp_socket;
+int ttl = -1;
+int minttl = -1;
+
+void atelnet(int, unsigned char *, unsigned int);
+int strtoport(char *portstr, int udp);
+void build_ports(char **);
+void help(void) __attribute__((noreturn));
+int local_listen(const char *, const char *, struct addrinfo);
+# if defined(TLS)
+void readwrite(int, struct tls *);
+# else
+void readwrite(int);
+# endif
+void fdpass(int nfd) __attribute__((noreturn));
+int remote_connect(const char *, const char *, struct addrinfo, char *);
+# if defined(TLS)
+int timeout_tls(int, struct tls *, int (*)(struct tls *));
+# endif
+int timeout_connect(int, const struct sockaddr *, socklen_t);
+int socks_connect(const char *, const char *, struct addrinfo,
+ const char *, const char *, struct addrinfo, int, const char *);
+int udptest(int);
+int unix_bind(char *, int);
+int unix_connect(char *);
+int unix_listen(char *);
+void set_common_sockopts(int, const struct sockaddr *);
+int process_tos_opt(char *, int *);
+# if defined(TLS)
+int process_tls_opt(char *, int *);
+void save_peer_cert(struct tls *_tls_ctx, FILE *_fp);
+# endif
+void report_sock(const char *, const struct sockaddr *, socklen_t, char *);
+# if defined(TLS)
+void report_tls(struct tls *tls_ctx, char * host);
+# endif
+void usage(int);
+# if defined(TLS)
+ssize_t drainbuf(int, unsigned char *, size_t *, struct tls *);
+ssize_t fillbuf(int, unsigned char *, size_t *, struct tls *);
+void tls_setup_client(struct tls *, int, char *);
+struct tls *tls_setup_server(struct tls *, int, char *);
+# else
+ssize_t drainbuf(int, unsigned char *, size_t *, int);
+ssize_t fillbuf(int, unsigned char *, size_t *);
+# endif
+
+char *proto_name(int uflag, int dccpflag);
+static int connect_with_timeout(int fd, const struct sockaddr *sa,
+ socklen_t salen, int ctimeout);
+
+static void quit();
+
+int
+main(int argc, char *argv[])
+{
+ int ch, s = -1, ret, socksv;
+ char *host, **uport;
+ char ipaddr[NI_MAXHOST];
+ struct addrinfo hints;
+ struct servent *sv;
+ socklen_t len;
+ union {
+ struct sockaddr_storage storage;
+ struct sockaddr_un forunix;
+ } cliaddr;
+ char *proxy = NULL, *proxyport = NULL;
+ const char *errstr;
+ struct addrinfo proxyhints;
+ char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
+# if defined(TLS)
+ struct tls_config *tls_cfg = NULL;
+ struct tls *tls_ctx = NULL;
+# endif
+ uint32_t protocols;
+
+ ret = 1;
+ socksv = 5;
+ host = NULL;
+ uport = NULL;
+ sv = NULL;
+# if defined(TLS)
+ Rflag = tls_default_ca_cert_file();
+# endif
+
+ signal(SIGPIPE, SIG_IGN);
+
+ while ((ch = getopt(argc, argv,
+# if defined(TLS)
+ "46bC:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vW:w:X:x:Z:z"))
+# else
+ "46bCDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vW:w:X:x:Zz"))
+# endif
+ != -1) {
+ switch (ch) {
+ case '4':
+ family = AF_INET;
+ break;
+ case '6':
+ family = AF_INET6;
+ break;
+ case 'b':
+# if defined(SO_BROADCAST)
+ bflag = 1;
+# else
+ errx(1, "no broadcast frame support available");
+# endif
+ break;
+ case 'U':
+ family = AF_UNIX;
+ break;
+ case 'X':
+ if (strcasecmp(optarg, "connect") == 0)
+ socksv = -1; /* HTTP proxy CONNECT */
+ else if (strcmp(optarg, "4") == 0)
+ socksv = 4; /* SOCKS v.4 */
+ else if (strcmp(optarg, "5") == 0)
+ socksv = 5; /* SOCKS v.5 */
+ else
+ errx(1, "unsupported proxy protocol");
+ break;
+# if defined(TLS)
+ case 'C':
+ Cflag = optarg;
+ break;
+ case 'c':
+ usetls = 1;
+ break;
+# else
+ case 'C':
+ Cflag = 1;
+ break;
+# endif
+ case 'd':
+ dflag = 1;
+ break;
+# if defined(TLS)
+ case 'e':
+ tls_expectname = optarg;
+ break;
+# endif
+ case 'F':
+ Fflag = 1;
+ break;
+# if defined(TLS)
+ case 'H':
+ tls_expecthash = optarg;
+ break;
+# endif
+ case 'h':
+ help();
+ break;
+ case 'i':
+ iflag = strtonum(optarg, 0, UINT_MAX, &errstr);
+ if (errstr)
+ errx(1, "interval %s: %s", errstr, optarg);
+ break;
+# if defined(TLS)
+ case 'K':
+ Kflag = optarg;
+ break;
+# endif
+ case 'k':
+ kflag = 1;
+ break;
+ case 'l':
+ lflag = 1;
+ break;
+ case 'M':
+ ttl = strtonum(optarg, 0, 255, &errstr);
+ if (errstr)
+ errx(1, "ttl is %s", errstr);
+ break;
+ case 'm':
+ minttl = strtonum(optarg, 0, 255, &errstr);
+ if (errstr)
+ errx(1, "minttl is %s", errstr);
+ break;
+ case 'N':
+ Nflag = 1;
+ break;
+ case 'n':
+ nflag = 1;
+ break;
+ case 'P':
+ Pflag = optarg;
+ break;
+ case 'p':
+ pflag = optarg;
+ break;
+ case 'q':
+ qflag = strtonum(optarg, INT_MIN, INT_MAX, &errstr);
+ if (errstr)
+ errx(1, "quit timer %s: %s", errstr, optarg);
+ if (qflag >= 0)
+ Nflag = 1;
+ break;
+# if defined(TLS)
+ case 'R':
+ tls_cachanged = 1;
+ Rflag = optarg;
+ break;
+# endif
+ case 'r':
+ rflag = 1;
+ break;
+ case 's':
+ sflag = optarg;
+ break;
+ case 't':
+ tflag = 1;
+ break;
+ case 'u':
+ uflag = 1;
+ break;
+ case 'Z':
+# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP)
+ dccpflag = 1;
+# else
+ errx(1, "no DCCP support available");
+# endif
+ break;
+ case 'V':
+# if defined(RT_TABLEID_MAX)
+ rtableid = (int)strtonum(optarg, 0,
+ RT_TABLEID_MAX, &errstr);
+ if (errstr)
+ errx(1, "rtable %s: %s", errstr, optarg);
+# else
+ errx(1, "no alternate routing table support available");
+# endif
+ break;
+ case 'v':
+ vflag = 1;
+ break;
+ case 'W':
+ recvlimit = strtonum(optarg, 1, INT_MAX, &errstr);
+ if (errstr)
+ errx(1, "receive limit %s: %s", errstr, optarg);
+ break;
+ case 'w':
+ timeout = strtonum(optarg, 0, INT_MAX / 1000, &errstr);
+ if (errstr)
+ errx(1, "timeout %s: %s", errstr, optarg);
+ timeout *= 1000;
+ break;
+ case 'x':
+ xflag = 1;
+ if ((proxy = strdup(optarg)) == NULL)
+ err(1, NULL);
+ break;
+# if defined(TLS)
+ case 'Z':
+ if (strcmp(optarg, "-") == 0)
+ Zflag = stderr;
+ else if ((Zflag = fopen(optarg, "w")) == NULL)
+ err(1, "can't open %s", optarg);
+ break;
+# endif
+ case 'z':
+ zflag = 1;
+ break;
+ case 'D':
+ Dflag = 1;
+ break;
+ case 'I':
+ Iflag = strtonum(optarg, 1, 65536 << 14, &errstr);
+ if (errstr != NULL)
+ errx(1, "TCP receive window %s: %s",
+ errstr, optarg);
+ break;
+ case 'O':
+ Oflag = strtonum(optarg, 1, 65536 << 14, &errstr);
+ if (errstr != NULL)
+ errx(1, "TCP send window %s: %s",
+ errstr, optarg);
+ break;
+# if defined(TLS)
+ case 'o':
+ oflag = optarg;
+ break;
+# endif
+ case 'S':
+# if defined(TCP_MD5SIG_EXT) && defined(TCP_MD5SIG_MAXKEYLEN)
+ if (readpassphrase("TCP MD5SIG password: ",
+ Sflag_password, TCP_MD5SIG_MAXKEYLEN, RPP_REQUIRE_TTY) == NULL)
+ errx(1, "Unable to read TCP MD5SIG password");
+ Sflag = 1;
+# else
+ errx(1, "no TCP MD5 signature support available");
+# endif
+ break;
+ case 'T':
+ errstr = NULL;
+ errno = 0;
+# if defined(TLS)
+ if (process_tls_opt(optarg, &TLSopt))
+ break;
+# endif
+ if (process_tos_opt(optarg, &Tflag))
+ break;
+ if (strlen(optarg) > 1 && optarg[0] == '0' &&
+ optarg[1] == 'x')
+ Tflag = (int)strtol(optarg, NULL, 16);
+ else
+ Tflag = (int)strtonum(optarg, 0, 255,
+ &errstr);
+ if (Tflag < 0 || Tflag > 255 || errstr || errno)
+# if defined(TLS)
+ errx(1, "illegal tos/tls value %s", optarg);
+# else
+ errx(1, "illegal tos value %s", optarg);
+# endif
+ break;
+ default:
+ usage(1);
+ }
+ }
+ argc -= optind;
+ argv += optind;
+
+# if defined(RT_TABLEID_MAX)
+ if (rtableid >= 0)
+ if (setrtable(rtableid) == -1)
+ err(1, "setrtable");
+# endif
+
+ /* Cruft to make sure options are clean, and used properly. */
+ if (argc == 0 && lflag) {
+ uport = &pflag;
+ host = sflag;
+ } else if (argc == 1 && !pflag &&
+ /* `nc -l 12345` or `nc -U bar` or `nc -uU -s foo bar` */
+ (!sflag || (family == AF_UNIX && uflag && !lflag))) {
+ if (family == AF_UNIX) {
+ host = argv[0];
+ uport = NULL;
+ } else if (lflag) {
+ host = NULL;
+ uport = argv;
+ }
+ } else if (argc >= 2) {
+ if (lflag && (pflag || sflag || argc > 2))
+ usage(1); /* conflict */
+ host = argv[0];
+ uport = &argv[1];
+ } else
+ usage(1);
+
+ if (family == AF_UNIX) {
+# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP)
+ if (dccpflag)
+ errx(1, "cannot use -Z and -U");
+# endif
+ if (uport && *uport)
+ errx(1, "cannot use port with -U");
+ if (!host)
+ errx(1, "missing socket pathname");
+ } else if (!uport || !*uport)
+ errx(1, "missing port number");
+
+ if (lflag && zflag)
+ errx(1, "cannot use -z and -l");
+
+# if defined(TLS)
+ if (usetls) {
+ if (Cflag && unveil(Cflag, "r") == -1)
+ err(1, "unveil");
+ if (unveil(Rflag, "r") == -1)
+ err(1, "unveil");
+ if (Kflag && unveil(Kflag, "r") == -1)
+ err(1, "unveil");
+ if (oflag && unveil(oflag, "r") == -1)
+ err(1, "unveil");
+ } else if (family == AF_UNIX && uflag && lflag && !kflag) {
+ /*
+ * After recvfrom(2) from client, the server connects
+ * to the client socket. As the client path is determined
+ * during runtime, we cannot unveil(2).
+ */
+ } else {
+ if (family == AF_UNIX) {
+ if (unveil(host, "rwc") == -1)
+ err(1, "unveil");
+ if (uflag && !kflag) {
+ if (sflag) {
+ if (unveil(sflag, "rwc") == -1)
+ err(1, "unveil");
+ } else {
+ if (unveil("/tmp", "rwc") == -1)
+ err(1, "unveil");
+ }
+ }
+ } else {
+ /* no filesystem visibility */
+ if (unveil("/", "") == -1)
+ err(1, "unveil");
+ }
+ }
+# endif
+
+ if (!lflag && kflag)
+ errx(1, "must use -l with -k");
+# if defined(TLS)
+ if (uflag && usetls)
+ errx(1, "cannot use -c and -u");
+ if ((family == AF_UNIX) && usetls)
+ errx(1, "cannot use -c and -U");
+# endif
+ if ((family == AF_UNIX) && Fflag)
+ errx(1, "cannot use -F and -U");
+# if defined(TLS)
+ if (Fflag && usetls)
+ errx(1, "cannot use -c and -F");
+ if (TLSopt && !usetls)
+ errx(1, "you must specify -c to use TLS options");
+ if (Cflag && !usetls)
+ errx(1, "you must specify -c to use -C");
+ if (Kflag && !usetls)
+ errx(1, "you must specify -c to use -K");
+ if (Zflag && !usetls)
+ errx(1, "you must specify -c to use -Z");
+ if (oflag && !Cflag)
+ errx(1, "you must specify -C to use -o");
+ if (tls_cachanged && !usetls)
+ errx(1, "you must specify -c to use -R");
+ if (tls_expecthash && !usetls)
+ errx(1, "you must specify -c to use -H");
+ if (tls_expectname && !usetls)
+ errx(1, "you must specify -c to use -e");
+# endif
+
+ /* Get name of temporary socket for unix datagram client */
+ if ((family == AF_UNIX) && uflag && !lflag) {
+ if (sflag) {
+ unix_dg_tmp_socket = sflag;
+ } else {
+ strlcpy(unix_dg_tmp_socket_buf, "/tmp/nc.XXXXXXXXXX",
+ UNIX_DG_TMP_SOCKET_SIZE);
+ if (mkstemp(unix_dg_tmp_socket_buf) == -1)
+ err(1, "mkstemp");
+ unix_dg_tmp_socket = unix_dg_tmp_socket_buf;
+ }
+ }
+
+ /* Initialize addrinfo structure. */
+ if (family != AF_UNIX) {
+ memset(&hints, 0, sizeof(struct addrinfo));
+ hints.ai_family = family;
+ if (uflag) {
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_protocol = IPPROTO_UDP;
+ }
+# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP)
+ else if (dccpflag) {
+ hints.ai_socktype = SOCK_DCCP;
+ hints.ai_protocol = IPPROTO_DCCP;
+ }
+# endif
+ else {
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_protocol = IPPROTO_TCP;
+ }
+ if (nflag)
+ hints.ai_flags |= AI_NUMERICHOST;
+ }
+
+ if (xflag) {
+ if (uflag)
+ errx(1, "no proxy support for UDP mode");
+# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP)
+ if (dccpflag)
+ errx(1, "no proxy support for DCCP mode");
+# endif
+ if (lflag)
+ errx(1, "no proxy support for listen");
+
+ if (family == AF_UNIX)
+ errx(1, "no proxy support for unix sockets");
+
+ if (sflag)
+ errx(1, "no proxy support for local source address");
+
+ if (*proxy == '[') {
+ ++proxy;
+ proxyport = strchr(proxy, ']');
+ if (proxyport == NULL)
+ errx(1, "missing closing bracket in proxy");
+ *proxyport++ = '\0';
+ if (*proxyport == '\0')
+ /* Use default proxy port. */
+ proxyport = NULL;
+ else {
+ if (*proxyport == ':')
+ ++proxyport;
+ else
+ errx(1, "garbage proxy port delimiter");
+ }
+ } else {
+ proxyport = strrchr(proxy, ':');
+ if (proxyport != NULL)
+ *proxyport++ = '\0';
+ }
+
+ memset(&proxyhints, 0, sizeof(struct addrinfo));
+ proxyhints.ai_family = family;
+ proxyhints.ai_socktype = SOCK_STREAM;
+ proxyhints.ai_protocol = IPPROTO_TCP;
+ if (nflag)
+ proxyhints.ai_flags |= AI_NUMERICHOST;
+ }
+
+# if defined(TLS)
+ if (usetls) {
+ if ((tls_cfg = tls_config_new()) == NULL)
+ errx(1, "unable to allocate TLS config");
+ if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1)
+ errx(1, "%s", tls_config_error(tls_cfg));
+ if (Cflag && tls_config_set_cert_file(tls_cfg, Cflag) == -1)
+ errx(1, "%s", tls_config_error(tls_cfg));
+ if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1)
+ errx(1, "%s", tls_config_error(tls_cfg));
+ if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
+ errx(1, "%s", tls_config_error(tls_cfg));
+ if (tls_config_parse_protocols(&protocols, tls_protocols) == -1)
+ errx(1, "invalid TLS protocols `%s'", tls_protocols);
+ if (tls_config_set_protocols(tls_cfg, protocols) == -1)
+ errx(1, "%s", tls_config_error(tls_cfg));
+ if (tls_config_set_ciphers(tls_cfg, tls_ciphers) == -1)
+ errx(1, "%s", tls_config_error(tls_cfg));
+ if (!lflag && (TLSopt & TLS_CCERT))
+ errx(1, "clientcert is only valid with -l");
+ if (TLSopt & TLS_NONAME)
+ tls_config_insecure_noverifyname(tls_cfg);
+ if (TLSopt & TLS_NOVERIFY) {
+ if (tls_expecthash != NULL)
+ errx(1, "-H and -T noverify may not be used "
+ "together");
+ tls_config_insecure_noverifycert(tls_cfg);
+ }
+ if (TLSopt & TLS_MUSTSTAPLE)
+ tls_config_ocsp_require_stapling(tls_cfg);
+
+ if (Pflag) {
+ if (pledge("stdio inet dns tty", NULL) == -1)
+ err(1, "pledge");
+ } else if (pledge("stdio inet dns", NULL) == -1)
+ err(1, "pledge");
+ }
+# endif
+ if (lflag) {
+ ret = 0;
+
+ if (family == AF_UNIX) {
+ if (uflag)
+ s = unix_bind(host, 0);
+ else
+ s = unix_listen(host);
+ } else
+ s = local_listen(host, *uport, hints);
+ if (s < 0)
+ err(1, NULL);
+
+# if defined(TLS)
+ if (usetls) {
+ tls_config_verify_client_optional(tls_cfg);
+ if ((tls_ctx = tls_server()) == NULL)
+ errx(1, "tls server creation failed");
+ if (tls_configure(tls_ctx, tls_cfg) == -1)
+ errx(1, "tls configuration failed (%s)",
+ tls_error(tls_ctx));
+ }
+# endif
+ /* Allow only one connection at a time, but stay alive. */
+ for (;;) {
+ if (uflag && kflag) {
+ /*
+ * For UDP and -k, don't connect the socket,
+ * let it receive datagrams from multiple
+ * socket pairs.
+ */
+# if defined(TLS)
+ readwrite(s, NULL);
+# else
+ readwrite(s);
+# endif
+ } else if (uflag && !kflag) {
+ /*
+ * For UDP and not -k, we will use recvfrom()
+ * initially to wait for a caller, then use
+ * the regular functions to talk to the caller.
+ */
+ int rv;
+ char buf[2048];
+ struct sockaddr_storage z;
+
+ len = sizeof(z);
+ rv = recvfrom(s, buf, sizeof(buf), MSG_PEEK,
+ (struct sockaddr *)&z, &len);
+ if (rv == -1)
+ err(1, "recvfrom");
+
+ rv = connect(s, (struct sockaddr *)&z, len);
+ if (rv == -1)
+ err(1, "connect");
+
+ if (vflag)
+ report_sock("Connection received",
+ (struct sockaddr *)&z, len,
+ family == AF_UNIX ? host : NULL);
+
+# if defined(TLS)
+ readwrite(s, NULL);
+ } else {
+ struct tls *tls_cctx = NULL;
+# else
+ readwrite(s);
+ } else {
+# endif
+ int connfd;
+
+ len = sizeof(cliaddr);
+ connfd = accept4(s, (struct sockaddr *)&cliaddr,
+ &len, SOCK_NONBLOCK);
+ if (connfd == -1) {
+ /* For now, all errnos are fatal */
+ err(1, "accept");
+ }
+ if (vflag)
+ report_sock("Connection received",
+ (struct sockaddr *)&cliaddr, len,
+ family == AF_UNIX ? host : NULL);
+# if defined(TLS)
+ if ((usetls) &&
+ (tls_cctx = tls_setup_server(tls_ctx, connfd, host)))
+ readwrite(connfd, tls_cctx);
+ if (!usetls)
+ readwrite(connfd, NULL);
+ if (tls_cctx)
+ timeout_tls(s, tls_cctx, tls_close);
+ close(connfd);
+ tls_free(tls_cctx);
+# else
+ readwrite(connfd);
+ close(connfd);
+# endif
+ }
+ if (family == AF_UNIX && uflag) {
+ if (connect(s, NULL, 0) == -1)
+ err(1, "connect");
+ }
+
+ if (!kflag) {
+ if (s != -1)
+ close(s);
+ break;
+ }
+ }
+ } else if (family == AF_UNIX) {
+ ret = 0;
+
+ if ((s = unix_connect(host)) > 0) {
+ if (!zflag)
+# if defined(TLS)
+ readwrite(s, NULL);
+# else
+ readwrite(s);
+# endif
+ close(s);
+ } else {
+ warn("%s", host);
+ ret = 1;
+ }
+
+ if (uflag)
+ unlink(unix_dg_tmp_socket);
+ return ret;
+
+ } else {
+ int i = 0;
+
+ /* Construct the portlist[] array. */
+ build_ports(uport);
+
+ /* Cycle through portlist, connecting to each port. */
+ for (s = -1, i = 0; portlist[i] != NULL; i++) {
+ if (s != -1)
+ close(s);
+# if defined(TLS)
+ tls_free(tls_ctx);
+ tls_ctx = NULL;
+
+ if (usetls) {
+ if ((tls_ctx = tls_client()) == NULL)
+ errx(1, "tls client creation failed");
+ if (tls_configure(tls_ctx, tls_cfg) == -1)
+ errx(1, "tls configuration failed (%s)",
+ tls_error(tls_ctx));
+ }
+# endif
+ if (xflag)
+ s = socks_connect(host, portlist[i], hints,
+ proxy, proxyport, proxyhints, socksv,
+ Pflag);
+ else
+ s = remote_connect(host, portlist[i], hints,
+ ipaddr);
+
+ if (s == -1)
+ continue;
+
+ ret = 0;
+ if (vflag) {
+ /* For UDP, make sure we are connected. */
+ if (uflag) {
+ if (udptest(s) == -1) {
+ ret = 1;
+ continue;
+ }
+ }
+
+ char *proto = proto_name(uflag, dccpflag);
+ /* Don't look up port if -n. */
+ if (nflag)
+ sv = NULL;
+ else {
+ sv = getservbyport(
+ ntohs(atoi(portlist[i])),
+ proto);
+ }
+
+ fprintf(stderr, "Connection to %s", host);
+
+ /*
+ * if we aren't connecting thru a proxy and
+ * there is something to report, print IP
+ */
+ if (!nflag && !xflag
+ && (strcmp(host, ipaddr) != 0))
+ fprintf(stderr, " (%s)", ipaddr);
+
+ fprintf(stderr, " %s port [%s/%s] succeeded!\n",
+ portlist[i], proto,
+ sv ? sv->s_name : "*");
+ }
+ if (Fflag)
+ fdpass(s);
+# if defined(TLS)
+ else {
+ if (usetls)
+ tls_setup_client(tls_ctx, s, host);
+ if (!zflag)
+ readwrite(s, tls_ctx);
+ if (tls_ctx)
+ timeout_tls(s, tls_ctx, tls_close);
+ }
+# else
+ else if (!zflag)
+ readwrite(s);
+# endif
+ }
+ }
+
+ if (s != -1)
+ close(s);
+# if defined(TLS)
+ tls_free(tls_ctx);
+ tls_config_free(tls_cfg);
+# endif
+
+ return ret;
+}
+
+/*
+ * unix_bind()
+ * Returns a unix socket bound to the given path
+ */
+int
+unix_bind(char *path, int flags)
+{
+ struct sockaddr_un s_un;
+ int s, save_errno;
+
+ /* Create unix domain socket. */
+ if ((s = socket(AF_UNIX, flags | (uflag ? SOCK_DGRAM : SOCK_STREAM),
+ 0)) == -1)
+ return -1;
+
+ unlink(path);
+
+ memset(&s_un, 0, sizeof(struct sockaddr_un));
+ s_un.sun_family = AF_UNIX;
+
+ if (strlcpy(s_un.sun_path, path, sizeof(s_un.sun_path)) >=
+ sizeof(s_un.sun_path)) {
+ close(s);
+ errno = ENAMETOOLONG;
+ return -1;
+ }
+
+ if (bind(s, (struct sockaddr *)&s_un, sizeof(s_un)) == -1) {
+ save_errno = errno;
+ close(s);
+ errno = save_errno;
+ return -1;
+ }
+ if (vflag)
+ report_sock("Bound", NULL, 0, path);
+
+ return s;
+}
+
+# if defined(TLS)
+int
+timeout_tls(int s, struct tls *tls_ctx, int (*func)(struct tls *))
+{
+ struct pollfd pfd;
+ int ret;
+
+ while ((ret = (*func)(tls_ctx)) != 0) {
+ if (ret == TLS_WANT_POLLIN)
+ pfd.events = POLLIN;
+ else if (ret == TLS_WANT_POLLOUT)
+ pfd.events = POLLOUT;
+ else
+ break;
+ pfd.fd = s;
+ if ((ret = poll(&pfd, 1, timeout)) == 1)
+ continue;
+ else if (ret == 0) {
+ errno = ETIMEDOUT;
+ ret = -1;
+ break;
+ } else
+ err(1, "poll failed");
+ }
+
+ return ret;
+}
+
+void
+tls_setup_client(struct tls *tls_ctx, int s, char *host)
+{
+ const char *errstr;
+
+ if (tls_connect_socket(tls_ctx, s,
+ tls_expectname ? tls_expectname : host) == -1) {
+ errx(1, "tls connection failed (%s)",
+ tls_error(tls_ctx));
+ }
+ if (timeout_tls(s, tls_ctx, tls_handshake) == -1) {
+ if ((errstr = tls_error(tls_ctx)) == NULL)
+ errstr = strerror(errno);
+ errx(1, "tls handshake failed (%s)", errstr);
+ }
+ if (vflag)
+ report_tls(tls_ctx, host);
+ if (tls_expecthash && (tls_peer_cert_hash(tls_ctx) == NULL ||
+ strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0))
+ errx(1, "peer certificate is not %s", tls_expecthash);
+ if (Zflag) {
+ save_peer_cert(tls_ctx, Zflag);
+ if (Zflag != stderr && (fclose(Zflag) != 0))
+ err(1, "fclose failed saving peer cert");
+ }
+}
+
+struct tls *
+tls_setup_server(struct tls *tls_ctx, int connfd, char *host)
+{
+ struct tls *tls_cctx;
+ const char *errstr;
+
+ if (tls_accept_socket(tls_ctx, &tls_cctx, connfd) == -1) {
+ warnx("tls accept failed (%s)", tls_error(tls_ctx));
+ } else if (timeout_tls(connfd, tls_cctx, tls_handshake) == -1) {
+ if ((errstr = tls_error(tls_cctx)) == NULL)
+ errstr = strerror(errno);
+ warnx("tls handshake failed (%s)", errstr);
+ } else {
+ int gotcert = tls_peer_cert_provided(tls_cctx);
+
+ if (vflag && gotcert)
+ report_tls(tls_cctx, host);
+ if ((TLSopt & TLS_CCERT) && !gotcert)
+ warnx("No client certificate provided");
+ else if (gotcert && tls_expecthash &&
+ (tls_peer_cert_hash(tls_cctx) == NULL ||
+ strcmp(tls_expecthash, tls_peer_cert_hash(tls_cctx)) != 0))
+ warnx("peer certificate is not %s", tls_expecthash);
+ else if (gotcert && tls_expectname &&
+ (!tls_peer_cert_contains_name(tls_cctx, tls_expectname)))
+ warnx("name (%s) not found in client cert",
+ tls_expectname);
+ else {
+ return tls_cctx;
+ }
+ }
+ return NULL;
+}
+# endif
+
+/*
+ * unix_connect()
+ * Returns a socket connected to a local unix socket. Returns -1 on failure.
+ */
+int
+unix_connect(char *path)
+{
+ struct sockaddr_un s_un;
+ int s, save_errno;
+
+ if (uflag) {
+ if ((s = unix_bind(unix_dg_tmp_socket, SOCK_CLOEXEC)) == -1)
+ return -1;
+ } else {
+ if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) == -1) {
+ errx(1, "create unix socket failed");
+ return -1;
+ }
+ }
+
+ memset(&s_un, 0, sizeof(struct sockaddr_un));
+ s_un.sun_family = AF_UNIX;
+
+ if (strlcpy(s_un.sun_path, path, sizeof(s_un.sun_path)) >=
+ sizeof(s_un.sun_path)) {
+ close(s);
+ errno = ENAMETOOLONG;
+ warn("unix connect abandoned");
+ return -1;
+ }
+ if (connect(s, (struct sockaddr *)&s_un, sizeof(s_un)) == -1) {
+ save_errno = errno;
+ warn("unix connect failed");
+ close(s);
+ errno = save_errno;
+ return -1;
+ }
+ return s;
+
+}
+
+/*
+ * unix_listen()
+ * Create a unix domain socket, and listen on it.
+ */
+int
+unix_listen(char *path)
+{
+ int s;
+
+ if ((s = unix_bind(path, 0)) == -1)
+ return -1;
+ if (listen(s, 5) == -1) {
+ close(s);
+ return -1;
+ }
+ if (vflag)
+ report_sock("Listening", NULL, 0, path);
+
+ return s;
+}
+
+char *proto_name(int uflag, int dccpflag) {
+
+ char *proto = NULL;
+ if (uflag) {
+ proto = "udp";
+ }
+# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP)
+ else if (dccpflag) {
+ proto = "dccp";
+ }
+# endif
+ else {
+ proto = "tcp";
+ }
+
+ return proto;
+}
+
+/*
+ * remote_connect()
+ * Returns a socket connected to a remote host. Properly binds to a local
+ * port or source address if needed. Returns -1 on failure.
+ */
+int
+remote_connect(const char *host, const char *port, struct addrinfo hints,
+ char *ipaddr)
+{
+ struct addrinfo *res, *res0;
+ int s = -1, error, herr, on = 1, save_errno;
+
+ if ((error = getaddrinfo(host, port, &hints, &res0)))
+ errx(1, "getaddrinfo for host \"%s\" port %s: %s", host,
+ port, gai_strerror(error));
+
+ for (res = res0; res; res = res->ai_next) {
+ if ((s = socket(res->ai_family, res->ai_socktype |
+ SOCK_NONBLOCK, res->ai_protocol)) == -1)
+ continue;
+
+ /* Bind to a local port or source address if specified. */
+ if (sflag || pflag) {
+ struct addrinfo ahints, *ares;
+
+# if defined (SO_BINDANY)
+ /* try SO_BINDANY, but don't insist */
+ setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
+# endif
+ memset(&ahints, 0, sizeof(struct addrinfo));
+ ahints.ai_family = res->ai_family;
+ if (uflag) {
+ ahints.ai_socktype = SOCK_DGRAM;
+ ahints.ai_protocol = IPPROTO_UDP;
+
+ }
+# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP)
+ else if (dccpflag) {
+ hints.ai_socktype = SOCK_DCCP;
+ hints.ai_protocol = IPPROTO_DCCP;
+ }
+# endif
+ else {
+ ahints.ai_socktype = SOCK_STREAM;
+ ahints.ai_protocol = IPPROTO_TCP;
+ }
+ ahints.ai_flags = AI_PASSIVE;
+ if ((error = getaddrinfo(sflag, pflag, &ahints, &ares)))
+ errx(1, "getaddrinfo: %s", gai_strerror(error));
+
+ if (bind(s, (struct sockaddr *)ares->ai_addr,
+ ares->ai_addrlen) == -1)