clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name netcat.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/nc/obj -resource-dir /usr/local/llvm16/lib/clang/16 -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.bin/nc/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/usr.bin/nc/netcat.c
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |
11 | |
12 | |
13 | |
14 | |
15 | |
16 | |
17 | |
18 | |
19 | |
20 | |
21 | |
22 | |
23 | |
24 | |
25 | |
26 | |
27 | |
28 | |
29 | |
30 | |
31 | |
32 | |
33 | |
34 | |
35 | #include <sys/types.h> |
36 | #include <sys/socket.h> |
37 | #include <sys/uio.h> |
38 | #include <sys/un.h> |
39 | |
40 | #include <netinet/in.h> |
41 | #include <netinet/tcp.h> |
42 | #include <netinet/ip.h> |
43 | #include <arpa/telnet.h> |
44 | |
45 | #include <ctype.h> |
46 | #include <err.h> |
47 | #include <errno.h> |
48 | #include <limits.h> |
49 | #include <netdb.h> |
50 | #include <poll.h> |
51 | #include <signal.h> |
52 | #include <stdarg.h> |
53 | #include <stdio.h> |
54 | #include <stdlib.h> |
55 | #include <string.h> |
56 | #include <time.h> |
57 | #include <tls.h> |
58 | #include <unistd.h> |
59 | |
60 | #include "atomicio.h" |
61 | |
62 | #define PORT_MAX 65535 |
63 | #define UNIX_DG_TMP_SOCKET_SIZE 19 |
64 | |
65 | #define POLL_STDIN 0 |
66 | #define POLL_NETOUT 1 |
67 | #define POLL_NETIN 2 |
68 | #define POLL_STDOUT 3 |
69 | #define BUFSIZE 16384 |
70 | |
71 | #define TLS_NOVERIFY (1 << 1) |
72 | #define TLS_NONAME (1 << 2) |
73 | #define TLS_CCERT (1 << 3) |
74 | #define TLS_MUSTSTAPLE (1 << 4) |
75 | |
76 | |
77 | int dflag; |
78 | int Fflag; |
79 | unsigned int iflag; |
80 | int kflag; |
81 | int lflag; |
82 | int Nflag; |
83 | int nflag; |
84 | char *Pflag; |
85 | char *pflag; |
86 | int rflag; |
87 | char *sflag; |
88 | int tflag; |
89 | int uflag; |
90 | int vflag; |
91 | int xflag; |
92 | int zflag; |
93 | int Dflag; |
94 | int Iflag; |
95 | int Oflag; |
96 | int Sflag; |
97 | int Tflag = -1; |
98 | int rtableid = -1; |
99 | |
100 | int usetls; |
101 | const char *Cflag; |
102 | const char *Kflag; |
103 | const char *oflag; |
104 | const char *Rflag; |
105 | int tls_cachanged; |
106 | int TLSopt; |
107 | char *tls_expectname; |
108 | char *tls_expecthash; |
109 | char *tls_ciphers; |
110 | char *tls_protocols; |
111 | FILE *Zflag; |
112 | |
113 | int recvcount, recvlimit; |
114 | int timeout = -1; |
115 | int family = AF_UNSPEC; |
116 | char *portlist[PORT_MAX+1]; |
117 | char *unix_dg_tmp_socket; |
118 | int ttl = -1; |
119 | int minttl = -1; |
120 | |
121 | void atelnet(int, unsigned char *, unsigned int); |
122 | int strtoport(char *portstr, int udp); |
123 | void build_ports(char *); |
124 | void help(void) __attribute__((noreturn)); |
125 | int local_listen(const char *, const char *, struct addrinfo); |
126 | void readwrite(int, struct tls *); |
127 | void fdpass(int nfd) __attribute__((noreturn)); |
128 | int remote_connect(const char *, const char *, struct addrinfo, char *); |
129 | int timeout_tls(int, struct tls *, int (*)(struct tls *)); |
130 | int timeout_connect(int, const struct sockaddr *, socklen_t); |
131 | int socks_connect(const char *, const char *, struct addrinfo, |
132 | const char *, const char *, struct addrinfo, int, const char *); |
133 | int udptest(int); |
134 | void connection_info(const char *, const char *, const char *, const char *); |
135 | int unix_bind(char *, int); |
136 | int unix_connect(char *); |
137 | int unix_listen(char *); |
138 | void set_common_sockopts(int, int); |
139 | int process_tos_opt(char *, int *); |
140 | int process_tls_opt(char *, int *); |
141 | void save_peer_cert(struct tls *_tls_ctx, FILE *_fp); |
142 | void report_sock(const char *, const struct sockaddr *, socklen_t, char *); |
143 | void report_tls(struct tls *tls_ctx, char * host); |
144 | void usage(int); |
145 | ssize_t drainbuf(int, unsigned char *, size_t *, struct tls *); |
146 | ssize_t fillbuf(int, unsigned char *, size_t *, struct tls *); |
147 | void tls_setup_client(struct tls *, int, char *); |
148 | struct tls *tls_setup_server(struct tls *, int, char *); |
149 | |
150 | int |
151 | main(int argc, char *argv[]) |
152 | { |
153 | int ch, s = -1, ret, socksv; |
154 | char *host, *uport; |
155 | char ipaddr[NI_MAXHOST]; |
156 | struct addrinfo hints; |
157 | socklen_t len; |
158 | struct sockaddr_storage cliaddr; |
159 | char *proxy = NULL, *proxyport = NULL; |
| 1 | 'proxy' initialized to a null pointer value | |
|
160 | const char *errstr; |
161 | struct addrinfo proxyhints; |
162 | char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE]; |
163 | struct tls_config *tls_cfg = NULL; |
164 | struct tls *tls_ctx = NULL; |
165 | uint32_t protocols; |
166 | |
167 | ret = 1; |
168 | socksv = 5; |
169 | host = NULL; |
170 | uport = NULL; |
171 | Rflag = tls_default_ca_cert_file(); |
172 | |
173 | signal(SIGPIPE, SIG_IGN); |
174 | |
175 | while ((ch = getopt(argc, argv, |
| 2 | | Assuming the condition is false | |
|
| 3 | | Loop condition is false. Execution continues on line 346 | |
|
176 | "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vW:w:X:x:Z:z")) |
177 | != -1) { |
178 | switch (ch) { |
179 | case '4': |
180 | family = AF_INET; |
181 | break; |
182 | case '6': |
183 | family = AF_INET6; |
184 | break; |
185 | case 'U': |
186 | family = AF_UNIX; |
187 | break; |
188 | case 'X': |
189 | if (strcasecmp(optarg, "connect") == 0) |
190 | socksv = -1; |
191 | else if (strcmp(optarg, "4") == 0) |
192 | socksv = 4; |
193 | else if (strcmp(optarg, "5") == 0) |
194 | socksv = 5; |
195 | else |
196 | errx(1, "unsupported proxy protocol"); |
197 | break; |
198 | case 'C': |
199 | Cflag = optarg; |
200 | break; |
201 | case 'c': |
202 | usetls = 1; |
203 | break; |
204 | case 'd': |
205 | dflag = 1; |
206 | break; |
207 | case 'e': |
208 | tls_expectname = optarg; |
209 | break; |
210 | case 'F': |
211 | Fflag = 1; |
212 | break; |
213 | case 'H': |
214 | tls_expecthash = optarg; |
215 | break; |
216 | case 'h': |
217 | help(); |
218 | break; |
219 | case 'i': |
220 | iflag = strtonum(optarg, 0, UINT_MAX, &errstr); |
221 | if (errstr) |
222 | errx(1, "interval %s: %s", errstr, optarg); |
223 | break; |
224 | case 'K': |
225 | Kflag = optarg; |
226 | break; |
227 | case 'k': |
228 | kflag = 1; |
229 | break; |
230 | case 'l': |
231 | lflag = 1; |
232 | break; |
233 | case 'M': |
234 | ttl = strtonum(optarg, 0, 255, &errstr); |
235 | if (errstr) |
236 | errx(1, "ttl is %s", errstr); |
237 | break; |
238 | case 'm': |
239 | minttl = strtonum(optarg, 0, 255, &errstr); |
240 | if (errstr) |
241 | errx(1, "minttl is %s", errstr); |
242 | break; |
243 | case 'N': |
244 | Nflag = 1; |
245 | break; |
246 | case 'n': |
247 | nflag = 1; |
248 | break; |
249 | case 'P': |
250 | Pflag = optarg; |
251 | break; |
252 | case 'p': |
253 | pflag = optarg; |
254 | break; |
255 | case 'R': |
256 | tls_cachanged = 1; |
257 | Rflag = optarg; |
258 | break; |
259 | case 'r': |
260 | rflag = 1; |
261 | break; |
262 | case 's': |
263 | sflag = optarg; |
264 | break; |
265 | case 't': |
266 | tflag = 1; |
267 | break; |
268 | case 'u': |
269 | uflag = 1; |
270 | break; |
271 | case 'V': |
272 | rtableid = (int)strtonum(optarg, 0, |
273 | RT_TABLEID_MAX, &errstr); |
274 | if (errstr) |
275 | errx(1, "rtable %s: %s", errstr, optarg); |
276 | break; |
277 | case 'v': |
278 | vflag = 1; |
279 | break; |
280 | case 'W': |
281 | recvlimit = strtonum(optarg, 1, INT_MAX, &errstr); |
282 | if (errstr) |
283 | errx(1, "receive limit %s: %s", errstr, optarg); |
284 | break; |
285 | case 'w': |
286 | timeout = strtonum(optarg, 0, INT_MAX / 1000, &errstr); |
287 | if (errstr) |
288 | errx(1, "timeout %s: %s", errstr, optarg); |
289 | timeout *= 1000; |
290 | break; |
291 | case 'x': |
292 | xflag = 1; |
293 | if ((proxy = strdup(optarg)) == NULL) |
294 | err(1, NULL); |
295 | break; |
296 | case 'Z': |
297 | if (strcmp(optarg, "-") == 0) |
298 | Zflag = stderr; |
299 | else if ((Zflag = fopen(optarg, "w")) == NULL) |
300 | err(1, "can't open %s", optarg); |
301 | break; |
302 | case 'z': |
303 | zflag = 1; |
304 | break; |
305 | case 'D': |
306 | Dflag = 1; |
307 | break; |
308 | case 'I': |
309 | Iflag = strtonum(optarg, 1, 65536 << 14, &errstr); |
310 | if (errstr != NULL) |
311 | errx(1, "TCP receive window %s: %s", |
312 | errstr, optarg); |
313 | break; |
314 | case 'O': |
315 | Oflag = strtonum(optarg, 1, 65536 << 14, &errstr); |
316 | if (errstr != NULL) |
317 | errx(1, "TCP send window %s: %s", |
318 | errstr, optarg); |
319 | break; |
320 | case 'o': |
321 | oflag = optarg; |
322 | break; |
323 | case 'S': |
324 | Sflag = 1; |
325 | break; |
326 | case 'T': |
327 | errstr = NULL; |
328 | errno = 0; |
329 | if (process_tls_opt(optarg, &TLSopt)) |
330 | break; |
331 | if (process_tos_opt(optarg, &Tflag)) |
332 | break; |
333 | if (strlen(optarg) > 1 && optarg[0] == '0' && |
334 | optarg[1] == 'x') |
335 | Tflag = (int)strtol(optarg, NULL, 16); |
336 | else |
337 | Tflag = (int)strtonum(optarg, 0, 255, |
338 | &errstr); |
339 | if (Tflag < 0 || Tflag > 255 || errstr || errno) |
340 | errx(1, "illegal tos/tls value %s", optarg); |
341 | break; |
342 | default: |
343 | usage(1); |
344 | } |
345 | } |
346 | argc -= optind; |
347 | argv += optind; |
348 | |
349 | if (rtableid >= 0) |
350 | if (setrtable(rtableid) == -1) |
351 | err(1, "setrtable"); |
352 | |
353 | |
354 | if (argc == 1 && family == AF_UNIX) { |
| 4 | | Assuming 'argc' is not equal to 1 | |
|
355 | host = argv[0]; |
356 | } else if (argc == 1 && lflag) { |
357 | uport = argv[0]; |
358 | } else if (argc == 2) { |
| 5 | | Assuming 'argc' is equal to 2 | |
|
| |
359 | host = argv[0]; |
360 | uport = argv[1]; |
361 | } else |
362 | usage(1); |
363 | |
364 | if (usetls) { |
| |
365 | if (Cflag && unveil(Cflag, "r") == -1) |
366 | err(1, "unveil %s", Cflag); |
367 | if (unveil(Rflag, "r") == -1) |
368 | err(1, "unveil %s", Rflag); |
369 | if (Kflag && unveil(Kflag, "r") == -1) |
370 | err(1, "unveil %s", Kflag); |
371 | if (oflag && unveil(oflag, "r") == -1) |
372 | err(1, "unveil %s", oflag); |
373 | } else if (family == AF_UNIX && uflag && lflag && !kflag) { |
374 | |
375 | |
376 | |
377 | |
378 | |
379 | } else { |
380 | if (family == AF_UNIX) { |
| |
381 | if (unveil(host, "rwc") == -1) |
382 | err(1, "unveil %s", host); |
383 | if (uflag && !kflag) { |
384 | if (sflag) { |
385 | if (unveil(sflag, "rwc") == -1) |
386 | err(1, "unveil %s", sflag); |
387 | } else { |
388 | if (unveil("/tmp", "rwc") == -1) |
389 | err(1, "unveil /tmp"); |
390 | } |
391 | } |
392 | } else { |
393 | |
394 | if (unveil("/", "") == -1) |
| 9 | | Assuming the condition is false | |
|
| |
395 | err(1, "unveil /"); |
396 | } |
397 | } |
398 | |
399 | if (family == AF_UNIX) { |
400 | if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1) |
401 | err(1, "pledge"); |
402 | } else if (Fflag && Pflag) { |
| 11 | | Assuming 'Fflag' is not equal to 0 | |
|
| 12 | | Assuming 'Pflag' is non-null | |
|
| |
403 | if (pledge("stdio inet dns sendfd tty", NULL) == -1) |
| 14 | | Assuming the condition is false | |
|
404 | err(1, "pledge"); |
405 | } else if (Fflag) { |
406 | if (pledge("stdio inet dns sendfd", NULL) == -1) |
407 | err(1, "pledge"); |
408 | } else if (Pflag && usetls) { |
409 | if (pledge("stdio rpath inet dns tty", NULL) == -1) |
410 | err(1, "pledge"); |
411 | } else if (Pflag) { |
412 | if (pledge("stdio inet dns tty", NULL) == -1) |
413 | err(1, "pledge"); |
414 | } else if (usetls) { |
415 | if (pledge("stdio rpath inet dns", NULL) == -1) |
416 | err(1, "pledge"); |
417 | } else if (pledge("stdio inet dns", NULL) == -1) |
418 | err(1, "pledge"); |
419 | |
420 | if (lflag && sflag) |
| |
421 | errx(1, "cannot use -s and -l"); |
422 | if (lflag && pflag) |
423 | errx(1, "cannot use -p and -l"); |
424 | if (lflag && zflag) |
425 | errx(1, "cannot use -z and -l"); |
426 | if (!lflag && kflag) |
| |
427 | errx(1, "must use -l with -k"); |
428 | if (uflag && usetls) |
| |
429 | errx(1, "cannot use -c and -u"); |
430 | if ((family == AF_UNIX) && usetls) |
431 | errx(1, "cannot use -c and -U"); |
432 | if ((family == AF_UNIX) && Fflag) |
433 | errx(1, "cannot use -F and -U"); |
434 | if (Fflag && usetls) |
435 | errx(1, "cannot use -c and -F"); |
436 | if (TLSopt && !usetls) |
| |
437 | errx(1, "you must specify -c to use TLS options"); |
438 | if (Cflag && !usetls) |
| 19 | | Assuming 'Cflag' is null | |
|
439 | errx(1, "you must specify -c to use -C"); |
440 | if (Kflag && !usetls) |
| 20 | | Assuming 'Kflag' is null | |
|
441 | errx(1, "you must specify -c to use -K"); |
442 | if (Zflag && !usetls) |
| 21 | | Assuming 'Zflag' is null | |
|
443 | errx(1, "you must specify -c to use -Z"); |
444 | if (oflag && !Cflag) |
| 22 | | Assuming 'oflag' is null | |
|
445 | errx(1, "you must specify -C to use -o"); |
446 | if (tls_cachanged && !usetls) |
| 23 | | Assuming 'tls_cachanged' is 0 | |
|
447 | errx(1, "you must specify -c to use -R"); |
448 | if (tls_expecthash && !usetls) |
| 24 | | Assuming 'tls_expecthash' is null | |
|
449 | errx(1, "you must specify -c to use -H"); |
450 | if (tls_expectname && !usetls) |
| 25 | | Assuming 'tls_expectname' is null | |
|
451 | errx(1, "you must specify -c to use -e"); |
452 | |
453 | |
454 | if ((family == AF_UNIX) && uflag && !lflag) { |
455 | if (sflag) { |
456 | unix_dg_tmp_socket = sflag; |
457 | } else { |
458 | strlcpy(unix_dg_tmp_socket_buf, "/tmp/nc.XXXXXXXXXX", |
459 | UNIX_DG_TMP_SOCKET_SIZE); |
460 | if (mktemp(unix_dg_tmp_socket_buf) == NULL) |
461 | err(1, "mktemp"); |
462 | unix_dg_tmp_socket = unix_dg_tmp_socket_buf; |
463 | } |
464 | } |
465 | |
466 | |
467 | if (family != AF_UNIX) { |
| |
468 | memset(&hints, 0, sizeof(struct addrinfo)); |
469 | hints.ai_family = family; |
470 | hints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM; |
| |
471 | hints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP; |
| |
472 | if (nflag) |
| |
| |
473 | hints.ai_flags |= AI_NUMERICHOST; |
474 | } |
475 | |
476 | if (xflag) { |
| 31 | | Assuming 'xflag' is not equal to 0 | |
|
| |
477 | if (uflag) |
| |
478 | errx(1, "no proxy support for UDP mode"); |
479 | |
480 | if (lflag) |
| |
481 | errx(1, "no proxy support for listen"); |
482 | |
483 | if (family == AF_UNIX) |
| 35 | | Assuming 'family' is not equal to AF_UNIX | |
|
| |
484 | errx(1, "no proxy support for unix sockets"); |
485 | |
486 | if (sflag) |
| 37 | | Assuming 'sflag' is null | |
|
| |
487 | errx(1, "no proxy support for local source address"); |
488 | |
489 | if (*proxy == '[') { |
| 39 | | Dereference of null pointer (loaded from variable 'proxy') |
|
490 | ++proxy; |
491 | proxyport = strchr(proxy, ']'); |
492 | if (proxyport == NULL) |
493 | errx(1, "missing closing bracket in proxy"); |
494 | *proxyport++ = '\0'; |
495 | if (*proxyport == '\0') |
496 | |
497 | proxyport = NULL; |
498 | else { |
499 | if (*proxyport == ':') |
500 | ++proxyport; |
501 | else |
502 | errx(1, "garbage proxy port delimiter"); |
503 | } |
504 | } else { |
505 | proxyport = strrchr(proxy, ':'); |
506 | if (proxyport != NULL) |
507 | *proxyport++ = '\0'; |
508 | } |
509 | |
510 | memset(&proxyhints, 0, sizeof(struct addrinfo)); |
511 | proxyhints.ai_family = family; |
512 | proxyhints.ai_socktype = SOCK_STREAM; |
513 | proxyhints.ai_protocol = IPPROTO_TCP; |
514 | if (nflag) |
515 | proxyhints.ai_flags |= AI_NUMERICHOST; |
516 | } |
517 | |
518 | if (usetls) { |
519 | if ((tls_cfg = tls_config_new()) == NULL) |
520 | errx(1, "unable to allocate TLS config"); |
521 | if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1) |
522 | errx(1, "%s", tls_config_error(tls_cfg)); |
523 | if (Cflag && tls_config_set_cert_file(tls_cfg, Cflag) == -1) |
524 | errx(1, "%s", tls_config_error(tls_cfg)); |
525 | if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1) |
526 | errx(1, "%s", tls_config_error(tls_cfg)); |
527 | if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1) |
528 | errx(1, "%s", tls_config_error(tls_cfg)); |
529 | if (tls_config_parse_protocols(&protocols, tls_protocols) == -1) |
530 | errx(1, "invalid TLS protocols `%s'", tls_protocols); |
531 | if (tls_config_set_protocols(tls_cfg, protocols) == -1) |
532 | errx(1, "%s", tls_config_error(tls_cfg)); |
533 | if (tls_config_set_ciphers(tls_cfg, tls_ciphers) == -1) |
534 | errx(1, "%s", tls_config_error(tls_cfg)); |
535 | if (!lflag && (TLSopt & TLS_CCERT)) |
536 | errx(1, "clientcert is only valid with -l"); |
537 | if (TLSopt & TLS_NONAME) |
538 | tls_config_insecure_noverifyname(tls_cfg); |
539 | if (TLSopt & TLS_NOVERIFY) { |
540 | if (tls_expecthash != NULL) |
541 | errx(1, "-H and -T noverify may not be used " |
542 | "together"); |
543 | tls_config_insecure_noverifycert(tls_cfg); |
544 | } |
545 | if (TLSopt & TLS_MUSTSTAPLE) |
546 | tls_config_ocsp_require_stapling(tls_cfg); |
547 | |
548 | if (Pflag) { |
549 | if (pledge("stdio inet dns tty", NULL) == -1) |
550 | err(1, "pledge"); |
551 | } else if (pledge("stdio inet dns", NULL) == -1) |
552 | err(1, "pledge"); |
553 | } |
554 | if (lflag) { |
555 | ret = 0; |
556 | |
557 | if (family == AF_UNIX) { |
558 | if (uflag) |
559 | s = unix_bind(host, 0); |
560 | else |
561 | s = unix_listen(host); |
562 | } |
563 | |
564 | if (usetls) { |
565 | tls_config_verify_client_optional(tls_cfg); |
566 | if ((tls_ctx = tls_server()) == NULL) |
567 | errx(1, "tls server creation failed"); |
568 | if (tls_configure(tls_ctx, tls_cfg) == -1) |
569 | errx(1, "tls configuration failed (%s)", |
570 | tls_error(tls_ctx)); |
571 | } |
572 | |
573 | for (;;) { |
574 | if (family != AF_UNIX) { |
575 | if (s != -1) |
576 | close(s); |
577 | s = local_listen(host, uport, hints); |
578 | } |
579 | if (s == -1) |
580 | err(1, NULL); |
581 | if (uflag && kflag) { |
582 | if (family == AF_UNIX) { |
583 | if (pledge("stdio unix", NULL) == -1) |
584 | err(1, "pledge"); |
585 | } |
586 | |
587 | |
588 | |
589 | |
590 | |
591 | readwrite(s, NULL); |
592 | } else if (uflag && !kflag) { |
593 | |
594 | |
595 | |
596 | |
597 | |
598 | int rv; |
599 | char buf[2048]; |
600 | struct sockaddr_storage z; |
601 | |
602 | len = sizeof(z); |
603 | rv = recvfrom(s, buf, sizeof(buf), MSG_PEEK, |
604 | (struct sockaddr *)&z, &len); |
605 | if (rv == -1) |
606 | err(1, "recvfrom"); |
607 | |
608 | rv = connect(s, (struct sockaddr *)&z, len); |
609 | if (rv == -1) |
610 | err(1, "connect"); |
611 | |
612 | if (family == AF_UNIX) { |
613 | if (pledge("stdio unix", NULL) == -1) |
614 | err(1, "pledge"); |
615 | } |
616 | if (vflag) |
617 | report_sock("Connection received", |
618 | (struct sockaddr *)&z, len, |
619 | family == AF_UNIX ? host : NULL); |
620 | |
621 | readwrite(s, NULL); |
622 | } else { |
623 | struct tls *tls_cctx = NULL; |
624 | int connfd; |
625 | |
626 | len = sizeof(cliaddr); |
627 | connfd = accept4(s, (struct sockaddr *)&cliaddr, |
628 | &len, SOCK_NONBLOCK); |
629 | if (connfd == -1) { |
630 | |
631 | err(1, "accept"); |
632 | } |
633 | if (vflag) |
634 | report_sock("Connection received", |
635 | (struct sockaddr *)&cliaddr, len, |
636 | family == AF_UNIX ? host : NULL); |
637 | if ((usetls) && |
638 | (tls_cctx = tls_setup_server(tls_ctx, connfd, host))) |
639 | readwrite(connfd, tls_cctx); |
640 | if (!usetls) |
641 | readwrite(connfd, NULL); |
642 | if (tls_cctx) |
643 | timeout_tls(s, tls_cctx, tls_close); |
644 | close(connfd); |
645 | tls_free(tls_cctx); |
646 | } |
647 | if (family == AF_UNIX && uflag) { |
648 | if (connect(s, NULL, 0) == -1) |
649 | err(1, "connect"); |
650 | } |
651 | |
652 | if (!kflag) |
653 | break; |
654 | } |
655 | } else if (family == AF_UNIX) { |
656 | ret = 0; |
657 | |
658 | if ((s = unix_connect(host)) > 0) { |
659 | if (!zflag) |
660 | readwrite(s, NULL); |
661 | close(s); |
662 | } else { |
663 | warn("%s", host); |
664 | ret = 1; |
665 | } |
666 | |
667 | if (uflag) |
668 | unlink(unix_dg_tmp_socket); |
669 | return ret; |
670 | } else { |
671 | int i = 0; |
672 | |
673 | |
674 | build_ports(uport); |
675 | |
676 | |
677 | for (s = -1, i = 0; portlist[i] != NULL; i++) { |
678 | if (s != -1) |
679 | close(s); |
680 | tls_free(tls_ctx); |
681 | tls_ctx = NULL; |
682 | |
683 | if (usetls) { |
684 | if ((tls_ctx = tls_client()) == NULL) |
685 | errx(1, "tls client creation failed"); |
686 | if (tls_configure(tls_ctx, tls_cfg) == -1) |
687 | errx(1, "tls configuration failed (%s)", |
688 | tls_error(tls_ctx)); |
689 | } |
690 | if (xflag) |
691 | s = socks_connect(host, portlist[i], hints, |
692 | proxy, proxyport, proxyhints, socksv, |
693 | Pflag); |
694 | else |
695 | s = remote_connect(host, portlist[i], hints, |
696 | ipaddr); |
697 | |
698 | if (s == -1) |
699 | continue; |
700 | |
701 | ret = 0; |
702 | if (vflag || zflag) { |
703 | int print_info = 1; |
704 | |
705 | |
706 | if (uflag) { |
707 | |
708 | if ((print_info = udptest(s)) == -1) { |
709 | ret = 1; |
710 | continue; |
711 | } |
712 | } |
713 | if (print_info == 1) |
714 | connection_info(host, portlist[i], |
715 | uflag ? "udp" : "tcp", ipaddr); |
716 | } |
717 | if (Fflag) |
718 | fdpass(s); |
719 | else { |
720 | if (usetls) |
721 | tls_setup_client(tls_ctx, s, host); |
722 | if (!zflag) |
723 | readwrite(s, tls_ctx); |
724 | if (tls_ctx) |
725 | timeout_tls(s, tls_ctx, tls_close); |
726 | } |
727 | } |
728 | } |
729 | |
730 | if (s != -1) |
731 | close(s); |
732 | tls_free(tls_ctx); |
733 | tls_config_free(tls_cfg); |
734 | |
735 | return ret; |
736 | } |
737 | |
738 | |
739 | |
740 | |
741 | |
742 | int |
743 | unix_bind(char *path, int flags) |
744 | { |
745 | struct sockaddr_un s_un; |
746 | int s, save_errno; |
747 | |
748 | |
749 | if ((s = socket(AF_UNIX, flags | (uflag ? SOCK_DGRAM : SOCK_STREAM), |
750 | 0)) == -1) |
751 | return -1; |
752 | |
753 | memset(&s_un, 0, sizeof(struct sockaddr_un)); |
754 | s_un.sun_family = AF_UNIX; |
755 | |
756 | if (strlcpy(s_un.sun_path, path, sizeof(s_un.sun_path)) >= |
757 | sizeof(s_un.sun_path)) { |
758 | close(s); |
759 | errno = ENAMETOOLONG; |
760 | return -1; |
761 | } |
762 | |
763 | if (bind(s, (struct sockaddr *)&s_un, sizeof(s_un)) == -1) { |
764 | save_errno = errno; |
765 | close(s); |
766 | errno = save_errno; |
767 | return -1; |
768 | } |
769 | if (vflag) |
770 | report_sock("Bound", NULL, 0, path); |
771 | |
772 | return s; |
773 | } |
774 | |
775 | int |
776 | timeout_tls(int s, struct tls *tls_ctx, int (*func)(struct tls *)) |
777 | { |
778 | struct pollfd pfd; |
779 | int ret; |
780 | |
781 | while ((ret = (*func)(tls_ctx)) != 0) { |
782 | if (ret == TLS_WANT_POLLIN) |
783 | pfd.events = POLLIN; |
784 | else if (ret == TLS_WANT_POLLOUT) |
785 | pfd.events = POLLOUT; |
786 | else |
787 | break; |
788 | pfd.fd = s; |
789 | if ((ret = poll(&pfd, 1, timeout)) == 1) |
790 | continue; |
791 | else if (ret == 0) { |
792 | errno = ETIMEDOUT; |
793 | ret = -1; |
794 | break; |
795 | } else |
796 | err(1, "poll failed"); |
797 | } |
798 | |
799 | return ret; |
800 | } |
801 | |
802 | void |
803 | tls_setup_client(struct tls *tls_ctx, int s, char *host) |
804 | { |
805 | const char *errstr; |
806 | |
807 | if (tls_connect_socket(tls_ctx, s, |
808 | tls_expectname ? tls_expectname : host) == -1) { |
809 | errx(1, "tls connection failed (%s)", |
810 | tls_error(tls_ctx)); |
811 | } |
812 | if (timeout_tls(s, tls_ctx, tls_handshake) == -1) { |
813 | if ((errstr = tls_error(tls_ctx)) == NULL) |
814 | errstr = strerror(errno); |
815 | errx(1, "tls handshake failed (%s)", errstr); |
816 | } |
817 | if (vflag) |
818 | report_tls(tls_ctx, host); |
819 | if (tls_expecthash && (tls_peer_cert_hash(tls_ctx) == NULL || |
820 | strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)) |
821 | errx(1, "peer certificate is not %s", tls_expecthash); |
822 | if (Zflag) { |
823 | save_peer_cert(tls_ctx, Zflag); |
824 | if (Zflag != stderr && (fclose(Zflag) != 0)) |
825 | err(1, "fclose failed saving peer cert"); |
826 | } |
827 | } |
828 | |
829 | struct tls * |
830 | tls_setup_server(struct tls *tls_ctx, int connfd, char *host) |
831 | { |
832 | struct tls *tls_cctx; |
833 | const char *errstr; |
834 | |
835 | if (tls_accept_socket(tls_ctx, &tls_cctx, connfd) == -1) { |
836 | warnx("tls accept failed (%s)", tls_error(tls_ctx)); |
837 | } else if (timeout_tls(connfd, tls_cctx, tls_handshake) == -1) { |
838 | if ((errstr = tls_error(tls_cctx)) == NULL) |
839 | errstr = strerror(errno); |
840 | warnx("tls handshake failed (%s)", errstr); |
841 | } else { |
842 | int gotcert = tls_peer_cert_provided(tls_cctx); |
843 | |
844 | if (vflag && gotcert) |
845 | report_tls(tls_cctx, host); |
846 | if ((TLSopt & TLS_CCERT) && !gotcert) |
847 | warnx("No client certificate provided"); |
848 | else if (gotcert && tls_expecthash && |
849 | (tls_peer_cert_hash(tls_cctx) == NULL || |
850 | strcmp(tls_expecthash, tls_peer_cert_hash(tls_cctx)) != 0)) |
851 | warnx("peer certificate is not %s", tls_expecthash); |
852 | else if (gotcert && tls_expectname && |
853 | (!tls_peer_cert_contains_name(tls_cctx, tls_expectname))) |
854 | warnx("name (%s) not found in client cert", |
855 | tls_expectname); |
856 | else { |
857 | return tls_cctx; |
858 | } |
859 | } |
860 | return NULL; |
861 | } |
862 | |
863 | |
864 | |
865 | |
866 | |
867 | int |
868 | unix_connect(char *path) |
869 | { |
870 | struct sockaddr_un s_un; |
871 | int s, save_errno; |
872 | |
873 | if (uflag) { |
874 | if ((s = unix_bind(unix_dg_tmp_socket, SOCK_CLOEXEC)) == -1) |
875 | return -1; |
876 | } else { |
877 | if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) == -1) |
878 | return -1; |
879 | } |
880 | |
881 | memset(&s_un, 0, sizeof(struct sockaddr_un)); |
882 | s_un.sun_family = AF_UNIX; |
883 | |
884 | if (strlcpy(s_un.sun_path, path, sizeof(s_un.sun_path)) >= |
885 | sizeof(s_un.sun_path)) { |
886 | close(s); |
887 | errno = ENAMETOOLONG; |
888 | return -1; |
889 | } |
890 | if (connect(s, (struct sockaddr *)&s_un, sizeof(s_un)) == -1) { |
891 | save_errno = errno; |
892 | close(s); |
893 | errno = save_errno; |
894 | return -1; |
895 | } |
896 | return s; |
897 | } |
898 | |
899 | |
900 | |
901 | |
902 | |
903 | int |
904 | unix_listen(char *path) |
905 | { |
906 | int s; |
907 | |
908 | if ((s = unix_bind(path, 0)) == -1) |
909 | return -1; |
910 | if (listen(s, 5) == -1) { |
911 | close(s); |
912 | return -1; |
913 | } |
914 | if (vflag) |
915 | report_sock("Listening", NULL, 0, path); |
916 | |
917 | return s; |
918 | } |
919 | |
920 | |
921 | |
922 | |
923 | |
924 | |
925 | int |
926 | remote_connect(const char *host, const char *port, struct addrinfo hints, |
927 | char *ipaddr) |
928 | { |
929 | struct addrinfo *res, *res0; |
930 | int s = -1, error, herr, on = 1, save_errno; |
931 | |
932 | if ((error = getaddrinfo(host, port, &hints, &res0))) |
933 | errx(1, "getaddrinfo for host \"%s\" port %s: %s", host, |
934 | port, gai_strerror(error)); |
935 | |
936 | for (res = res0; res; res = res->ai_next) { |
937 | if ((s = socket(res->ai_family, res->ai_socktype | |
938 | SOCK_NONBLOCK, res->ai_protocol)) == -1) |
939 | continue; |
940 | |
941 | |
942 | if (sflag || pflag) { |
943 | struct addrinfo ahints, *ares; |
944 | |
945 | |
946 | setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on)); |
947 | memset(&ahints, 0, sizeof(struct addrinfo)); |
948 | ahints.ai_family = res->ai_family; |
949 | ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM; |
950 | ahints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP; |
951 | ahints.ai_flags = AI_PASSIVE; |
952 | if ((error = getaddrinfo(sflag, pflag, &ahints, &ares))) |
953 | errx(1, "getaddrinfo: %s", gai_strerror(error)); |
954 | |
955 | if (bind(s, (struct sockaddr *)ares->ai_addr, |
956 | ares->ai_addrlen) == -1) |
957 | err(1, "bind failed"); |
958 | freeaddrinfo(ares); |
959 | } |
960 | |
961 | set_common_sockopts(s, res->ai_family); |
962 | |
963 | if (ipaddr != NULL) { |
964 | herr = getnameinfo(res->ai_addr, res->ai_addrlen, |
965 | ipaddr, NI_MAXHOST, NULL, 0, NI_NUMERICHOST); |
966 | switch (herr) { |
967 | case 0: |
968 | break; |
969 | case EAI_SYSTEM: |
970 | err(1, "getnameinfo"); |
971 | default: |
972 | errx(1, "getnameinfo: %s", gai_strerror(herr)); |
973 | } |
974 | } |
975 | |
976 | if (timeout_connect(s, res->ai_addr, res->ai_addrlen) == 0) |
977 | break; |
978 | |
979 | if (vflag) { |
980 | |
981 | if (nflag || ipaddr == NULL || |
982 | (strncmp(host, ipaddr, NI_MAXHOST) == 0)) |
983 | warn("connect to %s port %s (%s) failed", host, |
984 | port, uflag ? "udp" : "tcp"); |
985 | else |
986 | warn("connect to %s (%s) port %s (%s) failed", |
987 | host, ipaddr, port, uflag ? "udp" : "tcp"); |
988 | } |
989 | |
990 | save_errno = errno; |
991 | close(s); |
992 | errno = save_errno; |
993 | s = -1; |
994 | } |
995 | |
996 | freeaddrinfo(res0); |
997 | |
998 | return s; |
999 | } |
1000 | |
1001 | int |
1002 | timeout_connect(int s, const struct sockaddr *name, socklen_t namelen) |
1003 | { |
1004 | struct pollfd pfd; |
1005 | socklen_t optlen; |
1006 | int optval; |
1007 | int ret; |
1008 | |
1009 | if ((ret = connect(s, name, namelen)) != 0 && errno == EINPROGRESS) { |
1010 | pfd.fd = s; |
1011 | pfd.events = POLLOUT; |
1012 | if ((ret = poll(&pfd, 1, timeout)) == 1) { |
1013 | optlen = sizeof(optval); |
1014 | if ((ret = getsockopt(s, SOL_SOCKET, SO_ERROR, |
1015 | &optval, &optlen)) == 0) { |
1016 | errno = optval; |
1017 | ret = optval == 0 ? 0 : -1; |
1018 | } |
1019 | } else if (ret == 0) { |
1020 | errno = ETIMEDOUT; |
1021 | ret = -1; |
1022 | } else |
1023 | err(1, "poll failed"); |
1024 | } |
1025 | |
1026 | return ret; |
1027 | } |
1028 | |
1029 | |
1030 | |
1031 | |
1032 | |
1033 | |
1034 | int |
1035 | local_listen(const char *host, const char *port, struct addrinfo hints) |
1036 | { |
1037 | struct addrinfo *res, *res0; |
1038 | int s = -1, ret, x = 1, save_errno; |
1039 | int error; |
1040 | |
1041 | |
1042 | hints.ai_flags |= AI_PASSIVE; |
1043 | |
1044 | |
1045 | |
1046 | |
1047 | |
1048 | if (host == NULL && hints.ai_family == AF_UNSPEC) |
1049 | hints.ai_family = AF_INET; |
1050 | |
1051 | if ((error = getaddrinfo(host, port, &hints, &res0))) |
1052 | errx(1, "getaddrinfo: %s", gai_strerror(error)); |
1053 | |
1054 | for (res = res0; res; res = res->ai_next) { |
1055 | if ((s = socket(res->ai_family, res->ai_socktype, |
1056 | res->ai_protocol)) == -1) |
1057 | continue; |
1058 | |
1059 | ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x)); |
1060 | if (ret == -1) |
1061 | err(1, NULL); |
1062 | |
1063 | set_common_sockopts(s, res->ai_family); |
1064 | |
1065 | if (bind(s, (struct sockaddr *)res->ai_addr, |
1066 | res->ai_addrlen) == 0) |
1067 | break; |
1068 | |
1069 | save_errno = errno; |
1070 | close(s); |
1071 | errno = save_errno; |
1072 | s = -1; |
1073 | } |
1074 | |
1075 | if (!uflag && s != -1) { |
1076 | if (listen(s, 1) == -1) |
1077 | err(1, "listen"); |
1078 | } |
1079 | if (vflag && s != -1) { |
1080 | struct sockaddr_storage ss; |
1081 | socklen_t len; |
1082 | |
1083 | len = sizeof(ss); |
1084 | if (getsockname(s, (struct sockaddr *)&ss, &len) == -1) |
1085 | err(1, "getsockname"); |
1086 | report_sock(uflag ? "Bound" : "Listening", |
1087 | (struct sockaddr *)&ss, len, NULL); |
1088 | } |
1089 | |
1090 | freeaddrinfo(res0); |
1091 | |
1092 | return s; |
1093 | } |
1094 | |
1095 | |
1096 | |
1097 | |
1098 | |
1099 | void |
1100 | readwrite(int net_fd, struct tls *tls_ctx) |
1101 | { |
1102 | struct pollfd pfd[4]; |
1103 | int stdin_fd = STDIN_FILENO; |
1104 | int stdout_fd = STDOUT_FILENO; |
1105 | unsigned char netinbuf[BUFSIZE]; |
1106 | size_t netinbufpos = 0; |
1107 | unsigned char stdinbuf[BUFSIZE]; |
1108 | size_t stdinbufpos = 0; |
1109 | int n, num_fds; |
1110 | ssize_t ret; |
1111 | |
1112 | |
1113 | if (dflag) |
1114 | stdin_fd = -1; |
1115 | |
1116 | |
1117 | pfd[POLL_STDIN].fd = stdin_fd; |
1118 | pfd[POLL_STDIN].events = POLLIN; |
1119 | |
1120 | |
1121 | pfd[POLL_NETOUT].fd = net_fd; |
1122 | pfd[POLL_NETOUT].events = 0; |
1123 | |
1124 | |
1125 | pfd[POLL_NETIN].fd = net_fd; |
1126 | pfd[POLL_NETIN].events = POLLIN; |
1127 | |
1128 | |
1129 | pfd[POLL_STDOUT].fd = stdout_fd; |
1130 | pfd[POLL_STDOUT].events = 0; |
1131 | |
1132 | while (1) { |
1133 | |
1134 | if (pfd[POLL_STDIN].fd == -1 && pfd[POLL_NETIN].fd == -1 && |
1135 | stdinbufpos == 0 && netinbufpos == 0) |
1136 | return; |
1137 | |
1138 | if (pfd[POLL_NETOUT].fd == -1 && pfd[POLL_STDOUT].fd == -1) |
1139 | return; |
1140 | |
1141 | if (lflag && pfd[POLL_NETIN].fd == -1 && |
1142 | stdinbufpos == 0 && netinbufpos == 0) |
1143 | return; |
1144 | |
1145 | |
1146 | |
1147 | |
1148 | if (iflag) |
1149 | sleep(iflag); |
1150 | |
1151 | |
1152 | num_fds = poll(pfd, 4, timeout); |
1153 | |
1154 | |
1155 | if (num_fds == -1) |
1156 | err(1, "polling error"); |
1157 | |
1158 | |
1159 | if (num_fds == 0) |
1160 | return; |
1161 | |
1162 | |
1163 | for (n = 0; n < 4; n++) { |
1164 | if (pfd[n].revents & (POLLERR|POLLNVAL)) { |
1165 | pfd[n].fd = -1; |
1166 | } |
1167 | } |
1168 | |
1169 | if (pfd[POLL_STDIN].events & POLLIN && |
1170 | pfd[POLL_STDIN].revents & POLLHUP && |
1171 | !(pfd[POLL_STDIN].revents & POLLIN)) |
1172 | pfd[POLL_STDIN].fd = -1; |
1173 | |
1174 | if (pfd[POLL_NETIN].events & POLLIN && |
1175 | pfd[POLL_NETIN].revents & POLLHUP && |
1176 | !(pfd[POLL_NETIN].revents & POLLIN)) |
1177 | pfd[POLL_NETIN].fd = -1; |
1178 | |
1179 | if (pfd[POLL_NETOUT].revents & POLLHUP) { |
1180 | if (pfd[POLL_NETOUT].fd != -1 && Nflag) |
1181 | shutdown(pfd[POLL_NETOUT].fd, SHUT_WR); |
1182 | pfd[POLL_NETOUT].fd = -1; |
1183 | } |
1184 | |
1185 | if (pfd[POLL_STDOUT].revents & POLLHUP) |
1186 | pfd[POLL_STDOUT].fd = -1; |
1187 | |
1188 | if (pfd[POLL_NETOUT].fd == -1) |
1189 | pfd[POLL_STDIN].fd = -1; |
1190 | |
1191 | if (pfd[POLL_STDOUT].fd == -1) { |
1192 | if (pfd[POLL_NETIN].fd != -1) |
1193 | shutdown(pfd[POLL_NETIN].fd, SHUT_RD); |
1194 | pfd[POLL_NETIN].fd = -1; |
1195 | } |
1196 | |
1197 | |
1198 | if (pfd[POLL_STDIN].revents & POLLIN && stdinbufpos < BUFSIZE) { |
1199 | ret = fillbuf(pfd[POLL_STDIN].fd, stdinbuf, |
1200 | &stdinbufpos, NULL); |
1201 | if (ret == TLS_WANT_POLLIN) |
1202 | pfd[POLL_STDIN].events = POLLIN; |
1203 | else if (ret == TLS_WANT_POLLOUT) |
1204 | pfd[POLL_STDIN].events = POLLOUT; |
1205 | else if (ret == 0 || ret == -1) |
1206 | pfd[POLL_STDIN].fd = -1; |
1207 | |
1208 | if (stdinbufpos > 0) |
1209 | pfd[POLL_NETOUT].events = POLLOUT; |
1210 | |
1211 | if (stdinbufpos == BUFSIZE) |
1212 | pfd[POLL_STDIN].events = 0; |
1213 | } |
1214 | |
1215 | if (pfd[POLL_NETOUT].revents & POLLOUT && stdinbufpos > 0) { |
1216 | ret = drainbuf(pfd[POLL_NETOUT].fd, stdinbuf, |
1217 | &stdinbufpos, tls_ctx); |
1218 | if (ret == TLS_WANT_POLLIN) |
1219 | pfd[POLL_NETOUT].events = POLLIN; |
1220 | else if (ret == TLS_WANT_POLLOUT) |
1221 | pfd[POLL_NETOUT].events = POLLOUT; |
1222 | else if (ret == -1) |
1223 | pfd[POLL_NETOUT].fd = -1; |
1224 | |
1225 | if (stdinbufpos == 0) |
1226 | pfd[POLL_NETOUT].events = 0; |
1227 | |
1228 | if (stdinbufpos < BUFSIZE) |
1229 | pfd[POLL_STDIN].events = POLLIN; |
1230 | } |
1231 | |
1232 | if (pfd[POLL_NETIN].revents & POLLIN && netinbufpos < BUFSIZE) { |
1233 | ret = fillbuf(pfd[POLL_NETIN].fd, netinbuf, |
1234 | &netinbufpos, tls_ctx); |
1235 | if (ret == TLS_WANT_POLLIN) |
1236 | pfd[POLL_NETIN].events = POLLIN; |
1237 | else if (ret == TLS_WANT_POLLOUT) |
1238 | pfd[POLL_NETIN].events = POLLOUT; |
1239 | else if (ret == -1) |
1240 | pfd[POLL_NETIN].fd = -1; |
1241 | |
1242 | if (ret == 0) { |
1243 | shutdown(pfd[POLL_NETIN].fd, SHUT_RD); |
1244 | pfd[POLL_NETIN].fd = -1; |
1245 | } |
1246 | if (recvlimit > 0 && ++recvcount >= recvlimit) { |
1247 | if (pfd[POLL_NETIN].fd != -1) |
1248 | shutdown(pfd[POLL_NETIN].fd, SHUT_RD); |
1249 | pfd[POLL_NETIN].fd = -1; |
1250 | pfd[POLL_STDIN].fd = -1; |
1251 | } |
1252 | |
1253 | if (netinbufpos > 0) |
1254 | pfd[POLL_STDOUT].events = POLLOUT; |
1255 | |
1256 | if (netinbufpos == BUFSIZE) |
1257 | pfd[POLL_NETIN].events = 0; |
1258 | |
1259 | if (pfd[POLL_NETIN].fd != -1 && tflag) |
1260 | atelnet(pfd[POLL_NETIN].fd, netinbuf, |
1261 | netinbufpos); |
1262 | } |
1263 | |
1264 | if (pfd[POLL_STDOUT].revents & POLLOUT && netinbufpos > 0) { |
1265 | ret = drainbuf(pfd[POLL_STDOUT].fd, netinbuf, |
1266 | &netinbufpos, NULL); |
1267 | if (ret == TLS_WANT_POLLIN) |
1268 | pfd[POLL_STDOUT].events = POLLIN; |
1269 | else if (ret == TLS_WANT_POLLOUT) |
1270 | pfd[POLL_STDOUT].events = POLLOUT; |
1271 | else if (ret == -1) |
1272 | pfd[POLL_STDOUT].fd = -1; |
1273 | |
1274 | if (netinbufpos == 0) |
1275 | pfd[POLL_STDOUT].events = 0; |
1276 | |
1277 | if (netinbufpos < BUFSIZE) |
1278 | pfd[POLL_NETIN].events = POLLIN; |
1279 | } |
1280 | |
1281 | |
1282 | if (pfd[POLL_STDIN].fd == -1 && stdinbufpos == 0) { |
1283 | if (pfd[POLL_NETOUT].fd != -1 && Nflag) |
1284 | shutdown(pfd[POLL_NETOUT].fd, SHUT_WR); |
1285 | pfd[POLL_NETOUT].fd = -1; |
1286 | } |
1287 | |
1288 | if (pfd[POLL_NETIN].fd == -1 && netinbufpos == 0) { |
1289 | pfd[POLL_STDOUT].fd = -1; |
1290 | } |
1291 | } |
1292 | } |
1293 | |
1294 | ssize_t |
1295 | drainbuf(int fd, unsigned char *buf, size_t *bufpos, struct tls *tls) |
1296 | { |
1297 | ssize_t n; |
1298 | ssize_t adjust; |
1299 | |
1300 | if (fd == -1) |
1301 | return -1; |
1302 | |
1303 | if (tls) { |
1304 | n = tls_write(tls, buf, *bufpos); |
1305 | if (n == -1) |
1306 | errx(1, "tls write failed (%s)", tls_error(tls)); |
1307 | } else { |
1308 | n = write(fd, buf, *bufpos); |
1309 | |
1310 | if (n == -1 && (errno == EAGAIN || errno == EINTR)) |
1311 | n = TLS_WANT_POLLOUT; |
1312 | } |
1313 | if (n <= 0) |
1314 | return n; |
1315 | |
1316 | adjust = *bufpos - n; |
1317 | if (adjust > 0) |
1318 | memmove(buf, buf + n, adjust); |
1319 | *bufpos -= n; |
1320 | return n; |
1321 | } |
1322 | |
1323 | ssize_t |
1324 | fillbuf(int fd, unsigned char *buf, size_t *bufpos, struct tls *tls) |
1325 | { |
1326 | size_t num = BUFSIZE - *bufpos; |
1327 | ssize_t n; |
1328 | |
1329 | if (fd == -1) |
1330 | return -1; |
1331 | |
1332 | if (tls) { |
1333 | n = tls_read(tls, buf + *bufpos, num); |
1334 | if (n == -1) |
1335 | errx(1, "tls read failed (%s)", tls_error(tls)); |
1336 | } else { |
1337 | n = read(fd, buf + *bufpos, num); |
1338 | |
1339 | if (n == -1 && (errno == EAGAIN || errno == EINTR)) |
1340 | n = TLS_WANT_POLLIN; |
1341 | } |
1342 | if (n <= 0) |
1343 | return n; |
1344 | *bufpos += n; |
1345 | return n; |
1346 | } |
1347 | |
1348 | |
1349 | |
1350 | |
1351 | |
1352 | void |
1353 | fdpass(int nfd) |
1354 | { |
1355 | struct msghdr mh; |
1356 | union { |
1357 | struct cmsghdr hdr; |
1358 | char buf[CMSG_SPACE(sizeof(int))]; |
1359 | } cmsgbuf; |
1360 | struct cmsghdr *cmsg; |
1361 | struct iovec iov; |
1362 | char c = '\0'; |
1363 | ssize_t r; |
1364 | struct pollfd pfd; |
1365 | |
1366 | |
1367 | if (isatty(STDOUT_FILENO)) |
1368 | errx(1, "Cannot pass file descriptor to tty"); |
1369 | |
1370 | memset(&mh, 0, sizeof(mh)); |
1371 | memset(&cmsgbuf, 0, sizeof(cmsgbuf)); |
1372 | memset(&iov, 0, sizeof(iov)); |
1373 | |
1374 | mh.msg_control = (caddr_t)&cmsgbuf.buf; |
1375 | mh.msg_controllen = sizeof(cmsgbuf.buf); |
1376 | cmsg = CMSG_FIRSTHDR(&mh); |
1377 | cmsg->cmsg_len = CMSG_LEN(sizeof(int)); |
1378 | cmsg->cmsg_level = SOL_SOCKET; |
1379 | cmsg->cmsg_type = SCM_RIGHTS; |
1380 | *(int *)CMSG_DATA(cmsg) = nfd; |
1381 | |
1382 | iov.iov_base = &c; |
1383 | iov.iov_len = 1; |
1384 | mh.msg_iov = &iov; |
1385 | mh.msg_iovlen = 1; |
1386 | |
1387 | memset(&pfd, 0, sizeof(pfd)); |
1388 | pfd.fd = STDOUT_FILENO; |
1389 | pfd.events = POLLOUT; |
1390 | for (;;) { |
1391 | r = sendmsg(STDOUT_FILENO, &mh, 0); |
1392 | if (r == -1) { |
1393 | if (errno == EAGAIN || errno == EINTR) { |
1394 | if (poll(&pfd, 1, -1) == -1) |
1395 | err(1, "poll"); |
1396 | continue; |
1397 | } |
1398 | err(1, "sendmsg"); |
1399 | } else if (r != 1) |
1400 | errx(1, "sendmsg: unexpected return value %zd", r); |
1401 | else |
1402 | break; |
1403 | } |
1404 | exit(0); |
1405 | } |
1406 | |
1407 | |
1408 | void |
1409 | atelnet(int nfd, unsigned char *buf, unsigned int size) |
1410 | { |
1411 | unsigned char *p, *end; |
1412 | unsigned char obuf[4]; |
1413 | |
1414 | if (size < 3) |
1415 | return; |
1416 | end = buf + size - 2; |
1417 | |
1418 | for (p = buf; p < end; p++) { |
1419 | if (*p != IAC) |
1420 | continue; |
1421 | |
1422 | obuf[0] = IAC; |
1423 | p++; |
1424 | if ((*p == WILL) || (*p == WONT)) |
1425 | obuf[1] = DONT; |
1426 | else if ((*p == DO) || (*p == DONT)) |
1427 | obuf[1] = WONT; |
1428 | else |
1429 | continue; |
1430 | |
1431 | p++; |
1432 | obuf[2] = *p; |
1433 | if (atomicio(vwrite, nfd, obuf, 3) != 3) |
1434 | warn("Write Error!"); |
1435 | } |
1436 | } |
1437 | |
1438 | int |
1439 | strtoport(char *portstr, int udp) |
1440 | { |
1441 | struct servent *entry; |
1442 | const char *errstr; |
1443 | char *proto; |
1444 | int port = -1; |
1445 | |
1446 | proto = udp ? "udp" : "tcp"; |
1447 | |
1448 | port = strtonum(portstr, 1, PORT_MAX, &errstr); |
1449 | if (errstr == NULL) |
1450 | return port; |
1451 | if (errno != EINVAL) |
1452 | errx(1, "port number %s: %s", errstr, portstr); |
1453 | if ((entry = getservbyname(portstr, proto)) == NULL) |
1454 | errx(1, "service \"%s\" unknown", portstr); |
1455 | return ntohs(entry->s_port); |
1456 | } |
1457 | |
1458 | |
1459 | |
1460 | |
1461 | |
1462 | |
1463 | void |
1464 | build_ports(char *p) |
1465 | { |
1466 | char *n; |
1467 | int hi, lo, cp; |
1468 | int x = 0; |
1469 | |
1470 | if (isdigit((unsigned char)*p) && (n = strchr(p, '-')) != NULL) { |
1471 | *n = '\0'; |
1472 | n++; |
1473 | |
1474 | |
1475 | hi = strtoport(n, uflag); |
1476 | lo = strtoport(p, uflag); |
1477 | if (lo > hi) { |
1478 | cp = hi; |
1479 | hi = lo; |
1480 | lo = cp; |
1481 | } |
1482 | |
1483 | |
1484 | |
1485 | |
1486 | |
1487 | if (rflag) { |
1488 | for (x = 0; x <= hi - lo; x++) { |
1489 | cp = arc4random_uniform(x + 1); |
1490 | portlist[x] = portlist[cp]; |
1491 | if (asprintf(&portlist[cp], "%d", x + lo) == -1) |
1492 | err(1, "asprintf"); |
1493 | } |
1494 | } else { |
1495 | for (cp = lo; cp <= hi; cp++) { |
1496 | if (asprintf(&portlist[x], "%d", cp) == -1) |
1497 | err(1, "asprintf"); |
1498 | x++; |
1499 | } |
1500 | } |
1501 | } else { |
1502 | char *tmp; |
1503 | |
1504 | hi = strtoport(p, uflag); |
1505 | if (asprintf(&tmp, "%d", hi) != -1) |
1506 | portlist[0] = tmp; |
1507 | else |
1508 | err(1, NULL); |
1509 | } |
1510 | } |
1511 | |
1512 | |
1513 | |
1514 | |
1515 | |
1516 | |
1517 | int |
1518 | udptest(int s) |
1519 | { |
1520 | int i, ret; |
1521 | |
1522 | |
1523 | if (!zflag && !isatty(STDIN_FILENO)) |
1524 | return 0; |
1525 | |
1526 | for (i = 0; i <= 3; i++) { |
1527 | if (write(s, "X", 1) == 1) |
1528 | ret = 1; |
1529 | else |
1530 | ret = -1; |
1531 | } |
1532 | return ret; |
1533 | } |
1534 | |
1535 | void |
1536 | connection_info(const char *host, const char *port, const char *proto, |
1537 | const char *ipaddr) |
1538 | { |
1539 | struct servent *sv; |
1540 | char *service = "*"; |
1541 | |
1542 | |
1543 | if (!nflag) { |
1544 | sv = getservbyport(ntohs(atoi(port)), proto); |
1545 | if (sv != NULL) |
1546 | service = sv->s_name; |
1547 | } |
1548 | |
1549 | fprintf(stderr, "Connection to %s", host); |
1550 | |
1551 | |
1552 | |
1553 | |
1554 | |
1555 | if (!nflag && !xflag && strcmp(host, ipaddr) != 0) |
1556 | fprintf(stderr, " (%s)", ipaddr); |
1557 | |
1558 | fprintf(stderr, " %s port [%s/%s] succeeded!\n", port, proto, service); |
1559 | } |
1560 | |
1561 | void |
1562 | set_common_sockopts(int s, int af) |
1563 | { |
1564 | int x = 1; |
1565 | |
1566 | if (Sflag) { |
1567 | if (setsockopt(s, IPPROTO_TCP, TCP_MD5SIG, |
1568 | &x, sizeof(x)) == -1) |
1569 | err(1, NULL); |
1570 | } |
1571 | if (Dflag) { |
1572 | if (setsockopt(s, SOL_SOCKET, SO_DEBUG, |
1573 | &x, sizeof(x)) == -1) |
1574 | err(1, NULL); |
1575 | } |
1576 | if (Tflag != -1) { |
1577 | if (af == AF_INET && setsockopt(s, IPPROTO_IP, |
1578 | IP_TOS, &Tflag, sizeof(Tflag)) == -1) |
1579 | err(1, "set IP ToS"); |
1580 | |
1581 | else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, |
1582 | IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1) |
1583 | err(1, "set IPv6 traffic class"); |
1584 | } |
1585 | if (Iflag) { |
1586 | if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, |
1587 | &Iflag, sizeof(Iflag)) == -1) |
1588 | err(1, "set TCP receive buffer size"); |
1589 | } |
1590 | if (Oflag) { |
1591 | if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, |
1592 | &Oflag, sizeof(Oflag)) == -1) |
1593 | err(1, "set TCP send buffer size"); |
1594 | } |
1595 | |
1596 | if (ttl != -1) { |
1597 | if (af == AF_INET && setsockopt(s, IPPROTO_IP, |
1598 | IP_TTL, &ttl, sizeof(ttl))) |
1599 | err(1, "set IP TTL"); |
1600 | |
1601 | else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, |
1602 | IPV6_UNICAST_HOPS, &ttl, sizeof(ttl))) |
1603 | err(1, "set IPv6 unicast hops"); |
1604 | } |
1605 | |
1606 | if (minttl != -1) { |
1607 | if (af == AF_INET && setsockopt(s, IPPROTO_IP, |
1608 | IP_MINTTL, &minttl, sizeof(minttl))) |
1609 | err(1, "set IP min TTL"); |
1610 | |
1611 | else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, |
1612 | IPV6_MINHOPCOUNT, &minttl, sizeof(minttl))) |
1613 | err(1, "set IPv6 min hop count"); |
1614 | } |
1615 | } |
1616 | |
1617 | int |
1618 | process_tos_opt(char *s, int *val) |
1619 | { |
1620 | |
1621 | const struct toskeywords { |
1622 | const char *keyword; |
1623 | int val; |
1624 | } *t, toskeywords[] = { |
1625 | { "af11", IPTOS_DSCP_AF11 }, |
1626 | { "af12", IPTOS_DSCP_AF12 }, |
1627 | { "af13", IPTOS_DSCP_AF13 }, |
1628 | { "af21", IPTOS_DSCP_AF21 }, |
1629 | { "af22", IPTOS_DSCP_AF22 }, |
1630 | { "af23", IPTOS_DSCP_AF23 }, |
1631 | { "af31", IPTOS_DSCP_AF31 }, |
1632 | { "af32", IPTOS_DSCP_AF32 }, |
1633 | { "af33", IPTOS_DSCP_AF33 }, |
1634 | { "af41", IPTOS_DSCP_AF41 }, |
1635 | { "af42", IPTOS_DSCP_AF42 }, |
1636 | { "af43", IPTOS_DSCP_AF43 }, |
1637 | { "critical", IPTOS_PREC_CRITIC_ECP }, |
1638 | { "cs0", IPTOS_DSCP_CS0 }, |
1639 | { "cs1", IPTOS_DSCP_CS1 }, |
1640 | { "cs2", IPTOS_DSCP_CS2 }, |
1641 | { "cs3", IPTOS_DSCP_CS3 }, |
1642 | { "cs4", IPTOS_DSCP_CS4 }, |
1643 | { "cs5", IPTOS_DSCP_CS5 }, |
1644 | { "cs6", IPTOS_DSCP_CS6 }, |
1645 | { "cs7", IPTOS_DSCP_CS7 }, |
1646 | { "ef", IPTOS_DSCP_EF }, |
1647 | { "inetcontrol", IPTOS_PREC_INTERNETCONTROL }, |
1648 | { "lowdelay", IPTOS_LOWDELAY }, |
1649 | { "netcontrol", IPTOS_PREC_NETCONTROL }, |
1650 | { "reliability", IPTOS_RELIABILITY }, |
1651 | { "throughput", IPTOS_THROUGHPUT }, |
1652 | { NULL, -1 }, |
1653 | }; |
1654 | |
1655 | for (t = toskeywords; t->keyword != NULL; t++) { |
1656 | if (strcmp(s, t->keyword) == 0) { |
1657 | *val = t->val; |
1658 | return 1; |
1659 | } |
1660 | } |
1661 | |
1662 | return 0; |
1663 | } |
1664 | |
1665 | int |
1666 | process_tls_opt(char *s, int *flags) |
1667 | { |
1668 | size_t len; |
1669 | char *v; |
1670 | |
1671 | const struct tlskeywords { |
1672 | const char *keyword; |
1673 | int flag; |
1674 | char **value; |
1675 | } *t, tlskeywords[] = { |
1676 | { "ciphers", -1, &tls_ciphers }, |
1677 | { "clientcert", TLS_CCERT, NULL }, |
1678 | { "muststaple", TLS_MUSTSTAPLE, NULL }, |
1679 | { "noverify", TLS_NOVERIFY, NULL }, |
1680 | { "noname", TLS_NONAME, NULL }, |
1681 | { "protocols", -1, &tls_protocols }, |
1682 | { NULL, -1, NULL }, |
1683 | }; |
1684 | |
1685 | len = strlen(s); |
1686 | if ((v = strchr(s, '=')) != NULL) { |
1687 | len = v - s; |
1688 | v++; |
1689 | } |
1690 | |
1691 | for (t = tlskeywords; t->keyword != NULL; t++) { |
1692 | if (strlen(t->keyword) == len && |
1693 | strncmp(s, t->keyword, len) == 0) { |
1694 | if (t->value != NULL) { |
1695 | if (v == NULL) |
1696 | errx(1, "invalid tls value `%s'", s); |
1697 | *t->value = v; |
1698 | } else { |
1699 | *flags |= t->flag; |
1700 | } |
1701 | return 1; |
1702 | } |
1703 | } |
1704 | return 0; |
1705 | } |
1706 | |
1707 | void |
1708 | save_peer_cert(struct tls *tls_ctx, FILE *fp) |
1709 | { |
1710 | const char *pem; |
1711 | size_t plen; |
1712 | |
1713 | if ((pem = tls_peer_cert_chain_pem(tls_ctx, &plen)) == NULL) |
1714 | errx(1, "Can't get peer certificate"); |
1715 | if (fprintf(fp, "%.*s", (int)plen, pem) < 0) |
1716 | err(1, "unable to save peer cert"); |
1717 | if (fflush(fp) != 0) |
1718 | err(1, "unable to flush peer cert"); |
1719 | } |
1720 | |
1721 | void |
1722 | report_tls(struct tls *tls_ctx, char *host) |
1723 | { |
1724 | time_t t; |
1725 | const char *ocsp_url; |
1726 | |
1727 | fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n", |
1728 | tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host); |
1729 | fprintf(stderr, "Peer name: %s\n", |
1730 | tls_expectname ? tls_expectname : host); |
1731 | if (tls_peer_cert_subject(tls_ctx)) |
1732 | fprintf(stderr, "Subject: %s\n", |
1733 | tls_peer_cert_subject(tls_ctx)); |
1734 | if (tls_peer_cert_issuer(tls_ctx)) |
1735 | fprintf(stderr, "Issuer: %s\n", |
1736 | tls_peer_cert_issuer(tls_ctx)); |
1737 | if ((t = tls_peer_cert_notbefore(tls_ctx)) != -1) |
1738 | fprintf(stderr, "Valid From: %s", ctime(&t)); |
1739 | if ((t = tls_peer_cert_notafter(tls_ctx)) != -1) |
1740 | fprintf(stderr, "Valid Until: %s", ctime(&t)); |
1741 | if (tls_peer_cert_hash(tls_ctx)) |
1742 | fprintf(stderr, "Cert Hash: %s\n", |
1743 | tls_peer_cert_hash(tls_ctx)); |
1744 | ocsp_url = tls_peer_ocsp_url(tls_ctx); |
1745 | if (ocsp_url != NULL) |
1746 | fprintf(stderr, "OCSP URL: %s\n", ocsp_url); |
1747 | switch (tls_peer_ocsp_response_status(tls_ctx)) { |
1748 | case TLS_OCSP_RESPONSE_SUCCESSFUL: |
1749 | fprintf(stderr, "OCSP Stapling: %s\n", |
1750 | tls_peer_ocsp_result(tls_ctx) == NULL ? "" : |
1751 | tls_peer_ocsp_result(tls_ctx)); |
1752 | fprintf(stderr, |
1753 | " response_status=%d cert_status=%d crl_reason=%d\n", |
1754 | tls_peer_ocsp_response_status(tls_ctx), |
1755 | tls_peer_ocsp_cert_status(tls_ctx), |
1756 | tls_peer_ocsp_crl_reason(tls_ctx)); |
1757 | t = tls_peer_ocsp_this_update(tls_ctx); |
1758 | fprintf(stderr, " this update: %s", |
1759 | t != -1 ? ctime(&t) : "\n"); |
1760 | t = tls_peer_ocsp_next_update(tls_ctx); |
1761 | fprintf(stderr, " next update: %s", |
1762 | t != -1 ? ctime(&t) : "\n"); |
1763 | t = tls_peer_ocsp_revocation_time(tls_ctx); |
1764 | fprintf(stderr, " revocation: %s", |
1765 | t != -1 ? ctime(&t) : "\n"); |
1766 | break; |
1767 | case -1: |
1768 | break; |
1769 | default: |
1770 | fprintf(stderr, |
1771 | "OCSP Stapling: failure - response_status %d (%s)\n", |
1772 | tls_peer_ocsp_response_status(tls_ctx), |
1773 | tls_peer_ocsp_result(tls_ctx) == NULL ? "" : |
1774 | tls_peer_ocsp_result(tls_ctx)); |
1775 | break; |
1776 | } |
1777 | } |
1778 | |
1779 | void |
1780 | report_sock(const char *msg, const struct sockaddr *sa, socklen_t salen, |
1781 | char *path) |
1782 | { |
1783 | char host[NI_MAXHOST], port[NI_MAXSERV]; |
1784 | int herr; |
1785 | int flags = NI_NUMERICSERV; |
1786 | |
1787 | if (path != NULL) { |
1788 | fprintf(stderr, "%s on %s\n", msg, path); |
1789 | return; |
1790 | } |
1791 | |
1792 | if (nflag) |
1793 | flags |= NI_NUMERICHOST; |
1794 | |
1795 | herr = getnameinfo(sa, salen, host, sizeof(host), port, sizeof(port), |
1796 | flags); |
1797 | switch (herr) { |
1798 | case 0: |
1799 | break; |
1800 | case EAI_SYSTEM: |
1801 | err(1, "getnameinfo"); |
1802 | default: |
1803 | errx(1, "getnameinfo: %s", gai_strerror(herr)); |
1804 | } |
1805 | |
1806 | fprintf(stderr, "%s on %s %s\n", msg, host, port); |
1807 | } |
1808 | |
1809 | void |
1810 | help(void) |
1811 | { |
1812 | usage(0); |
1813 | fprintf(stderr, "\tCommand Summary:\n\ |
1814 | \t-4 Use IPv4\n\ |
1815 | \t-6 Use IPv6\n\ |
1816 | \t-C certfile Public key file\n\ |
1817 | \t-c Use TLS\n\ |
1818 | \t-D Enable the debug socket option\n\ |
1819 | \t-d Detach from stdin\n\ |
1820 | \t-e name\t Required name in peer certificate\n\ |
1821 | \t-F Pass socket fd\n\ |
1822 | \t-H hash\t Hash string of peer certificate\n\ |
1823 | \t-h This help text\n\ |
1824 | \t-I length TCP receive buffer length\n\ |
1825 | \t-i interval Delay interval for lines sent, ports scanned\n\ |
1826 | \t-K keyfile Private key file\n\ |
1827 | \t-k Keep inbound sockets open for multiple connects\n\ |
1828 | \t-l Listen mode, for inbound connects\n\ |
1829 | \t-M ttl Outgoing TTL / Hop Limit\n\ |
1830 | \t-m minttl Minimum incoming TTL / Hop Limit\n\ |
1831 | \t-N Shutdown the network socket after EOF on stdin\n\ |
1832 | \t-n Suppress name/port resolutions\n\ |
1833 | \t-O length TCP send buffer length\n\ |
1834 | \t-o staplefile Staple file\n\ |
1835 | \t-P proxyuser\tUsername for proxy authentication\n\ |
1836 | \t-p port\t Specify local port for remote connects\n\ |
1837 | \t-R CAfile CA bundle\n\ |
1838 | \t-r Randomize remote ports\n\ |
1839 | \t-S Enable the TCP MD5 signature option\n\ |
1840 | \t-s sourceaddr Local source address\n\ |
1841 | \t-T keyword TOS value or TLS options\n\ |
1842 | \t-t Answer TELNET negotiation\n\ |
1843 | \t-U Use UNIX domain socket\n\ |
1844 | \t-u UDP mode\n\ |
1845 | \t-V rtable Specify alternate routing table\n\ |
1846 | \t-v Verbose\n\ |
1847 | \t-W recvlimit Terminate after receiving a number of packets\n\ |
1848 | \t-w timeout Timeout for connects and final net reads\n\ |
1849 | \t-X proto Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\ |
1850 | \t-x addr[:port]\tSpecify proxy address and port\n\ |
1851 | \t-Z Peer certificate file\n\ |
1852 | \t-z Zero-I/O mode [used for scanning]\n\ |
1853 | Port numbers can be individual or ranges: lo-hi [inclusive]\n"); |
1854 | exit(1); |
1855 | } |
1856 | |
1857 | void |
1858 | usage(int ret) |
1859 | { |
1860 | fprintf(stderr, |
1861 | "usage: nc [-46cDdFhklNnrStUuvz] [-C certfile] [-e name] " |
1862 | "[-H hash] [-I length]\n" |
1863 | "\t [-i interval] [-K keyfile] [-M ttl] [-m minttl] [-O length]\n" |
1864 | "\t [-o staplefile] [-P proxy_username] [-p source_port] " |
1865 | "[-R CAfile]\n" |
1866 | "\t [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit] " |
1867 | "[-w timeout]\n" |
1868 | "\t [-X proxy_protocol] [-x proxy_address[:port]] " |
1869 | "[-Z peercertfile]\n" |
1870 | "\t [destination] [port]\n"); |
1871 | if (ret) |
1872 | exit(1); |
1873 | } |