Hello community, here is the log from the commit of package netcat-openbsd for openSUSE:Factory checked in at 2018-11-26 10:16:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/netcat-openbsd (Old) and /work/SRC/openSUSE:Factory/.netcat-openbsd.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "netcat-openbsd" Mon Nov 26 10:16:01 2018 rev:24 rq:648975 version:1.195 Changes: -------- --- /work/SRC/openSUSE:Factory/netcat-openbsd/netcat-openbsd.changes 2017-07-30 11:25:14.311525614 +0200 +++ /work/SRC/openSUSE:Factory/.netcat-openbsd.new.19453/netcat-openbsd.changes 2018-11-26 10:16:05.302029033 +0100 @@ -1,0 +2,23 @@ +Wed Nov 14 13:12:29 UTC 2018 - Tomáš Chvátal <tchva...@suse.com> + +- Update to 1.195 release matching with debian +- Added new patches: + * broadcast-support.patch + * build-without-TLS-support.patch + * destination-port-list.patch + * use-flags-to-specify-listen-address.patch +- Refreshed patches: + * connect-timeout.patch + * dccp-support.patch + * get-sev-by-name.patch + * misc-failures-and-features.patch + * port-to-linux-with-libsd.patch + * quit-timer.patch + * send-crlf.patch + * serialized-handling-multiple-clients.patch + * set-TCP-MD5SIG-correctly-for-client-connections.patch + * udp-scan-timeout.patch + * verbose-numeric-port.patch +- Drop patch compile-without-TLS-support.patch, renamed + +------------------------------------------------------------------- Old: ---- compile-without-TLS-support.patch netcat-openbsd_1.178.orig.tar.gz New: ---- broadcast-support.patch build-without-TLS-support.patch destination-port-list.patch netcat-openbsd_1.195.orig.tar.gz use-flags-to-specify-listen-address.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netcat-openbsd.spec ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.094028105 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.094028105 +0100 @@ -1,7 +1,7 @@ # # spec file for package netcat-openbsd # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,21 +12,21 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: netcat-openbsd -Version: 1.178 +Version: 1.195 Release: 0 Summary: TCP/IP swiss army knife License: BSD-3-Clause Group: Productivity/Networking/Other -Url: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/nc/ +URL: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/nc/ Source0: http://http.debian.net/debian/pool/main/n/netcat-openbsd/netcat-openbsd_%{version}.orig.tar.gz -#Patches from: http://http.debian.net/debian/pool/main/n/netcat-openbsd/netcat-openbsd_%{version}-2.debian.tar.xz +#Patches from: http://http.debian.net/debian/pool/main/n/netcat-openbsd/netcat-openbsd_%{version}-1.debian.tar.xz Patch0: port-to-linux-with-libsd.patch -Patch1: compile-without-TLS-support.patch +Patch1: build-without-TLS-support.patch Patch2: connect-timeout.patch Patch3: get-sev-by-name.patch Patch4: send-crlf.patch @@ -34,9 +34,12 @@ Patch6: udp-scan-timeout.patch Patch7: verbose-numeric-port.patch Patch8: dccp-support.patch -Patch9: serialized-handling-multiple-clients.patch -Patch10: set-TCP-MD5SIG-correctly-for-client-connections.patch -Patch11: misc-failures-and-features.patch +Patch9: broadcast-support.patch +Patch10: serialized-handling-multiple-clients.patch +Patch11: set-TCP-MD5SIG-correctly-for-client-connections.patch +Patch12: destination-port-list.patch +Patch13: use-flags-to-specify-listen-address.patch +Patch14: misc-failures-and-features.patch BuildRequires: pkgconfig BuildRequires: pkgconfig(libbsd) Provides: nc6 = %{version} @@ -73,7 +76,7 @@ %files %{_bindir}/nc %{_bindir}/netcat -%{_mandir}/man1/nc.1%{ext_man} -%{_mandir}/man1/netcat.1%{ext_man} +%{_mandir}/man1/nc.1%{?ext_man} +%{_mandir}/man1/netcat.1%{?ext_man} %changelog ++++++ broadcast-support.patch ++++++ From: Aron Xu <a...@debian.org> Date: Mon, 13 Feb 2012 19:06:52 +0800 Subject: broadcast support --- nc.1 | 4 +++- netcat.c | 22 ++++++++++++++++++++-- 2 files changed, 23 insertions(+), 3 deletions(-) --- a/nc.1 +++ b/nc.1 @@ -33,7 +33,7 @@ .Nd arbitrary TCP and UDP connections and listens .Sh SYNOPSIS .Nm nc -.Op Fl 46CDdFhklNnrStUuvZz +.Op Fl 46bCDdFhklNnrStUuvZz .Op Fl I Ar length .Op Fl i Ar interval .Op Fl M Ar ttl @@ -93,6 +93,8 @@ The options are as follows: Use IPv4 addresses only. .It Fl 6 Use IPv6 addresses only. +.It Fl b +Allow broadcast. .It Fl C Send CRLF as line-ending. Each line feed (LF) character from the input data is translated into CR+LF before being written to the socket. Line --- a/netcat.c +++ b/netcat.c @@ -133,6 +133,7 @@ #define UDP_SCAN_TIMEOUT 3 /* Seconds */ /* Command Line Options */ +int bflag; /* Allow Broadcast */ int dflag; /* detached, no stdin */ int Fflag; /* fdpass sock to stdout */ unsigned int iflag; /* Interval Flag */ @@ -261,9 +262,9 @@ main(int argc, char *argv[]) while ((ch = getopt(argc, argv, # if defined(TLS) - "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vW:w:X:x:Z:z")) + "46bC:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vW:w:X:x:Z:z")) # else - "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vW:w:X:x:Zz")) + "46bCDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vW:w:X:x:Zz")) # endif != -1) { switch (ch) { @@ -273,6 +274,13 @@ main(int argc, char *argv[]) case '6': family = AF_INET6; break; + case 'b': +# if defined(SO_BROADCAST) + bflag = 1; +# else + errx(1, "no broadcast frame support available"); +# endif + break; case 'U': family = AF_UNIX; break; @@ -1843,6 +1851,15 @@ set_common_sockopts(int s, int af) { int x = 1; +# if defined(SO_BROADCAST) + if (bflag) { + /* allow datagram sockets to send packets to a broadcast address + * (this option has no effect on stream-oriented sockets) */ + if (setsockopt(s, SOL_SOCKET, SO_BROADCAST, + &x, sizeof(x)) == -1) + err(1, NULL); + } +# endif # if defined(TCP_MD5SIG) if (Sflag) { if (setsockopt(s, IPPROTO_TCP, TCP_MD5SIG, @@ -2122,6 +2139,7 @@ help(void) fprintf(stderr, "\tCommand Summary:\n\ \t-4 Use IPv4\n\ \t-6 Use IPv6\n\ + \t-b Allow broadcast\n\ \t-C Send CRLF as line-ending\n\ \t-D Enable the debug socket option\n\ \t-d Detach from stdin\n\ ++++++ build-without-TLS-support.patch ++++++ ++++ 864 lines (skipped) ++++++ connect-timeout.patch ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.126028068 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.126028068 +0100 @@ -17,7 +17,7 @@ #include <netdb.h> #include <poll.h> @@ -124,6 +125,10 @@ - # define TLS_MUSTSTAPLE (1 << 5) + # define TLS_MUSTSTAPLE (1 << 4) #endif +#define CONNECTION_SUCCESS 0 @@ -27,7 +27,7 @@ /* Command Line Options */ int dflag; /* detached, no stdin */ int Fflag; /* fdpass sock to stdout */ -@@ -208,6 +213,9 @@ ssize_t drainbuf(int, unsigned char *, s +@@ -214,6 +219,9 @@ ssize_t drainbuf(int, unsigned char *, s ssize_t fillbuf(int, unsigned char *, size_t *); # endif @@ -37,7 +37,7 @@ int main(int argc, char *argv[]) { -@@ -1022,11 +1030,14 @@ remote_connect(const char *host, const c +@@ -1066,11 +1074,14 @@ remote_connect(const char *host, const c set_common_sockopts(s, res->ai_family); @@ -54,8 +54,8 @@ save_errno = errno; close(s); -@@ -1067,6 +1078,69 @@ timeout_connect(int s, const struct sock - return (ret); +@@ -1111,6 +1122,69 @@ timeout_connect(int s, const struct sock + return ret; } +static int connect_with_timeout(int fd, const struct sockaddr *sa, ++++++ dccp-support.patch ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.134028059 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.134028059 +0100 @@ -4,8 +4,8 @@ --- nc.1 | 4 ++ - netcat.c | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++---------- - 2 files changed, 82 insertions(+), 15 deletions(-) + netcat.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++---------- + 2 files changed, 79 insertions(+), 14 deletions(-) --- a/nc.1 +++ b/nc.1 @@ -18,15 +18,15 @@ .Op Fl I Ar length .Op Fl i Ar interval .Op Fl M Ar ttl -@@ -286,6 +286,8 @@ for SOCKS, 3128 for HTTPS). - An IPv6 address can be specified unambiguously by enclosing - .Ar proxy_address +@@ -289,6 +289,8 @@ An IPv6 address can be specified unambig in square brackets. + A proxy cannot be used with any of the options + .Fl lsuU . +.It Fl Z +DCCP mode. .It Fl z - Specifies that - .Nm + Only scan for listening daemons, without sending any data to them. + Cannot be used together with --- a/netcat.c +++ b/netcat.c @@ -147,6 +147,7 @@ int rflag; /* Random ports flag */ @@ -37,7 +37,7 @@ int vflag; /* Verbosity */ int xflag; /* Socks proxy */ int zflag; /* Port Scan Flag */ -@@ -219,6 +220,7 @@ ssize_t drainbuf(int, unsigned char *, s +@@ -225,6 +226,7 @@ ssize_t drainbuf(int, unsigned char *, s ssize_t fillbuf(int, unsigned char *, size_t *); # endif @@ -45,19 +45,16 @@ static int connect_with_timeout(int fd, const struct sockaddr *sa, socklen_t salen, int ctimeout); -@@ -252,9 +254,9 @@ main(int argc, char *argv[]) - - while ((ch = getopt(argc, argv, +@@ -261,7 +263,7 @@ main(int argc, char *argv[]) # if defined(TLS) -- "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vw:X:x:z")) != -1) { -+ "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vw:X:x:Zz")) != -1) { + "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vW:w:X:x:Z:z")) # else -- "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vw:X:x:z")) != -1) { -+ "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vw:X:x:Zz")) != -1) { +- "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vW:w:X:x:z")) ++ "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vW:w:X:x:Zz")) # endif + != -1) { switch (ch) { - case '4': -@@ -370,6 +372,13 @@ main(int argc, char *argv[]) +@@ -378,6 +380,13 @@ main(int argc, char *argv[]) case 'u': uflag = 1; break; @@ -71,12 +68,10 @@ case 'V': # if defined(RT_TABLEID_MAX) rtableid = (int)strtonum(optarg, 0, -@@ -461,6 +470,12 @@ main(int argc, char *argv[]) +@@ -482,6 +491,10 @@ main(int argc, char *argv[]) /* Cruft to make sure options are clean, and used properly. */ if (argv[0] && !argv[1] && family == AF_UNIX) { -+ if (uflag) -+ errx(1, "cannot use -u and -U"); +# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP) + if (dccpflag) + errx(1, "cannot use -Z and -U"); @@ -84,7 +79,7 @@ host = argv[0]; uport = NULL; } else if (!argv[0] && lflag) { -@@ -527,8 +542,20 @@ main(int argc, char *argv[]) +@@ -575,8 +588,20 @@ main(int argc, char *argv[]) if (family != AF_UNIX) { memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = family; @@ -107,7 +102,7 @@ if (nflag) hints.ai_flags |= AI_NUMERICHOST; } -@@ -536,7 +563,10 @@ main(int argc, char *argv[]) +@@ -584,7 +609,10 @@ main(int argc, char *argv[]) if (xflag) { if (uflag) errx(1, "no proxy support for UDP mode"); @@ -119,7 +114,7 @@ if (lflag) errx(1, "no proxy support for listen"); -@@ -798,19 +828,20 @@ main(int argc, char *argv[]) +@@ -841,19 +869,20 @@ main(int argc, char *argv[]) } } @@ -142,8 +137,8 @@ sv ? sv->s_name : "*"); } if (Fflag) -@@ -1017,6 +1048,24 @@ unix_listen(char *path) - return (s); +@@ -1063,6 +1092,24 @@ unix_listen(char *path) + return s; } +char *proto_name(int uflag, int dccpflag) { @@ -167,7 +162,7 @@ /* * remote_connect() * Returns a socket connected to a remote host. Properly binds to a local -@@ -1047,8 +1096,21 @@ remote_connect(const char *host, const c +@@ -1093,8 +1140,21 @@ remote_connect(const char *host, const c # endif memset(&ahints, 0, sizeof(struct addrinfo)); ahints.ai_family = res->ai_family; @@ -191,7 +186,7 @@ ahints.ai_flags = AI_PASSIVE; if ((error = getaddrinfo(sflag, pflag, &ahints, &ares))) errx(1, "getaddrinfo: %s", gai_strerror(error)); -@@ -1060,15 +1122,16 @@ remote_connect(const char *host, const c +@@ -1106,15 +1166,16 @@ remote_connect(const char *host, const c } set_common_sockopts(s, res->ai_family); @@ -211,7 +206,7 @@ save_errno = errno; close(s); -@@ -1654,7 +1717,8 @@ build_ports(char *p) +@@ -1706,7 +1767,8 @@ build_ports(char *p) int hi, lo, cp; int x = 0; @@ -221,7 +216,7 @@ if (sv) { if (asprintf(&portlist[0], "%d", ntohs(sv->s_port)) < 0) err(1, "asprintf"); -@@ -1991,6 +2055,7 @@ help(void) +@@ -2090,6 +2152,7 @@ help(void) \t-w timeout Timeout for connects and final net reads\n\ \t-X proto Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\ \t-x addr[:port]\tSpecify proxy address and port\n\ @@ -229,12 +224,12 @@ \t-z Zero-I/O mode [used for scanning]\n\ Port numbers can be individual or ranges: lo-hi [inclusive]\n"); exit(0); -@@ -2000,7 +2065,7 @@ void +@@ -2099,7 +2162,7 @@ void usage(int ret) { fprintf(stderr, - "usage: nc [-46CDdFhklNnrStUuvz] [-I length] [-i interval] [-M ttl]\n" + "usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]\n" "\t [-m minttl] [-O length] [-P proxy_username] [-p source_port]\n" - "\t [-q seconds] [-s source] [-T keyword] [-V rtable] [-w timeout] " - "[-X proxy_protocol]\n" + "\t [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] " + "[-w timeout]\n" ++++++ destination-port-list.patch ++++++ From: Guilhem Moulin <guil...@debian.org> Date: Mon, 22 Oct 2018 04:15:52 +0200 Subject: destination port list --- nc.1 | 26 ++++++++++++++++--- netcat.c | 86 ++++++++++++++++++++++++++++++++------------------------------- 2 files changed, 68 insertions(+), 44 deletions(-) --- a/nc.1 +++ b/nc.1 @@ -414,15 +414,35 @@ The flag can be used to tell .Nm to report open ports, -rather than initiate a connection. +rather than initiate a connection. Usually it's useful to turn on verbose +output to stderr by use this option in conjunction with +.Fl v +option. +.Pp For example: .Bd -literal -offset indent -$ nc -z host.example.com 20-30 +$ nc \-zv host.example.com 20-30 Connection to host.example.com 22 port [tcp/ssh] succeeded! Connection to host.example.com 25 port [tcp/smtp] succeeded! .Ed .Pp -The port range was specified to limit the search to ports 20 \- 30. +The port range was specified to limit the search to ports 20 \- 30, and is +scanned by increasing order (unless the +.Fl r +flag is set). +.Pp +You can also specify a list of ports to scan, for example: +.Bd -literal -offset indent +$ nc \-zv host.example.com http 20 22-23 +nc: connect to host.example.com 80 (tcp) failed: Connection refused +nc: connect to host.example.com 20 (tcp) failed: Connection refused +Connection to host.example.com port [tcp/ssh] succeeded! +nc: connect to host.example.com 23 (tcp) failed: Connection refused +.Ed +.Pp +The ports are scanned by the order you given (unless the +.Fl r +flag is set). .Pp Alternatively, it might be useful to know which server software is running, and which versions. --- a/netcat.c +++ b/netcat.c @@ -192,7 +192,7 @@ int minttl = -1; void atelnet(int, unsigned char *, unsigned int); int strtoport(char *portstr, int udp); -void build_ports(char *); +void build_ports(char **); void help(void) __attribute__((noreturn)); int local_listen(const char *, const char *, struct addrinfo); # if defined(TLS) @@ -243,7 +243,7 @@ int main(int argc, char *argv[]) { int ch, s = -1, ret, socksv; - char *host, *uport; + char *host, **uport; struct addrinfo hints; struct servent *sv; socklen_t len; @@ -524,11 +524,11 @@ main(int argc, char *argv[]) } else if (argv[0] && !argv[1]) { if (!lflag) usage(1); - uport = argv[0]; + uport = &argv[0]; host = NULL; } else if (argv[0] && argv[1]) { host = argv[0]; - uport = argv[1]; + uport = &argv[1]; } else usage(1); @@ -715,7 +715,7 @@ main(int argc, char *argv[]) else s = unix_listen(host); } else - s = local_listen(host, uport, hints); + s = local_listen(host, *uport, hints); if (s < 0) err(1, NULL); @@ -1775,57 +1775,61 @@ strtoport(char *portstr, int udp) * that we should try to connect to. */ void -build_ports(char *p) +build_ports(char **p) { struct servent *sv; char *n; int hi, lo, cp; int x = 0; + int i; char *proto = proto_name(uflag, dccpflag); - sv = getservbyname(p, proto); - if (sv) { - if (asprintf(&portlist[0], "%d", ntohs(sv->s_port)) < 0) - err(1, "asprintf"); - } else if ((n = strchr(p, '-')) != NULL) { - *n = '\0'; - n++; - - /* Make sure the ports are in order: lowest->highest. */ - hi = strtoport(n, uflag); - lo = strtoport(p, uflag); - if (lo > hi) { - cp = hi; - hi = lo; - lo = cp; - } - - /* - * Initialize portlist with a random permutation. Based on - * Knuth, as in ip_randomid() in sys/netinet/ip_id.c. - */ - if (rflag) { - for (x = 0; x <= hi - lo; x++) { - cp = arc4random_uniform(x + 1); - portlist[x] = portlist[cp]; - if (asprintf(&portlist[cp], "%d", x + lo) < 0) - err(1, "asprintf"); + for (i = 0; p[i] != NULL; i++) { + sv = getservbyname(p[i], proto); + if (sv) { + if (asprintf(&portlist[x], "%d", ntohs(sv->s_port)) < 0) + err(1, "asprintf"); + x++; + } else if ((n = strchr(p[i], '-')) != NULL) { + *n = '\0'; + n++; + + /* Make sure the ports are in order: lowest->highest. */ + hi = strtoport(n, uflag); + lo = strtoport(p[i], uflag); + if (lo > hi) { + cp = hi; + hi = lo; + lo = cp; } - } else { /* Load ports sequentially. */ + + /* Load ports sequentially. */ for (cp = lo; cp <= hi; cp++) { if (asprintf(&portlist[x], "%d", cp) < 0) err(1, "asprintf"); x++; } + } else { + hi = strtoport(p[i], uflag); + if (asprintf(&portlist[x], "%d", hi) < 0) + err(1, "asprintf"); + x++; } - } else { - char *tmp; + } - hi = strtoport(p, uflag); - if (asprintf(&tmp, "%d", hi) != -1) - portlist[0] = tmp; - else - err(1, NULL); + /* + * Initialize portlist with a random permutation using + * Fisher–Yates shuffle. + */ + if (rflag) { + for (i = x-1; i > 0; i--) { + cp = arc4random_uniform(i+1); + if (cp != i) { + n = portlist[i]; + portlist[i] = portlist[cp]; + portlist[cp] = n; + } + } } } ++++++ get-sev-by-name.patch ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.150028040 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.150028040 +0100 @@ -8,7 +8,7 @@ --- a/netcat.c +++ b/netcat.c -@@ -1603,11 +1603,16 @@ strtoport(char *portstr, int udp) +@@ -1653,11 +1653,16 @@ strtoport(char *portstr, int udp) void build_ports(char *p) { ++++++ misc-failures-and-features.patch ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.158028030 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.158028030 +0100 @@ -3,10 +3,10 @@ Subject: misc failures and features --- - Makefile | 3 +- - nc.1 | 76 +++++++++++++++++++++++++++++++++++++++++++++++++--- - netcat.c | 91 ++++++++++++++++++++++++++++++++++++++++++++------------------- - 3 files changed, 138 insertions(+), 32 deletions(-) + Makefile | 3 ++- + nc.1 | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ + netcat.c | 14 ++++++++++++-- + 3 files changed, 65 insertions(+), 3 deletions(-) --- a/Makefile +++ b/Makefile @@ -22,25 +22,7 @@ LDFLAGS= -Wl,--no-add-needed --- a/nc.1 +++ b/nc.1 -@@ -33,7 +33,7 @@ - .Nd arbitrary TCP and UDP connections and listens - .Sh SYNOPSIS - .Nm nc --.Op Fl 46CDdFhklNnrStUuvZz -+.Op Fl 46bCDdFhklNnrStUuvZz - .Op Fl I Ar length - .Op Fl i Ar interval - .Op Fl M Ar ttl -@@ -96,6 +96,8 @@ to use IPv4 addresses only. - Forces - .Nm - to use IPv6 addresses only. -+.It Fl b -+Allow broadcast. - .It Fl C - Send CRLF as line-ending. - .It Fl D -@@ -352,6 +354,54 @@ and which side is being used as a +@@ -365,6 +365,54 @@ and which side is being used as a The connection may be terminated using an .Dv EOF .Pq Sq ^D . @@ -95,41 +77,7 @@ .Sh DATA TRANSFER The example in the previous section can be expanded to build a basic data transfer model. -@@ -411,15 +461,30 @@ The - flag can be used to tell - .Nm - to report open ports, --rather than initiate a connection. -+rather than initiate a connection. Usually it's useful to turn on verbose -+output to stderr by use this option in conjunction with -+.Fl v -+option. -+.Pp - For example: - .Bd -literal -offset indent --$ nc -z host.example.com 20-30 -+$ nc \-zv host.example.com 20-30 - Connection to host.example.com 22 port [tcp/ssh] succeeded! - Connection to host.example.com 25 port [tcp/smtp] succeeded! - .Ed - .Pp --The port range was specified to limit the search to ports 20 \- 30. -+The port range was specified to limit the search to ports 20 \- 30, and is -+scanned by increasing order. -+.Pp -+You can also specify a list of ports to scan, for example: -+.Bd -literal -offset indent -+$ nc \-zv host.example.com 80 20 22 -+nc: connect to host.example.com 80 (tcp) failed: Connection refused -+nc: connect to host.example.com 20 (tcp) failed: Connection refused -+Connection to host.example.com port [tcp/ssh] succeeded! -+.Ed -+.Pp -+The ports are scanned by the order you given. - .Pp - Alternatively, it might be useful to know which server software - is running, and which versions. -@@ -484,6 +549,9 @@ Original implementation by *Hobbit* +@@ -517,6 +565,9 @@ Original implementation by .br Rewritten with IPv6 support by .An Eric Jackson Aq Mt er...@monkey.org . @@ -149,29 +97,7 @@ #include <stdarg.h> #include <stdio.h> #include <stdlib.h> -@@ -136,6 +137,7 @@ - #define UDP_SCAN_TIMEOUT 3 /* Seconds */ - - /* Command Line Options */ -+int bflag; /* Allow Broadcast */ - int dflag; /* detached, no stdin */ - int Fflag; /* fdpass sock to stdout */ - unsigned int iflag; /* Interval Flag */ -@@ -186,7 +188,7 @@ int ttl = -1; - int minttl = -1; - - void atelnet(int, unsigned char *, unsigned int); --void build_ports(char *); -+void build_ports(char **); - void help(void); - int local_listen(char *, char *, struct addrinfo); - # if defined(TLS) -@@ -236,11 +238,14 @@ int - main(int argc, char *argv[]) - { - int ch, s = -1, ret, socksv; -- char *host, *uport; -+ char *host, **uport; +@@ -247,7 +248,10 @@ main(int argc, char *argv[]) struct addrinfo hints; struct servent *sv; socklen_t len; @@ -180,203 +106,40 @@ + struct sockaddr_storage storage; + struct sockaddr_un forunix; + } cliaddr; - char *proxy, *proxyport = NULL; + char *proxy = NULL, *proxyport = NULL; const char *errstr; struct addrinfo proxyhints; -@@ -260,9 +265,9 @@ main(int argc, char *argv[]) - - while ((ch = getopt(argc, argv, - # if defined(TLS) -- "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vw:X:x:Zz")) != -1) { -+ "46bC:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vw:X:x:Zz")) != -1) { - # else -- "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vw:X:x:Zz")) != -1) { -+ "46bCDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vw:X:x:Zz")) != -1) { - # endif - switch (ch) { - case '4': -@@ -271,6 +276,13 @@ main(int argc, char *argv[]) - case '6': - family = AF_INET6; - break; -+ case 'b': -+# if defined(SO_BROADCAST) -+ bflag = 1; -+# else -+ errx(1, "no broadcast frame support available"); -+# endif -+ break; - case 'U': - family = AF_UNIX; - break; -@@ -479,32 +491,39 @@ main(int argc, char *argv[]) - - /* Cruft to make sure options are clean, and used properly. */ - if (argv[0] && !argv[1] && family == AF_UNIX) { -- if (uflag) -- errx(1, "cannot use -u and -U"); - # if defined(IPPROTO_DCCP) && defined(SOCK_DCCP) - if (dccpflag) - errx(1, "cannot use -Z and -U"); - # endif - host = argv[0]; - uport = NULL; -- } else if (!argv[0] && lflag) { -- if (sflag) -- errx(1, "cannot use -s and -l"); -- if (zflag) -- errx(1, "cannot use -z and -l"); -- if (pflag) -- uport=pflag; -- } else if (argv[0] && !argv[1]) { -- if (!lflag) -- usage(1); -- uport = argv[0]; -+ } else if (argv[0] && !argv[1] && lflag) { -+ if (pflag) { -+ uport = &pflag; -+ host = argv[0]; -+ } else { -+ uport = argv; -+ host = NULL; -+ } -+ } else if (!argv[0] && lflag && pflag) { -+ uport = &pflag; - host = NULL; - } else if (argv[0] && argv[1]) { - host = argv[0]; -- uport = argv[1]; -+ uport = &argv[1]; - } else - usage(1); - -+ if (lflag) { -+ if (sflag) -+ errx(1, "cannot use -s and -l"); -+ if (zflag) -+ errx(1, "cannot use -z and -l"); -+ if (pflag) -+ /* This still does not work well because of getopt mess -+ errx(1, "cannot use -p and -l"); */ -+ uport = &pflag; -+ } - if (!lflag && kflag) - errx(1, "must use -l with -k"); - # if defined(TLS) -@@ -674,7 +693,7 @@ main(int argc, char *argv[]) - else - s = unix_listen(host); - } else -- s = local_listen(host, uport, hints); -+ s = local_listen(host, *uport, hints); - if (s < 0) - err(1, NULL); - -@@ -683,7 +702,8 @@ main(int argc, char *argv[]) - local = ":::"; - else - local = "0.0.0.0"; -- fprintf(stderr, "Listening on [%s] (family %d, port %d)\n", -+ if (vflag && (family != AF_UNIX)) -+ fprintf(stderr, "Listening on [%s] (family %d, port %s)\n", - host ?: local, - family, - *uport); -@@ -898,6 +918,8 @@ unix_bind(char *path, int flags) +@@ -952,6 +956,8 @@ unix_bind(char *path, int flags) 0)) < 0) - return (-1); + return -1; -+ unlink(path); ++ unlink(path); + memset(&s_un, 0, sizeof(struct sockaddr_un)); s_un.sun_family = AF_UNIX; -@@ -1015,8 +1037,10 @@ unix_connect(char *path) +@@ -1075,8 +1081,10 @@ unix_connect(char *path) if ((s = unix_bind(unix_dg_tmp_socket, SOCK_CLOEXEC)) < 0) - return (-1); + return -1; } else { - if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) < 0) + if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) < 0) { -+ errx(1,"create unix socket failed"); - return (-1); ++ errx(1, "create unix socket failed"); + return -1; + } } memset(&s_un, 0, sizeof(struct sockaddr_un)); -@@ -1026,10 +1050,12 @@ unix_connect(char *path) +@@ -1086,10 +1094,12 @@ unix_connect(char *path) sizeof(s_un.sun_path)) { close(s); errno = ENAMETOOLONG; -+ warn("unix connect abandoned"); - return (-1); ++ warn("unix connect abandoned"); + return -1; } if (connect(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) { save_errno = errno; -+ warn("unix connect failed"); ++ warn("unix connect failed"); close(s); errno = save_errno; - return (-1); -@@ -1718,25 +1744,26 @@ strtoport(char *portstr, int udp) - * that we should try to connect to. - */ - void --build_ports(char *p) -+build_ports(char **p) - { - struct servent *sv; - char *n; - int hi, lo, cp; - int x = 0; -+ int i; - - char *proto = proto_name(uflag, dccpflag); -- sv = getservbyname(p, proto); -+ sv = getservbyname(*p, proto); - if (sv) { - if (asprintf(&portlist[0], "%d", ntohs(sv->s_port)) < 0) - err(1, "asprintf"); -- } else if ((n = strchr(p, '-')) != NULL) { -+ } else if ((n = strchr(*p, '-')) != NULL) { - *n = '\0'; - n++; - - /* Make sure the ports are in order: lowest->highest. */ - hi = strtoport(n, uflag); -- lo = strtoport(p, uflag); -+ lo = strtoport(*p, uflag); - if (lo > hi) { - cp = hi; - hi = lo; -@@ -1764,7 +1791,7 @@ build_ports(char *p) - } else { - char *tmp; - -- hi = strtoport(p, uflag); -+ hi = strtoport(*p, uflag); - if (asprintf(&tmp, "%d", hi) != -1) - portlist[0] = tmp; - else -@@ -1802,6 +1829,15 @@ set_common_sockopts(int s, const struct - int x = 1; - int af = sa->sa_family; - -+# if defined(SO_BROADCAST) -+ if (bflag) { -+ /* allow datagram sockets to send packets to a broadcast address -+ * (this option has no effect on stream-oriented sockets) */ -+ if (setsockopt(s, SOL_SOCKET, SO_BROADCAST, -+ &x, sizeof(x)) == -1) -+ err(1, NULL); -+ } -+# endif - # if defined(TCP_MD5SIG) && defined(TCP_MD5SIG_MAXKEYLEN) - if (Sflag) { - struct tcp_md5sig sig; -@@ -2042,6 +2078,7 @@ help(void) - fprintf(stderr, "\tCommand Summary:\n\ - \t-4 Use IPv4\n\ - \t-6 Use IPv6\n\ -+ \t-b Allow broadcast\n\ - \t-C Send CRLF as line-ending\n\ - \t-D Enable the debug socket option\n\ - \t-d Detach from stdin\n\ + return -1; ++++++ netcat-openbsd_1.178.orig.tar.gz -> netcat-openbsd_1.195.orig.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netcat-openbsd-1.178/nc.1 new/netcat-openbsd-1.195/nc.1 --- old/netcat-openbsd-1.178/nc.1 2017-06-09 18:11:34.000000000 +0200 +++ new/netcat-openbsd-1.195/nc.1 2018-10-21 12:34:47.000000000 +0200 @@ -1,4 +1,4 @@ -.\" $OpenBSD: nc.1,v 1.82 2017/02/09 20:15:59 jca Exp $ +.\" $OpenBSD: nc.1,v 1.91 2018/09/25 20:05:07 jmc Exp $ .\" .\" Copyright (c) 1996 David Sacerdote .\" All rights reserved. @@ -25,7 +25,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: February 9 2017 $ +.Dd $Mdocdate: September 25 2018 $ .Dt NC 1 .Os .Sh NAME @@ -50,9 +50,11 @@ .Op Fl s Ar source .Op Fl T Ar keyword .Op Fl V Ar rtable +.Op Fl W Ar recvlimit .Op Fl w Ar timeout .Op Fl X Ar proxy_protocol .Op Fl x Ar proxy_address Ns Op : Ns Ar port +.Op Fl Z Ar peercertfile .Op Ar destination .Op Ar port .Sh DESCRIPTION @@ -94,27 +96,31 @@ The options are as follows: .Bl -tag -width Ds .It Fl 4 -Forces -.Nm -to use IPv4 addresses only. +Use IPv4 addresses only. .It Fl 6 -Forces -.Nm -to use IPv6 addresses only. +Use IPv6 addresses only. .It Fl C Ar certfile -Specifies the filename from which the public key part of the TLS -certificate is loaded, in PEM format. -May only be used with TLS. +Load the public key part of the TLS peer certificate from +.Ar certfile , +in PEM format. +Requires +.Fl c . .It Fl c -If using a TCP socket to connect or listen, use TLS. -Illegal if not using TCP sockets. +Use TLS to connect or listen. +Cannot be used together with any of the options +.Fl FuU . .It Fl D Enable debugging on the socket. .It Fl d Do not attempt to read from stdin. .It Fl e Ar name -Specify the name that must be present in the peer certificate when using TLS. -Illegal if not using TLS. +Only accept the TLS peer certificate if it contains the +.Ar name . +Requires +.Fl c . +If not specified, +.Ar destination +is used. .It Fl F Pass the first connected socket using .Xr sendmsg 2 @@ -130,47 +136,49 @@ .Xr ssh_config 5 .Cm ProxyUseFdpass option). +Cannot be used with +.Fl c +or +.Fl U . .It Fl H Ar hash -Specifies the required hash string of the peer certificate when using TLS. -The string format required is that used by -.Xr tls_peer_cert_hash 3 . -Illegal if not using TLS, and may not be used with -T noverify. +Only accept the TLS peer certificate if its hash returned from +.Xr tls_peer_cert_hash 3 +matches +.Ar hash . +Requires +.Fl c +and cannot be used with +.Fl T Cm noverify . .It Fl h -Prints out +Print out the .Nm -help. +help text and exit. .It Fl I Ar length -Specifies the size of the TCP receive buffer. +Specify the size of the TCP receive buffer. .It Fl i Ar interval -Specifies a delay time interval between lines of text sent and received. +Sleep for +.Ar interval +seconds between lines of text sent and received. Also causes a delay time between connections to multiple ports. .It Fl K Ar keyfile -Specifies the filename from which the private key -is loaded in PEM format. -May only be used with TLS. +Load the TLS private key from +.Ar keyfile , +in PEM format. +Requires +.Fl c . .It Fl k -Forces -.Nm -to stay listening for another connection after its current connection -is completed. -It is an error to use this option without the -.Fl l -option. +When a connection is completed, listen for another one. +Requires +.Fl l . When used together with the .Fl u option, the server socket is not connected and it can receive UDP datagrams from multiple hosts. .It Fl l -Used to specify that -.Nm -should listen for an incoming connection rather than initiate a +Listen for an incoming connection rather than initiating a connection to a remote host. -It is an error to use this option in conjunction with the -.Fl p , -.Fl s , -or -.Fl z -options. +Cannot be used together with any of the options +.Fl psxz . Additionally, any timeouts specified with the .Fl w option are ignored. @@ -187,90 +195,111 @@ Do not do any DNS or service lookups on any specified addresses, hostnames or ports. .It Fl O Ar length -Specifies the size of the TCP send buffer. +Specify the size of the TCP send buffer. .It Fl o Ar staplefile -Specifies the filename from which to load data to be stapled -during the TLS handshake. -The file is expected to contain an OCSP response from an OCSP server in +During the TLS handshake, load data to be stapled from +.Ar staplefile , +which is expected to contain an OCSP response from an OCSP server in DER format. -May only be used with TLS and when a certificate is being used. +Requires +.Fl c +and +.Fl C . .It Fl P Ar proxy_username Specifies a username to present to a proxy server that requires authentication. If no username is specified then authentication will not be attempted. Proxy authentication is only supported for HTTP CONNECT proxies at present. .It Fl p Ar source_port -Specifies the source port +Specify the source port .Nm should use, subject to privilege restrictions and availability. -It is an error to use this option in conjunction with the -.Fl l -option. +Cannot be used together with +.Fl l . .It Fl R Ar CAfile -Specifies the filename from which the root CA bundle for certificate -verification is loaded, in PEM format. -Illegal if not using TLS. -The default is +Load the root CA bundle for TLS certificate verification from +.Ar CAfile , +in PEM format, instead of .Pa /etc/ssl/cert.pem . +Requires +.Fl c . .It Fl r -Specifies that source and/or destination ports should be chosen randomly +Choose source and/or destination ports randomly instead of sequentially within a range or in the order that the system assigns them. .It Fl S -Enables the RFC 2385 TCP MD5 signature option. +Enable the RFC 2385 TCP MD5 signature option. .It Fl s Ar source -Specifies the IP of the interface which is used to send the packets. +Send packets from the interface with the +.Ar source +IP address. For .Ux Ns -domain datagram sockets, specifies the local temporary socket file to create and use so that datagrams can be received. -It is an error to use this option in conjunction with the +Cannot be used together with .Fl l -option. +or +.Fl x . .It Fl T Ar keyword -Change IPv4 TOS value or TLS options. -For TLS options +Change the IPv4 TOS/IPv6 traffic class value or the TLS options. +.Pp +For TLS options, .Ar keyword -may be one of -.Ar tlsall ; -which allows the use of all supported TLS protocols and ciphers, -.Ar noverify ; +may be one of: +.Cm noverify , which disables certificate verification; -.Ar noname , +.Cm noname , which disables certificate name checking; -.Ar clientcert , +.Cm clientcert , which requires a client certificate on incoming connections; or -.Ar muststaple , +.Cm muststaple , which requires the peer to provide a valid stapled OCSP response with the handshake. -It is illegal to specify TLS options if not using TLS. +The following TLS options specify a value in the form of a +.Ar key Ns = Ns Ar value +pair: +.Cm ciphers , +which allows the supported TLS ciphers to be specified (see +.Xr tls_config_set_ciphers 3 +for further details); +.Cm protocols , +which allows the supported TLS protocols to be specified (see +.Xr tls_config_parse_protocols 3 +for further details). +Specifying TLS options requires +.Fl c . .Pp -For IPv4 TOS value +For the IPv4 TOS/IPv6 traffic class value, .Ar keyword may be one of -.Ar critical , -.Ar inetcontrol , -.Ar lowdelay , -.Ar netcontrol , -.Ar throughput , -.Ar reliability , +.Cm critical , +.Cm inetcontrol , +.Cm lowdelay , +.Cm netcontrol , +.Cm throughput , +.Cm reliability , or one of the DiffServ Code Points: -.Ar ef , -.Ar af11 ... af43 , -.Ar cs0 ... cs7 ; +.Cm ef , +.Cm af11 No ... Cm af43 , +.Cm cs0 No ... Cm cs7 ; or a number in either hex or decimal. .It Fl t -Causes -.Nm -to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests. +Send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests. This makes it possible to use .Nm to script telnet sessions. .It Fl U -Specifies to use +Use .Ux Ns -domain sockets. +Cannot be used together with any of the options +.Fl cFx . .It Fl u -Use UDP instead of the default option of TCP. +Use UDP instead of TCP. +Cannot be used together with +.Fl c +or +.Fl x . For .Ux Ns -domain sockets, use a datagram socket instead of a stream socket. @@ -284,9 +313,11 @@ .It Fl V Ar rtable Set the routing table to be used. .It Fl v -Have -.Nm -give more verbose output. +Produce more verbose output. +.It Fl W Ar recvlimit +Terminate after receiving +.Ar recvlimit +packets from the network. .It Fl w Ar timeout Connections which cannot be established or are idle timeout after .Ar timeout @@ -302,22 +333,20 @@ flag. The default is no timeout. .It Fl X Ar proxy_protocol -Requests that -.Nm -should use the specified protocol when talking to the proxy server. +Use +.Ar proxy_protocol +when talking to the proxy server. Supported protocols are -.Dq 4 +.Cm 4 (SOCKS v.4), -.Dq 5 +.Cm 5 (SOCKS v.5) and -.Dq connect +.Cm connect (HTTPS proxy). If the protocol is not specified, SOCKS version 5 is used. .It Fl x Ar proxy_address Ns Op : Ns Ar port -Requests that -.Nm -should connect to +Connect to .Ar destination using a proxy at .Ar proxy_address @@ -330,13 +359,18 @@ An IPv6 address can be specified unambiguously by enclosing .Ar proxy_address in square brackets. +A proxy cannot be used with any of the options +.Fl lsuU . +.It Fl Z Ar peercertfile +Save the peer certificates to +.Ar peercertfile , +in PEM format. +Requires +.Fl c . .It Fl z -Specifies that -.Nm -should just scan for listening daemons, without sending any data to them. -It is an error to use this option in conjunction with the -.Fl l -option. +Only scan for listening daemons, without sending any data to them. +Cannot be used together with +.Fl l . .El .Pp .Ar destination @@ -358,7 +392,8 @@ .Pp .Ar port can be a specified as a numeric port number, or as a service name. -Ports may be specified in a range of the form nn-mm. +Ports may be specified in a range of the form +.Ar nn Ns - Ns Ar mm . In general, a destination port must be specified, unless the @@ -485,10 +520,15 @@ .Pp .Dl $ nc -p 31337 -w 5 host.example.com 42 .Pp +Open a TCP connection to port 443 of www.example.com, and negotiate TLS with +any supported TLS protocol version and "compat" ciphers: +.Pp +.Dl $ nc -cv -T protocols=all -T ciphers=compat www.example.com 443 +.Pp Open a TCP connection to port 443 of www.google.ca, and negotiate TLS. -Check for a different name in the certificate for validation. +Check for a different name in the certificate for validation: .Pp -.Dl $ nc -v -c -e adsf.au.doubleclick.net www.google.ca 443 +.Dl $ nc -cv -e adsf.au.doubleclick.net www.google.ca 443 .Pp Open a UDP connection to port 53 of host.example.com: .Pp @@ -526,8 +566,8 @@ .Xr cat 1 , .Xr ssh 1 .Sh AUTHORS -Original implementation by *Hobbit* -.Aq Mt hob...@avian.org . +Original implementation by +.An *Hobbit* Aq Mt hob...@avian.org . .br Rewritten with IPv6 support by .An Eric Jackson Aq Mt er...@monkey.org . diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netcat-openbsd-1.178/netcat.c new/netcat-openbsd-1.195/netcat.c --- old/netcat-openbsd-1.178/netcat.c 2017-06-09 18:11:34.000000000 +0200 +++ new/netcat-openbsd-1.195/netcat.c 2018-10-21 12:34:47.000000000 +0200 @@ -1,4 +1,4 @@ -/* $OpenBSD: netcat.c,v 1.178 2017/03/09 13:58:00 bluhm Exp $ */ +/* $OpenBSD: netcat.c,v 1.195 2018/10/04 17:04:50 bluhm Exp $ */ /* * Copyright (c) 2001 Eric Jackson <er...@monkey.org> * Copyright (c) 2015 Bob Beck. All rights reserved. @@ -53,25 +53,25 @@ #include <stdlib.h> #include <string.h> #include <time.h> -#include <unistd.h> #include <tls.h> +#include <unistd.h> + #include "atomicio.h" #define PORT_MAX 65535 #define UNIX_DG_TMP_SOCKET_SIZE 19 -#define POLL_STDIN 0 -#define POLL_NETOUT 1 -#define POLL_NETIN 2 -#define POLL_STDOUT 3 -#define BUFSIZE 16384 -#define DEFAULT_CA_FILE "/etc/ssl/cert.pem" - -#define TLS_ALL (1 << 1) -#define TLS_NOVERIFY (1 << 2) -#define TLS_NONAME (1 << 3) -#define TLS_CCERT (1 << 4) -#define TLS_MUSTSTAPLE (1 << 5) +#define POLL_STDIN 0 +#define POLL_NETOUT 1 +#define POLL_NETIN 2 +#define POLL_STDOUT 3 +#define BUFSIZE 16384 +#define DEFAULT_CA_FILE "/etc/ssl/cert.pem" + +#define TLS_NOVERIFY (1 << 1) +#define TLS_NONAME (1 << 2) +#define TLS_CCERT (1 << 3) +#define TLS_MUSTSTAPLE (1 << 4) /* Command Line Options */ int dflag; /* detached, no stdin */ @@ -106,7 +106,11 @@ int TLSopt; /* TLS options */ char *tls_expectname; /* required name in peer cert */ char *tls_expecthash; /* required hash of peer cert */ +char *tls_ciphers; /* TLS ciphers */ +char *tls_protocols; /* TLS protocols */ +FILE *Zflag; /* file to save peer cert */ +int recvcount, recvlimit; int timeout = -1; int family = AF_UNSPEC; char *portlist[PORT_MAX+1]; @@ -115,9 +119,10 @@ int minttl = -1; void atelnet(int, unsigned char *, unsigned int); +int strtoport(char *portstr, int udp); void build_ports(char *); -void help(void); -int local_listen(char *, char *, struct addrinfo); +void help(void) __attribute__((noreturn)); +int local_listen(const char *, const char *, struct addrinfo); void readwrite(int, struct tls *); void fdpass(int nfd) __attribute__((noreturn)); int remote_connect(const char *, const char *, struct addrinfo); @@ -130,10 +135,11 @@ int unix_connect(char *); int unix_listen(char *); void set_common_sockopts(int, int); -int map_tos(char *, int *); -int map_tls(char *, int *); +int process_tos_opt(char *, int *); +int process_tls_opt(char *, int *); +void save_peer_cert(struct tls *_tls_ctx, FILE *_fp); void report_connect(const struct sockaddr *, socklen_t, char *); -void report_tls(struct tls *tls_ctx, char * host, char *tls_expectname); +void report_tls(struct tls *tls_ctx, char * host); void usage(int); ssize_t drainbuf(int, unsigned char *, size_t *, struct tls *); ssize_t fillbuf(int, unsigned char *, size_t *, struct tls *); @@ -149,12 +155,13 @@ struct servent *sv; socklen_t len; struct sockaddr_storage cliaddr; - char *proxy, *proxyport = NULL; + char *proxy = NULL, *proxyport = NULL; const char *errstr; struct addrinfo proxyhints; char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE]; struct tls_config *tls_cfg = NULL; struct tls *tls_ctx = NULL; + uint32_t protocols; ret = 1; socksv = 5; @@ -165,7 +172,8 @@ signal(SIGPIPE, SIG_IGN); while ((ch = getopt(argc, argv, - "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) { + "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vW:w:X:x:Z:z")) + != -1) { switch (ch) { case '4': family = AF_INET; @@ -268,6 +276,11 @@ case 'v': vflag = 1; break; + case 'W': + recvlimit = strtonum(optarg, 1, INT_MAX, &errstr); + if (errstr) + errx(1, "receive limit %s: %s", errstr, optarg); + break; case 'w': timeout = strtonum(optarg, 0, INT_MAX / 1000, &errstr); if (errstr) @@ -279,6 +292,12 @@ if ((proxy = strdup(optarg)) == NULL) err(1, NULL); break; + case 'Z': + if (strcmp(optarg, "-") == 0) + Zflag = stderr; + else if ((Zflag = fopen(optarg, "w")) == NULL) + err(1, "can't open %s", optarg); + break; case 'z': zflag = 1; break; @@ -306,9 +325,9 @@ case 'T': errstr = NULL; errno = 0; - if (map_tos(optarg, &Tflag)) + if (process_tls_opt(optarg, &TLSopt)) break; - if (map_tls(optarg, &TLSopt)) + if (process_tos_opt(optarg, &Tflag)) break; if (strlen(optarg) > 1 && optarg[0] == '0' && optarg[1] == 'x') @@ -330,30 +349,12 @@ if (setrtable(rtableid) == -1) err(1, "setrtable"); - if (family == AF_UNIX) { - if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1) - err(1, "pledge"); - } else if (Fflag) { - if (Pflag) { - if (pledge("stdio inet dns sendfd tty", NULL) == -1) - err(1, "pledge"); - } else if (pledge("stdio inet dns sendfd", NULL) == -1) - err(1, "pledge"); - } else if (Pflag) { - if (pledge("stdio inet dns tty", NULL) == -1) - err(1, "pledge"); - } else if (usetls) { - if (pledge("stdio rpath inet dns", NULL) == -1) - err(1, "pledge"); - } else if (pledge("stdio inet dns", NULL) == -1) - err(1, "pledge"); - /* Cruft to make sure options are clean, and used properly. */ if (argv[0] && !argv[1] && family == AF_UNIX) { host = argv[0]; uport = NULL; } else if (argv[0] && !argv[1]) { - if (!lflag) + if (!lflag) usage(1); uport = argv[0]; host = NULL; @@ -363,6 +364,50 @@ } else usage(1); + if (usetls) { + if (Cflag && unveil(Cflag, "r") == -1) + err(1, "unveil"); + if (unveil(Rflag, "r") == -1) + err(1, "unveil"); + if (Kflag && unveil(Kflag, "r") == -1) + err(1, "unveil"); + if (oflag && unveil(oflag, "r") == -1) + err(1, "unveil"); + } else { + if (family == AF_UNIX) { + if (unveil(host, "rwc") == -1) + err(1, "unveil"); + if (uflag && !lflag) { + if (unveil(sflag ? sflag : "/tmp", "rwc") == -1) + err(1, "unveil"); + } + } else { + if (unveil("/", "") == -1) + err(1, "unveil"); + } + } + + if (family == AF_UNIX) { + if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1) + err(1, "pledge"); + } else if (Fflag && Pflag) { + if (pledge("stdio inet dns sendfd tty", NULL) == -1) + err(1, "pledge"); + } else if (Fflag) { + if (pledge("stdio inet dns sendfd", NULL) == -1) + err(1, "pledge"); + } else if (Pflag && usetls) { + if (pledge("stdio rpath inet dns tty", NULL) == -1) + err(1, "pledge"); + } else if (Pflag) { + if (pledge("stdio inet dns tty", NULL) == -1) + err(1, "pledge"); + } else if (usetls) { + if (pledge("stdio rpath inet dns", NULL) == -1) + err(1, "pledge"); + } else if (pledge("stdio inet dns", NULL) == -1) + err(1, "pledge"); + if (lflag && sflag) errx(1, "cannot use -s and -l"); if (lflag && pflag) @@ -385,6 +430,8 @@ errx(1, "you must specify -c to use -C"); if (Kflag && !usetls) errx(1, "you must specify -c to use -K"); + if (Zflag && !usetls) + errx(1, "you must specify -c to use -Z"); if (oflag && !Cflag) errx(1, "you must specify -C to use -o"); if (tls_cachanged && !usetls) @@ -460,14 +507,6 @@ } if (usetls) { - if (Pflag) { - if (pledge("stdio inet dns tty rpath", NULL) == -1) - err(1, "pledge"); - } else if (pledge("stdio inet dns rpath", NULL) == -1) - err(1, "pledge"); - - if (tls_init() == -1) - errx(1, "unable to initialize TLS"); if ((tls_cfg = tls_config_new()) == NULL) errx(1, "unable to allocate TLS config"); if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1) @@ -478,20 +517,19 @@ errx(1, "%s", tls_config_error(tls_cfg)); if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1) errx(1, "%s", tls_config_error(tls_cfg)); - if (TLSopt & TLS_ALL) { - if (tls_config_set_protocols(tls_cfg, - TLS_PROTOCOLS_ALL) != 0) - errx(1, "%s", tls_config_error(tls_cfg)); - if (tls_config_set_ciphers(tls_cfg, "all") != 0) - errx(1, "%s", tls_config_error(tls_cfg)); - } + if (tls_config_parse_protocols(&protocols, tls_protocols) == -1) + errx(1, "invalid TLS protocols `%s'", tls_protocols); + if (tls_config_set_protocols(tls_cfg, protocols) == -1) + errx(1, "%s", tls_config_error(tls_cfg)); + if (tls_config_set_ciphers(tls_cfg, tls_ciphers) == -1) + errx(1, "%s", tls_config_error(tls_cfg)); if (!lflag && (TLSopt & TLS_CCERT)) errx(1, "clientcert is only valid with -l"); if (TLSopt & TLS_NONAME) tls_config_insecure_noverifyname(tls_cfg); if (TLSopt & TLS_NOVERIFY) { if (tls_expecthash != NULL) - errx(1, "-H and -T noverify may not be used" + errx(1, "-H and -T noverify may not be used " "together"); tls_config_insecure_noverifycert(tls_cfg); } @@ -505,8 +543,6 @@ err(1, "pledge"); } if (lflag) { - struct tls *tls_cctx = NULL; - int connfd; ret = 0; if (family == AF_UNIX) { @@ -526,29 +562,32 @@ } /* Allow only one connection at a time, but stay alive. */ for (;;) { - if (family != AF_UNIX) + if (family != AF_UNIX) { + if (s != -1) + close(s); s = local_listen(host, uport, hints); + } if (s < 0) err(1, NULL); - /* - * For UDP and -k, don't connect the socket, let it - * receive datagrams from multiple socket pairs. - */ - if (uflag && kflag) + if (uflag && kflag) { + /* + * For UDP and -k, don't connect the socket, + * let it receive datagrams from multiple + * socket pairs. + */ readwrite(s, NULL); - /* - * For UDP and not -k, we will use recvfrom() initially - * to wait for a caller, then use the regular functions - * to talk to the caller. - */ - else if (uflag && !kflag) { - int rv, plen; - char buf[16384]; + } else if (uflag && !kflag) { + /* + * For UDP and not -k, we will use recvfrom() + * initially to wait for a caller, then use + * the regular functions to talk to the caller. + */ + int rv; + char buf[2048]; struct sockaddr_storage z; len = sizeof(z); - plen = 2048; - rv = recvfrom(s, buf, plen, MSG_PEEK, + rv = recvfrom(s, buf, sizeof(buf), MSG_PEEK, (struct sockaddr *)&z, &len); if (rv < 0) err(1, "recvfrom"); @@ -562,6 +601,9 @@ readwrite(s, NULL); } else { + struct tls *tls_cctx = NULL; + int connfd; + len = sizeof(cliaddr); connfd = accept4(s, (struct sockaddr *)&cliaddr, &len, SOCK_NONBLOCK); @@ -577,16 +619,12 @@ readwrite(connfd, tls_cctx); if (!usetls) readwrite(connfd, NULL); - if (tls_cctx) { + if (tls_cctx) timeout_tls(s, tls_cctx, tls_close); - tls_free(tls_cctx); - tls_cctx = NULL; - } close(connfd); + tls_free(tls_cctx); } - if (family != AF_UNIX) - close(s); - else if (uflag) { + if (family == AF_UNIX && uflag) { if (connect(s, NULL, 0) < 0) err(1, "connect"); } @@ -606,7 +644,7 @@ if (uflag) unlink(unix_dg_tmp_socket); - exit(ret); + return ret; } else { int i = 0; @@ -618,6 +656,8 @@ for (s = -1, i = 0; portlist[i] != NULL; i++) { if (s != -1) close(s); + tls_free(tls_ctx); + tls_ctx = NULL; if (usetls) { if ((tls_ctx = tls_client()) == NULL) @@ -668,21 +708,18 @@ tls_setup_client(tls_ctx, s, host); if (!zflag) readwrite(s, tls_ctx); - if (tls_ctx) { + if (tls_ctx) timeout_tls(s, tls_ctx, tls_close); - tls_free(tls_ctx); - tls_ctx = NULL; - } } } } if (s != -1) close(s); - + tls_free(tls_ctx); tls_config_free(tls_cfg); - exit(ret); + return ret; } /* @@ -698,7 +735,7 @@ /* Create unix domain socket. */ if ((s = socket(AF_UNIX, flags | (uflag ? SOCK_DGRAM : SOCK_STREAM), 0)) < 0) - return (-1); + return -1; memset(&s_un, 0, sizeof(struct sockaddr_un)); s_un.sun_family = AF_UNIX; @@ -707,16 +744,17 @@ sizeof(s_un.sun_path)) { close(s); errno = ENAMETOOLONG; - return (-1); + return -1; } if (bind(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) { save_errno = errno; close(s); errno = save_errno; - return (-1); + return -1; } - return (s); + + return s; } int @@ -743,7 +781,7 @@ err(1, "poll failed"); } - return (ret); + return ret; } void @@ -762,10 +800,15 @@ errx(1, "tls handshake failed (%s)", errstr); } if (vflag) - report_tls(tls_ctx, host, tls_expectname); + report_tls(tls_ctx, host); if (tls_expecthash && tls_peer_cert_hash(tls_ctx) && strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0) errx(1, "peer certificate is not %s", tls_expecthash); + if (Zflag) { + save_peer_cert(tls_ctx, Zflag); + if (Zflag != stderr && (fclose(Zflag) != 0)) + err(1, "fclose failed saving peer cert"); + } } struct tls * @@ -784,7 +827,7 @@ int gotcert = tls_peer_cert_provided(tls_cctx); if (vflag && gotcert) - report_tls(tls_cctx, host, tls_expectname); + report_tls(tls_cctx, host); if ((TLSopt & TLS_CCERT) && !gotcert) warnx("No client certificate provided"); else if (gotcert && tls_peer_cert_hash(tls_ctx) && tls_expecthash && @@ -813,10 +856,10 @@ if (uflag) { if ((s = unix_bind(unix_dg_tmp_socket, SOCK_CLOEXEC)) < 0) - return (-1); + return -1; } else { if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) < 0) - return (-1); + return -1; } memset(&s_un, 0, sizeof(struct sockaddr_un)); @@ -826,15 +869,15 @@ sizeof(s_un.sun_path)) { close(s); errno = ENAMETOOLONG; - return (-1); + return -1; } if (connect(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) { save_errno = errno; close(s); errno = save_errno; - return (-1); + return -1; } - return (s); + return s; } @@ -847,13 +890,13 @@ { int s; if ((s = unix_bind(path, 0)) < 0) - return (-1); + return -1; if (listen(s, 5) < 0) { close(s); - return (-1); + return -1; } - return (s); + return s; } /* @@ -912,7 +955,7 @@ freeaddrinfo(res0); - return (s); + return s; } int @@ -940,7 +983,7 @@ err(1, "poll failed"); } - return (ret); + return ret; } /* @@ -949,7 +992,7 @@ * address. Returns -1 on failure. */ int -local_listen(char *host, char *port, struct addrinfo hints) +local_listen(const char *host, const char *port, struct addrinfo hints) { struct addrinfo *res, *res0; int s = -1, ret, x = 1, save_errno; @@ -996,7 +1039,7 @@ freeaddrinfo(res0); - return (s); + return s; } /* @@ -1150,6 +1193,12 @@ shutdown(pfd[POLL_NETIN].fd, SHUT_RD); pfd[POLL_NETIN].fd = -1; } + if (recvlimit > 0 && ++recvcount >= recvlimit) { + if (pfd[POLL_NETIN].fd != -1) + shutdown(pfd[POLL_NETIN].fd, SHUT_RD); + pfd[POLL_NETIN].fd = -1; + pfd[POLL_STDIN].fd = -1; + } /* read something - poll stdout */ if (netinbufpos > 0) pfd[POLL_STDOUT].events = POLLOUT; @@ -1417,7 +1466,7 @@ else ret = -1; } - return (ret); + return ret; } void @@ -1477,7 +1526,7 @@ } int -map_tos(char *s, int *val) +process_tos_opt(char *s, int *val) { /* DiffServ Codepoints and other TOS mappings */ const struct toskeywords { @@ -1517,39 +1566,71 @@ for (t = toskeywords; t->keyword != NULL; t++) { if (strcmp(s, t->keyword) == 0) { *val = t->val; - return (1); + return 1; } } - return (0); + return 0; } int -map_tls(char *s, int *val) +process_tls_opt(char *s, int *flags) { + size_t len; + char *v; + const struct tlskeywords { const char *keyword; - int val; + int flag; + char **value; } *t, tlskeywords[] = { - { "tlsall", TLS_ALL }, - { "noverify", TLS_NOVERIFY }, - { "noname", TLS_NONAME }, - { "clientcert", TLS_CCERT}, - { "muststaple", TLS_MUSTSTAPLE}, - { NULL, -1 }, + { "ciphers", -1, &tls_ciphers }, + { "clientcert", TLS_CCERT, NULL }, + { "muststaple", TLS_MUSTSTAPLE, NULL }, + { "noverify", TLS_NOVERIFY, NULL }, + { "noname", TLS_NONAME, NULL }, + { "protocols", -1, &tls_protocols }, + { NULL, -1, NULL }, }; + len = strlen(s); + if ((v = strchr(s, '=')) != NULL) { + len = v - s; + v++; + } + for (t = tlskeywords; t->keyword != NULL; t++) { - if (strcmp(s, t->keyword) == 0) { - *val |= t->val; - return (1); + if (strlen(t->keyword) == len && + strncmp(s, t->keyword, len) == 0) { + if (t->value != NULL) { + if (v == NULL) + errx(1, "invalid tls value `%s'", s); + *t->value = v; + } else { + *flags |= t->flag; + } + return 1; } } - return (0); + return 0; +} + +void +save_peer_cert(struct tls *tls_ctx, FILE *fp) +{ + const char *pem; + size_t plen; + + if ((pem = tls_peer_cert_chain_pem(tls_ctx, &plen)) == NULL) + errx(1, "Can't get peer certificate"); + if (fprintf(fp, "%.*s", (int)plen, pem) < 0) + err(1, "unable to save peer cert"); + if (fflush(fp) != 0) + err(1, "unable to flush peer cert"); } void -report_tls(struct tls * tls_ctx, char * host, char *tls_expectname) +report_tls(struct tls * tls_ctx, char * host) { time_t t; const char *ocsp_url; @@ -1675,9 +1756,11 @@ \t-u UDP mode\n\ \t-V rtable Specify alternate routing table\n\ \t-v Verbose\n\ + \t-W recvlimit Terminate after receiving a number of packets\n\ \t-w timeout Timeout for connects and final net reads\n\ \t-X proto Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\ \t-x addr[:port]\tSpecify proxy address and port\n\ + \t-Z Peer certificate file\n\ \t-z Zero-I/O mode [used for scanning]\n\ Port numbers can be individual or ranges: lo-hi [inclusive]\n"); exit(1); @@ -1692,9 +1775,11 @@ "\t [-i interval] [-K keyfile] [-M ttl] [-m minttl] [-O length]\n" "\t [-o staplefile] [-P proxy_username] [-p source_port] " "[-R CAfile]\n" - "\t [-s source] [-T keyword] [-V rtable] [-w timeout] " - "[-X proxy_protocol]\n" - "\t [-x proxy_address[:port]] [destination] [port]\n"); + "\t [-s source] [-T keyword] [-V rtable] [-W recvlimit] " + "[-w timeout]\n" + "\t [-X proxy_protocol] [-x proxy_address[:port]] " + "[-Z peercertfile]\n" + "\t [destination] [port]\n"); if (ret) exit(1); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/netcat-openbsd-1.178/socks.c new/netcat-openbsd-1.195/socks.c --- old/netcat-openbsd-1.178/socks.c 2017-06-09 18:11:34.000000000 +0200 +++ new/netcat-openbsd-1.195/socks.c 2018-10-21 12:34:47.000000000 +0200 @@ -1,4 +1,4 @@ -/* $OpenBSD: socks.c,v 1.24 2016/06/27 14:43:04 deraadt Exp $ */ +/* $OpenBSD: socks.c,v 1.25 2018/03/27 16:31:10 deraadt Exp $ */ /* * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. @@ -109,17 +109,16 @@ return (off); } -static const char * -getproxypass(const char *proxyuser, const char *proxyhost) +static void +getproxypass(const char *proxyuser, const char *proxyhost, + char *pw, size_t pwlen) { char prompt[512]; - static char pw[256]; snprintf(prompt, sizeof(prompt), "Proxy password for %s@%s: ", proxyuser, proxyhost); - if (readpassphrase(prompt, pw, sizeof(pw), RPP_REQUIRE_TTY) == NULL) + if (readpassphrase(prompt, pw, pwlen, RPP_REQUIRE_TTY) == NULL) errx(1, "Unable to read proxy passphrase"); - return (pw); } /* @@ -188,7 +187,6 @@ struct sockaddr_in *in4 = (struct sockaddr_in *)&addr; struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&addr; in_port_t serverport; - const char *proxypass = NULL; if (proxyport == NULL) proxyport = (socksv == -1) ? HTTP_PROXY_PORT : SOCKS_PORT; @@ -345,11 +343,14 @@ err(1, "write failed (%zu/%d)", cnt, r); if (authretry > 1) { + char proxypass[256]; char resp[1024]; - proxypass = getproxypass(proxyuser, proxyhost); + getproxypass(proxyuser, proxyhost, + proxypass, sizeof proxypass); r = snprintf(buf, sizeof(buf), "%s:%s", proxyuser, proxypass); + explicit_bzero(proxypass, sizeof proxypass); if (r == -1 || (size_t)r >= sizeof(buf) || b64_ntop(buf, strlen(buf), resp, sizeof(resp)) == -1) @@ -361,6 +362,8 @@ r = strlen(buf); if ((cnt = atomicio(vwrite, proxyfd, buf, r)) != r) err(1, "write failed (%zu/%d)", cnt, r); + explicit_bzero(proxypass, sizeof proxypass); + explicit_bzero(buf, sizeof buf); } /* Terminate headers */ ++++++ port-to-linux-with-libsd.patch ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.290027876 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.290027876 +0100 @@ -3,11 +3,11 @@ Subject: port to linux with libsd --- - Makefile | 15 +++++++- - nc.1 | 4 -- - netcat.c | 118 +++++++++++++++++++++++++++++++++++++++++++++++---------------- - socks.c | 46 ++++++++++++------------ - 4 files changed, 127 insertions(+), 56 deletions(-) + Makefile | 15 ++++++- + nc.1 | 3 - + netcat.c | 131 ++++++++++++++++++++++++++++++++++++++++++++++++--------------- + socks.c | 46 +++++++++++----------- + 4 files changed, 139 insertions(+), 56 deletions(-) --- a/Makefile +++ b/Makefile @@ -32,24 +32,23 @@ + rm -f $(OBJS) nc --- a/nc.1 +++ b/nc.1 -@@ -202,9 +202,6 @@ Proxy authentication is only supported f - Specifies the source port +@@ -213,8 +213,6 @@ Proxy authentication is only supported f + Specify the source port .Nm should use, subject to privilege restrictions and availability. --It is an error to use this option in conjunction with the --.Fl l --option. +-Cannot be used together with +-.Fl l . .It Fl R Ar CAfile - Specifies the filename from which the root CA bundle for certificate - verification is loaded, in PEM format. -@@ -249,6 +246,7 @@ For IPv4 TOS value + Load the root CA bundle for TLS certificate verification from + .Ar CAfile , +@@ -274,6 +272,7 @@ For the IPv4 TOS/IPv6 traffic class valu may be one of - .Ar critical , - .Ar inetcontrol , -+.Ar lowcost , - .Ar lowdelay , - .Ar netcontrol , - .Ar throughput , + .Cm critical , + .Cm inetcontrol , ++.Cm lowcost , + .Cm lowdelay , + .Cm netcontrol , + .Cm throughput , --- a/netcat.c +++ b/netcat.c @@ -32,6 +32,8 @@ @@ -113,14 +112,14 @@ #include <errno.h> @@ -55,6 +100,8 @@ #include <time.h> - #include <unistd.h> #include <tls.h> + #include <unistd.h> +#include <bsd/stdlib.h> +#include <bsd/string.h> + #include "atomicio.h" - #define PORT_MAX 65535 -@@ -260,10 +307,14 @@ main(int argc, char *argv[]) +@@ -268,10 +315,14 @@ main(int argc, char *argv[]) uflag = 1; break; case 'V': @@ -135,7 +134,7 @@ break; case 'v': vflag = 1; -@@ -301,7 +352,11 @@ main(int argc, char *argv[]) +@@ -320,7 +371,11 @@ main(int argc, char *argv[]) oflag = optarg; break; case 'S': @@ -147,7 +146,7 @@ break; case 'T': errstr = NULL; -@@ -326,32 +381,23 @@ main(int argc, char *argv[]) +@@ -345,14 +400,23 @@ main(int argc, char *argv[]) argc -= optind; argv += optind; @@ -155,24 +154,6 @@ if (rtableid >= 0) if (setrtable(rtableid) == -1) err(1, "setrtable"); -- -- if (family == AF_UNIX) { -- if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1) -- err(1, "pledge"); -- } else if (Fflag) { -- if (Pflag) { -- if (pledge("stdio inet dns sendfd tty", NULL) == -1) -- err(1, "pledge"); -- } else if (pledge("stdio inet dns sendfd", NULL) == -1) -- err(1, "pledge"); -- } else if (Pflag) { -- if (pledge("stdio inet dns tty", NULL) == -1) -- err(1, "pledge"); -- } else if (usetls) { -- if (pledge("stdio rpath inet dns", NULL) == -1) -- err(1, "pledge"); -- } else if (pledge("stdio inet dns", NULL) == -1) -- err(1, "pledge"); +# endif /* Cruft to make sure options are clean, and used properly. */ @@ -182,17 +163,38 @@ + } else if (!argv[0] && lflag) { + if (sflag) + errx(1, "cannot use -s and -l"); ++ if (pflag) ++ errx(1, "cannot use -p and -l"); + if (zflag) + errx(1, "cannot use -z and -l"); -+ if (pflag) -+ uport=pflag; } else if (argv[0] && !argv[1]) { - if (!lflag) + if (!lflag) usage(1); -@@ -363,12 +409,6 @@ main(int argc, char *argv[]) - } else - usage(1); +@@ -387,33 +451,6 @@ main(int argc, char *argv[]) + } + } +- if (family == AF_UNIX) { +- if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1) +- err(1, "pledge"); +- } else if (Fflag && Pflag) { +- if (pledge("stdio inet dns sendfd tty", NULL) == -1) +- err(1, "pledge"); +- } else if (Fflag) { +- if (pledge("stdio inet dns sendfd", NULL) == -1) +- err(1, "pledge"); +- } else if (Pflag && usetls) { +- if (pledge("stdio rpath inet dns tty", NULL) == -1) +- err(1, "pledge"); +- } else if (Pflag) { +- if (pledge("stdio inet dns tty", NULL) == -1) +- err(1, "pledge"); +- } else if (usetls) { +- if (pledge("stdio rpath inet dns", NULL) == -1) +- err(1, "pledge"); +- } else if (pledge("stdio inet dns", NULL) == -1) +- err(1, "pledge"); +- - if (lflag && sflag) - errx(1, "cannot use -s and -l"); - if (lflag && pflag) @@ -202,7 +204,7 @@ if (!lflag && kflag) errx(1, "must use -l with -k"); if (uflag && usetls) -@@ -401,8 +441,8 @@ main(int argc, char *argv[]) +@@ -448,8 +485,8 @@ main(int argc, char *argv[]) } else { strlcpy(unix_dg_tmp_socket_buf, "/tmp/nc.XXXXXXXXXX", UNIX_DG_TMP_SOCKET_SIZE); @@ -213,7 +215,7 @@ unix_dg_tmp_socket = unix_dg_tmp_socket_buf; } } -@@ -880,8 +920,10 @@ remote_connect(const char *host, const c +@@ -923,8 +960,10 @@ remote_connect(const char *host, const c if (sflag || pflag) { struct addrinfo ahints, *ares; @@ -224,7 +226,7 @@ memset(&ahints, 0, sizeof(struct addrinfo)); ahints.ai_family = res->ai_family; ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM; -@@ -973,9 +1015,15 @@ local_listen(char *host, char *port, str +@@ -1016,9 +1055,15 @@ local_listen(const char *host, const cha res->ai_protocol)) < 0) continue; @@ -240,7 +242,7 @@ set_common_sockopts(s, res->ai_family); -@@ -1425,11 +1473,13 @@ set_common_sockopts(int s, int af) +@@ -1474,11 +1519,13 @@ set_common_sockopts(int s, int af) { int x = 1; @@ -254,33 +256,57 @@ if (Dflag) { if (setsockopt(s, SOL_SOCKET, SO_DEBUG, &x, sizeof(x)) == -1) -@@ -1460,8 +1510,11 @@ set_common_sockopts(int s, int af) +@@ -1489,9 +1536,14 @@ set_common_sockopts(int s, int af) + IP_TOS, &Tflag, sizeof(Tflag)) == -1) + err(1, "set IP ToS"); + ++#if defined(IPV6_TCLASS) + else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, + IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1) + err(1, "set IPv6 traffic class"); ++#else ++ else if (af == AF_INET6) ++ errx(1, "can't set IPv6 traffic class (unavailable)"); ++#endif + } + if (Iflag) { + if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, +@@ -1509,19 +1561,34 @@ set_common_sockopts(int s, int af) IP_TTL, &ttl, sizeof(ttl))) err(1, "set IP TTL"); -- else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, -+ else +#if defined(IPV6_UNICAST_HOPS) -+ if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, + else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof(ttl))) -+#endif err(1, "set IPv6 unicast hops"); ++#else ++ else if (af == AF_INET6) ++ errx(1, "can't set IPv6 unicast hops (unavailable)"); ++#endif } -@@ -1470,8 +1523,11 @@ set_common_sockopts(int s, int af) + if (minttl != -1) { ++#if defined(IP_MINTTL) + if (af == AF_INET && setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl))) err(1, "set IP min TTL"); ++#else ++ if (af == AF_INET) ++ errx(1, "can't set IP min TTL (unavailable)"); ++#endif -- else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, -+ else +#if defined(IPV6_MINHOPCOUNT) -+ if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, + else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT, &minttl, sizeof(minttl))) -+#endif err(1, "set IPv6 min hop count"); ++#else ++ else if (af == AF_INET6) ++ errx(1, "can't set IPv6 min hop count (unavailable)"); ++#endif } } -@@ -1507,6 +1563,7 @@ map_tos(char *s, int *val) + +@@ -1556,6 +1623,7 @@ process_tos_opt(char *s, int *val) { "cs7", IPTOS_DSCP_CS7 }, { "ef", IPTOS_DSCP_EF }, { "inetcontrol", IPTOS_PREC_INTERNETCONTROL }, @@ -288,7 +314,7 @@ { "lowdelay", IPTOS_LOWDELAY }, { "netcontrol", IPTOS_PREC_NETCONTROL }, { "reliability", IPTOS_RELIABILITY }, -@@ -1640,6 +1697,9 @@ report_connect(const struct sockaddr *sa +@@ -1721,6 +1789,9 @@ report_connect(const struct sockaddr *sa void help(void) { @@ -298,8 +324,8 @@ usage(0); fprintf(stderr, "\tCommand Summary:\n\ \t-4 Use IPv4\n\ -@@ -1680,7 +1740,7 @@ help(void) - \t-x addr[:port]\tSpecify proxy address and port\n\ +@@ -1763,7 +1834,7 @@ help(void) + \t-Z Peer certificate file\n\ \t-z Zero-I/O mode [used for scanning]\n\ Port numbers can be individual or ranges: lo-hi [inclusive]\n"); - exit(1); @@ -318,7 +344,7 @@ #include "atomicio.h" #define SOCKS_PORT "1080" -@@ -219,11 +219,11 @@ socks_connect(const char *host, const ch +@@ -217,11 +217,11 @@ socks_connect(const char *host, const ch buf[2] = SOCKS_NOAUTH; cnt = atomicio(vwrite, proxyfd, buf, 3); if (cnt != 3) @@ -332,7 +358,7 @@ if (buf[1] == SOCKS_NOMETHOD) errx(1, "authentication method negotiation failed"); -@@ -272,11 +272,11 @@ socks_connect(const char *host, const ch +@@ -270,11 +270,11 @@ socks_connect(const char *host, const ch cnt = atomicio(vwrite, proxyfd, buf, wlen); if (cnt != wlen) @@ -346,7 +372,7 @@ if (buf[1] != 0) { errx(1, "connection failed, SOCKSv5 error: %s", socks5_strerror(buf[1])); -@@ -285,12 +285,12 @@ socks_connect(const char *host, const ch +@@ -283,12 +283,12 @@ socks_connect(const char *host, const ch case SOCKS_IPV4: cnt = atomicio(read, proxyfd, buf + 4, 6); if (cnt != 6) @@ -361,7 +387,7 @@ break; default: errx(1, "connection failed, unsupported address type"); -@@ -310,11 +310,11 @@ socks_connect(const char *host, const ch +@@ -308,11 +308,11 @@ socks_connect(const char *host, const ch cnt = atomicio(vwrite, proxyfd, buf, wlen); if (cnt != wlen) @@ -375,7 +401,7 @@ if (buf[1] != 90) { errx(1, "connection failed, SOCKSv4 error: %s", socks4_strerror(buf[1])); -@@ -328,39 +328,39 @@ socks_connect(const char *host, const ch +@@ -326,21 +326,21 @@ socks_connect(const char *host, const ch /* Try to be sane about numeric IPv6 addresses */ if (strchr(host, ':') != NULL) { @@ -400,12 +426,15 @@ + err(1, "write failed (%zu/%d)", (size_t)cnt, (int)r); if (authretry > 1) { - char resp[1024]; + char proxypass[256]; +@@ -348,20 +348,20 @@ socks_connect(const char *host, const ch - proxypass = getproxypass(proxyuser, proxyhost); + getproxypass(proxyuser, proxyhost, + proxypass, sizeof proxypass); - r = snprintf(buf, sizeof(buf), "%s:%s", + r = snprintf((char*)buf, sizeof(buf), "%s:%s", proxyuser, proxypass); + explicit_bzero(proxypass, sizeof proxypass); if (r == -1 || (size_t)r >= sizeof(buf) || - b64_ntop(buf, strlen(buf), resp, + b64_ntop(buf, strlen((char*)buf), resp, @@ -421,10 +450,10 @@ if ((cnt = atomicio(vwrite, proxyfd, buf, r)) != r) - err(1, "write failed (%zu/%d)", cnt, r); + err(1, "write failed (%zu/%d)", (size_t)cnt, r); + explicit_bzero(proxypass, sizeof proxypass); + explicit_bzero(buf, sizeof buf); } - - /* Terminate headers */ -@@ -368,22 +368,22 @@ socks_connect(const char *host, const ch +@@ -371,22 +371,22 @@ socks_connect(const char *host, const ch err(1, "write failed (%zu/2)", cnt); /* Read status reply */ ++++++ quit-timer.patch ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.298027866 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.298027866 +0100 @@ -17,8 +17,8 @@ .Op Fl s Ar source .Op Fl T Ar keyword .Op Fl V Ar rtable -@@ -173,6 +174,15 @@ Proxy authentication is only supported f - Specifies the source port +@@ -167,6 +168,15 @@ Proxy authentication is only supported f + Specify the source port .Nm should use, subject to privilege restrictions and availability. +.It Fl q Ar seconds @@ -31,7 +31,7 @@ +implies +.Fl N . .It Fl r - Specifies that source and/or destination ports should be chosen randomly + Choose source and/or destination ports randomly instead of sequentially within a range or in the order that the system --- a/netcat.c +++ b/netcat.c @@ -43,7 +43,7 @@ int rflag; /* Random ports flag */ char *sflag; /* Source Address */ int tflag; /* Telnet Emulation */ -@@ -218,6 +219,8 @@ ssize_t fillbuf(int, unsigned char *, si +@@ -224,6 +225,8 @@ ssize_t fillbuf(int, unsigned char *, si static int connect_with_timeout(int fd, const struct sockaddr *sa, socklen_t salen, int ctimeout); @@ -52,23 +52,23 @@ int main(int argc, char *argv[]) { -@@ -246,9 +249,9 @@ main(int argc, char *argv[]) +@@ -253,9 +256,9 @@ main(int argc, char *argv[]) while ((ch = getopt(argc, argv, # if defined(TLS) -- "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) { -+ "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vw:X:x:z")) != -1) { +- "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vW:w:X:x:Z:z")) ++ "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vW:w:X:x:Z:z")) # else -- "46CDdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vw:X:x:z")) != -1) { -+ "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vw:X:x:z")) != -1) { +- "46CDdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vW:w:X:x:z")) ++ "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vW:w:X:x:z")) # endif + != -1) { switch (ch) { - case '4': -@@ -339,6 +342,13 @@ main(int argc, char *argv[]) +@@ -347,6 +350,13 @@ main(int argc, char *argv[]) case 'p': pflag = optarg; break; -+ case 'q': ++ case 'q': + qflag = strtonum(optarg, INT_MIN, INT_MAX, &errstr); + if (errstr) + errx(1, "quit timer %s: %s", errstr, optarg); @@ -78,13 +78,13 @@ # if defined(TLS) case 'R': tls_cachanged = 1; -@@ -1253,15 +1263,27 @@ readwrite(int net_fd) +@@ -1297,15 +1307,27 @@ readwrite(int net_fd) while (1) { /* both inputs are gone, buffers are empty, we are done */ if (pfd[POLL_STDIN].fd == -1 && pfd[POLL_NETIN].fd == -1 && - stdinbufpos == 0 && netinbufpos == 0) - return; -+ stdinbufpos == 0 && netinbufpos == 0) { ++ stdinbufpos == 0 && netinbufpos == 0) { + if (qflag <= 0) + return; + goto delay_exit; @@ -96,7 +96,7 @@ + if (qflag <= 0) + return; + goto delay_exit; -+ } ++ } /* listen and net in gone, queues empty, done */ if (lflag && pfd[POLL_NETIN].fd == -1 && - stdinbufpos == 0 && netinbufpos == 0) @@ -108,11 +108,11 @@ + close(net_fd); + signal(SIGALRM, quit); + alarm(qflag); -+ } ++ } /* poll */ num_fds = poll(pfd, 4, timeout); -@@ -1936,6 +1958,7 @@ help(void) +@@ -2032,6 +2054,7 @@ help(void) \t-O length TCP send buffer length\n\ \t-P proxyuser\tUsername for proxy authentication\n\ \t-p port\t Specify local port for remote connects\n\ @@ -120,14 +120,15 @@ \t-r Randomize remote ports\n\ \t-S Enable the TCP MD5 signature option\n\ \t-s source Local source address\n\ -@@ -1959,9 +1982,18 @@ usage(int ret) +@@ -2056,10 +2079,19 @@ usage(int ret) fprintf(stderr, "usage: nc [-46CDdFhklNnrStUuvz] [-I length] [-i interval] [-M ttl]\n" "\t [-m minttl] [-O length] [-P proxy_username] [-p source_port]\n" -- "\t [-s source] [-T keyword] [-V rtable] [-w timeout] " -+ "\t [-q seconds] [-s source] [-T keyword] [-V rtable] [-w timeout] " - "[-X proxy_protocol]\n" - "\t [-x proxy_address[:port]] [destination] [port]\n"); +- "\t [-s source] [-T keyword] [-V rtable] [-W recvlimit] " ++ "\t [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] " + "[-w timeout]\n" + "\t [-X proxy_protocol] [-x proxy_address[:port]] " + "\t [destination] [port]\n"); if (ret) exit(1); } ++++++ send-crlf.patch ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.302027862 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.302027862 +0100 @@ -3,9 +3,9 @@ Subject: send crlf --- - nc.1 | 6 +++-- + nc.1 | 9 ++++++- netcat.c | 72 +++++++++++++++++++++++++++++++++++---------------------------- - 2 files changed, 45 insertions(+), 33 deletions(-) + 2 files changed, 48 insertions(+), 33 deletions(-) --- a/nc.1 +++ b/nc.1 @@ -18,16 +18,19 @@ .Op Fl I Ar length .Op Fl i Ar interval .Op Fl M Ar ttl -@@ -95,6 +95,8 @@ to use IPv4 addresses only. - Forces - .Nm - to use IPv6 addresses only. +@@ -92,6 +92,11 @@ The options are as follows: + Use IPv4 addresses only. + .It Fl 6 + Use IPv6 addresses only. +.It Fl C -+Send CRLF as line-ending. ++Send CRLF as line-ending. Each line feed (LF) character from the input ++data is translated into CR+LF before being written to the socket. Line ++feed characters that are already preceded with a carriage return (CR) ++are not translated. Received data is not affected. .It Fl D Enable debugging on the socket. .It Fl d -@@ -379,7 +381,7 @@ More complicated examples can be built u +@@ -377,7 +382,7 @@ More complicated examples can be built u of requests required by the server. As another example, an email may be submitted to an SMTP server using: .Bd -literal -offset indent @@ -38,16 +41,16 @@ RCPT TO:\*(ltus...@host.example.com\*(Gt --- a/netcat.c +++ b/netcat.c -@@ -163,6 +163,8 @@ int tls_cachanged; /* Using non-defau - int TLSopt; /* TLS options */ - char *tls_expectname; /* required name in peer cert */ - char *tls_expecthash; /* required hash of peer cert */ +@@ -166,6 +166,8 @@ char *tls_expecthash; /* required hash + char *tls_ciphers; /* TLS ciphers */ + char *tls_protocols; /* TLS protocols */ + FILE *Zflag; /* file to save peer cert */ +# else +int Cflag = 0; /* CRLF line-ending */ # endif - int timeout = -1; -@@ -209,7 +211,7 @@ ssize_t fillbuf(int, unsigned char *, si + int recvcount, recvlimit; +@@ -215,7 +217,7 @@ ssize_t fillbuf(int, unsigned char *, si void tls_setup_client(struct tls *, int, char *); struct tls *tls_setup_server(struct tls *, int, char *); # else @@ -56,16 +59,16 @@ ssize_t fillbuf(int, unsigned char *, size_t *); # endif -@@ -246,7 +248,7 @@ main(int argc, char *argv[]) +@@ -253,7 +255,7 @@ main(int argc, char *argv[]) # if defined(TLS) - "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) { + "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vW:w:X:x:Z:z")) # else -- "46DdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vw:X:x:z")) != -1) { -+ "46CDdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vw:X:x:z")) != -1) { +- "46DdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vW:w:X:x:z")) ++ "46CDdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vW:w:X:x:z")) # endif + != -1) { switch (ch) { - case '4': -@@ -275,6 +277,10 @@ main(int argc, char *argv[]) +@@ -283,6 +285,10 @@ main(int argc, char *argv[]) case 'c': usetls = 1; break; @@ -76,7 +79,7 @@ # endif case 'd': dflag = 1; -@@ -1257,12 +1263,6 @@ readwrite(int net_fd) +@@ -1301,12 +1307,6 @@ readwrite(int net_fd) stdinbufpos == 0 && netinbufpos == 0) return; @@ -89,7 +92,7 @@ /* poll */ num_fds = poll(pfd, 4, timeout); -@@ -1342,7 +1342,7 @@ readwrite(int net_fd) +@@ -1386,7 +1386,7 @@ readwrite(int net_fd) pfd[POLL_NETOUT].events = POLLOUT; else # else @@ -98,7 +101,7 @@ # endif if (ret == -1) pfd[POLL_NETOUT].fd = -1; -@@ -1395,7 +1395,7 @@ readwrite(int net_fd) +@@ -1445,7 +1445,7 @@ readwrite(int net_fd) pfd[POLL_STDOUT].events = POLLOUT; else # else @@ -107,7 +110,7 @@ # endif if (ret == -1) pfd[POLL_STDOUT].fd = -1; -@@ -1421,31 +1421,40 @@ readwrite(int net_fd) +@@ -1471,31 +1471,40 @@ readwrite(int net_fd) } ssize_t @@ -168,7 +171,7 @@ /* adjust buffer */ adjust = *bufpos - n; if (adjust > 0) -@@ -1911,6 +1920,7 @@ help(void) +@@ -2007,6 +2016,7 @@ help(void) fprintf(stderr, "\tCommand Summary:\n\ \t-4 Use IPv4\n\ \t-6 Use IPv6\n\ @@ -176,12 +179,12 @@ \t-D Enable the debug socket option\n\ \t-d Detach from stdin\n\ \t-F Pass socket fd\n\ -@@ -1947,7 +1957,7 @@ void +@@ -2044,7 +2054,7 @@ void usage(int ret) { fprintf(stderr, - "usage: nc [-46DdFhklNnrStUuvz] [-I length] [-i interval] [-M ttl]\n" + "usage: nc [-46CDdFhklNnrStUuvz] [-I length] [-i interval] [-M ttl]\n" "\t [-m minttl] [-O length] [-P proxy_username] [-p source_port]\n" - "\t [-s source] [-T keyword] [-V rtable] [-w timeout] " - "[-X proxy_protocol]\n" + "\t [-s source] [-T keyword] [-V rtable] [-W recvlimit] " + "[-w timeout]\n" ++++++ serialized-handling-multiple-clients.patch ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.310027853 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.310027853 +0100 @@ -3,75 +3,74 @@ Subject: serialized handling multiple clients --- - netcat.c | 41 ++++++++++++++++++++--------------------- - 1 file changed, 20 insertions(+), 21 deletions(-) + netcat.c | 44 +++++++++++++++++++++----------------------- + 1 file changed, 21 insertions(+), 23 deletions(-) --- a/netcat.c +++ b/netcat.c -@@ -664,7 +664,20 @@ main(int argc, char *argv[]) +@@ -705,6 +705,23 @@ main(int argc, char *argv[]) s = unix_bind(host, 0); else s = unix_listen(host); -- } + } else + s = local_listen(host, uport, hints); + if (s < 0) + err(1, NULL); + -+ char* local; -+ if (family == AF_INET6) -+ local = ":::"; -+ else -+ local = "0.0.0.0"; -+ fprintf(stderr, "Listening on [%s] (family %d, port %d)\n", -+ host ?: local, -+ family, -+ *uport); ++ if (vflag && (family != AF_UNIX)) { ++ char* local; ++ if (family == AF_INET) ++ local = "0.0.0.0"; ++ else if (family == AF_INET6) ++ local = "::"; ++ else ++ local = "unknown"; ++ fprintf(stderr, "Listening on [%s] (family %d, port %d)\n", ++ host ?: local, ++ family, ++ *uport); + } # if defined(TLS) - if (usetls) { -@@ -678,22 +691,7 @@ main(int argc, char *argv[]) +@@ -719,28 +736,6 @@ main(int argc, char *argv[]) # endif /* Allow only one connection at a time, but stay alive. */ for (;;) { -- if (family != AF_UNIX) +- if (family != AF_UNIX) { +- if (s != -1) +- close(s); - s = local_listen(host, uport, hints); +- } - if (s < 0) - err(1, NULL); - -- char* local; -- if (family == AF_INET6) -- local = "0.0.0.0"; -- else if (family == AF_INET) -- local = ":::"; -- else -- local = "unknown"; -- fprintf(stderr, "Listening on [%s] (family %d, port %d)\n", -- host ?: local, -- family, -- *uport); -+ - /* - * For UDP and -k, don't connect the socket, let it - * receive datagrams from multiple socket pairs. -@@ -760,15 +758,16 @@ main(int argc, char *argv[]) - # endif - close(connfd); - } -- if (family != AF_UNIX) -+ if (kflag) -+ continue; -+ if (family != AF_UNIX) { - close(s); -+ } - else if (uflag) { - if (connect(s, NULL, 0) < 0) +- if (vflag && (family != AF_UNIX)) { +- char* local; +- if (family == AF_INET) +- local = "0.0.0.0"; +- else if (family == AF_INET6) +- local = "::"; +- else +- local = "unknown"; +- fprintf(stderr, "Listening on [%s] (family %d, port %d)\n", +- host ?: local, +- family, +- *uport); +- } +- + if (uflag && kflag) { + /* + * For UDP and -k, don't connect the socket, +@@ -814,8 +809,11 @@ main(int argc, char *argv[]) err(1, "connect"); } -- + - if (!kflag) -- break; -+ break; ++ if (!kflag) { ++ if (s != -1) ++ close(s); + break; ++ } } } else if (family == AF_UNIX) { ret = 0; ++++++ set-TCP-MD5SIG-correctly-for-client-connections.patch ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.318027843 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.318027843 +0100 @@ -18,26 +18,26 @@ #ifndef IPTOS_LOWDELAY # define IPTOS_LOWDELAY 0x10 -@@ -172,6 +175,9 @@ char *tls_expecthash; /* required hash +@@ -176,6 +179,9 @@ FILE *Zflag; /* file to save peer ce int Cflag = 0; /* CRLF line-ending */ # endif +# if defined(TCP_MD5SIG) && defined(TCP_MD5SIG_MAXKEYLEN) +char Sflag_password[TCP_MD5SIG_MAXKEYLEN]; +# endif + int recvcount, recvlimit; int timeout = -1; int family = AF_UNSPEC; - char *portlist[PORT_MAX+1]; -@@ -200,7 +206,7 @@ int udptest(int); +@@ -206,7 +212,7 @@ int udptest(int); int unix_bind(char *, int); int unix_connect(char *); int unix_listen(char *); -void set_common_sockopts(int, int); +void set_common_sockopts(int, const struct sockaddr *); - int map_tos(char *, int *); + int process_tos_opt(char *, int *); # if defined(TLS) - int map_tls(char *, int *); -@@ -427,7 +433,10 @@ main(int argc, char *argv[]) + int process_tls_opt(char *, int *); +@@ -456,7 +462,10 @@ main(int argc, char *argv[]) break; # endif case 'S': @@ -49,7 +49,7 @@ Sflag = 1; # else errx(1, "no TCP MD5 signature support available"); -@@ -1120,7 +1129,7 @@ remote_connect(const char *host, const c +@@ -1171,7 +1180,7 @@ remote_connect(const char *host, const c freeaddrinfo(ares); } @@ -58,7 +58,7 @@ char *proto = proto_name(uflag, dccpflag); if ((error = connect_with_timeout(s, res->ai_addr, res->ai_addrlen, timeout)) == CONNECTION_SUCCESS) -@@ -1274,7 +1283,7 @@ local_listen(char *host, char *port, str +@@ -1325,7 +1334,7 @@ local_listen(const char *host, const cha err(1, NULL); # endif @@ -67,7 +67,7 @@ if (bind(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == 0) -@@ -1788,14 +1797,22 @@ udptest(int s) +@@ -1845,9 +1854,10 @@ udptest(int s) } void @@ -77,6 +77,12 @@ int x = 1; + int af = sa->sa_family; + # if defined(SO_BROADCAST) + if (bflag) { +@@ -1858,10 +1868,17 @@ set_common_sockopts(int s, int af) + err(1, NULL); + } + # endif -# if defined(TCP_MD5SIG) +# if defined(TCP_MD5SIG) && defined(TCP_MD5SIG_MAXKEYLEN) if (Sflag) { ++++++ udp-scan-timeout.patch ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.326027834 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.326027834 +0100 @@ -17,7 +17,7 @@ /* Command Line Options */ int dflag; /* detached, no stdin */ int Fflag; /* fdpass sock to stdout */ -@@ -774,7 +776,7 @@ main(int argc, char *argv[]) +@@ -815,7 +817,7 @@ main(int argc, char *argv[]) continue; ret = 0; @@ -26,7 +26,7 @@ /* For UDP, make sure we are connected. */ if (uflag) { if (udptest(s) == -1) { -@@ -1693,15 +1695,20 @@ build_ports(char *p) +@@ -1743,15 +1745,20 @@ build_ports(char *p) int udptest(int s) { @@ -49,7 +49,7 @@ + if ((write(s, "X", 1) != 1) && (errno == ECONNREFUSED)) + return -1; } -- return (ret); +- return ret; + return 1; } ++++++ use-flags-to-specify-listen-address.patch ++++++ From: Guilhem Moulin <guil...@debian.org> Date: Mon, 22 Oct 2018 04:50:54 +0200 Subject: use -s/-p flags to specify listen address --- nc.1 | 18 ++++++++++++++---- netcat.c | 49 +++++++++++++++++++++++++++++-------------------- 2 files changed, 43 insertions(+), 24 deletions(-) --- a/nc.1 +++ b/nc.1 @@ -143,8 +143,20 @@ multiple hosts. .It Fl l Listen for an incoming connection rather than initiating a connection to a remote host. -Cannot be used together with any of the options -.Fl psxz . +The +.Ar destination +and +.Ar port +to listen on can be specified either as non-optional arguments, or with +options +.Fl s +and +.Fl p +respectively. +Cannot be used together with +.Fl x +or +.Fl z . Additionally, any timeouts specified with the .Fl w option are ignored. @@ -194,8 +206,6 @@ For datagram sockets, specifies the local temporary socket file to create and use so that datagrams can be received. Cannot be used together with -.Fl l -or .Fl x . .It Fl T Ar keyword Change the IPv4 TOS/IPv6 traffic class value. --- a/netcat.c +++ b/netcat.c @@ -507,31 +507,40 @@ main(int argc, char *argv[]) # endif /* Cruft to make sure options are clean, and used properly. */ - if (argv[0] && !argv[1] && family == AF_UNIX) { -# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP) - if (dccpflag) - errx(1, "cannot use -Z and -U"); -# endif - host = argv[0]; - uport = NULL; - } else if (!argv[0] && lflag) { - if (sflag) - errx(1, "cannot use -s and -l"); - if (pflag) - errx(1, "cannot use -p and -l"); - if (zflag) - errx(1, "cannot use -z and -l"); - } else if (argv[0] && !argv[1]) { - if (!lflag) - usage(1); - uport = &argv[0]; - host = NULL; - } else if (argv[0] && argv[1]) { + if (argc == 0 && lflag) { + uport = &pflag; + host = sflag; + } else if (argc == 1 && !pflag && !sflag) { + if (family == AF_UNIX) { + host = argv[0]; + uport = NULL; + } else if (lflag) { + host = NULL; + uport = argv; + } + } else if (argc >= 2) { + if (lflag && (pflag || sflag || argc > 2)) + usage(1); /* conflict */ host = argv[0]; uport = &argv[1]; } else usage(1); + if (family == AF_UNIX) { +# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP) + if (dccpflag) + errx(1, "cannot use -Z and -U"); +# endif + if (uport && *uport) + errx(1, "cannot use port with -U"); + if (!host) + errx(1, "missing socket pathname"); + } else if (!uport || !*uport) + errx(1, "missing port number"); + + if (lflag && zflag) + errx(1, "cannot use -z and -l"); + # if defined(TLS) if (usetls) { if (Cflag && unveil(Cflag, "r") == -1) ++++++ verbose-numeric-port.patch ++++++ --- /var/tmp/diff_new_pack.ktHEpk/_old 2018-11-26 10:16:06.338027820 +0100 +++ /var/tmp/diff_new_pack.ktHEpk/_new 2018-11-26 10:16:06.338027820 +0100 @@ -3,8 +3,8 @@ Subject: verbose numeric port --- - netcat.c | 19 ++++++++++++++++--- - 1 file changed, 16 insertions(+), 3 deletions(-) + netcat.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) --- a/netcat.c +++ b/netcat.c @@ -16,33 +16,37 @@ #ifdef __linux__ # include <linux/in6.h> #endif -@@ -651,6 +652,18 @@ main(int argc, char *argv[]) - s = local_listen(host, uport, hints); +@@ -689,6 +690,21 @@ main(int argc, char *argv[]) + } if (s < 0) err(1, NULL); + -+ char* local; -+ if (family == AF_INET6) -+ local = "0.0.0.0"; -+ else if (family == AF_INET) -+ local = ":::"; -+ else -+ local = "unknown"; -+ fprintf(stderr, "Listening on [%s] (family %d, port %d)\n", -+ host ?: local, -+ family, -+ *uport); - /* - * For UDP and -k, don't connect the socket, let it - * receive datagrams from multiple socket pairs. -@@ -671,14 +684,14 @@ main(int argc, char *argv[]) - char buf[16384]; - struct sockaddr_storage z; ++ if (vflag && (family != AF_UNIX)) { ++ char* local; ++ if (family == AF_INET) ++ local = "0.0.0.0"; ++ else if (family == AF_INET6) ++ local = "::"; ++ else ++ local = "unknown"; ++ fprintf(stderr, "Listening on [%s] (family %d, port %d)\n", ++ host ?: local, ++ family, ++ *uport); ++ } ++ + if (uflag && kflag) { + /* + * For UDP and -k, don't connect the socket, +@@ -708,20 +724,19 @@ main(int argc, char *argv[]) + */ + int rv; + char buf[2048]; +- struct sockaddr_storage z; - len = sizeof(z); + len = sizeof(cliaddr); - plen = 2048; - rv = recvfrom(s, buf, plen, MSG_PEEK, + rv = recvfrom(s, buf, sizeof(buf), MSG_PEEK, - (struct sockaddr *)&z, &len); + (struct sockaddr *)&cliaddr, &len); if (rv < 0) @@ -53,3 +57,9 @@ if (rv < 0) err(1, "connect"); + if (vflag) +- report_connect((struct sockaddr *)&z, len, NULL); ++ report_connect((struct sockaddr *)&cliaddr, len, NULL); + + # if defined(TLS) + readwrite(s, NULL);
