From: Dag-Erling Smørgrav
Date: Fri, 10 May 2019 17:31:32 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r347454 - vendor/netcat/dist

Author: des
Date: Fri May 10 17:31:31 2019
New Revision: 347454
URL: https://svnweb.freebsd.org/changeset/base/347454

Log:
  Import netcat from OpenBSD 6.4.

Modified:
  vendor/netcat/dist/nc.1
  vendor/netcat/dist/netcat.c
  vendor/netcat/dist/socks.c

Modified: vendor/netcat/dist/nc.1 ============================================================================== --- vendor/netcat/dist/nc.1 Fri May 10 17:29:49 2019 (r347453) +++ vendor/netcat/dist/nc.1 Fri May 10 17:31:31 2019 (r347454) @@ -1,4 +1,4 @@ -.\" $OpenBSD: nc.1,v 1.88 2017/11/28 16:59:10 jsing Exp $ +.\" $OpenBSD: nc.1,v 1.91 2018/09/25 20:05:07 jmc Exp $ .\" .\" Copyright (c) 1996 David Sacerdote .\" All rights reserved. @@ -25,7 +25,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 28 2017 $ +.Dd $Mdocdate: September 25 2018 $ .Dt NC 1 .Os .Sh NAME
@@ -96,27 +96,31 @@ and much, much more The options are as follows: .Bl -tag -width Ds .It Fl 4 -Forces -.Nm -to use IPv4 addresses only. +Use IPv4 addresses only. .It Fl 6 -Forces -.Nm -to use IPv6 addresses only. +Use IPv6 addresses only. .It Fl C Ar certfile -Specifies the filename from which the public key part of the TLS -certificate is loaded, in PEM format. -May only be used with TLS. +Load the public key part of the TLS peer certificate from +.Ar certfile , +in PEM format. +Requires +.Fl c . .It Fl c -If using a TCP socket to connect or listen, use TLS. -Illegal if not using TCP sockets. +Use TLS to connect or listen. +Cannot be used together with any of the options +.Fl FuU . .It Fl D Enable debugging on the socket. .It Fl d Do not attempt to read from stdin. .It Fl e Ar name -Specify the name that must be present in the peer certificate when using TLS. -Illegal if not using TLS. +Only accept the TLS peer certificate if it contains the +.Ar name . +Requires +.Fl c . +If not specified, +.Ar destination +is used. .It Fl F Pass the first connected socket using .Xr sendmsg 2 
@@ -132,47 +136,49 @@ using the .Xr ssh_config 5 .Cm ProxyUseFdpass option). +Cannot be used with +.Fl c +or +.Fl U . .It Fl H Ar hash -Specifies the required hash string of the peer certificate when using TLS. -The string format required is that used by -.Xr tls_peer_cert_hash 3 . -Illegal if not using TLS, and may not be used with -T noverify. +Only accept the TLS peer certificate if its hash returned from +.Xr tls_peer_cert_hash 3 +matches +.Ar hash . +Requires +.Fl c +and cannot be used with +.Fl T Cm noverify . .It Fl h -Prints out +Print out the .Nm -help. +help text and exit. .It Fl I Ar length -Specifies the size of the TCP receive buffer. +Specify the size of the TCP receive buffer. .It Fl i Ar interval -Specifies a delay time interval between lines of text sent and received. +Sleep for +.Ar interval +seconds between lines of text sent and received. Also causes a delay time between connections to multiple ports. .It Fl K Ar keyfile -Specifies the filename from which the private key -is loaded in PEM format. -May only be used with TLS. +Load the TLS private key from +.Ar keyfile , +in PEM format. +Requires +.Fl c . .It Fl k -Forces -.Nm -to stay listening for another connection after its current connection -is completed. -It is an error to use this option without the -.Fl l -option. +When a connection is completed, listen for another one. +Requires +.Fl l . When used together with the .Fl u option, the server socket is not connected and it can receive UDP datagrams from multiple hosts. .It Fl l -Used to specify that -.Nm -should listen for an incoming connection rather than initiate a +Listen for an incoming connection rather than initiating a connection to a remote host. -It is an error to use this option in conjunction with the -.Fl p , -.Fl s , -or -.Fl z -options. +Cannot be used together with any of the options +.Fl psxz . Additionally, any timeouts specified with the .Fl w option are ignored. 
@@ -189,97 +195,111 @@ Some servers require this to finish their work. Do not do any DNS or service lookups on any specified addresses, hostnames or ports. .It Fl O Ar length -Specifies the size of the TCP send buffer. +Specify the size of the TCP send buffer. .It Fl o Ar staplefile -Specifies the filename from which to load data to be stapled -during the TLS handshake. -The file is expected to contain an OCSP response from an OCSP server in +During the TLS handshake, load data to be stapled from +.Ar staplefile , +which is expected to contain an OCSP response from an OCSP server in DER format. -May only be used with TLS and when a certificate is being used. +Requires +.Fl c +and +.Fl C . .It Fl P Ar proxy_username Specifies a username to present to a proxy server that requires authentication. If no username is specified then authentication will not be attempted. Proxy authentication is only supported for HTTP CONNECT proxies at present. .It Fl p Ar source_port -Specifies the source port +Specify the source port .Nm should use, subject to privilege restrictions and availability. -It is an error to use this option in conjunction with the -.Fl l -option. +Cannot be used together with +.Fl l . .It Fl R Ar CAfile -Specifies the filename from which the root CA bundle for certificate -verification is loaded, in PEM format. -Illegal if not using TLS. -The default is +Load the root CA bundle for TLS certificate verification from +.Ar CAfile , +in PEM format, instead of .Pa /etc/ssl/cert.pem . +Requires +.Fl c . .It Fl r -Specifies that source and/or destination ports should be chosen randomly +Choose source and/or destination ports randomly instead of sequentially within a range or in the order that the system assigns them. .It Fl S -Enables the RFC 2385 TCP MD5 signature option. +Enable the RFC 2385 TCP MD5 signature option. .It Fl s Ar source -Specifies the IP of the interface which is used to send the packets. 
+Send packets from the interface with the +.Ar source +IP address. For .Ux Ns -domain datagram sockets, specifies the local temporary socket file to create and use so that datagrams can be received. -It is an error to use this option in conjunction with the +Cannot be used together with .Fl l -option. +or +.Fl x . .It Fl T Ar keyword -Change IPv4 TOS value or TLS options. -For TLS options +Change the IPv4 TOS/IPv6 traffic class value or the TLS options. +.Pp +For TLS options, .Ar keyword may be one of: -.Ar noverify , +.Cm noverify , which disables certificate verification; -.Ar noname , +.Cm noname , which disables certificate name checking; -.Ar clientcert , +.Cm clientcert , which requires a client certificate on incoming connections; or -.Ar muststaple , +.Cm muststaple , which requires the peer to provide a valid stapled OCSP response with the handshake. -The following TLS options specify a value in the form of a key=value pair: -.Ar ciphers , +The following TLS options specify a value in the form of a +.Ar key Ns = Ns Ar value +pair: +.Cm ciphers , which allows the supported TLS ciphers to be specified (see .Xr tls_config_set_ciphers 3 for further details); -.Ar protocols , +.Cm protocols , which allows the supported TLS protocols to be specified (see .Xr tls_config_parse_protocols 3 for further details). -It is illegal to specify TLS options if not using TLS. +Specifying TLS options requires +.Fl c . .Pp -For IPv4 TOS value +For the IPv4 TOS/IPv6 traffic class value, .Ar keyword may be one of -.Ar critical , -.Ar inetcontrol , -.Ar lowdelay , -.Ar netcontrol , -.Ar throughput , -.Ar reliability , +.Cm critical , +.Cm inetcontrol , +.Cm lowdelay , +.Cm netcontrol , +.Cm throughput , +.Cm reliability , or one of the DiffServ Code Points: -.Ar ef , -.Ar af11 ... af43 , -.Ar cs0 ... cs7 ; +.Cm ef , +.Cm af11 No ... Cm af43 , +.Cm cs0 No ... Cm cs7 ; or a number in either hex or decimal. 
.It Fl t -Causes -.Nm -to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests. +Send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests. This makes it possible to use .Nm to script telnet sessions. .It Fl U -Specifies to use +Use .Ux Ns -domain sockets. +Cannot be used together with any of the options +.Fl cFx . .It Fl u -Use UDP instead of the default option of TCP. +Use UDP instead of TCP. +Cannot be used together with +.Fl c +or +.Fl x . For .Ux Ns -domain sockets, use a datagram socket instead of a stream socket. @@ -293,9 +313,7 @@ flag is given. .It Fl V Ar rtable Set the routing table to be used. .It Fl v -Have -.Nm -give more verbose output. +Produce more verbose output. .It Fl W Ar recvlimit Terminate after receiving .Ar recvlimit @@ -315,22 +333,20 @@ will listen forever for a connection, with or without flag. The default is no timeout. .It Fl X Ar proxy_protocol -Requests that -.Nm -should use the specified protocol when talking to the proxy server. +Use +.Ar proxy_protocol +when talking to the proxy server. Supported protocols are -.Dq 4 +.Cm 4 (SOCKS v.4), -.Dq 5 +.Cm 5 (SOCKS v.5) and -.Dq connect +.Cm connect (HTTPS proxy). If the protocol is not specified, SOCKS version 5 is used. .It Fl x Ar proxy_address Ns Op : Ns Ar port -Requests that -.Nm -should connect to +Connect to .Ar destination using a proxy at .Ar proxy_address 
@@ -343,17 +359,18 @@ for SOCKS, 3128 for HTTPS). An IPv6 address can be specified unambiguously by enclosing .Ar proxy_address in square brackets. +A proxy cannot be used with any of the options +.Fl lsuU . .It Fl Z Ar peercertfile -Specifies the filename in which the peer supplied certificates will be saved +Save the peer certificates to +.Ar peercertfile , in PEM format. -May only be used with TLS. +Requires +.Fl c . .It Fl z -Specifies that -.Nm -should just scan for listening daemons, without sending any data to them. -It is an error to use this option in conjunction with the -.Fl l -option. +Only scan for listening daemons, without sending any data to them. +Cannot be used together with +.Fl l . .El .Pp .Ar destination @@ -375,7 +392,8 @@ option is given). .Pp .Ar port can be a specified as a numeric port number, or as a service name. -Ports may be specified in a range of the form nn-mm. +Ports may be specified in a range of the form +.Ar nn Ns - Ns Ar mm . In general, a destination port must be specified, unless the @@ -548,8 +566,8 @@ if the proxy requires it: .Xr cat 1 , .Xr ssh 1 .Sh AUTHORS -Original implementation by *Hobbit* -.Aq Mt hobbit@avian.org . +Original implementation by +.An *Hobbit* Aq Mt hobbit@avian.org . .br Rewritten with IPv6 support by .An Eric Jackson Aq Mt ericj@monkey.org . Modified: vendor/netcat/dist/netcat.c ============================================================================== --- vendor/netcat/dist/netcat.c Fri May 10 17:29:49 2019 (r347453) +++ vendor/netcat/dist/netcat.c Fri May 10 17:31:31 2019 (r347454) @@ -1,4 +1,4 @@ -/* $OpenBSD: netcat.c,v 1.190 2018/03/19 16:35:29 jsing Exp $ */ +/* $OpenBSD: netcat.c,v 1.195 2018/10/04 17:04:50 bluhm Exp $ */ /* * Copyright (c) 2001 Eric Jackson * Copyright (c) 2015 Bob Beck. All rights reserved. 
@@ -122,7 +122,7 @@ void atelnet(int, unsigned char *, unsigned int); int strtoport(char *portstr, int udp); void build_ports(char *); void help(void) __attribute__((noreturn)); -int local_listen(char *, char *, struct addrinfo); +int local_listen(const char *, const char *, struct addrinfo); void readwrite(int, struct tls *); void fdpass(int nfd) __attribute__((noreturn)); int remote_connect(const char *, const char *, struct addrinfo); @@ -349,13 +349,51 @@ main(int argc, char *argv[]) if (setrtable(rtableid) == -1) err(1, "setrtable"); + /* Cruft to make sure options are clean, and used properly. */ + if (argv[0] && !argv[1] && family == AF_UNIX) { + host = argv[0]; + uport = NULL; + } else if (argv[0] && !argv[1]) { + if (!lflag) + usage(1); + uport = argv[0]; + host = NULL; + } else if (argv[0] && argv[1]) { + host = argv[0]; + uport = argv[1]; + } else + usage(1); + + if (usetls) { + if (Cflag && unveil(Cflag, "r") == -1) + err(1, "unveil"); + if (unveil(Rflag, "r") == -1) + err(1, "unveil"); + if (Kflag && unveil(Kflag, "r") == -1) + err(1, "unveil"); + if (oflag && unveil(oflag, "r") == -1) + err(1, "unveil"); + } else { + if (family == AF_UNIX) { + if (unveil(host, "rwc") == -1) + err(1, "unveil"); + if (uflag && !lflag) { + if (unveil(sflag ? sflag : "/tmp", "rwc") == -1) + err(1, "unveil"); + } + } else { + if (unveil("/", "") == -1) + err(1, "unveil"); + } + } + if (family == AF_UNIX) { if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1) err(1, "pledge"); } else if (Fflag && Pflag) { if (pledge("stdio inet dns sendfd tty", NULL) == -1) err(1, "pledge"); - } else if (Fflag) { + } else if (Fflag) { if (pledge("stdio inet dns sendfd", NULL) == -1) err(1, "pledge"); } else if (Pflag && usetls) { 
@@ -370,21 +408,6 @@ main(int argc, char *argv[]) } else if (pledge("stdio inet dns", NULL) == -1) err(1, "pledge"); - /* Cruft to make sure options are clean, and used properly. */ - if (argv[0] && !argv[1] && family == AF_UNIX) { - host = argv[0]; - uport = NULL; - } else if (argv[0] && !argv[1]) { - if (!lflag) - usage(1); - uport = argv[0]; - host = NULL; - } else if (argv[0] && argv[1]) { - host = argv[0]; - uport = argv[1]; - } else - usage(1); - if (lflag && sflag) errx(1, "cannot use -s and -l"); if (lflag && pflag) @@ -520,8 +543,6 @@ main(int argc, char *argv[]) err(1, "pledge"); } if (lflag) { - struct tls *tls_cctx = NULL; - int connfd; ret = 0; if (family == AF_UNIX) { @@ -541,8 +562,11 @@ main(int argc, char *argv[]) } /* Allow only one connection at a time, but stay alive. */ for (;;) { - if (family != AF_UNIX) + if (family != AF_UNIX) { + if (s != -1) + close(s); s = local_listen(host, uport, hints); + } if (s < 0) err(1, NULL); if (uflag && kflag) { @@ -577,6 +601,9 @@ main(int argc, char *argv[]) readwrite(s, NULL); } else { + struct tls *tls_cctx = NULL; + int connfd; + len = sizeof(cliaddr); connfd = accept4(s, (struct sockaddr *)&cliaddr, &len, SOCK_NONBLOCK); @@ -592,16 +619,12 @@ main(int argc, char *argv[]) readwrite(connfd, tls_cctx); if (!usetls) readwrite(connfd, NULL); - if (tls_cctx) { + if (tls_cctx) timeout_tls(s, tls_cctx, tls_close); - tls_free(tls_cctx); - tls_cctx = NULL; - } close(connfd); + tls_free(tls_cctx); } - if (family != AF_UNIX) - close(s); - else if (uflag) { + if (family == AF_UNIX && uflag) { if (connect(s, NULL, 0) < 0) err(1, "connect"); } @@ -633,6 +656,8 @@ main(int argc, char *argv[]) for (s = -1, i = 0; portlist[i] != NULL; i++) { if (s != -1) close(s); + tls_free(tls_ctx); + tls_ctx = NULL; if (usetls) { if ((tls_ctx = tls_client()) == NULL) 
@@ -683,18 +708,15 @@ main(int argc, char *argv[]) tls_setup_client(tls_ctx, s, host); if (!zflag) readwrite(s, tls_ctx); - if (tls_ctx) { + if (tls_ctx) timeout_tls(s, tls_ctx, tls_close); - tls_free(tls_ctx); - tls_ctx = NULL; - } } } } if (s != -1) close(s); - + tls_free(tls_ctx); tls_config_free(tls_cfg); return ret; @@ -970,7 +992,7 @@ timeout_connect(int s, const struct sockaddr *name, so * address. Returns -1 on failure. */ int -local_listen(char *host, char *port, struct addrinfo hints) +local_listen(const char *host, const char *port, struct addrinfo hints) { struct addrinfo *res, *res0; int s = -1, ret, x = 1, save_errno; Modified: vendor/netcat/dist/socks.c ============================================================================== --- vendor/netcat/dist/socks.c Fri May 10 17:29:49 2019 (r347453) +++ vendor/netcat/dist/socks.c Fri May 10 17:31:31 2019 (r347454) @@ -1,4 +1,4 @@ -/* $OpenBSD: socks.c,v 1.24 2016/06/27 14:43:04 deraadt Exp $ */ +/* $OpenBSD: socks.c,v 1.25 2018/03/27 16:31:10 deraadt Exp $ */ /* * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. @@ -109,17 +109,16 @@ proxy_read_line(int fd, char *buf, size_t bufsz) return (off); } -static const char * -getproxypass(const char *proxyuser, const char *proxyhost) +static void +getproxypass(const char *proxyuser, const char *proxyhost, + char *pw, size_t pwlen) { char prompt[512]; - static char pw[256]; snprintf(prompt, sizeof(prompt), "Proxy password for %s@%s: ", proxyuser, proxyhost); - if (readpassphrase(prompt, pw, sizeof(pw), RPP_REQUIRE_TTY) == NULL) + if (readpassphrase(prompt, pw, pwlen, RPP_REQUIRE_TTY) == NULL) errx(1, "Unable to read proxy passphrase"); - return (pw); } /* 
@@ -188,7 +187,6 @@ socks_connect(const char *host, const char *port, struct sockaddr_in *in4 = (struct sockaddr_in *)&addr; struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&addr; in_port_t serverport; - const char *proxypass = NULL; if (proxyport == NULL) proxyport = (socksv == -1) ? HTTP_PROXY_PORT : SOCKS_PORT; @@ -345,11 +343,14 @@ socks_connect(const char *host, const char *port, err(1, "write failed (%zu/%d)", cnt, r); if (authretry > 1) { + char proxypass[256]; char resp[1024]; - proxypass = getproxypass(proxyuser, proxyhost); + getproxypass(proxyuser, proxyhost, + proxypass, sizeof proxypass); r = snprintf(buf, sizeof(buf), "%s:%s", proxyuser, proxypass); + explicit_bzero(proxypass, sizeof proxypass); if (r == -1 || (size_t)r >= sizeof(buf) || b64_ntop(buf, strlen(buf), resp, sizeof(resp)) == -1) @@ -361,6 +362,8 @@ socks_connect(const char *host, const char *port, r = strlen(buf); if ((cnt = atomicio(vwrite, proxyfd, buf, r)) != r) err(1, "write failed (%zu/%d)", cnt, r); + explicit_bzero(proxypass, sizeof proxypass); + explicit_bzero(buf, sizeof buf); } /* Terminate headers */
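Review bot: in the nc.1 hunk at @@ -96,27 +96,31 @@, the new text for -C, "Load the public key part of the TLS peer certificate from certfile", describes the wrong side of the connection. -C is the certificate nc itself presents: the same page pairs it with -K (the private key) and makes -o, which staples an OCSP response for one's own certificate, require -C, whereas -e, -H and -Z use "peer certificate" for the remote end's certificate. As written, -C reads like a pinning option. Suggest "Load the public key part of the TLS certificate presented to the peer from certfile, in PEM format."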
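Review bot: the usetls branch in the netcat.c hunk at @@ -349,13 +349,51 @@ unveils Cflag, Rflag, Kflag and oflag read-only but not the file named by -Z, which the nc.1 hunk in this same commit documents as "Save the peer certificates to peercertfile" and "Requires -c". After the first successful unveil() every path that has not been unveiled is hidden from the process, so if that file is opened after this block the open fails with ENOENT. Either open it before the unveil calls or add, next to the oflag line and assuming the option is stored as Zflag like the others, `if (Zflag && unveil(Zflag, "rwc") == -1) err(1, "unveil");`. Separately, `unveil(Rflag, "r")` is the only call in the branch without a NULL guard; it depends on Rflag defaulting to /etc/ssl/cert.pem as the man page states, and a one-line comment there would make that dependency explicit to the next reader.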
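Review bot: the new `if (s != -1) close(s);` at the top of the for (;;) loop in the netcat.c hunk at @@ -541,8 +562,11 @@ is only safe if s is -1 on the first pass for non-AF_UNIX families. The connect path in the @@ -633,6 +656,8 @@ hunk resets it explicitly with `for (s = -1, i = 0; ...)`, but nothing in the listen path does; if s is not initialised to -1 at its declaration, the first iteration closes a stray descriptor. Please confirm the declaration or add `s = -1;` before the loop. The rest of the hunk is sound: the listening socket is now closed only when it is about to be re-created, and the final `if (s != -1) close(s);` after the loop covers the last one, which the removed `if (family != AF_UNIX) close(s);` used to do on every iteration.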
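Review bot: in the netcat.c hunk at @@ -592,16 +619,12 @@, the retained call `timeout_tls(s, tls_cctx, tls_close);` hands the listening socket s to the shutdown helper while tls_cctx belongs to the accepted connection connfd (see `readwrite(connfd, tls_cctx);` two lines above). Unless timeout_tls ignores its descriptor argument, any poll() it performs while tls_close returns TLS_WANT_POLLIN or TLS_WANT_POLLOUT watches the wrong socket, so a close_notify that cannot complete immediately will spin or time out instead of finishing. The line is unchanged context, but since the hunk reshapes this block it is the moment to make it `timeout_tls(connfd, tls_cctx, tls_close);`. Moving tls_free(tls_cctx) after close(connfd) and calling it unconditionally is fine for the plain-TCP case, where tls_cctx stays NULL: libtls tls_free() returns early on a NULL context.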
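Review bot: in the socks.c hunks at @@ -345,11 +343,14 @@ and @@ -361,6 +362,8 @@, the base64 copy of the credentials survives: `b64_ntop(buf, strlen(buf), resp, sizeof(resp))` writes user:password into resp (base64 is a reversible encoding, not a hash), and resp is never cleared although buf and proxypass now are. Add `explicit_bzero(resp, sizeof resp);` beside the new `explicit_bzero(buf, sizeof buf);`. The second `explicit_bzero(proxypass, sizeof proxypass);` after the write is redundant, since proxypass was already wiped right after the snprintf into buf, which is its last use; one call suffices. Note also that buf is wiped only on the success path; on the `r == -1 || (size_t)r >= sizeof(buf)` branch it still holds the plaintext when errx() runs, which is tolerable only because the process exits there.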