author | Markus Friedl <markus@cvs.openbsd.org> | 2004-01-22 13:28:47 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2004-01-22 13:28:47 +0000 |
commit | dcc3bd094e1969c3b0801a7baba10d465c7af82a (patch) | |
tree | 5767067ea785ceb4836637dbdfa24e9ffffac0f8 /usr.bin/nc | |
parent | d3dd8ec82e10166fb6a301c4a0e25061785a0c6f (diff) |
-S enables tcp md5 signature option; ok deraadt@, mcbride@
Diffstat (limited to 'usr.bin/nc')
-rw-r--r-- | usr.bin/nc/nc.1 | 6 | ||||
-rw-r--r-- | usr.bin/nc/netcat.c | 25 |
2 files changed, 25 insertions, 6 deletions
diff --git a/usr.bin/nc/nc.1 b/usr.bin/nc/nc.1
index 29f506945cd..5bf4480433f 100644
--- a/usr.bin/nc/nc.1
+++ b/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.26 2003/09/05 16:54:07 jmc Exp $
+.\" $OpenBSD: nc.1,v 1.27 2004/01/22 13:28:46 markus Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -33,7 +33,7 @@
 .Nd "arbitrary TCP and UDP connections and listens"
 .Sh SYNOPSIS
 .Nm nc
-.Op Fl 46hklnrtuvzU
+.Op Fl 46hklnrtuvzSU
 .Op Fl i Ar interval
 .Op Fl p Ar source port
 .Op Fl s Ar source ip address
@@ -154,6 +154,8 @@ If port is not specified, port 1080 is used.
 Specifies that
 .Nm
 should just scan for listening daemons, without sending any data to them.
+.It Fl S
+Enables the RFC 2385 TCP MD5 signature option.
 .It Fl U
 Specifies to use Unix Domain Sockets.
 .It Fl X Ar version
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index df5c44a8ce5..baeb3cefd1f 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.64 2003/10/19 22:50:35 deraadt Exp $ */
+/* $OpenBSD: netcat.c,v 1.65 2004/01/22 13:28:46 markus Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 *
@@ -37,6 +37,7 @@
 #include <sys/un.h>
 #include <netinet/in.h>
+#include <netinet/tcp.h>
 #include <arpa/telnet.h>
 #include <err.h>
@@ -71,6 +72,7 @@ int uflag; /* UDP - Default to TCP */
 int vflag; /* Verbosity */
 int xflag; /* Socks proxy */
 int zflag; /* Port Scan Flag */
+int Sflag; /* TCP MD5 signature option */
 int timeout = -1;
 int family = AF_UNSPEC;
@@ -111,7 +113,7 @@ main(int argc, char *argv[])
 endp = NULL;
 sv = NULL;
- while ((ch = getopt(argc, argv, "46UX:hi:klnp:rs:tuvw:x:z")) != -1) {
+ while ((ch = getopt(argc, argv, "46UX:hi:klnp:rs:tuvw:x:zS")) != -1) {
 switch (ch) {
 case '4':
 family = AF_INET;
@@ -178,6 +180,9 @@ main(int argc, char *argv[])
 case 'z':
 zflag = 1;
 break;
+ case 'S':
+ Sflag = 1;
+ break;
 default:
 usage(1);
 }
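Review bot: Nothing visible in the option-parsing hunks stops `-S` from being combined with modes where it cannot apply; `case 'S'` only sets `Sflag`, and the only places this commit reads the flag are `remote_connect()` and `local_listen()`. With `-u` the `IPPROTO_TCP` setsockopt will most likely fail on a datagram socket and exit through `err(1, NULL)` with a bare errno string, and with `-U` the flag looks to be ignored without any message, which is the worse outcome for a switch a user sets expecting authenticated segments. A check after the getopt loop such as `if (Sflag && uflag) errx(1, "cannot use -S with -u");`, plus the equivalent for `-U`, would make both cases explicit. main() continues outside these hunks, so confirm that no such check already exists there.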
@@ -437,7 +442,7 @@ int
 remote_connect(char *host, char *port, struct addrinfo hints)
 {
 struct addrinfo *res, *res0;
- int s, error;
+ int s, error, x = 1;
 if ((error = getaddrinfo(host, port, &hints, &res)))
 errx(1, "getaddrinfo: %s", gai_strerror(error));
@@ -472,6 +477,11 @@ remote_connect(char *host, char *port, struct addrinfo hints)
 errx(1, "bind failed: %s", strerror(errno));
 freeaddrinfo(ares);
 }
+ if (Sflag) {
+ if (setsockopt(s, IPPROTO_TCP, TCP_SIGNATURE_ENABLE,
+ &x, sizeof(x)) == -1)
+ err(1, NULL);
+ }
 if (connect(s, res0->ai_addr, res0->ai_addrlen) == 0)
 break;
@@ -519,6 +529,12 @@ local_listen(char *host, char *port, struct addrinfo hints)
 ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
 if (ret == -1)
 err(1, NULL);
+ if (Sflag) {
+ ret = setsockopt(s, IPPROTO_TCP, TCP_SIGNATURE_ENABLE,
+ &x, sizeof(x));
+ if (ret == -1)
+ err(1, NULL);
+ }
 if (bind(s, (struct sockaddr *)res0->ai_addr,
 res0->ai_addrlen) == 0)
@@ -730,6 +746,7 @@ help(void)
 fprintf(stderr, "\tCommand Summary:\n\
 \t-4 Use IPv4\n\
 \t-6 Use IPv6\n\
+ \t-S Enable the TCP MD5 signature option\n\
 \t-U Use UNIX domain socket\n\
 \t-X vers\t SOCKS version (4 or 5)\n\
 \t-h This help text\n\
@@ -753,7 +770,7 @@ help(void)
 void
 usage(int ret)
 {
- fprintf(stderr, "usage: nc [-46Uhklnrtuvz] [-i interval] [-p source port]\n");
+ fprintf(stderr, "usage: nc [-46SUhklnrtuvz] [-i interval] [-p source port]\n");
 fprintf(stderr, "\t [-s ip address] [-w timeout] [-X vers] [-x proxy address [:port]]\n");
 fprintf(stderr, "\t [hostname] [port[s...]]\n");
 if (ret) |
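Review bot: Both new `setsockopt(..., TCP_SIGNATURE_ENABLE, ...)` calls report failure with `err(1, NULL)`, which prints only the errno text and gives the user no hint that `-S` was the cause; `err(1, "setsockopt TCP_SIGNATURE_ENABLE");` in the `remote_connect()` hunk, and the same in the `local_listen()` hunk at -519, would name the failing option. The calls pass only the integer `x`, so no key is supplied here and the signing key presumably comes from system configuration. The sentence this commit adds to nc.1 would be more useful if it said where that key is configured and that the option authenticates segments without encrypting them. Both functions start and end outside their hunks.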