path: root/usr.bin/nc/netcat.c
Age | Commit message | Author
2021-07-12 | Change the error reporting pattern throughout the tree when unveil fails to report the path that the failure occurred on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@ | Bob Beck
2020-02-12 | Standardize argument naming for "sourceaddr" and unify the wording a bit, similar to what deraadt@ recently did in other manual pages. | Ingo Schwarze
2020-01-26 | revert previous nc loop refactor from 1.211, breaks bluhm's stuff will attempt again later, now that there is new regress | Bob Beck
2020-01-07 | If the client provides a TLS certificate and the user specifies a hash value on the nc(1) server command line, the netcat server must use the TLS context of the accepted socket for verification. As the listening socket was used instead, the verification was always successful. If the peer provides a certificate, there must be a hash. Make the hash verification fail safe. OK tb@ | Alexander Bluhm
2020-01-06 | The unveil(2) for nc -U -u -l was wrong. The server cannot unveil the file system as it has to connect to the UNIX domain client socket. The path of the latter is determined dynamically. Instead add a restrictive pledge(2) after connect(2). OK tb@ | Alexander Bluhm
2020-01-06 | When using UNIX domain sockets, always call report_sock() with the path name of the socket. This avoids bad errors from getnameinfo(3). Use the same error check for both calls to getnameinfo(3). OK millert@ tb@ | Alexander Bluhm
2019-11-17 | fail to usage if extra argv are present noticed by jsing and beck, ok tedu | Theo de Raadt
2019-11-13 | refactor the nc pool loop to not shut down the socket early, and to handle tls_shutdown correctly if using TLS, doing tls_shutdown correctly if we are using the -N flag ok sthen@ | Bob Beck
2019-11-04 | Fix an out of bound read/write when using a proxy. From Lucas AT sexy DOT is. OK job@ kn@ | Todd C. Miller
2019-10-24 | Print IP address in verbose mode OK kn@ | job
2019-10-23 | Revert previous, which works for -N case but causes regress failures for tls, since the socket is shut down without calling tls_close(). Since nc appears to have a problem with this in other shutdown() cases I am simply going to bake a new diff for this. noticed by bluhm@. | Bob Beck
2019-10-17 | Fix -N flag to actually shut down the (entire) socket when the input goes away. This allows for using nc in cases where the network server will no longer expect anything after eof, instead of hanging waiting for more input from our end. Additionally, shut down if tls is in use if either side of the socket goes away, since higher level TLS operations (tls_read and write) will require the socket to be both readable and writable as we can get TLS_WANT_POLLIN or TLS_WANT_POLLOUT on either operation. deraadt@ buying it. found by sthen@ | Bob Beck
2019-08-08 | added /* no filesystem visibility */ above unveil("/", "") since "" is too easy to misread. as per suggestion by and OK deraadt@ | Ricardo Mestre
2019-06-28 | When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future. | Theo de Raadt
2019-06-27 | Some asprintf() calls were checked < 0, rather than the precise == -1. ok millert nicm tb, etc | Theo de Raadt
2019-02-26 | Correctly handle tls_read() and tls_write() failures. Otherwise a TLS error (for example the remote end sent a fatal alert) is silently ignored. ok bluhm@ tb@ | Joel Sing
2019-01-10 | Revert back previous commit and stop including strings.h Use memset(3) instead of bzero(3) since POSIX recommends using the former and because it's also more portable (conforms to ANSI C standard) OK tedu@ tb@ | Ricardo Mestre
2019-01-09 | Include strings.h for bzero in usr.bin/nc bzero is defined in strings.h. ok deraadt@ | Kinichiro Inoguchi
2018-12-27 | port ranges can be ambiguous with hyphenated port-names. specify that ranges must be numeric, and only check for range if first argument is a digit. identified by danj, fix suggested by sthen | Ted Unangst
2018-11-29 | update for libtls default cert changes. bonus: this exposed a few missing const qualifiers. | Ted Unangst
2018-11-09 | In verbose mode netcat reports to stderr when the listen system call has finished. This allows to write race free scripts as they can check that the server is up and running. OK sthen@ tb@ | Alexander Bluhm
2018-11-06 | Use TLS_CA_CERT_FILE instead of a separate define. ok beck@ bluhm@ tb@ | Joel Sing
2018-10-26 | show what went wrong with a unix domain socket, rather than fail silently handy if you type the path wrong or don't have permission... ok deraadt@ | David Gwynne
2018-10-04 | Plug TLS context leak in nc(1) server and client mode. Move tls_free(3) directly after close(2) to catch all cases. based on a patch from Nan Xiao; OK tb@ deraadt@ | Alexander Bluhm
2018-09-07 | Declare strings passed to local_listen() as const. This makes it consistent to remote_connect() and getaddrinfo(3). from Nan Xiao | Alexander Bluhm
2018-09-06 | Do not close the socket twice in netcat. from Nan Xiao; OK tb@ | Alexander Bluhm
2018-08-10 | In typical swiss-army style, various modes and options cause different unveils. Joint work with beck and florian. Let us know if you hit any corner cases. | Theo de Raadt
2018-04-27 | trailing whitespace, and move arg checking before pledge in preparation for pledgepath ok deraadt@ | Bob Beck
2018-03-19 | Remove the tls_init() call, since it is no longer necessary. ok bcook@ beck@ inoguchi@ | Joel Sing
2017-11-28 | Allow TLS ciphers and protocols to be specified for nc(1). Replace the "tlscompat" and "tlsall" options with "cipher" and "protocol" options that are key/value pairs. This allows the user to specify ciphers and protocols in a form that are accepted by tls_config_set_ciphers() and tls_config_set_protocols() respectively. ok beck@ (also ok jmc@ for a previous revision of the man page). | Joel Sing
2017-10-24 | Use a smaller buffer size to peek the receive data. The content is discarded anyway, the plen variable is a leftover from the -j jumbo option. reported by Nan Xiao; OK deraadt@ | Alexander Bluhm
2017-07-15 | Add a "-T tlscompat" option to nc(1), which enables the use of all TLS protocols and "compat" ciphers. This allows for TLS connections to TLS servers that are using less than ideal cipher suites, without having to resort to "-T tlsall" which enables all known cipher suites. Diff from Kyle J. McKay <mackyle at gmail dot com> ok beck@ | Joel Sing
2017-06-11 | Continue the flattening of the pledge logic started in r1.184 and place a blank space somewhere else. suggested by and ok jsing | Theo Buehler
2017-06-11 | Simple style(9) fixes from Juuso Lapinlampi, mostly whitespace and omitting parentheses in return statements. Binary change because of return instead of exit(3) from main and because help() is now __dead. ok awolk | Theo Buehler
2017-06-10 | If -P and -c were given, a second pledge call tried to add "rpath" to the first pledge promises, so nc exited with EPERM. To fix this, merge the pledge of the Pflag && usetls case into the first pledge block. This allows us to get rid of the second pledge block and thus to simplify the logic a bit. While there, add a missing blank to an error string. Joint effort by the #openbsd-daily code reading group, problem found and initial patch by <rain1 openmailbox org>. ok awolk | Theo Buehler
2017-05-26 | Fix gcc warnings triggered by WARNINGS=yes. OK florian@ | Alexander Bluhm
2017-05-10 | Implement nc -W recvlimit to terminate netcat after receiving a number of packets. This allows to send a UDP request, receive a reply and check the result on the command line. input jmc@; OK millert@ | Alexander Bluhm
2017-04-16 | Move comments into a block and uses {} to unconfuse reading. | Theo de Raadt
2017-04-05 | - -Z before -z in options list; - add -Z to help and usage() | Jason McIntyre
2017-04-05 | Allow nc to save the peer certificate and chain in a pem file specified with -Z ok jsing@ | Bob Beck
2017-03-09 | The netcat server did not print the correct TLS error message if the handshake after accept had failed. Use the context of the accepted TLS connection. OK beck@ | Alexander Bluhm
2017-02-09 | When netcat was started with -Uz, the exit status was always 1. If the unix connect is successful, let nc -z close the socket and exit with 0. OK jca@ | Alexander Bluhm
2017-02-09 | When getaddrinfo fails, print the requested host and port. Should make debugging easier, especially when using -x literal_ipv6_address | Jeremie Courreges-Anglas
2017-02-08 | Avoid a busy loop in netcat's tls_close(). Reuse the tls_handshake() wrapper that calls poll(2) and handles the -w timeout. OK beck@ | Alexander Bluhm
2017-02-08 | Avoid double close(2) in netcat. After every call to readwrite() there is already a close(2), so do not do it in readwrite(). OK beck@ | Alexander Bluhm
2017-02-08 | Due to non-blocking sockets, tls_handshake() could wait in a busy loop. Use an additional poll(2) during the handshake and also respect the -w timeout option there. From Shuo Chen; OK beck@ | Alexander Bluhm
2017-02-05 | Support IPv6 proxy addresses ok beck@ | Jeremie Courreges-Anglas
2016-11-30 | Check return value of tls_config_set_protocols(3) and tls_config_set_ciphers(3) and bail out in case of failure Feedback and OK jsing@ | Ricardo Mestre
2016-11-06 | rename tlslegacy to tlsall, and better describe what it does. ok jsing@ | Bob Beck
2016-11-05 | zap trailing whitespace, and add -o to usage() and help (-h); | Jason McIntyre