/* Find a free slot in the subprocesses table. Update subprocesses_max_index to
be one greater than the maximum index containing a non-NULL handle. (It is
assumed that the index returned by this function will be filled by a
handle.) */
static int get_subprocess_slot(void)
{
int i, free_index, max_index;
DWORD rc;
rc = WaitForSingleObject(subprocesses_mutex, INFINITE);
ncat_assert(rc == WAIT_OBJECT_0);
free_index = -1;
max_index = 0;
for (i = 0; i < subprocess_max_index; i++) {
HANDLE proc = subprocesses[i];
if (proc == NULL) {
if (free_index == -1)
free_index = i;
} else {
max_index = i + 1;
}
}
if ((free_index == -1 || free_index == max_index)
&& max_index < sizeof(subprocesses) / sizeof(subprocesses[0]))
free_index = max_index++;
subprocess_max_index = max_index;
rc = ReleaseMutex(subprocesses_mutex);
ncat_assert(rc != 0);
return free_index;
}
static void terminate_subprocesses(void)
{
int i;
DWORD rc;
if (o.debug)
logdebug("Terminating subprocesses\n");
rc = WaitForSingleObject(subprocesses_mutex, INFINITE);
ncat_assert(rc == WAIT_OBJECT_0);
if (o.debug > 1)
logdebug("max_index %d\n", subprocess_max_index);
for (i = 0; i < subprocess_max_index; i++) {
HANDLE proc = subprocesses[i];
DWORD ret;
if (proc == NULL)
continue;
GetExitCodeProcess(proc, &ret);
if (ret == STILL_ACTIVE) {
if (o.debug > 1)
logdebug("kill index %d\n", i);
TerminateProcess(proc, 0);
}
subprocesses[i] = NULL;
}
rc = ReleaseMutex(subprocesses_mutex);
ncat_assert(rc != 0);
}
/* Remove a process handle from the termination handler list. Returns -1 if the
process was not already registered. */
static int unregister_subprocess(HANDLE proc)
{
int i;
DWORD rc;
rc = WaitForSingleObject(subprocesses_mutex, INFINITE);
ncat_assert(rc == WAIT_OBJECT_0);
for (i = 0; i < subprocess_max_index; i++) {
if (proc == subprocesses[i])
break;
}
if (i < subprocess_max_index) {
subprocesses[i] = NULL;
if (o.debug > 1)
logdebug("Unregister subprocess %p from index %d.\n", proc, i);
} else {
i = -1;
}
rc = ReleaseMutex(subprocesses_mutex);
ncat_assert(rc != 0);
return i;
}
static void connect_handler(nsock_pool nsp, nsock_event evt, void *data)
{
enum nse_status status = nse_status(evt);
enum nse_type type = nse_type(evt);
ncat_assert(type == NSE_TYPE_CONNECT || type == NSE_TYPE_CONNECT_SSL);
if (status == NSE_STATUS_ERROR) {
loguser("%s.\n", socket_strerror(nse_errorcode(evt)));
exit(1);
} else if (status == NSE_STATUS_TIMEOUT) {
loguser("%s.\n", socket_strerror(ETIMEDOUT));
exit(1);
} else {
ncat_assert(status == NSE_STATUS_SUCCESS);
}
#ifdef HAVE_OPENSSL
if (nsi_checkssl(cs.sock_nsi)) {
/* Check the domain name. ssl_post_connect_check prints an
error message if appropriate. */
if (!ssl_post_connect_check((SSL *) nsi_getssl(cs.sock_nsi), o.target))
bye("Certificate verification error.");
}
#endif
connect_report(cs.sock_nsi);
/* Create IOD for nsp->stdin */
if ((cs.stdin_nsi = nsi_new2(nsp, 0, NULL)) == NULL)
bye("Failed to create stdin nsiod.");
post_connect(nsp, nse_iod(evt));
}
/* Internal helper for resolve and resolve_numeric. addl_flags is ored into
hints.ai_flags, so you can add AI_NUMERICHOST. */
static int resolve_internal(const char *hostname, unsigned short port,
struct sockaddr_storage *ss, size_t *sslen, int af, int addl_flags)
{
struct addrinfo hints;
struct addrinfo *result;
char portbuf[16];
int rc;
ncat_assert(hostname != NULL);
ncat_assert(ss != NULL);
ncat_assert(sslen != NULL);
memset(&hints, 0, sizeof(hints));
hints.ai_family = af;
hints.ai_socktype = SOCK_DGRAM;
hints.ai_flags |= addl_flags;
/* Make the port number a string to give to getaddrinfo. */
rc = Snprintf(portbuf, sizeof(portbuf), "%hu", port);
ncat_assert(rc >= 0 && (size_t) rc < sizeof(portbuf));
rc = getaddrinfo(hostname, portbuf, &hints, &result);
if (rc != 0)
return rc;
if (result == NULL)
return EAI_NONAME;
ncat_assert(result->ai_addrlen > 0 && result->ai_addrlen <= (int) sizeof(struct sockaddr_storage));
*sslen = result->ai_addrlen;
memcpy(ss, result->ai_addr, *sslen);
freeaddrinfo(result);
return 0;
}
/* Depending on verbosity, print a message that a connection was established. */
static void connect_report(nsock_iod nsi)
{
union sockaddr_u peer;
zmem(&peer, sizeof(peer.storage));
nsi_getlastcommunicationinfo(nsi, NULL, NULL, NULL,
&peer.sockaddr, sizeof(peer.storage));
if (o.verbose) {
#ifdef HAVE_OPENSSL
if (nsi_checkssl(nsi)) {
X509 *cert;
X509_NAME *subject;
char digest_buf[SHA1_STRING_LENGTH + 1];
char *fp;
loguser("SSL connection to %s:%hu.", inet_socktop(&peer), nsi_peerport(nsi));
cert = SSL_get_peer_certificate((SSL *) nsi_getssl(nsi));
ncat_assert(cert != NULL);
subject = X509_get_subject_name(cert);
if (subject != NULL) {
char buf[256];
int n;
n = X509_NAME_get_text_by_NID(subject, NID_organizationName, buf, sizeof(buf));
if (n >= 0 && n <= sizeof(buf) - 1)
loguser_noprefix(" %s", buf);
}
loguser_noprefix("\n");
fp = ssl_cert_fp_str_sha1(cert, digest_buf, sizeof(digest_buf));
ncat_assert(fp == digest_buf);
loguser("SHA-1 fingerprint: %s\n", digest_buf);
} else {
#if HAVE_SYS_UN_H
if (peer.sockaddr.sa_family == AF_UNIX)
loguser("Connected to %s.\n", peer.un.sun_path);
else
#endif
loguser("Connected to %s:%hu.\n", inet_socktop(&peer), nsi_peerport(nsi));
}
#else
#if HAVE_SYS_UN_H
if (peer.sockaddr.sa_family == AF_UNIX)
loguser("Connected to %s.\n", peer.un.sun_path);
else
#endif
loguser("Connected to %s:%hu.\n", inet_socktop(&peer), nsi_peerport(nsi));
#endif
}
}
/* Set a pseudo-signal handler that is called when a thread representing a
child process dies. This is only used on Windows. */
extern void set_pseudo_sigchld_handler(void (*handler)(void))
{
DWORD rc;
if (pseudo_sigchld_mutex == NULL) {
pseudo_sigchld_mutex = CreateMutex(NULL, FALSE, NULL);
ncat_assert(pseudo_sigchld_mutex != NULL);
}
rc = WaitForSingleObject(pseudo_sigchld_mutex, INFINITE);
ncat_assert(rc == WAIT_OBJECT_0);
pseudo_sigchld_handler = handler;
rc = ReleaseMutex(pseudo_sigchld_mutex);
ncat_assert(rc != 0);
}
static void read_stdin_handler(nsock_pool nsp, nsock_event evt, void *data)
{
enum nse_status status = nse_status(evt);
enum nse_type type = nse_type(evt);
char *buf, *tmp = NULL;
int nbytes;
ncat_assert(type == NSE_TYPE_READ);
if (status == NSE_STATUS_EOF) {
if (o.sendonly) {
/* In --send-only mode, exit after EOF on stdin. */
nsock_loop_quit(nsp);
} else {
shutdown(nsi_getsd(cs.sock_nsi), SHUT_WR);
}
return;
} else if (status == NSE_STATUS_ERROR) {
loguser("%s.\n", socket_strerror(nse_errorcode(evt)));
exit(1);
} else if (status == NSE_STATUS_TIMEOUT) {
loguser("%s.\n", socket_strerror(ETIMEDOUT));
exit(1);
} else if (status == NSE_STATUS_CANCELLED || status == NSE_STATUS_KILL) {
return;
} else {
ncat_assert(status == NSE_STATUS_SUCCESS);
}
buf = nse_readbuf(evt, &nbytes);
/* read from stdin */
if (o.linedelay)
ncat_delay_timer(o.linedelay);
if (o.crlf) {
if (fix_line_endings(buf, &nbytes, &tmp, &cs.crlf_state))
buf = tmp;
}
nsock_write(nsp, cs.sock_nsi, write_socket_handler, -1, NULL, buf, nbytes);
ncat_log_send(buf, nbytes);
if (tmp)
free(tmp);
refresh_idle_timer(nsp);
}
static void idle_timer_handler(nsock_pool nsp, nsock_event evt, void *data)
{
enum nse_status status = nse_status(evt);
enum nse_type type = nse_type(evt);
ncat_assert(type == NSE_TYPE_TIMER);
if (status == NSE_STATUS_CANCELLED || status == NSE_STATUS_KILL)
return;
ncat_assert(status == NSE_STATUS_SUCCESS);
loguser("Idle timeout expired (%d ms).\n", o.idletimeout);
exit(1);
}
/* Broadcast a message to all the descriptors in fds. Returns -1 if any of the
sends failed. */
int ncat_broadcast(fd_set *fds, const fd_list_t *fdlist, const char *msg, size_t size)
{
struct fdinfo *fdn;
int i, ret;
if (o.recvonly)
return size;
ret = 0;
for (i = 0; i <= fdlist->fdmax; i++) {
if (!FD_ISSET(i, fds))
continue;
fdn = get_fdinfo(fdlist, i);
ncat_assert(fdn != NULL);
if (blocking_fdinfo_send(fdn, msg, size) <= 0) {
if (o.debug > 1)
logdebug("Error sending to fd %d: %s.\n", i, socket_strerror(socket_errno()));
ret = -1;
}
}
ncat_log_send(msg, size);
return ret;
}
/* This callback is called for every certificate in a chain. ok is true if
OpenSSL's internal verification has verified the certificate. We don't change
anything about the verification, we only need access to the certificates to
provide diagnostics. */
static int verify_callback(int ok, X509_STORE_CTX *store)
{
X509 *cert = X509_STORE_CTX_get_current_cert(store);
int err = X509_STORE_CTX_get_error(store);
/* Print the subject, issuer, and fingerprint depending on the verbosity
level. */
if ((!ok && o.verbose) || o.debug > 1) {
char digest_buf[SHA1_STRING_LENGTH + 1];
char *fp;
loguser("Subject: ");
X509_NAME_print_ex_fp(stderr, X509_get_subject_name(cert), 0, XN_FLAG_COMPAT);
loguser_noprefix("\n");
loguser("Issuer: ");
X509_NAME_print_ex_fp(stderr, X509_get_issuer_name(cert), 0, XN_FLAG_COMPAT);
loguser_noprefix("\n");
fp = ssl_cert_fp_str_sha1(cert, digest_buf, sizeof(digest_buf));
ncat_assert(fp == digest_buf);
loguser("SHA-1 fingerprint: %s\n", digest_buf);
}
if (!ok && o.verbose) {
loguser("Certificate verification failed (%s).\n",
X509_verify_cert_error_string(err));
}
return ok;
}
/* Do a sprintf at the given offset into a malloc-allocated buffer. Reallocates
the buffer and updates the variables to make room if necessary. */
int strbuf_sprintf(char **buf, size_t *size, size_t *offset, const char *fmt, ...)
{
va_list va;
int n;
ncat_assert(*offset <= *size);
if (*buf == NULL) {
*size = 1;
*buf = (char *) safe_malloc(*size);
}
for (;;) {
va_start(va, fmt);
n = Vsnprintf(*buf + *offset, *size - *offset, fmt, va);
va_end(va);
if (n < 0)
*size = MAX(*size, 1) * 2;
else if (n >= *size - *offset)
*size += n + 1;
else
break;
*buf = (char *) safe_realloc(*buf, *size);
}
*offset += n;
return n;
}
/* Internal helper for resolve and resolve_numeric. addl_flags is ored into
hints.ai_flags, so you can add AI_NUMERICHOST.
sl is a pointer to first element of sockaddr linked list, which is always
statically allocated. Next list elements are dynamically allocated.
If multiple_addrs is false then only first address is returned. */
static int resolve_internal(const char *hostname, unsigned short port,
struct sockaddr_list *sl, int af, int addl_flags, int multiple_addrs)
{
struct addrinfo hints;
struct addrinfo *result;
struct addrinfo *next;
struct sockaddr_list **item_ptr = &sl;
struct sockaddr_list *new_item;
char portbuf[16];
int rc;
ncat_assert(hostname != NULL);
memset(&hints, 0, sizeof(hints));
hints.ai_family = af;
hints.ai_socktype = SOCK_DGRAM;
hints.ai_flags |= addl_flags;
/* Make the port number a string to give to getaddrinfo. */
rc = Snprintf(portbuf, sizeof(portbuf), "%hu", port);
ncat_assert(rc >= 0 && (size_t) rc < sizeof(portbuf));
rc = getaddrinfo(hostname, portbuf, &hints, &result);
if (rc != 0)
return rc;
if (result == NULL)
return EAI_NONAME;
ncat_assert(result->ai_addrlen > 0 && result->ai_addrlen <= (int) sizeof(struct sockaddr_storage));
for (next = result; next != NULL; next = next->ai_next) {
if (*item_ptr == NULL)
{
*item_ptr = (struct sockaddr_list *)safe_malloc(sizeof(struct sockaddr_list));
(**item_ptr).next = NULL;
}
new_item = *item_ptr;
new_item->addrlen = next->ai_addrlen;
memcpy(&new_item->addr.storage, next->ai_addr, next->ai_addrlen);
if (!multiple_addrs)
break;
item_ptr = &new_item->next;
}
freeaddrinfo(result);
return 0;
}
static void read_socket_handler(nsock_pool nsp, nsock_event evt, void *data)
{
enum nse_status status = nse_status(evt);
enum nse_type type = nse_type(evt);
char *buf;
int nbytes;
ncat_assert(type == NSE_TYPE_READ);
if (status == NSE_STATUS_EOF) {
Close(STDOUT_FILENO);
/* In --recv-only mode or non-TCP mode, exit after EOF on the socket. */
if (o.proto != IPPROTO_TCP || (o.proto == IPPROTO_TCP && o.recvonly))
nsock_loop_quit(nsp);
return;
} else if (status == NSE_STATUS_ERROR) {
loguser("%s.\n", socket_strerror(nse_errorcode(evt)));
exit(1);
} else if (status == NSE_STATUS_TIMEOUT) {
loguser("%s.\n", socket_strerror(ETIMEDOUT));
exit(1);
} else if (status == NSE_STATUS_CANCELLED || status == NSE_STATUS_KILL) {
return;
} else {
ncat_assert(status == NSE_STATUS_SUCCESS);
}
buf = nse_readbuf(evt, &nbytes);
if (o.linedelay)
ncat_delay_timer(o.linedelay);
if (o.telnet)
dotelnet(nsi_getsd(nse_iod(evt)), (unsigned char *) buf, nbytes);
/* Write socket data to stdout */
Write(STDOUT_FILENO, buf, nbytes);
ncat_log_recv(buf, nbytes);
nsock_readbytes(nsp, cs.sock_nsi, read_socket_handler, -1, NULL, 0);
refresh_idle_timer(nsp);
}
static const char *skip_crlf(const char *s)
{
if (*s == '\n')
return s + 1;
else if (*s == '\r' && *(s + 1) == '\n')
return s + 2;
ncat_assert(0);
return NULL;
}
/* Add a process to the list of processes to kill at program exit. Once you
call this function, the process handle "belongs" to it and you shouldn't
modify the handle until you call unregister_subprocess. Returns -1 on
error. */
static int register_subprocess(HANDLE proc)
{
int i;
DWORD rc;
if (subprocesses_mutex == NULL) {
subprocesses_mutex = CreateMutex(NULL, FALSE, NULL);
ncat_assert(subprocesses_mutex != NULL);
}
if (pseudo_sigchld_mutex == NULL) {
pseudo_sigchld_mutex = CreateMutex(NULL, FALSE, NULL);
ncat_assert(pseudo_sigchld_mutex != NULL);
}
rc = WaitForSingleObject(subprocesses_mutex, INFINITE);
ncat_assert(rc == WAIT_OBJECT_0);
i = get_subprocess_slot();
if (i == -1) {
if (o.verbose)
logdebug("No free process slots for termination handler.\n");
} else {
subprocesses[i] = proc;
if (o.debug > 1)
logdebug("Register subprocess %p at index %d.\n", proc, i);
if (!atexit_registered) {
/* We register both an atexit and a SIGINT handler because ^C
doesn't seem to cause atexit handlers to be called. */
atexit(terminate_subprocesses);
signal(SIGINT, sigint_handler);
atexit_registered = 1;
}
}
rc = ReleaseMutex(subprocesses_mutex);
ncat_assert(rc != 0);
return i;
}
static void write_socket_handler(nsock_pool nsp, nsock_event evt, void *data)
{
enum nse_status status = nse_status(evt);
enum nse_type type = nse_type(evt);
ncat_assert(type == NSE_TYPE_WRITE);
if (status == NSE_STATUS_ERROR) {
loguser("%s.\n", socket_strerror(nse_errorcode(evt)));
exit(1);
} else if (status == NSE_STATUS_TIMEOUT) {
loguser("%s.\n", socket_strerror(ETIMEDOUT));
exit(1);
} else if (status == NSE_STATUS_CANCELLED || status == NSE_STATUS_KILL) {
return;
} else {
ncat_assert(status == NSE_STATUS_SUCCESS);
}
/* The write to the socket was successful. Allow reading more from stdin
now. */
nsock_readbytes(nsp, cs.stdin_nsi, read_stdin_handler, -1, NULL, 0);
}
static void shutdown_sockets(int how)
{
struct fdinfo *fdn;
int i;
for (i = 0; i <= broadcast_fdlist.fdmax; i++) {
if (!FD_ISSET(i, &master_broadcastfds))
continue;
fdn = get_fdinfo(&broadcast_fdlist, i);
ncat_assert(fdn != NULL);
shutdown(fdn->fd, how);
}
}
static int get_conn_count(void)
{
unsigned int count;
/* conn_dec is modified in a signal handler, so loop until it stops
changing. */
do {
conn_dec_changed = 0;
count = conn_inc - conn_dec;
} while (conn_dec_changed);
ncat_assert(count <= INT_MAX);
return count;
}
/* Append n bytes starting at s to a malloc-allocated buffer. Reallocates the
buffer and updates the variables to make room if necessary. */
int strbuf_append(char **buf, size_t *size, size_t *offset, const char *s, size_t n)
{
ncat_assert(*offset <= *size);
if (n >= *size - *offset) {
*size += n + 1;
*buf = (char *) safe_realloc(*buf, *size);
}
memcpy(*buf + *offset, s, n);
*offset += n;
(*buf)[*offset] = '\0';
return n;
}
void lua_setup(void)
{
ncat_assert(o.cmdexec!=NULL);
L = luaL_newstate();
luaL_openlibs(L);
if (luaL_loadfile(L,o.cmdexec) != 0)
report("Error loading the Lua script");
/* install the traceback function */
last_function_number = lua_gettop(L);
lua_pushcfunction(L, traceback);
lua_insert(L, last_function_number);
}
/* Read from a client socket and write to stdout. Return the number of bytes
read from the socket, or -1 on error. */
int read_socket(int recv_fd)
{
char buf[DEFAULT_TCP_BUF_LEN];
struct fdinfo *fdn;
int nbytes, pending;
fdn = get_fdinfo(&client_fdlist, recv_fd);
ncat_assert(fdn != NULL);
nbytes = 0;
do {
int n;
n = ncat_recv(fdn, buf, sizeof(buf), &pending);
if (n <= 0) {
if (o.debug)
logdebug("Closing connection.\n");
#ifdef HAVE_OPENSSL
if (o.ssl && fdn->ssl) {
if (nbytes == 0)
SSL_shutdown(fdn->ssl);
SSL_free(fdn->ssl);
}
#endif
close(recv_fd);
FD_CLR(recv_fd, &master_readfds);
rm_fd(&client_fdlist, recv_fd);
FD_CLR(recv_fd, &master_broadcastfds);
rm_fd(&broadcast_fdlist, recv_fd);
conn_inc--;
if (get_conn_count() == 0)
FD_CLR(STDIN_FILENO, &master_readfds);
return n;
}
Write(STDOUT_FILENO, buf, n);
nbytes += n;
} while (pending);
return nbytes;
}
int ssl_load_default_ca_certs(SSL_CTX *ctx)
{
int rc;
if (o.debug)
logdebug("Using system default trusted CA certificates and those in %s.\n", NCAT_CA_CERTS_PATH);
/* Load distribution-provided defaults, if any. */
rc = SSL_CTX_set_default_verify_paths(ctx);
ncat_assert(rc > 0);
/* Also load the trusted certificates we ship. */
rc = SSL_CTX_load_verify_locations(ctx, NCAT_CA_CERTS_PATH, NULL);
if (rc != 1) {
if (o.debug)
logdebug("Unable to load trusted CA certificates from %s: %s\n",
NCAT_CA_CERTS_PATH, ERR_error_string(ERR_get_error(), NULL));
return -1;
}
return 0;
}
static int ncat_listen_stream(int proto)
{
int rc, i, fds_ready;
fd_set listen_fds;
struct timeval tv;
struct timeval *tvp = NULL;
unsigned int num_sockets;
/* clear out structs */
FD_ZERO(&master_readfds);
FD_ZERO(&master_writefds);
FD_ZERO(&master_broadcastfds);
FD_ZERO(&listen_fds);
#ifdef HAVE_OPENSSL
FD_ZERO(&sslpending_fds);
#endif
zmem(&client_fdlist, sizeof(client_fdlist));
zmem(&broadcast_fdlist, sizeof(broadcast_fdlist));
#ifdef WIN32
set_pseudo_sigchld_handler(decrease_conn_count);
#else
/* Reap on SIGCHLD */
Signal(SIGCHLD, sigchld_handler);
/* Ignore the SIGPIPE that occurs when a client disconnects suddenly and we
send data to it before noticing. */
Signal(SIGPIPE, SIG_IGN);
#endif
#ifdef HAVE_OPENSSL
if (o.ssl)
setup_ssl_listen();
#endif
/* Not sure if this problem exists on Windows, but fcntl and /dev/null don't */
#ifndef WIN32
/* Check whether stdin is closed. Because we treat this fd specially, we
* can't risk it being reopened for an incoming connection, so we'll hold
* it open instead. */
if (fcntl(STDIN_FILENO, F_GETFD) == -1 && errno == EBADF) {
logdebug("stdin is closed, attempting to reserve STDIN_FILENO\n");
rc = open("/dev/null", O_RDONLY);
if (rc >= 0 && rc != STDIN_FILENO) {
/* Oh well, we tried */
logdebug("Couldn't reserve STDIN_FILENO\n");
close(rc);
}
}
#endif
/* We need a list of fds to keep current fdmax. The second parameter is a
number added to the supplied connection limit, that will compensate
maxfds for the added by default listen and stdin sockets. */
init_fdlist(&client_fdlist, sadd(o.conn_limit, num_listenaddrs + 1));
for (i = 0; i < NUM_LISTEN_ADDRS; i++)
listen_socket[i] = -1;
num_sockets = 0;
for (i = 0; i < num_listenaddrs; i++) {
/* setup the main listening socket */
listen_socket[num_sockets] = do_listen(SOCK_STREAM, proto, &listenaddrs[i]);
if (listen_socket[num_sockets] == -1) {
if (o.debug > 0)
logdebug("do_listen(\"%s\"): %s\n", inet_ntop_ez(&listenaddrs[i].storage, sizeof(listenaddrs[i].storage)), socket_strerror(socket_errno()));
continue;
}
/* Make our listening socket non-blocking because there are timing issues
* which could cause us to block on accept() even though select() says it's
* readable. See UNPv1 2nd ed, p422 for more.
*/
unblock_socket(listen_socket[num_sockets]);
/* setup select sets and max fd */
FD_SET(listen_socket[num_sockets], &master_readfds);
add_fd(&client_fdlist, listen_socket[num_sockets]);
FD_SET(listen_socket[num_sockets], &listen_fds);
num_sockets++;
}
if (num_sockets == 0) {
if (num_listenaddrs == 1)
bye("Unable to open listening socket on %s: %s", inet_ntop_ez(&listenaddrs[0].storage, sizeof(listenaddrs[0].storage)), socket_strerror(socket_errno()));
else
bye("Unable to open any listening sockets.");
}
add_fd(&client_fdlist, STDIN_FILENO);
init_fdlist(&broadcast_fdlist, o.conn_limit);
if (o.idletimeout > 0)
tvp = &tv;
while (1) {
/* We pass these temporary descriptor sets to fselect, since fselect
modifies the sets it receives. */
fd_set readfds = master_readfds, writefds = master_writefds;
struct fdinfo *fdi = NULL;
if (o.debug > 1)
logdebug("selecting, fdmax %d\n", client_fdlist.fdmax);
if (o.debug > 1 && o.broker)
logdebug("Broker connection count is %d\n", get_conn_count());
if (o.idletimeout > 0)
ms_to_timeval(tvp, o.idletimeout);
fds_ready = fselect(client_fdlist.fdmax + 1, &readfds, &writefds, NULL, tvp);
if (o.debug > 1)
logdebug("select returned %d fds ready\n", fds_ready);
if (fds_ready == 0)
bye("Idle timeout expired (%d ms).", o.idletimeout);
/*
* FIXME: optimize this loop to look only at the fds in the fd list,
* doing it this way means that if you have one descriptor that is very
* large, say 500, and none close to it, that you'll loop many times for
* nothing.
*/
for (i = 0; i <= client_fdlist.fdmax && fds_ready > 0; i++) {
/* Loop through descriptors until there's something to read */
if (!FD_ISSET(i, &readfds) && !FD_ISSET(i, &writefds))
continue;
if (o.debug > 1)
logdebug("fd %d is ready\n", i);
#ifdef HAVE_OPENSSL
/* Is this an ssl socket pending a handshake? If so handle it. */
if (o.ssl && FD_ISSET(i, &sslpending_fds)) {
FD_CLR(i, &master_readfds);
FD_CLR(i, &master_writefds);
fdi = get_fdinfo(&client_fdlist, i);
ncat_assert(fdi != NULL);
switch (ssl_handshake(fdi)) {
case NCAT_SSL_HANDSHAKE_COMPLETED:
/* Clear from sslpending_fds once ssl is established */
FD_CLR(i, &sslpending_fds);
post_handle_connection(*fdi);
break;
case NCAT_SSL_HANDSHAKE_PENDING_WRITE:
FD_SET(i, &master_writefds);
break;
case NCAT_SSL_HANDSHAKE_PENDING_READ:
FD_SET(i, &master_readfds);
break;
case NCAT_SSL_HANDSHAKE_FAILED:
default:
SSL_free(fdi->ssl);
Close(fdi->fd);
FD_CLR(i, &sslpending_fds);
FD_CLR(i, &master_readfds);
rm_fd(&client_fdlist, i);
/* Are we in single listening mode(without -k)? If so
then we should quit also. */
if (!o.keepopen && !o.broker)
return 1;
--conn_inc;
break;
}
} else
#endif
if (FD_ISSET(i, &listen_fds)) {
/* we have a new connection request */
handle_connection(i);
} else if (i == STDIN_FILENO) {
if (o.broker) {
read_and_broadcast(i);
} else {
/* Read from stdin and write to all clients. */
rc = read_stdin();
if (rc == 0) {
if (o.proto != IPPROTO_TCP || (o.proto == IPPROTO_TCP && o.sendonly)) {
/* There will be nothing more to send. If we're not
receiving anything, we can quit here. */
return 0;
}
if (!o.noshutdown) shutdown_sockets(SHUT_WR);
}
if (rc < 0)
return 1;
}
} else if (!o.sendonly) {
if (o.broker) {
read_and_broadcast(i);
} else {
/* Read from a client and write to stdout. */
rc = read_socket(i);
if (rc <= 0 && !o.keepopen)
return rc == 0 ? 0 : 1;
}
}
fds_ready--;
}
}
return 0;
}
/* Relay data between a socket and a process until the process dies or stops
sending or receiving data. The socket descriptor and process pipe handles
are in the data argument, which must be a pointer to struct subprocess_info.
This function is a workaround for the fact that we can't just run a process
after redirecting its input handles to a socket. If the process, for
example, redirects its own stdin, it somehow confuses the socket and stdout
stops working. This is exactly what ncat does (as part of the Windows stdin
workaround), so it can't be ignored.
This function can be invoked through CreateThread to simulate fork+exec, or
called directly to simulate exec. It frees the subprocess_info struct and
closes the socket and pipe handles before returning. Returns the exit code
of the subprocess. */
static DWORD WINAPI subprocess_thread_func(void *data)
{
struct subprocess_info *info;
char pipe_buffer[BUFSIZ];
OVERLAPPED overlap = { 0 };
HANDLE events[3];
DWORD ret, rc;
int crlf_state = 0;
info = (struct subprocess_info *) data;
/* Three events we watch for: socket read, pipe read, and process end. */
events[0] = (HANDLE) WSACreateEvent();
WSAEventSelect(info->fdn.fd, events[0], FD_READ | FD_CLOSE);
events[1] = info->child_out_r;
events[2] = info->proc;
/* To avoid blocking or polling, we use asynchronous I/O, or what Microsoft
calls "overlapped" I/O, on the process pipe. WaitForMultipleObjects
reports when the read operation is complete. */
ReadFile(info->child_out_r, pipe_buffer, sizeof(pipe_buffer), NULL, &overlap);
/* Loop until EOF or error. */
for (;;) {
DWORD n, nwritten;
int i;
i = WaitForMultipleObjects(3, events, FALSE, INFINITE);
if (i == WAIT_OBJECT_0) {
/* Read from socket, write to process. */
char buffer[BUFSIZ];
int pending;
ResetEvent(events[0]);
do {
n = ncat_recv(&info->fdn, buffer, sizeof(buffer), &pending);
if (n <= 0)
goto loop_end;
if (WriteFile(info->child_in_w, buffer, n, &nwritten, NULL) == 0)
break;
if (nwritten != n)
goto loop_end;
} while (pending);
} else if (i == WAIT_OBJECT_0 + 1) {
char *crlf = NULL, *wbuf;
/* Read from process, write to socket. */
if (GetOverlappedResult(info->child_out_r, &overlap, &n, FALSE)) {
int n_r;
wbuf = pipe_buffer;
n_r = n;
if (o.crlf) {
if (fix_line_endings((char *) pipe_buffer, &n_r, &crlf, &crlf_state))
wbuf = crlf;
}
/* The above call to WSAEventSelect puts the socket in
non-blocking mode, but we want this send to block, not
potentially return WSAEWOULDBLOCK. We call block_socket, but
first we must clear out the select event. */
WSAEventSelect(info->fdn.fd, events[0], 0);
block_socket(info->fdn.fd);
nwritten = ncat_send(&info->fdn, wbuf, n_r);
if (crlf != NULL)
free(crlf);
if (nwritten != n_r)
break;
/* Restore the select event (and non-block the socket again.) */
WSAEventSelect(info->fdn.fd, events[0], FD_READ | FD_CLOSE);
/* Queue another ansychronous read. */
ReadFile(info->child_out_r, pipe_buffer, sizeof(pipe_buffer), NULL, &overlap);
} else {
if (GetLastError() != ERROR_IO_PENDING)
/* Error or end of file. */
break;
}
} else if (i == WAIT_OBJECT_0 + 2) {
/* The child died. There are no more writes left in the pipe
because WaitForMultipleObjects guarantees events with lower
indexes are handled first. */
break;
} else {
break;
}
}
loop_end:
WSACloseEvent(events[0]);
rc = unregister_subprocess(info->proc);
ncat_assert(rc != -1);
GetExitCodeProcess(info->proc, &ret);
if (ret == STILL_ACTIVE) {
if (o.debug > 1)
logdebug("Subprocess still running, terminating it.\n");
rc = TerminateProcess(info->proc, 0);
if (rc == 0) {
if (o.debug > 1)
logdebug("TerminateProcess failed with code %d.\n", rc);
}
}
GetExitCodeProcess(info->proc, &ret);
if (o.debug > 1)
logdebug("Subprocess ended with exit code %d.\n", ret);
shutdown(info->fdn.fd, 2);
subprocess_info_close(info);
free(info);
rc = WaitForSingleObject(pseudo_sigchld_mutex, INFINITE);
ncat_assert(rc == WAIT_OBJECT_0);
if (pseudo_sigchld_handler != NULL)
pseudo_sigchld_handler();
rc = ReleaseMutex(pseudo_sigchld_mutex);
ncat_assert(rc != 0);
return ret;
}
/* Read from recv_fd and broadcast whatever is read to all other descriptors in
read_fds, with the exception of stdin, listen_socket, and recv_fd itself.
Handles EOL translation and chat mode. On read error or end of stream,
closes the socket and removes it from the read_fds list. */
static void read_and_broadcast(int recv_fd)
{
struct fdinfo *fdn;
int pending;
fdn = get_fdinfo(&client_fdlist, recv_fd);
ncat_assert(fdn != NULL);
/* Loop while ncat_recv indicates data is pending. */
do {
char buf[DEFAULT_TCP_BUF_LEN];
char *chatbuf, *outbuf;
char *tempbuf = NULL;
fd_set broadcastfds;
int n;
/* Behavior differs depending on whether this is stdin or a socket. */
if (recv_fd == STDIN_FILENO) {
n = read(recv_fd, buf, sizeof(buf));
if (n <= 0) {
if (n < 0 && o.verbose)
logdebug("Error reading from stdin: %s\n", strerror(errno));
if (n == 0 && o.debug)
logdebug("EOF on stdin\n");
/* Don't close the file because that allows a socket to be
fd 0. */
FD_CLR(recv_fd, &master_readfds);
/* But mark that we've seen EOF so it doesn't get re-added to
the select list. */
stdin_eof = 1;
return;
}
if (o.crlf)
fix_line_endings((char *) buf, &n, &tempbuf, &crlf_state);
pending = 0;
} else {
/* From a connected socket, not stdin. */
n = ncat_recv(fdn, buf, sizeof(buf), &pending);
if (n <= 0) {
if (o.debug)
logdebug("Closing connection.\n");
#ifdef HAVE_OPENSSL
if (o.ssl && fdn->ssl) {
if (n == 0)
SSL_shutdown(fdn->ssl);
SSL_free(fdn->ssl);
}
#endif
close(recv_fd);
FD_CLR(recv_fd, &master_readfds);
rm_fd(&client_fdlist, recv_fd);
FD_CLR(recv_fd, &master_broadcastfds);
rm_fd(&broadcast_fdlist, recv_fd);
conn_inc--;
if (conn_inc == 0)
FD_CLR(STDIN_FILENO, &master_readfds);
if (o.chat)
chat_announce_disconnect(recv_fd);
return;
}
}
if (o.debug > 1)
logdebug("Handling data from client %d.\n", recv_fd);
chatbuf = NULL;
/* tempbuf is in use if we read from STDIN and fixed EOL */
if (tempbuf == NULL)
outbuf = buf;
else
outbuf = tempbuf;
if (o.chat) {
chatbuf = chat_filter(outbuf, n, recv_fd, &n);
if (chatbuf == NULL) {
if (o.verbose)
logdebug("Error formatting chat message from fd %d\n", recv_fd);
} else {
outbuf = chatbuf;
}
}
/* Send to everyone except the one who sent this message. */
broadcastfds = master_broadcastfds;
FD_CLR(recv_fd, &broadcastfds);
ncat_broadcast(&broadcastfds, &broadcast_fdlist, outbuf, n);
free(chatbuf);
free(tempbuf);
tempbuf = NULL;
} while (pending);
}
SSL_CTX *setup_ssl_listen(void)
{
const SSL_METHOD *method;
if (sslctx)
goto done;
SSL_library_init();
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
SSL_load_error_strings();
/* RAND_status initializes the random number generator through a variety of
platform-dependent methods, then returns 1 if there is enough entropy or
0 otherwise. This seems to be a good platform-independent way of seeding
the generator, as well as of refusing to continue without enough
entropy. */
if (!RAND_status())
bye("Failed to seed OpenSSL PRNG (RAND_status returned false).");
if (!(method = SSLv23_server_method()))
bye("SSLv23_server_method(): %s.", ERR_error_string(ERR_get_error(), NULL));
if (!(sslctx = SSL_CTX_new(method)))
bye("SSL_CTX_new(): %s.", ERR_error_string(ERR_get_error(), NULL));
SSL_CTX_set_options(sslctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
/* Secure ciphers list taken from Nsock. */
if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"))
bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL));
if (o.sslcert == NULL && o.sslkey == NULL) {
X509 *cert;
EVP_PKEY *key;
char digest_buf[SHA1_STRING_LENGTH + 1];
if (o.verbose)
loguser("Generating a temporary %d-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.\n", DEFAULT_KEY_BITS);
if (ssl_gen_cert(&cert, &key) == 0)
bye("ssl_gen_cert(): %s.", ERR_error_string(ERR_get_error(), NULL));
if (o.verbose) {
char *fp;
fp = ssl_cert_fp_str_sha1(cert, digest_buf, sizeof(digest_buf));
ncat_assert(fp == digest_buf);
loguser("SHA-1 fingerprint: %s\n", digest_buf);
}
if (SSL_CTX_use_certificate(sslctx, cert) != 1)
bye("SSL_CTX_use_certificate(): %s.", ERR_error_string(ERR_get_error(), NULL));
if (SSL_CTX_use_PrivateKey(sslctx, key) != 1)
bye("SSL_CTX_use_PrivateKey(): %s.", ERR_error_string(ERR_get_error(), NULL));
X509_free(cert);
EVP_PKEY_free(key);
} else {
if (o.sslcert == NULL || o.sslkey == NULL)
bye("The --ssl-key and --ssl-cert options must be used together.");
if (SSL_CTX_use_certificate_chain_file(sslctx, o.sslcert) != 1)
bye("SSL_CTX_use_certificate_chain_file(): %s.", ERR_error_string(ERR_get_error(), NULL));
if (SSL_CTX_use_PrivateKey_file(sslctx, o.sslkey, SSL_FILETYPE_PEM) != 1)
bye("SSL_CTX_use_Privatekey_file(): %s.", ERR_error_string(ERR_get_error(), NULL));
}
done:
return sslctx;
}
