From owner-svn-src-all@freebsd.org  Fri May 10 17:29:45 2019
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8F79215A84D9;
 Fri, 10 May 2019 17:29:45 +0000 (UTC) (envelope-from des@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 1325A82EAE;
 Fri, 10 May 2019 17:29:45 +0000 (UTC) (envelope-from des@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id DB4ED76B1;
 Fri, 10 May 2019 17:29:44 +0000 (UTC) (envelope-from des@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4AHTism009574;
 Fri, 10 May 2019 17:29:44 GMT (envelope-from des@FreeBSD.org)
Received: (from des@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4AHTi67009572;
 Fri, 10 May 2019 17:29:44 GMT (envelope-from des@FreeBSD.org)
Message-Id: <201905101729.x4AHTi67009572@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: des set sender to des@FreeBSD.org
 using -f
From: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= <des@FreeBSD.org>
Date: Fri, 10 May 2019 17:29:44 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-vendor@freebsd.org
Subject: svn commit: r347452 - vendor/netcat/dist
X-SVN-Group: vendor
X-SVN-Commit-Author: des
X-SVN-Commit-Paths: vendor/netcat/dist
X-SVN-Commit-Revision: 347452
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 1325A82EAE
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org
X-Spamd-Result: default: False [-2.97 / 15.00];
 local_wl_from(0.00)[FreeBSD.org];
 NEURAL_HAM_MEDIUM(-1.00)[-0.995,0];
 NEURAL_HAM_SHORT(-0.98)[-0.979,0];
 ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 10 May 2019 17:29:45 -0000

Author: des
Date: Fri May 10 17:29:44 2019
New Revision: 347452
URL: https://svnweb.freebsd.org/changeset/base/347452

Log:
  Import netcat from OpenBSD 6.3.

Modified:
  vendor/netcat/dist/nc.1
  vendor/netcat/dist/netcat.c

Modified: vendor/netcat/dist/nc.1
==============================================================================
--- vendor/netcat/dist/nc.1	Fri May 10 17:29:37 2019	(r347451)
+++ vendor/netcat/dist/nc.1	Fri May 10 17:29:44 2019	(r347452)
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: nc.1,v 1.87 2017/07/15 18:11:47 jmc Exp $
+.\"     $OpenBSD: nc.1,v 1.88 2017/11/28 16:59:10 jsing Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 15 2017 $
+.Dd $Mdocdate: November 28 2017 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -233,10 +233,6 @@ Change IPv4 TOS value or TLS options.
 For TLS options
 .Ar keyword
 may be one of:
-.Ar tlsall ,
-which allows the use of all supported TLS protocols and ciphers;
-.Ar tlscompat ,
-which allows the use of all supported TLS protocols and "compat" ciphers;
 .Ar noverify ,
 which disables certificate verification;
 .Ar noname ,
@@ -246,6 +242,15 @@ which requires a client certificate on incoming connec
 .Ar muststaple ,
 which requires the peer to provide a valid stapled OCSP response
 with the handshake.
+The following TLS options specify a value in the form of a key=value pair:
+.Ar ciphers ,
+which allows the supported TLS ciphers to be specified (see
+.Xr tls_config_set_ciphers 3
+for further details);
+.Ar protocols ,
+which allows the supported TLS protocols to be specified (see
+.Xr tls_config_parse_protocols 3
+for further details).
 It is illegal to specify TLS options if not using TLS.
 .Pp
 For IPv4 TOS value
@@ -497,10 +502,15 @@ the source port, with a timeout of 5 seconds:
 .Pp
 .Dl $ nc -p 31337 -w 5 host.example.com 42
 .Pp
+Open a TCP connection to port 443 of www.example.com, and negotiate TLS with
+any supported TLS protocol version and "compat" ciphers:
+.Pp
+.Dl $ nc -cv -T protocols=all -T ciphers=compat www.example.com 443
+.Pp
 Open a TCP connection to port 443 of www.google.ca, and negotiate TLS.
-Check for a different name in the certificate for validation.
+Check for a different name in the certificate for validation:
 .Pp
-.Dl $  nc -v -c -e adsf.au.doubleclick.net www.google.ca 443
+.Dl $ nc -cv -e adsf.au.doubleclick.net www.google.ca 443
 .Pp
 Open a UDP connection to port 53 of host.example.com:
 .Pp

Modified: vendor/netcat/dist/netcat.c
==============================================================================
--- vendor/netcat/dist/netcat.c	Fri May 10 17:29:37 2019	(r347451)
+++ vendor/netcat/dist/netcat.c	Fri May 10 17:29:44 2019	(r347452)
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.187 2017/07/15 17:27:39 jsing Exp $ */
+/* $OpenBSD: netcat.c,v 1.190 2018/03/19 16:35:29 jsing Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -68,12 +68,10 @@
 #define BUFSIZE		16384
 #define DEFAULT_CA_FILE	"/etc/ssl/cert.pem"
 
-#define TLS_ALL	(1 << 1)
-#define TLS_NOVERIFY	(1 << 2)
-#define TLS_NONAME	(1 << 3)
-#define TLS_CCERT	(1 << 4)
-#define TLS_MUSTSTAPLE	(1 << 5)
-#define TLS_COMPAT	(1 << 6)
+#define TLS_NOVERIFY	(1 << 1)
+#define TLS_NONAME	(1 << 2)
+#define TLS_CCERT	(1 << 3)
+#define TLS_MUSTSTAPLE	(1 << 4)
 
 /* Command Line Options */
 int	dflag;					/* detached, no stdin */
@@ -108,6 +106,8 @@ int	tls_cachanged;				/* Using non-default CA file */
 int     TLSopt;					/* TLS options */
 char	*tls_expectname;			/* required name in peer cert */
 char	*tls_expecthash;			/* required hash of peer cert */
+char	*tls_ciphers;				/* TLS ciphers */
+char	*tls_protocols;				/* TLS protocols */
 FILE	*Zflag;					/* file to save peer cert */
 
 int recvcount, recvlimit;
@@ -135,8 +135,8 @@ int	unix_bind(char *, int);
 int	unix_connect(char *);
 int	unix_listen(char *);
 void	set_common_sockopts(int, int);
-int	map_tos(char *, int *);
-int	map_tls(char *, int *);
+int	process_tos_opt(char *, int *);
+int	process_tls_opt(char *, int *);
 void	save_peer_cert(struct tls *_tls_ctx, FILE *_fp);
 void	report_connect(const struct sockaddr *, socklen_t, char *);
 void	report_tls(struct tls *tls_ctx, char * host);
@@ -161,6 +161,7 @@ main(int argc, char *argv[])
 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
 	struct tls_config *tls_cfg = NULL;
 	struct tls *tls_ctx = NULL;
+	uint32_t protocols;
 
 	ret = 1;
 	socksv = 5;
@@ -324,9 +325,9 @@ main(int argc, char *argv[])
 		case 'T':
 			errstr = NULL;
 			errno = 0;
-			if (map_tos(optarg, &Tflag))
+			if (process_tls_opt(optarg, &TLSopt))
 				break;
-			if (map_tls(optarg, &TLSopt))
+			if (process_tos_opt(optarg, &Tflag))
 				break;
 			if (strlen(optarg) > 1 && optarg[0] == '0' &&
 			    optarg[1] == 'x')
@@ -402,8 +403,6 @@ main(int argc, char *argv[])
 		errx(1, "cannot use -c and -F");
 	if (TLSopt && !usetls)
 		errx(1, "you must specify -c to use TLS options");
-	if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT))
-		errx(1, "cannot use -T tlsall and -T tlscompat");
 	if (Cflag && !usetls)
 		errx(1, "you must specify -c to use -C");
 	if (Kflag && !usetls)
@@ -485,8 +484,6 @@ main(int argc, char *argv[])
 	}
 
 	if (usetls) {
-		if (tls_init() == -1)
-			errx(1, "unable to initialize TLS");
 		if ((tls_cfg = tls_config_new()) == NULL)
 			errx(1, "unable to allocate TLS config");
 		if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1)
@@ -497,14 +494,12 @@ main(int argc, char *argv[])
 			errx(1, "%s", tls_config_error(tls_cfg));
 		if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
 			errx(1, "%s", tls_config_error(tls_cfg));
-		if (TLSopt & (TLS_ALL|TLS_COMPAT)) {
-			if (tls_config_set_protocols(tls_cfg,
-			    TLS_PROTOCOLS_ALL) != 0)
-				errx(1, "%s", tls_config_error(tls_cfg));
-			if (tls_config_set_ciphers(tls_cfg,
-			    (TLSopt & TLS_ALL) ? "all" : "compat") != 0)
-				errx(1, "%s", tls_config_error(tls_cfg));
-		}
+		if (tls_config_parse_protocols(&protocols, tls_protocols) == -1)
+			errx(1, "invalid TLS protocols `%s'", tls_protocols);
+		if (tls_config_set_protocols(tls_cfg, protocols) == -1)
+			errx(1, "%s", tls_config_error(tls_cfg));
+		if (tls_config_set_ciphers(tls_cfg, tls_ciphers) == -1)
+			errx(1, "%s", tls_config_error(tls_cfg));
 		if (!lflag && (TLSopt & TLS_CCERT))
 			errx(1, "clientcert is only valid with -l");
 		if (TLSopt & TLS_NONAME)
@@ -563,13 +558,12 @@ main(int argc, char *argv[])
 				 * initially to wait for a caller, then use
 				 * the regular functions to talk to the caller.
 				 */
-				int rv, plen;
-				char buf[16384];
+				int rv;
+				char buf[2048];
 				struct sockaddr_storage z;
 
 				len = sizeof(z);
-				plen = 2048;
-				rv = recvfrom(s, buf, plen, MSG_PEEK,
+				rv = recvfrom(s, buf, sizeof(buf), MSG_PEEK,
 				    (struct sockaddr *)&z, &len);
 				if (rv < 0)
 					err(1, "recvfrom");
@@ -1510,7 +1504,7 @@ set_common_sockopts(int s, int af)
 }
 
 int
-map_tos(char *s, int *val)
+process_tos_opt(char *s, int *val)
 {
 	/* DiffServ Codepoints and other TOS mappings */
 	const struct toskeywords {
@@ -1558,24 +1552,41 @@ map_tos(char *s, int *val)
 }
 
 int
-map_tls(char *s, int *val)
+process_tls_opt(char *s, int *flags)
 {
+	size_t len;
+	char *v;
+
 	const struct tlskeywords {
 		const char	*keyword;
-		int		 val;
+		int		 flag;
+		char		**value;
 	} *t, tlskeywords[] = {
-		{ "tlsall",		TLS_ALL },
-		{ "noverify",		TLS_NOVERIFY },
-		{ "noname",		TLS_NONAME },
-		{ "clientcert",		TLS_CCERT},
-		{ "muststaple",		TLS_MUSTSTAPLE},
-		{ "tlscompat",		TLS_COMPAT },
-		{ NULL,			-1 },
+		{ "ciphers",		-1,			&tls_ciphers },
+		{ "clientcert",		TLS_CCERT,		NULL },
+		{ "muststaple",		TLS_MUSTSTAPLE,		NULL },
+		{ "noverify",		TLS_NOVERIFY,		NULL },
+		{ "noname",		TLS_NONAME,		NULL },
+		{ "protocols",		-1,			&tls_protocols },
+		{ NULL,			-1,			NULL },
 	};
 
+	len = strlen(s);
+	if ((v = strchr(s, '=')) != NULL) {
+		len = v - s;
+		v++;
+	}
+
 	for (t = tlskeywords; t->keyword != NULL; t++) {
-		if (strcmp(s, t->keyword) == 0) {
-			*val |= t->val;
+		if (strlen(t->keyword) == len &&
+		    strncmp(s, t->keyword, len) == 0) {
+			if (t->value != NULL) {
+				if (v == NULL)
+					errx(1, "invalid tls value `%s'", s);
+				*t->value = v;
+			} else {
+				*flags |= t->flag;
+			}
 			return 1;
 		}
 	}