fix previous;

2 files changed, 48 insertions, 31 deletions

diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index 8cb96e8734..461e9e41be 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: nc.1,v 1.69 2015/09/11 21:07:01 beck Exp $
+.\"     $OpenBSD: nc.1,v 1.70 2015/09/12 07:56:56 jmc Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 11 2015 $
+.Dd $Mdocdate: September 12 2015 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -34,12 +34,17 @@
 .Sh SYNOPSIS
 .Nm nc
 .Bk -words
-.Op Fl 46DdFhklNnrStUuvz
+.Op Fl 46cDdFhklNnrStUuvz
+.Op Fl C Ar certfile
+.Op Fl e Ar name
+.Op Fl H Ar hash
 .Op Fl I Ar length
 .Op Fl i Ar interval
+.Op Fl K Ar keyfile
 .Op Fl O Ar length
 .Op Fl P Ar proxy_username
 .Op Fl p Ar source_port
+.Op Fl R Ar CAfile
 .Op Fl s Ar source
 .Op Fl T Ar keyword
 .Op Fl V Ar rtable
@@ -98,17 +103,19 @@ to use IPv4 addresses only.
 Forces
 .Nm
 to use IPv6 addresses only.
-.It Fl C Ar certificate_filename
+.It Fl C Ar certfile
 Specifies the filename from which the public key part of the TLS
-certificate is loaded, in PEM format. May only be used with TLS.
+certificate is loaded, in PEM format.
+May only be used with TLS.
 .It Fl c
-If using a TCP socket to connect or listen, use TLS. Illegal if not using TCP sockets.
+If using a TCP socket to connect or listen, use TLS.
+Illegal if not using TCP sockets.
 .It Fl D
 Enable debugging on the socket.
 .It Fl d
 Do not attempt to read from stdin.
 .It Fl e Ar name
-specify the name that must be present in the peer certificate when using TLS.
+Specify the name that must be present in the peer certificate when using TLS.
 Illegal if not using TLS.
 .It Fl F
 Pass the first connected socket using
@@ -125,7 +132,7 @@ using the
 .Xr ssh_config 5
 .Cm ProxyUseFdpass
 option).
-.It Fl H Ar hash_string
+.It Fl H Ar hash
 Specifies the required hash string of the peer certificate when using TLS.
 The string format required is that used by
 .Xr tls_peer_cert_hash 3 .
@@ -139,9 +146,10 @@ Specifies the size of the TCP receive buffer.
 .It Fl i Ar interval
 Specifies a delay time interval between lines of text sent and received.
 Also causes a delay time between connections to multiple ports.
-.It Fl K Ar key_filename
+.It Fl K Ar keyfile
 Specifies the filename from which the private key
-is loaded in PEM format. May only be used with TLS.
+is loaded in PEM format.
+May only be used with TLS.
 .It Fl k
 Forces
 .Nm
@@ -188,10 +196,11 @@ should use, subject to privilege restrictions and availability.
 It is an error to use this option in conjunction with the
 .Fl l
 option.
-.It Fl R Ar CA_filename
-Specifies the filename from which the root CA bundle for Certificate
-verification is loaded in pem format. Illegal if not using TLS.
-Default value is
+.It Fl R Ar CAfile
+Specifies the filename from which the root CA bundle for certificate
+verification is loaded, in PEM format.
+Illegal if not using TLS.
+The default is
 .Pa /etc/ssl/cert.pem .
 .It Fl r
 Specifies that source and/or destination ports should be chosen randomly
@@ -214,14 +223,15 @@ For TLS options
 .Ar keyword
 may be one of
 .Ar tlslegacy ,
-which allows legacy TLS protocols,
+which allows legacy TLS protocols;
 .Ar noverify ,
-which disables certificate verification
+which disables certificate verification;
 .Ar noname ,
-which disables certificate name checking, or
-.Ar clientcert,
-which requires a client certificate on incoming connections .
+which disables certificate name checking; or
+.Ar clientcert ,
+which requires a client certificate on incoming connections.
 It is illegal to specify TLS options if not using TLS.
+.Pp
 For IPv4 TOS value
 .Ar keyword
 may be one of
@@ -463,8 +473,8 @@ the source port, with a timeout of 5 seconds:
 .Pp
 .Dl $ nc -p 31337 -w 5 host.example.com 42
 .Pp
-Open a TCP connection to port 443 of www.google.ca, and negotiate
-TLS. Check for a different name in the certificate for validation.
+Open a TCP connection to port 443 of www.google.ca, and negotiate TLS.
+Check for a different name in the certificate for validation.
 .Pp
 .Dl $  nc -v -c -e adsf.au.doubleclick.net www.google.ca 443
 .Pp
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index bbd8de0522..acb97870a0 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.134 2015/09/11 21:22:54 deraadt Exp $ */
+/* $OpenBSD: netcat.c,v 1.135 2015/09/12 07:56:56 jmc Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -1499,12 +1499,17 @@ help(void)
         fprintf(stderr, "\tCommand Summary:\n\
         \t-4            Use IPv4\n\
         \t-6            Use IPv6\n\
+        \t-C certfile   Public key file\n\
+        \t-c            Use TLS\n\
         \t-D            Enable the debug socket option\n\
         \t-d            Detach from stdin\n\
+        \t-e name\t     Required name in peer certificate\n\
         \t-F            Pass socket fd\n\
+        \t-H hash\t     Hash string of peer certificate\n\
         \t-h            This help text\n\
         \t-I length     TCP receive buffer length\n\
-        \t-i secs\t     Delay interval for lines sent, ports scanned\n\
+        \t-i interval   Delay interval for lines sent, ports scanned\n\
+        \t-K keyfile    Private key file\n\
         \t-k            Keep inbound sockets open for multiple connects\n\
         \t-l            Listen mode, for inbound connects\n\
         \t-N            Shutdown the network socket after EOF on stdin\n\
@@ -1512,16 +1517,17 @@ help(void)
         \t-O length     TCP send buffer length\n\
         \t-P proxyuser\tUsername for proxy authentication\n\
         \t-p port\t     Specify local port for remote connects\n\
+        \t-R CAfile     CA bundle\n\
         \t-r            Randomize remote ports\n\
         \t-S            Enable the TCP MD5 signature option\n\
-        \t-s addr\t     Local source address\n\
-        \t-T toskeyword\tSet IP Type of Service\n\
+        \t-s source     Local source address\n\
+        \t-T keyword    TOS value or TLS options\n\
         \t-t            Answer TELNET negotiation\n\
         \t-U            Use UNIX domain socket\n\
         \t-u            UDP mode\n\
         \t-V rtable     Specify alternate routing table\n\
         \t-v            Verbose\n\
-        \t-w secs\t     Timeout for connects and final net reads\n\
+        \t-w timeout    Timeout for connects and final net reads\n\
         \t-X proto      Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
         \t-x addr[:port]\tSpecify proxy address and port\n\
         \t-z            Zero-I/O mode [used for scanning]\n\
@@ -1533,11 +1539,12 @@ void
 usage(int ret)
 {
         fprintf(stderr,
-            "usage: nc [-46cDdFhklNnrStUuvz] [-C certfile] [-e name] \n"
-            "\t  [-I length] [-i interval] [-H hash] [-K keyfile] [-O length]\n"
-            "\t  [-P proxy_username] [-p source_port] [-R cafile] [-s source]\n"
-            "\t  [-T tls|toskeyword] [-V rtable] [-w timeout]\n"
-            "\t  [-X proxy_protocol] [-x proxy_address[:port]]\n"
+            "usage: nc [-46cDdFhklNnrStUuvz] [-C certfile] [-e name] "
+            "[-H hash] [-I length]\n"
+            "\t  [-i interval] [-K keyfile] [-O length] [-P proxy_username]\n"
+            "\t  [-p source_port] [-R CAfile] [-s source] "
+            "[-T keyword] [-V rtable]\n"
+            "\t  [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]\n"
             "\t  [destination] [port]\n");
         if (ret)
                 exit(1);