2 files changed, 19 insertions, 4 deletions

diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index 8c7790f72a..2dda57af92 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: nc.1,v 1.76 2016/11/04 07:34:17 jmc Exp $
+.\"     $OpenBSD: nc.1,v 1.77 2016/11/05 15:13:26 beck Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 4 2016 $
+.Dd $Mdocdate: November 5 2016 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -43,6 +43,7 @@
 .Op Fl M Ar ttl
 .Op Fl m Ar minttl
 .Op Fl O Ar length
+.Op Fl o Ar staplefile
 .Op Fl P Ar proxy_username
 .Op Fl p Ar source_port
 .Op Fl R Ar CAfile
@@ -187,6 +188,12 @@ Do not do any DNS or service lookups on any specified addresses,
 hostnames or ports.
 .It Fl O Ar length
 Specifies the size of the TCP send buffer.
+.It Fl o Ar staplefile
+Specifies the filename from which to load data to be stapled
+during the TLS handshake.
+The file is expected to contain an OSCP response from an OCSP server in 
+DER format. 
+May only be used with TLS and when a certificate is being used.
 .It Fl P Ar proxy_username
 Specifies a username to present to a proxy server that requires authentication.
 If no username is specified then authentication will not be attempted.
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index b71c0426dc..4a841fb96d 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.167 2016/11/04 05:13:13 beck Exp $ */
+/* $OpenBSD: netcat.c,v 1.168 2016/11/05 15:13:26 beck Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -100,6 +100,7 @@ int	rtableid = -1;
 int     usetls;                                 /* use TLS */
 char    *Cflag;                                 /* Public cert file */
 char    *Kflag;                                 /* Private key file */
+char    *oflag;                                 /* OCSP stapling file */
 char    *Rflag = DEFAULT_CA_FILE;               /* Root CA file */
 int     tls_cachanged;                          /* Using non-default CA file */
 int     TLSopt;                                 /* TLS options */
@@ -163,7 +164,7 @@ main(int argc, char *argv[])
         signal(SIGPIPE, SIG_IGN);
 
         while ((ch = getopt(argc, argv,
-            "46C:cDde:FH:hI:i:K:klM:m:NnO:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
+            "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
                 switch (ch) {
                 case '4':
                         family = AF_INET;
@@ -295,6 +296,9 @@ main(int argc, char *argv[])
                                 errx(1, "TCP send window %s: %s",
                                     errstr, optarg);
                         break;
+                case 'o':
+                        oflag = optarg;
+                        break;
                 case 'S':
                         Sflag = 1;
                         break;
@@ -380,6 +384,8 @@ main(int argc, char *argv[])
                 errx(1, "you must specify -c to use -C");
         if (Kflag && !usetls)
                 errx(1, "you must specify -c to use -K");
+        if (oflag && !Cflag)
+                errx(1, "you must specify -C to use -o");
         if (tls_cachanged && !usetls)
                 errx(1, "you must specify -c to use -R");
         if (tls_expecthash && !usetls)
@@ -455,6 +461,8 @@ main(int argc, char *argv[])
                         errx(1, "%s", tls_config_error(tls_cfg));
                 if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1)
                         errx(1, "%s", tls_config_error(tls_cfg));
+                if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
+                        errx(1, "%s", tls_config_error(tls_cfg));
                 if (TLSopt & TLS_LEGACY) {
                         tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL);
                         tls_config_set_ciphers(tls_cfg, "all");