Accepting request 648975 from network:utilities

OBS-URL: https://build.opensuse.org/request/show/648975 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/netcat-openbsd?expand=0&rev=24
2018-11-26 09:16:01 +00:00 · 2018-11-26 09:16:01 +00:00 · afd0012796
commit afd0012796
parent 61299b044f ffb1f958b4
19 changed files with 1029 additions and 695 deletions
--- a/broadcast-support.patch
+++ b/broadcast-support.patch
@ -0,0 +1,89 @@
 From: Aron Xu <aron@debian.org>
 Date: Mon, 13 Feb 2012 19:06:52 +0800
 Subject: broadcast support
 ---
 nc.1     |    4 +++-
 netcat.c |   22 ++++++++++++++++++++--
 2 files changed, 23 insertions(+), 3 deletions(-)
 --- a/nc.1
 +++ b/nc.1
@@ -33,7 +33,7 @@
 .Nd arbitrary TCP and UDP connections and listens
 .Sh SYNOPSIS
 .Nm nc
 -.Op Fl 46CDdFhklNnrStUuvZz
 +.Op Fl 46bCDdFhklNnrStUuvZz
 .Op Fl I Ar length
 .Op Fl i Ar interval
 .Op Fl M Ar ttl
@@ -93,6 +93,8 @@ The options are as follows:
 Use IPv4 addresses only.
 .It Fl 6
 Use IPv6 addresses only.
 +.It Fl b
 +Allow broadcast.
 .It Fl C
 Send CRLF as line-ending.  Each line feed (LF) character from the input
 data is translated into CR+LF before being written to the socket.  Line
 --- a/netcat.c
 +++ b/netcat.c
@@ -133,6 +133,7 @@
 #define UDP_SCAN_TIMEOUT 3			/* Seconds */
 /* Command Line Options */
 +int	bflag;					/* Allow Broadcast */
 int	dflag;					/* detached, no stdin */
 int	Fflag;					/* fdpass sock to stdout */
 unsigned int iflag;				/* Interval Flag */
@@ -261,9 +262,9 @@ main(int argc, char *argv[])
 	while ((ch = getopt(argc, argv,
 # if defined(TLS)
 -	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vW:w:X:x:Z:z"))
 +	    "46bC:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vW:w:X:x:Z:z"))
 # else
 -	    "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vW:w:X:x:Zz"))
 +	    "46bCDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vW:w:X:x:Zz"))
 # endif
 	    != -1) {
 		switch (ch) {
@@ -273,6 +274,13 @@ main(int argc, char *argv[])
 		case '6':
 			family = AF_INET6;
 			break;
 +		case 'b':
 +# if defined(SO_BROADCAST)
 +			bflag = 1;
 +# else
 +			errx(1, "no broadcast frame support available");
 +# endif
 +			break;
 		case 'U':
 			family = AF_UNIX;
 			break;
@@ -1843,6 +1851,15 @@ set_common_sockopts(int s, int af)
 {
 	int x = 1;
 +# if defined(SO_BROADCAST)
 +	if (bflag) {
 +		/* allow datagram sockets to send packets to a broadcast address
 +		 * (this option has no effect on stream-oriented sockets) */
 +		if (setsockopt(s, SOL_SOCKET, SO_BROADCAST,
 +			&x, sizeof(x)) == -1)
 +			err(1, NULL);
 +	}
 +# endif
 # if defined(TCP_MD5SIG)
 	if (Sflag) {
 		if (setsockopt(s, IPPROTO_TCP, TCP_MD5SIG,
@@ -2122,6 +2139,7 @@ help(void)
 	fprintf(stderr, "\tCommand Summary:\n\
 	\t-4		Use IPv4\n\
 	\t-6		Use IPv6\n\
 +	\t-b		Allow broadcast\n\
 	\t-C		Send CRLF as line-ending\n\
 	\t-D		Enable the debug socket option\n\
 	\t-d		Detach from stdin\n\
--- a/compile-without-TLS-support.patch
+++ b/compile-without-TLS-support.patch
@ -1,15 +1,15 @@
 From: Guilhem Moulin <guilhem@debian.org>
 Date: Fri, 09 Jun 2017 13:21:23 +0200
-Subject: compile without TLS support
+Subject: build without TLS support
-tls.h isn't available in libsd-dev, and -C is already taken for
+tls.h isn't available in libsd-dev, and TLS supports adds options (-C, -Z)
-CRLF line-ending in the Debian-specific patches.
+that are already used by our Debian-specific patches.
 ---
 Makefile |    2 
- nc.1     |   63 -----------------------
+ nc.1     |  114 ++---------------------------------------
- netcat.c |  166 +++++++++++++++++++++++++++++++++++++++++++++++++++++----------
+ netcat.c |  172 +++++++++++++++++++++++++++++++++++++++++++++++++++++----------
- 3 files changed, 144 insertions(+), 87 deletions(-)
+ 3 files changed, 152 insertions(+), 136 deletions(-)
 --- a/Makefile
 +++ b/Makefile
@ -46,145 +46,219 @@ CRLF line-ending in the Debian-specific patches.
 .Op Fl s Ar source
 .Op Fl T Ar keyword
 .Op Fl V Ar rtable
-@@ -101,20 +95,10 @@ to use IPv4 addresses only.
+@@ -54,7 +48,6 @@
- Forces
+ .Op Fl w Ar timeout
- .Nm
+ .Op Fl X Ar proxy_protocol
- to use IPv6 addresses only.
+ .Op Fl x Ar proxy_address Ns Op : Ns Ar port
 -.Op Fl Z Ar peercertfile
 .Op Ar destination
 .Op Ar port
 .Sh DESCRIPTION
@@ -99,28 +92,10 @@ The options are as follows:
 Use IPv4 addresses only.
 .It Fl 6
 Use IPv6 addresses only.
 -.It Fl C Ar certfile
-Specifies the filename from which the public key part of the TLS
+-Load the public key part of the TLS peer certificate from
-certificate is loaded, in PEM format.
+-.Ar certfile ,
-May only be used with TLS.
+-in PEM format.
 -Requires
 -.Fl c .
 -.It Fl c
-If using a TCP socket to connect or listen, use TLS.
+-Use TLS to connect or listen.
-Illegal if not using TCP sockets.
+-Cannot be used together with any of the options
 -.Fl FuU .
 .It Fl D
 Enable debugging on the socket.
 .It Fl d
 Do not attempt to read from stdin.
 -.It Fl e Ar name
-Specify the name that must be present in the peer certificate when using TLS.
+-Only accept the TLS peer certificate if it contains the
-Illegal if not using TLS.
+-.Ar name .
 -Requires
 -.Fl c .
 -If not specified,
 -.Ar destination
 -is used.
 .It Fl F
 Pass the first connected socket using
 .Xr sendmsg 2
-@@ -130,11 +114,6 @@ using the
+@@ -137,18 +112,7 @@ using the
 .Xr ssh_config 5
 .Cm ProxyUseFdpass
 option).
 Cannot be used with
 -.Fl c
 -or
 .Fl U .
 -.It Fl H Ar hash
-Specifies the required hash string of the peer certificate when using TLS.
+-Only accept the TLS peer certificate if its hash returned from
-The string format required is that used by
+-.Xr tls_peer_cert_hash 3
-.Xr tls_peer_cert_hash 3 .
+-matches
-Illegal if not using TLS, and may not be used with -T noverify.
+-.Ar hash .
 -Requires
 -.Fl c
 -and cannot be used with
 -.Fl T Cm noverify .
 .It Fl h
- Prints out
+ Print out the
 .Nm
-@@ -144,10 +123,6 @@ Specifies the size of the TCP receive bu
+@@ -160,12 +124,6 @@ Sleep for
- .It Fl i Ar interval
+ .Ar interval
- Specifies a delay time interval between lines of text sent and received.
+ seconds between lines of text sent and received.
 Also causes a delay time between connections to multiple ports.
 -.It Fl K Ar keyfile
-Specifies the filename from which the private key
+-Load the TLS private key from
-is loaded in PEM format.
+-.Ar keyfile ,
-May only be used with TLS.
+-in PEM format.
 -Requires
 -.Fl c .
 .It Fl k
- Forces
+ When a connection is completed, listen for another one.
- .Nm
+ Requires
-@@ -188,12 +163,6 @@ Do not do any DNS or service lookups on
+@@ -196,15 +154,6 @@ Do not do any DNS or service lookups on
 hostnames or ports.
 .It Fl O Ar length
- Specifies the size of the TCP send buffer.
+ Specify the size of the TCP send buffer.
 -.It Fl o Ar staplefile
-Specifies the filename from which to load data to be stapled
+-During the TLS handshake, load data to be stapled from
-during the TLS handshake.
+-.Ar staplefile ,
-The file is expected to contain an OCSP response from an OCSP server in
+-which is expected to contain an OCSP response from an OCSP server in
 -DER format.
-May only be used with TLS and when a certificate is being used.
+-Requires
 -.Fl c
 -and
 -.Fl C .
 .It Fl P Ar proxy_username
 Specifies a username to present to a proxy server that requires authentication.
 If no username is specified then authentication will not be attempted.
-@@ -202,12 +171,6 @@ Proxy authentication is only supported f
+@@ -213,13 +162,6 @@ Proxy authentication is only supported f
- Specifies the source port
+ Specify the source port
 .Nm
 should use, subject to privilege restrictions and availability.
 -.It Fl R Ar CAfile
-Specifies the filename from which the root CA bundle for certificate
+-Load the root CA bundle for TLS certificate verification from
-verification is loaded, in PEM format.
+-.Ar CAfile ,
-Illegal if not using TLS.
+-in PEM format, instead of
 -The default is
 -.Pa /etc/ssl/cert.pem .
 -Requires
 -.Fl c .
 .It Fl r
- Specifies that source and/or destination ports should be chosen randomly
+ Choose source and/or destination ports randomly
 instead of sequentially within a range or in the order that the system
-@@ -224,24 +187,7 @@ It is an error to use this option in con
+@@ -239,35 +181,7 @@ Cannot be used together with
- .Fl l
+ or
- option.
+ .Fl x .
 .It Fl T Ar keyword
-Change IPv4 TOS value or TLS options.
+-Change the IPv4 TOS/IPv6 traffic class value or the TLS options.
-For TLS options
+-.Pp
 -For TLS options,
 -.Ar keyword
-may be one of
+-may be one of:
-.Ar tlsall ;
+-.Cm noverify ,
 -which allows the use of all supported TLS protocols and ciphers,
 -.Ar noverify ;
 -which disables certificate verification;
-.Ar noname ,
+-.Cm noname ,
 -which disables certificate name checking;
-.Ar clientcert ,
+-.Cm clientcert ,
 -which requires a client certificate on incoming connections; or
-.Ar muststaple ,
+-.Cm muststaple ,
 -which requires the peer to provide a valid stapled OCSP response
 -with the handshake.
-It is illegal to specify TLS options if not using TLS.
+-The following TLS options specify a value in the form of a
 -.Ar key Ns = Ns Ar value
 -pair:
 -.Cm ciphers ,
 -which allows the supported TLS ciphers to be specified (see
 -.Xr tls_config_set_ciphers 3
 -for further details);
 -.Cm protocols ,
 -which allows the supported TLS protocols to be specified (see
 -.Xr tls_config_parse_protocols 3
 -for further details).
 -Specifying TLS options requires
 -.Fl c .
 -.Pp
-For IPv4 TOS value
+-For the IPv4 TOS/IPv6 traffic class value,
-+Change IPv4 TOS value.
+Change the IPv4 TOS/IPv6 traffic class value.
 .Ar keyword
 may be one of
- .Ar critical ,
+ .Cm critical ,
-@@ -483,11 +429,6 @@ the source port, with a timeout of 5 sec
+@@ -291,13 +205,13 @@ to script telnet sessions.
 Use
 .Ux Ns -domain
 sockets.
 -Cannot be used together with any of the options
 -.Fl cFx .
 +Cannot be used together with
 +.Fl F
 +or
 +.Fl x .
 .It Fl u
 Use UDP instead of TCP.
 Cannot be used together with
 -.Fl c
 -or
 .Fl x .
 For
 .Ux Ns -domain
@@ -360,12 +274,6 @@ An IPv6 address can be specified unambig
 in square brackets.
 A proxy cannot be used with any of the options
 .Fl lsuU .
 -.It Fl Z Ar peercertfile
 -Save the peer certificates to
 -.Ar peercertfile ,
 -in PEM format.
 -Requires
 -.Fl c .
 .It Fl z
 Only scan for listening daemons, without sending any data to them.
 Cannot be used together with
@@ -519,16 +427,6 @@ the source port, with a timeout of 5 sec
 .Pp
 .Dl $ nc -p 31337 -w 5 host.example.com 42
 .Pp
-Open a TCP connection to port 443 of www.google.ca, and negotiate TLS.
+-Open a TCP connection to port 443 of www.example.com, and negotiate TLS with
-Check for a different name in the certificate for validation.
+-any supported TLS protocol version and "compat" ciphers:
 -.Pp
-.Dl $  nc -v -c -e adsf.au.doubleclick.net www.google.ca 443
+-.Dl $ nc -cv -T protocols=all -T ciphers=compat www.example.com 443
 -.Pp
 -Open a TCP connection to port 443 of www.google.ca, and negotiate TLS.
 -Check for a different name in the certificate for validation:
 -.Pp
 -.Dl $ nc -cv -e adsf.au.doubleclick.net www.google.ca 443
 -.Pp
 Open a UDP connection to port 53 of host.example.com:
 .Pp
 .Dl $ nc -u host.example.com 53
 --- a/netcat.c
 +++ b/netcat.c
-@@ -99,7 +99,9 @@
+@@ -98,7 +98,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
 #include <unistd.h>
 -#include <tls.h>
 +#ifdef TLS
 +# include <tls.h>
 +#endif
 #include <unistd.h>
 #include <bsd/stdlib.h>
 #include <bsd/string.h>
- #include "atomicio.h"
+@@ -113,12 +115,14 @@
-@@ -112,13 +114,15 @@
+ #define POLL_NETIN	2
- #define POLL_NETIN 2
+ #define POLL_STDOUT	3
- #define POLL_STDOUT 3
+ #define BUFSIZE		16384
- #define BUFSIZE 16384
+-#define DEFAULT_CA_FILE	"/etc/ssl/cert.pem"
 -#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
 +#ifdef TLS
-+# define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
+# define DEFAULT_CA_FILE	"/etc/ssl/cert.pem"
-#define TLS_ALL	(1 << 1)
+-#define TLS_NOVERIFY	(1 << 1)
-#define TLS_NOVERIFY	(1 << 2)
+-#define TLS_NONAME	(1 << 2)
-#define TLS_NONAME	(1 << 3)
+-#define TLS_CCERT	(1 << 3)
-#define TLS_CCERT	(1 << 4)
+-#define TLS_MUSTSTAPLE	(1 << 4)
-#define TLS_MUSTSTAPLE	(1 << 5)
+# define TLS_NOVERIFY	(1 << 1)
-+# define TLS_ALL	(1 << 1)
+# define TLS_NONAME	(1 << 2)
-+# define TLS_NOVERIFY	(1 << 2)
+# define TLS_CCERT	(1 << 3)
-+# define TLS_NONAME	(1 << 3)
+# define TLS_MUSTSTAPLE	(1 << 4)
 +# define TLS_CCERT	(1 << 4)
 +# define TLS_MUSTSTAPLE	(1 << 5)
 +#endif
 /* Command Line Options */
@ -197,18 +271,18 @@ CRLF line-ending in the Debian-specific patches.
 int	usetls;					/* use TLS */
 char    *Cflag;					/* Public cert file */
 char    *Kflag;					/* Private key file */
-@@ -153,6 +158,7 @@ int	tls_cachanged;				/* Using non-defau
+@@ -156,6 +161,7 @@ char	*tls_expecthash;			/* required hash
- int     TLSopt;					/* TLS options */
+ char	*tls_ciphers;				/* TLS ciphers */
- char	*tls_expectname;			/* required name in peer cert */
+ char	*tls_protocols;				/* TLS protocols */
- char	*tls_expecthash;			/* required hash of peer cert */
+ FILE	*Zflag;					/* file to save peer cert */
 +# endif
 int recvcount, recvlimit;
 int timeout = -1;
- int family = AF_UNSPEC;
+@@ -170,10 +176,16 @@ int	strtoport(char *portstr, int udp);
@@ -165,10 +171,16 @@ void	atelnet(int, unsigned char *, unsig
 void	build_ports(char *);
- void	help(void);
+ void	help(void) __attribute__((noreturn));
- int	local_listen(char *, char *, struct addrinfo);
+ int	local_listen(const char *, const char *, struct addrinfo);
 +# if defined(TLS)
 void	readwrite(int, struct tls *);
 +# else
@ -222,16 +296,17 @@ CRLF line-ending in the Debian-specific patches.
 int	timeout_connect(int, const struct sockaddr *, socklen_t);
 int	socks_connect(const char *, const char *, struct addrinfo,
 	    const char *, const char *, struct addrinfo, int, const char *);
-@@ -178,14 +190,23 @@ int	unix_connect(char *);
+@@ -183,15 +195,24 @@ int	unix_connect(char *);
 int	unix_listen(char *);
 void	set_common_sockopts(int, int);
- int	map_tos(char *, int *);
+ int	process_tos_opt(char *, int *);
 +# if defined(TLS)
- int	map_tls(char *, int *);
+ int	process_tls_opt(char *, int *);
 void	save_peer_cert(struct tls *_tls_ctx, FILE *_fp);
 +# endif
 void	report_connect(const struct sockaddr *, socklen_t, char *);
 +# if defined(TLS)
- void	report_tls(struct tls *tls_ctx, char * host, char *tls_expectname);
+ void	report_tls(struct tls *tls_ctx, char * host);
 +# endif
 void	usage(int);
 +# if defined(TLS)
@ -246,7 +321,7 @@ CRLF line-ending in the Debian-specific patches.
 int
 main(int argc, char *argv[])
-@@ -200,8 +221,10 @@ main(int argc, char *argv[])
+@@ -206,8 +227,10 @@ main(int argc, char *argv[])
 	const char *errstr;
 	struct addrinfo proxyhints;
 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
@ -254,22 +329,22 @@ CRLF line-ending in the Debian-specific patches.
 	struct tls_config *tls_cfg = NULL;
 	struct tls *tls_ctx = NULL;
 +# endif
 	uint32_t protocols;
 	ret = 1;
- 	socksv = 5;
+@@ -219,7 +242,11 @@ main(int argc, char *argv[])
@@ -212,7 +235,11 @@ main(int argc, char *argv[])
 	signal(SIGPIPE, SIG_IGN);
 	while ((ch = getopt(argc, argv,
 +# if defined(TLS)
- 	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
+ 	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vW:w:X:x:Z:z"))
 +# else
-+	    "46DdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vw:X:x:z")) != -1) {
+	    "46DdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vW:w:X:x:z"))
 +# endif
 	    != -1) {
 		switch (ch) {
 		case '4':
- 			family = AF_INET;
+@@ -241,24 +268,30 @@ main(int argc, char *argv[])
@@ -233,24 +260,30 @@ main(int argc, char *argv[])
 			else
 				errx(1, "unsupported proxy protocol");
 			break;
@ -300,7 +375,7 @@ CRLF line-ending in the Debian-specific patches.
 		case 'h':
 			help();
 			break;
-@@ -259,9 +292,11 @@ main(int argc, char *argv[])
+@@ -267,9 +300,11 @@ main(int argc, char *argv[])
 			if (errstr)
 				errx(1, "interval %s: %s", errstr, optarg);
 			break;
@ -312,7 +387,7 @@ CRLF line-ending in the Debian-specific patches.
 		case 'k':
 			kflag = 1;
 			break;
-@@ -290,10 +325,12 @@ main(int argc, char *argv[])
+@@ -298,10 +333,12 @@ main(int argc, char *argv[])
 		case 'p':
 			pflag = optarg;
 			break;
@ -325,7 +400,22 @@ CRLF line-ending in the Debian-specific patches.
 		case 'r':
 			rflag = 1;
 			break;
-@@ -348,9 +385,11 @@ main(int argc, char *argv[])
+@@ -343,12 +380,14 @@ main(int argc, char *argv[])
 			if ((proxy = strdup(optarg)) == NULL)
 				err(1, NULL);
 			break;
 +# if defined(TLS)
 		case 'Z':
 			if (strcmp(optarg, "-") == 0)
 				Zflag = stderr;
 			else if ((Zflag = fopen(optarg, "w")) == NULL)
 				err(1, "can't open %s", optarg);
 			break;
 +# endif
 		case 'z':
 			zflag = 1;
 			break;
@@ -367,9 +406,11 @@ main(int argc, char *argv[])
 				errx(1, "TCP send window %s: %s",
 				    errstr, optarg);
 			break;
@ -337,18 +427,18 @@ CRLF line-ending in the Debian-specific patches.
 		case 'S':
 # if defined(TCP_MD5SIG)
 			Sflag = 1;
-@@ -363,8 +402,10 @@ main(int argc, char *argv[])
+@@ -380,8 +421,10 @@ main(int argc, char *argv[])
 		case 'T':
 			errstr = NULL;
 			errno = 0;
 			if (map_tos(optarg, &Tflag))
 				break;
 +# if defined(TLS)
- 			if (map_tls(optarg, &TLSopt))
+ 			if (process_tls_opt(optarg, &TLSopt))
 				break;
 +# endif
 			if (process_tos_opt(optarg, &Tflag))
 				break;
 			if (strlen(optarg) > 1 && optarg[0] == '0' &&
- 			    optarg[1] == 'x')
+@@ -391,7 +434,11 @@ main(int argc, char *argv[])
 				Tflag = (int)strtol(optarg, NULL, 16);
@@ -372,7 +413,11 @@ main(int argc, char *argv[])
 				Tflag = (int)strtonum(optarg, 0, 255,
 				    &errstr);
 			if (Tflag < 0 || Tflag > 255 || errstr || errno)
@ -360,7 +450,19 @@ CRLF line-ending in the Debian-specific patches.
 			break;
 		default:
 			usage(1);
-@@ -411,12 +456,15 @@ main(int argc, char *argv[])
+@@ -428,6 +475,7 @@ main(int argc, char *argv[])
 	} else
 		usage(1);
 +# if defined(TLS)
 	if (usetls) {
 		if (Cflag && unveil(Cflag, "r") == -1)
 			err(1, "unveil");
@@ -450,15 +498,19 @@ main(int argc, char *argv[])
 				err(1, "unveil");
 		}
 	}
 +# endif
 	if (!lflag && kflag)
 		errx(1, "must use -l with -k");
@ -376,7 +478,7 @@ CRLF line-ending in the Debian-specific patches.
 	if (Fflag && usetls)
 		errx(1, "cannot use -c and -F");
 	if (TLSopt && !usetls)
-@@ -433,6 +481,7 @@ main(int argc, char *argv[])
+@@ -477,6 +529,7 @@ main(int argc, char *argv[])
 		errx(1, "you must specify -c to use -H");
 	if (tls_expectname && !usetls)
 		errx(1, "you must specify -c to use -e");
@ -384,27 +486,25 @@ CRLF line-ending in the Debian-specific patches.
 	/* Get name of temporary socket for unix datagram client */
 	if ((family == AF_UNIX) && uflag && !lflag) {
-@@ -499,6 +548,7 @@ main(int argc, char *argv[])
+@@ -543,6 +596,7 @@ main(int argc, char *argv[])
 			proxyhints.ai_flags |= AI_NUMERICHOST;
 	}
 +# if defined(TLS)
 	if (usetls) {
- 		if (Pflag) {
+ 		if ((tls_cfg = tls_config_new()) == NULL)
- 			if (pledge("stdio inet dns tty rpath", NULL) == -1)
+ 			errx(1, "unable to allocate TLS config");
-@@ -544,8 +594,11 @@ main(int argc, char *argv[])
+@@ -578,7 +632,8 @@ main(int argc, char *argv[])
 				err(1, "pledge");
 		} else if (pledge("stdio inet dns", NULL) == -1)
 			err(1, "pledge");
- 	}
+-	}
 + 	}
 +# endif
 	if (lflag) {
 +# if defined(TLS)
 		struct tls *tls_cctx = NULL;
 +# endif
 		int connfd;
 		ret = 0;
-@@ -556,6 +609,7 @@ main(int argc, char *argv[])
+@@ -589,6 +644,7 @@ main(int argc, char *argv[])
 				s = unix_listen(host);
 		}
@ -412,39 +512,42 @@ CRLF line-ending in the Debian-specific patches.
 		if (usetls) {
 			tls_config_verify_client_optional(tls_cfg);
 			if ((tls_ctx = tls_server()) == NULL)
-@@ -564,6 +618,7 @@ main(int argc, char *argv[])
+@@ -597,6 +653,7 @@ main(int argc, char *argv[])
 				errx(1, "tls configuration failed (%s)",
 				    tls_error(tls_ctx));
 		}
 +# endif
 		/* Allow only one connection at a time, but stay alive. */
 		for (;;) {
- 			if (family != AF_UNIX)
+ 			if (family != AF_UNIX) {
-@@ -575,7 +630,11 @@ main(int argc, char *argv[])
+@@ -612,7 +669,11 @@ main(int argc, char *argv[])
- 			 * receive datagrams from multiple socket pairs.
+ 				 * let it receive datagrams from multiple
- 			 */
+ 				 * socket pairs.
- 			if (uflag && kflag)
+ 				 */
 +# if defined(TLS)
 				readwrite(s, NULL);
 +# else
 +				readwrite(s);
 +# endif
- 			/*
+ 			} else if (uflag && !kflag) {
- 			 * For UDP and not -k, we will use recvfrom() initially
+ 				/*
- 			 * to wait for a caller, then use the regular functions
+ 				 * For UDP and not -k, we will use recvfrom()
-@@ -600,7 +659,11 @@ main(int argc, char *argv[])
+@@ -636,9 +697,14 @@ main(int argc, char *argv[])
 				if (vflag)
 					report_connect((struct sockaddr *)&z, len, NULL);
 +# if defined(TLS)
 				readwrite(s, NULL);
 			} else {
 				struct tls *tls_cctx = NULL;
 +# else
 +				readwrite(s);
 + 			} else {
 +# endif
- 			} else {
+ 				int connfd;
 				len = sizeof(cliaddr);
- 				connfd = accept4(s, (struct sockaddr *)&cliaddr,
+@@ -651,6 +717,7 @@ main(int argc, char *argv[])
@@ -612,6 +675,7 @@ main(int argc, char *argv[])
 				if (vflag)
 					report_connect((struct sockaddr *)&cliaddr, len,
 					    family == AF_UNIX ? host : NULL);
@ -452,17 +555,18 @@ CRLF line-ending in the Debian-specific patches.
 				if ((usetls) &&
 				    (tls_cctx = tls_setup_server(tls_ctx, connfd, host)))
 					readwrite(connfd, tls_cctx);
-@@ -622,6 +686,9 @@ main(int argc, char *argv[])
+@@ -660,6 +727,10 @@ main(int argc, char *argv[])
- 					tls_free(tls_cctx);
+ 					timeout_tls(s, tls_cctx, tls_close);
- 					tls_cctx = NULL;
+ 				close(connfd);
- 				}
+ 				tls_free(tls_cctx);
 +# else
 +				readwrite(connfd);
 + 				close(connfd);
 +# endif
 				close(connfd);
 			}
- 			if (family != AF_UNIX)
+ 			if (family == AF_UNIX && uflag) {
-@@ -639,7 +706,11 @@ main(int argc, char *argv[])
+ 				if (connect(s, NULL, 0) < 0)
@@ -674,7 +745,11 @@ main(int argc, char *argv[])
 		if ((s = unix_connect(host)) > 0) {
 			if (!zflag)
@ -474,15 +578,15 @@ CRLF line-ending in the Debian-specific patches.
 			close(s);
 		} else
 			ret = 1;
-@@ -659,6 +730,7 @@ main(int argc, char *argv[])
+@@ -693,6 +768,7 @@ main(int argc, char *argv[])
 		for (s = -1, i = 0; portlist[i] != NULL; i++) {
 			if (s != -1)
 				close(s);
 +# if defined(TLS)
- 			if (usetls) {
+ 			tls_free(tls_ctx);
- 				if ((tls_ctx = tls_client()) == NULL)
+ 			tls_ctx = NULL;
- 					errx(1, "tls client creation failed");
+ 
-@@ -666,6 +738,7 @@ main(int argc, char *argv[])
+@@ -703,6 +779,7 @@ main(int argc, char *argv[])
 					errx(1, "tls configuration failed (%s)",
 					    tls_error(tls_ctx));
 			}
@ -490,7 +594,7 @@ CRLF line-ending in the Debian-specific patches.
 			if (xflag)
 				s = socks_connect(host, portlist[i], hints,
 				    proxy, proxyport, proxyhints, socksv,
-@@ -703,6 +776,7 @@ main(int argc, char *argv[])
+@@ -740,6 +817,7 @@ main(int argc, char *argv[])
 			}
 			if (Fflag)
 				fdpass(s);
@ -498,9 +602,9 @@ CRLF line-ending in the Debian-specific patches.
 			else {
 				if (usetls)
 					tls_setup_client(tls_ctx, s, host);
-@@ -714,13 +788,19 @@ main(int argc, char *argv[])
+@@ -748,13 +826,19 @@ main(int argc, char *argv[])
- 					tls_ctx = NULL;
+ 				if (tls_ctx)
- 				}
+ 					timeout_tls(s, tls_ctx, tls_close);
 			}
 +# else
 +			else if (!zflag)
@ -511,22 +615,22 @@ CRLF line-ending in the Debian-specific patches.
 	if (s != -1)
 		close(s);
 +# if defined(TLS)
 	tls_free(tls_ctx);
 	tls_config_free(tls_cfg);
 +# endif
- 	exit(ret);
+ 	return ret;
 }
-@@ -759,6 +839,7 @@ unix_bind(char *path, int flags)
+@@ -794,6 +878,7 @@ unix_bind(char *path, int flags)
- 	return (s);
+ 	return s;
 }
 +# if defined(TLS)
 int
 timeout_tls(int s, struct tls *tls_ctx, int (*func)(struct tls *))
 {
-@@ -840,6 +921,7 @@ tls_setup_server(struct tls *tls_ctx, in
+@@ -880,6 +965,7 @@ tls_setup_server(struct tls *tls_ctx, in
 	}
 	return NULL;
 }
@ -534,7 +638,7 @@ CRLF line-ending in the Debian-specific patches.
 /*
  * unix_connect()
-@@ -1052,7 +1134,11 @@ local_listen(char *host, char *port, str
+@@ -1092,7 +1178,11 @@ local_listen(const char *host, const cha
  * Loop that polls on the network file descriptor and stdin.
  */
 void
@ -546,7 +650,7 @@ CRLF line-ending in the Debian-specific patches.
 {
 	struct pollfd pfd[4];
 	int stdin_fd = STDIN_FILENO;
-@@ -1152,12 +1238,17 @@ readwrite(int net_fd, struct tls *tls_ct
+@@ -1192,12 +1282,17 @@ readwrite(int net_fd, struct tls *tls_ct
 		/* try to read from stdin */
 		if (pfd[POLL_STDIN].revents & POLLIN && stdinbufpos < BUFSIZE) {
 			ret = fillbuf(pfd[POLL_STDIN].fd, stdinbuf,
@ -565,7 +669,7 @@ CRLF line-ending in the Debian-specific patches.
 				pfd[POLL_STDIN].fd = -1;
 			/* read something - poll net out */
 			if (stdinbufpos > 0)
-@@ -1169,12 +1260,17 @@ readwrite(int net_fd, struct tls *tls_ct
+@@ -1209,12 +1304,17 @@ readwrite(int net_fd, struct tls *tls_ct
 		/* try to write to network */
 		if (pfd[POLL_NETOUT].revents & POLLOUT && stdinbufpos > 0) {
 			ret = drainbuf(pfd[POLL_NETOUT].fd, stdinbuf,
@ -584,7 +688,7 @@ CRLF line-ending in the Debian-specific patches.
 				pfd[POLL_NETOUT].fd = -1;
 			/* buffer empty - remove self from polling */
 			if (stdinbufpos == 0)
-@@ -1186,12 +1282,17 @@ readwrite(int net_fd, struct tls *tls_ct
+@@ -1226,12 +1326,17 @@ readwrite(int net_fd, struct tls *tls_ct
 		/* try to read from network */
 		if (pfd[POLL_NETIN].revents & POLLIN && netinbufpos < BUFSIZE) {
 			ret = fillbuf(pfd[POLL_NETIN].fd, netinbuf,
@ -603,7 +707,7 @@ CRLF line-ending in the Debian-specific patches.
 				pfd[POLL_NETIN].fd = -1;
 			/* eof on net in - remove from pfd */
 			if (ret == 0) {
-@@ -1212,12 +1313,17 @@ readwrite(int net_fd, struct tls *tls_ct
+@@ -1258,12 +1363,17 @@ readwrite(int net_fd, struct tls *tls_ct
 		/* try to write to stdout */
 		if (pfd[POLL_STDOUT].revents & POLLOUT && netinbufpos > 0) {
 			ret = drainbuf(pfd[POLL_STDOUT].fd, netinbuf,
@ -622,7 +726,7 @@ CRLF line-ending in the Debian-specific patches.
 				pfd[POLL_STDOUT].fd = -1;
 			/* buffer empty - remove self from polling */
 			if (netinbufpos == 0)
-@@ -1241,19 +1347,29 @@ readwrite(int net_fd, struct tls *tls_ct
+@@ -1287,19 +1397,29 @@ readwrite(int net_fd, struct tls *tls_ct
 }
 ssize_t
@ -652,7 +756,7 @@ CRLF line-ending in the Debian-specific patches.
 	if (n <= 0)
 		return n;
 	/* adjust buffer */
-@@ -1265,19 +1381,29 @@ drainbuf(int fd, unsigned char *buf, siz
+@@ -1311,19 +1431,29 @@ drainbuf(int fd, unsigned char *buf, siz
 }
 ssize_t
@ -682,15 +786,15 @@ CRLF line-ending in the Debian-specific patches.
 	if (n <= 0)
 		return n;
 	*bufpos += n;
-@@ -1581,6 +1707,7 @@ map_tos(char *s, int *val)
+@@ -1641,6 +1771,7 @@ process_tos_opt(char *s, int *val)
- 	return (0);
+ 	return 0;
 }
 +# if defined(TLS)
 int
- map_tls(char *s, int *val)
+ process_tls_opt(char *s, int *flags)
 {
-@@ -1662,6 +1789,7 @@ report_tls(struct tls * tls_ctx, char *
+@@ -1754,6 +1885,7 @@ report_tls(struct tls * tls_ctx, char *
 	}
 }
@ -698,7 +802,7 @@ CRLF line-ending in the Debian-specific patches.
 void
 report_connect(const struct sockaddr *sa, socklen_t salen, char *path)
-@@ -1704,17 +1832,12 @@ help(void)
+@@ -1796,17 +1928,12 @@ help(void)
 	fprintf(stderr, "\tCommand Summary:\n\
 	\t-4		Use IPv4\n\
 	\t-6		Use IPv6\n\
@ -716,7 +820,7 @@ CRLF line-ending in the Debian-specific patches.
 	\t-k		Keep inbound sockets open for multiple connects\n\
 	\t-l		Listen mode, for inbound connects\n\
 	\t-M ttl		Outgoing TTL / Hop Limit\n\
-@@ -1722,14 +1845,12 @@ help(void)
+@@ -1814,14 +1941,12 @@ help(void)
 	\t-N		Shutdown the network socket after EOF on stdin\n\
 	\t-n		Suppress name/port resolutions\n\
 	\t-O length	TCP send buffer length\n\
@ -732,7 +836,15 @@ CRLF line-ending in the Debian-specific patches.
 	\t-t		Answer TELNET negotiation\n\
 	\t-U		Use UNIX domain socket\n\
 	\t-u		UDP mode\n\
-@@ -1747,11 +1868,8 @@ void
+@@ -1831,7 +1956,6 @@ help(void)
 	\t-w timeout	Timeout for connects and final net reads\n\
 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
 	\t-x addr[:port]\tSpecify proxy address and port\n\
 -	\t-Z		Peer certificate file\n\
 	\t-z		Zero-I/O mode [used for scanning]\n\
 	Port numbers can be individual or ranges: lo-hi [inclusive]\n");
 	exit(0);
@@ -1841,15 +1965,11 @@ void
 usage(int ret)
 {
 	fprintf(stderr,
@ -743,6 +855,10 @@ CRLF line-ending in the Debian-specific patches.
 -	    "[-R CAfile]\n"
 +	    "usage: nc [-46DdFhklNnrStUuvz] [-I length] [-i interval] [-M ttl]\n"
 +	    "\t  [-m minttl] [-O length] [-P proxy_username] [-p source_port]\n"
- 	    "\t  [-s source] [-T keyword] [-V rtable] [-w timeout] "
+ 	    "\t  [-s source] [-T keyword] [-V rtable] [-W recvlimit] "
- 	    "[-X proxy_protocol]\n"
+ 	    "[-w timeout]\n"
- 	    "\t  [-x proxy_address[:port]] [destination] [port]\n");
+ 	    "\t  [-X proxy_protocol] [-x proxy_address[:port]] "
 -	    "[-Z peercertfile]\n"
 	    "\t  [destination] [port]\n");
 	if (ret)
 		exit(1);
--- a/connect-timeout.patch
+++ b/connect-timeout.patch
@ -17,7 +17,7 @@ Subject: connect timeout
 #include <netdb.h>
 #include <poll.h>
@@ -124,6 +125,10 @@
- # define TLS_MUSTSTAPLE	(1 << 5)
+ # define TLS_MUSTSTAPLE	(1 << 4)
 #endif
 +#define CONNECTION_SUCCESS 0
@ -27,7 +27,7 @@ Subject: connect timeout
 /* Command Line Options */
 int	dflag;					/* detached, no stdin */
 int	Fflag;					/* fdpass sock to stdout */
-@@ -208,6 +213,9 @@ ssize_t drainbuf(int, unsigned char *, s
+@@ -214,6 +219,9 @@ ssize_t drainbuf(int, unsigned char *, s
 ssize_t fillbuf(int, unsigned char *, size_t *);
 # endif
@ -37,7 +37,7 @@ Subject: connect timeout
 int
 main(int argc, char *argv[])
 {
-@@ -1022,11 +1030,14 @@ remote_connect(const char *host, const c
+@@ -1066,11 +1074,14 @@ remote_connect(const char *host, const c
 		set_common_sockopts(s, res->ai_family);
@ -54,8 +54,8 @@ Subject: connect timeout
 		save_errno = errno;
 		close(s);
-@@ -1067,6 +1078,69 @@ timeout_connect(int s, const struct sock
+@@ -1111,6 +1122,69 @@ timeout_connect(int s, const struct sock
- 	return (ret);
+ 	return ret;
 }
 +static int connect_with_timeout(int fd, const struct sockaddr *sa,
--- a/dccp-support.patch
+++ b/dccp-support.patch
@ -4,8 +4,8 @@ Subject: dccp support
 ---
 nc.1     |    4 ++
- netcat.c |   93 +++++++++++++++++++++++++++++++++++++++++++++++++++++----------
+ netcat.c |   89 +++++++++++++++++++++++++++++++++++++++++++++++++++++----------
- 2 files changed, 82 insertions(+), 15 deletions(-)
+ 2 files changed, 79 insertions(+), 14 deletions(-)
 --- a/nc.1
 +++ b/nc.1
@ -18,15 +18,15 @@ Subject: dccp support
 .Op Fl I Ar length
 .Op Fl i Ar interval
 .Op Fl M Ar ttl
-@@ -286,6 +286,8 @@ for SOCKS, 3128 for HTTPS).
+@@ -289,6 +289,8 @@ An IPv6 address can be specified unambig
 An IPv6 address can be specified unambiguously by enclosing
 .Ar proxy_address
 in square brackets.
 A proxy cannot be used with any of the options
 .Fl lsuU .
 +.It Fl Z
 +DCCP mode.
 .It Fl z
- Specifies that
+ Only scan for listening daemons, without sending any data to them.
- .Nm
+ Cannot be used together with
 --- a/netcat.c
 +++ b/netcat.c
@@ -147,6 +147,7 @@ int	rflag;					/* Random ports flag */
@ -37,7 +37,7 @@ Subject: dccp support
 int	vflag;					/* Verbosity */
 int	xflag;					/* Socks proxy */
 int	zflag;					/* Port Scan Flag */
-@@ -219,6 +220,7 @@ ssize_t drainbuf(int, unsigned char *, s
+@@ -225,6 +226,7 @@ ssize_t drainbuf(int, unsigned char *, s
 ssize_t fillbuf(int, unsigned char *, size_t *);
 # endif
@ -45,19 +45,16 @@ Subject: dccp support
 static int connect_with_timeout(int fd, const struct sockaddr *sa,
         socklen_t salen, int ctimeout);
-@@ -252,9 +254,9 @@ main(int argc, char *argv[])
+@@ -261,7 +263,7 @@ main(int argc, char *argv[])
 	while ((ch = getopt(argc, argv,
 # if defined(TLS)
-	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
+ 	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vW:w:X:x:Z:z"))
 +	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vw:X:x:Zz")) != -1) {
 # else
-	    "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vw:X:x:z")) != -1) {
+-	    "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vW:w:X:x:z"))
-+	    "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vw:X:x:Zz")) != -1) {
+	    "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vW:w:X:x:Zz"))
 # endif
 	    != -1) {
 		switch (ch) {
- 		case '4':
+@@ -378,6 +380,13 @@ main(int argc, char *argv[])
@@ -370,6 +372,13 @@ main(int argc, char *argv[])
 		case 'u':
 			uflag = 1;
 			break;
@ -71,12 +68,10 @@ Subject: dccp support
 		case 'V':
 # if defined(RT_TABLEID_MAX)
 			rtableid = (int)strtonum(optarg, 0,
-@@ -461,6 +470,12 @@ main(int argc, char *argv[])
+@@ -482,6 +491,10 @@ main(int argc, char *argv[])
 	/* Cruft to make sure options are clean, and used properly. */
 	if (argv[0] && !argv[1] && family == AF_UNIX) {
 + 		if (uflag)
 + 			errx(1, "cannot use -u and -U");
 +# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP)
 +		if (dccpflag)
 +			errx(1, "cannot use -Z and -U");
@ -84,7 +79,7 @@ Subject: dccp support
 		host = argv[0];
 		uport = NULL;
 	} else if (!argv[0] && lflag) {
-@@ -527,8 +542,20 @@ main(int argc, char *argv[])
+@@ -575,8 +588,20 @@ main(int argc, char *argv[])
 	if (family != AF_UNIX) {
 		memset(&hints, 0, sizeof(struct addrinfo));
 		hints.ai_family = family;
@ -107,7 +102,7 @@ Subject: dccp support
 		if (nflag)
 			hints.ai_flags |= AI_NUMERICHOST;
 	}
-@@ -536,7 +563,10 @@ main(int argc, char *argv[])
+@@ -584,7 +609,10 @@ main(int argc, char *argv[])
 	if (xflag) {
 		if (uflag)
 			errx(1, "no proxy support for UDP mode");
@ -119,7 +114,7 @@ Subject: dccp support
 		if (lflag)
 			errx(1, "no proxy support for listen");
-@@ -798,19 +828,20 @@ main(int argc, char *argv[])
+@@ -841,19 +869,20 @@ main(int argc, char *argv[])
 					}
 				}
@ -142,8 +137,8 @@ Subject: dccp support
 				    sv ? sv->s_name : "*");
 			}
 			if (Fflag)
-@@ -1017,6 +1048,24 @@ unix_listen(char *path)
+@@ -1063,6 +1092,24 @@ unix_listen(char *path)
- 	return (s);
+ 	return s;
 }
 +char *proto_name(int uflag, int dccpflag) {
@ -167,7 +162,7 @@ Subject: dccp support
 /*
  * remote_connect()
  * Returns a socket connected to a remote host. Properly binds to a local
-@@ -1047,8 +1096,21 @@ remote_connect(const char *host, const c
+@@ -1093,8 +1140,21 @@ remote_connect(const char *host, const c
 # endif
 			memset(&ahints, 0, sizeof(struct addrinfo));
 			ahints.ai_family = res->ai_family;
@ -191,7 +186,7 @@ Subject: dccp support
 			ahints.ai_flags = AI_PASSIVE;
 			if ((error = getaddrinfo(sflag, pflag, &ahints, &ares)))
 				errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -1060,15 +1122,16 @@ remote_connect(const char *host, const c
+@@ -1106,15 +1166,16 @@ remote_connect(const char *host, const c
 		}
 		set_common_sockopts(s, res->ai_family);
@ -211,7 +206,7 @@ Subject: dccp support
 		save_errno = errno;
 		close(s);
-@@ -1654,7 +1717,8 @@ build_ports(char *p)
+@@ -1706,7 +1767,8 @@ build_ports(char *p)
 	int hi, lo, cp;
 	int x = 0;
@ -221,7 +216,7 @@ Subject: dccp support
 	if (sv) {
 		if (asprintf(&portlist[0], "%d", ntohs(sv->s_port)) < 0)
 			err(1, "asprintf");
-@@ -1991,6 +2055,7 @@ help(void)
+@@ -2090,6 +2152,7 @@ help(void)
 	\t-w timeout	Timeout for connects and final net reads\n\
 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
 	\t-x addr[:port]\tSpecify proxy address and port\n\
@ -229,12 +224,12 @@ Subject: dccp support
 	\t-z		Zero-I/O mode [used for scanning]\n\
 	Port numbers can be individual or ranges: lo-hi [inclusive]\n");
 	exit(0);
-@@ -2000,7 +2065,7 @@ void
+@@ -2099,7 +2162,7 @@ void
 usage(int ret)
 {
 	fprintf(stderr,
 -	    "usage: nc [-46CDdFhklNnrStUuvz] [-I length] [-i interval] [-M ttl]\n"
 +	    "usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]\n"
 	    "\t  [-m minttl] [-O length] [-P proxy_username] [-p source_port]\n"
- 	    "\t  [-q seconds] [-s source] [-T keyword] [-V rtable] [-w timeout] "
+ 	    "\t  [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] "
- 	    "[-X proxy_protocol]\n"
+ 	    "[-w timeout]\n"
--- a/destination-port-list.patch
+++ b/destination-port-list.patch
@ -0,0 +1,191 @@
 From: Guilhem Moulin <guilhem@debian.org>
 Date: Mon, 22 Oct 2018 04:15:52 +0200
 Subject: destination port list
 ---
 nc.1     |   26 ++++++++++++++++---
 netcat.c |   86 ++++++++++++++++++++++++++++++++-------------------------------
 2 files changed, 68 insertions(+), 44 deletions(-)
 --- a/nc.1
 +++ b/nc.1
@@ -414,15 +414,35 @@ The
 flag can be used to tell
 .Nm
 to report open ports,
 -rather than initiate a connection.
 +rather than initiate a connection. Usually it's useful to turn on verbose
 +output to stderr by use this option in conjunction with
 +.Fl v
 +option.
 +.Pp
 For example:
 .Bd -literal -offset indent
 -$ nc -z host.example.com 20-30
 +$ nc \-zv host.example.com 20-30
 Connection to host.example.com 22 port [tcp/ssh] succeeded!
 Connection to host.example.com 25 port [tcp/smtp] succeeded!
 .Ed
 .Pp
 -The port range was specified to limit the search to ports 20 \- 30.
 +The port range was specified to limit the search to ports 20 \- 30, and is
 +scanned by increasing order (unless the
 +.Fl r
 +flag is set).
 +.Pp
 +You can also specify a list of ports to scan, for example:
 +.Bd -literal -offset indent
 +$ nc \-zv host.example.com http 20 22-23
 +nc: connect to host.example.com 80 (tcp) failed: Connection refused
 +nc: connect to host.example.com 20 (tcp) failed: Connection refused
 +Connection to host.example.com port [tcp/ssh] succeeded!
 +nc: connect to host.example.com 23 (tcp) failed: Connection refused
 +.Ed
 +.Pp
 +The ports are scanned by the order you given (unless the
 +.Fl r
 +flag is set).
 .Pp
 Alternatively, it might be useful to know which server software
 is running, and which versions.
 --- a/netcat.c
 +++ b/netcat.c
@@ -192,7 +192,7 @@ int minttl = -1;
 void	atelnet(int, unsigned char *, unsigned int);
 int	strtoport(char *portstr, int udp);
 -void	build_ports(char *);
 +void	build_ports(char **);
 void	help(void) __attribute__((noreturn));
 int	local_listen(const char *, const char *, struct addrinfo);
 # if defined(TLS)
@@ -243,7 +243,7 @@ int
 main(int argc, char *argv[])
 {
 	int ch, s = -1, ret, socksv;
 -	char *host, *uport;
 +	char *host, **uport;
 	struct addrinfo hints;
 	struct servent *sv;
 	socklen_t len;
@@ -524,11 +524,11 @@ main(int argc, char *argv[])
 	} else if (argv[0] && !argv[1]) {
 		if (!lflag)
 			usage(1);
 -		uport = argv[0];
 +		uport = &argv[0];
 		host = NULL;
 	} else if (argv[0] && argv[1]) {
 		host = argv[0];
 -		uport = argv[1];
 +		uport = &argv[1];
 	} else
 		usage(1);
@@ -715,7 +715,7 @@ main(int argc, char *argv[])
 			else
 				s = unix_listen(host);
 		} else
 -			s = local_listen(host, uport, hints);
 +			s = local_listen(host, *uport, hints);
 		if (s < 0)
 			err(1, NULL);
@@ -1775,57 +1775,61 @@ strtoport(char *portstr, int udp)
  * that we should try to connect to.
  */
 void
 -build_ports(char *p)
 +build_ports(char **p)
 {
 	struct servent *sv;
 	char *n;
 	int hi, lo, cp;
 	int x = 0;
 +	int i;
 	char *proto = proto_name(uflag, dccpflag);
 -	sv = getservbyname(p, proto);
 -	if (sv) {
 -		if (asprintf(&portlist[0], "%d", ntohs(sv->s_port)) < 0)
 -			err(1, "asprintf");
 -	} else if ((n = strchr(p, '-')) != NULL) {
 -		*n = '\0';
 -		n++;
 -
 -		/* Make sure the ports are in order: lowest->highest. */
 -		hi = strtoport(n, uflag);
 -		lo = strtoport(p, uflag);
 -		if (lo > hi) {
 -			cp = hi;
 -			hi = lo;
 -			lo = cp;
 -		}
 -
 -		/*
 -		 * Initialize portlist with a random permutation.  Based on
 -		 * Knuth, as in ip_randomid() in sys/netinet/ip_id.c.
 -		 */
 -		if (rflag) {
 -			for (x = 0; x <= hi - lo; x++) {
 -				cp = arc4random_uniform(x + 1);
 -				portlist[x] = portlist[cp];
 -				if (asprintf(&portlist[cp], "%d", x + lo) < 0)
 -					err(1, "asprintf");
 +	for (i = 0; p[i] != NULL; i++) {
 +		sv = getservbyname(p[i], proto);
 +		if (sv) {
 +			if (asprintf(&portlist[x], "%d", ntohs(sv->s_port)) < 0)
 +				err(1, "asprintf");
 +			x++;
 +		} else if ((n = strchr(p[i], '-')) != NULL) {
 +			*n = '\0';
 +			n++;
 +
 +			/* Make sure the ports are in order: lowest->highest. */
 +			hi = strtoport(n, uflag);
 +			lo = strtoport(p[i], uflag);
 +			if (lo > hi) {
 +				cp = hi;
 +				hi = lo;
 +				lo = cp;
 			}
 -		} else { /* Load ports sequentially. */
 +
 +			/* Load ports sequentially. */
 			for (cp = lo; cp <= hi; cp++) {
 				if (asprintf(&portlist[x], "%d", cp) < 0)
 					err(1, "asprintf");
 				x++;
 			}
 +		} else {
 +			hi = strtoport(p[i], uflag);
 +			if (asprintf(&portlist[x], "%d", hi) < 0)
 +				err(1, "asprintf");
 +			x++;
 		}
 -	} else {
 -		char *tmp;
 +	}
 -		hi = strtoport(p, uflag);
 -		if (asprintf(&tmp, "%d", hi) != -1)
 -			portlist[0] = tmp;
 -		else
 -			err(1, NULL);
 +	/*
 +	 * Initialize portlist with a random permutation using
 +	 * Fisher–Yates shuffle.
 +	 */
 +	if (rflag) {
 +		for (i = x-1; i > 0; i--) {
 +			cp = arc4random_uniform(i+1);
 +			if (cp != i) {
 +				n = portlist[i];
 +				portlist[i] = portlist[cp];
 +				portlist[cp] = n;
 +			}
 +		}
 	}
 }
--- a/get-sev-by-name.patch
+++ b/get-sev-by-name.patch
@ -8,7 +8,7 @@ Subject: get sev by name
 --- a/netcat.c
 +++ b/netcat.c
-@@ -1603,11 +1603,16 @@ strtoport(char *portstr, int udp)
+@@ -1653,11 +1653,16 @@ strtoport(char *portstr, int udp)
 void
 build_ports(char *p)
 {
--- a/misc-failures-and-features.patch
+++ b/misc-failures-and-features.patch
@ -3,10 +3,10 @@ Date: Mon, 13 Feb 2012 19:06:52 +0800
 Subject: misc failures and features
 ---
- Makefile |    3 +-
+ Makefile |    3 ++-
- nc.1     |   76 +++++++++++++++++++++++++++++++++++++++++++++++++---
+ nc.1     |   51 +++++++++++++++++++++++++++++++++++++++++++++++++++
- netcat.c |   91 ++++++++++++++++++++++++++++++++++++++++++++-------------------
+ netcat.c |   14 ++++++++++++--
- 3 files changed, 138 insertions(+), 32 deletions(-)
+ 3 files changed, 65 insertions(+), 3 deletions(-)
 --- a/Makefile
 +++ b/Makefile
@ -22,25 +22,7 @@ Subject: misc failures and features
 LDFLAGS=  -Wl,--no-add-needed
 --- a/nc.1
 +++ b/nc.1
-@@ -33,7 +33,7 @@
+@@ -365,6 +365,54 @@ and which side is being used as a
 .Nd arbitrary TCP and UDP connections and listens
 .Sh SYNOPSIS
 .Nm nc
 -.Op Fl 46CDdFhklNnrStUuvZz
 +.Op Fl 46bCDdFhklNnrStUuvZz
 .Op Fl I Ar length
 .Op Fl i Ar interval
 .Op Fl M Ar ttl
@@ -96,6 +96,8 @@ to use IPv4 addresses only.
 Forces
 .Nm
 to use IPv6 addresses only.
 +.It Fl b
 +Allow broadcast.
 .It Fl C
 Send CRLF as line-ending.
 .It Fl D
@@ -352,6 +354,54 @@ and which side is being used as a
 The connection may be terminated using an
 .Dv EOF
 .Pq Sq ^D .
@ -95,41 +77,7 @@ Subject: misc failures and features
 .Sh DATA TRANSFER
 The example in the previous section can be expanded to build a
 basic data transfer model.
-@@ -411,15 +461,30 @@ The
+@@ -517,6 +565,9 @@ Original implementation by
 flag can be used to tell
 .Nm
 to report open ports,
 -rather than initiate a connection.
 +rather than initiate a connection. Usually it's useful to turn on verbose
 +output to stderr by use this option in conjunction with
 +.Fl v
 +option.
 +.Pp
 For example:
 .Bd -literal -offset indent
 -$ nc -z host.example.com 20-30
 +$ nc \-zv host.example.com 20-30
 Connection to host.example.com 22 port [tcp/ssh] succeeded!
 Connection to host.example.com 25 port [tcp/smtp] succeeded!
 .Ed
 .Pp
 -The port range was specified to limit the search to ports 20 \- 30.
 +The port range was specified to limit the search to ports 20 \- 30, and is
 +scanned by increasing order.
 +.Pp
 +You can also specify a list of ports to scan, for example:
 +.Bd -literal -offset indent
 +$ nc \-zv host.example.com 80 20 22
 +nc: connect to host.example.com 80 (tcp) failed: Connection refused
 +nc: connect to host.example.com 20 (tcp) failed: Connection refused
 +Connection to host.example.com port [tcp/ssh] succeeded!
 +.Ed
 +.Pp
 +The ports are scanned by the order you given.
 .Pp
 Alternatively, it might be useful to know which server software
 is running, and which versions.
@@ -484,6 +549,9 @@ Original implementation by *Hobbit*
 .br
 Rewritten with IPv6 support by
 .An Eric Jackson Aq Mt ericj@monkey.org .
@ -149,29 +97,7 @@ Subject: misc failures and features
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
-@@ -136,6 +137,7 @@
+@@ -247,7 +248,10 @@ main(int argc, char *argv[])
 #define UDP_SCAN_TIMEOUT 3			/* Seconds */
 /* Command Line Options */
 +int	bflag;					/* Allow Broadcast */
 int	dflag;					/* detached, no stdin */
 int	Fflag;					/* fdpass sock to stdout */
 unsigned int iflag;				/* Interval Flag */
@@ -186,7 +188,7 @@ int ttl = -1;
 int minttl = -1;
 void	atelnet(int, unsigned char *, unsigned int);
 -void	build_ports(char *);
 +void	build_ports(char **);
 void	help(void);
 int	local_listen(char *, char *, struct addrinfo);
 # if defined(TLS)
@@ -236,11 +238,14 @@ int
 main(int argc, char *argv[])
 {
 	int ch, s = -1, ret, socksv;
 -	char *host, *uport;
 +	char *host, **uport;
 	struct addrinfo hints;
 	struct servent *sv;
 	socklen_t len;
@ -180,203 +106,40 @@ Subject: misc failures and features
 +		struct sockaddr_storage storage;
 +		struct sockaddr_un forunix;
 +	} cliaddr;
- 	char *proxy, *proxyport = NULL;
+ 	char *proxy = NULL, *proxyport = NULL;
 	const char *errstr;
 	struct addrinfo proxyhints;
-@@ -260,9 +265,9 @@ main(int argc, char *argv[])
+@@ -952,6 +956,8 @@ unix_bind(char *path, int flags)
 	while ((ch = getopt(argc, argv,
 # if defined(TLS)
 -	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vw:X:x:Zz")) != -1) {
 +	    "46bC:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vw:X:x:Zz")) != -1) {
 # else
 -	    "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vw:X:x:Zz")) != -1) {
 +	    "46bCDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vw:X:x:Zz")) != -1) {
 # endif
 		switch (ch) {
 		case '4':
@@ -271,6 +276,13 @@ main(int argc, char *argv[])
 		case '6':
 			family = AF_INET6;
 			break;
 +		case 'b':
 +# if defined(SO_BROADCAST)
 +			bflag = 1;
 +# else
 +			errx(1, "no broadcast frame support available");
 +# endif
 +			break;
 		case 'U':
 			family = AF_UNIX;
 			break;
@@ -479,32 +491,39 @@ main(int argc, char *argv[])
 	/* Cruft to make sure options are clean, and used properly. */
 	if (argv[0] && !argv[1] && family == AF_UNIX) {
 - 		if (uflag)
 - 			errx(1, "cannot use -u and -U");
 # if defined(IPPROTO_DCCP) && defined(SOCK_DCCP)
 		if (dccpflag)
 			errx(1, "cannot use -Z and -U");
 # endif
 		host = argv[0];
 		uport = NULL;
 -	} else if (!argv[0] && lflag) {
 -		if (sflag)
 -			errx(1, "cannot use -s and -l");
 -		if (zflag)
 -			errx(1, "cannot use -z and -l");
 -		if (pflag)
 -			uport=pflag;
 -	} else if (argv[0] && !argv[1]) {
 -		if  (!lflag)
 -			usage(1);
 -		uport = argv[0];
 +	} else if (argv[0] && !argv[1] && lflag) {
 +		if (pflag) {
 +			uport = &pflag;
 +			host = argv[0];
 +		} else {
 +			uport = argv;
 +			host = NULL;
 +		}
 +	} else if (!argv[0] && lflag && pflag) {
 +		uport = &pflag;
 		host = NULL;
 	} else if (argv[0] && argv[1]) {
 		host = argv[0];
 -		uport = argv[1];
 + 		uport = &argv[1];
 	} else
 		usage(1);
 +	if (lflag) {
 +		if (sflag)
 +			errx(1, "cannot use -s and -l");
 +		if (zflag)
 +			errx(1, "cannot use -z and -l");
 +		if (pflag)
 +			/* This still does not work well because of getopt mess
 +			errx(1, "cannot use -p and -l"); */
 +			uport = &pflag;
 +	}
 	if (!lflag && kflag)
 		errx(1, "must use -l with -k");
 # if defined(TLS)
@@ -674,7 +693,7 @@ main(int argc, char *argv[])
 			else
 				s = unix_listen(host);
 		} else
 -			s = local_listen(host, uport, hints);
 +			s = local_listen(host, *uport, hints);
 		if (s < 0)
 			err(1, NULL);
@@ -683,7 +702,8 @@ main(int argc, char *argv[])
 			local = ":::";
 		else
 			local = "0.0.0.0";
 -		fprintf(stderr, "Listening on [%s] (family %d, port %d)\n",
 +		if (vflag && (family != AF_UNIX))
 +		fprintf(stderr, "Listening on [%s] (family %d, port %s)\n",
 			host ?: local,
 			family,
 			*uport);
@@ -898,6 +918,8 @@ unix_bind(char *path, int flags)
 	    0)) < 0)
- 		return (-1);
+ 		return -1;
-+        unlink(path);
+	unlink(path);
 +
 	memset(&s_un, 0, sizeof(struct sockaddr_un));
 	s_un.sun_family = AF_UNIX;
-@@ -1015,8 +1037,10 @@ unix_connect(char *path)
+@@ -1075,8 +1081,10 @@ unix_connect(char *path)
 		if ((s = unix_bind(unix_dg_tmp_socket, SOCK_CLOEXEC)) < 0)
- 			return (-1);
+ 			return -1;
 	} else {
 -		if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) < 0)
 +		if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) < 0) {
-+ 			errx(1,"create unix socket failed");
+			errx(1, "create unix socket failed");
- 			return (-1);
+ 			return -1;
 +		}
 	}
 	memset(&s_un, 0, sizeof(struct sockaddr_un));
-@@ -1026,10 +1050,12 @@ unix_connect(char *path)
+@@ -1086,10 +1094,12 @@ unix_connect(char *path)
 	    sizeof(s_un.sun_path)) {
 		close(s);
 		errno = ENAMETOOLONG;
-+ 		warn("unix connect abandoned");
+		warn("unix connect abandoned");
- 		return (-1);
+ 		return -1;
 	}
 	if (connect(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) {
 		save_errno = errno;
-+ 		warn("unix connect failed");
+		warn("unix connect failed");
 		close(s);
 		errno = save_errno;
- 		return (-1);
+ 		return -1;
@@ -1718,25 +1744,26 @@ strtoport(char *portstr, int udp)
  * that we should try to connect to.
  */
 void
 -build_ports(char *p)
 +build_ports(char **p)
 {
 	struct servent *sv;
 	char *n;
 	int hi, lo, cp;
 	int x = 0;
 +	int i;
 	char *proto = proto_name(uflag, dccpflag);
 -	sv = getservbyname(p, proto);
 +	sv = getservbyname(*p, proto);
 	if (sv) {
 		if (asprintf(&portlist[0], "%d", ntohs(sv->s_port)) < 0)
 			err(1, "asprintf");
 -	} else if ((n = strchr(p, '-')) != NULL) {
 +	} else if ((n = strchr(*p, '-')) != NULL) {
 		*n = '\0';
 		n++;
 		/* Make sure the ports are in order: lowest->highest. */
 		hi = strtoport(n, uflag);
 -		lo = strtoport(p, uflag);
 +		lo = strtoport(*p, uflag);
 		if (lo > hi) {
 			cp = hi;
 			hi = lo;
@@ -1764,7 +1791,7 @@ build_ports(char *p)
 	} else {
 		char *tmp;
 -		hi = strtoport(p, uflag);
 +		hi = strtoport(*p, uflag);
 		if (asprintf(&tmp, "%d", hi) != -1)
 			portlist[0] = tmp;
 		else
@@ -1802,6 +1829,15 @@ set_common_sockopts(int s, const struct
 	int x = 1;
 	int af = sa->sa_family;
 +# if defined(SO_BROADCAST)
 +	if (bflag) {
 +		/* allow datagram sockets to send packets to a broadcast address
 +		 * (this option has no effect on stream-oriented sockets) */
 +		if (setsockopt(s, SOL_SOCKET, SO_BROADCAST,
 +			&x, sizeof(x)) == -1)
 +			err(1, NULL);
 +	}
 +# endif
 # if defined(TCP_MD5SIG) && defined(TCP_MD5SIG_MAXKEYLEN)
 	if (Sflag) {
 		struct tcp_md5sig sig;
@@ -2042,6 +2078,7 @@ help(void)
 	fprintf(stderr, "\tCommand Summary:\n\
 	\t-4		Use IPv4\n\
 	\t-6		Use IPv6\n\
 +	\t-b		Allow broadcast\n\
 	\t-C		Send CRLF as line-ending\n\
 	\t-D		Enable the debug socket option\n\
 	\t-d		Detach from stdin\n\
--- a/netcat-openbsd.changes
+++ b/netcat-openbsd.changes
@ -1,3 +1,26 @@
 -------------------------------------------------------------------
 Wed Nov 14 13:12:29 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
 - Update to 1.195 release matching with debian
 - Added new patches:
  * broadcast-support.patch
  * build-without-TLS-support.patch
  * destination-port-list.patch
  * use-flags-to-specify-listen-address.patch
 - Refreshed patches:
  * connect-timeout.patch
  * dccp-support.patch
  * get-sev-by-name.patch
  * misc-failures-and-features.patch
  * port-to-linux-with-libsd.patch
  * quit-timer.patch
  * send-crlf.patch
  * serialized-handling-multiple-clients.patch
  * set-TCP-MD5SIG-correctly-for-client-connections.patch
  * udp-scan-timeout.patch
  * verbose-numeric-port.patch
 - Drop patch compile-without-TLS-support.patch, renamed
 -------------------------------------------------------------------
 Mon Jul 17 13:11:34 UTC 2017 - tchvatal@suse.com
--- a/netcat-openbsd.spec
+++ b/netcat-openbsd.spec
@ -1,7 +1,7 @@
 #
 # spec file for package netcat-openbsd
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,21 +12,21 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 Name:           netcat-openbsd
-Version:        1.178
+Version:        1.195
 Release:        0
 Summary:        TCP/IP swiss army knife
 License:        BSD-3-Clause
 Group:          Productivity/Networking/Other
-Url:            http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/nc/
+URL:            http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/nc/
 Source0:        http://http.debian.net/debian/pool/main/n/netcat-openbsd/netcat-openbsd_%{version}.orig.tar.gz
-#Patches from: http://http.debian.net/debian/pool/main/n/netcat-openbsd/netcat-openbsd_%{version}-2.debian.tar.xz
+#Patches from: http://http.debian.net/debian/pool/main/n/netcat-openbsd/netcat-openbsd_%{version}-1.debian.tar.xz
 Patch0:         port-to-linux-with-libsd.patch
-Patch1:         compile-without-TLS-support.patch
+Patch1:         build-without-TLS-support.patch
 Patch2:         connect-timeout.patch
 Patch3:         get-sev-by-name.patch
 Patch4:         send-crlf.patch
@ -34,9 +34,12 @@ Patch5:         quit-timer.patch
 Patch6:         udp-scan-timeout.patch
 Patch7:         verbose-numeric-port.patch
 Patch8:         dccp-support.patch
-Patch9:         serialized-handling-multiple-clients.patch
+Patch9:         broadcast-support.patch
-Patch10:        set-TCP-MD5SIG-correctly-for-client-connections.patch
+Patch10:        serialized-handling-multiple-clients.patch
-Patch11:        misc-failures-and-features.patch
+Patch11:        set-TCP-MD5SIG-correctly-for-client-connections.patch
 Patch12:        destination-port-list.patch
 Patch13:        use-flags-to-specify-listen-address.patch
 Patch14:        misc-failures-and-features.patch
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(libbsd)
 Provides:       nc6 = %{version}
@ -73,7 +76,7 @@ ln -s -f nc.1%{ext_man} %{buildroot}/%{_mandir}/man1/netcat.1%{ext_man}
 %files
 %{_bindir}/nc
 %{_bindir}/netcat
-%{_mandir}/man1/nc.1%{ext_man}
+%{_mandir}/man1/nc.1%{?ext_man}
-%{_mandir}/man1/netcat.1%{ext_man}
+%{_mandir}/man1/netcat.1%{?ext_man}
 %changelog
--- a/netcat-openbsd_1.178.orig.tar.gz
+++ b/netcat-openbsd_1.178.orig.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:918330a41ee8ea938144ab1c59fa27533654ebff983bfb5255f730a3d9b06239
 size 21630
--- a/netcat-openbsd_1.195.orig.tar.gz
+++ b/netcat-openbsd_1.195.orig.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:0e283b2a214313c69447cd962c528ac19afb3ddfe606b25de6d179f187cde4c3
 size 22480
--- a/port-to-linux-with-libsd.patch
+++ b/port-to-linux-with-libsd.patch
@ -3,11 +3,11 @@ Date: Mon, 13 Feb 2012 15:59:31 +0800
 Subject: port to linux with libsd
 ---
- Makefile |   15 +++++++-
+ Makefile |   15 ++++++-
- nc.1     |    4 --
+ nc.1     |    3 -
- netcat.c |  118 +++++++++++++++++++++++++++++++++++++++++++++++----------------
+ netcat.c |  131 ++++++++++++++++++++++++++++++++++++++++++++++++---------------
- socks.c  |   46 ++++++++++++------------
+ socks.c  |   46 +++++++++++-----------
- 4 files changed, 127 insertions(+), 56 deletions(-)
+ 4 files changed, 139 insertions(+), 56 deletions(-)
 --- a/Makefile
 +++ b/Makefile
@ -32,24 +32,23 @@ Subject: port to linux with libsd
 +	rm -f $(OBJS) nc
 --- a/nc.1
 +++ b/nc.1
-@@ -202,9 +202,6 @@ Proxy authentication is only supported f
+@@ -213,8 +213,6 @@ Proxy authentication is only supported f
- Specifies the source port
+ Specify the source port
 .Nm
 should use, subject to privilege restrictions and availability.
-It is an error to use this option in conjunction with the
+-Cannot be used together with
-.Fl l
+-.Fl l .
 -option.
 .It Fl R Ar CAfile
- Specifies the filename from which the root CA bundle for certificate
+ Load the root CA bundle for TLS certificate verification from
- verification is loaded, in PEM format.
+ .Ar CAfile ,
-@@ -249,6 +246,7 @@ For IPv4 TOS value
+@@ -274,6 +272,7 @@ For the IPv4 TOS/IPv6 traffic class valu
 may be one of
- .Ar critical ,
+ .Cm critical ,
- .Ar inetcontrol ,
+ .Cm inetcontrol ,
-+.Ar lowcost ,
+.Cm lowcost ,
- .Ar lowdelay ,
+ .Cm lowdelay ,
- .Ar netcontrol ,
+ .Cm netcontrol ,
- .Ar throughput ,
+ .Cm throughput ,
 --- a/netcat.c
 +++ b/netcat.c
@@ -32,6 +32,8 @@
@ -113,14 +112,14 @@ Subject: port to linux with libsd
 #include <errno.h>
@@ -55,6 +100,8 @@
 #include <time.h>
 #include <unistd.h>
 #include <tls.h>
 #include <unistd.h>
 +#include <bsd/stdlib.h>
 +#include <bsd/string.h>
 #include "atomicio.h"
- #define PORT_MAX	65535
+@@ -268,10 +315,14 @@ main(int argc, char *argv[])
@@ -260,10 +307,14 @@ main(int argc, char *argv[])
 			uflag = 1;
 			break;
 		case 'V':
@ -135,7 +134,7 @@ Subject: port to linux with libsd
 			break;
 		case 'v':
 			vflag = 1;
-@@ -301,7 +352,11 @@ main(int argc, char *argv[])
+@@ -320,7 +371,11 @@ main(int argc, char *argv[])
 			oflag = optarg;
 			break;
 		case 'S':
@ -147,7 +146,7 @@ Subject: port to linux with libsd
 			break;
 		case 'T':
 			errstr = NULL;
-@@ -326,32 +381,23 @@ main(int argc, char *argv[])
+@@ -345,14 +400,23 @@ main(int argc, char *argv[])
 	argc -= optind;
 	argv += optind;
@ -155,24 +154,6 @@ Subject: port to linux with libsd
 	if (rtableid >= 0)
 		if (setrtable(rtableid) == -1)
 			err(1, "setrtable");
 -
 -	if (family == AF_UNIX) {
 -		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
 -			err(1, "pledge");
 -	} else if (Fflag) {
 -		if (Pflag) {
 -			if (pledge("stdio inet dns sendfd tty", NULL) == -1)
 -				err(1, "pledge");
 -		} else if (pledge("stdio inet dns sendfd", NULL) == -1)
 -			err(1, "pledge");
 -	} else if (Pflag) {
 -		if (pledge("stdio inet dns tty", NULL) == -1)
 -			err(1, "pledge");
 -	} else if (usetls) {
 -		if (pledge("stdio rpath inet dns", NULL) == -1)
 -			err(1, "pledge");
 -	} else if (pledge("stdio inet dns", NULL) == -1)
 -		err(1, "pledge");
 +# endif
 	/* Cruft to make sure options are clean, and used properly. */
@ -182,17 +163,38 @@ Subject: port to linux with libsd
 +	} else if (!argv[0] && lflag) {
 +		if (sflag)
 +			errx(1, "cannot use -s and -l");
 +		if (pflag)
 +			errx(1, "cannot use -p and -l");
 +		if (zflag)
 +			errx(1, "cannot use -z and -l");
 +		if (pflag)
 +			uport=pflag;
 	} else if (argv[0] && !argv[1]) {
- 		if  (!lflag)
+ 		if (!lflag)
 			usage(1);
-@@ -363,12 +409,6 @@ main(int argc, char *argv[])
+@@ -387,33 +451,6 @@ main(int argc, char *argv[])
- 	} else
+ 		}
- 		usage(1);
+ 	}
 -	if (family == AF_UNIX) {
 -		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
 -			err(1, "pledge");
 -	} else if (Fflag && Pflag) {
 -		if (pledge("stdio inet dns sendfd tty", NULL) == -1)
 -			err(1, "pledge");
 -	} else if (Fflag) {
 -		if (pledge("stdio inet dns sendfd", NULL) == -1)
 -			err(1, "pledge");
 -	} else if (Pflag && usetls) {
 -		if (pledge("stdio rpath inet dns tty", NULL) == -1)
 -			err(1, "pledge");
 -	} else if (Pflag) {
 -		if (pledge("stdio inet dns tty", NULL) == -1)
 -			err(1, "pledge");
 -	} else if (usetls) {
 -		if (pledge("stdio rpath inet dns", NULL) == -1)
 -			err(1, "pledge");
 -	} else if (pledge("stdio inet dns", NULL) == -1)
 -		err(1, "pledge");
 -
 -	if (lflag && sflag)
 -		errx(1, "cannot use -s and -l");
 -	if (lflag && pflag)
@ -202,7 +204,7 @@ Subject: port to linux with libsd
 	if (!lflag && kflag)
 		errx(1, "must use -l with -k");
 	if (uflag && usetls)
-@@ -401,8 +441,8 @@ main(int argc, char *argv[])
+@@ -448,8 +485,8 @@ main(int argc, char *argv[])
 		} else {
 			strlcpy(unix_dg_tmp_socket_buf, "/tmp/nc.XXXXXXXXXX",
 			    UNIX_DG_TMP_SOCKET_SIZE);
@ -213,7 +215,7 @@ Subject: port to linux with libsd
 			unix_dg_tmp_socket = unix_dg_tmp_socket_buf;
 		}
 	}
-@@ -880,8 +920,10 @@ remote_connect(const char *host, const c
+@@ -923,8 +960,10 @@ remote_connect(const char *host, const c
 		if (sflag || pflag) {
 			struct addrinfo ahints, *ares;
@ -224,7 +226,7 @@ Subject: port to linux with libsd
 			memset(&ahints, 0, sizeof(struct addrinfo));
 			ahints.ai_family = res->ai_family;
 			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -973,9 +1015,15 @@ local_listen(char *host, char *port, str
+@@ -1016,9 +1055,15 @@ local_listen(const char *host, const cha
 		    res->ai_protocol)) < 0)
 			continue;
@ -240,7 +242,7 @@ Subject: port to linux with libsd
 		set_common_sockopts(s, res->ai_family);
-@@ -1425,11 +1473,13 @@ set_common_sockopts(int s, int af)
+@@ -1474,11 +1519,13 @@ set_common_sockopts(int s, int af)
 {
 	int x = 1;
@ -254,33 +256,57 @@ Subject: port to linux with libsd
 	if (Dflag) {
 		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
 			&x, sizeof(x)) == -1)
-@@ -1460,8 +1510,11 @@ set_common_sockopts(int s, int af)
+@@ -1489,9 +1536,14 @@ set_common_sockopts(int s, int af)
 		    IP_TOS, &Tflag, sizeof(Tflag)) == -1)
 			err(1, "set IP ToS");
 +#if defined(IPV6_TCLASS)
 		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
 		    IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1)
 			err(1, "set IPv6 traffic class");
 +#else
 +		else if (af == AF_INET6)
 +			errx(1, "can't set IPv6 traffic class (unavailable)");
 +#endif
 	}
 	if (Iflag) {
 		if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
@@ -1509,19 +1561,34 @@ set_common_sockopts(int s, int af)
 		    IP_TTL, &ttl, sizeof(ttl)))
 			err(1, "set IP TTL");
 -		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
 +		else
 +#if defined(IPV6_UNICAST_HOPS)
-+			if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+ 		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
 		    IPV6_UNICAST_HOPS, &ttl, sizeof(ttl)))
 +#endif
 			err(1, "set IPv6 unicast hops");
 +#else
 +		else if (af == AF_INET6)
 +			errx(1, "can't set IPv6 unicast hops (unavailable)");
 +#endif
 	}
-@@ -1470,8 +1523,11 @@ set_common_sockopts(int s, int af)
+ 	if (minttl != -1) {
 +#if defined(IP_MINTTL)
 		if (af == AF_INET && setsockopt(s, IPPROTO_IP,
 		    IP_MINTTL, &minttl, sizeof(minttl)))
 			err(1, "set IP min TTL");
- 
+#else
-		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+		if (af == AF_INET)
-+		else
+			errx(1, "can't set IP min TTL (unavailable)");
 +#if defined(IPV6_MINHOPCOUNT)
 +			if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
 		    IPV6_MINHOPCOUNT, &minttl, sizeof(minttl)))
 +#endif
 +#if defined(IPV6_MINHOPCOUNT)
 		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
 		    IPV6_MINHOPCOUNT, &minttl, sizeof(minttl)))
 			err(1, "set IPv6 min hop count");
 +#else
 +		else if (af == AF_INET6)
 +			errx(1, "can't set IPv6 min hop count (unavailable)");
 +#endif
 	}
 }
-@@ -1507,6 +1563,7 @@ map_tos(char *s, int *val)
+ 
@@ -1556,6 +1623,7 @@ process_tos_opt(char *s, int *val)
 		{ "cs7",		IPTOS_DSCP_CS7 },
 		{ "ef",			IPTOS_DSCP_EF },
 		{ "inetcontrol",	IPTOS_PREC_INTERNETCONTROL },
@ -288,7 +314,7 @@ Subject: port to linux with libsd
 		{ "lowdelay",		IPTOS_LOWDELAY },
 		{ "netcontrol",		IPTOS_PREC_NETCONTROL },
 		{ "reliability",	IPTOS_RELIABILITY },
-@@ -1640,6 +1697,9 @@ report_connect(const struct sockaddr *sa
+@@ -1721,6 +1789,9 @@ report_connect(const struct sockaddr *sa
 void
 help(void)
 {
@ -298,8 +324,8 @@ Subject: port to linux with libsd
 	usage(0);
 	fprintf(stderr, "\tCommand Summary:\n\
 	\t-4		Use IPv4\n\
-@@ -1680,7 +1740,7 @@ help(void)
+@@ -1763,7 +1834,7 @@ help(void)
- 	\t-x addr[:port]\tSpecify proxy address and port\n\
+ 	\t-Z		Peer certificate file\n\
 	\t-z		Zero-I/O mode [used for scanning]\n\
 	Port numbers can be individual or ranges: lo-hi [inclusive]\n");
 -	exit(1);
@ -318,7 +344,7 @@ Subject: port to linux with libsd
 #include "atomicio.h"
 #define SOCKS_PORT	"1080"
-@@ -219,11 +219,11 @@ socks_connect(const char *host, const ch
+@@ -217,11 +217,11 @@ socks_connect(const char *host, const ch
 		buf[2] = SOCKS_NOAUTH;
 		cnt = atomicio(vwrite, proxyfd, buf, 3);
 		if (cnt != 3)
@ -332,7 +358,7 @@ Subject: port to linux with libsd
 		if (buf[1] == SOCKS_NOMETHOD)
 			errx(1, "authentication method negotiation failed");
-@@ -272,11 +272,11 @@ socks_connect(const char *host, const ch
+@@ -270,11 +270,11 @@ socks_connect(const char *host, const ch
 		cnt = atomicio(vwrite, proxyfd, buf, wlen);
 		if (cnt != wlen)
@ -346,7 +372,7 @@ Subject: port to linux with libsd
 		if (buf[1] != 0) {
 			errx(1, "connection failed, SOCKSv5 error: %s",
 			    socks5_strerror(buf[1]));
-@@ -285,12 +285,12 @@ socks_connect(const char *host, const ch
+@@ -283,12 +283,12 @@ socks_connect(const char *host, const ch
 		case SOCKS_IPV4:
 			cnt = atomicio(read, proxyfd, buf + 4, 6);
 			if (cnt != 6)
@ -361,7 +387,7 @@ Subject: port to linux with libsd
 			break;
 		default:
 			errx(1, "connection failed, unsupported address type");
-@@ -310,11 +310,11 @@ socks_connect(const char *host, const ch
+@@ -308,11 +308,11 @@ socks_connect(const char *host, const ch
 		cnt = atomicio(vwrite, proxyfd, buf, wlen);
 		if (cnt != wlen)
@ -375,7 +401,7 @@ Subject: port to linux with libsd
 		if (buf[1] != 90) {
 			errx(1, "connection failed, SOCKSv4 error: %s",
 			    socks4_strerror(buf[1]));
-@@ -328,39 +328,39 @@ socks_connect(const char *host, const ch
+@@ -326,21 +326,21 @@ socks_connect(const char *host, const ch
 		/* Try to be sane about numeric IPv6 addresses */
 		if (strchr(host, ':') != NULL) {
@ -400,12 +426,15 @@ Subject: port to linux with libsd
 +			err(1, "write failed (%zu/%d)", (size_t)cnt, (int)r);
 		if (authretry > 1) {
- 			char resp[1024];
+ 			char proxypass[256];
@@ -348,20 +348,20 @@ socks_connect(const char *host, const ch
- 			proxypass = getproxypass(proxyuser, proxyhost);
+ 			getproxypass(proxyuser, proxyhost,
 			    proxypass, sizeof proxypass);
 -			r = snprintf(buf, sizeof(buf), "%s:%s",
 +			r = snprintf((char*)buf, sizeof(buf), "%s:%s",
 			    proxyuser, proxypass);
 			explicit_bzero(proxypass, sizeof proxypass);
 			if (r == -1 || (size_t)r >= sizeof(buf) ||
 -			    b64_ntop(buf, strlen(buf), resp,
 +			    b64_ntop(buf, strlen((char*)buf), resp,
@ -421,10 +450,10 @@ Subject: port to linux with libsd
 			if ((cnt = atomicio(vwrite, proxyfd, buf, r)) != r)
 -				err(1, "write failed (%zu/%d)", cnt, r);
 +				err(1, "write failed (%zu/%d)", (size_t)cnt, r);
 			explicit_bzero(proxypass, sizeof proxypass);
 			explicit_bzero(buf, sizeof buf);
 		}
- 
+@@ -371,22 +371,22 @@ socks_connect(const char *host, const ch
 		/* Terminate headers */
@@ -368,22 +368,22 @@ socks_connect(const char *host, const ch
 			err(1, "write failed (%zu/2)", cnt);
 		/* Read status reply */
--- a/quit-timer.patch
+++ b/quit-timer.patch
@ -17,8 +17,8 @@ Subject: quit timer
 .Op Fl s Ar source
 .Op Fl T Ar keyword
 .Op Fl V Ar rtable
-@@ -173,6 +174,15 @@ Proxy authentication is only supported f
+@@ -167,6 +168,15 @@ Proxy authentication is only supported f
- Specifies the source port
+ Specify the source port
 .Nm
 should use, subject to privilege restrictions and availability.
 +.It Fl q Ar seconds
@ -31,7 +31,7 @@ Subject: quit timer
 +implies
 +.Fl N .
 .It Fl r
- Specifies that source and/or destination ports should be chosen randomly
+ Choose source and/or destination ports randomly
 instead of sequentially within a range or in the order that the system
 --- a/netcat.c
 +++ b/netcat.c
@ -43,7 +43,7 @@ Subject: quit timer
 int	rflag;					/* Random ports flag */
 char   *sflag;					/* Source Address */
 int	tflag;					/* Telnet Emulation */
-@@ -218,6 +219,8 @@ ssize_t fillbuf(int, unsigned char *, si
+@@ -224,6 +225,8 @@ ssize_t fillbuf(int, unsigned char *, si
 static int connect_with_timeout(int fd, const struct sockaddr *sa,
         socklen_t salen, int ctimeout);
@ -52,23 +52,23 @@ Subject: quit timer
 int
 main(int argc, char *argv[])
 {
-@@ -246,9 +249,9 @@ main(int argc, char *argv[])
+@@ -253,9 +256,9 @@ main(int argc, char *argv[])
 	while ((ch = getopt(argc, argv,
 # if defined(TLS)
-	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
+-	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vW:w:X:x:Z:z"))
-+	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
+	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:q:R:rSs:T:tUuV:vW:w:X:x:Z:z"))
 # else
- 	    "46CDdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vw:X:x:z")) != -1) {
+-	    "46CDdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vW:w:X:x:z"))
-+	    "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vw:X:x:z")) != -1) {
+	    "46CDdFhI:i:klM:m:NnO:P:p:q:rSs:T:tUuV:vW:w:X:x:z"))
 # endif
 	    != -1) {
 		switch (ch) {
- 		case '4':
+@@ -347,6 +350,13 @@ main(int argc, char *argv[])
@@ -339,6 +342,13 @@ main(int argc, char *argv[])
 		case 'p':
 			pflag = optarg;
 			break;
-+ 		case 'q':
+		case 'q':
 +			qflag = strtonum(optarg, INT_MIN, INT_MAX, &errstr);
 +			if (errstr)
 +				errx(1, "quit timer %s: %s", errstr, optarg);
@ -78,13 +78,13 @@ Subject: quit timer
 # if defined(TLS)
 		case 'R':
 			tls_cachanged = 1;
-@@ -1253,15 +1263,27 @@ readwrite(int net_fd)
+@@ -1297,15 +1307,27 @@ readwrite(int net_fd)
 	while (1) {
 		/* both inputs are gone, buffers are empty, we are done */
 		if (pfd[POLL_STDIN].fd == -1 && pfd[POLL_NETIN].fd == -1 &&
 -		    stdinbufpos == 0 && netinbufpos == 0)
 -			return;
-+ 		    stdinbufpos == 0 && netinbufpos == 0) {
+		    stdinbufpos == 0 && netinbufpos == 0) {
 +			if (qflag <= 0)
 +				return;
 +			goto delay_exit;
@ -96,7 +96,7 @@ Subject: quit timer
 +			if (qflag <= 0)
 +				return;
 +			goto delay_exit;
-+ 		}
+		}
 		/* listen and net in gone, queues empty, done */
 		if (lflag && pfd[POLL_NETIN].fd == -1 &&
 -		    stdinbufpos == 0 && netinbufpos == 0)
@ -108,11 +108,11 @@ Subject: quit timer
 +			close(net_fd);
 +			signal(SIGALRM, quit);
 +			alarm(qflag);
-+ 		}
+		}
 		/* poll */
 		num_fds = poll(pfd, 4, timeout);
-@@ -1936,6 +1958,7 @@ help(void)
+@@ -2032,6 +2054,7 @@ help(void)
 	\t-O length	TCP send buffer length\n\
 	\t-P proxyuser\tUsername for proxy authentication\n\
 	\t-p port\t	Specify local port for remote connects\n\
@ -120,14 +120,15 @@ Subject: quit timer
 	\t-r		Randomize remote ports\n\
 	\t-S		Enable the TCP MD5 signature option\n\
 	\t-s source	Local source address\n\
-@@ -1959,9 +1982,18 @@ usage(int ret)
+@@ -2056,10 +2079,19 @@ usage(int ret)
 	fprintf(stderr,
 	    "usage: nc [-46CDdFhklNnrStUuvz] [-I length] [-i interval] [-M ttl]\n"
 	    "\t  [-m minttl] [-O length] [-P proxy_username] [-p source_port]\n"
-	    "\t  [-s source] [-T keyword] [-V rtable] [-w timeout] "
+-	    "\t  [-s source] [-T keyword] [-V rtable] [-W recvlimit] "
-+	    "\t  [-q seconds] [-s source] [-T keyword] [-V rtable] [-w timeout] "
+	    "\t  [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] "
- 	    "[-X proxy_protocol]\n"
+ 	    "[-w timeout]\n"
- 	    "\t  [-x proxy_address[:port]] [destination] [port]\n");
+ 	    "\t  [-X proxy_protocol] [-x proxy_address[:port]] "
 	    "\t  [destination] [port]\n");
 	if (ret)
 		exit(1);
 }
--- a/send-crlf.patch
+++ b/send-crlf.patch
@ -3,9 +3,9 @@ Date: Mon, 13 Feb 2012 14:57:45 +0800
 Subject: send crlf
 ---
- nc.1     |    6 +++--
+ nc.1     |    9 ++++++-
 netcat.c |   72 +++++++++++++++++++++++++++++++++++----------------------------
- 2 files changed, 45 insertions(+), 33 deletions(-)
+ 2 files changed, 48 insertions(+), 33 deletions(-)
 --- a/nc.1
 +++ b/nc.1
@ -18,16 +18,19 @@ Subject: send crlf
 .Op Fl I Ar length
 .Op Fl i Ar interval
 .Op Fl M Ar ttl
-@@ -95,6 +95,8 @@ to use IPv4 addresses only.
+@@ -92,6 +92,11 @@ The options are as follows:
- Forces
+ Use IPv4 addresses only.
- .Nm
+ .It Fl 6
- to use IPv6 addresses only.
+ Use IPv6 addresses only.
 +.It Fl C
-+Send CRLF as line-ending.
+Send CRLF as line-ending.  Each line feed (LF) character from the input
 +data is translated into CR+LF before being written to the socket.  Line
 +feed characters that are already preceded with a carriage return (CR)
 +are not translated.  Received data is not affected.
 .It Fl D
 Enable debugging on the socket.
 .It Fl d
-@@ -379,7 +381,7 @@ More complicated examples can be built u
+@@ -377,7 +382,7 @@ More complicated examples can be built u
 of requests required by the server.
 As another example, an email may be submitted to an SMTP server using:
 .Bd -literal -offset indent
@ -38,16 +41,16 @@ Subject: send crlf
 RCPT TO:\*(Ltuser2@host.example.com\*(Gt
 --- a/netcat.c
 +++ b/netcat.c
-@@ -163,6 +163,8 @@ int	tls_cachanged;				/* Using non-defau
+@@ -166,6 +166,8 @@ char	*tls_expecthash;			/* required hash
- int     TLSopt;					/* TLS options */
+ char	*tls_ciphers;				/* TLS ciphers */
- char	*tls_expectname;			/* required name in peer cert */
+ char	*tls_protocols;				/* TLS protocols */
- char	*tls_expecthash;			/* required hash of peer cert */
+ FILE	*Zflag;					/* file to save peer cert */
 +# else
 +int	Cflag = 0;			/* CRLF line-ending */
 # endif
- int timeout = -1;
+ int recvcount, recvlimit;
-@@ -209,7 +211,7 @@ ssize_t fillbuf(int, unsigned char *, si
+@@ -215,7 +217,7 @@ ssize_t fillbuf(int, unsigned char *, si
 void	tls_setup_client(struct tls *, int, char *);
 struct tls *tls_setup_server(struct tls *, int, char *);
 # else
@ -56,16 +59,16 @@ Subject: send crlf
 ssize_t fillbuf(int, unsigned char *, size_t *);
 # endif
-@@ -246,7 +248,7 @@ main(int argc, char *argv[])
+@@ -253,7 +255,7 @@ main(int argc, char *argv[])
 # if defined(TLS)
- 	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
+ 	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vW:w:X:x:Z:z"))
 # else
-	    "46DdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vw:X:x:z")) != -1) {
+-	    "46DdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vW:w:X:x:z"))
-+ 	    "46CDdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vw:X:x:z")) != -1) {
+	    "46CDdFhI:i:klM:m:NnO:P:p:rSs:T:tUuV:vW:w:X:x:z"))
 # endif
 	    != -1) {
 		switch (ch) {
- 		case '4':
+@@ -283,6 +285,10 @@ main(int argc, char *argv[])
@@ -275,6 +277,10 @@ main(int argc, char *argv[])
 		case 'c':
 			usetls = 1;
 			break;
@ -76,7 +79,7 @@ Subject: send crlf
 # endif
 		case 'd':
 			dflag = 1;
-@@ -1257,12 +1263,6 @@ readwrite(int net_fd)
+@@ -1301,12 +1307,6 @@ readwrite(int net_fd)
 		    stdinbufpos == 0 && netinbufpos == 0)
 			return;
@ -89,7 +92,7 @@ Subject: send crlf
 		/* poll */
 		num_fds = poll(pfd, 4, timeout);
-@@ -1342,7 +1342,7 @@ readwrite(int net_fd)
+@@ -1386,7 +1386,7 @@ readwrite(int net_fd)
 				pfd[POLL_NETOUT].events = POLLOUT;
 			else
 # else
@ -98,7 +101,7 @@ Subject: send crlf
 # endif
 			if (ret == -1)
 				pfd[POLL_NETOUT].fd = -1;
-@@ -1395,7 +1395,7 @@ readwrite(int net_fd)
+@@ -1445,7 +1445,7 @@ readwrite(int net_fd)
 				pfd[POLL_STDOUT].events = POLLOUT;
 			else
 # else
@ -107,7 +110,7 @@ Subject: send crlf
 # endif
 			if (ret == -1)
 				pfd[POLL_STDOUT].fd = -1;
-@@ -1421,31 +1421,40 @@ readwrite(int net_fd)
+@@ -1471,31 +1471,40 @@ readwrite(int net_fd)
 }
 ssize_t
@ -168,7 +171,7 @@ Subject: send crlf
 	/* adjust buffer */
 	adjust = *bufpos - n;
 	if (adjust > 0)
-@@ -1911,6 +1920,7 @@ help(void)
+@@ -2007,6 +2016,7 @@ help(void)
 	fprintf(stderr, "\tCommand Summary:\n\
 	\t-4		Use IPv4\n\
 	\t-6		Use IPv6\n\
@ -176,12 +179,12 @@ Subject: send crlf
 	\t-D		Enable the debug socket option\n\
 	\t-d		Detach from stdin\n\
 	\t-F		Pass socket fd\n\
-@@ -1947,7 +1957,7 @@ void
+@@ -2044,7 +2054,7 @@ void
 usage(int ret)
 {
 	fprintf(stderr,
 -	    "usage: nc [-46DdFhklNnrStUuvz] [-I length] [-i interval] [-M ttl]\n"
 +	    "usage: nc [-46CDdFhklNnrStUuvz] [-I length] [-i interval] [-M ttl]\n"
 	    "\t  [-m minttl] [-O length] [-P proxy_username] [-p source_port]\n"
- 	    "\t  [-s source] [-T keyword] [-V rtable] [-w timeout] "
+ 	    "\t  [-s source] [-T keyword] [-V rtable] [-W recvlimit] "
- 	    "[-X proxy_protocol]\n"
+ 	    "[-w timeout]\n"
--- a/serialized-handling-multiple-clients.patch
+++ b/serialized-handling-multiple-clients.patch
@ -3,75 +3,74 @@ Date: Tue, 14 Feb 2012 23:02:00 +0800
 Subject: serialized handling multiple clients
 ---
- netcat.c |   41 ++++++++++++++++++++---------------------
+ netcat.c |   44 +++++++++++++++++++++-----------------------
- 1 file changed, 20 insertions(+), 21 deletions(-)
+ 1 file changed, 21 insertions(+), 23 deletions(-)
 --- a/netcat.c
 +++ b/netcat.c
-@@ -664,7 +664,20 @@ main(int argc, char *argv[])
+@@ -705,6 +705,23 @@ main(int argc, char *argv[])
 				s = unix_bind(host, 0);
 			else
 				s = unix_listen(host);
 -		}
 +		} else
 +			s = local_listen(host, uport, hints);
 +		if (s < 0)
 +			err(1, NULL);
 +
-+		char* local;
+		if (vflag && (family != AF_UNIX)) {
-+		if (family == AF_INET6)
+			char* local;
-+			local = ":::";
+			if (family == AF_INET)
-+		else
+				local = "0.0.0.0";
-+			local = "0.0.0.0";
+			else if (family == AF_INET6)
-+		fprintf(stderr, "Listening on [%s] (family %d, port %d)\n",
+				local = "::";
-+			host ?: local,
+			else
-+			family,
+				local = "unknown";
-+			*uport);
+			fprintf(stderr, "Listening on [%s] (family %d, port %d)\n",
 +				host ?: local,
 +				family,
 +				*uport);
 		}
 # if defined(TLS)
- 		if (usetls) {
+@@ -719,28 +736,6 @@ main(int argc, char *argv[])
@@ -678,22 +691,7 @@ main(int argc, char *argv[])
 # endif
 		/* Allow only one connection at a time, but stay alive. */
 		for (;;) {
-			if (family != AF_UNIX)
+-			if (family != AF_UNIX) {
 -				if (s != -1)
 -					close(s);
 -				s = local_listen(host, uport, hints);
 -			}
 -			if (s < 0)
 -				err(1, NULL);
 -
-			char* local;
+-			if (vflag && (family != AF_UNIX)) {
-			if (family == AF_INET6)
+-				char* local;
-				local = "0.0.0.0";
+-				if (family == AF_INET)
-			else if (family == AF_INET)
+-					local = "0.0.0.0";
-				local = ":::";
+-				else if (family == AF_INET6)
-			else
+-					local = "::";
-				local = "unknown";
+-				else
-			fprintf(stderr, "Listening on [%s] (family %d, port %d)\n",
+-					local = "unknown";
-				host ?: local,
+-				fprintf(stderr, "Listening on [%s] (family %d, port %d)\n",
-				family,
+-					host ?: local,
-				*uport);
+-					family,
-+
+-					*uport);
- 			/*
+-			}
- 			 * For UDP and -k, don't connect the socket, let it
+-
- 			 * receive datagrams from multiple socket pairs.
+ 			if (uflag && kflag) {
-@@ -760,15 +758,16 @@ main(int argc, char *argv[])
+ 				/*
- # endif
+ 				 * For UDP and -k, don't connect the socket,
- 				close(connfd);
+@@ -814,8 +809,11 @@ main(int argc, char *argv[])
 			}
 -			if (family != AF_UNIX)
 +			if (kflag)
 +				continue;
 +			if (family != AF_UNIX) {
 				close(s);
 +			}
 			else if (uflag) {
 				if (connect(s, NULL, 0) < 0)
 					err(1, "connect");
 			}
-
+ 
 -			if (!kflag)
-				break;
+			if (!kflag) {
-+			break;
+				if (s != -1)
 +					close(s);
 				break;
 +			}
 		}
 	} else if (family == AF_UNIX) {
 		ret = 0;
--- a/set-TCP-MD5SIG-correctly-for-client-connections.patch
+++ b/set-TCP-MD5SIG-correctly-for-client-connections.patch
@ -18,26 +18,26 @@ Subject: Set TCP MD5SIG correctly for client connections
 #ifndef IPTOS_LOWDELAY
 # define IPTOS_LOWDELAY 0x10
-@@ -172,6 +175,9 @@ char	*tls_expecthash;			/* required hash
+@@ -176,6 +179,9 @@ FILE	*Zflag;					/* file to save peer ce
 int	Cflag = 0;			/* CRLF line-ending */
 # endif
 +# if defined(TCP_MD5SIG) && defined(TCP_MD5SIG_MAXKEYLEN)
 +char Sflag_password[TCP_MD5SIG_MAXKEYLEN];
 +# endif
 int recvcount, recvlimit;
 int timeout = -1;
 int family = AF_UNSPEC;
- char *portlist[PORT_MAX+1];
+@@ -206,7 +212,7 @@ int	udptest(int);
@@ -200,7 +206,7 @@ int	udptest(int);
 int	unix_bind(char *, int);
 int	unix_connect(char *);
 int	unix_listen(char *);
 -void	set_common_sockopts(int, int);
 +void	set_common_sockopts(int, const struct sockaddr *);
- int	map_tos(char *, int *);
+ int	process_tos_opt(char *, int *);
 # if defined(TLS)
- int	map_tls(char *, int *);
+ int	process_tls_opt(char *, int *);
-@@ -427,7 +433,10 @@ main(int argc, char *argv[])
+@@ -456,7 +462,10 @@ main(int argc, char *argv[])
 			break;
 # endif
 		case 'S':
@ -49,7 +49,7 @@ Subject: Set TCP MD5SIG correctly for client connections
 			Sflag = 1;
 # else
 			errx(1, "no TCP MD5 signature support available");
-@@ -1120,7 +1129,7 @@ remote_connect(const char *host, const c
+@@ -1171,7 +1180,7 @@ remote_connect(const char *host, const c
 			freeaddrinfo(ares);
 		}
@ -58,7 +58,7 @@ Subject: Set TCP MD5SIG correctly for client connections
 		char *proto = proto_name(uflag, dccpflag);
 		if ((error = connect_with_timeout(s, res->ai_addr, res->ai_addrlen, timeout)) == CONNECTION_SUCCESS)
-@@ -1274,7 +1283,7 @@ local_listen(char *host, char *port, str
+@@ -1325,7 +1334,7 @@ local_listen(const char *host, const cha
 			err(1, NULL);
 # endif
@ -67,7 +67,7 @@ Subject: Set TCP MD5SIG correctly for client connections
 		if (bind(s, (struct sockaddr *)res->ai_addr,
 		    res->ai_addrlen) == 0)
-@@ -1788,14 +1797,22 @@ udptest(int s)
+@@ -1845,9 +1854,10 @@ udptest(int s)
 }
 void
@ -77,6 +77,12 @@ Subject: Set TCP MD5SIG correctly for client connections
 	int x = 1;
 +	int af = sa->sa_family;
 # if defined(SO_BROADCAST)
 	if (bflag) {
@@ -1858,10 +1868,17 @@ set_common_sockopts(int s, int af)
 			err(1, NULL);
 	}
 # endif
 -# if defined(TCP_MD5SIG)
 +# if defined(TCP_MD5SIG) && defined(TCP_MD5SIG_MAXKEYLEN)
 	if (Sflag) {
--- a/udp-scan-timeout.patch
+++ b/udp-scan-timeout.patch
@ -17,7 +17,7 @@ Subject: udp scan timeout
 /* Command Line Options */
 int	dflag;					/* detached, no stdin */
 int	Fflag;					/* fdpass sock to stdout */
-@@ -774,7 +776,7 @@ main(int argc, char *argv[])
+@@ -815,7 +817,7 @@ main(int argc, char *argv[])
 				continue;
 			ret = 0;
@ -26,7 +26,7 @@ Subject: udp scan timeout
 				/* For UDP, make sure we are connected. */
 				if (uflag) {
 					if (udptest(s) == -1) {
-@@ -1693,15 +1695,20 @@ build_ports(char *p)
+@@ -1743,15 +1745,20 @@ build_ports(char *p)
 int
 udptest(int s)
 {
@ -49,7 +49,7 @@ Subject: udp scan timeout
 +		if ((write(s, "X", 1) != 1) && (errno == ECONNREFUSED))
 +			return -1;
 	}
-	return (ret);
+-	return ret;
 +	return 1;
 }
--- a/use-flags-to-specify-listen-address.patch
+++ b/use-flags-to-specify-listen-address.patch
@ -0,0 +1,106 @@
 From: Guilhem Moulin <guilhem@debian.org>
 Date: Mon, 22 Oct 2018 04:50:54 +0200
 Subject: use -s/-p flags to specify listen address
 ---
 nc.1     |   18 ++++++++++++++----
 netcat.c |   49 +++++++++++++++++++++++++++++--------------------
 2 files changed, 43 insertions(+), 24 deletions(-)
 --- a/nc.1
 +++ b/nc.1
@@ -143,8 +143,20 @@ multiple hosts.
 .It Fl l
 Listen for an incoming connection rather than initiating a
 connection to a remote host.
 -Cannot be used together with any of the options
 -.Fl psxz .
 +The
 +.Ar destination
 +and
 +.Ar port
 +to listen on can be specified either as non-optional arguments, or with
 +options
 +.Fl s
 +and
 +.Fl p
 +respectively.
 +Cannot be used together with
 +.Fl x
 +or
 +.Fl z .
 Additionally, any timeouts specified with the
 .Fl w
 option are ignored.
@@ -194,8 +206,6 @@ For
 datagram sockets, specifies the local temporary socket file
 to create and use so that datagrams can be received.
 Cannot be used together with
 -.Fl l
 -or
 .Fl x .
 .It Fl T Ar keyword
 Change the IPv4 TOS/IPv6 traffic class value.
 --- a/netcat.c
 +++ b/netcat.c
@@ -507,31 +507,40 @@ main(int argc, char *argv[])
 # endif
 	/* Cruft to make sure options are clean, and used properly. */
 -	if (argv[0] && !argv[1] && family == AF_UNIX) {
 -# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP)
 -		if (dccpflag)
 -			errx(1, "cannot use -Z and -U");
 -# endif
 -		host = argv[0];
 -		uport = NULL;
 -	} else if (!argv[0] && lflag) {
 -		if (sflag)
 -			errx(1, "cannot use -s and -l");
 -		if (pflag)
 -			errx(1, "cannot use -p and -l");
 -		if (zflag)
 -			errx(1, "cannot use -z and -l");
 -	} else if (argv[0] && !argv[1]) {
 -		if (!lflag)
 -			usage(1);
 -		uport = &argv[0];
 -		host = NULL;
 -	} else if (argv[0] && argv[1]) {
 +	if (argc == 0 && lflag) {
 +		uport = &pflag;
 +		host = sflag;
 +	} else if (argc == 1 && !pflag && !sflag) {
 +		if (family == AF_UNIX) {
 +			host = argv[0];
 +			uport = NULL;
 +		} else if (lflag) {
 +			host  = NULL;
 +			uport = argv;
 +		}
 +	} else if (argc >= 2) {
 +		if (lflag && (pflag || sflag || argc > 2))
 +			usage(1); /* conflict */
 		host = argv[0];
 		uport = &argv[1];
 	} else
 		usage(1);
 +	if (family == AF_UNIX) {
 +# if defined(IPPROTO_DCCP) && defined(SOCK_DCCP)
 +		if (dccpflag)
 +			errx(1, "cannot use -Z and -U");
 +# endif
 +		if (uport && *uport)
 +			errx(1, "cannot use port with -U");
 +		if (!host)
 +			errx(1, "missing socket pathname");
 +	} else if (!uport || !*uport)
 +		errx(1, "missing port number");
 + 
 +	if (lflag && zflag)
 +		errx(1, "cannot use -z and -l");
 +
 # if defined(TLS)
 	if (usetls) {
 		if (Cflag && unveil(Cflag, "r") == -1)
--- a/verbose-numeric-port.patch
+++ b/verbose-numeric-port.patch
@ -3,8 +3,8 @@ Date: Mon, 13 Feb 2012 15:38:15 +0800
 Subject: verbose numeric port
 ---
- netcat.c |   19 ++++++++++++++++---
+ netcat.c |   25 ++++++++++++++++++++-----
- 1 file changed, 16 insertions(+), 3 deletions(-)
+ 1 file changed, 20 insertions(+), 5 deletions(-)
 --- a/netcat.c
 +++ b/netcat.c
@ -16,33 +16,37 @@ Subject: verbose numeric port
 #ifdef __linux__
 # include <linux/in6.h>
 #endif
-@@ -651,6 +652,18 @@ main(int argc, char *argv[])
+@@ -689,6 +690,21 @@ main(int argc, char *argv[])
- 				s = local_listen(host, uport, hints);
+ 			}
 			if (s < 0)
 				err(1, NULL);
 +
-+			char* local;
+			if (vflag && (family != AF_UNIX)) {
-+			if (family == AF_INET6)
+				char* local;
-+				local = "0.0.0.0";
+				if (family == AF_INET)
-+			else if (family == AF_INET)
+					local = "0.0.0.0";
-+				local = ":::";
+				else if (family == AF_INET6)
-+			else
+					local = "::";
-+				local = "unknown";
+				else
-+			fprintf(stderr, "Listening on [%s] (family %d, port %d)\n",
+					local = "unknown";
-+				host ?: local,
+				fprintf(stderr, "Listening on [%s] (family %d, port %d)\n",
-+				family,
+					host ?: local,
-+				*uport);
+					family,
- 			/*
+					*uport);
- 			 * For UDP and -k, don't connect the socket, let it
+			}
- 			 * receive datagrams from multiple socket pairs.
+
-@@ -671,14 +684,14 @@ main(int argc, char *argv[])
+ 			if (uflag && kflag) {
- 				char buf[16384];
+ 				/*
- 				struct sockaddr_storage z;
+ 				 * For UDP and -k, don't connect the socket,
@@ -708,20 +724,19 @@ main(int argc, char *argv[])
 				 */
 				int rv;
 				char buf[2048];
 -				struct sockaddr_storage z;
 -				len = sizeof(z);
 +				len = sizeof(cliaddr);
- 				plen = 2048;
+ 				rv = recvfrom(s, buf, sizeof(buf), MSG_PEEK,
 				rv = recvfrom(s, buf, plen, MSG_PEEK,
 -				    (struct sockaddr *)&z, &len);
 +				    (struct sockaddr *)&cliaddr, &len);
 				if (rv < 0)
@ -53,3 +57,9 @@ Subject: verbose numeric port
 				if (rv < 0)
 					err(1, "connect");
 				if (vflag)
 -					report_connect((struct sockaddr *)&z, len, NULL);
 +					report_connect((struct sockaddr *)&cliaddr, len, NULL);
 # if defined(TLS)
 				readwrite(s, NULL);