UPDATE: security/stunnel-5.24

UPDATE: security/stunnel-5.24

Gleydson Soares-3
Here is a diff to update stunnel to 5.24.

port changes:
- update stunnel to 5.24
- install stunnel3 perl script to emulate version 3.x command line options
- zap upstreamed patches (from changelog: "Added OPENSSL_NO_EGD support (thx to Bernard Spil)")

full changelog at:
https://www.stunnel.org/sdf_ChangeLog.html

[1] http://shutupandhack.org/~gsoares/openbsd/stunnel-5.24.diff

OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/stunnel/Makefile,v
retrieving revision 1.77
diff -u -p -u -p -r1.77 Makefile
--- Makefile 25 Jun 2015 14:44:30 -0000 1.77
+++ Makefile 9 Oct 2015 13:25:25 -0000
@@ -2,7 +2,7 @@
 
 COMMENT= SSL encryption wrapper for standard network daemons
 
-DISTNAME= stunnel-5.19
+DISTNAME= stunnel-5.24
 CATEGORIES= security
 
 MAINTAINER= Gleydson Soares <[hidden email]>
@@ -29,10 +29,12 @@ NO_TEST= Yes
 USE_GMAKE= Yes
 
 pre-configure:
+ ${SUBST_CMD} ${WRKSRC}/src/stunnel3.in
  ${SUBST_CMD} ${WRKSRC}/tools/stunnel.conf-sample.in
 
 do-install:
  ${INSTALL_PROGRAM} ${WRKBUILD}/src/stunnel ${PREFIX}/sbin
+ ${INSTALL_SCRIPT} ${WRKBUILD}/src/stunnel3 ${PREFIX}/sbin
  ${INSTALL_MAN} ${WRKBUILD}/doc/stunnel.8 ${PREFIX}/man/man8
  ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/stunnel
  ${INSTALL_DATA} ${WRKSRC}/tools/stunnel.conf-sample.in \
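Review bot: the new `${SUBST_CMD} ${WRKSRC}/src/stunnel3.in` in pre-configure only does its job because it runs before configure turns stunnel3.in into the stunnel3 that `${INSTALL_SCRIPT}` later picks up from `${WRKBUILD}/src`, and the script goes to sbin (next to the stunnel binary it wraps) rather than upstream's bindir. Both points deserve a one-line comment or a mention in the commit message, since neither is obvious from the two added lines alone. Also worth a glance: whether upstream ships a stunnel3 man page alongside doc/stunnel.8, since only stunnel.8 is installed here.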
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/stunnel/distinfo,v
retrieving revision 1.35
diff -u -p -u -p -r1.35 distinfo
--- distinfo 25 Jun 2015 14:44:30 -0000 1.35
+++ distinfo 9 Oct 2015 13:25:25 -0000
@@ -1,2 +1,2 @@
-SHA256 (stunnel-5.19.tar.gz) = C1QyQs8mZJrP3Z8A3lZMPo3nrCI31Tk1/9x+sk9NVW0=
-SIZE (stunnel-5.19.tar.gz) = 620810
+SHA256 (stunnel-5.24.tar.gz) = qy5aEDTUIpUd2tIbVy63+o77TEzgS8hlNsaEXz0CsH4=
+SIZE (stunnel-5.24.tar.gz) = 631730
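Review bot: the replaced SHA256/SIZE pair is the only thing standing between the build and a substituted tarball, and nothing in the diff shows how the new values were obtained; before commit, compare them against a copy fetched independently of the mirror used here (upstream publishes signed release files), rather than trusting whatever `make makesum` happened to download.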
Index: patches/patch-src_options_c
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-src_options_c,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 patch-src_options_c
--- patches/patch-src_options_c 25 Jun 2015 14:44:30 -0000 1.1
+++ patches/patch-src_options_c 9 Oct 2015 13:25:25 -0000
@@ -3,9 +3,9 @@ $OpenBSD: patch-src_options_c,v 1.1 2015
 use SSLv23_client_method() required to build with libressl since that it haven't
 TLS_client_method()  for now.
 
---- src/options.c.orig Mon Jun  1 11:25:32 2015
-+++ src/options.c Mon Jun 22 02:20:12 2015
-@@ -2450,7 +2450,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
+--- src/options.c.orig Tue Oct  6 13:16:11 2015
++++ src/options.c Tue Oct  6 05:52:42 2015
+@@ -2507,7 +2507,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
      /* sslVersion */
      switch(cmd) {
      case CMD_BEGIN:
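Review bot: the unchanged header lines "use SSLv23_client_method() required to build with libressl since that it haven't TLS_client_method() for now" are hard to read and will outlive this update; since the offsets are being regenerated anyway, reword them to something like "Use SSLv23_client_method()/SSLv23_server_method(): LibreSSL does not provide TLS_client_method()/TLS_server_method() yet." It is also worth stating there that the SSLv23_* names denote the version-flexible method, not an SSLv2/SSLv3 floor, so the next reader does not mistake the patch for a protocol downgrade; the accepted protocol range stays governed by the sslVersion handling this hunk sits in.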
@@ -14,7 +14,7 @@ TLS_client_method()  for now.
          section->client_method=(SSL_METHOD *)TLS_client_method();
          section->server_method=(SSL_METHOD *)TLS_server_method();
  #else
-@@ -2462,7 +2462,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
+@@ -2519,7 +2519,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
          if(strcasecmp(opt, "sslVersion"))
              break;
          if(!strcasecmp(arg, "all")) {
Index: patches/patch-src_ssl_c
===================================================================
RCS file: patches/patch-src_ssl_c
diff -N patches/patch-src_ssl_c
--- patches/patch-src_ssl_c 25 Jun 2015 14:44:30 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,22 +0,0 @@
-$OpenBSD: patch-src_ssl_c,v 1.2 2015/06/25 14:44:30 gsoares Exp $
---- src/ssl.c.orig Tue Jun 16 10:16:35 2015
-+++ src/ssl.c Mon Jun 22 01:56:51 2015
-@@ -201,18 +201,6 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *global) {
-     }
-     s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
- #else
--    if(global->egd_sock) {
--        if((bytes=RAND_egd(global->egd_sock))==-1) {
--            s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
--            bytes=0;
--        } else {
--            totbytes+=bytes;
--            s_log(LOG_DEBUG, "Snagged %d random bytes from EGD Socket %s",
--                bytes, global->egd_sock);
--            return 0; /* OpenSSL always gets what it needs or fails,
--                         so no need to check if seeded sufficiently */
--        }
--    }
-     /* try the good-old default /dev/urandom, if available  */
-     totbytes+=add_rand_file(global, "/dev/urandom");
-     if(RAND_status())
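Review bot: dropping this patch relies entirely on upstream's new OPENSSL_NO_EGD guard compiling out the `RAND_egd()` block that the port used to delete by hand; the deleted lines show that the fallback path (`add_rand_file(global, "/dev/urandom")` followed by `RAND_status()`) is what seeds the PRNG on this platform, so the removal is safe as long as the guard actually fires for LibreSSL. Please confirm the 5.24 build on LibreSSL does not reference RAND_egd (a quick `nm` on the built binary) and say "EGD patch superseded by OPENSSL_NO_EGD upstream" in the commit message so the history explains why the file vanished.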
Index: patches/patch-src_stunnel3_in
===================================================================
RCS file: patches/patch-src_stunnel3_in
diff -N patches/patch-src_stunnel3_in
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_stunnel3_in 9 Oct 2015 13:25:25 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/stunnel3.in.orig Fri Jul 10 10:25:18 2015
++++ src/stunnel3.in Fri Jul 10 10:25:43 2015
+@@ -22,7 +22,7 @@ use POSIX;
+ use Getopt::Std;
+
+ # Configuration - path to stunnel (version >=4.05)
+-$stunnel_bin='@bindir@/stunnel';
++$stunnel_bin='${TRUEPREFIX}/sbin/stunnel';
+
+ # stunnel3 script body begins here
+ ($read_fd, $write_fd)=POSIX::pipe();
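Review bot: `$stunnel_bin='${TRUEPREFIX}/sbin/stunnel';` is single-quoted Perl, so `${TRUEPREFIX}` is not interpolated at run time; it only works because the Makefile's pre-configure SUBST_CMD rewrites it at build time, and upstream's `@bindir@` is replaced because this port installs stunnel into sbin. Both facts belong in a comment under the `$OpenBSD$` line, as the patch is otherwise indistinguishable from a typo. Pinning an absolute path here is the right call for a wrapper that spawns the daemon (no PATH lookup), so keep that.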
Index: patches/patch-src_verify_c
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-src_verify_c,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 patch-src_verify_c
--- patches/patch-src_verify_c 25 Jun 2015 14:44:30 -0000 1.1
+++ patches/patch-src_verify_c 9 Oct 2015 13:25:25 -0000
@@ -3,9 +3,9 @@ $OpenBSD: patch-src_verify_c,v 1.1 2015/
 disable OpenSSL 1.0.2 X509_check_* functions, so it can build with libressl.
 
 
---- src/verify.c.orig Fri Jun 12 12:45:00 2015
-+++ src/verify.c Fri Jun 12 12:47:35 2015
-@@ -50,7 +50,7 @@ NOEXPORT int add_dir_lookup(X509_STORE *, char *);
+--- src/verify.c.orig Wed Sep 23 07:00:08 2015
++++ src/verify.c Tue Oct  6 05:52:42 2015
+@@ -51,7 +51,7 @@ NOEXPORT int add_dir_lookup(X509_STORE *, char *);
  NOEXPORT int verify_callback(int, X509_STORE_CTX *);
  NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *);
  NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int);
@@ -14,7 +14,7 @@ disable OpenSSL 1.0.2 X509_check_* funct
  NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *);
  #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
  NOEXPORT int cert_check_local(X509_STORE_CTX *);
-@@ -285,7 +285,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba
+@@ -280,7 +280,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba
      }
 
      if(depth==0) { /* additional peer certificate checks */
@@ -23,7 +23,7 @@ disable OpenSSL 1.0.2 X509_check_* funct
          if(!cert_check_subject(c, callback_ctx))
              return 0; /* reject */
  #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
-@@ -296,7 +296,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba
+@@ -291,7 +291,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba
      return 1; /* accept */
  }
 
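Review bot: this hunk keeps `cert_check_subject()` compiled out on LibreSSL (the X509_check_* based peer checks the header describes), yet the sample config in this same diff still advertises `checkHost = pop.gmail.com` in its client examples. Worth confirming whether stunnel built this way rejects `checkHost` at startup or silently ignores it: with `verify = 2` a silently ignored checkHost means any certificate chaining to CApath is accepted regardless of the name in it. Either way the limitation should be stated in the patch header next to "so it can build with libressl" and, if it is silent, in the sample config as well.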
Index: patches/patch-tools_stunnel_conf-sample_in
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-tools_stunnel_conf-sample_in,v
retrieving revision 1.13
diff -u -p -u -p -r1.13 patch-tools_stunnel_conf-sample_in
--- patches/patch-tools_stunnel_conf-sample_in 25 Jun 2015 14:44:30 -0000 1.13
+++ patches/patch-tools_stunnel_conf-sample_in 9 Oct 2015 13:25:25 -0000
@@ -1,6 +1,6 @@
 $OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.13 2015/06/25 14:44:30 gsoares Exp $
---- tools/stunnel.conf-sample.in.orig Fri Jun 12 05:23:01 2015
-+++ tools/stunnel.conf-sample.in Mon Jun 22 02:02:57 2015
+--- tools/stunnel.conf-sample.in.orig Wed Sep 23 11:05:10 2015
++++ tools/stunnel.conf-sample.in Tue Oct  6 06:10:53 2015
 @@ -7,17 +7,18 @@
  ; * Global options                                                         *
  ; **************************************************************************
@@ -33,9 +33,9 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 
  ; **************************************************************************
  ; * Service definitions (remove all services for inetd mode)               *
-@@ -45,64 +46,64 @@
-
- ; ***************************************** Example TLS client mode services
+@@ -50,72 +51,72 @@
+ ; a hardcoded path of the stunnel package, as it is not related to the
+ ; stunnel configuration in @sysconfdir@/stunnel/.
 
 -[gmail-pop3]
 -client = yes
@@ -44,6 +44,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 -verify = 2
 -CApath = /etc/ssl/certs
 -checkHost = pop.gmail.com
+-OCSPaia = yes
 +;[gmail-pop3]
 +;client = yes
 +;accept = 127.0.0.1:110
@@ -51,6 +52,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 +;verify = 2
 +;CApath = ${SYSCONFDIR}/ssl/certs
 +;checkHost = pop.gmail.com
++;OCSPaia = yes
 
 -[gmail-imap]
 -client = yes
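Review bot: commenting out upstream's new `OCSPaia = yes` together with the rest of the client example is consistent, but the example's `CApath = ${SYSCONFDIR}/ssl/certs` points at a hashed certificate directory the base system does not populate; OpenBSD ships its CA bundle as a single file, so `CAfile = ${SYSCONFDIR}/ssl/cert.pem` would let the example verify out of the box. With `verify = 2` the present line fails closed (every connection is rejected), which is safe but baffling for someone who just uncomments the block.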
@@ -59,6 +61,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 -verify = 2
 -CApath = /etc/ssl/certs
 -checkHost = imap.gmail.com
+-OCSPaia = yes
 +;[gmail-imap]
 +;client = yes
 +;accept = 127.0.0.1:143
@@ -66,6 +69,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 +;verify = 2
 +;CApath = ${SYSCONFDIR}/ssl/certs
 +;checkHost = imap.gmail.com
++;OCSPaia = yes
 
 -[gmail-smtp]
 -client = yes
@@ -74,6 +78,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 -verify = 2
 -CApath = /etc/ssl/certs
 -checkHost = smtp.gmail.com
+-OCSPaia = yes
 +;[gmail-smtp]
 +;client = yes
 +;accept = 127.0.0.1:25
@@ -81,6 +86,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 +;verify = 2
 +;CApath = ${SYSCONFDIR}/ssl/certs
 +;checkHost = smtp.gmail.com
++;OCSPaia = yes
 
  ; ***************************************** Example TLS server mode services
 
@@ -91,7 +97,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 +[pop3s]
 +accept  = 995
 +connect = 110
-+cert = ${SYSCONFDIR}/ssl/stunnel.pem
++cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
 -;[imaps]
 -;accept  = 993
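Review bot: moving the example `cert` path from `${SYSCONFDIR}/ssl/stunnel.pem` to `${SYSCONFDIR}/stunnel/stunnel.pem` lines the sample up with upstream's `@sysconfdir@/stunnel/` and with the `@sample ${SYSCONFDIR}/stunnel/` directory in pkg/PLIST; the same change is repeated in the imaps, ssmtp and https hunks below, so a short note in the commit message ("examples now point into the stunnel config dir, where the key is expected to live") saves the next reader from diffing them. Since stunnel.pem carries the private key, it is worth checking the mode that @sample directory ends up with.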
@@ -100,7 +106,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 +[imaps]
 +accept  = 993
 +connect = 143
-+cert = ${SYSCONFDIR}/ssl/stunnel.pem
++cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
 -;[ssmtp]
 -;accept  = 465
@@ -109,14 +115,14 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 +[ssmtp]
 +accept  = 465
 +connect = 25
-+cert = ${SYSCONFDIR}/ssl/stunnel.pem
++cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
  ; TLS front-end to a web server
  ;[https]
  ;accept  = 443
  ;connect = 80
 -;cert = @sysconfdir@/stunnel/stunnel.pem
-+;cert = ${SYSCONFDIR}/ssl/stunnel.pem
++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
  ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
  ; Microsoft implementations do not use TLS close-notify alert and thus they
  ; are vulnerable to truncation attacks
@@ -124,13 +130,19 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 
  ; Remote shell protected with PSK-authenticated TLS
 -; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
-+; Create "${SYSCONFDIR}/ssl/secrets.txt" containing IDENTITY:KEY pairs
++; Create "${SYSCONFDIR}/stunnel/secrets.txt" containing IDENTITY:KEY pairs
  ;[shell]
  ;accept = 1337
  ;exec = /bin/sh
  ;execArgs = sh -i
  ;ciphers = PSK
 -;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
-+;PSKsecrets = ${SYSCONFDIR}/ssl/secrets.txt
++;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt
+
+ ; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
+ ;[mysql]
+-;cert = @sysconfdir@/stunnel/stunnel.pem
++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
+ ;accept = 3307
+ ;connect = /run/mysqld/mysqld.sock
 
- ; vim:ft=dosini
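Review bot: besides the `secrets.txt` path change, this hunk absorbs upstream's new `[mysql]` example and drops the `; vim:ft=dosini` trailer from the patch context, so it is the hunk most likely to need re-merging next release; a line in the commit message would help. Keeping the PSK example's `secrets.txt` beside stunnel.pem, as done here, is right: IDENTITY:KEY pairs need the same restrictive permissions as the private key, and the comment above the example could say so.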
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/stunnel/pkg/PLIST,v
retrieving revision 1.12
diff -u -p -u -p -r1.12 PLIST
--- pkg/PLIST 15 Sep 2011 00:42:21 -0000 1.12
+++ pkg/PLIST 9 Oct 2015 13:25:25 -0000
@@ -4,6 +4,7 @@
 @extra /var/stunnel/stunnel.pid
 @man man/man8/stunnel.8
 @bin sbin/stunnel
+sbin/stunnel3
 share/examples/stunnel/
 @sample ${SYSCONFDIR}/stunnel/
 share/examples/stunnel/stunnel.conf-sample
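Review bot: `sbin/stunnel3` correctly omits the `@bin` annotation (it is a Perl script, not an ELF binary); the only thing to double-check is that upstream does not also ship a stunnel3 man page that should be listed next to `@man man/man8/stunnel.8`.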
Re: UPDATE: security/stunnel-5.24

Matthias Kilian
Hi,

On Fri, Oct 09, 2015 at 10:42:31AM -0300, Gleydson Soares wrote:

> Here is a diff to update stunnel to 5.24.
>
> port changes:
> - update stunnel to 5.24
> - install stunnel3 perl script to emulate version 3.x command line options
> - zap upstreamed patches (from changelog: "Added OPENSSL_NO_EGD support (thx to Bernard Spil)")
>
> full changelog at:
> https://www.stunnel.org/sdf_ChangeLog.html
>
> [1] http://shutupandhack.org/~gsoares/openbsd/stunnel-5.24.diff
>
> OK?

Looks ok and still works for me.

ok

Ciao,
        Kili