Here is a diff to update stunnel to 5.24. Port changes: - update stunnel to 5.24 - install the stunnel3 perl script to emulate the version 3.x command line options - zap the upstreamed patch (from the changelog: "Added OPENSSL_NO_EGD support (thx to Bernard Spil)")
full changelog at: https://www.stunnel.org/sdf_ChangeLog.html [1] http://shutupandhack.org/~gsoares/openbsd/stunnel-5.24.diff OK?
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/stunnel/Makefile,v
retrieving revision 1.77
diff -u -p -u -p -r1.77 Makefile
--- Makefile 25 Jun 2015 14:44:30 -0000 1.77
+++ Makefile 9 Oct 2015 13:25:25 -0000
@@ -2,7 +2,7 @@
COMMENT= SSL encryption wrapper for standard network daemons
-DISTNAME= stunnel-5.19
+DISTNAME= stunnel-5.24
CATEGORIES= security
MAINTAINER= Gleydson Soares <[email protected]>
@@ -29,10 +29,12 @@ NO_TEST= Yes
USE_GMAKE= Yes
pre-configure:
+ ${SUBST_CMD} ${WRKSRC}/src/stunnel3.in
${SUBST_CMD} ${WRKSRC}/tools/stunnel.conf-sample.in
do-install:
${INSTALL_PROGRAM} ${WRKBUILD}/src/stunnel ${PREFIX}/sbin
+ ${INSTALL_SCRIPT} ${WRKBUILD}/src/stunnel3 ${PREFIX}/sbin
${INSTALL_MAN} ${WRKBUILD}/doc/stunnel.8 ${PREFIX}/man/man8
${INSTALL_DATA_DIR} ${PREFIX}/share/examples/stunnel
${INSTALL_DATA} ${WRKSRC}/tools/stunnel.conf-sample.in \
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/stunnel/distinfo,v
retrieving revision 1.35
diff -u -p -u -p -r1.35 distinfo
--- distinfo 25 Jun 2015 14:44:30 -0000 1.35
+++ distinfo 9 Oct 2015 13:25:25 -0000
@@ -1,2 +1,2 @@
-SHA256 (stunnel-5.19.tar.gz) = C1QyQs8mZJrP3Z8A3lZMPo3nrCI31Tk1/9x+sk9NVW0=
-SIZE (stunnel-5.19.tar.gz) = 620810
+SHA256 (stunnel-5.24.tar.gz) = qy5aEDTUIpUd2tIbVy63+o77TEzgS8hlNsaEXz0CsH4=
+SIZE (stunnel-5.24.tar.gz) = 631730
Index: patches/patch-src_options_c
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-src_options_c,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 patch-src_options_c
--- patches/patch-src_options_c 25 Jun 2015 14:44:30 -0000 1.1
+++ patches/patch-src_options_c 9 Oct 2015 13:25:25 -0000 
@@ -3,9 +3,9 @@ $OpenBSD: patch-src_options_c,v 1.1 2015 use SSLv23_client_method() required to build with libressl since that it haven't TLS_client_method() for now. ---- src/options.c.orig Mon Jun 1 11:25:32 2015 -+++ src/options.c Mon Jun 22 02:20:12 2015 -@@ -2450,7 +2450,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O +--- src/options.c.orig Tue Oct 6 13:16:11 2015 ++++ src/options.c Tue Oct 6 05:52:42 2015 +@@ -2507,7 +2507,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O /* sslVersion */ switch(cmd) { case CMD_BEGIN: @@ -14,7 +14,7 @@ TLS_client_method() for now. section->client_method=(SSL_METHOD *)TLS_client_method(); section->server_method=(SSL_METHOD *)TLS_server_method(); #else -@@ -2462,7 +2462,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O +@@ -2519,7 +2519,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O if(strcasecmp(opt, "sslVersion")) break; if(!strcasecmp(arg, "all")) { Index: patches/patch-src_ssl_c =================================================================== RCS file: patches/patch-src_ssl_c diff -N patches/patch-src_ssl_c --- patches/patch-src_ssl_c 25 Jun 2015 14:44:30 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,22 +0,0 @@
-$OpenBSD: patch-src_ssl_c,v 1.2 2015/06/25 14:44:30 gsoares Exp $
---- src/ssl.c.orig Tue Jun 16 10:16:35 2015
-+++ src/ssl.c Mon Jun 22 01:56:51 2015
-@@ -201,18 +201,6 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *global) {
- }
- s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
- #else
-- if(global->egd_sock) {
-- if((bytes=RAND_egd(global->egd_sock))==-1) {
-- s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
-- bytes=0;
-- } else {
-- totbytes+=bytes;
-- s_log(LOG_DEBUG, "Snagged %d random bytes from EGD Socket %s",
-- bytes, global->egd_sock);
-- return 0; /* OpenSSL always gets what it needs or fails,
-- so no need to check if seeded sufficiently */
-- }
-- }
- /* try the good-old default /dev/urandom, if available */
- totbytes+=add_rand_file(global, "/dev/urandom");
- if(RAND_status())
Index: patches/patch-src_stunnel3_in
===================================================================
RCS file: patches/patch-src_stunnel3_in
diff -N patches/patch-src_stunnel3_in
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_stunnel3_in 9 Oct 2015 13:25:25 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/stunnel3.in.orig Fri Jul 10 10:25:18 2015
++++ src/stunnel3.in Fri Jul 10 10:25:43 2015
+@@ -22,7 +22,7 @@ use POSIX;
+ use Getopt::Std;
+
+ # Configuration - path to stunnel (version >=4.05)
+-$stunnel_bin='@bindir@/stunnel';
++$stunnel_bin='${TRUEPREFIX}/sbin/stunnel';
+
+ # stunnel3 script body begins here
+ ($read_fd, $write_fd)=POSIX::pipe();
Index: patches/patch-src_verify_c
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-src_verify_c,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 patch-src_verify_c
--- patches/patch-src_verify_c 25 Jun 2015 14:44:30 -0000 1.1
+++ patches/patch-src_verify_c 9 Oct 2015 13:25:25 -0000 
@@ -3,9 +3,9 @@ $OpenBSD: patch-src_verify_c,v 1.1 2015/ disable OpenSSL 1.0.2 X509_check_* functions, so it can build with libressl. ---- src/verify.c.orig Fri Jun 12 12:45:00 2015 -+++ src/verify.c Fri Jun 12 12:47:35 2015 -@@ -50,7 +50,7 @@ NOEXPORT int add_dir_lookup(X509_STORE *, char *); +--- src/verify.c.orig Wed Sep 23 07:00:08 2015 ++++ src/verify.c Tue Oct 6 05:52:42 2015 +@@ -51,7 +51,7 @@ NOEXPORT int add_dir_lookup(X509_STORE *, char *); NOEXPORT int verify_callback(int, X509_STORE_CTX *); NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *); NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int); @@ -14,7 +14,7 @@ disable OpenSSL 1.0.2 X509_check_* funct NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *); #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ NOEXPORT int cert_check_local(X509_STORE_CTX *); -@@ -285,7 +285,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba +@@ -280,7 +280,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba } if(depth==0) { /* additional peer certificate checks */ @@ -23,7 +23,7 @@ disable OpenSSL 1.0.2 X509_check_* funct if(!cert_check_subject(c, callback_ctx)) return 0; /* reject */ #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ -@@ -296,7 +296,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba +@@ -291,7 +291,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba return 1; /* accept */ } Index: patches/patch-tools_stunnel_conf-sample_in =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-tools_stunnel_conf-sample_in,v retrieving revision 1.13 diff -u -p -u -p -r1.13 patch-tools_stunnel_conf-sample_in --- patches/patch-tools_stunnel_conf-sample_in 25 Jun 2015 14:44:30 -0000 1.13 +++ patches/patch-tools_stunnel_conf-sample_in 9 Oct 2015 13:25:25 -0000 
@@ -1,6 +1,6 @@ $OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.13 2015/06/25 14:44:30 gsoares Exp $ ---- tools/stunnel.conf-sample.in.orig Fri Jun 12 05:23:01 2015 -+++ tools/stunnel.conf-sample.in Mon Jun 22 02:02:57 2015 +--- tools/stunnel.conf-sample.in.orig Wed Sep 23 11:05:10 2015 ++++ tools/stunnel.conf-sample.in Tue Oct 6 06:10:53 2015 @@ -7,17 +7,18 @@ ; * Global options * ; ************************************************************************** @@ -33,9 +33,9 @@ $OpenBSD: patch-tools_stunnel_conf-sampl ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * -@@ -45,64 +46,64 @@ - - ; ***************************************** Example TLS client mode services +@@ -50,72 +51,72 @@ + ; a hardcoded path of the stunnel package, as it is not related to the + ; stunnel configuration in @sysconfdir@/stunnel/. -[gmail-pop3] -client = yes @@ -44,6 +44,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl -verify = 2 -CApath = /etc/ssl/certs -checkHost = pop.gmail.com +-OCSPaia = yes +;[gmail-pop3] +;client = yes +;accept = 127.0.0.1:110 @@ -51,6 +52,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl +;verify = 2 +;CApath = ${SYSCONFDIR}/ssl/certs +;checkHost = pop.gmail.com ++;OCSPaia = yes -[gmail-imap] -client = yes @@ -59,6 +61,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl -verify = 2 -CApath = /etc/ssl/certs -checkHost = imap.gmail.com +-OCSPaia = yes +;[gmail-imap] +;client = yes +;accept = 127.0.0.1:143 @@ -66,6 +69,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl +;verify = 2 +;CApath = ${SYSCONFDIR}/ssl/certs +;checkHost = imap.gmail.com ++;OCSPaia = yes -[gmail-smtp] -client = yes @@ -74,6 +78,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl -verify = 2 -CApath = /etc/ssl/certs -checkHost = smtp.gmail.com +-OCSPaia = yes +;[gmail-smtp] +;client = yes +;accept = 127.0.0.1:25 
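Review bot: The commented client examples keep `checkHost = pop.gmail.com` (and the imap/smtp variants) next to `verify = 2`, yet patch-src_verify_c in this same diff compiles out the X509_check_*-based `cert_check_subject()` call on LibreSSL, so on this build a user who uncomments these sections may get chain verification with no hostname binding, which is the classic MITM gap; I cannot tell from these hunks whether options.c still accepts the option in that configuration or rejects it. Since the sample is what most people copy, I would add a one-line caveat above the client examples, e.g. `; NOTE: checkHost needs X509_check_host(); on LibreSSL builds (see patch-src_verify_c) the peer name is not checked`, or drop checkHost from the OpenBSD sample until that patch is gone. This note applies to the `@@ -51,6 +52,7 @@` hunk; the `@@ -74,6 +78,7 @@` hunk that starts on this line continues on the next.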
@@ -81,6 +86,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl +;verify = 2 +;CApath = ${SYSCONFDIR}/ssl/certs +;checkHost = smtp.gmail.com ++;OCSPaia = yes ; ***************************************** Example TLS server mode services @@ -91,7 +97,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl +[pop3s] +accept = 995 +connect = 110 -+cert = ${SYSCONFDIR}/ssl/stunnel.pem ++cert = ${SYSCONFDIR}/stunnel/stunnel.pem -;[imaps] -;accept = 993 @@ -100,7 +106,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl +[imaps] +accept = 993 +connect = 143 -+cert = ${SYSCONFDIR}/ssl/stunnel.pem ++cert = ${SYSCONFDIR}/stunnel/stunnel.pem -;[ssmtp] -;accept = 465 @@ -109,14 +115,14 @@ $OpenBSD: patch-tools_stunnel_conf-sampl +[ssmtp] +accept = 465 +connect = 25 -+cert = ${SYSCONFDIR}/ssl/stunnel.pem ++cert = ${SYSCONFDIR}/stunnel/stunnel.pem ; TLS front-end to a web server ;[https] ;accept = 443 ;connect = 80 -;cert = @sysconfdir@/stunnel/stunnel.pem -+;cert = ${SYSCONFDIR}/ssl/stunnel.pem ++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel ; Microsoft implementations do not use TLS close-notify alert and thus they ; are vulnerable to truncation attacks 
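Review bot: The three enabled server services `[pop3s]`, `[imaps]` and `[ssmtp]` now point `cert` at `${SYSCONFDIR}/stunnel/stunnel.pem` instead of `${SYSCONFDIR}/ssl/stunnel.pem`, and nothing in the diff tells an upgrader to move the file; because these sections are active rather than commented in the OpenBSD sample, a config taken from the new sample will fail to start until the PEM exists at the new path. The commit message should mention the relocation, and since stunnel.pem carries the private key I would also add `; stunnel.pem holds the private key: keep it mode 0600, readable only by the user stunnel runs as` above `[pop3s]`. Whether an existing /etc/stunnel/stunnel.conf is left alone on upgrade depends on the @sample handling in pkg/PLIST, which is cut off at the end of this diff.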
@@ -124,13 +130,19 @@ $OpenBSD: patch-tools_stunnel_conf-sampl ; Remote shell protected with PSK-authenticated TLS -; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs -+; Create "${SYSCONFDIR}/ssl/secrets.txt" containing IDENTITY:KEY pairs ++; Create "${SYSCONFDIR}/stunnel/secrets.txt" containing IDENTITY:KEY pairs ;[shell] ;accept = 1337 ;exec = /bin/sh ;execArgs = sh -i ;ciphers = PSK -;PSKsecrets = @sysconfdir@/stunnel/secrets.txt -+;PSKsecrets = ${SYSCONFDIR}/ssl/secrets.txt ++;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt + + ; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket + ;[mysql] +-;cert = @sysconfdir@/stunnel/stunnel.pem ++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem + ;accept = 3307 + ;connect = /run/mysqld/mysqld.sock - ; vim:ft=dosini Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/security/stunnel/pkg/PLIST,v retrieving revision 1.12 diff -u -p -u -p -r1.12 PLIST --- pkg/PLIST 15 Sep 2011 00:42:21 -0000 1.12 +++ pkg/PLIST 9 Oct 2015 13:25:25 -0000 @@ -4,6 +4,7 @@ @extra /var/stunnel/stunnel.pid @man man/man8/stunnel.8 @bin sbin/stunnel +sbin/stunnel3 share/examples/stunnel/ @sample ${SYSCONFDIR}/stunnel/ share/examples/stunnel/stunnel.conf-sample
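Review bot: The `[shell]` example now points `PSKsecrets` at `${SYSCONFDIR}/stunnel/secrets.txt`, but the sample still says nothing about protecting that file, and this particular example hands `exec = /bin/sh` with `execArgs = sh -i` on port 1337 to anyone holding a key from it. I would extend the instruction line to `; Create "${SYSCONFDIR}/stunnel/secrets.txt" containing IDENTITY:KEY pairs (mode 0600, owned by the user stunnel runs as)`. Whether stunnel itself refuses a world-readable secrets file is not visible here, so the comment is the safe minimum. The `[mysql]` lines, including the Linux-style `/run/mysqld/mysqld.sock`, are upstream context carried into the patch rather than a change of this commit.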
