On Sun 21/01/2018 19:10, Klemens Nanni wrote:
> On Sun, Jan 21, 2018 at 05:59:26PM +0100, Björn Ketelaars wrote:
> > Enclosed a diff for bringing net/sslh to the latest version. From the 
> > release
> > announcement:
> > 
> >   - Added 'syslog_facility' configuration option to specify where to log
> >   - TLS now supports SNI and ALPN, including support for Let's Encrypt
> >     challenges
> >   - ADB probe
> >   - Added per-protocol 'fork' option
> >   - Added chroot option
> >   - A truckload of bug fixes and documentation improvements
> > 
> > I'm running this version, in an existing sslh setup, without any issues.
> > 
> > Comments?
> Haven't run-tested this properly yet, but here are some port-wise
> improvements to consider:
> 
> The dance around VERSION with and without "v" prefix can be reduced to
> simply patching genver.sh. This completely avoids the ugly do-configure
> and version string passing.
> 
> Instead of removing all the conditionals from the Makefile and passing
> default values through make's `-D', USE_GMAKE is all you need.
> 
> Combined this reduces a lot of noise; and if we can live with "v1.19"
> instead of "1.19" in sslh's output and manpage, even the now introduced
> genver.sh patch can be dropped.

I prefer your diff, including the genver.sh patch. The overall result is
better for the eyes.

While here, I would like to propose adding "--chroot=/var/empty" to the
rc.d scripts. As long as nothing is placed in this directory there should be
no security implication, even if this chroot is shared with, for example,
OpenVPN (or any of the other ports that chroot to /var/empty).

Diff below is based on your work, and contains the chroot bit in the rc.d
scripts.


diff --git net/sslh/Makefile net/sslh/Makefile
index 5196ad1f3f6..ed1dec969c6 100644
--- net/sslh/Makefile
+++ net/sslh/Makefile
@@ -2,14 +2,11 @@
 
 COMMENT =      SSL/SSH multiplexer
 
-GH_ACCOUNT =   yrutschle
-GH_PROJECT =   sslh
-V =            1.18
-GH_TAGNAME =   v$V
+DISTNAME =     sslh-v1.19
+PKGNAME =      ${DISTNAME:S/-v/-/}
 CATEGORIES =   security net
-REVISION =     0
 
-HOMEPAGE =     http://www.rutschle.net/tech/sslh.shtml
+HOMEPAGE =     https://www.rutschle.net/tech/sslh.shtml
 
 MAINTAINER =   Bjorn Ketelaars <bjorn.ketela...@hydroxide.nl>
 
@@ -17,16 +14,18 @@ MAINTAINER =        Bjorn Ketelaars 
<bjorn.ketela...@hydroxide.nl>
 PERMIT_PACKAGE_CDROM = Yes
 
 WANTLIB =      c config pcre
+
+MASTER_SITES = https://www.rutschle.net/tech/sslh/
+
 LIB_DEPENDS =  devel/libconfig \
                devel/pcre
 
-MAKE_FLAGS =   CFLAGS="${CFLAGS} -I${LOCALBASE}/include \
-               -DENABLE_REGEX -DLIBCONFIG -DLIBPCRE" \
-               LIBS="-L${LOCALBASE}/lib -lconfig -lpcre" VERSION=$V
+MAKE_FLAGS =   CFLAGS="${CFLAGS} -I${LOCALBASE}/include" \
+               LIBS="-L${LOCALBASE}/lib -lconfig -lpcre" \
+               MAN=sslh.8
 NO_TEST =      Yes
 
-do-configure:
-       printf '#ifndef _VERSION_H_\n#define _VERSION_H_\n#define VERSION 
"$V"\n#endif\n' > ${WRKSRC}/version.h
+USE_GMAKE =    Yes
 
 do-install:
        ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/sslh
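Review bot: The new MAKE_FLAGS drops `-DENABLE_REGEX -DLIBCONFIG -DLIBPCRE` from CFLAGS, and because patches/patch-Makefile no longer strips upstream's conditionals, the build now depends on upstream's default values for ENABLE_REGEX/USELIBCONFIG/USELIBPCRE to put those defines into CPPFLAGS; nothing in the hunk shows those defaults, so it is worth confirming that the installed binary still reads a config file and matches the regex probes. Passing `LIBS="-L${LOCALBASE}/lib -lconfig -lpcre"` on the command line overrides the Makefile's own `LIBS:=$(LIBS) -l...` appends, so only the libraries named here get linked, which matches WANTLIB but has to be kept in sync by hand if upstream's defaults change. MASTER_SITES moves from the GitHub tag tarball to the author's site; distinfo pins the archive so that is fine, but a short comment next to DISTNAME explaining that the "v" is kept for genver.sh's pwd-based version detection would save the next maintainer from reverting it.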
diff --git net/sslh/distinfo net/sslh/distinfo
index c18daca89f9..e4dae567aea 100644
--- net/sslh/distinfo
+++ net/sslh/distinfo
@@ -1,2 +1,2 @@
-SHA256 (sslh-1.18.tar.gz) = 9sq/DgxXWu0g0d4j09aT85IcIeJw2F/suhrSpI86/O8=
-SIZE (sslh-1.18.tar.gz) = 53175
+SHA256 (sslh-v1.19.tar.gz) = 75yxg5baQEu3BbLEzUViql/rVU3m+b0HSyTnrEcTZpw=
+SIZE (sslh-v1.19.tar.gz) = 57352
diff --git net/sslh/patches/patch-Makefile net/sslh/patches/patch-Makefile
index 452232e7c77..c8be2213f5c 100644
--- net/sslh/patches/patch-Makefile
+++ net/sslh/patches/patch-Makefile
@@ -1,67 +1,8 @@
 $OpenBSD: patch-Makefile,v 1.5 2016/04/17 09:14:26 landry Exp $
---- Makefile.orig      Fri Feb  5 16:46:47 2016
-+++ Makefile   Sat Mar 19 20:27:50 2016
-@@ -12,58 +12,23 @@ PREFIX?=/usr
- BINDIR?=$(PREFIX)/sbin
- MANDIR?=$(PREFIX)/share/man/man8
- 
--MAN=sslh.8.gz # man page name
-+MAN=sslh.8    # man page name
- 
- # End of configuration -- the rest should take care of
- # itself
- 
--ifneq ($(strip $(COV_TEST)),)
--    CFLAGS_COV=-fprofile-arcs -ftest-coverage
--endif
--
- CC ?= gcc
- CFLAGS ?=-Wall -g $(CFLAGS_COV)
- 
- LIBS=
- OBJS=common.o sslh-main.o probe.o tls.o
- 
--ifneq ($(strip $(USELIBWRAP)),)
--      LIBS:=$(LIBS) -lwrap
--      CPPFLAGS+=-DLIBWRAP
--endif
--
--ifneq ($(strip $(ENABLE_REGEX)),)
--      CPPFLAGS+=-DENABLE_REGEX
--endif
--
--ifneq ($(strip $(USELIBPCRE)),)
--      CPPFLAGS+=-DLIBPCRE
--      LIBS:=$(LIBS) -lpcre
--endif
--
--ifneq ($(strip $(USELIBCONFIG)),)
--      LIBS:=$(LIBS) -lconfig
--      CPPFLAGS+=-DLIBCONFIG
--endif
--
--ifneq ($(strip $(USELIBCAP)),)
--      LIBS:=$(LIBS) -lcap
--      CPPFLAGS+=-DLIBCAP
--endif
--
--ifneq ($(strip $(USESYSTEMD)),)
--        LIBS:=$(LIBS) -lsystemd
--        CPPFLAGS+=-DSYSTEMD
--endif
--
--
- all: sslh $(MAN) echosrv
- 
- .c.o: *.h
-       $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
- 
- version.h:
--      ./genver.sh >version.h
- 
- sslh: sslh-fork sslh-select
- 
-@@ -82,7 +47,7 @@ echosrv: $(OBJS) echosrv.o
+Index: Makefile
+--- Makefile.orig
++++ Makefile
+@@ -87,7 +87,7 @@ echosrv: version.h $(OBJS) echosrv.o
        $(CC) $(CFLAGS) $(LDFLAGS) -o echosrv echosrv.o probe.o common.o tls.o 
$(LIBS)
  
  $(MAN): sslh.pod Makefile
diff --git net/sslh/patches/patch-basic_cfg net/sslh/patches/patch-basic_cfg
index b2971871443..bd0f31b1bad 100644
--- net/sslh/patches/patch-basic_cfg
+++ net/sslh/patches/patch-basic_cfg
@@ -1,6 +1,7 @@
 $OpenBSD: patch-basic_cfg,v 1.4 2016/04/17 09:14:26 landry Exp $
---- basic.cfg.orig     Fri Feb  5 16:46:47 2016
-+++ basic.cfg  Sat Mar 19 20:28:39 2016
+Index: basic.cfg
+--- basic.cfg.orig
++++ basic.cfg
 @@ -7,7 +7,7 @@ inetd: false;
  numeric: false;
  transparent: false;
@@ -8,5 +9,5 @@ $OpenBSD: patch-basic_cfg,v 1.4 2016/04/17 09:14:26 landry Exp $
 -user: "nobody";
 +user: "_sslh";
  pidfile: "/var/run/sslh.pid";
- 
+ chroot: "/var/empty";
  
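Review bot: `chroot: "/var/empty";` is added directly after `pidfile: "/var/run/sslh.pid";` here and in the same hunk of patches/patch-example_cfg, but nothing on the page shows whether sslh writes the pidfile before or after it calls chroot(2); if it is after, /var/run does not exist inside /var/empty and the write fails. Please confirm the ordering against upstream and, if the pidfile is written first, say so in a comment above the option, e.g. `# pidfile is written before chroot; /var/empty must stay empty and root-owned`. The option is only as strong as the directory, so _sslh must not be able to write into /var/empty.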
diff --git net/sslh/patches/patch-example_cfg net/sslh/patches/patch-example_cfg
index 6598c8a75e4..9c21b041f55 100644
--- net/sslh/patches/patch-example_cfg
+++ net/sslh/patches/patch-example_cfg
@@ -1,6 +1,7 @@
 $OpenBSD: patch-example_cfg,v 1.4 2016/04/17 09:14:26 landry Exp $
---- example.cfg.orig   Fri Feb  5 16:46:47 2016
-+++ example.cfg        Sat Mar 19 20:28:56 2016
+Index: example.cfg
+--- example.cfg.orig
++++ example.cfg
 @@ -9,7 +9,7 @@ inetd: false;
  numeric: false;
  transparent: false;
@@ -8,5 +9,5 @@ $OpenBSD: patch-example_cfg,v 1.4 2016/04/17 09:14:26 landry 
Exp $
 -user: "nobody";
 +user: "_sslh";
  pidfile: "/var/run/sslh.pid";
- 
+ chroot: "/var/empty";
  
diff --git net/sslh/patches/patch-genver_sh net/sslh/patches/patch-genver_sh
new file mode 100644
index 00000000000..b447e92056a
--- /dev/null
+++ net/sslh/patches/patch-genver_sh
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: genver.sh
+--- genver.sh.orig
++++ genver.sh
+@@ -14,7 +14,7 @@ if ! `(git status | grep -q "On branch") 2> /dev/null`
+         
+         # If downloaded from the release page, the directory
+         # has the version number.
+-        release=`pwd | sed s/.*sslh-// | grep "[[:digit:]]"`
++        release=`pwd | sed s/.*sslh-v// | grep "[[:digit:]]"`
+         
+         if [ "x$release" = "x" ]; then
+             # If downloaded from the head, Github creates the
diff --git net/sslh/patches/patch-sslh_pod net/sslh/patches/patch-sslh_pod
index 5a84aba561d..97c97bc746e 100644
--- net/sslh/patches/patch-sslh_pod
+++ net/sslh/patches/patch-sslh_pod
@@ -1,6 +1,7 @@
 $OpenBSD: patch-sslh_pod,v 1.6 2016/04/17 09:14:26 landry Exp $
---- sslh.pod.orig      Tue Jul 28 15:14:21 2015
-+++ sslh.pod   Mon Sep 21 12:15:48 2015
+Index: sslh.pod
+--- sslh.pod.orig
++++ sslh.pod
 @@ -26,17 +26,14 @@ Hence B<sslh> acts as a protocol demultiplexer, or a
  switchboard. Its name comes from its original function to
  serve SSH and HTTPS on the same port.
@@ -26,7 +27,7 @@ $OpenBSD: patch-sslh_pod,v 1.6 2016/04/17 09:14:26 landry Exp 
$
  =head2 Configuration file
  
  A configuration file can be supplied to B<sslh>. Command
-@@ -203,24 +200,6 @@ Runs in background. This overrides B<foreground> if se
+@@ -210,24 +207,6 @@ Runs in background. This overrides B<foreground> if se
  the configuration file (or on the command line, but there is
  no point setting both on the command line unless you have a
  personality disorder).
diff --git net/sslh/pkg/sslh_fork.rc net/sslh/pkg/sslh_fork.rc
index 9fe98abb15f..a396991acfb 100644
--- net/sslh/pkg/sslh_fork.rc
+++ net/sslh/pkg/sslh_fork.rc
@@ -3,7 +3,7 @@
 # $OpenBSD: sslh_fork.rc,v 1.5 2018/01/11 19:27:08 rpe Exp $
 
 daemon="${TRUEPREFIX}/sbin/sslh-fork"
-daemon_flags="--user=_sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 
127.0.0.1:443"
+daemon_flags="--chroot=/var/empty --user=_sslh --listen 0.0.0.0:443 --ssh 
127.0.0.1:22 --ssl 127.0.0.1:443"
 
 . /etc/rc.d/rc.subr
 
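Review bot: `--chroot=/var/empty` is hard-coded into daemon_flags in both sslh_fork.rc and sslh_select.rc, and since an `sslh_fork_flags`/`sslh_select_flags` line in rc.conf.local replaces the whole string, anyone who has customised the flags will silently keep running without the chroot after the upgrade; a note in the port's pkg/README or MESSAGE asking existing users to add the option would close that gap. The shipped defaults use numeric addresses, so nothing needs name resolution from inside the empty chroot, but users who substitute hostnames should check that sslh resolves them before chrooting, which the page does not show. Keeping /var/empty root-owned and unwritable by _sslh is what makes the chroot meaningful.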
diff --git net/sslh/pkg/sslh_select.rc net/sslh/pkg/sslh_select.rc
index 91da71e2ea6..8e66327ec44 100644
--- net/sslh/pkg/sslh_select.rc
+++ net/sslh/pkg/sslh_select.rc
@@ -3,7 +3,7 @@
 # $OpenBSD: sslh_select.rc,v 1.5 2018/01/11 19:27:08 rpe Exp $
 
 daemon="${TRUEPREFIX}/sbin/sslh-select"
-daemon_flags="--user=_sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 
127.0.0.1:443"
+daemon_flags="--chroot=/var/empty --user=_sslh --listen 0.0.0.0:443 --ssh 
127.0.0.1:22 --ssl 127.0.0.1:443"
 
 . /etc/rc.d/rc.subr
 
