On Sun 21/01/2018 19:10, Klemens Nanni wrote: > On Sun, Jan 21, 2018 at 05:59:26PM +0100, Björn Ketelaars wrote: > > Enclosed a diff for bringing net/sslh to the latest version. From the > > release > > announcement: > > > > - Added 'syslog_facility' configuration option to specify where to log > > - TLS now supports SNI and ALPN, including support for Let's Encrypt > > challenges > > - ADB probe > > - Added per-protocol 'fork' option > > - Added chroot option > > - A truckload of bug fixes and documentation improvements > > > > I'm running this version, in an existing sslh setup, without any issues. > > > > Comments? > Haven't run tested this properly yet but here are some portwise > improvements to consider: > > The dance around VERSION with and without "v" prefix can be reduced to > simply patching genver.sh. This completely avoids the ugly do-configure > and version string passing. > > Instead of removing all the conditionals from the Makefile and passing > default values through make's `-D', USE_GMAKE is all you need. > > Combined this reduces a lot of noise; and if we can live with "v1.19" > instead of "1.19" in sslh's output and manpage, even the now introduced > genver.sh patch can be dropped.
I prefer your diff, including the genver.sh patch. The overall result is better for the eyes. While here I would like to propose to add "--chroot=/var/empty" to the rc.d-scripts. As long as nothing is placed in this directory there should be no security implication, even if this chroot is shared with for example OpenVPN (or any of the other ports that chroot to /var/empty). Diff below is based on your work, and contains the chroot bit in the rc.d scripts. diff --git net/sslh/Makefile net/sslh/Makefile index 5196ad1f3f6..ed1dec969c6 100644 --- net/sslh/Makefile +++ net/sslh/Makefile @@ -2,14 +2,11 @@ COMMENT = SSL/SSH multiplexer -GH_ACCOUNT = yrutschle -GH_PROJECT = sslh -V = 1.18 -GH_TAGNAME = v$V +DISTNAME = sslh-v1.19 +PKGNAME = ${DISTNAME:S/-v/-/} CATEGORIES = security net -REVISION = 0 -HOMEPAGE = http://www.rutschle.net/tech/sslh.shtml +HOMEPAGE = https://www.rutschle.net/tech/sslh.shtml MAINTAINER = Bjorn Ketelaars <bjorn.ketela...@hydroxide.nl> @@ -17,16 +14,18 @@ MAINTAINER = Bjorn Ketelaars <bjorn.ketela...@hydroxide.nl> PERMIT_PACKAGE_CDROM = Yes WANTLIB = c config pcre + +MASTER_SITES = https://www.rutschle.net/tech/sslh/ + LIB_DEPENDS = devel/libconfig \ devel/pcre -MAKE_FLAGS = CFLAGS="${CFLAGS} -I${LOCALBASE}/include \ - -DENABLE_REGEX -DLIBCONFIG -DLIBPCRE" \ - LIBS="-L${LOCALBASE}/lib -lconfig -lpcre" VERSION=$V +MAKE_FLAGS = CFLAGS="${CFLAGS} -I${LOCALBASE}/include" \ + LIBS="-L${LOCALBASE}/lib -lconfig -lpcre" \ + MAN=sslh.8 NO_TEST = Yes -do-configure: - printf '#ifndef _VERSION_H_\n#define _VERSION_H_\n#define VERSION "$V"\n#endif\n' > ${WRKSRC}/version.h +USE_GMAKE = Yes do-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/sslh diff --git net/sslh/distinfo net/sslh/distinfo index c18daca89f9..e4dae567aea 100644 --- net/sslh/distinfo +++ net/sslh/distinfo 
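Review bot: The new MAKE_FLAGS drop the explicit `-DENABLE_REGEX -DLIBCONFIG -DLIBPCRE` from CFLAGS and rely on the upstream Makefile's `ENABLE_REGEX`/`USELIBCONFIG`/`USELIBPCRE` conditionals (the ones shown in the removed patch-Makefile content further down), while LIBS still hard-codes `-lconfig -lpcre`. If any of those defaults is empty in the 1.19 Makefile, the corresponding feature is compiled out without a build failure while the library is still linked, so the breakage would only show at runtime (config file or regex probes not working as before). Worth confirming the 1.19 defaults or pinning them in the port, e.g. `MAKE_FLAGS = ... ENABLE_REGEX=1 USELIBCONFIG=1 USELIBPCRE=1`, so the build no longer depends on upstream's choice.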
@@ -1,2 +1,2 @@ -SHA256 (sslh-1.18.tar.gz) = 9sq/DgxXWu0g0d4j09aT85IcIeJw2F/suhrSpI86/O8= -SIZE (sslh-1.18.tar.gz) = 53175 +SHA256 (sslh-v1.19.tar.gz) = 75yxg5baQEu3BbLEzUViql/rVU3m+b0HSyTnrEcTZpw= +SIZE (sslh-v1.19.tar.gz) = 57352 diff --git net/sslh/patches/patch-Makefile net/sslh/patches/patch-Makefile index 452232e7c77..c8be2213f5c 100644 --- net/sslh/patches/patch-Makefile +++ net/sslh/patches/patch-Makefile @@ -1,67 +1,8 @@ $OpenBSD: patch-Makefile,v 1.5 2016/04/17 09:14:26 landry Exp $ ---- Makefile.orig Fri Feb 5 16:46:47 2016 -+++ Makefile Sat Mar 19 20:27:50 2016 -@@ -12,58 +12,23 @@ PREFIX?=/usr - BINDIR?=$(PREFIX)/sbin - MANDIR?=$(PREFIX)/share/man/man8 - --MAN=sslh.8.gz # man page name -+MAN=sslh.8 # man page name - - # End of configuration -- the rest should take care of - # itself - --ifneq ($(strip $(COV_TEST)),) -- CFLAGS_COV=-fprofile-arcs -ftest-coverage --endif -- - CC ?= gcc - CFLAGS ?=-Wall -g $(CFLAGS_COV) - - LIBS= - OBJS=common.o sslh-main.o probe.o tls.o - --ifneq ($(strip $(USELIBWRAP)),) -- LIBS:=$(LIBS) -lwrap -- CPPFLAGS+=-DLIBWRAP --endif -- --ifneq ($(strip $(ENABLE_REGEX)),) -- CPPFLAGS+=-DENABLE_REGEX --endif -- --ifneq ($(strip $(USELIBPCRE)),) -- CPPFLAGS+=-DLIBPCRE -- LIBS:=$(LIBS) -lpcre --endif -- --ifneq ($(strip $(USELIBCONFIG)),) -- LIBS:=$(LIBS) -lconfig -- CPPFLAGS+=-DLIBCONFIG --endif -- --ifneq ($(strip $(USELIBCAP)),) -- LIBS:=$(LIBS) -lcap -- CPPFLAGS+=-DLIBCAP --endif -- --ifneq ($(strip $(USESYSTEMD)),) -- LIBS:=$(LIBS) -lsystemd -- CPPFLAGS+=-DSYSTEMD --endif -- -- - all: sslh $(MAN) echosrv - - .c.o: *.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c $< - - version.h: -- ./genver.sh >version.h - - sslh: sslh-fork sslh-select - -@@ -82,7 +47,7 @@ echosrv: $(OBJS) echosrv.o +Index: Makefile +--- Makefile.orig ++++ Makefile +@@ -87,7 +87,7 @@ echosrv: version.h $(OBJS) echosrv.o $(CC) $(CFLAGS) $(LDFLAGS) -o echosrv echosrv.o probe.o common.o tls.o $(LIBS) $(MAN): sslh.pod Makefile 
diff --git net/sslh/patches/patch-basic_cfg net/sslh/patches/patch-basic_cfg index b2971871443..bd0f31b1bad 100644 --- net/sslh/patches/patch-basic_cfg +++ net/sslh/patches/patch-basic_cfg @@ -1,6 +1,7 @@ $OpenBSD: patch-basic_cfg,v 1.4 2016/04/17 09:14:26 landry Exp $ ---- basic.cfg.orig Fri Feb 5 16:46:47 2016 -+++ basic.cfg Sat Mar 19 20:28:39 2016 +Index: basic.cfg +--- basic.cfg.orig ++++ basic.cfg @@ -7,7 +7,7 @@ inetd: false; numeric: false; transparent: false; @@ -8,5 +9,5 @@ $OpenBSD: patch-basic_cfg,v 1.4 2016/04/17 09:14:26 landry Exp $ -user: "nobody"; +user: "_sslh"; pidfile: "/var/run/sslh.pid"; - + chroot: "/var/empty"; diff --git net/sslh/patches/patch-example_cfg net/sslh/patches/patch-example_cfg index 6598c8a75e4..9c21b041f55 100644 --- net/sslh/patches/patch-example_cfg +++ net/sslh/patches/patch-example_cfg @@ -1,6 +1,7 @@ $OpenBSD: patch-example_cfg,v 1.4 2016/04/17 09:14:26 landry Exp $ ---- example.cfg.orig Fri Feb 5 16:46:47 2016 -+++ example.cfg Sat Mar 19 20:28:56 2016 +Index: example.cfg +--- example.cfg.orig ++++ example.cfg @@ -9,7 +9,7 @@ inetd: false; numeric: false; transparent: false; @@ -8,5 +9,5 @@ $OpenBSD: patch-example_cfg,v 1.4 2016/04/17 09:14:26 landry Exp $ -user: "nobody"; +user: "_sslh"; pidfile: "/var/run/sslh.pid"; - + chroot: "/var/empty"; diff --git net/sslh/patches/patch-genver_sh net/sslh/patches/patch-genver_sh new file mode 100644 index 00000000000..b447e92056a --- /dev/null +++ net/sslh/patches/patch-genver_sh @@ -0,0 +1,14 @@ +$OpenBSD$ + +Index: genver.sh +--- genver.sh.orig ++++ genver.sh +@@ -14,7 +14,7 @@ if ! `(git status | grep -q "On branch") 2> /dev/null` + + # If downloaded from the release page, the directory + # has the version number. +- release=`pwd | sed s/.*sslh-// | grep "[[:digit:]]"` ++ release=`pwd | sed s/.*sslh-v// | grep "[[:digit:]]"` + + if [ "x$release" = "x" ]; then + # If downloaded from the head, Github creates the 
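Review bot: The patched basic.cfg now sets both `pidfile: "/var/run/sslh.pid"` and `chroot: "/var/empty"`, and whether that pidfile path is resolved before or after chroot(2) depends on sslh's startup order, which this diff does not show; if the pidfile is written after the chroot it would land under /var/empty or fail, since that directory is meant to stay unwritable. Worth confirming in the 1.19 sources that the pidfile is written before the chroot and privilege drop, and recording the result in the patch header (the `$OpenBSD$` comment block) so the next updater does not have to re-derive it. The same combination is added to example.cfg in the patch-example_cfg hunk on this line.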
diff --git net/sslh/patches/patch-sslh_pod net/sslh/patches/patch-sslh_pod index 5a84aba561d..97c97bc746e 100644 --- net/sslh/patches/patch-sslh_pod +++ net/sslh/patches/patch-sslh_pod @@ -1,6 +1,7 @@ $OpenBSD: patch-sslh_pod,v 1.6 2016/04/17 09:14:26 landry Exp $ ---- sslh.pod.orig Tue Jul 28 15:14:21 2015 -+++ sslh.pod Mon Sep 21 12:15:48 2015 +Index: sslh.pod +--- sslh.pod.orig ++++ sslh.pod @@ -26,17 +26,14 @@ Hence B<sslh> acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port. @@ -26,7 +27,7 @@ $OpenBSD: patch-sslh_pod,v 1.6 2016/04/17 09:14:26 landry Exp $ =head2 Configuration file A configuration file can be supplied to B<sslh>. Command -@@ -203,24 +200,6 @@ Runs in background. This overrides B<foreground> if se +@@ -210,24 +207,6 @@ Runs in background. This overrides B<foreground> if se the configuration file (or on the command line, but there is no point setting both on the command line unless you have a personality disorder). diff --git net/sslh/pkg/sslh_fork.rc net/sslh/pkg/sslh_fork.rc index 9fe98abb15f..a396991acfb 100644 --- net/sslh/pkg/sslh_fork.rc +++ net/sslh/pkg/sslh_fork.rc @@ -3,7 +3,7 @@ # $OpenBSD: sslh_fork.rc,v 1.5 2018/01/11 19:27:08 rpe Exp $ daemon="${TRUEPREFIX}/sbin/sslh-fork" -daemon_flags="--user=_sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443" +daemon_flags="--chroot=/var/empty --user=_sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443" . /etc/rc.d/rc.subr diff --git net/sslh/pkg/sslh_select.rc net/sslh/pkg/sslh_select.rc index 91da71e2ea6..8e66327ec44 100644 --- net/sslh/pkg/sslh_select.rc +++ net/sslh/pkg/sslh_select.rc 
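Review bot: `--chroot=/var/empty` in daemon_flags carries two unstated preconditions: the directory must stay empty and root-owned (the message above argues exactly this), and the chroot only isolates anything because `--user=_sslh` follows it so the process does not keep root inside the jail. A one-line comment above daemon_flags would keep that reasoning with the script, e.g. `# --chroot=/var/empty relies on the directory staying empty and root-owned; keep --user=_sslh alongside it`. An admin who overrides the flags in rc.conf.local presumably replaces the whole daemon_flags string and silently loses the chroot, which is worth a sentence in the port's pkg/README if one exists. The identical change to net/sslh/pkg/sslh_select.rc on the next line has the same issue.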
@@ -3,7 +3,7 @@ # $OpenBSD: sslh_select.rc,v 1.5 2018/01/11 19:27:08 rpe Exp $ daemon="${TRUEPREFIX}/sbin/sslh-select" -daemon_flags="--user=_sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443" +daemon_flags="--chroot=/var/empty --user=_sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443" . /etc/rc.d/rc.subr