From owner-svn-ports-head@freebsd.org Mon Nov 5 00:04:06 2018
Message-Id: <201811050004.wA5044ch059874@repo.freebsd.org>
From: Mikhail Teterin
Date: Mon, 5 Nov 2018 00:04:04 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r484158 - in head/security/sst: . files
X-SVN-Group: ports-head
X-SVN-Commit-Author: mi
X-SVN-Commit-Paths: in head/security/sst: . files
X-SVN-Commit-Revision: 484158
X-SVN-Commit-Repository: ports
List-Id: SVN commit messages for the ports tree for head

Author: mi
Date: Mon Nov  5 00:04:04 2018
New Revision: 484158

URL: https://svnweb.freebsd.org/changeset/ports/484158

Log:
  Upgrade to upstream's 1.23. Try to organize the checks for various
  methods -- some may be too new to be available in earlier versions of
  OpenSSL, others -- too old to be found in latest ones.

  Submitted upstream.
Reported by: pkg-fallout Modified: head/security/sst/Makefile head/security/sst/distinfo head/security/sst/files/Makefile head/security/sst/files/patch-sst.c Modified: head/security/sst/Makefile ============================================================================== --- head/security/sst/Makefile Sun Nov 4 22:56:21 2018 (r484157) +++ head/security/sst/Makefile Mon Nov 5 00:04:04 2018 (r484158) @@ -2,11 +2,9 @@ # $FreeBSD$ PORTNAME= sst -PORTVERSION= 1.0 -PORTREVISION= 1 +PORTVERSION= 1.23 CATEGORIES= security MASTER_SITES= http://utcc.utoronto.ca/~pkern/stuff/sst/ -DISTNAME= ${PORTNAME} MAINTAINER= mi@aldan.algebra.com COMMENT= Simple SSL tunneling tool (uses netcat) @@ -16,7 +14,7 @@ RUN_DEPENDS= netcat:net/netcat .endif MAKEFILE= ${FILESDIR}/Makefile -USES= uidfix ssl +USES= uidfix ssl tar:xz PLIST_FILES= sbin/sst \ man/man1/sst.1.gz Modified: head/security/sst/distinfo ============================================================================== --- head/security/sst/distinfo Sun Nov 4 22:56:21 2018 (r484157) +++ head/security/sst/distinfo Mon Nov 5 00:04:04 2018 (r484158) @@ -1,2 +1,3 @@ -SHA256 (sst.tar.gz) = 4becd5f0e70d3875c3497d8965c8bd4ee8310b5090a502409d872d4132510abb -SIZE (sst.tar.gz) = 10109 +TIMESTAMP = 1540048110 +SHA256 (sst-1.23.tar.xz) = 664031f4d2156a50225b27775bed35e94905b1a070a500511bec913200ae68d4 +SIZE (sst-1.23.tar.xz) = 11436 Modified: head/security/sst/files/Makefile ============================================================================== --- head/security/sst/files/Makefile Sun Nov 4 22:56:21 2018 (r484157) +++ head/security/sst/files/Makefile Mon Nov 5 00:04:04 2018 (r484158) 
@@ -6,7 +6,8 @@ BINDIR=${PREFIX}/sbin MANDIR=${PREFIX}/man/man CFLAGS+= -DCONFDIR='"${OPENSSLDIR}"' -DCERTF='"certs/sst.pem"' \ - -I${OPENSSLINC} + -I${OPENSSLINC} -Wno-comment +# -Wno-dangling-else not available in gcc-4.2, which is still around... .if exists(/usr/bin/nc) CFLAGS+= -DNETCAT='"/usr/bin/nc"' .else Modified: head/security/sst/files/patch-sst.c ============================================================================== --- head/security/sst/files/patch-sst.c Sun Nov 4 22:56:21 2018 (r484157) +++ head/security/sst/files/patch-sst.c Mon Nov 5 00:04:04 2018 (r484158) @@ -1,17 +1,14 @@ ---- sst.c.orig 2000-05-04 19:47:28 UTC -+++ sst.c -@@ -212,7 +212,7 @@ - ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** +--- sst.c 2015-05-06 09:24:06.000000000 -0400 ++++ sst.c 2018-11-04 18:57:40.626302000 -0500 +@@ -213,5 +213,5 @@ */ #ifndef lint --static char rcsid[] = "$Header: /local/src/local.bin/sst/SRC/RCS/sst.c,v 1.12 2000/05/04 19:47:26 pkern Exp $"; -+static const char rcsid[] = "$Header: /local/src/local.bin/sst/SRC/RCS/sst.c,v 1.12 2000/05/04 19:47:26 pkern Exp $"; +-static char rcsid[] = "$Header: /c/src/local.bin/sst/RCS/sst.c,v 1.23 2015/05/06 13:24:00 pkern Exp $"; ++static const char rcsid[] = "$Header: /c/src/local.bin/sst/RCS/sst.c,v 1.23 2015/05/06 13:24:00 pkern Exp $"; #endif - #include -@@ -261,10 +261,10 @@ int timeout = 0; - int inetd = 0; - int eofclnt = 0; +@@ -267,8 +267,8 @@ + int self_signed_ok = 1; -char *prog = "sst"; -char *host = NULL; @@ -23,9 +20,7 @@ +const char *method = NULL; char certfbuf[MAXPATHLEN], ssldbuf[MAXPATHLEN]; - char *certf = NULL, *pkeyf = NULL, *ssld = NULL; -@@ -297,8 +297,8 @@ pid_t pid = 0; - * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) +@@ -316,6 +316,6 @@ * All rights reserved. */ -void 
@@ -34,50 +29,87 @@ +ERR_log_errors(void) { unsigned long l; - char buf[200]; -@@ -314,13 +314,17 @@ ERR_log_errors() - } +@@ -333,5 +333,5 @@ } -void --show_SSL_errors() +static void -+show_SSL_errors(void) + show_SSL_errors() { - if (logging) ERR_log_errors(); - else ERR_print_errors_fp(stderr); +@@ -340,4 +340,8 @@ } +#ifndef __GNUC__ +# define __attribute__(x) +#endif + - #define SHOW_x(L,F,x) { \ + #define SHOW_x(L,F,x) do { \ if (logging) syslog((L), "%s", (x)); \ - else fprintf((F), "%d: %s\n", getpid(), (x)); } -@@ -346,7 +350,7 @@ show_SSL_errors() - #define SHOW_info2(f,a1,a2) SHOW_x2(LOG_DEBUG,tty,f,a1,a2) +@@ -367,5 +371,5 @@ -char *usageopts[] = { -+const char *usageopts[] = { ++static const char *usageopts[] = { "", " options:", - " --------", -@@ -374,9 +378,10 @@ char *usageopts[] = { - NULL +@@ -389,5 +393,5 @@ + " -K pkey-file = use instead of the default private key file.", + " -D ssl-conf = use as the path to default cert/keys.", +-" -M method = use a specific SSL method (ssl2, ssl3 or tls1).", ++" -M method = use a specific SSL method (ssl3 or tls1, etc.).", + #ifdef USE_EGD + " -E skt-path = use instead of the default EGD socket.", +@@ -403,7 +407,40 @@ }; -usage() ++struct method { ++ const char *name; ++ const SSL_METHOD * (*meth)(void); ++} methods[] = { ++#if !defined(OPENSSL_NO_SSL2) && OPENSSL_VERSION_NUMBER < 0x1010000fL ++ { "ssl2", SSLv2_method }, ++#endif ++#if !defined(OPENSSL_NO_SSL3) && OPENSSL_VERSION_NUMBER < 0x1020000fL ++ { "ssl3", SSLv3_method }, ++#endif ++#if !defined(OPENSSL_NO_TLS1_METHOD) ++ { "tls1", TLSv1_method }, ++#endif ++#if !defined(OPENSSL_NO_TLS1_1_METHOD) ++ { "tls1.1", TLSv1_1_method }, ++#endif ++#if !defined(OPENSSL_NO_TLS1_2_METHOD) ++ { "tls1.2", TLSv1_2_method }, ++#endif ++#if OPENSSL_VERSION_NUMBER >= 0x1010000fL ++ { "dtls", DTLS_method }, ++#endif ++#if !defined(OPENSSL_NO_DTLS1_METHOD) && OPENSSL_VERSION_NUMBER >= 0x1010000fL ++ { "dtls1", DTLSv1_method }, ++#endif ++#if 
!defined(OPENSSL_NO_TLS1_2_METHOD) && OPENSSL_VERSION_NUMBER >= 0x1010000fL ++ { "dtls1.2", DTLSv1_2_method }, ++#endif ++ { NULL, SSLv23_method } ++}; ++ +static void +usage(void) { - char **uop = usageopts; + const char **uop = usageopts; ++ const struct method *m; if (logging) { - syslog(LOG_ERR, "usage: %s [ '--' ]", prog); -@@ -389,8 +394,8 @@ usage() +@@ -415,9 +452,14 @@ + while (*uop != NULL) fprintf(stderr, "%s\n", *uop++); + } ++ fprintf(stderr, " methods avalable for the -M option:\n"); ++ fprintf(stderr, " -----------------------------------\n"); ++ for (m = methods; m->name != NULL; m++) ++ fprintf(stderr, " %s", m->name); ++ fprintf(stderr, "\n"); } /* reaper -- zombie prevention */ 
@@ -87,118 +119,192 @@ +reaper(int signal __attribute__((unused))) { int w; - pid_t p; -@@ -414,6 +419,7 @@ reaper() - * +@@ -459,4 +501,5 @@ * - EOF on rd when in server mode means the actual server has finished. */ +static void relay(ssl, sd, rd, wd) SSL *ssl; - int sd, rd, wd; -@@ -522,22 +528,14 @@ done: - } +@@ -594,28 +637,10 @@ if (verbose) { - if (sizeof(off_t) > 4) { -- SHOW_info1("bytes from ssl: %qd", nsr); -- SHOW_info1("bytes to ssl: %qd", nsw); +- if (ssl != NULL) { +- SHOW_info1("bytes from ssl: %qd", nsr); +- SHOW_info1("bytes to ssl: %qd", nsw); +- } +- else { +- SHOW_info1("bytes from remote: %qd", nsr); +- SHOW_info1("bytes to remote: %qd", nsw); +- } - SHOW_info1("bytes from local: %qd", nlr); - SHOW_info1("bytes to local: %qd", nlw); - } - else { -- SHOW_info1("bytes from ssl: %ld", nsr); -- SHOW_info1("bytes to ssl: %ld", nsw); +- if (ssl != NULL) { +- SHOW_info1("bytes from ssl: %ld", nsr); +- SHOW_info1("bytes to ssl: %ld", nsw); +- } +- else { +- SHOW_info1("bytes from remote: %ld", nsr); +- SHOW_info1("bytes to remote: %ld", nsw); +- } - SHOW_info1("bytes from local: %ld", nlr); - SHOW_info1("bytes to local: %ld", nlw); - } -+ SHOW_info1("bytes from ssl: %qd", (long long int)nsr); -+ SHOW_info1("bytes to ssl: %qd", (long long int)nsw); -+ SHOW_info1("bytes from local: %qd", (long long int)nlr); -+ SHOW_info1("bytes to local: %qd", (long long int)nlw); ++ const char *id = ssl ? 
"ssl" : "remote"; ++ ++ SHOW_info2("bytes from %5s: %jd", id, (intmax_t)nsr); ++ SHOW_info2("bytes to %5s: %jd", id, (intmax_t)nsw); ++ SHOW_info1("bytes from local: %jd", (intmax_t)nlr); ++ SHOW_info1("bytes to local: %jd", (intmax_t)nlw); } } +@@ -646,5 +671,5 @@ + bp = X509_NAME_oneline(X509_get_subject_name(err_cert), 0, 0); +- if (bp) { subj = strdup(bp); CRYPTO_free(bp); } ++ if (bp) { subj = strdup(bp); OPENSSL_free(bp); } + + /* +@@ -688,9 +713,10 @@ + switch (err) { + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: +- bp = X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), 0, 0); ++ bp = X509_NAME_oneline(X509_get_issuer_name( ++ X509_STORE_CTX_get_current_cert(ctx)), 0, 0); + if (bp == NULL) SHOW_err("verify: cert: no issuer."); + else { + if (debug > 1) SHOW_info1("verify: cert issuer: %s", bp); +- CRYPTO_free(bp); ++ OPENSSL_free(bp); + } + break; +@@ -703,5 +729,5 @@ + } + - +static void + peer_cert_prep(ctx) + SSL_CTX *ctx; +@@ -725,4 +751,5 @@ + * (note: beware of dynamic allocation) + */ ++static void + peer_cert_chk(ctx, ssl) + SSL_CTX *ctx; +@@ -751,5 +778,5 @@ + else { + SHOW_info1("peer cert subject: %s", bp); +- CRYPTO_free(bp); ++ OPENSSL_free(bp); + } + +@@ -758,5 +785,5 @@ + else { + SHOW_info1("peer cert issuer: %s", bp); +- CRYPTO_free(bp); ++ OPENSSL_free(bp); + } + } +@@ -782,5 +809,5 @@ + } + +- ++static void + cert_prep(ctx) + SSL_CTX *ctx; +@@ -804,5 +831,25 @@ + } + ++static const SSL_METHOD * ++discern_ssl_method(requested) ++const char *requested; ++{ ++ const struct method *m; ++ ++ if (requested == NULL) ++ goto highest; ++ ++ for (m = methods; m->name != NULL; m++) { ++ if (strcmp(m->name, requested) == 0) ++ return m->meth(); ++ } ++ ++highest: ++ SHOW_info1("method `%s' not known, trying best available", requested); ++ m = methods + sizeof(methods)/sizeof(methods[0]); /* Last entry */ ++ return m->meth(); ++} + ++static void srvr_prep(ctx, ssl, sd) SSL_CTX **ctx; - SSL **ssl; -@@ -556,10 +554,14 @@ int sd; +@@ -811,6 +858,5 
@@ + { + int err; +- SSL_METHOD *meth; +- X509 *client_cert; ++ const SSL_METHOD *meth; - if (method == NULL) - meth = SSLv23_server_method(); -+#ifndef OPENSSL_NO_SSL2 - else if (strcmp(method, "ssl2") == 0) - meth = SSLv2_server_method(); -+#endif -+#ifndef OPENSSL_NO_SSL3_METHOD - else if (strcmp(method, "ssl3") == 0) - meth = SSLv3_server_method(); -+#endif - else if (strcmp(method, "tls1") == 0) - meth = TLSv1_server_method(); - else -@@ -609,8 +611,8 @@ int sd; - SHOW_info1("client cert subject: %s", subj); - SHOW_info1("client cert issuer: %s", issu); + /* +@@ -821,14 +867,5 @@ + SSLeay_add_ssl_algorithms(); -- Free(subj); -- Free(issu); -+ free(subj); -+ free(issu); - - /* - * XXX ... -@@ -624,7 +626,7 @@ int sd; - } +- if (method == NULL) +- meth = SSLv23_server_method(); +- else if (strcmp(method, "ssl2") == 0) +- meth = SSLv2_server_method(); +- else if (strcmp(method, "ssl3") == 0) +- meth = SSLv3_server_method(); +- else if (strcmp(method, "tls1") == 0) +- meth = TLSv1_server_method(); +- else +- meth = SSLv23_server_method(); ++ meth = discern_ssl_method(method); + + *ctx = SSL_CTX_new (meth); +@@ -854,5 +891,5 @@ } - +static void clnt_prep(ctx, ssl, sd) SSL_CTX **ctx; - SSL **ssl; -@@ -643,10 +645,14 @@ int sd; +@@ -861,6 +898,5 @@ + { + int err; +- SSL_METHOD *meth; +- X509 *server_cert; ++ const SSL_METHOD *meth; - if (method == NULL) - meth = SSLv23_client_method(); -+#ifndef OPENSSL_NO_SSL2 - else if (strcmp(method, "ssl2") == 0) - meth = SSLv2_client_method(); -+#endif -+#ifndef OPENSSL_NO_SSL3_METHOD - else if (strcmp(method, "ssl3") == 0) - meth = SSLv3_client_method(); -+#endif - else if (strcmp(method, "tls1") == 0) - meth = TLSv1_client_method(); - else -@@ -699,8 +705,8 @@ int sd; - SHOW_info1("server cert subject: %s", subj); - SHOW_info1("server cert issuer: %s", issu); + /* +@@ -871,14 +907,5 @@ + SSLeay_add_ssl_algorithms(); -- Free(subj); -- Free(issu); -+ free(subj); -+ free(issu); +- if (method == NULL) +- meth = 
SSLv23_client_method(); +- else if (strcmp(method, "ssl2") == 0) +- meth = SSLv2_client_method(); +- else if (strcmp(method, "ssl3") == 0) +- meth = SSLv3_client_method(); +- else if (strcmp(method, "tls1") == 0) +- meth = TLSv1_client_method(); +- else +- meth = SSLv23_client_method(); ++ meth = discern_ssl_method(method); - /* - * XXX ... -@@ -713,7 +719,7 @@ int sd; - X509_free (server_cert); + *ctx = SSL_CTX_new (meth); +@@ -903,5 +930,5 @@ } - +int main(ac, av) int ac; - char *av[]; -@@ -756,7 +762,6 @@ char *av[]; - if (logging) openlog(prog, LOG_PID, LOG_SSL); +@@ -958,5 +985,4 @@ if (errflg) { -usage: usage(); - exit(1); - } + quit(1);
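Review bot: the distfile is still fetched from a plain-http MASTER_SITES (http://utcc.utoronto.ca/~pkern/stuff/sst/), so the SHA256 line added to distinfo for sst-1.23.tar.xz is the only thing that authenticates what gets built; worth confirming that hash against the copy that was submitted upstream rather than only the one fetched here. Dropping PORTREVISION with the PORTVERSION bump, and dropping DISTNAME so the default ${PORTNAME}-${PORTVERSION} name matches the .tar.xz in distinfo (with tar:xz added to USES), are consistent with each other.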
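Review bot: the regenerated header of patch-sst.c (`+--- sst.c 2015-05-06 09:24:06.000000000 -0400` / `++++ sst.c 2018-11-04 18:57:40.626302000 -0500`) names the same file on both sides and drops the `.orig` suffix the previous header carried (`--- sst.c.orig 2000-05-04 19:47:28 UTC`); regenerating the file with `make makepatch` yields the ports-standard `--- sst.c.orig` / `+++ sst.c` form with a UTC timestamp.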
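Review bot: the `ssl3` entry of `methods[]` is guarded by `OPENSSL_NO_SSL3`, while every other entry in the table (and the `#ifndef OPENSSL_NO_SSL3_METHOD` the old patch used) keys on the `*_METHOD` macro; an OpenSSL built with the protocol enabled but `no-ssl3-method` leaves `SSLv3_method` undeclared and the build fails. `#if !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD)` covers both cases. The `OPENSSL_VERSION_NUMBER < 0x1020000fL` bound on that entry matches no release (1.1.1 and 3.0 still provide SSLv3_method when it is enabled), and all the numeric comparisons in the table misfire on LibreSSL, which reports 0x20000000L; the feature macros are the reliable test. In the usage() addition, "methods avalable" is a typo, and the new `fprintf(stderr, ...)` lines run unconditionally after the `if (logging) { ... } else { ... }` block, so in logging mode the method list goes to stderr while the rest of the usage text goes to syslog. Finally, ssl2 and ssl3 stay selectable wherever the library still ships them; since the `{ NULL, SSLv23_method }` sentinel already negotiates the newest version both peers support, those two entries only serve legacy peers, and the -M help line ("ssl3 or tls1, etc.") should say so rather than advertise ssl3 as a normal choice.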
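Review bot: in discern_ssl_method(), `m = methods + sizeof(methods)/sizeof(methods[0]); /* Last entry */` points one past the end of the array, not at the last entry, so `m->meth()` reads and calls through out-of-bounds memory on every run without -M and on every unknown name; it needs `- 1`. The `goto highest` taken when `requested == NULL` also lands on `SHOW_info1("method `%s' not known, trying best available", requested)` with a NULL argument, which is undefined for %s and logs a misleading "not known" for the default case; return the sentinel directly when nothing was requested. For a name that is not in the table, consider failing through usage() instead of logging at LOG_DEBUG and silently picking "best available": a mistyped `-M tls1.2` should not quietly become whatever the library negotiates. Elsewhere in the hunk, the `%jd` / `(intmax_t)` casts in relay() need <stdint.h> (or <inttypes.h>) to be included, which is not visible here; the CRYPTO_free to OPENSSL_free change, X509_STORE_CTX_get_current_cert() in place of `ctx->current_cert`, and the `const SSL_METHOD *meth` declarations are the right 1.1-compatible forms.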