Mon Aug 29 19:21:25 2016 UTC ()

PR pkg/51449

Update stunnel to 5.35.

- Add patch to provide an explicit chroot option to the default
  configuration sample (option is documented but not found within
  the default conf file). While here, enable setuid/setgid as
  stunnel user/group creations are handled by package.
- Rework SUBSTs so that they apply to the correct sample
  config file.

Changelog:

Version 5.35, 2016.07.18, urgency: HIGH
* Bugfixes
  - Fixed incorrectly enforced client certificate requests.
  - Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
  - Fixed thread safety of the configuration file reopening.

Version 5.34, 2016.07.05, urgency: HIGH
* Security bugfixes
  - Fixed malfunctioning "verify = 4".
* New features
  - Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
  - Added three new service-level options: requireCert, verifyChain,
    and verifyPeer for fine-grained certificate verification control.
  - Improved compatibility with the current OpenSSL 1.1.0-dev tree.

Version 5.33, 2016.06.23, urgency: HIGH
* New features
  - Improved memory leak detection performance and accuracy.
  - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  - SNI support also enabled on OpenSSL 0.9.8f and later (thx to
    Guillermo Rodriguez Garcia).
  - Added support for PKCS #12 (.p12/.pfx) certificates (thx to
    Dmitry Bakshaev).
* Bugfixes
  - Fixed a TLS session caching memory leak (thx to Richard Kraemer).
    Before stunnel 5.27 this leak only emerged with sessiond enabled.
  - Yet another WinCE socket fix (thx to Richard Kraemer).
  - Fixed passphrase/pin dialogs in tstunnel.exe.
  - Fixed a FORK threading build regression bug.
  - OPENSSL_NO_DH compilation fix (thx to Brian Lin).


(jym)

diff -r1.103 -r1.104 pkgsrc/security/stunnel/Makefile
diff -r1.50 -r1.51 pkgsrc/security/stunnel/distinfo
diff -r0 -r1.1 pkgsrc/security/stunnel/patches/patch-stunnel.conf-sample.in

--- pkgsrc/security/stunnel/Makefile 2016/07/09 06:38:57 1.103
+++ pkgsrc/security/stunnel/Makefile 2016/08/29 19:21:24 1.104

 @@ -1,17 +1,16 @@
-# $NetBSD: Makefile,v 1.103 2016/07/09 06:38:57 wiz Exp $
+# $NetBSD: Makefile,v 1.104 2016/08/29 19:21:24 jym Exp $
-DISTNAME=		stunnel-5.32
+DISTNAME=		stunnel-5.35
 PKGREVISION=		1
 CATEGORIES=		security
 MASTER_SITES=		http://www.stunnel.org/downloads/
 MAINTAINER=		jym@NetBSD.org
 HOMEPAGE=		http://www.stunnel.org/
 COMMENT=		Universal SSL tunnel
 LICENSE=		gnu-gpl-v2
 BUILD_DEFS+=		VARBASE
 USE_LIBTOOL=		yes
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS+=	--localstatedir=${VARBASE}
 CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
 @@ -31,32 +30,24 @@ PKG_HOME.${STUNNEL_USER}?=	${VARBASE}/ch
 PKG_SYSCONFSUBDIR=	stunnel
 PKG_SYSCONFDIR_PERMS=	${REAL_ROOT_USER} ${STUNNEL_GROUP} 0750
 OWN_DIRS=		${PKG_HOME.${STUNNEL_USER}}/certs ${PKG_HOME.${STUNNEL_USER}}/crls
 OWN_DIRS_PERMS=		${PKG_HOME.${STUNNEL_USER}}/pid ${USER_GROUP} 0750
 CONF_FILES+=		${PREFIX}/share/examples/stunnel/stunnel.conf-sample \
 			    ${PKG_SYSCONFDIR}/stunnel.conf
 RCD_SCRIPTS=		stunnel
 REPLACE_PERL+=		src/stunnel3.in
 USE_TOOLS+=		perl:run
 SUBST_CLASSES+=		chroot
 SUBST_MESSAGE.chroot=	Fix chroot path
 SUBST_STAGE.chroot=	pre-configure
 SUBST_FILES.chroot=	tools/stunnel.conf-sample.in
 SUBST_SED.chroot+=	-e 's|@prefix@/var/lib|@localstatedir@/chroot|'
 SUBST_CLASSES+=		stunnel
-SUBST_MESSAGE.stunnel=	Fix user, group and pid
+SUBST_MESSAGE.stunnel=	Fix user and group
-SUBST_STAGE.stunnel=	post-configure
+SUBST_STAGE.stunnel=	pre-configure
-SUBST_FILES.stunnel=	tools/stunnel.conf-sample
+SUBST_FILES.stunnel=	tools/stunnel.conf-sample.in
-SUBST_SED.stunnel=	-e 's|setuid = nobody|setuid = ${STUNNEL_USER}|'
+SUBST_VARS.stunnel=	STUNNEL_USER STUNNEL_GROUP
 SUBST_SED.stunnel+=	-e 's|setgid = nogroup|setgid = ${STUNNEL_GROUP}|'
 SUBST_SED.stunnel+=	-e 's|pid = /stunnel.pid|pid = /pid/stunnel.pid|'
 .include "options.mk"
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../security/openssl/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"

--- pkgsrc/security/stunnel/distinfo 2016/06/03 23:12:06 1.50
+++ pkgsrc/security/stunnel/distinfo 2016/08/29 19:21:24 1.51

 @@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.50 2016/06/03 23:12:06 jym Exp $
+$NetBSD: distinfo,v 1.51 2016/08/29 19:21:24 jym Exp $
-SHA1 (stunnel-5.32.tar.gz) = 44f64ee0f9c7235a00d33b8338d439dbc519c594
+SHA1 (stunnel-5.35.tar.gz) = 90cafc2208aa3acefb503856482e163e9af463c4
-RMD160 (stunnel-5.32.tar.gz) = 13157bd6b1b32ca87465ff11dcd9bceed424c480
+RMD160 (stunnel-5.35.tar.gz) = 92f7c680e9de49740094a531c5b466aa5ac9d453
-SHA512 (stunnel-5.32.tar.gz) = aad3b718a727ae23bc88bda027017a5e4e19d2d08c1d4e95087dae20d4ed994d0ce29e9ae4b4d40456a7d7aaeb10c30a4283c6be2965d7183982204a347781bc
+SHA512 (stunnel-5.35.tar.gz) = cdec7ddafbfac4a1d420704baec72fedbd655871137ec8283c066203c0859019c6e11ce00647e5b471a019409e4eb5e9525166eddd7ddffa25055b95c0cacd9e
-Size (stunnel-5.32.tar.gz) = 641907 bytes
+Size (stunnel-5.35.tar.gz) = 645148 bytes
 SHA1 (patch-aa) = b247aca629197887fb720f7a02d9b73d60bb0d37
 SHA1 (patch-ac) = 91b09d39fb968ad76952acdff250150d3e372c36
 SHA1 (patch-stunnel.conf-sample.in) = 86d195963e5ad2db381ac89ae0fca13a7f641fa5

$NetBSD: patch-stunnel.conf-sample.in,v 1.1 2016/08/29 19:21:24 jym Exp $

--- tools/stunnel.conf-sample.in.orig	2016-07-05 21:27:57.000000000 +0000
+++ tools/stunnel.conf-sample.in
@@ -8,11 +8,14 @@
 ; **************************************************************************
 
 ; It is recommended to drop root privileges if stunnel is started by root
-;setuid = nobody
-;setgid = @DEFAULT_GROUP@
+setuid = @STUNNEL_USER@
+setgid = @STUNNEL_GROUP@
+
+; Default chroot path
+chroot = @localstatedir@/chroot/stunnel/
 
 ; PID file is created inside the chroot jail (if enabled)
-;pid = @localstatedir@/run/stunnel.pid
+pid = /pid/stunnel.pid
 
 ; Debugging stuff (may be useful for troubleshooting)
 ;foreground = yes