[update] net/sniproxy 0.7.0
On 2025/10/01 16:39, Renaud Allard wrote:
> +@@ -635,8 +635,45 @@ initiate_server_connect(struct Connection *con, struct
> + if (con->listener->transparent_proxy &&
> + con->client.addr.ss_family == con->server.addr.ss_family) {
> + #ifdef IP_TRANSPARENT
> ++ int result;
> ++ /* Make an IPv6 socket if necessary and purge ::ffff: from the v6-mapped address
> ++ * We need to take out the ffff because otherwise it'll be IPv4 on the wire.
This change is a no-op on OpenBSD, since IP_TRANSPARENT is not defined there.
> +Index: tests/bad_dns_request_test
> +--- tests/bad_dns_request_test.orig
> ++++ tests/bad_dns_request_test
> +@@ -60,7 +60,7 @@ sub http_client($$) {
> + $socket->send($request);
> +
> + my $buffer;
> +- $socket->recv($buffer, 4096);
> ++ $socket->recv($buffer, 16388);
typo?
Here's an updated diff with the IP_TRANSPARENT bit removed and switched
to pcre2. I left bad_dns_request_test alone for now. I think I'll commit
this as-is, so any further changes needed can be done via simpler
diffs.
I had some test failures, but I already have something listening on port 8080 and
didn't feel like changing the sniproxy tests to use a different port.
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/sniproxy/Makefile,v
diff -u -p -r1.10 Makefile
--- Makefile 14 Sep 2023 12:29:16 -0000 1.10
+++ Makefile 1 Oct 2025 15:45:08 -0000
@@ -1,12 +1,12 @@
COMMENT = name-based proxying of HTTPS without decrypting traffic
-GH_ACCOUNT = renaudallard
+GH_ACCOUNT = dlundquist
GH_PROJECT = sniproxy
-GH_TAGNAME = 0.6.8
+GH_TAGNAME = 0.7.0
CATEGORIES = net
-HOMEPAGE = https://github.com/renaudallard/sniproxy
+HOMEPAGE = https://github.com/dlundquist/sniproxy
MAINTAINER = Renaud Allard <renaud@allard.it>
@@ -17,20 +17,21 @@ COMPILER = base-clang ports-gcc
COMPILER_LANGS = c
# use pledge()
-WANTLIB += c ev pcre udns
+WANTLIB += c ev pcre2-8 udns
BUILD_DEPENDS = devel/gettext,-tools
LIB_DEPENDS = net/udns \
devel/libev \
- devel/pcre
+ devel/pcre2
-AUTOCONF_VERSION = 2.69
+AUTOCONF_VERSION = 2.71
AUTOMAKE_VERSION = 1.16
CONFIGURE_STYLE = autoreconf
AUTORECONF = ./autogen.sh
-CONFIGURE_ARGS = --disable-rpath
+CONFIGURE_ARGS = --disable-rpath \
+ --enable-dns
CONFIGURE_ENV = CPPFLAGS="-I${LOCALBASE}/include" \
LDFLAGS="${LDFLAGS} -L${LOCALBASE}/lib"
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/sniproxy/distinfo,v
diff -u -p -r1.6 distinfo
--- distinfo 14 Sep 2023 12:29:16 -0000 1.6
+++ distinfo 1 Oct 2025 15:45:08 -0000
@@ -1,2 +1,2 @@
-SHA256 (sniproxy-0.6.8.tar.gz) = 8LhjJQUNFaY7H5xqNuGsfHS6bx4dE3ARyBNTatw0Z2k=
-SIZE (sniproxy-0.6.8.tar.gz) = 80608
+SHA256 (sniproxy-0.7.0.tar.gz) = u+V5iGwa9g6FC4tb74UPELMX5uvjZssLVHaxIw8ocOQ=
+SIZE (sniproxy-0.7.0.tar.gz) = 79685
Index: patches/patch-README_md
===================================================================
RCS file: patches/patch-README_md
diff -N patches/patch-README_md
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-README_md 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,16 @@
+Index: README.md
+--- README.md.orig
++++ README.md
+@@ -166,3 +166,12 @@ build without UDNS, but these features will be unavail
+ UDNS uses a single UDP socket for all queries, so it is recommended you use a
+ local caching DNS resolver (with a single socket each DNS query is protected by
+ spoofing by a single 16 bit query ID, which makes it relatively easy to spoof).
++
++
++OpenBSD specific behaviour
++--------------------------
++
++On OpenBSD, sniproxy is protected by pledge(2) and unveil(2).
++Therefore, the configuration file must be /etc/sniproxy.conf, unix sockets
++must be in /var/www/sockets and logs must be in /var/log. Also, sniproxy PID
++file must be /var/run/sniproxy.pid
Index: patches/patch-sniproxy_conf
===================================================================
RCS file: patches/patch-sniproxy_conf
diff -N patches/patch-sniproxy_conf
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-sniproxy_conf 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,23 @@
+Index: sniproxy.conf
+--- sniproxy.conf.orig
++++ sniproxy.conf
+@@ -2,8 +2,8 @@
+ # lines that start with # are comments
+ # lines with only white space are ignored
+
+-user nobody
+-group nogroup
++user _sniproxy
++group _sniproxy
+
+ # PID file, needs to be placed in directory writable by user
+ pidfile /var/run/sniproxy.pid
+@@ -47,7 +47,7 @@ error_log {
+ # Global access log for all listeners
+ access_log {
+ # Same options as error_log
+- filename /tmp/sniproxy-access.log
++ filename /var/log/sniproxy-access.log
+ }
+
+ # blocks are delimited with {...}
Index: patches/patch-src_cfg_tokenizer_c
===================================================================
RCS file: patches/patch-src_cfg_tokenizer_c
diff -N patches/patch-src_cfg_tokenizer_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_cfg_tokenizer_c 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,21 @@
+Index: src/cfg_tokenizer.c
+--- src/cfg_tokenizer.c.orig
++++ src/cfg_tokenizer.c
+@@ -62,7 +62,7 @@ next_token(FILE *config, char *buffer, size_t buffer_l
+ default:
+ /* Rewind one byte, so next_word() can fetch from
+ * the beginning of the word */
+- fseek(config, -1, SEEK_CUR);
++ fseeko(config, -1, SEEK_CUR);
+
+ token_len = next_word(config, buffer, buffer_len);
+ if (token_len <= 0)
+@@ -116,7 +116,7 @@ next_word(FILE *file, char *buffer, int buffer_len) {
+ if (quoted == 0) {
+ /* rewind the file one character, so we don't eat
+ * part of the next token */
+- fseek(file, -1, SEEK_CUR);
++ fseeko(file, -1, SEEK_CUR);
+
+ buffer[len] = '\0';
+ len++;
Index: patches/patch-src_config_c
===================================================================
RCS file: patches/patch-src_config_c
diff -N patches/patch-src_config_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_config_c 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,21 @@
+Index: src/config.c
+--- src/config.c.orig
++++ src/config.c
+@@ -238,13 +238,13 @@ init_config(const char *filename, struct ev_loop *loop
+ }
+
+ if (parse_config(config, file, global_grammar) <= 0) {
+- intmax_t whence = ftell(file);
++ off_t whence = ftello(file);
+ char line[256];
+
+- err("error parsing %s at %jd near:", filename, whence);
+- fseek(file, -20, SEEK_CUR);
++ err("error parsing %s at %jd near:", filename, (intmax_t)whence);
++ fseeko(file, -20, SEEK_CUR);
+ for (int i = 0; i < 5; i++)
+- err(" %jd\t%s", ftell(file), fgets(line, sizeof(line), file));
++ err(" %jd\t%s", (intmax_t)ftello(file), fgets(line, sizeof(line), file));
+
+ free_config(config, loop);
+ config = NULL;
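Review bot: In the rewritten `err(" %jd\t%s", (intmax_t)ftello(file), fgets(line, sizeof(line), file))` line the order in which the two arguments are evaluated is unspecified, so the printed offset may refer to either the start or the end of the quoted line, and when fgets() returns NULL at end of file a null pointer is passed for `%s`, which is undefined behaviour. Read the offset into a local first and stop the loop on a NULL return; the lines below do that. The `fseeko(file, -20, SEEK_CUR)` result is also unchecked — it fails with EINVAL when the parse error lies within the first 20 bytes, which is harmless here but deserves a one-line comment. init_config() continues outside the hunk.
```c
        for (int i = 0; i < 5; i++) {
            off_t pos = ftello(file);
            if (fgets(line, sizeof(line), file) == NULL)
                break;
            err(" %jd\t%s", (intmax_t)pos, line);
        }
```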
Index: patches/patch-src_connection_c
===================================================================
RCS file: patches/patch-src_connection_c
diff -N patches/patch-src_connection_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_connection_c 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,19 @@
+Index: src/connection.c
+--- src/connection.c.orig
++++ src/connection.c
+@@ -812,13 +812,13 @@ new_connection(struct ev_loop *loop) {
+ con->query_handle = NULL;
+ con->use_proxy_header = 0;
+
+- con->client.buffer = new_buffer(4096, loop);
++ con->client.buffer = new_buffer(16384, loop);
+ if (con->client.buffer == NULL) {
+ free_connection(con);
+ return NULL;
+ }
+
+- con->server.buffer = new_buffer(4096, loop);
++ con->server.buffer = new_buffer(16384, loop);
+ if (con->server.buffer == NULL) {
+ free_connection(con);
+ return NULL;
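Review bot: The new buffer size 16384 is written as a bare literal in both new_buffer() calls here and again in tests/buffer_test.c (patch-tests_buffer_test_c) and in the Perl test clients, so the next change to it has to be repeated in every patch; a named constant in connection.c, e.g. `#define CONNECTION_BUFFER_SIZE 16384` with a comment stating why 16384 was chosen, would keep the code and the buffer test in step. Per-connection buffer memory quadruples (two buffers per connection), so the resident footprint under many concurrent connections grows accordingly — presumably an accepted trade-off, but one worth a sentence in the port's commit message. new_connection() continues outside the hunk.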
Index: patches/patch-src_sniproxy_c
===================================================================
RCS file: patches/patch-src_sniproxy_c
diff -N patches/patch-src_sniproxy_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_sniproxy_c 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,39 @@
+Index: src/sniproxy.c
+--- src/sniproxy.c.orig
++++ src/sniproxy.c
+@@ -71,6 +71,35 @@ main(int argc, char **argv) {
+ rlim_t max_nofiles = 65536;
+ int opt;
+
++ #ifdef __OpenBSD__
++ if (unveil("/etc/sniproxy.conf", "r") != 0) {
++ perror("unveil /etc/sniproxy.conf");
++ exit(1);
++ }
++ if (unveil("/var/run/sniproxy.pid", "rwc") != 0) {
++ perror("unveil /var/run/sniproxy.pid");
++ exit(1);
++ }
++ if (unveil("/var/log", "rwc") != 0) {
++ perror("unveil /var/log");
++ exit(1);
++ }
++ if (unveil("/var/www/sockets", "rw") != 0) {
++ perror("unveil /var/www/sockets");
++ exit(1);
++ }
++ if (unveil(NULL, NULL) != 0) {
++ perror("unveil");
++ exit(1);
++ }
++
++ if (pledge("stdio getpw inet dns rpath proc id"
++ " wpath cpath unix", NULL) == -1) {
++ fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno));
++ exit(1);
++ }
++ #endif
++
+ while ((opt = getopt(argc, argv, "fc:n:V")) != -1) {
+ switch (opt) {
+ case 'c':
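Review bot: The unveil(2) calls run before getopt(), so a `-c` path other than /etc/sniproxy.conf will fail later with a plain ENOENT from fopen() rather than anything pointing at unveil; a comment above the block such as `/* unveil runs before option parsing: -c only works for /etc/sniproxy.conf (see README) */` would spare the next reader that surprise. The `/var/www/sockets` entry grants only `rw`; if sniproxy binds unix listener sockets there, bind(2) creates a path and presumably needs the `c` flag as well — worth confirming against unveil(2). Error reporting is mixed in style: the unveil failures use `perror()` while the pledge failure uses `fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno))`; one form for all six exits would read more consistently. main() continues outside the hunk.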
Index: patches/patch-tests_bad_dns_request_test
===================================================================
RCS file: patches/patch-tests_bad_dns_request_test
diff -N patches/patch-tests_bad_dns_request_test
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-tests_bad_dns_request_test 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,12 @@
+Index: tests/bad_dns_request_test
+--- tests/bad_dns_request_test.orig
++++ tests/bad_dns_request_test
+@@ -60,7 +60,7 @@ sub http_client($$) {
+ $socket->send($request);
+
+ my $buffer;
+- $socket->recv($buffer, 4096);
++ $socket->recv($buffer, 16388);
+
+ $socket->close();
+
Index: patches/patch-tests_bad_request_test
===================================================================
RCS file: patches/patch-tests_bad_request_test
diff -N patches/patch-tests_bad_request_test
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-tests_bad_request_test 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,12 @@
+Index: tests/bad_request_test
+--- tests/bad_request_test.orig
++++ tests/bad_request_test
+@@ -282,7 +282,7 @@ sub tls_client($$) {
+ $socket->send($request);
+
+ my $buffer;
+- $socket->recv($buffer, 4096);
++ $socket->recv($buffer, 16384);
+
+ $socket->close();
+
Index: patches/patch-tests_buffer_test_c
===================================================================
RCS file: patches/patch-tests_buffer_test_c
diff -N patches/patch-tests_buffer_test_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-tests_buffer_test_c 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,21 @@
+Index: tests/buffer_test.c
+--- tests/buffer_test.c.orig
++++ tests/buffer_test.c
+@@ -127,7 +127,7 @@ static void test4(void) {
+ struct Buffer *buffer;
+ int read_fd, write_fd;
+
+- buffer = new_buffer(4096, EV_DEFAULT);
++ buffer = new_buffer(16384, EV_DEFAULT);
+
+ read_fd = open("/dev/zero", O_RDONLY);
+ if (read_fd < 0) {
+@@ -155,7 +155,7 @@ static void test_buffer_coalesce(void) {
+ char output[sizeof(input)];
+ int len;
+
+- buffer = new_buffer(4096, EV_DEFAULT);
++ buffer = new_buffer(16384, EV_DEFAULT);
+ len = buffer_push(buffer, input, sizeof(input));
+ assert(len == sizeof(input));
+
Index: patches/patch-tests_connection_reset_test
===================================================================
RCS file: patches/patch-tests_connection_reset_test
diff -N patches/patch-tests_connection_reset_test
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-tests_connection_reset_test 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,27 @@
+Index: tests/connection_reset_test
+--- tests/connection_reset_test.orig
++++ tests/connection_reset_test
+@@ -42,8 +42,8 @@ sub simple_server($) {
+ "\r\n");
+
+ # Send a bunch of data (more that will be buffered by the kernel
+- for (my $i = 0; $i < 4096; $i++) {
+- $client->send('x' x 4096);
++ for (my $i = 0; $i < 16384; $i++) {
++ $client->send('x' x 16384);
+ }
+ $client->close();
+ exit;
+@@ -76,9 +76,9 @@ sub bad_client($) {
+ "\r\n");
+
+ my $buffer;
+- $socket->recv($buffer, 4096);
+- $socket->recv($buffer, 4096);
+- $socket->recv($buffer, 4096);
++ $socket->recv($buffer, 16384);
++ $socket->recv($buffer, 16384);
++ $socket->recv($buffer, 16384);
+
+ $socket->close();
+
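Review bot: The simple_server loop now sends 16384 × 16384 bytes (256 MiB) per run, up from 16 MiB; the comment above it only asks for more data than the kernel will buffer, which 16 MiB already satisfied, so only the per-send chunk needed to track the new buffer size — keep `for (my $i = 0; $i < 4096; $i++) {` and change just `$client->send('x' x 16384);`. The three recv() calls in bad_client are fine as changed. simple_server() and bad_client() both continue outside the hunk.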
Index: patches/patch-tests_fallback_test
===================================================================
RCS file: patches/patch-tests_fallback_test
diff -N patches/patch-tests_fallback_test
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-tests_fallback_test 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,12 @@
+Index: tests/fallback_test
+--- tests/fallback_test.orig
++++ tests/fallback_test
+@@ -56,7 +56,7 @@ sub http10_client($$) {
+ $socket->send("GET /$path HTTP/1.0\r\n\r\n");
+
+ my $buffer;
+- $socket->recv($buffer, 4096);
++ $socket->recv($buffer, 16384);
+
+ $socket->close();
+
Index: patches/patch-tests_slow_client_test
===================================================================
RCS file: patches/patch-tests_slow_client_test
diff -N patches/patch-tests_slow_client_test
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-tests_slow_client_test 1 Oct 2025 15:45:08 -0000
@@ -0,0 +1,12 @@
+Index: tests/slow_client_test
+--- tests/slow_client_test.orig
++++ tests/slow_client_test
+@@ -46,7 +46,7 @@ sub slow_client($$) {
+ }
+
+ my $buffer;
+- $socket->recv($buffer, 4096);
++ $socket->recv($buffer, 16384);
+
+ $socket->close();
+