
From:
Renaud Allard <renaud@allard.it>
Subject:
[update] net/sniproxy 0.9.12
To:
ports <ports@openbsd.org>
Date:
Fri, 21 Nov 2025 16:17:46 +0100


Hello,

Here is a diff for net/sniproxy to 0.9.12.

It now lies in another repository again, but changes are quite drastic.
The new version adds way more features and solves a whole bunch of 
security and reliability issues.
This version is now privilege separated. pledge and unveil are applied 
following the configuration file instead of relying on static places.
The old configuration stanzas are still understood to keep old 
configurations working. It also now fully understands HTTP/2 and can use 
DNS over TLS.

However, the configuration file must now be mode 0640 or stricter, and the 
daemon can no longer log to a FIFO or a symlink; syslog is the preferred way of logging.

It now uses c-ares instead of libudns. PCRE1 support has been completely 
removed.
No more patches are needed.

I didn't rename it to keep user and daemon groups without modifications. 
All patches are also now unneeded.

It has been tested on amd64 and aarch64.

Best Regards

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/sniproxy/Makefile,v
diff -u -p -r1.11 Makefile
--- Makefile	1 Oct 2025 15:46:23 -0000	1.11
+++ Makefile	21 Nov 2025 15:16:03 -0000
@@ -1,12 +1,12 @@
 COMMENT =	name-based proxying of HTTPS without decrypting traffic
 
-GH_ACCOUNT =	dlundquist
+GH_ACCOUNT =	renaudallard
 GH_PROJECT =	sniproxy
-GH_TAGNAME =	0.7.0
+GH_TAGNAME =	0.9.12
 
 CATEGORIES =	net
 
-HOMEPAGE =	https://github.com/dlundquist/sniproxy
+HOMEPAGE =	https://github.com/renaudallard/sniproxy
 
 MAINTAINER =	Renaud Allard <renaud@allard.it>
 
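Review bot: The distfile provenance changes here: GH_ACCOUNT and HOMEPAGE move from the original author's repository to a fork under the maintainer's own account, and nothing in the Makefile records why, so a later porter cannot tell whether this was a deliberate upstream change or a typo. A one-line comment above GH_ACCOUNT would settle that, e.g. `# upstream moved to the maintainer's fork in 0.9.x; original dlundquist repository no longer used`. Since every OpenBSD-specific patch is dropped in this same diff, the port now also relies on the fork's shipped sniproxy.conf using the `_sniproxy` user/group and /var/log paths that patches/patch-sniproxy_conf used to enforce; that is presumably the case given the note about keeping the user and group, but it is worth confirming against the packaged example config before commit.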
@@ -17,11 +17,11 @@ COMPILER =	base-clang ports-gcc
 COMPILER_LANGS =	c
 
 # use pledge()
-WANTLIB += c ev pcre2-8 udns
+WANTLIB += c ev pcre2-8 cares
 
 BUILD_DEPENDS =	devel/gettext,-tools
 
-LIB_DEPENDS =	net/udns \
+LIB_DEPENDS =	net/libcares \
 		devel/libev \
 		devel/pcre2
 
@@ -30,8 +30,6 @@ AUTOMAKE_VERSION =	1.16
 CONFIGURE_STYLE =	autoreconf
 AUTORECONF =		./autogen.sh
 
-CONFIGURE_ARGS =	--disable-rpath \
-			--enable-dns
 CONFIGURE_ENV =	CPPFLAGS="-I${LOCALBASE}/include" \
 		LDFLAGS="${LDFLAGS} -L${LOCALBASE}/lib"
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/sniproxy/distinfo,v
diff -u -p -r1.7 distinfo
--- distinfo	1 Oct 2025 15:46:23 -0000	1.7
+++ distinfo	21 Nov 2025 15:16:03 -0000
@@ -1,2 +1,2 @@
-SHA256 (sniproxy-0.7.0.tar.gz) = u+V5iGwa9g6FC4tb74UPELMX5uvjZssLVHaxIw8ocOQ=
-SIZE (sniproxy-0.7.0.tar.gz) = 79685
+SHA256 (sniproxy-0.9.12.tar.gz) = 7sNo69EXOmnIP/jWfTtWaOJ1f7LB6WJNAHq6DIEUhcY=
+SIZE (sniproxy-0.9.12.tar.gz) = 205666
Index: patches/patch-README_md
===================================================================
RCS file: patches/patch-README_md
diff -N patches/patch-README_md
--- patches/patch-README_md	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,16 +0,0 @@
-Index: README.md
---- README.md.orig
-+++ README.md
-@@ -166,3 +166,12 @@ build without UDNS, but these features will be unavail
- UDNS uses a single UDP socket for all queries, so it is recommended you use a
- local caching DNS resolver (with a single socket each DNS query is protected by
- spoofing by a single 16 bit query ID, which makes it relatively easy to spoof).
-+
-+
-+OpenBSD specific behaviour
-+--------------------------
-+
-+On OpenBSD, sniproxy is protected by pledge(2) and unveil(2).
-+Therefore, the configuration file must be /etc/sniproxy.conf, unix sockets
-+must be in /var/www/sockets and logs must be in /var/log. Also, sniproxy PID
-+file must be /var/run/sniproxy.pid
Index: patches/patch-sniproxy_conf
===================================================================
RCS file: patches/patch-sniproxy_conf
diff -N patches/patch-sniproxy_conf
--- patches/patch-sniproxy_conf	1 Oct 2025 15:46:23 -0000	1.3
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,23 +0,0 @@
-Index: sniproxy.conf
---- sniproxy.conf.orig
-+++ sniproxy.conf
-@@ -2,8 +2,8 @@
- # lines that start with # are comments
- # lines with only white space are ignored
- 
--user nobody
--group nogroup
-+user _sniproxy
-+group _sniproxy
- 
- # PID file, needs to be placed in directory writable by user
- pidfile /var/run/sniproxy.pid
-@@ -47,7 +47,7 @@ error_log {
- # Global access log for all listeners
- access_log {
-     # Same options as error_log
--    filename /tmp/sniproxy-access.log
-+    filename /var/log/sniproxy-access.log
- }
- 
- # blocks are delimited with {...}
Index: patches/patch-src_cfg_tokenizer_c
===================================================================
RCS file: patches/patch-src_cfg_tokenizer_c
diff -N patches/patch-src_cfg_tokenizer_c
--- patches/patch-src_cfg_tokenizer_c	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-Index: src/cfg_tokenizer.c
---- src/cfg_tokenizer.c.orig
-+++ src/cfg_tokenizer.c
-@@ -62,7 +62,7 @@ next_token(FILE *config, char *buffer, size_t buffer_l
-             default:
-                 /* Rewind one byte, so next_word() can fetch from
-                  * the beginning of the word */
--                fseek(config, -1, SEEK_CUR);
-+                fseeko(config, -1, SEEK_CUR);
- 
-                 token_len = next_word(config, buffer, buffer_len);
-                 if (token_len <= 0)
-@@ -116,7 +116,7 @@ next_word(FILE *file, char *buffer, int buffer_len) {
-                 if (quoted == 0) {
-                     /* rewind the file one character, so we don't eat
-                      * part of the next token */
--                    fseek(file, -1, SEEK_CUR);
-+                    fseeko(file, -1, SEEK_CUR);
- 
-                     buffer[len] = '\0';
-                     len++;
Index: patches/patch-src_config_c
===================================================================
RCS file: patches/patch-src_config_c
diff -N patches/patch-src_config_c
--- patches/patch-src_config_c	1 Oct 2025 15:46:23 -0000	1.3
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-Index: src/config.c
---- src/config.c.orig
-+++ src/config.c
-@@ -238,13 +238,13 @@ init_config(const char *filename, struct ev_loop *loop
-     }
- 
-     if (parse_config(config, file, global_grammar) <= 0) {
--        intmax_t whence = ftell(file);
-+        off_t whence = ftello(file);
-         char line[256];
- 
--        err("error parsing %s at %jd near:", filename, whence);
--        fseek(file, -20, SEEK_CUR);
-+        err("error parsing %s at %jd near:", filename, (intmax_t)whence);
-+        fseeko(file, -20, SEEK_CUR);
-         for (int i = 0; i < 5; i++)
--            err(" %jd\t%s", ftell(file), fgets(line, sizeof(line), file));
-+            err(" %jd\t%s", (intmax_t)ftello(file), fgets(line, sizeof(line), file));
- 
-         free_config(config, loop);
-         config = NULL;
Index: patches/patch-src_connection_c
===================================================================
RCS file: patches/patch-src_connection_c
diff -N patches/patch-src_connection_c
--- patches/patch-src_connection_c	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,19 +0,0 @@
-Index: src/connection.c
---- src/connection.c.orig
-+++ src/connection.c
-@@ -812,13 +812,13 @@ new_connection(struct ev_loop *loop) {
-     con->query_handle = NULL;
-     con->use_proxy_header = 0;
- 
--    con->client.buffer = new_buffer(4096, loop);
-+    con->client.buffer = new_buffer(16384, loop);
-     if (con->client.buffer == NULL) {
-         free_connection(con);
-         return NULL;
-     }
- 
--    con->server.buffer = new_buffer(4096, loop);
-+    con->server.buffer = new_buffer(16384, loop);
-     if (con->server.buffer == NULL) {
-         free_connection(con);
-         return NULL;
Index: patches/patch-src_sniproxy_c
===================================================================
RCS file: patches/patch-src_sniproxy_c
diff -N patches/patch-src_sniproxy_c
--- patches/patch-src_sniproxy_c	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,39 +0,0 @@
-Index: src/sniproxy.c
---- src/sniproxy.c.orig
-+++ src/sniproxy.c
-@@ -71,6 +71,35 @@ main(int argc, char **argv) {
-     rlim_t max_nofiles = 65536;
-     int opt;
- 
-+    #ifdef __OpenBSD__
-+    if (unveil("/etc/sniproxy.conf", "r") != 0) {
-+	perror("unveil /etc/sniproxy.conf");
-+	exit(1);
-+	}
-+    if (unveil("/var/run/sniproxy.pid", "rwc") != 0) {
-+	perror("unveil /var/run/sniproxy.pid");
-+	exit(1);
-+	}
-+    if (unveil("/var/log", "rwc") != 0) {
-+	perror("unveil /var/log");
-+	exit(1);
-+	}
-+    if (unveil("/var/www/sockets", "rw") != 0) {
-+	perror("unveil /var/www/sockets");
-+	exit(1);
-+	}
-+    if (unveil(NULL, NULL) != 0) {
-+	perror("unveil");
-+	exit(1);
-+	}
-+
-+    if (pledge("stdio getpw inet dns rpath proc id"
-+                " wpath cpath unix", NULL) == -1) {
-+    fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno));
-+    exit(1);
-+    }
-+    #endif
-+
-     while ((opt = getopt(argc, argv, "fc:n:V")) != -1) {
-         switch (opt) {
-             case 'c':
Index: patches/patch-tests_bad_dns_request_test
===================================================================
RCS file: patches/patch-tests_bad_dns_request_test
diff -N patches/patch-tests_bad_dns_request_test
--- patches/patch-tests_bad_dns_request_test	2 Oct 2025 07:08:49 -0000	1.2
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/bad_dns_request_test
---- tests/bad_dns_request_test.orig
-+++ tests/bad_dns_request_test
-@@ -60,7 +60,7 @@ sub http_client($$) {
-     $socket->send($request);
- 
-     my $buffer;
--    $socket->recv($buffer, 4096);
-+    $socket->recv($buffer, 16384);
- 
-     $socket->close();
- 
Index: patches/patch-tests_bad_request_test
===================================================================
RCS file: patches/patch-tests_bad_request_test
diff -N patches/patch-tests_bad_request_test
--- patches/patch-tests_bad_request_test	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/bad_request_test
---- tests/bad_request_test.orig
-+++ tests/bad_request_test
-@@ -282,7 +282,7 @@ sub tls_client($$) {
-     $socket->send($request);
- 
-     my $buffer;
--    $socket->recv($buffer, 4096);
-+    $socket->recv($buffer, 16384);
- 
-     $socket->close();
- 
Index: patches/patch-tests_buffer_test_c
===================================================================
RCS file: patches/patch-tests_buffer_test_c
diff -N patches/patch-tests_buffer_test_c
--- patches/patch-tests_buffer_test_c	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-Index: tests/buffer_test.c
---- tests/buffer_test.c.orig
-+++ tests/buffer_test.c
-@@ -127,7 +127,7 @@ static void test4(void) {
-     struct Buffer *buffer;
-     int read_fd, write_fd;
- 
--    buffer = new_buffer(4096, EV_DEFAULT);
-+    buffer = new_buffer(16384, EV_DEFAULT);
- 
-     read_fd = open("/dev/zero", O_RDONLY);
-     if (read_fd < 0) {
-@@ -155,7 +155,7 @@ static void test_buffer_coalesce(void) {
-     char output[sizeof(input)];
-     int len;
- 
--    buffer = new_buffer(4096, EV_DEFAULT);
-+    buffer = new_buffer(16384, EV_DEFAULT);
-     len = buffer_push(buffer, input, sizeof(input));
-     assert(len == sizeof(input));
- 
Index: patches/patch-tests_connection_reset_test
===================================================================
RCS file: patches/patch-tests_connection_reset_test
diff -N patches/patch-tests_connection_reset_test
--- patches/patch-tests_connection_reset_test	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,27 +0,0 @@
-Index: tests/connection_reset_test
---- tests/connection_reset_test.orig
-+++ tests/connection_reset_test
-@@ -42,8 +42,8 @@ sub simple_server($) {
-                       "\r\n");
- 
-         # Send a bunch of data (more that will be buffered by the kernel
--        for (my $i = 0; $i < 4096; $i++) {
--            $client->send('x' x 4096);
-+        for (my $i = 0; $i < 16384; $i++) {
-+            $client->send('x' x 16384);
-         }
-         $client->close();
-         exit;
-@@ -76,9 +76,9 @@ sub bad_client($) {
-                   "\r\n");
- 
-     my $buffer;
--    $socket->recv($buffer, 4096);
--    $socket->recv($buffer, 4096);
--    $socket->recv($buffer, 4096);
-+    $socket->recv($buffer, 16384);
-+    $socket->recv($buffer, 16384);
-+    $socket->recv($buffer, 16384);
- 
-     $socket->close();
- 
Index: patches/patch-tests_fallback_test
===================================================================
RCS file: patches/patch-tests_fallback_test
diff -N patches/patch-tests_fallback_test
--- patches/patch-tests_fallback_test	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/fallback_test
---- tests/fallback_test.orig
-+++ tests/fallback_test
-@@ -56,7 +56,7 @@ sub http10_client($$) {
-     $socket->send("GET /$path HTTP/1.0\r\n\r\n");
- 
-     my $buffer;
--    $socket->recv($buffer, 4096);
-+    $socket->recv($buffer, 16384);
- 
-     $socket->close();
- 
Index: patches/patch-tests_slow_client_test
===================================================================
RCS file: patches/patch-tests_slow_client_test
diff -N patches/patch-tests_slow_client_test
--- patches/patch-tests_slow_client_test	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/slow_client_test
---- tests/slow_client_test.orig
-+++ tests/slow_client_test
-@@ -46,7 +46,7 @@ sub slow_client($$) {
-     }
- 
-     my $buffer;
--    $socket->recv($buffer, 4096);
-+    $socket->recv($buffer, 16384);
- 
-     $socket->close();
-