
From:
Renaud Allard <renaud@allard.it>
Subject:
Re: [update] net/sniproxy 0.9.13
To:
ports <ports@openbsd.org>
Date:
Tue, 25 Nov 2025 09:36:12 +0100


Hello,

Given it has not been updated yet, consider the attached 0.9.13 version 
instead. It has a few important fixes.

Best Regards

On 21/11/2025 16:17, Renaud Allard wrote:
> Hello,
> 
> Here is a diff for net/sniproxy to 0.9.12.
> 
> It now lies in another repository again, but changes are quite drastic.
> The new version adds way more features and solves a whole bunch of 
> security and reliability issues.
> This version is now privilege separated. pledge and unveil are applied 
> following the configuration file instead of relying on static places.
> The old configuration stanzas are still understood to keep old 
> configurations working. It also now fully understands HTTP/2 and can use 
> DNS over TLS.
> 
> However, the configuration file must now be mode 0640 or stricter, and it can 
> no longer log to a FIFO or a symlink; syslog is the preferred way of logging.
> 
> It now uses c-ares instead of libudns. PCRE1 support has been completely 
> removed.
> No more patches are needed.
> 
> I didn't rename it to keep user and daemon groups without modifications. 
> All patches are also now unneeded.
> 
> It has been tested on amd64 and aarch64.
> 
> Best Regards
> 

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/sniproxy/Makefile,v
diff -u -p -r1.11 Makefile
--- Makefile	1 Oct 2025 15:46:23 -0000	1.11
+++ Makefile	25 Nov 2025 08:34:18 -0000
@@ -1,12 +1,12 @@
 COMMENT =	name-based proxying of HTTPS without decrypting traffic
 
-GH_ACCOUNT =	dlundquist
+GH_ACCOUNT =	renaudallard
 GH_PROJECT =	sniproxy
-GH_TAGNAME =	0.7.0
+GH_TAGNAME =	0.9.13
 
 CATEGORIES =	net
 
-HOMEPAGE =	https://github.com/dlundquist/sniproxy
+HOMEPAGE =	https://github.com/renaudallard/sniproxy
 
 MAINTAINER =	Renaud Allard <renaud@allard.it>
 
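Review bot: GH_ACCOUNT moves the distfile from dlundquist to renaudallard, so the port now builds from a fork run by the port maintainer, and nothing in the hunk records that provenance change for the next reviewer. The SHA256 in distinfo pins the exact tarball, so a re-tagged 0.9.13 would be caught at fetch time, but a comment above GH_ACCOUNT such as `# fork of dlundquist/sniproxy; per the submission mail it carries the privsep and pledge/unveil work upstream` would explain why the account and HOMEPAGE changed. Because patch-sniproxy_conf is deleted in the same diff, it is also worth confirming that the fork's shipped sniproxy.conf defaults to `user _sniproxy` / `group _sniproxy` and logs under /var/log, which the old patch enforced; the tarball contents are not visible here.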
@@ -17,11 +17,11 @@ COMPILER =	base-clang ports-gcc
 COMPILER_LANGS =	c
 
 # use pledge()
-WANTLIB += c ev pcre2-8 udns
+WANTLIB += c ev pcre2-8 cares
 
 BUILD_DEPENDS =	devel/gettext,-tools
 
-LIB_DEPENDS =	net/udns \
+LIB_DEPENDS =	net/libcares \
 		devel/libev \
 		devel/pcre2
 
@@ -30,8 +30,6 @@ AUTOMAKE_VERSION =	1.16
 CONFIGURE_STYLE =	autoreconf
 AUTORECONF =		./autogen.sh
 
-CONFIGURE_ARGS =	--disable-rpath \
-			--enable-dns
 CONFIGURE_ENV =	CPPFLAGS="-I${LOCALBASE}/include" \
 		LDFLAGS="${LDFLAGS} -L${LOCALBASE}/lib"
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/sniproxy/distinfo,v
diff -u -p -r1.7 distinfo
--- distinfo	1 Oct 2025 15:46:23 -0000	1.7
+++ distinfo	25 Nov 2025 08:34:18 -0000
@@ -1,2 +1,2 @@
-SHA256 (sniproxy-0.7.0.tar.gz) = u+V5iGwa9g6FC4tb74UPELMX5uvjZssLVHaxIw8ocOQ=
-SIZE (sniproxy-0.7.0.tar.gz) = 79685
+SHA256 (sniproxy-0.9.13.tar.gz) = I56P8lZ1O3b7WonSLDRdPk6N//V6hBg6lqHEnp9lSSY=
+SIZE (sniproxy-0.9.13.tar.gz) = 212617
Index: patches/patch-README_md
===================================================================
RCS file: patches/patch-README_md
diff -N patches/patch-README_md
--- patches/patch-README_md	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,16 +0,0 @@
-Index: README.md
---- README.md.orig
-+++ README.md
-@@ -166,3 +166,12 @@ build without UDNS, but these features will be unavail
- UDNS uses a single UDP socket for all queries, so it is recommended you use a
- local caching DNS resolver (with a single socket each DNS query is protected by
- spoofing by a single 16 bit query ID, which makes it relatively easy to spoof).
-+
-+
-+OpenBSD specific behaviour
-+--------------------------
-+
-+On OpenBSD, sniproxy is protected by pledge(2) and unveil(2).
-+Therefore, the configuration file must be /etc/sniproxy.conf, unix sockets
-+must be in /var/www/sockets and logs must be in /var/log. Also, sniproxy PID
-+file must be /var/run/sniproxy.pid
Index: patches/patch-sniproxy_conf
===================================================================
RCS file: patches/patch-sniproxy_conf
diff -N patches/patch-sniproxy_conf
--- patches/patch-sniproxy_conf	1 Oct 2025 15:46:23 -0000	1.3
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,23 +0,0 @@
-Index: sniproxy.conf
---- sniproxy.conf.orig
-+++ sniproxy.conf
-@@ -2,8 +2,8 @@
- # lines that start with # are comments
- # lines with only white space are ignored
- 
--user nobody
--group nogroup
-+user _sniproxy
-+group _sniproxy
- 
- # PID file, needs to be placed in directory writable by user
- pidfile /var/run/sniproxy.pid
-@@ -47,7 +47,7 @@ error_log {
- # Global access log for all listeners
- access_log {
-     # Same options as error_log
--    filename /tmp/sniproxy-access.log
-+    filename /var/log/sniproxy-access.log
- }
- 
- # blocks are delimited with {...}
Index: patches/patch-src_cfg_tokenizer_c
===================================================================
RCS file: patches/patch-src_cfg_tokenizer_c
diff -N patches/patch-src_cfg_tokenizer_c
--- patches/patch-src_cfg_tokenizer_c	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-Index: src/cfg_tokenizer.c
---- src/cfg_tokenizer.c.orig
-+++ src/cfg_tokenizer.c
-@@ -62,7 +62,7 @@ next_token(FILE *config, char *buffer, size_t buffer_l
-             default:
-                 /* Rewind one byte, so next_word() can fetch from
-                  * the beginning of the word */
--                fseek(config, -1, SEEK_CUR);
-+                fseeko(config, -1, SEEK_CUR);
- 
-                 token_len = next_word(config, buffer, buffer_len);
-                 if (token_len <= 0)
-@@ -116,7 +116,7 @@ next_word(FILE *file, char *buffer, int buffer_len) {
-                 if (quoted == 0) {
-                     /* rewind the file one character, so we don't eat
-                      * part of the next token */
--                    fseek(file, -1, SEEK_CUR);
-+                    fseeko(file, -1, SEEK_CUR);
- 
-                     buffer[len] = '\0';
-                     len++;
Index: patches/patch-src_config_c
===================================================================
RCS file: patches/patch-src_config_c
diff -N patches/patch-src_config_c
--- patches/patch-src_config_c	1 Oct 2025 15:46:23 -0000	1.3
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-Index: src/config.c
---- src/config.c.orig
-+++ src/config.c
-@@ -238,13 +238,13 @@ init_config(const char *filename, struct ev_loop *loop
-     }
- 
-     if (parse_config(config, file, global_grammar) <= 0) {
--        intmax_t whence = ftell(file);
-+        off_t whence = ftello(file);
-         char line[256];
- 
--        err("error parsing %s at %jd near:", filename, whence);
--        fseek(file, -20, SEEK_CUR);
-+        err("error parsing %s at %jd near:", filename, (intmax_t)whence);
-+        fseeko(file, -20, SEEK_CUR);
-         for (int i = 0; i < 5; i++)
--            err(" %jd\t%s", ftell(file), fgets(line, sizeof(line), file));
-+            err(" %jd\t%s", (intmax_t)ftello(file), fgets(line, sizeof(line), file));
- 
-         free_config(config, loop);
-         config = NULL;
Index: patches/patch-src_connection_c
===================================================================
RCS file: patches/patch-src_connection_c
diff -N patches/patch-src_connection_c
--- patches/patch-src_connection_c	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,19 +0,0 @@
-Index: src/connection.c
---- src/connection.c.orig
-+++ src/connection.c
-@@ -812,13 +812,13 @@ new_connection(struct ev_loop *loop) {
-     con->query_handle = NULL;
-     con->use_proxy_header = 0;
- 
--    con->client.buffer = new_buffer(4096, loop);
-+    con->client.buffer = new_buffer(16384, loop);
-     if (con->client.buffer == NULL) {
-         free_connection(con);
-         return NULL;
-     }
- 
--    con->server.buffer = new_buffer(4096, loop);
-+    con->server.buffer = new_buffer(16384, loop);
-     if (con->server.buffer == NULL) {
-         free_connection(con);
-         return NULL;
Index: patches/patch-src_sniproxy_c
===================================================================
RCS file: patches/patch-src_sniproxy_c
diff -N patches/patch-src_sniproxy_c
--- patches/patch-src_sniproxy_c	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,39 +0,0 @@
-Index: src/sniproxy.c
---- src/sniproxy.c.orig
-+++ src/sniproxy.c
-@@ -71,6 +71,35 @@ main(int argc, char **argv) {
-     rlim_t max_nofiles = 65536;
-     int opt;
- 
-+    #ifdef __OpenBSD__
-+    if (unveil("/etc/sniproxy.conf", "r") != 0) {
-+	perror("unveil /etc/sniproxy.conf");
-+	exit(1);
-+	}
-+    if (unveil("/var/run/sniproxy.pid", "rwc") != 0) {
-+	perror("unveil /var/run/sniproxy.pid");
-+	exit(1);
-+	}
-+    if (unveil("/var/log", "rwc") != 0) {
-+	perror("unveil /var/log");
-+	exit(1);
-+	}
-+    if (unveil("/var/www/sockets", "rw") != 0) {
-+	perror("unveil /var/www/sockets");
-+	exit(1);
-+	}
-+    if (unveil(NULL, NULL) != 0) {
-+	perror("unveil");
-+	exit(1);
-+	}
-+
-+    if (pledge("stdio getpw inet dns rpath proc id"
-+                " wpath cpath unix", NULL) == -1) {
-+    fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno));
-+    exit(1);
-+    }
-+    #endif
-+
-     while ((opt = getopt(argc, argv, "fc:n:V")) != -1) {
-         switch (opt) {
-             case 'c':
Index: patches/patch-tests_bad_dns_request_test
===================================================================
RCS file: patches/patch-tests_bad_dns_request_test
diff -N patches/patch-tests_bad_dns_request_test
--- patches/patch-tests_bad_dns_request_test	2 Oct 2025 07:08:49 -0000	1.2
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/bad_dns_request_test
---- tests/bad_dns_request_test.orig
-+++ tests/bad_dns_request_test
-@@ -60,7 +60,7 @@ sub http_client($$) {
-     $socket->send($request);
- 
-     my $buffer;
--    $socket->recv($buffer, 4096);
-+    $socket->recv($buffer, 16384);
- 
-     $socket->close();
- 
Index: patches/patch-tests_bad_request_test
===================================================================
RCS file: patches/patch-tests_bad_request_test
diff -N patches/patch-tests_bad_request_test
--- patches/patch-tests_bad_request_test	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/bad_request_test
---- tests/bad_request_test.orig
-+++ tests/bad_request_test
-@@ -282,7 +282,7 @@ sub tls_client($$) {
-     $socket->send($request);
- 
-     my $buffer;
--    $socket->recv($buffer, 4096);
-+    $socket->recv($buffer, 16384);
- 
-     $socket->close();
- 
Index: patches/patch-tests_buffer_test_c
===================================================================
RCS file: patches/patch-tests_buffer_test_c
diff -N patches/patch-tests_buffer_test_c
--- patches/patch-tests_buffer_test_c	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-Index: tests/buffer_test.c
---- tests/buffer_test.c.orig
-+++ tests/buffer_test.c
-@@ -127,7 +127,7 @@ static void test4(void) {
-     struct Buffer *buffer;
-     int read_fd, write_fd;
- 
--    buffer = new_buffer(4096, EV_DEFAULT);
-+    buffer = new_buffer(16384, EV_DEFAULT);
- 
-     read_fd = open("/dev/zero", O_RDONLY);
-     if (read_fd < 0) {
-@@ -155,7 +155,7 @@ static void test_buffer_coalesce(void) {
-     char output[sizeof(input)];
-     int len;
- 
--    buffer = new_buffer(4096, EV_DEFAULT);
-+    buffer = new_buffer(16384, EV_DEFAULT);
-     len = buffer_push(buffer, input, sizeof(input));
-     assert(len == sizeof(input));
- 
Index: patches/patch-tests_connection_reset_test
===================================================================
RCS file: patches/patch-tests_connection_reset_test
diff -N patches/patch-tests_connection_reset_test
--- patches/patch-tests_connection_reset_test	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,27 +0,0 @@
-Index: tests/connection_reset_test
---- tests/connection_reset_test.orig
-+++ tests/connection_reset_test
-@@ -42,8 +42,8 @@ sub simple_server($) {
-                       "\r\n");
- 
-         # Send a bunch of data (more that will be buffered by the kernel
--        for (my $i = 0; $i < 4096; $i++) {
--            $client->send('x' x 4096);
-+        for (my $i = 0; $i < 16384; $i++) {
-+            $client->send('x' x 16384);
-         }
-         $client->close();
-         exit;
-@@ -76,9 +76,9 @@ sub bad_client($) {
-                   "\r\n");
- 
-     my $buffer;
--    $socket->recv($buffer, 4096);
--    $socket->recv($buffer, 4096);
--    $socket->recv($buffer, 4096);
-+    $socket->recv($buffer, 16384);
-+    $socket->recv($buffer, 16384);
-+    $socket->recv($buffer, 16384);
- 
-     $socket->close();
- 
Index: patches/patch-tests_fallback_test
===================================================================
RCS file: patches/patch-tests_fallback_test
diff -N patches/patch-tests_fallback_test
--- patches/patch-tests_fallback_test	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/fallback_test
---- tests/fallback_test.orig
-+++ tests/fallback_test
-@@ -56,7 +56,7 @@ sub http10_client($$) {
-     $socket->send("GET /$path HTTP/1.0\r\n\r\n");
- 
-     my $buffer;
--    $socket->recv($buffer, 4096);
-+    $socket->recv($buffer, 16384);
- 
-     $socket->close();
- 
Index: patches/patch-tests_slow_client_test
===================================================================
RCS file: patches/patch-tests_slow_client_test
diff -N patches/patch-tests_slow_client_test
--- patches/patch-tests_slow_client_test	1 Oct 2025 15:46:23 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/slow_client_test
---- tests/slow_client_test.orig
-+++ tests/slow_client_test
-@@ -46,7 +46,7 @@ sub slow_client($$) {
-     }
- 
-     my $buffer;
--    $socket->recv($buffer, 4096);
-+    $socket->recv($buffer, 16384);
- 
-     $socket->close();
-