From: Stuart Henderson
Subject: Re: Fwd: [update] net/sniproxy 0.7.0
To: Renaud Allard
Cc: ports@openbsd.org
Date: Wed, 1 Oct 2025 14:27:06 +0100

On 2025/10/01 12:47, Stuart Henderson wrote:
> On 2025/10/01 13:34, Renaud Allard wrote:
> >
> >
> > On 10/1/25 1:23 PM, Stuart Henderson wrote:
> > > > -CONFIGURE_ARGS = --disable-rpath
> > > > +CONFIGURE_ARGS = --disable-rpath --enable-dns
> > >
> > > separate line for each CONFIGURE_ARGS entry please
> > >
> > I have done that
> >
> > > pcre dependency needs changing
> > >
> > > sniproxy-0.7.0(net/sniproxy):
> > > Missing lib: pcre2-8.0 (/usr/local/sbin/sniproxy) (NOT REACHABLE)
> > > Extra: pcre.3
> > >
> >
> > It seems that if you build on a system with both pcre and pcre2 installed,
> > it does this.
> > LIB_DEPENDS lists pcre, not pcre2.
> > How can I restrict it to pcre and not pcre2?
>
> You can't do this via the port. You will either have to patch or pass
> the relevant info to autoconf.
>
> devel/pcre is EoL anyway though.
>
> "The older, but still widely deployed PCRE library, originally released
> in 1997, is at version 8.45. This version of PCRE is now at end of life,
> and is no longer being actively maintained. Version 8.45 is expected to
> be the final release of the older PCRE library, and new projects should
> use PCRE2 instead. However, it's still found in various legacy systems
> and some platforms, including certain services that continue to use the
> original PCRE for compatibility reasons."
>

Also noticed, there isn't really much difference between your fork and the
original upstream developer's version, especially if we ignore the
non-OpenBSD-related change (IP_TRANSPARENT)... it would feel a bit better
to me if it used the original but with the changes required for OpenBSD
added in port patches instead...
diff -wur dlundquist-sniproxy-0.7.0/ChangeLog renaud-sniproxy-0.7.0/ChangeLog --- dlundquist-sniproxy-0.7.0/ChangeLog 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/ChangeLog 2025-09-25 10:50:11.000000000 +0100 @@ -1,20 +1,58 @@ -2025-09-04 Dustin Lundquist +2025-09-04 Renaud Allard 0.7.0 Release - * Deprecate project * Cleanup autoconf * Require autoconf 2.71 * Require explicit --enable-dns for DNS resolution functionality - * Add support for libpcre2 as an alternative to the older libpcre3 * Relax HTTP header parsing to accept CRLF or plain LF * Fix missing stdlib.h include * Fix various warnings reported by gcc 14 and clang 19 compilers -2023-03-16 Dustin Lundquist - 0.6.1 Release +2023-01-31 Renaud Allard + 0.6.8 Release * Fix buffer overflow in address module - * Fix tests + * Fix tests in Debian 11 + +2023-01-31 Renaud Allard + 0.6.7 Release + + * Fix a warning with clang15 and update old functions + +2023-01-30 Renaud Allard + 0.6.6 Release + + * Make proper error codes for unveil + +2021-03-11 Renaud Allard + 0.6.5 Release + + * Add cpath and unix to plegde call for OpenBSD + * Add unveil protections for OpenBSD + * Remove -Wpedantic as it fails on OpenBSD base-gcc + +2021-03-01 Renaud Allard + 0.6.4 Release + + * Add wpath and unix to plegde call for OpenBSD + * fix ipv6 transparent proxy + +2021-02-24 Renaud Allard + 0.6.3 Release + + * Accept CRLF and LF in HTTP headers, fix buffer overflow error. + * Add plegde call for OpenBSD + +2021-02-20 Renaud Allard + 0.6.2 Release + + * Change the default user/group + +2021-02-20 Renaud Allard + 0.6.1 Release + + * Fixes for some security issues + * Fix for compilation with modern compilers 2018-12-05 Dustin Lundquist 0.6.0 Release diff -wur dlundquist-sniproxy-0.7.0/README renaud-sniproxy-0.7.0/README --- dlundquist-sniproxy-0.7.0/README 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/README 2025-09-25 10:50:11.000000000 +0100 
@@ -166,3 +166,12 @@ UDNS uses a single UDP socket for all queries, so it is recommended you use a local caching DNS resolver (with a single socket each DNS query is protected by spoofing by a single 16 bit query ID, which makes it relatively easy to spoof). + + +OpenBSD specific behaviour +-------------------------- + +On OpenBSD, sniproxy is protected by pledge(2) and unveil(2). +Therefore, the configuration file must be /etc/sniproxy.conf, unix sockets +must be in /var/www/sockets and logs must be in /var/log. Also, sniproxy PID +file must be /var/run/sniproxy.pid diff -wur dlundquist-sniproxy-0.7.0/README.md renaud-sniproxy-0.7.0/README.md --- dlundquist-sniproxy-0.7.0/README.md 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/README.md 2025-09-25 10:50:11.000000000 +0100 @@ -166,3 +166,12 @@ UDNS uses a single UDP socket for all queries, so it is recommended you use a local caching DNS resolver (with a single socket each DNS query is protected by spoofing by a single 16 bit query ID, which makes it relatively easy to spoof). + + +OpenBSD specific behaviour +-------------------------- + +On OpenBSD, sniproxy is protected by pledge(2) and unveil(2). +Therefore, the configuration file must be /etc/sniproxy.conf, unix sockets +must be in /var/www/sockets and logs must be in /var/log. Also, sniproxy PID +file must be /var/run/sniproxy.pid diff -wur dlundquist-sniproxy-0.7.0/configure.ac renaud-sniproxy-0.7.0/configure.ac --- dlundquist-sniproxy-0.7.0/configure.ac 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/configure.ac 2025-09-25 10:50:11.000000000 +0100 
@@ -3,6 +3,8 @@ AC_PREREQ([2.71]) AC_INIT([sniproxy],[0.7.0]) +AC_CONFIG_SRCDIR([src/sniproxy.c]) +AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([subdir-objects]) AM_SILENT_RULES([yes]) AC_USE_SYSTEM_EXTENSIONS diff -wur dlundquist-sniproxy-0.7.0/debian/changelog renaud-sniproxy-0.7.0/debian/changelog --- dlundquist-sniproxy-0.7.0/debian/changelog 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/debian/changelog 2025-09-25 10:50:11.000000000 +0100 
@@ -9,14 +9,55 @@ * Fix missing stdlib.h include * Fix various warnings reported by gcc 14 and clang 19 compilers - -- Dustin Lundquist Thu, 04 Sep 2025 16:37:25 -0700 + -- Renaud Allard Thu, 25 Sep 2025 11:48:00 +0200 -sniproxy (0.6.1) unstable; urgency=high +sniproxy (0.6.8) unstable; urgency=high * Fix buffer overflow in address module - * Fix tests + * Fix tests in Debian 11 - -- Dustin Lundquist Thu, 16 Mar 2023 21:53:48 -0700 +sniproxy (0.6.7) unstable; urgency=low + + * Fix a warning with clang15 and update old functions + +sniproxy (0.6.6) unstable; urgency=low + + * Print proper unveil errors (no influence for linux) + +sniproxy (0.6.5) unstable; urgency=medium + + * Add cpath and unix to plegde call for OpenBSD + * Add unveil protections for OpenBSD + * Remove -Wpedantic as it fails on OpenBSD base-gcc + + -- Renaud Allard Wed, 11 Mar 2021 12:00:00 +0200 + +sniproxy (0.6.4) unstable; urgency=medium + + * Add wpath and unix to plegde call for OpenBSD + * fix ipv6 transparent proxy + + -- Renaud Allard Wed, 01 Mar 2021 14:10:00 +0200 + +sniproxy (0.6.3) unstable; urgency=medium + + * Accept CRLF and LF in HTTP headers, fix buffer overflow error. + * Add plegde call for OpenBSD + + -- Renaud Allard Wed, 24 Feb 2021 13:50:00 +0200 + +sniproxy (0.6.2) unstable; urgency=medium + + * Change the default user/group + + -- Renaud Allard Sat, 22 Feb 2021 09:00:00 +0200 + +sniproxy (0.6.1) unstable; urgency=medium + + * Fixes for some security issues + * Fix for compilation with modern compilers + + -- Renaud Allard Sat, 22 Feb 2021 09:00:00 +0200 sniproxy (0.6.0) unstable; urgency=medium diff -wur dlundquist-sniproxy-0.7.0/redhat/sniproxy.spec renaud-sniproxy-0.7.0/redhat/sniproxy.spec --- dlundquist-sniproxy-0.7.0/redhat/sniproxy.spec 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/redhat/sniproxy.spec 2025-09-25 10:50:11.000000000 +0100 
@@ -5,7 +5,7 @@ Group: System Environment/Daemons License: BSD -URL: https://github.com/dlundquist/sniproxy +URL: https://github.com/renaudallard/sniproxy Source0: %{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
@@ -43,22 +43,41 @@ %{_mandir}/man8/sniproxy.8.gz %{_mandir}/man5/sniproxy.conf.5.gz - - %changelog -* Thu Sep 4 2024 Dustin Lundquist 0.7.0-1 -- Deprecate project +* Thu Sep 25 2025 Renaud Allard 0.7.0 - Cleanup autoconf - Require autoconf 2.71 - Require explicit --enable-dns for DNS resolution functionality -- Add support for libpcre2 as an alternative to the older libpcre3 - Relax HTTP header parsing to accept CRLF or plain LF - Fix missing stdlib.h include - Fix various warnings reported by gcc 14 and clang 19 compilers -* Thu Mar 16 2023 Dustin Lundquist 0.6.1-1 +* Tue, 31 Jan 2023 Renaud Allard 0.6.8 - Fix buffer overflow in address module -- Fix tests +- Fix tests in Debian 11 +* Tue, 31 Jan 2023 Renaud Allard 0.6.7 +- Fix a warning with clang15 and update old functions +* Mon, 30 Jan 2023 Renaud Allard 0.6.6 +- Print proper unveil errors (no influence for linux) +* Mon, 11 Mar 2021 Renaud Allard 0.6.5 +- Add cpath and unix to plegde call for OpenBSD +- Add unveil protections for OpenBSD +- Remove -Wpedantic as it fails on OpenBSD base-gcc + +* Mon, 01 Mar 2021 Renaud Allard 0.6.4 +- Add wpath and unix to plegde call for OpenBSD +- fix ipv6 transparent proxy + +* Wed, 24 Feb 2021 Renaud Allard 0.6.3 +- Accept CRLF and LF in HTTP headers, fix buffer overflow error +- Add plegde call for OpenBSD + +* Sat 22 Feb 2021 Renaud Allard 0.6.2 +- Change the default user/group + +* Sat 22 Feb 2021 Renaud Allard 0.6.1 +- Fixes for some security issues +- Fix for compilation with modern compilers * Wed Dec 5 2018 Dustin Lundquist 0.6.0-1 - PROXY v1 protocol support diff -wur dlundquist-sniproxy-0.7.0/sniproxy.conf renaud-sniproxy-0.7.0/sniproxy.conf --- dlundquist-sniproxy-0.7.0/sniproxy.conf 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/sniproxy.conf 2025-09-25 10:50:11.000000000 +0100 
@@ -2,8 +2,8 @@ # lines that start with # are comments # lines with only white space are ignored -user nobody -group nogroup +user _sniproxy +group _sniproxy # PID file, needs to be placed in directory writable by user pidfile /var/run/sniproxy.pid @@ -47,7 +47,7 @@ # Global access log for all listeners access_log { # Same options as error_log - filename /tmp/sniproxy-access.log + filename /var/log/sniproxy-access.log } # blocks are delimited with {...} diff -wur dlundquist-sniproxy-0.7.0/src/Makefile.am renaud-sniproxy-0.7.0/src/Makefile.am --- dlundquist-sniproxy-0.7.0/src/Makefile.am 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/Makefile.am 2025-09-25 10:50:11.000000000 +0100 @@ -1,4 +1,5 @@ -AM_CFLAGS = -fno-strict-aliasing -Wall -Wextra -Wpedantic -Wwrite-strings +AM_CPPFLAGS = $(LIBEV_CFLAGS) $(LIBPCRE_CFLAGS) $(LIBUDNS_CFLAGS) +AM_CFLAGS = -fno-strict-aliasing -Wall -Wextra -Wwrite-strings sbin_PROGRAMS = sniproxy diff -wur dlundquist-sniproxy-0.7.0/src/cfg_tokenizer.c renaud-sniproxy-0.7.0/src/cfg_tokenizer.c --- dlundquist-sniproxy-0.7.0/src/cfg_tokenizer.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/cfg_tokenizer.c 2025-09-25 10:50:11.000000000 +0100 @@ -62,7 +62,7 @@ default: /* Rewind one byte, so next_word() can fetch from * the beginning of the word */ - fseek(config, -1, SEEK_CUR); + fseeko(config, -1, SEEK_CUR); token_len = next_word(config, buffer, buffer_len); if (token_len <= 0) @@ -116,7 +116,7 @@ if (quoted == 0) { /* rewind the file one character, so we don't eat * part of the next token */ - fseek(file, -1, SEEK_CUR); + fseeko(file, -1, SEEK_CUR); buffer[len] = '\0'; len++; diff -wur dlundquist-sniproxy-0.7.0/src/config.c renaud-sniproxy-0.7.0/src/config.c --- dlundquist-sniproxy-0.7.0/src/config.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/config.c 2025-09-25 10:50:11.000000000 +0100 
@@ -238,13 +238,13 @@ } if (parse_config(config, file, global_grammar) <= 0) { - intmax_t whence = ftell(file); + off_t whence = ftello(file); char line[256]; - err("error parsing %s at %jd near:", filename, whence); - fseek(file, -20, SEEK_CUR); + err("error parsing %s at %jd near:", filename, (intmax_t)whence); + fseeko(file, -20, SEEK_CUR); for (int i = 0; i < 5; i++) - err(" %jd\t%s", ftell(file), fgets(line, sizeof(line), file)); + err(" %jd\t%s", (intmax_t)ftello(file), fgets(line, sizeof(line), file)); free_config(config, loop); config = NULL; diff -wur dlundquist-sniproxy-0.7.0/src/connection.c renaud-sniproxy-0.7.0/src/connection.c --- dlundquist-sniproxy-0.7.0/src/connection.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/connection.c 2025-09-25 10:50:11.000000000 +0100 
@@ -635,8 +635,45 @@ if (con->listener->transparent_proxy && con->client.addr.ss_family == con->server.addr.ss_family) { #ifdef IP_TRANSPARENT + int result; + /* Make an IPv6 socket if necessary and purge ::ffff: from the v6-mapped address + * We need to take out the ffff because otherwise it'll be IPv4 on the wire. + * The result is a connection from IPv6 address ::, + * The return traffic can be marked with nftables in ip6 mangle PREROUTING: + * socket transparent 1 mark set 0x1 + * and then routed to sniproxy using a separate routing table (e.g table 100): + * ip -6 rule add fwmark 0x1 lookup 100 + * ip -6 route add local ::/96 dev lo table 100 + */ + struct in6_addr *saddr = &((struct sockaddr_in6 *)&con->client.addr)->sin6_addr; + if (con->client.addr.ss_family == AF_INET6 && + con->server.addr.ss_family == AF_INET6) + if (saddr->s6_addr[0] == 0 && + saddr->s6_addr[1] == 0 && + saddr->s6_addr[2] == 0 && + saddr->s6_addr[3] == 0 && + saddr->s6_addr[4] == 0 && + saddr->s6_addr[5] == 0 && + saddr->s6_addr[6] == 0 && + saddr->s6_addr[7] == 0 && + saddr->s6_addr[8] == 0 && + saddr->s6_addr[9] == 0 && + saddr->s6_addr[10] == 0xff && + saddr->s6_addr[11] == 0xff) { + + /* Turn (e.g.) IPv4 ::ffff:192.0.2.1 into IPv6 ::192.0.2.1 */ + saddr->s6_addr[10] = 0; + saddr->s6_addr[11] = 0; + } + + /* We want an IPv6 transparent socket */ int on = 1; - int result = setsockopt(sockfd, SOL_IP, IP_TRANSPARENT, &on, sizeof(on)); + result = setsockopt(sockfd, SOL_IPV6, IPV6_TRANSPARENT, &on, sizeof(on)); + } else { + /* We want an IPv4 transparent socket */ + int on = 1; + result = setsockopt(sockfd, SOL_IP, IP_TRANSPARENT, &on, sizeof(on)); + } #else int result = -EPERM; /* XXX error: not implemented would be better, but this shouldn't be 
@@ -812,13 +849,13 @@ con->query_handle = NULL; con->use_proxy_header = 0; - con->client.buffer = new_buffer(4096, loop); + con->client.buffer = new_buffer(16384, loop); if (con->client.buffer == NULL) { free_connection(con); return NULL; } - con->server.buffer = new_buffer(4096, loop); + con->server.buffer = new_buffer(16384, loop); if (con->server.buffer == NULL) { free_connection(con); return NULL; diff -wur dlundquist-sniproxy-0.7.0/src/sniproxy.c renaud-sniproxy-0.7.0/src/sniproxy.c --- dlundquist-sniproxy-0.7.0/src/sniproxy.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/sniproxy.c 2025-09-25 10:50:11.000000000 +0100 @@ -71,6 +71,35 @@ rlim_t max_nofiles = 65536; int opt; + #ifdef __OpenBSD__ + if (unveil("/etc/sniproxy.conf", "r") != 0) { + perror("unveil /etc/sniproxy.conf"); + exit(1); + } + if (unveil("/var/run/sniproxy.pid", "rwc") != 0) { + perror("unveil /var/run/sniproxy.pid"); + exit(1); + } + if (unveil("/var/log", "rwc") != 0) { + perror("unveil /var/log"); + exit(1); + } + if (unveil("/var/www/sockets", "rw") != 0) { + perror("unveil /var/www/sockets"); + exit(1); + } + if (unveil(NULL, NULL) != 0) { + perror("unveil"); + exit(1); + } + + if (pledge("stdio getpw inet dns rpath proc id" + " wpath cpath unix", NULL) == -1) { + fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno)); + exit(1); + } + #endif + while ((opt = getopt(argc, argv, "fc:n:V")) != -1) { switch (opt) { case 'c': diff -wur dlundquist-sniproxy-0.7.0/src/tls.c renaud-sniproxy-0.7.0/src/tls.c --- dlundquist-sniproxy-0.7.0/src/tls.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/src/tls.c 2025-09-25 10:50:11.000000000 +0100 
@@ -201,7 +201,7 @@ /* Check if it's a server name extension */ if (data[pos] == 0x00 && data[pos + 1] == 0x00) { /* There can be only one extension of each type, so we break - our state and move p to beinnging of the extension here */ + our state and move p to beginning of the extension here */ if (pos + 4 + len > data_len) return -5; return parse_server_name_extension(data + pos + 4, len, hostname); diff -wur dlundquist-sniproxy-0.7.0/tests/bad_dns_request_test renaud-sniproxy-0.7.0/tests/bad_dns_request_test --- dlundquist-sniproxy-0.7.0/tests/bad_dns_request_test 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/bad_dns_request_test 2025-09-25 10:50:11.000000000 +0100 @@ -60,7 +60,7 @@ $socket->send($request); my $buffer; - $socket->recv($buffer, 4096); + $socket->recv($buffer, 16388); $socket->close(); diff -wur dlundquist-sniproxy-0.7.0/tests/bad_request_test renaud-sniproxy-0.7.0/tests/bad_request_test --- dlundquist-sniproxy-0.7.0/tests/bad_request_test 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/bad_request_test 2025-09-25 10:50:11.000000000 +0100 @@ -282,7 +282,7 @@ $socket->send($request); my $buffer; - $socket->recv($buffer, 4096); + $socket->recv($buffer, 16384); $socket->close(); diff -wur dlundquist-sniproxy-0.7.0/tests/buffer_test.c renaud-sniproxy-0.7.0/tests/buffer_test.c --- dlundquist-sniproxy-0.7.0/tests/buffer_test.c 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/buffer_test.c 2025-09-25 10:50:11.000000000 +0100 @@ -127,7 +127,7 @@ struct Buffer *buffer; int read_fd, write_fd; - buffer = new_buffer(4096, EV_DEFAULT); + buffer = new_buffer(16384, EV_DEFAULT); read_fd = open("/dev/zero", O_RDONLY); if (read_fd < 0) { 
@@ -155,7 +155,7 @@ char output[sizeof(input)]; int len; - buffer = new_buffer(4096, EV_DEFAULT); + buffer = new_buffer(16384, EV_DEFAULT); len = buffer_push(buffer, input, sizeof(input)); assert(len == sizeof(input)); diff -wur dlundquist-sniproxy-0.7.0/tests/connection_reset_test renaud-sniproxy-0.7.0/tests/connection_reset_test --- dlundquist-sniproxy-0.7.0/tests/connection_reset_test 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/connection_reset_test 2025-09-25 10:50:11.000000000 +0100 @@ -42,8 +42,8 @@ "\r\n"); # Send a bunch of data (more that will be buffered by the kernel - for (my $i = 0; $i < 4096; $i++) { - $client->send('x' x 4096); + for (my $i = 0; $i < 16384; $i++) { + $client->send('x' x 16384); } $client->close(); exit; @@ -76,9 +76,9 @@ "\r\n"); my $buffer; - $socket->recv($buffer, 4096); - $socket->recv($buffer, 4096); - $socket->recv($buffer, 4096); + $socket->recv($buffer, 16384); + $socket->recv($buffer, 16384); + $socket->recv($buffer, 16384); $socket->close(); diff -wur dlundquist-sniproxy-0.7.0/tests/fallback_test renaud-sniproxy-0.7.0/tests/fallback_test --- dlundquist-sniproxy-0.7.0/tests/fallback_test 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/fallback_test 2025-09-25 10:50:11.000000000 +0100 @@ -56,7 +56,7 @@ $socket->send("GET /$path HTTP/1.0\r\n\r\n"); my $buffer; - $socket->recv($buffer, 4096); + $socket->recv($buffer, 16384); $socket->close(); diff -wur dlundquist-sniproxy-0.7.0/tests/slow_client_test renaud-sniproxy-0.7.0/tests/slow_client_test --- dlundquist-sniproxy-0.7.0/tests/slow_client_test 2025-09-05 03:52:46.000000000 +0100 +++ renaud-sniproxy-0.7.0/tests/slow_client_test 2025-09-25 10:50:11.000000000 +0100 @@ -46,7 +46,7 @@ } my $buffer; - $socket->recv($buffer, 4096); + $socket->recv($buffer, 16384); $socket->close();
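Review bot: in the ChangeLog hunk, the 0.7.0 entry drops "Add support for libpcre2 as an alternative to the older libpcre3", yet the port-lib-depends-check output earlier in this thread shows the built binary linked against pcre2-8.0, so the pcre2 code path is evidently still present and the ChangeLog now understates what the release contains; keep that line (or, if pcre2 support really was removed, say so explicitly). The 0.6.5, 0.6.4 and 0.6.3 entries also misspell "pledge" as "plegde", and the same typo is carried into debian/changelog and redhat/sniproxy.spec.

Review bot: the new "OpenBSD specific behaviour" section in README and README.md says the configuration file "must be /etc/sniproxy.conf" but not what happens otherwise: with the unveil(2) list in src/sniproxy.c, `-c` with any other path fails at open time with ENOENT, because unveil hides paths it was not told about, which looks to the operator like a missing file. One sentence saying that `-c` cannot point anywhere else, and why, would save a support question. The same holds for the socket and log directories.

Review bot: in debian/changelog, the 0.6.8, 0.6.7 and 0.6.6 entries have no ` -- Maintainer <email>  Date` trailer (the Dustin Lundquist trailer that closed the old 0.6.1 entry is removed and nothing replaces it), so dpkg-parsechangelog will reject the file. The trailers that are present also disagree with the ChangeLog hunk: "Wed, 11 Mar 2021" (ChangeLog says 2021-03-11, a Thursday), "Wed, 01 Mar 2021" (a Monday), and "Sat, 22 Feb 2021" for both 0.6.2 and 0.6.1 (ChangeLog says 2021-02-20, which was the Saturday; 22 Feb 2021 was a Monday). Generating the trailers with dch avoids both problems.

Review bot: in the redhat/sniproxy.spec %changelog hunk, the new headers use "* Tue, 31 Jan 2023 ..." and "* Mon, 11 Mar 2021 ..."; rpmbuild parses that date as `Weekday Mon DD YYYY` with no comma and aborts with "bad date in %changelog" on "Tue,". Drop the commas (the surviving "* Wed Dec 5 2018" line shows the expected form) and fix the weekdays that do not match the ChangeLog: 11 Mar 2021 was a Thursday, 01 Mar 2021 a Monday, and the 0.6.2/0.6.1 entries are dated 2021-02-20 in the ChangeLog, not 22 Feb.

Review bot: in the sniproxy.conf hunk, `user _sniproxy` / `group _sniproxy` in the shipped sample config assumes that account exists; the OpenBSD port creates it, but nothing in the debian/ or redhat/ hunks of this patch adds such a user, so the sample config now fails at startup on those platforms where `user nobody` worked. If `_sniproxy` is an OpenBSD convention, keep upstream's sample and set user/group in the port's own config instead, which also fits the "upstream plus port patches" approach suggested above. Moving the access log out of /tmp into /var/log is a good change on its own.

Review bot: in src/Makefile.am, `-Wpedantic` is removed for every platform to work around OpenBSD base-gcc, which loses the warning on compilers that do support it; a configure-time compile-flag check that adds it only where it works (or an AM_CONDITIONAL keyed on the compiler) keeps the benefit elsewhere.

Review bot: in the src/config.c hunk, `err(" %jd\t%s", (intmax_t)ftello(file), fgets(line, sizeof(line), file))` evaluates `ftello()` and `fgets()` in unspecified order, so the printed offset may be the position before or after the line was read, and when `fgets()` returns NULL at end of file the `%s` receives a null pointer. The defect is pre-existing, but since the line is being touched: read into `line` first, stop the loop when `fgets()` returns NULL, then print `ftello(file)` and `line`. The preceding `fseeko(file, -20, SEEK_CUR)` also fails (EINVAL) when the parse error is within the first 20 bytes of the file; check its return value or clamp the rewind.

Review bot: in the src/connection.c IP_TRANSPARENT hunk, as shown the `if (con->client.addr.ss_family == AF_INET6 && con->server.addr.ss_family == AF_INET6)` has no opening brace, so the `} else {` after the IPV6_TRANSPARENT setsockopt pairs with the enclosing `if (con->listener->transparent_proxy && ...) {` from the context line, the IPv6 setsockopt runs for every transparent connection regardless of family, and the IPv4 `setsockopt(IP_TRANSPARENT)` branch runs for every connection that is not transparent-proxied at all. Either a brace was lost in this listing or the fork has a real bug; please confirm against the source. Two smaller points: the twelve-byte comparison is what `IN6_IS_ADDR_V4MAPPED(saddr)` already does, and `saddr` points into `con->client.addr`, so the rewrite from `::ffff:192.0.2.1` to `::192.0.2.1` is visible to anything that later reads the client address, which should be a deliberate choice rather than a side effect of the bind.

Review bot: the 4096 to 16384 change in the second src/connection.c hunk quadruples buffer memory per connection (two buffers, 32 KiB instead of 8 KiB) with no ChangeLog line saying why; that deserves one, since with `max_nofiles = 65536` roughly 32k idle client connections can now pin about 1 GiB of buffer before any backend is involved. In the tests, `bad_dns_request_test` uses 16388 where every other test uses 16384, which looks like a typo, and `connection_reset_test` raises both the loop count and the chunk size, so it now pushes 16384 x 16384 = 256 MiB per run instead of 16 MiB; keeping the loop at 4096 with the larger chunk is still far more than the kernel socket buffers, which is all the comment there asks for.

Review bot: in the src/sniproxy.c hunk, pledge() and unveil() run before getopt(), so `-c` cannot select any other configuration path (the open fails with ENOENT, since unveil hides unlisted paths); either reject `-c` values other than /etc/sniproxy.conf with a clear message or document it in sniproxy.8 alongside the README note. Second, `unveil("/var/www/sockets", "rw")`: if a listener binds a unix socket there, bind(2) creates a directory entry and needs "c" as well; "rw" is only enough for connecting to sockets created by someone else. Third, the promise set ("getpw proc id rpath cpath ...") is what startup needs; once privileges have been dropped and the listeners are bound, a second, narrower pledge() (dropping at least getpw, proc and id, and whatever of rpath/wpath/cpath log reopening does not need) would hold for the lifetime of the proxy, which is where the exposed parsing happens.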