From: Renaud Allard Subject: Re: [update] net/sniproxy 0.9.13 To: ports Date: Tue, 25 Nov 2025 09:36:12 +0100 Hello, Given it has not. been updated yet, consider attached 0.9.13 version instead. It has a few important fixes. Best Regards On 21/11/2025 16:17, Renaud Allard wrote: > Hello, > > Here is a diff for net/sniproxy to 0.9.12. > > It now lies in another repository again, but changes are quite drastic. > The new version adds way more features and solves a whole bunch of > security and reliability issues. > This version is now privilege separated. pledge and unveil are applied > following the configuration file instead of relying on static places. > The old configuration stanzas are still understood to keep old > configurations working. It also now fully understands HTTP/2 and can use > DNS over TLS. > > However, configuration file must now be 0640 at most and it cannot log > anymore to a FIFO or a symlink. syslog being the preferred way of logging. > > It now uses c-ares instead of libudns. PCRE1 support has been completely > removed. > No more patches are needed. > > I didn't rename it to keep user and daemon groups without modifications. > All patches are also now unneeded. > > It has been tested on amd64 and aarch64. > > Best Regards >
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/sniproxy/Makefile,v
diff -u -p -r1.11 Makefile
--- Makefile 1 Oct 2025 15:46:23 -0000 1.11
+++ Makefile 25 Nov 2025 08:34:18 -0000
@@ -1,12 +1,12 @@
COMMENT = name-based proxying of HTTPS without decrypting traffic
-GH_ACCOUNT = dlundquist
+GH_ACCOUNT = renaudallard
GH_PROJECT = sniproxy
-GH_TAGNAME = 0.7.0
+GH_TAGNAME = 0.9.13
CATEGORIES = net
-HOMEPAGE = https://github.com/dlundquist/sniproxy
+HOMEPAGE = https://github.com/renaudallard/sniproxy
MAINTAINER = Renaud Allard
@@ -17,11 +17,11 @@ COMPILER = base-clang ports-gcc
COMPILER_LANGS = c
# use pledge()
-WANTLIB += c ev pcre2-8 udns
+WANTLIB += c ev pcre2-8 cares
BUILD_DEPENDS = devel/gettext,-tools
-LIB_DEPENDS = net/udns \
+LIB_DEPENDS = net/libcares \
devel/libev \
devel/pcre2
@@ -30,8 +30,6 @@ AUTOMAKE_VERSION = 1.16
CONFIGURE_STYLE = autoreconf
AUTORECONF = ./autogen.sh
-CONFIGURE_ARGS = --disable-rpath \
- --enable-dns
CONFIGURE_ENV = CPPFLAGS="-I${LOCALBASE}/include" \
LDFLAGS="${LDFLAGS} -L${LOCALBASE}/lib"
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/sniproxy/distinfo,v
diff -u -p -r1.7 distinfo
--- distinfo 1 Oct 2025 15:46:23 -0000 1.7
+++ distinfo 25 Nov 2025 08:34:18 -0000
@@ -1,2 +1,2 @@
-SHA256 (sniproxy-0.7.0.tar.gz) = u+V5iGwa9g6FC4tb74UPELMX5uvjZssLVHaxIw8ocOQ=
-SIZE (sniproxy-0.7.0.tar.gz) = 79685
+SHA256 (sniproxy-0.9.13.tar.gz) = I56P8lZ1O3b7WonSLDRdPk6N//V6hBg6lqHEnp9lSSY=
+SIZE (sniproxy-0.9.13.tar.gz) = 212617
Index: patches/patch-README_md
===================================================================
RCS file: patches/patch-README_md
diff -N patches/patch-README_md
--- patches/patch-README_md 1 Oct 2025 15:46:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
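Review bot: Dropping `CONFIGURE_ARGS = --disable-rpath --enable-dns` in the third hunk assumes the 0.9.13 configure script builds the c-ares resolver by default and no longer embeds an rpath; if the first assumption is wrong the new `WANTLIB += c ev pcre2-8 cares` entry in the previous hunk becomes stale, and if the second is wrong the `-L${LOCALBASE}/lib` from CONFIGURE_ENV can end up as a runpath in the installed binary. A `make port-lib-depends-check` after the build and a look at the binary's dynamic section would settle both. The cover letter also says the configuration file must now be mode 0640 and that logging to a FIFO or symlink is refused, which is a behaviour change for existing installs; no pkg/README or PLIST change is visible in this diff (the attachment may be truncated), so a short upgrade note for users would help.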
@@ -1,16 +0,0 @@
-Index: README.md
---- README.md.orig
-+++ README.md
-@@ -166,3 +166,12 @@ build without UDNS, but these features will be unavail
- UDNS uses a single UDP socket for all queries, so it is recommended you use a
- local caching DNS resolver (with a single socket each DNS query is protected by
- spoofing by a single 16 bit query ID, which makes it relatively easy to spoof).
-+
-+
-+OpenBSD specific behaviour
-+--------------------------
-+
-+On OpenBSD, sniproxy is protected by pledge(2) and unveil(2).
-+Therefore, the configuration file must be /etc/sniproxy.conf, unix sockets
-+must be in /var/www/sockets and logs must be in /var/log. Also, sniproxy PID
-+file must be /var/run/sniproxy.pid
Index: patches/patch-sniproxy_conf
===================================================================
RCS file: patches/patch-sniproxy_conf
diff -N patches/patch-sniproxy_conf
--- patches/patch-sniproxy_conf 1 Oct 2025 15:46:23 -0000 1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,23 +0,0 @@
-Index: sniproxy.conf
---- sniproxy.conf.orig
-+++ sniproxy.conf
-@@ -2,8 +2,8 @@
- # lines that start with # are comments
- # lines with only white space are ignored
-
--user nobody
--group nogroup
-+user _sniproxy
-+group _sniproxy
-
- # PID file, needs to be placed in directory writable by user
- pidfile /var/run/sniproxy.pid
-@@ -47,7 +47,7 @@ error_log {
- # Global access log for all listeners
- access_log {
- # Same options as error_log
-- filename /tmp/sniproxy-access.log
-+ filename /var/log/sniproxy-access.log
- }
-
- # blocks are delimited with {...}
Index: patches/patch-src_cfg_tokenizer_c
===================================================================
RCS file: patches/patch-src_cfg_tokenizer_c
diff -N patches/patch-src_cfg_tokenizer_c
--- patches/patch-src_cfg_tokenizer_c 1 Oct 2025 15:46:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-Index: src/cfg_tokenizer.c
---- src/cfg_tokenizer.c.orig
-+++ src/cfg_tokenizer.c
-@@ -62,7 +62,7 @@ next_token(FILE *config, char *buffer, size_t buffer_l
- default:
- /* Rewind one byte, so next_word() can fetch from
- * the beginning of the word */
-- fseek(config, -1, SEEK_CUR);
-+ fseeko(config, -1, SEEK_CUR);
-
- token_len = next_word(config, buffer, buffer_len);
- if (token_len <= 0)
-@@ -116,7 +116,7 @@ next_word(FILE *file, char *buffer, int buffer_len) {
- if (quoted == 0) {
- /* rewind the file one character, so we don't eat
- * part of the next token */
-- fseek(file, -1, SEEK_CUR);
-+ fseeko(file, -1, SEEK_CUR);
-
- buffer[len] = '\0';
- len++;
Index: patches/patch-src_config_c
===================================================================
RCS file: patches/patch-src_config_c
diff -N patches/patch-src_config_c
--- patches/patch-src_config_c 1 Oct 2025 15:46:23 -0000 1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-Index: src/config.c
---- src/config.c.orig
-+++ src/config.c
-@@ -238,13 +238,13 @@ init_config(const char *filename, struct ev_loop *loop
- }
-
- if (parse_config(config, file, global_grammar) <= 0) {
-- intmax_t whence = ftell(file);
-+ off_t whence = ftello(file);
- char line[256];
-
-- err("error parsing %s at %jd near:", filename, whence);
-- fseek(file, -20, SEEK_CUR);
-+ err("error parsing %s at %jd near:", filename, (intmax_t)whence);
-+ fseeko(file, -20, SEEK_CUR);
- for (int i = 0; i < 5; i++)
-- err(" %jd\t%s", ftell(file), fgets(line, sizeof(line), file));
-+ err(" %jd\t%s", (intmax_t)ftello(file), fgets(line, sizeof(line), file));
-
- free_config(config, loop);
- config = NULL;
Index: patches/patch-src_connection_c
===================================================================
RCS file: patches/patch-src_connection_c
diff -N patches/patch-src_connection_c
--- patches/patch-src_connection_c 1 Oct 2025 15:46:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,19 +0,0 @@
-Index: src/connection.c
---- src/connection.c.orig
-+++ src/connection.c
-@@ -812,13 +812,13 @@ new_connection(struct ev_loop *loop) {
- con->query_handle = NULL;
- con->use_proxy_header = 0;
-
-- con->client.buffer = new_buffer(4096, loop);
-+ con->client.buffer = new_buffer(16384, loop);
- if (con->client.buffer == NULL) {
- free_connection(con);
- return NULL;
- }
-
-- con->server.buffer = new_buffer(4096, loop);
-+ con->server.buffer = new_buffer(16384, loop);
- if (con->server.buffer == NULL) {
- free_connection(con);
- return NULL;
Index: patches/patch-src_sniproxy_c
===================================================================
RCS file: patches/patch-src_sniproxy_c
diff -N patches/patch-src_sniproxy_c
--- patches/patch-src_sniproxy_c 1 Oct 2025 15:46:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,39 +0,0 @@
-Index: src/sniproxy.c
---- src/sniproxy.c.orig
-+++ src/sniproxy.c
-@@ -71,6 +71,35 @@ main(int argc, char **argv) {
- rlim_t max_nofiles = 65536;
- int opt;
-
-+ #ifdef __OpenBSD__
-+ if (unveil("/etc/sniproxy.conf", "r") != 0) {
-+ perror("unveil /etc/sniproxy.conf");
-+ exit(1);
-+ }
-+ if (unveil("/var/run/sniproxy.pid", "rwc") != 0) {
-+ perror("unveil /var/run/sniproxy.pid");
-+ exit(1);
-+ }
-+ if (unveil("/var/log", "rwc") != 0) {
-+ perror("unveil /var/log");
-+ exit(1);
-+ }
-+ if (unveil("/var/www/sockets", "rw") != 0) {
-+ perror("unveil /var/www/sockets");
-+ exit(1);
-+ }
-+ if (unveil(NULL, NULL) != 0) {
-+ perror("unveil");
-+ exit(1);
-+ }
-+
-+ if (pledge("stdio getpw inet dns rpath proc id"
-+ " wpath cpath unix", NULL) == -1) {
-+ fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno));
-+ exit(1);
-+ }
-+ #endif
-+
- while ((opt = getopt(argc, argv, "fc:n:V")) != -1) {
- switch (opt) {
- case 'c':
Index: patches/patch-tests_bad_dns_request_test
===================================================================
RCS file: patches/patch-tests_bad_dns_request_test
diff -N patches/patch-tests_bad_dns_request_test
--- patches/patch-tests_bad_dns_request_test 2 Oct 2025 07:08:49 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/bad_dns_request_test
---- tests/bad_dns_request_test.orig
-+++ tests/bad_dns_request_test
-@@ -60,7 +60,7 @@ sub http_client($$) {
- $socket->send($request);
-
- my $buffer;
-- $socket->recv($buffer, 4096);
-+ $socket->recv($buffer, 16384);
-
- $socket->close();
-
Index: patches/patch-tests_bad_request_test
===================================================================
RCS file: patches/patch-tests_bad_request_test
diff -N patches/patch-tests_bad_request_test
--- patches/patch-tests_bad_request_test 1 Oct 2025 15:46:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/bad_request_test
---- tests/bad_request_test.orig
-+++ tests/bad_request_test
-@@ -282,7 +282,7 @@ sub tls_client($$) {
- $socket->send($request);
-
- my $buffer;
-- $socket->recv($buffer, 4096);
-+ $socket->recv($buffer, 16384);
-
- $socket->close();
-
Index: patches/patch-tests_buffer_test_c
===================================================================
RCS file: patches/patch-tests_buffer_test_c
diff -N patches/patch-tests_buffer_test_c
--- patches/patch-tests_buffer_test_c 1 Oct 2025 15:46:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-Index: tests/buffer_test.c
---- tests/buffer_test.c.orig
-+++ tests/buffer_test.c
-@@ -127,7 +127,7 @@ static void test4(void) {
- struct Buffer *buffer;
- int read_fd, write_fd;
-
-- buffer = new_buffer(4096, EV_DEFAULT);
-+ buffer = new_buffer(16384, EV_DEFAULT);
-
- read_fd = open("/dev/zero", O_RDONLY);
- if (read_fd < 0) {
-@@ -155,7 +155,7 @@ static void test_buffer_coalesce(void) {
- char output[sizeof(input)];
- int len;
-
-- buffer = new_buffer(4096, EV_DEFAULT);
-+ buffer = new_buffer(16384, EV_DEFAULT);
- len = buffer_push(buffer, input, sizeof(input));
- assert(len == sizeof(input));
-
Index: patches/patch-tests_connection_reset_test
===================================================================
RCS file: patches/patch-tests_connection_reset_test
diff -N patches/patch-tests_connection_reset_test
--- patches/patch-tests_connection_reset_test 1 Oct 2025 15:46:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,27 +0,0 @@
-Index: tests/connection_reset_test
---- tests/connection_reset_test.orig
-+++ tests/connection_reset_test
-@@ -42,8 +42,8 @@ sub simple_server($) {
- "\r\n");
-
- # Send a bunch of data (more that will be buffered by the kernel
-- for (my $i = 0; $i < 4096; $i++) {
-- $client->send('x' x 4096);
-+ for (my $i = 0; $i < 16384; $i++) {
-+ $client->send('x' x 16384);
- }
- $client->close();
- exit;
-@@ -76,9 +76,9 @@ sub bad_client($) {
- "\r\n");
-
- my $buffer;
-- $socket->recv($buffer, 4096);
-- $socket->recv($buffer, 4096);
-- $socket->recv($buffer, 4096);
-+ $socket->recv($buffer, 16384);
-+ $socket->recv($buffer, 16384);
-+ $socket->recv($buffer, 16384);
-
- $socket->close();
-
Index: patches/patch-tests_fallback_test
===================================================================
RCS file: patches/patch-tests_fallback_test
diff -N patches/patch-tests_fallback_test
--- patches/patch-tests_fallback_test 1 Oct 2025 15:46:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/fallback_test
---- tests/fallback_test.orig
-+++ tests/fallback_test
-@@ -56,7 +56,7 @@ sub http10_client($$) {
- $socket->send("GET /$path HTTP/1.0\r\n\r\n");
-
- my $buffer;
-- $socket->recv($buffer, 4096);
-+ $socket->recv($buffer, 16384);
-
- $socket->close();
-
Index: patches/patch-tests_slow_client_test
===================================================================
RCS file: patches/patch-tests_slow_client_test
diff -N patches/patch-tests_slow_client_test
--- patches/patch-tests_slow_client_test 1 Oct 2025 15:46:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: tests/slow_client_test
---- tests/slow_client_test.orig
-+++ tests/slow_client_test
-@@ -46,7 +46,7 @@ sub slow_client($$) {
- }
-
- my $buffer;
-- $socket->recv($buffer, 4096);
-+ $socket->recv($buffer, 16384);
-
- $socket->close();
-