update to v4.05

add chroot/privdrop from Michael Schubert

security/stunnel/Makefile

@@ -1,18 +1,20 @@
-# $OpenBSD: Makefile,v 1.28 2003/11/23 02:06:46 pvalchev Exp $
+# $OpenBSD: Makefile,v 1.29 2004/02/16 12:33:18 jakob Exp $
 
 COMMENT=	"SSL encryption wrapper for standard network daemons"
 
-DISTNAME=	stunnel-4.04
+VERSION=	4.05
+DISTNAME=	stunnel-${VERSION}
 CATEGORIES=	security
 
 MAINTAINER=     Jakob Schlyter <jakob@openbsd.org>
 
+# GPL
 PERMIT_PACKAGE_CDROM=	Yes
 PERMIT_PACKAGE_FTP=	Yes
 PERMIT_DISTFILES_CDROM=	Yes
 PERMIT_DISTFILES_FTP=	Yes
 
-HOMEPAGE=	http://stunnel.mirt.net/
+HOMEPAGE=	http://www.stunnel.org/
 
 MASTER_SITES=	ftp://stunnel.mirt.net/stunnel/ \
 		http://www.stunnel.org/download/stunnel/src/ \
@@ -25,9 +27,9 @@ MASTER_SITES=	ftp://stunnel.mirt.net/stunnel/ \
 SEPARATE_BUILD=		concurrent
 CONFIGURE_STYLE=	gnu
 CONFIGURE_ARGS+=	--with-tcp-wrappers \
-			--with-pem-dir=${SYSCONFDIR}/ssl \
 			--with-random=/dev/arandom \
 			--with-ssl=/usr \
+			--sysconfdir=${SYSCONFDIR} \
 			--localstatedir=/var \
 			${CONFIGURE_SHARED}
 NO_REGRESS=		Yes

security/stunnel/distinfo

@@ -1,3 +1,3 @@
-MD5 (stunnel-4.04.tar.gz) = 2fcdf0311a0ab8a3223293c706a84e97
+MD5 (stunnel-4.05.tar.gz) = e28a03cf694a43a7f144ec3d5c064456
-RMD160 (stunnel-4.04.tar.gz) = cefc797f0f9cd3ebfffc5db11f1052b75435975a
+RMD160 (stunnel-4.05.tar.gz) = 69ff19147d9faf721c19b56b393015632a5a30f2
-SHA1 (stunnel-4.04.tar.gz) = 9f0f85eb0620ee4f4f68d833eb3f39eb31960f31
+SHA1 (stunnel-4.05.tar.gz) = a95b09ed88930fa432f47c5c5d3db770681fe715

security/stunnel/patches/patch-Makefile_in

@@ -1,4 +1,4 @@
-$OpenBSD$
+$OpenBSD: patch-Makefile_in,v 1.1 2004/02/16 12:33:18 jakob Exp $
 --- Makefile.in.orig	Mon Sep  2 11:21:17 2002
 +++ Makefile.in	Mon Sep  2 11:21:21 2002
 @@ -78,7 +78,7 @@ VERSION = @VERSION@

security/stunnel/patches/patch-src_stunnel_c

@@ -0,0 +1,12 @@
+--- src/stunnel.c.orig	2004-02-14 15:12:27.000000000 +0100
++++ src/stunnel.c	2004-02-16 13:06:48.000000000 +0100
+@@ -176,8 +176,8 @@ static void daemon_loop(void) {
+ #if !defined (USE_WIN32) && !defined (__vms)
+     if(!(options.option.foreground))
+         daemonize();
+-    drop_privileges();
+     create_pid();
++    drop_privileges();
+ #endif /* !defined USE_WIN32 && !defined (__vms) */
+ 
+     /* create exec+connect services */

security/stunnel/patches/patch-tools_Makefile_in

@@ -1,8 +1,8 @@
-$OpenBSD: patch-tools_Makefile_in,v 1.1 2002/10/30 11:10:35 jakob Exp $
+$OpenBSD: patch-tools_Makefile_in,v 1.2 2004/02/16 12:33:18 jakob Exp $
---- tools/Makefile.in.orig	Mon Sep  2 11:18:34 2002
+--- tools/Makefile.in.orig	2004-02-14 15:31:34.000000000 +0100
-+++ tools/Makefile.in	Mon Sep  2 11:18:43 2002
++++ tools/Makefile.in	2004-02-16 13:06:48.000000000 +0100
 @@ -90,7 +90,7 @@ examplesdir = $(docdir)/examples
- examples_DATA = ca.html ca.pl importCA.html importCA.sh 	stunnel.spec stunnel.init
+ examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh 	stunnel.spec stunnel.init
  
  
 -openssl = $(ssldir)/bin/openssl

security/stunnel/patches/patch-tools_stunnel_conf-sample_in

@@ -0,0 +1,41 @@
+$OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.1 2004/02/16 12:33:18 jakob Exp $
+--- tools/stunnel.conf-sample.in.orig	2004-01-26 20:26:18.000000000 +0100
++++ tools/stunnel.conf-sample.in	2004-02-16 13:10:46.000000000 +0100
+@@ -1,13 +1,14 @@
+ # Sample stunnel configuration file
+ # Copyright by Michal Trojnara 2002
++# Modified for OpenBSD by Michael Schubert 2003
+ 
+ # Comment it out on Win32
+-cert = @prefix@/etc/stunnel/mail.pem
+-chroot = @prefix@/var/run/stunnel/
++cert = @sysconfdir@/ssl/private/stunnel.pem
++chroot = @localstatedir@/stunnel/
+ # PID is created inside chroot jail
+-pid = /stunnel.pid
+-setuid = nobody
+-setgid = nogroup
++pid = /var/run/stunnel.pid
++setuid = _stunnel
++setgid = _stunnel
+ 
+ # Workaround for Eudora bug
+ #options = DONT_INSERT_EMPTY_FRAGMENTS
+@@ -16,13 +17,13 @@ setgid = nogroup
+ #verify = 2
+ # don't forget about c_rehash CApath
+ # it is located inside chroot jail:
+-#CApath = /certs
++#CApath = @sysconfdir@/ssl/certs
+ # or simply use CAfile instead:
+-#CAfile = @prefix@/etc/stunnel/certs.pem
++#CAfile = @sysconfdir@/ssl/certs.pem
+ # CRL path or file (inside chroot jail):
+-#CRLpath = /crls
++#CRLpath = @sysconfdir@/ssl/crls
+ # or simply use CAfile instead:
+-#CRLfile = @prefix@/etc/stunnel/crls.pem
++#CRLfile = @sysconfdir@/ssl/crls.pem
+ 
+ # Some debugging stuff
+ #debug = 7

security/stunnel/pkg/DEINSTALL

@@ -0,0 +1,26 @@
+#!/bin/sh
+# $OpenBSD: DEINSTALL
+#
+# Stunnel de-installation
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+CONFIG_DIR=${SYSCONFDIR}/stunnel
+CHROOT_DIR=/var/stunnel
+STUNNELUSER=_stunnel
+STUNNELGROUP=_stunnel
+
+echo
+echo " To completely deinstall the $1 package you need to perform"
+echo " these steps as root (make sure stunnel is not running!):"
+echo ""
+echo "           userdel $STUNNELUSER"
+echo "           groupdel $STUNNELGROUP"
+echo "           rm -rf $CONFIG_DIR"
+echo "           rm -rf $CHROOT_DIR"
+echo "           rm /var/run/stunnel.pid"
+echo ""
+echo " Do not do this if you plan on re-installing $1"
+echo " at some future time."
+echo
+
+exit 0

security/stunnel/pkg/INSTALL

@@ -0,0 +1,95 @@
+#!/bin/sh
+#
+# $OpenBSD: INSTALL,v 1.1 2004/02/16 12:33:18 jakob Exp $
+#
+# Pre/post-installation setup of stunnel
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+PREFIX=${PKG_PREFIX:-/usr/local}
+CONFIG_DIR=${SYSCONFDIR}/stunnel
+SAMPLE_CONFIG_DIR=$PREFIX/share/examples/stunnel
+CHROOT_DIR=/var/stunnel
+
+STUNNELUSER=_stunnel
+STUNNELGROUP=_stunnel
+STUNNELUID=528
+STUNNELGID=528
+
+do_usergroup_install()
+{
+  # Create stunnel user and group
+  groupinfo -e $STUNNELGROUP
+  if [ $? -eq 0 ]; then
+    echo "===> Using $STUNNELGROUP group for stunnel"
+  else
+    echo "===> Creating $STUNNELGROUP group for stunnel"
+    groupadd -g $STUNNELGID $STUNNELGROUP
+  fi
+  userinfo -e $STUNNELUSER
+  if [ $? -eq 0 ]; then
+    echo "===> Using $STUNNELUSER user for stunnel"
+  else
+    echo "===> Creating $STUNNELUSER user for stunnel"
+    useradd -u $STUNNELUID -g $STUNNELGROUP -d $CHROOT_DIR \
+      -L daemon -c 'stunnel account' -s /sbin/nologin $STUNNELUSER
+  fi
+}
+
+do_chroot_dir_install()
+{
+  install -d -o root -g wheel -m 755 $CHROOT_DIR
+}
+
+do_notice_conf()
+{
+  echo
+  echo " The existing $1 configuration files in $CONFIG_DIR have NOT"
+  echo " been changed.  You may want to compare them to the current samples in"
+  echo " $SAMPLE_CONFIG_DIR, and update your configuration"
+  echo " files as needed."
+  echo
+}
+
+do_install_conf()
+{
+  install -d -o root -g wheel -m 755 $CONFIG_DIR
+  install -o root -g wheel -m 644 $SAMPLE_CONFIG_DIR/stunnel.conf-sample \
+    $CONFIG_DIR/stunnel.conf
+  echo
+  echo " An $1 sample configuration file has been installed in $CONFIG_DIR."
+  echo " Please view this file and change the configuration to meet your needs."
+  echo
+}
+
+# verify proper execution
+#
+if [ $# -ne 2 ]; then
+    echo "usage: $0 distname { PRE-INSTALL | POST-INSTALL }" >&2
+    exit 1
+fi
+
+# Verify/process the command
+#
+case $2 in
+    PRE-INSTALL)
+	do_usergroup_install
+	;;
+    POST-INSTALL)
+	if [ ! -d $CHROOT_DIR ]; then
+	  do_chroot_dir_install
+	fi
+	if [ ! -d $CONFIG_DIR ]; then
+	   do_install_conf $1
+	elif [ ! -f $CONFIG_DIR/stunnel.conf ]; then
+	   do_install_conf $1
+	else
+	   do_notice_conf $1
+	fi
+	;;
+    *)
+	echo "usage: $0 distname { PRE-INSTALL | POST-INSTALL }" >&2
+	exit 1
+	;;
+esac
+
+exit 0

security/stunnel/pkg/MESSAGE

@@ -2,3 +2,8 @@ After stunnel is installed, you have to create a server certificate and
 put the result in /etc/ssl/private/stunnel.pem. For more information on
 how to create certificates, read ssl(8). For more information on stunnel,
 read stunnel(8).
+
+You can edit /etc/rc.local so that stunnel is started automatically:
+    if [ -x ${PREFIX}/sbin/stunnel ]; then
+        echo -n ' stunnel';       ${PREFIX}/sbin/stunnel
+    fi

security/stunnel/pkg/PLIST

@@ -1,5 +1,5 @@
-@comment $OpenBSD: PLIST,v 1.4 2002/10/31 18:02:36 jakob Exp $
+@comment $OpenBSD: PLIST,v 1.5 2004/02/16 12:33:18 jakob Exp $
-share/examples/stunnel/stunnel.conf-sample
 man/man8/stunnel.8
 sbin/stunnel
+share/examples/stunnel/stunnel.conf-sample
 @dirrm share/examples/stunnel