import ports/security/sslsplit, ok zhuk@

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS
encrypted network connections. Connections are transparently intercepted
through a firewall/network address translation engine and redirected to
SSLsplit.

SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to
the original destination address, while logging all data transmitted.
SSLsplit is intended to be useful for network forensics and penetration
testing.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over
both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates
and signs forged X509v3 certificates on-the-fly, based on the original
server certificate subject DN and subjectAltName extension. SSLsplit
fully supports Server Name Indication (SNI) and is able to work with
RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. SSLsplit can
also use existing certificates of which the private key is available,
instead of generating forged ones. SSLsplit supports NULL-prefix CN
certificates and can deny OCSP requests in a generic way. SSLsplit
removes HPKP response headers in order to prevent public key pinning.

security/sslsplit/Makefile

@@ -0,0 +1,32 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2013/11/28 16:49:10 sthen Exp $
+
+COMMENT=	transparent and scalable SSL/TLS interception
+
+DISTNAME=	sslsplit-0.4.7
+EXTRACT_SUFX=	.tar.bz2
+
+CATEGORIES=	security
+
+HOMEPAGE=	https://www.roe.ch/SSLsplit/
+
+MAINTAINER=	Stuart Henderson <sthen@openbsd.org>
+
+# SSLsplit: BSD, khash.h (header-based library): MIT
+PERMIT_PACKAGE_CDROM=	Yes
+
+WANTLIB += c crypto event_core event_extra event_openssl event_pthreads
+WANTLIB += pthread ssl
+
+MASTER_SITES=	https://mirror.roe.ch/rel/sslsplit/
+
+LIB_DEPENDS=	devel/libevent2
+# following is expected with MALLOC_FLAGS J:
+# "cert.t.c:66:F:cert_refcount_inc:cert_refcount_inc_01:0: refcount mismatch"
+# the test deliberately does a use-after-free
+TEST_DEPENDS=	devel/check
+
+USE_GMAKE=	Yes
+
+MAKE_FILE=	GNUmakefile
+
+.include <bsd.port.mk>

security/sslsplit/distinfo

@@ -0,0 +1,2 @@
+SHA256 (sslsplit-0.4.7.tar.bz2) = fnW3PtAm2cd2z5Oh1+1a0keXPDzpSmszZ/R096VhF9s=
+SIZE (sslsplit-0.4.7.tar.bz2) = 73686

security/sslsplit/patches/patch-GNUmakefile

@@ -0,0 +1,23 @@
+$OpenBSD: patch-GNUmakefile,v 1.1.1.1 2013/11/28 16:49:10 sthen Exp $
+
+enable HAVE_IPFW for divert-to
+
+--- GNUmakefile.orig	Tue Jul  2 15:06:16 2013
++++ GNUmakefile	Thu Nov 28 15:22:53 2013
+@@ -46,6 +46,7 @@ DEBUG_CFLAGS?=	-g
+ # Autodetect pf
+ ifneq ($(wildcard /usr/include/net/pfvar.h),)
+ FEATURES+=	-DHAVE_PF
++FEATURES+=	-DHAVE_IPFW
+ endif
+ 
+ # Autodetect ipfw
+@@ -292,7 +293,7 @@ install: $(TARGET)
+ 	test -d $(PREFIX)/share/man/man1 || \
+ 		$(MKDIR) -p $(PREFIX)/share/man/man1
+ 	$(INSTALL) -o 0 -g 0 -m 0755 $(TARGET) $(PREFIX)/bin/
+-	$(INSTALL) -o 0 -g 0 -m 0644 $(TARGET).1 $(PREFIX)/share/man/man1/
++	$(INSTALL) -o 0 -g 0 -m 0644 $(TARGET).1 $(PREFIX)/man/man1/
+ 
+ deinstall:
+ 	$(RM) -f $(PREFIX)/bin/$(TARGET) $(PREFIX)/share/man/man1/$(TARGET).1

security/sslsplit/patches/patch-main_c

@@ -0,0 +1,21 @@
+$OpenBSD: patch-main_c,v 1.1.1.1 2013/11/28 16:49:10 sthen Exp $
+--- main.c.orig	Thu Nov 28 15:30:57 2013
++++ main.c	Thu Nov 28 15:31:07 2013
+@@ -128,7 +128,7 @@ main_usage(void)
+ "  -s ciphers  use the given OpenSSL cipher suite spec (default: ALL:-aNULL)\n"
+ "  -e engine   specify default NAT engine to use (default: %s)\n"
+ "  -E          list available NAT engines and exit\n"
+-"  -u user     drop privileges to user (default if run as root: nobody)\n"
++"  -u user     drop privileges to user (default if run as root: _sslsplit)\n"
+ "  -j jaildir  chroot() to jaildir (default if run as root: /var/empty)\n"
+ "  -p pidfile  write pid to pidfile (default: no pid file)\n"
+ "  -l logfile  connect log: log one line summary per connection to logfile\n"
+@@ -522,7 +522,7 @@ main(int argc, char *argv[])
+ 	}
+ 	if (!opts->dropuser && !geteuid() && !getuid() &&
+ 	    !opts->contentlogdir) {
+-		opts->dropuser = strdup("nobody");
++		opts->dropuser = strdup("_sslsplit");
+ 	}
+ 	if (opts_has_ssl_spec(opts) && opts->cakey && !opts->key) {
+ 		opts->key = ssl_key_genrsa(1024);

security/sslsplit/patches/patch-sslsplit_1

@@ -0,0 +1,73 @@
+$OpenBSD: patch-sslsplit_1,v 1.1.1.1 2013/11/28 16:49:10 sthen Exp $
+--- sslsplit.1.orig	Tue Jul  2 15:06:16 2013
++++ sslsplit.1	Thu Nov 28 15:49:43 2013
+@@ -231,7 +231,7 @@ Drop privileges after opening sockets and files by set
+ effective and stored user IDs to \fIuser\fP and loading the appropriate
+ primary and ancillary groups.  If \fB-u\fP is not given, SSLsplit will drop
+ privileges to the stored UID if EUID != UID (setuid bit scenario), or to
+-\fBnobody\fP if running with full \fBroot\fP privileges (EUID == UID == 0)
++\fB_sslsplit\fP if running with full \fBroot\fP privileges (EUID == UID == 0)
+ and \fB-S\fP is not used.
+ .TP
+ .B \-V
+@@ -291,26 +291,29 @@ than the NAT rules redirecting the actual connections.
+ SSLsplit currently supports the following NAT engines:
+ .TP
+ .B pf
+-OpenBSD packet filter (pf), also available on FreeBSD and NetBSD.
+-Fully supported, including IPv6.
++OpenBSD packet filter (pf), using NAT redirects (rdr-to), also available
++on FreeBSD and NetBSD.
++Fully supported, including IPv6, but note that divert sockets (divert-to)
++are preferred (see the ipfw NAT engine).
+ Assuming inbound interface \fBem0\fP:
+ .LP
+ .RS
+ .nf
+-\fBrdr pass on em0 proto tcp from 2001:db8::/64 to any port  80 \\
+-         ->       ::1 port 10080\fP
+-\fBrdr pass on em0 proto tcp from 2001:db8::/64 to any port 443 \\
+-         ->       ::1 port 10443\fP
+-\fBrdr pass on em0 proto tcp from  192.0.2.0/24 to any port  80 \\
+-         -> 127.0.0.1 port 10080\fP
+-\fBrdr pass on em0 proto tcp from  192.0.2.0/24 to any port 443 \\
+-         -> 127.0.0.1 port 10443\fP
++\fBpass in quick on em0 proto tcp from 2001:db8::/64 to any port  80 \\
++         rdr-to       ::1 port 10080\fP
++\fBpass in quick on em0 proto tcp from 2001:db8::/64 to any port 443 \\
++         rdr-to       ::1 port 10443\fP
++\fBpass in quick on em0 proto tcp from  192.0.2.0/24 to any port  80 \\
++         rdr-to 127.0.0.1 port 10080\fP
++\fBpass in quick on em0 proto tcp from  192.0.2.0/24 to any port 443 \\
++         rdr-to 127.0.0.1 port 10443\fP
+ .fi
+ .RE
+ .TP
+ .B ipfw
+ FreeBSD IP firewall (IPFW), also available on Mac OS X.
+-Fully supported on FreeBSD, including IPv6.
++Also OpenBSD packet filter (pf), using divert-to.
++Fully supported on FreeBSD and OpenBSD, including IPv6.
+ Only supports IPv4 on Mac OS X due to the ancient version of IPFW included.
+ .LP
+ .RS
+@@ -319,6 +322,19 @@ Only supports IPv4 on Mac OS X due to the ancient vers
+ \fBipfw add fwd       ::1,10443 tcp from 2001:db8::/64 to any 443\fP
+ \fBipfw add fwd 127.0.0.1,10080 tcp from 192.0.2.0/24  to any  80\fP
+ \fBipfw add fwd 127.0.0.1,10443 tcp from 192.0.2.0/24  to any 443\fP
++.fi
++.RE
++.LP
++.RS
++.nf
++\fBpass in quick on em0 proto tcp from 2001:db8::/64 to any port  80 \\
++         divert-to       ::1 port 10080\fP
++\fBpass in quick on em0 proto tcp from 2001:db8::/64 to any port 443 \\
++         divert-to       ::1 port 10443\fP
++\fBpass in quick on em0 proto tcp from  192.0.2.0/24 to any port  80 \\
++         divert-to 127.0.0.1 port 10080\fP
++\fBpass in quick on em0 proto tcp from  192.0.2.0/24 to any port 443 \\
++         divert-to 127.0.0.1 port 10443\fP
+ .fi
+ .RE
+ .TP

security/sslsplit/pkg/DESCR

@@ -0,0 +1,20 @@
+SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS
+encrypted network connections. Connections are transparently intercepted
+through a firewall/network address translation engine and redirected to
+SSLsplit.
+
+SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to
+the original destination address, while logging all data transmitted.
+SSLsplit is intended to be useful for network forensics and penetration
+testing.
+
+SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over
+both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates
+and signs forged X509v3 certificates on-the-fly, based on the original
+server certificate subject DN and subjectAltName extension. SSLsplit
+fully supports Server Name Indication (SNI) and is able to work with
+RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. SSLsplit can
+also use existing certificates of which the private key is available,
+instead of generating forged ones. SSLsplit supports NULL-prefix CN
+certificates and can deny OCSP requests in a generic way. SSLsplit
+removes HPKP response headers in order to prevent public key pinning.

security/sslsplit/pkg/PLIST

@@ -0,0 +1,4 @@
+@comment $OpenBSD: PLIST,v 1.1.1.1 2013/11/28 16:49:10 sthen Exp $
+@newuser _sslsplit:727:_sslsplit:daemon:sslsplit:/nonexistent:/sbin/nologin
+@bin bin/sslsplit
+@man man/man1/sslsplit.1