update to sslsplit-0.5.0

security/sslsplit/Makefile

@@ -1,9 +1,8 @@
-# $OpenBSD: Makefile,v 1.10 2015/08/28 11:05:22 jca Exp $
+# $OpenBSD: Makefile,v 1.11 2016/03/28 21:37:25 sthen Exp $
 
 COMMENT=	transparent and scalable SSL/TLS interception
 
-DISTNAME=	sslsplit-0.4.11
-REVISION=	1
+DISTNAME=	sslsplit-0.5.0
 EXTRACT_SUFX=	.tar.bz2
 
 CATEGORIES=	security
@@ -21,8 +20,8 @@ WANTLIB += pthread ssl
 MASTER_SITES=	https://mirror.roe.ch/rel/sslsplit/
 
 LIB_DEPENDS=	devel/libevent2
-# following is expected with MALLOC_FLAGS J:
-# "cert.t.c:66:F:cert_refcount_inc:cert_refcount_inc_01:0: refcount mismatch"
+# following is expected unless MALLOC_FLAGS includes 'j':
+# "cert.t.c:65:F:cert_refcount_inc:cert_refcount_inc_01:0: refcount mismatch"
 # the test deliberately does a use-after-free
 TEST_DEPENDS=	devel/check
 MAKE_FLAGS=	MANDIR=man PREFIX=${TRUEPREFIX}

security/sslsplit/distinfo

@@ -1,2 +1,2 @@
-SHA256 (sslsplit-0.4.11.tar.bz2) = dVVMoR7jjXJ0VrF7av1TeeXBTAUWDKZnVaJfJItLFzA=
-SIZE (sslsplit-0.4.11.tar.bz2) = 267290
+SHA256 (sslsplit-0.5.0.tar.bz2) = PrE8HQFkvwTnYC2fxF73RgREuVPvruPufVLDV62zqJo=
+SIZE (sslsplit-0.5.0.tar.bz2) = 355795

security/sslsplit/patches/patch-defaults_h

@@ -0,0 +1,12 @@
+$OpenBSD: patch-defaults_h,v 1.1 2016/03/28 21:37:25 sthen Exp $
+--- defaults.h.orig	Mon Mar 28 22:33:15 2016
++++ defaults.h	Mon Mar 28 22:33:43 2016
+@@ -38,7 +38,7 @@
+  * overloading nobody with yet another use case.  Using nobody for source
+  * builds makes sense because chances are high that it exists.
+  */
+-#define DFLT_DROPUSER "nobody"
++#define DFLT_DROPUSER "_sslsplit"
+ 
+ /*
+  * Default file and directory modes for newly created files and directories

security/sslsplit/patches/patch-main_c

@@ -1,21 +0,0 @@
-$OpenBSD: patch-main_c,v 1.3 2014/12/12 21:51:59 sthen Exp $
---- main.c.orig	Fri Nov 28 09:28:58 2014
-+++ main.c	Fri Dec 12 21:50:13 2014
-@@ -140,7 +140,7 @@ main_usage(void)
- "  -s ciphers  use the given OpenSSL cipher suite spec (default: ALL:-aNULL)\n"
- "  -e engine   specify default NAT engine to use (default: %s)\n"
- "  -E          list available NAT engines and exit\n"
--"  -u user     drop privileges to user (default if run as root: nobody)\n"
-+"  -u user     drop privileges to user (default if run as root: _sslsplit)\n"
- "  -m group    when using -u, override group (default: primary group of user)\n"
- "  -j jaildir  chroot() to jaildir (impacts -S/-F and sni, see manual page)\n"
- "  -p pidfile  write pid to pidfile (default: no pid file)\n"
-@@ -630,7 +630,7 @@ main(int argc, char *argv[])
- 		 * if pf has been used in any proxyspec */
- 		if (!nat_used("pf")) {
- #endif /* __APPLE__ */
--		opts->dropuser = strdup("nobody");
-+		opts->dropuser = strdup("_sslsplit");
- 		if (!opts->dropuser)
- 			oom_die(argv0);
- #ifdef __APPLE__

security/sslsplit/patches/patch-opts_c

@@ -1,26 +0,0 @@
-$OpenBSD: patch-opts_c,v 1.3 2015/08/28 11:05:22 jca Exp $
-
-Fixed upstream
-
-  https://github.com/droe/sslsplit/commit/57a2ab85884e8bacec8b03aa5a3f935376f43a2d
-
---- opts.c.orig	Mon Mar 16 00:24:02 2015
-+++ opts.c	Fri Aug 28 12:34:18 2015
-@@ -143,7 +143,7 @@ opts_proto_force(opts_t *opts, const char *optarg, con
- 		opts->sslmethod = SSLv2_method;
- 	} else
- #endif /* SSL_OP_NO_SSLv2 && WITH_SSLV2 */
--#ifdef SSL_OP_NO_SSLv3
-+#if defined(SSL_OP_NO_SSLv3) && !defined(OPENSSL_NO_SSL3_METHOD)
- 	if (!strcmp(optarg, "ssl3")) {
- 		opts->sslmethod = SSLv3_method;
- 	} else
-@@ -219,7 +219,7 @@ opts_proto_dbg_dump(opts_t *opts)
- #if defined(SSL_OP_NO_SSLv2) && defined(WITH_SSLV2)
- 	               (opts->sslmethod == SSLv2_method) ? "nossl2" :
- #endif /* SSL_OP_NO_SSLv2 && WITH_SSLV2 */
--#ifdef SSL_OP_NO_SSLv3
-+#if defined(SSL_OP_NO_SSLv3) && !defined(OPENSSL_NO_SSL3_METHOD)
- 	               (opts->sslmethod == SSLv3_method) ? "ssl3" :
- #endif /* SSL_OP_NO_SSLv3 */
- #ifdef SSL_OP_NO_TLSv1

security/sslsplit/patches/patch-ssl_c

@@ -1,17 +0,0 @@
-$OpenBSD: patch-ssl_c,v 1.4 2015/08/25 17:30:56 jca Exp $
-
-"Fixed" upstream
-
-  https://github.com/droe/sslsplit/commit/79d570fe2e15a22c98451ab9308eaad341fc1167
-
---- ssl.c.orig	Mon Mar 16 08:46:32 2015
-+++ ssl.c	Mon Mar 16 08:47:53 2015
-@@ -898,7 +898,7 @@ ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain,
- 			goto leave3;
- 	}
- 
--#if (OPENSSL_VERSION_NUMBER < 0x1000200fL)
-+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x1000200fL)
- 	tmpchain = tmpctx->extra_certs;
- #else /* OpenSSL >= 1.0.2 */
- 	rv = SSL_CTX_get0_chain_certs(tmpctx, &tmpchain);

security/sslsplit/patches/patch-sslsplit_1

@@ -1,16 +1,16 @@
-$OpenBSD: patch-sslsplit_1,v 1.4 2014/12/12 21:51:59 sthen Exp $
---- sslsplit.1.orig	Fri Nov 28 09:28:58 2014
-+++ sslsplit.1	Fri Dec 12 21:49:38 2014
-@@ -288,7 +288,7 @@ Drop privileges after opening sockets and files by set
+$OpenBSD: patch-sslsplit_1,v 1.5 2016/03/28 21:37:25 sthen Exp $
+--- sslsplit.1.orig	Sun Mar 27 14:46:35 2016
++++ sslsplit.1	Mon Mar 28 22:31:36 2016
+@@ -299,7 +299,7 @@ Drop privileges after opening sockets and files by set
  effective and stored user IDs to \fIuser\fP and loading the appropriate
  primary and ancillary groups.  If \fB-u\fP is not given, SSLsplit will drop
  privileges to the stored UID if EUID != UID (setuid bit scenario), or to
--\fBnobody\fP if running with full \fBroot\fP privileges (EUID == UID == 0)
-+\fB_sslsplit\fP if running with full \fBroot\fP privileges (EUID == UID == 0)
- and \fB-S\fP is not used.
+-\fBnobody\fP if running with full \fBroot\fP privileges (EUID == UID == 0).
++\fB_sslsplit\fP if running with full \fBroot\fP privileges (EUID == UID == 0).
  Due to an Apple bug, \fB-u\fP cannot be used with \fBpf\fP proxyspecs on
  Mac OS X.
-@@ -455,6 +455,19 @@ First in IPFW, then in pf \fBdivert-to\fP syntax:
+ .TP
+@@ -512,6 +512,19 @@ First in IPFW, then in pf \fBdivert-to\fP syntax:
  \fBipfw add fwd       ::1,10443 tcp from 2001:db8::/64 to any 443\fP
  \fBipfw add fwd 127.0.0.1,10080 tcp from 192.0.2.0/24  to any  80\fP
  \fBipfw add fwd 127.0.0.1,10443 tcp from 192.0.2.0/24  to any 443\fP