Fix permissions, add "cpath" promise for OCSP worker

Hitch may create new staple files at runtime.

Found by Maxim Tarasov <mu@magi.net.ru>, thanks!

Feedback and OK sthen

security/hitch/Makefile

@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.2 2018/05/08 23:22:51 jca Exp $
+# $OpenBSD: Makefile,v 1.3 2018/06/02 09:51:33 kn Exp $
 
 COMMENT =		libev-based high performance TLS proxy
 
 DISTNAME =		hitch-1.4.8
-REVISION =		0
+REVISION =		1
 
 CATEGORIES =		security
 

security/hitch/patches/patch-src_hitch_c

@@ -1,4 +1,4 @@
-$OpenBSD: patch-src_hitch_c,v 1.2 2018/05/08 23:22:51 jca Exp $
+$OpenBSD: patch-src_hitch_c,v 1.3 2018/06/02 09:51:33 kn Exp $
 
 Prevent crash after reload with ocsp-dir change:
 https://github.com/varnish/hitch/pull/265
@@ -23,7 +23,7 @@ Index: src/hitch.c
  			    "Refusing to run workers as root.\n");
  			_exit(1);
  		}
-+		if (pledge("stdio rpath wpath inet dns", NULL) == -1)
++		if (pledge("stdio rpath wpath cpath inet dns", NULL) == -1)
 +			fail("pledge");
 +		LOGL("{core} pledge called (ocsp)\n");
  		handle_ocsp_task();

security/hitch/pkg/PLIST

@@ -1,6 +1,15 @@
-@comment $OpenBSD: PLIST,v 1.1.1.1 2018/05/01 13:43:59 kn Exp $
+@comment $OpenBSD: PLIST,v 1.2 2018/06/02 09:51:33 kn Exp $
 @newgroup _hitch:807
 @newuser _hitch:807:_hitch:daemon:Hitch TLS proxy:/var/hitch:/sbin/nologin
+@rcscript ${RCDIR}/hitch
+@extraunexec rm -rf ${LOCALSTATEDIR}/hitch/*
+@mode 700
+@owner _hitch
+@group _hitch
+@sample ${LOCALSTATEDIR}/hitch/
+@mode
+@owner
+@group
 @man man/man5/hitch.conf.5
 @man man/man8/hitch.8
 @bin sbin/hitch
@@ -15,6 +24,3 @@ share/doc/hitch/proxy-protocol.md
 share/doc/hitch/vhosts.md
 share/examples/hitch/
 share/examples/hitch/hitch.conf.example
-@exec-add mkdir -p /var/hitch
-@extraunexec rm -rf /var/hitch
-@rcscript ${RCDIR}/hitch