import ports/net/sslh: from Bjorn Ketelaars, merging in a previous port

from fgsch. ok okan@

sslh accepts HTTPS, SSH, OpenVPN, tinc and XMPP connections on the
same port. This makes it possible to connect to any of these servers
on port 443 (e.g. from inside a corporate firewall, which almost
never block port 443) while still serving HTTPS on that port.

net/sslh/Makefile

@@ -0,0 +1,33 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2012/04/13 14:14:21 sthen Exp $
+
+COMMENT =	ssl/ssh multiplexer
+
+VERSION =	1.10
+DISTNAME =	sslh-${VERSION}
+CATEGORIES =	security net
+
+HOMEPAGE =	http://www.rutschle.net/tech/sslh.shtml
+
+# GPLv2+
+PERMIT_PACKAGE_CDROM =		Yes
+PERMIT_PACKAGE_FTP =		Yes
+PERMIT_DISTFILES_CDROM =	Yes
+PERMIT_DISTFILES_FTP =		Yes
+
+MASTER_SITES =	http://www.rutschle.net/tech/ \
+		http://mirror2.openwrt.org/sources/
+
+WANTLIB =	c wrap
+
+MAKE_FLAGS =	CC="${CC}"
+NO_REGRESS =	Yes
+
+do-install:
+	${INSTALL_DATA_DIR} ${PREFIX}/share/doc/sslh
+	${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/sslh
+	${INSTALL_DATA} ${WRKSRC}/sslh.8 ${PREFIX}/man/man8
+.for p in sslh-fork sslh-select
+	${INSTALL_PROGRAM} ${WRKSRC}/$p ${PREFIX}/sbin
+.endfor
+
+.include <bsd.port.mk>

net/sslh/distinfo

@@ -0,0 +1,5 @@
+MD5 (sslh-1.10.tar.gz) = vDTppHcNY0Yz5wWJxycIzA==
+RMD160 (sslh-1.10.tar.gz) = nCqxeMpk6GX3kWgnmh5U2KVvJ3M=
+SHA1 (sslh-1.10.tar.gz) = c+xTCruimva7SN1W49oakHYIWvE=
+SHA256 (sslh-1.10.tar.gz) = VVTkKWmgCVUEi0XT0ml4W70CEdT7K0z155UDtZJpV3E=
+SIZE (sslh-1.10.tar.gz) = 25293

net/sslh/patches/patch-Makefile

@@ -0,0 +1,46 @@
+--- Makefile.orig	Sat Nov 26 19:06:58 2011
++++ Makefile	Fri Mar 23 19:53:40 2012
+@@ -5,26 +5,19 @@
+ COV_TEST= 	# Perform test coverage?
+ PREFIX=/usr/local
+ 
+-MAN=sslh.8.gz	# man page name
++MAN=sslh.8	# man page name
+ 
+ # End of configuration -- the rest should take care of
+ # itself
+ 
+-ifneq ($(strip $(COV_TEST)),)
+-    CFLAGS_COV=-fprofile-arcs -ftest-coverage
+-endif
+-
+ CC = gcc
+-CFLAGS=-Wall -g $(CFLAGS_COV)
+ 
+ #LIBS=-lnet
+ LIBS=
+ OBJS=common.o sslh-main.o
+ 
+-ifneq ($(strip $(USELIBWRAP)),)
+-	LIBS:=$(LIBS) -lwrap
+-	CFLAGS:=$(CFLAGS) -DLIBWRAP
+-endif
++LIBS:=$(LIBS) -lwrap
++CFLAGS:=$(CFLAGS) -Wall -DLIBWRAP
+ 
+ all: sslh $(MAN) echosrv
+ 
+@@ -46,7 +39,7 @@
+ 	$(CC) $(CFLAGS) -o echosrv echosrv.o common.o $(LIBS)
+ 
+ $(MAN): sslh.pod Makefile
+-	pod2man --section=8 --release=$(VERSION) --center=" " sslh.pod | gzip -9 - > $(MAN)
++	pod2man --section=8 --release=$(VERSION) --center=" " sslh.pod > $(MAN)
+ 
+ # generic install: install binary and man page
+ install: sslh $(MAN)
+@@ -72,4 +65,3 @@
+ 
+ test:
+ 	./t
+-

net/sslh/patches/patch-sslh_fork_c

@@ -0,0 +1,22 @@
+--- sslh-fork.c.orig	Sat Nov 26 22:16:43 2011
++++ sslh-fork.c	Fri Mar 23 19:53:57 2012
+@@ -138,6 +138,7 @@
+     int in_socket, i, res;
+     struct sigaction action;
+ 
++    listener_pid_number = num_addr_listen;
+     listener_pid = malloc(listener_pid_number * sizeof(listener_pid[0]));
+ 
+     /* Start one process for each listening address */
+@@ -170,11 +171,9 @@
+     res = sigaction(SIGTERM, &action, NULL);
+     CHECK_RES_DIE(res, "sigaction");
+ 
+-    listener_pid_number = num_addr_listen;
+     wait(NULL);
+ }
+ 
+ /* The actual main is in common.c: it's the same for both version of
+  * the server
+  */
+-

net/sslh/patches/patch-sslh_main_c

@@ -0,0 +1,22 @@
+--- sslh-main.c.orig	Sat Nov 26 22:16:43 2011
++++ sslh-main.c	Fri Mar 23 19:50:40 2012
+@@ -54,7 +54,7 @@
+ "-t: timeout before connecting to SSH.\n" \
+ "-p: address and port to listen on.\n    Can be used several times to bind to several addresses.\n" \
+ "--[ssh,ssl,...]: where to connect connections from corresponding protocol.\n" \
+-"-P: PID file. Default: /var/run/sslh.pid.\n" \
++"-P: PID file. Default: /var/run/sslh/sslh.pid.\n" \
+ "-i: Run as a inetd service.\n" \
+ "";
+ 
+@@ -154,8 +154,8 @@
+    int *listen_sockets;
+ 
+    /* Init defaults */
+-   pid_file = "/var/run/sslh.pid";
+-   user_name = "nobody";
++   pid_file = "/var/run/sslh/sslh.pid";
++   user_name = "_sslh";
+    foreground = 0;
+ 
+    parse_cmdline(argc, argv);

net/sslh/patches/patch-sslh_pod

@@ -0,0 +1,82 @@
+--- sslh.pod.orig	Sat Nov 26 22:15:31 2011
++++ sslh.pod	Fri Mar 23 19:50:40 2012
+@@ -16,12 +16,19 @@
+ firewall, which almost never block port 443) while still
+ serving HTTPS on that port. 
+ 
+-
+ The idea is to have B<sslh> listen to the external 443 port,
+ accept the incoming connections, work out what type of
+ connection it is, and then fordward to the appropriate
+ server.
+ 
++B<sslh> comes in two versions: B<sslh-fork> forks a new process 
++for each incoming connection. It is well-tested and very
++reliable, but incurs the overhead of many processes. B<sslh-select>
++uses only one thread, which monitors all connections at once.
++It is more recent and less tested, but only incurs a 16 byte
++overhead per connection. Also, if it stops, you'll lose all
++connections, which means you can't upgrade it remotely.
++
+ =head2 Protocol detection
+ 
+ The protocol detection is made based on the first bytes sent
+@@ -45,17 +52,6 @@
+ provides, and connects it to the SSH server if it starts
+ with "SSH-", or connects it to the SSL server otherwise.
+ 
+-=head2 Libwrap support
+-
+-One drawback of B<sslh> is that the B<ssh> and B<httpd>
+-servers do not see the original IP address of the client
+-anymore, as the connection is forwarded through B<sslh>.
+-B<sslh> provides enough logging to circumvent that problem.
+-However it is common to limit access to B<ssh> using
+-B<libwrap> or B<tcpd>. For this reason, B<sslh> can be
+-compiled to check SSH accesses against SSH access lists as
+-defined in F</etc/hosts.allow> and F</etc/hosts.deny>.
+-
+ =head1 OPTIONS
+ 
+ =over 4
+@@ -124,13 +120,12 @@
+ =item B<-u> I<username>, B<--user> I<username>
+ 
+ Requires to run under the specified username. Defaults to
+-I<nobody> (which is not perfect -- ideally B<sslh> should
+-run under its own UID).
++I<_sslh>.
+ 
+ =item B<-P> I<pidfile>, B<--pid-file> I<pidfile>
+ 
+ Specifies the file in which to write the PID of the main
+-server. Defaults to I</var/run/sslh.pid>.
++server. Defaults to I</var/run/sslh/sslh.pid>.
+ 
+ =item B<-i>, B<--inetd>
+ 
+@@ -142,24 +137,6 @@
+ Runs in foreground. The server will not fork and will remain connected
+ to the terminal. Messages normally sent to B<syslog> will also be sent
+ to I<stderr>.
+-
+-=back
+-
+-=head1 FILES
+-
+-=over 4
+-
+-=item F</etc/init.d/sslh>
+-
+-Start-up script. The standard actions B<start>, B<stop> and
+-B<restart> are supported.
+-
+-=item F</etc/default/sslh>
+-
+-Server configuration. These are environment variables
+-loaded by the start-up script and passed to B<sslh> as
+-command-line arguments. Refer to the OPTIONS section for a
+-detailed explanation of the variables used by B<sslh>.
+ 
+ =back
+ 

net/sslh/pkg/DESCR

@@ -0,0 +1,4 @@
+sslh accepts HTTPS, SSH, OpenVPN, tinc and XMPP connections on the
+same port. This makes it possible to connect to any of these servers
+on port 443 (e.g. from inside a corporate firewall, which almost
+never block port 443) while still serving HTTPS on that port.

net/sslh/pkg/PLIST

@@ -0,0 +1,10 @@
+@comment $OpenBSD: PLIST,v 1.1.1.1 2012/04/13 14:14:21 sthen Exp $
+@newgroup _sslh:696
+@newuser _sslh:696:696:daemon:sslh:/nonexistent:/sbin/nologin
+@man man/man8/sslh.8
+@bin sbin/sslh-fork
+@bin sbin/sslh-select
+share/doc/sslh/
+share/doc/sslh/README
+@rcscript ${RCDIR}/sslh_fork
+@rcscript ${RCDIR}/sslh_select

net/sslh/pkg/sslh_fork.rc

@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# $OpenBSD: sslh_fork.rc,v 1.1.1.1 2012/04/13 14:14:21 sthen Exp $
+
+daemon="${TRUEPREFIX}/sbin/sslh-fork"
+daemon_flags="--listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443"
+
+. /etc/rc.d/rc.subr
+
+pexp="${daemon}"
+rc_reload=NO
+
+rc_pre() {
+        install -d -o _sslh /var/run/sslh
+}
+
+rc_cmd $1

net/sslh/pkg/sslh_select.rc

@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# $OpenBSD: sslh_select.rc,v 1.1.1.1 2012/04/13 14:14:21 sthen Exp $
+
+daemon="${TRUEPREFIX}/sbin/sslh-select"
+daemon_flags="--listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443"
+
+. /etc/rc.d/rc.subr
+
+pexp="${daemon}"
+rc_reload=NO
+
+rc_pre() {
+        install -d -o _sslh /var/run/sslh
+}
+
+rc_cmd $1