Index: Makefile
===================================================================
RCS file: /cvs/ports/security/stunnel/Makefile,v
retrieving revision 1.93
diff -u -p -r1.93 Makefile
--- Makefile 12 Jul 2019 20:49:37 -0000 1.93
+++ Makefile 27 Feb 2022 12:40:53 -0000
@@ -2,35 +2,48 @@
COMMENT= SSL encryption wrapper for standard network daemons
-DISTNAME= stunnel-5.44
+DISTNAME= stunnel-5.62
CATEGORIES= security
-REVISION= 2
MAINTAINER= Gleydson Soares <gsoares@openbsd.org>
# GPLv2+ with OpenSSL exemption
PERMIT_PACKAGE= Yes
-WANTLIB += c crypto pthread ssl util
+WANTLIB += c util
+WANTLIB += lib/eopenssl30/ssl lib/eopenssl30/crypto
-HOMEPAGE= http://www.stunnel.org/
+HOMEPAGE= https://www.stunnel.org/
MASTER_SITES= https://www.stunnel.org/downloads/archive/5.x/ \
- http://ftp.nluug.nl/pub/networking/stunnel/archive/5.x/ \
- http://mirror.bit.nl/stunnel/archive/5.x/ \
- ftp://ftp.stunnel.org/stunnel/archive/5.x/
+ https://ftp.nluug.nl/pub/networking/stunnel/ \
+ https://www.usenix.org.uk/mirrors/stunnel/
SEPARATE_BUILD= Yes
CONFIGURE_STYLE= gnu
-CONFIGURE_ARGS+= --with-ssl=/usr \
+CONFIGURE_ARGS += --with-ssl=${WRKSRC}/openssl \
+ --disable-shared \
+ --enable-static \
+ --with-threads=fork \
--disable-libwrap
MODGNU_CONFIG_GUESS_DIRS=${WRKSRC}/auto
USE_GMAKE= Yes
+
+USE_LIBTOOL = gnu
+LIB_DEPENDS += security/openssl/3.0
+EOPENSSL_LIB = ${LOCALBASE}/lib/eopenssl30
+EOPENSSL_INC = ${LOCALBASE}/include/eopenssl30
+LDFLAGS += -L${EOPENSSL_LIB} \
+ -Wl,-rpath,${EOPENSSL_LIB}
+CONFIGURE_ENV += LDFLAGS="${LDFLAGS}"
+
pre-configure:
${SUBST_CMD} ${WRKSRC}/src/stunnel3.in
${SUBST_CMD} ${WRKSRC}/tools/stunnel.conf-sample.in
+ mkdir -p ${WRKSRC}/openssl
+ ln -s ${EOPENSSL_INC} ${WRKSRC}/openssl/include
do-install:
${INSTALL_PROGRAM} ${WRKBUILD}/src/stunnel ${PREFIX}/sbin
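Review bot: The `ln -s ${EOPENSSL_INC} ${WRKSRC}/openssl/include` step at the end of pre-configure is not repeatable: if the link already exists, ln exits non-zero and the recipe aborts. The ports framework normally guards pre-configure with a cookie, so this presumably only bites when the step is re-run by hand, but `ln -sfh ${EOPENSSL_INC} ${WRKSRC}/openssl/include` (or an `rm -f` of the link first) costs nothing. The reasoning behind the openssl/ directory and `--with-threads=fork` lives only in the commit message; a comment above the `LIB_DEPENDS` line such as `# configure wants include/ and lib/ below one --with-ssl prefix: include/ is symlinked in pre-configure, lib/ is found via LDFLAGS; ports OpenSSL lacks thread support, hence --with-threads=fork` would keep it next to the code. The two WANTLIB entries on the added `lib/eopenssl30/...` line would conventionally be listed sorted, crypto before ssl.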
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/stunnel/distinfo,v
retrieving revision 1.45
diff -u -p -r1.45 distinfo
--- distinfo 1 Dec 2017 00:08:44 -0000 1.45
+++ distinfo 27 Feb 2022 12:40:53 -0000
@@ -1,2 +1,2 @@
-SHA256 (stunnel-5.44.tar.gz) = mQoyXbtH132Idy3QL7vSfZGx/qPs52yf9EYeypPxIpk=
-SIZE (stunnel-5.44.tar.gz) = 699117
+SHA256 (stunnel-5.62.tar.gz) = nPW7lJAiqmbHNsEyZVTMon0GQWBaY3AnTtxJUetb0zk=
+SIZE (stunnel-5.62.tar.gz) = 862456
Index: patches/patch-Makefile_in
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-Makefile_in,v
retrieving revision 1.15
diff -u -p -r1.15 patch-Makefile_in
--- patches/patch-Makefile_in 1 Dec 2017 00:08:44 -0000 1.15
+++ patches/patch-Makefile_in 27 Feb 2022 12:40:53 -0000
@@ -2,12 +2,12 @@ $OpenBSD: patch-Makefile_in,v 1.15 2017/
Index: Makefile.in
--- Makefile.in.orig
+++ Makefile.in
-@@ -364,7 +364,7 @@ top_build_prefix = @top_build_prefix@
- top_builddir = @top_builddir@
- top_srcdir = @top_srcdir@
+@@ -371,7 +371,7 @@ top_srcdir = @top_srcdir@
+ with_bashcompdir = @with_bashcompdir@
+ AM_DISTCHECK_CONFIGURE_FLAGS = --with-bashcompdir='$$(datarootdir)/bash-completion/completions'
ACLOCAL_AMFLAGS = -I m4
-SUBDIRS = src doc tools tests
-+SUBDIRS = src doc tests
- EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \
- INSTALL.FIPS build-android.sh .travis.yml
- doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \
++SUBDIRS = src doc tools
+ doc_DATA = README.md TODO.md COPYING.md AUTHORS.md NEWS.md PORTS.md \
+ BUGS.md COPYRIGHT.md CREDITS.md INSTALL.W32.md INSTALL.WCE.md \
+ INSTALL.FIPS.md
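Review bot: The new `+SUBDIRS = src doc tools` line drops `tests`, so upstream's test suite is no longer built or run, whereas the previous version of the patch removed `tools` instead; nothing in the hunk says why the tests are now excluded. If they are skipped because of missing dependencies, that belongs in a comment after the `$OpenBSD:` header of the patch, e.g. `# tests not built: need <dependency placeholder>`, and, if the port has no other test target, an explicit `NO_TEST = Yes` in the port Makefile so the omission is visible rather than implicit.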
Index: patches/patch-src_ctx_c
===================================================================
RCS file: patches/patch-src_ctx_c
diff -N patches/patch-src_ctx_c
--- patches/patch-src_ctx_c 19 Mar 2019 16:51:13 -0000 1.8
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,13 +0,0 @@
-$OpenBSD: patch-src_ctx_c,v 1.8 2019/03/19 16:51:13 jsing Exp $
-Index: src/ctx.c
---- src/ctx.c.orig
-+++ src/ctx.c
-@@ -398,7 +398,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
- /**************************************** initialize OpenSSL CONF */
-
- NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
--#if OPENSSL_VERSION_NUMBER>=0x10002000L
-+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
- SSL_CONF_CTX *cctx;
- NAME_LIST *curr;
- char *cmd, *param;
Index: patches/patch-src_verify_c
===================================================================
RCS file: patches/patch-src_verify_c
diff -N patches/patch-src_verify_c
--- patches/patch-src_verify_c 12 Sep 2017 16:15:24 -0000 1.6
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,13 +0,0 @@
-$OpenBSD: patch-src_verify_c,v 1.6 2017/09/12 16:15:24 gsoares Exp $
-Index: src/verify.c
---- src/verify.c.orig
-+++ src/verify.c
-@@ -353,7 +353,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
- cert=X509_STORE_CTX_get_current_cert(callback_ctx);
- subject=X509_get_subject_name(cert);
-
--#if OPENSSL_VERSION_NUMBER<0x10100006L
-+#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
- #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
- #endif
- /* modern API allows retrieving multiple matching certificates */
Index: patches/patch-tools_stunnel_conf-sample_in
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-tools_stunnel_conf-sample_in,v
retrieving revision 1.16
diff -u -p -r1.16 patch-tools_stunnel_conf-sample_in
--- patches/patch-tools_stunnel_conf-sample_in 12 Sep 2017 16:15:24 -0000 1.16
+++ patches/patch-tools_stunnel_conf-sample_in 27 Feb 2022 12:40:53 -0000
@@ -34,9 +34,12 @@ Index: tools/stunnel.conf-sample.in
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
-@@ -59,32 +60,32 @@
+@@ -57,34 +58,34 @@
+ ; The following examples use /etc/ssl/certs, which is the common location
+ ; of a hashed directory containing trusted CA certificates. This is not
; a hardcoded path of the stunnel package, as it is not related to the
- ; stunnel configuration in @sysconfdir@/stunnel/.
+-; stunnel configuration in @sysconfdir@/stunnel/.
++; stunnel configuration in ${SYSCONFDIR}/stunnel/.
-[gmail-pop3]
-client = yes
@@ -91,36 +94,27 @@ Index: tools/stunnel.conf-sample.in
; Encrypted HTTP proxy authenticated with a client certificate
; located in a cryptographic token
-@@ -98,43 +99,43 @@ OCSPaia = yes
-
- ; ***************************************** Example TLS server mode services
-
--;[pop3s]
--;accept = 995
--;connect = 110
+@@ -101,12 +102,12 @@ OCSPaia = yes
+ ;[pop3s]
+ ;accept = 995
+ ;connect = 110
-;cert = @sysconfdir@/stunnel/stunnel.pem
-+[pop3s]
-+accept = 995
-+connect = 110
-+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
-
--;[imaps]
--;accept = 993
--;connect = 143
++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
+
+ ;[imaps]
+ ;accept = 993
+ ;connect = 143
-;cert = @sysconfdir@/stunnel/stunnel.pem
-+[imaps]
-+accept = 993
-+connect = 143
-+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
-
--;[ssmtp]
--;accept = 465
--;connect = 25
++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
+
+ ; Either only expose this service to trusted networks, or require
+ ; authentication when relaying emails originated from loopback.
+@@ -114,29 +115,29 @@ OCSPaia = yes
+ ;[ssmtp]
+ ;accept = 465
+ ;connect = 25
-;cert = @sysconfdir@/stunnel/stunnel.pem
-+[ssmtp]
-+accept = 465
-+connect = 25
-+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
; TLS front-end to a web server
;[https]
@@ -140,7 +134,6 @@ Index: tools/stunnel.conf-sample.in
;accept = 1337
;exec = /bin/sh
;execArgs = sh -i
- ;ciphers = PSK
-;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
+;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt
Updates security/stunnel to 5.62
Lots of changes, some of which are marked with urgency 'HIGH' and which
might affect OpenBSD users as well: https://www.stunnel.org/NEWS.html
Upstream seems to be opposed to having stunnel linked with LibreSSL, and
the changes between 5.44 (currently in ports) and 5.62 would need a
substantial number of patches just to make it compile. Since I don't
have the insight necessary to write those without introducing a bug, I
built it against OpenSSL from ports instead, and thought I'd just throw
it out there for discussion.
Port changes:
* Build against OpenSSL 3.0 from ports
-- use --with-threads=fork since OpenSSL is built without threads support
-- add a pre-configure step to link /usr/local/include/eopenssl30 into
the build directory.
-- use LDFLAGS to make the linker pick up the actual OpenSSL libs
That's ugly, but it saves on several patches, because the build system
assumes that both lib/ and include/ are under an openssl/ directory
somewhere in the file system.
* Kept the sections for pop3s, imaps and ssmtp commented out in the
default /etc/stunnel.conf, since I personally can't think of a reason
why I'd want stunnel to listen on those ports by default
* Update mirror sites to those documented at
https://www.stunnel.org/downloads.html
* Changed homepage and mirrors to use https
Built and tested on amd64. What do you think?