Update security/hitch to 1.4.4.

hitch-1.4.4 (2016-12-22) ------------------------ - OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully supported with Hitch. - Fix a bug in the OCSP refresh code that could make it loop with immediate refreshes flooding an OCSP responder. - Force the SSL_OP_SINGLE_DH_USE setting. This protects against an OpenSSL vulnerability where a remote attacker could discover private DH exponents (CVE-2016-0701). hitch-1.4.3 (2016-11-14) ------------------------ - OCSP stapling is now enabled by default. Users should create ocsp-dir (default: /var/lib/hitch/) and make it writable for the hitch user. - Build error due to man page generation on FreeBSD (most likely non-Linux) has been fixed. hitch-1.4.2 (2016-11-08) ------------------------ - Example configuration file hitch.conf.example has been shortened and defaults moved into Hitch itself. Default cipher string is now what we believe to be secure. Users are recommended to use the built-in default from now on, unless they have special requirements. - hitch.conf(5) manual has been added. - Hitch will now send a TLS Close notification during connection teardown. This fixes an incomplete read with a GnuTLS client when the backend (thttpd) used EOF to signal end of data, leaving some octets discarded by gnutls client-side. (Issue 127_) - Autotools will now detect SO_REUSEPORT availability. (Issue 122_) - Improved error handling on memory allocation failure.
2017-01-09 13:02:20 +00:00 · 2017-01-09 13:02:20 +00:00 · a0844409c8
commit a0844409c8
parent 39d66efe2d
6 changed files with 64 additions and 57 deletions
--- a/security/hitch/Makefile
+++ b/security/hitch/Makefile
@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.4 2016/10/02 09:19:35 fhajny Exp $
+# $NetBSD: Makefile,v 1.5 2017/01/09 13:02:20 fhajny Exp $

-DISTNAME=	hitch-1.4.1
+DISTNAME=	hitch-1.4.4
 CATEGORIES=	security
 MASTER_SITES=	https://hitch-tls.org/source/

@ -16,6 +16,8 @@ USE_TOOLS+=	pkg-config

 .include "../../mk/bsd.prefs.mk"

+CHECK_PORTABILITY_SKIP+=	src/tests/*
+
 CONFIGURE_ARGS+=	--with-rst2man=${PREFIX}/bin/rst2man.py${PYVERSSUFFIX}

 CPPFLAGS.SunOS+=	-D__EXTENSIONS__
@ -26,6 +28,7 @@ BUILD_DEFS+=		HITCH_USER HITCH_GROUP HITCH_CERTS
 HITCH_USER?=		hitch
 HITCH_GROUP?=		hitch
 HITCH_CERTS?=		${PKG_SYSCONFDIR}/certs.pem
+HITCH_OCSP?=		${VARBASE}/db/hitch

 PKG_GROUPS+=		${HITCH_GROUP}
 PKG_USERS+=		${HITCH_USER}:${HITCH_GROUP}
@ -37,8 +40,8 @@ MESSAGE_SUBST+=		HITCH_CERTS=${HITCH_CERTS}

 SUBST_CLASSES+=		dir
 SUBST_STAGE.dir=	pre-configure
-SUBST_FILES.dir=	hitch.conf.example
-SUBST_VARS.dir=		HITCH_USER HITCH_GROUP HITCH_CERTS
+SUBST_FILES.dir=	hitch.conf.example src/configuration.c
+SUBST_VARS.dir=		HITCH_USER HITCH_GROUP HITCH_CERTS HITCH_OCSP
 SUBST_MESSAGE.dir=	Setting default configuration values

 PKG_SYSCONFSUBDIR=	hitch
@ -47,6 +50,8 @@ CONF_FILES+=		share/examples/hitch/hitch.conf.example \

 INSTALLATION_DIRS+=	share/examples/hitch

+OWN_DIRS_PERMS+=	${HITCH_OCSP} ${HITCH_USER} ${HITCH_GROUP} 0755
+
 post-install:
 	${MV} ${DESTDIR}${PREFIX}/share/doc/hitch/hitch.conf.example \
 		${DESTDIR}${PREFIX}/share/examples/hitch
--- a/security/hitch/PLIST
+++ b/security/hitch/PLIST
@ -1,4 +1,5 @@
-@comment $NetBSD: PLIST,v 1.2 2016/08/22 09:34:40 fhajny Exp $
+@comment $NetBSD: PLIST,v 1.3 2017/01/09 13:02:20 fhajny Exp $
+man/man5/hitch.conf.5
 man/man8/hitch.8
 sbin/hitch
 share/doc/hitch/CHANGES.rst
--- a/security/hitch/distinfo
+++ b/security/hitch/distinfo
@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.4 2016/10/02 09:19:35 fhajny Exp $
+$NetBSD: distinfo,v 1.5 2017/01/09 13:02:20 fhajny Exp $

-SHA1 (hitch-1.4.1.tar.gz) = 5af72612306dbd48d363f816494b8cf8ec4e0c19
-RMD160 (hitch-1.4.1.tar.gz) = cd187994b558f1c43eef069e388add6c658fbd5d
-SHA512 (hitch-1.4.1.tar.gz) = e2e788e6239d68371de606f088d39923f1d661fd41d1124cfc269297b328faf51df5c5450460dd61ed4b0dc33e198d9354ebf95ea4c57a4a231cbf444e5d628c
-Size (hitch-1.4.1.tar.gz) = 272769 bytes
-SHA1 (patch-hitch.conf.example) = 3200fedcc6528476f9b5eca599f156def3e743e0
-SHA1 (patch-src_hitch.c) = f16c5010a704291fd1c986b73bb987fd92148616
+SHA1 (hitch-1.4.4.tar.gz) = 6c836d24fce74892dc97217eb733dffa7c91109c
+RMD160 (hitch-1.4.4.tar.gz) = fe48092f9e5ba674db2ac04228fccd3c108aeaba
+SHA512 (hitch-1.4.4.tar.gz) = 33037c6ba2882575d9d4a63adcbef7db9a0294e8fdc2eee5a5cc8a45656d9c9620952e49f71abbfbc94c6d1781911ad1b76237a058d3dda3eaaf2f220d15cd18
+Size (hitch-1.4.4.tar.gz) = 300494 bytes
+SHA1 (patch-hitch.conf.example) = 1c922c2e294362ef009ff60bfe43f746de596087
+SHA1 (patch-src_configuration.c) = ba89c7c987159f66b1694435613aa89a6f9574de
+SHA1 (patch-src_hitch.c) = 7d92f2d83b302e3ca8a2acebc6c4697c1da184b2
--- a/security/hitch/patches/patch-hitch.conf.example
+++ b/security/hitch/patches/patch-hitch.conf.example
@ -1,48 +1,33 @@
-$NetBSD: patch-hitch.conf.example,v 1.1 2016/08/22 09:34:40 fhajny Exp $
+$NetBSD: patch-hitch.conf.example,v 1.2 2017/01/09 13:02:20 fhajny Exp $

 Sane default options.

--- hitch.conf.example.orig	2016-08-15 13:51:51.000000000 +0000
+--- hitch.conf.example.orig	2016-11-14 13:13:10.000000000 +0000
 +++ hitch.conf.example
-@@ -43,7 +43,7 @@ backend = "[127.0.0.1]:6081"
- # only available for a specific listen endpoint.
- #
- # type: string
-pem-file = ""
-+pem-file = "@HITCH_CERTS@"
+@@ -2,15 +2,15 @@
 
- # OCSP settings
- #
-@@ -120,12 +120,12 @@ chroot = ""
- # Set uid after binding a socket
- #
- # type: string
-user = ""
+ 
+ frontend = {
+-    host = "*"
+    host = "127.0.0.1"
+     port = "443"
+ }
+ backend = "[127.0.0.1]:6086"    # 6086 is the default Varnish PROXY port.
+ workers = 4                     # number of CPU cores
+ 
+ daemon = on
+-user = "nobody"
+-group = "nogroup"
 +user = "@HITCH_USER@"
- 
- # Set gid after binding a socket
- #
- # type: string
-group = ""
 +group = "@HITCH_GROUP@"
 
- # Quiet execution, report only error messages
- #
-@@ -135,7 +135,7 @@ quiet = off
- # Use syslog for logging
- #
- # type: boolean
-syslog = off
-+syslog = on
+ # Enable to let clients negotiate HTTP/2 with ALPN. (default off)
+ # alpn-protos = "http/2, http/1.1"
+@@ -18,4 +18,6 @@ group = "nogroup"
+ # run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
+ write-proxy-v2 = on             # Write PROXY header
 
- # Syslog facility to use
- #
-@@ -145,7 +145,7 @@ syslog-facility = "daemon"
- # Run as daemon
- #
- # type: boolean
-daemon = off
-+daemon = on
- 
- # Report client address by writing IP before sending data
- #
+-
+pem-file = {
+    cert = "@HITCH_CERTS@"
+}
--- a/security/hitch/patches/patch-src_configuration.c
+++ b/security/hitch/patches/patch-src_configuration.c
@ -0,0 +1,15 @@
+$NetBSD: patch-src_configuration.c,v 1.1 2017/01/09 13:02:20 fhajny Exp $
+
+Sane default options.
+
+--- src/configuration.c.orig	2016-12-15 10:34:22.000000000 +0000
+++ src/configuration.c
+@@ -193,7 +193,7 @@ config_new(void)
+ 	fa->pspec = strdup("default");
+ 	HASH_ADD_KEYPTR(hh, r->LISTEN_ARGS, fa->pspec, strlen(fa->pspec), fa);
+ 	r->LISTEN_DEFAULT = fa;
+-	r->OCSP_DIR           = strdup("/var/lib/hitch/");
+	r->OCSP_DIR           = strdup("@HITCH_OCSP@/");
+ 	r->OCSP_VFY = 0;
+ 	r->OCSP_RESP_TMO = 10.0;
+ 	r->OCSP_CONN_TMO = 4.0;
--- a/security/hitch/patches/patch-src_hitch.c
+++ b/security/hitch/patches/patch-src_hitch.c
@ -1,10 +1,10 @@
-$NetBSD: patch-src_hitch.c,v 1.1 2016/05/25 20:15:35 fhajny Exp $
+$NetBSD: patch-src_hitch.c,v 1.2 2017/01/09 13:02:20 fhajny Exp $

 Need sys/filio on SunOS for FIONBIO.

--- src/hitch.c.orig	2016-01-26 14:58:56.000000000 +0000
+--- src/hitch.c.orig	2016-11-11 13:10:38.000000000 +0000
 +++ src/hitch.c
-@@ -77,6 +77,10 @@
+@@ -62,6 +62,10 @@
 #include <sys/prctl.h>
 #endif
 
@ -12,6 +12,6 @@ Need sys/filio on SunOS for FIONBIO.
 +#include <sys/filio.h>
 +#endif
 +
- #include "uthash.h"
- #include "ringbuffer.h"
- #include "miniobj.h"
+ #include "config.h"
+ #include "configuration.h"
+ #include "hitch.h"