Import stud-0.3pl53.

Description:

stud is a network proxy that terminates TLS/SSL connections and forwards
the unencrypted traffic to some backend. It's designed to handle 10s
of thousands of connections efficiently on multicore machines.
stud has very few features. It is designed to be paired with an
intelligent backend like haproxy or nginx.

10 files changed, 414 insertions, 0 deletions

diff --git a/security/stud/DESCR b/security/stud/DESCR
new file mode 100644
index 00000000000..c5d3361e94a
--- /dev/null
+++ b/security/stud/DESCR
@@ -0,0 +1,5 @@
+stud is a network proxy that terminates TLS/SSL connections and forwards
+the unencrypted traffic to some backend. It's designed to handle 10s
+of thousands of connections efficiently on multicore machines.
+stud has very few features. It is designed to be paired with an
+intelligent backend like haproxy or nginx.
diff --git a/security/stud/Makefile b/security/stud/Makefile
new file mode 100644
index 00000000000..932194f856f
--- /dev/null
+++ b/security/stud/Makefile
@@ -0,0 +1,62 @@
+# $NetBSD: Makefile,v 1.1 2013/03/16 19:41:35 jym Exp $
+#
+
+PKGNAME=	stud-0.3p53
+CATEGORIES=	security
+MAINTAINER=	jym@NetBSD.org
+HOMEPAGE=	http://github.com/bumptech/stud
+COMMENT=	Scalable TLS Unwrapping Daemon
+LICENSE=	2-clause-bsd
+
+MASTER_SITES=	http://rohara.fedorapeople.org/stud/
+DISTNAME=	bumptech-stud-0.3-51-g0b88039
+WRKSRC=		${WRKDIR}/bumptech-stud-0b88039
+
+USE_TOOLS+=		gmake pax:run
+
+BUILD_DEFS+=		STUD_USER STUD_GROUP VARBASE
+
+STUD_USER?=		stud
+STUD_GROUP?=		stud
+# Default file that should contain the X509 certificates PEM file
+STUD_CERTS?=		${PKG_SYSCONFDIR}/certs.pem
+STUD_HOME?=		${VARBASE}/chroot/stud
+
+PKG_GROUPS?=		${STUD_GROUP}
+PKG_USERS?=		${STUD_USER}:${STUD_GROUP}
+PKG_GECOS.${STUD_USER}=	stud daemon user
+PKG_HOME.${STUD_USER}=	${STUD_HOME}
+
+RCD_SCRIPTS=		stud
+
+EGDIR=			${PREFIX}/share/examples/stud
+OWN_DIRS=		${STUD_HOME}
+INSTALLATION_DIRS+=	bin ${EGDIR}
+
+FILES_SUBST+=		STUD_HOME=${STUD_HOME:Q}
+
+SUBST_CLASSES+=		studconf
+SUBST_STAGE.studconf=	pre-configure
+SUBST_FILES.studconf=	stud.conf
+SUBST_VARS.studconf=	STUD_USER STUD_GROUP STUD_HOME STUD_CERTS
+SUBST_MESSAGE.studconf=	Set default configuration values.
+
+SUBST_CLASSES+=		makefile
+SUBST_STAGE.makefile=	pre-configure
+SUBST_FILES.makefile=	Makefile
+SUBST_VARS.makefile=	PREFIX
+SUBST_MESSAGE.makefile=	Set prefix path.
+
+PKG_SYSCONFSUBDIR=	stud
+PKG_SYSCONFDIR_PERMS=	${ROOT_USER} ${STUD_GROUP} 0750
+CONF_FILES+=		${EGDIR}/stud.conf ${PKG_SYSCONFDIR}/stud.conf
+
+post-extract:
+	${CP} ${FILESDIR}/stud.conf ${WRKSRC}/stud.conf
+
+post-install:
+	${INSTALL_DATA} ${WRKSRC}/stud.conf ${DESTDIR}${EGDIR}/stud.conf
+
+.include "../../devel/libev/buildlink3.mk"
+.include "../../security/openssl/buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/stud/PLIST b/security/stud/PLIST
new file mode 100644
index 00000000000..d8910d42655
--- /dev/null
+++ b/security/stud/PLIST
@@ -0,0 +1,5 @@
+@comment $NetBSD: PLIST,v 1.1 2013/03/16 19:41:35 jym Exp $
+bin/stud
+man/man8/stud.8
+share/examples/stud/stud.conf
+share/examples/rc.d/stud
diff --git a/security/stud/distinfo b/security/stud/distinfo
new file mode 100644
index 00000000000..074f48e21e9
--- /dev/null
+++ b/security/stud/distinfo
@@ -0,0 +1,9 @@
+$NetBSD: distinfo,v 1.1 2013/03/16 19:41:35 jym Exp $
+
+SHA1 (bumptech-stud-0.3-51-g0b88039.tar.gz) = fad22d9cf008b7db8f30d8d7ca0a6fcc177714de
+RMD160 (bumptech-stud-0.3-51-g0b88039.tar.gz) = 66a186e1095fd127945802ab681f5948ee1d4011
+Size (bumptech-stud-0.3-51-g0b88039.tar.gz) = 41000 bytes
+SHA1 (patch-Makefile) = c0794c6ebb3bdc3d55b473acec674a9f98b03ffb
+SHA1 (patch-configuration.c) = 886226a104f84bac6902bb8a8593d37a25653563
+SHA1 (patch-stud.8) = a6b36ab6ac8c65cbc70172a9c230b22965cbdc3d
+SHA1 (patch-stud.c) = 9b11693619291925376f35f1443bbec83a1d798b
diff --git a/security/stud/files/stud.conf b/security/stud/files/stud.conf
new file mode 100644
index 00000000000..6909c9ed786
--- /dev/null
+++ b/security/stud/files/stud.conf
@@ -0,0 +1,121 @@
+#
+# stud(8), The Scalable TLS Unwrapping Daemon's configuration
+#
+
+# NOTE: all config file parameters can be overriden
+#       from command line!
+
+# Listening address. REQUIRED.
+#
+# type: string
+# syntax: [HOST]:PORT
+frontend = "[*]:8443"
+
+# Upstream server address. REQUIRED.
+#
+# type: string
+# syntax: [HOST]:PORT.
+backend = "[127.0.0.1]:8000"
+
+# SSL x509 certificate file. REQUIRED.
+# List multiple certs to use SNI. Certs are used in the order they
+# are listed; the last cert listed will be used if none of the others match
+#
+# type: string
+pem-file = "@STUD_CERTS@"
+
+# SSL protocol.
+#
+# tls = on
+# ssl = off
+
+# List of allowed SSL ciphers.
+#
+# Run openssl ciphers for list of available ciphers.
+# type: string
+ciphers = ""
+
+# Enforce server cipher list order
+#
+# type: boolean
+prefer-server-ciphers = off
+
+# Use specified SSL engine
+#
+# type: string
+ssl-engine = ""
+
+# Number of worker processes
+#
+# type: integer
+workers = 1
+
+# Listen backlog size
+#
+# type: integer
+backlog = 100
+
+# TCP socket keepalive interval in seconds
+#
+# type: integer
+keepalive = 3600
+
+# Chroot directory
+#
+# type: string
+chroot = "@STUD_HOME@"
+
+# Set uid after binding a socket
+#
+# type: string
+user = "@STUD_USER@"
+
+# Set gid after binding a socket
+#
+# type: string
+group = "@STUD_GROUP@"
+
+# Quiet execution, report only error messages
+#
+# type: boolean
+quiet = off
+
+# Use syslog for logging
+#
+# type: boolean
+syslog = off
+
+# Syslog facility to use
+#
+# type: string
+syslog-facility = "daemon"
+
+# Run as daemon
+#
+# type: boolean
+daemon = on
+
+# Report client address by writing IP before sending data
+#
+# NOTE: This option is mutually exclusive with option write-proxy and proxy-proxy.
+#
+# type: boolean
+write-ip = off
+
+# Report client address using SENDPROXY protocol, see
+# http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
+# for details.
+#
+# NOTE: This option is mutually exclusive with option write-ip and proxy-proxy.
+#
+# type: boolean
+write-proxy = off
+
+# Proxy an existing SENDPROXY protocol header through this request.
+#
+# NOTE: This option is mutually exclusive with option write-ip and write-proxy.
+#
+# type: boolean
+proxy-proxy = off
+
+# EOF
diff --git a/security/stud/files/stud.sh b/security/stud/files/stud.sh
new file mode 100644
index 00000000000..9fd5365cad7
--- /dev/null
+++ b/security/stud/files/stud.sh
@@ -0,0 +1,33 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: stud.sh,v 1.1 2013/03/16 19:41:36 jym Exp $
+#
+
+# PROVIDE: stud
+# REQUIRE: LOGIN
+
+. /etc/rc.subr
+
+name="stud"
+rcvar=$name
+command="@PREFIX@/bin/stud"
+command_args="--config=@PKG_SYSCONFDIR@/stud.conf"
+required_files="@PKG_SYSCONFDIR@/stud.conf"
+required_dirs="$stud_chrootdir"
+
+stud_chrootdir="@STUD_HOME@"
+start_precmd="stud_precmd"
+
+stud_precmd()
+{
+	for i in null random urandom; do
+		if [ ! -c "${stud_chrootdir}/dev/$i" ]; then
+			rm -f "${stud_chrootdir}/dev/$i"
+			(cd /dev &&
+			    /bin/pax -rw -pe "$i" "${stud_chrootdir}/dev")
+		fi
+	done
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/security/stud/patches/patch-Makefile b/security/stud/patches/patch-Makefile
new file mode 100644
index 00000000000..54a850d4b87
--- /dev/null
+++ b/security/stud/patches/patch-Makefile
@@ -0,0 +1,51 @@
+$NetBSD: patch-Makefile,v 1.1 2013/03/16 19:41:36 jym Exp $
+
+pkgsrc standards. SunOS fixes as per https://github.com/bumptech/stud/pull/71
+--- Makefile.orig	2012-08-15 10:33:39.000000000 +0000
++++ Makefile
+@@ -2,15 +2,25 @@
+ #
+ # USE_SHARED_CACHE   :   enable/disable a shared session cache (disabled by default)
+ 
+-DESTDIR =
+-PREFIX  = /usr/local
++DESTDIR?=
++PREFIX ?= @PREFIX@
+ BINDIR  = $(PREFIX)/bin
+-MANDIR  = $(PREFIX)/share/man
++MANDIR  = $(PREFIX)/$(PKGMANDIR)
+ 
+-CFLAGS  = -O2 -g -std=c99 -fno-strict-aliasing -Wall -W -D_GNU_SOURCE -I/usr/local/include
+-LDFLAGS = -lssl -lcrypto -lev -L/usr/local/lib
++CFLAGS += -O2 -g -std=c99 -fno-strict-aliasing -Wall -W -D_GNU_SOURCE -I$(PREFIX)/include
++LDFLAGS+= -lssl -lcrypto -lev -L$(PREFIX)/lib
+ OBJS    = stud.o ringbuffer.o configuration.o
+ 
++UNAME := $(shell uname)
++
++ifeq ($(UNAME),SunOS)
++    # need __EXTENSIONS__ to get signal handling and getopt
++    CFLAGS += -D__EXTENSIONS__
++    LDFLAGS += -lnsl -lsocket
++else
++    CFLAGS += -DUSE_KEEPIDLE
++endif
++
+ all: realall
+ 
+ # Shared cache feature
+@@ -40,10 +50,10 @@ stud: $(OBJS)
+ 	$(CC) -o $@ $^ $(LDFLAGS)
+ 
+ install: $(ALL)
+-	install -d $(DESTDIR)$(BINDIR)
+-	install stud $(DESTDIR)$(BINDIR)
+-	install -d $(DESTDIR)$(MANDIR)/man8
+-	install -m 644 stud.8 $(DESTDIR)$(MANDIR)/man8
++	$(BSD_INSTALL_PROGRAM_DIR) $(DESTDIR)$(BINDIR)
++	$(BSD_INSTALL_PROGRAM) stud $(DESTDIR)$(BINDIR)
++	$(BSD_INSTALL_MAN_DIR) $(DESTDIR)$(MANDIR)/man8
++	$(BSD_INSTALL_MAN) stud.8 $(DESTDIR)$(MANDIR)/man8
+ 
+ clean:
+ 	rm -f stud $(OBJS)
diff --git a/security/stud/patches/patch-configuration.c b/security/stud/patches/patch-configuration.c
new file mode 100644
index 00000000000..438c1d0241a
--- /dev/null
+++ b/security/stud/patches/patch-configuration.c
@@ -0,0 +1,48 @@
+$NetBSD: patch-configuration.c,v 1.1 2013/03/16 19:41:36 jym Exp $
+
+Workaround missing facilities (SunOS).
+
+--- configuration.c.orig	2013-02-12 08:36:11.000000000 +0000
++++ configuration.c
+@@ -637,13 +637,19 @@ void config_param_validate (char *k, cha
+   else if (strcmp(k, CFG_SYSLOG_FACILITY) == 0) {
+     r = 1;
+     if (!strcmp(v, "auth") || !strcmp(v, "authpriv"))
++#ifdef LOG_AUTHPRIV
+       cfg->SYSLOG_FACILITY = LOG_AUTHPRIV;
++#else
++      cfg->SYSLOG_FACILITY = LOG_AUTH;
++#endif
+     else if (!strcmp(v, "cron"))
+       cfg->SYSLOG_FACILITY = LOG_CRON;
+     else if (!strcmp(v, "daemon"))
+       cfg->SYSLOG_FACILITY = LOG_DAEMON;
++#ifdef LOG_FTP
+     else if (!strcmp(v, "ftp"))
+       cfg->SYSLOG_FACILITY = LOG_FTP;
++#endif
+     else if (!strcmp(v, "local0"))
+       cfg->SYSLOG_FACILITY = LOG_LOCAL0;
+     else if (!strcmp(v, "local1"))
+@@ -813,14 +819,21 @@ char * config_disp_hostport (char *host,
+ const char * config_disp_log_facility (int facility) {
+   switch (facility)
+   {
++#ifdef LOG_AUTHPRIV
+     case LOG_AUTHPRIV:
+       return "authpriv";
++#else
++    case LOG_AUTH:
++      return "auth";
++#endif
+     case LOG_CRON:
+       return "cron";
+     case LOG_DAEMON:
+       return "daemon";
++#ifdef LOG_FTP
+     case LOG_FTP:
+       return "ftp";
++#endif
+     case LOG_LOCAL0:
+       return "local0";
+     case LOG_LOCAL1:
diff --git a/security/stud/patches/patch-stud.8 b/security/stud/patches/patch-stud.8
new file mode 100644
index 00000000000..7769f3f9df9
--- /dev/null
+++ b/security/stud/patches/patch-stud.8
@@ -0,0 +1,15 @@
+$NetBSD: patch-stud.8,v 1.1 2013/03/16 19:41:36 jym Exp $
+Give correct man page name for ciphers(1) and dhparam(1).
+--- stud.8.orig	2012-08-10 23:40:19.000000000 +0000
++++ stud.8
+@@ -119,8 +119,8 @@ Write HaProxy's PROXY (IPv4 or IPv6) pro
+ before actual data.
+ .El
+ .Sh SEE ALSO
+-.Xr ciphers 1SSL ,
+-.Xr dhparam 1SSL ,
++.Xr openssl_ciphers 1 ,
++.Xr openssl_dhparam 1 ,
+ .Xr haproxy 1
+ .Sh AUTHORS
+ .Nm
diff --git a/security/stud/patches/patch-stud.c b/security/stud/patches/patch-stud.c
new file mode 100644
index 00000000000..1101fdc4155
--- /dev/null
+++ b/security/stud/patches/patch-stud.c
@@ -0,0 +1,65 @@
+$NetBSD: patch-stud.c,v 1.1 2013/03/16 19:41:36 jym Exp $
+
+SunOS fixes as per https://github.com/bumptech/stud/pull/71.
+--- stud.c.orig	2012-08-15 10:33:39.000000000 +0000
++++ stud.c
+@@ -189,9 +189,17 @@ typedef struct proxystate {
+ 
+ /* Set a file descriptor (socket) to non-blocking mode */
+ static void setnonblocking(int fd) {
+-    int flag = 1;
+-
+-    assert(ioctl(fd, FIONBIO, &flag) == 0);
++    int flag;
++#if defined(O_NONBLOCK)
++    /* O_NONBLOCK is more portable and POSIX-standard */
++    flag = O_NONBLOCK;
++    assert (fcntl(fd, F_SETFL, flag) == 0);
++#elif defined(FIONBIO)
++    flag = 1;
++    assert (ioctl(fd, FIONBIO, &flag) == 0);
++#else
++# error O_NONBLOCK and FIONBIO are both undefined for this platform
++#endif
+ }
+ 
+ /* set a tcp socket to use TCP Keepalive */
+@@ -203,9 +211,9 @@ static void settcpkeepalive(int fd) {
+         ERR("Error activating SO_KEEPALIVE on client socket: %s", strerror(errno));
+     }
+ 
++#ifdef TCP_KEEPIDLE
+     optval = CONFIG->TCP_KEEPALIVE_TIME;
+     optlen = sizeof(optval);
+-#ifdef TCP_KEEPIDLE
+     if(setsockopt(fd, SOL_TCP, TCP_KEEPIDLE, &optval, optlen) < 0) {
+         ERR("Error setting TCP_KEEPIDLE on client socket: %s", strerror(errno));
+     }
+@@ -1751,24 +1759,16 @@ void daemonize () {
+         exit(0);
+     }
+ 
+-    /* close standard streams */
+-    fclose(stdin);
+-    fclose(stdout);
+-    fclose(stderr);
+-
+     /* reopen standard streams to null device */
+-    stdin = fopen(NULL_DEV, "r");
+-    if (stdin == NULL) {
++    if (freopen(NULL_DEV, "r", stdin) == NULL) {
+         ERR("Unable to reopen stdin to %s: %s\n", NULL_DEV, strerror(errno));
+         exit(1);
+     }
+-    stdout = fopen(NULL_DEV, "w");
+-    if (stdout == NULL) {
++    if (freopen(NULL_DEV, "w", stdout) == NULL) {
+         ERR("Unable to reopen stdout to %s: %s\n", NULL_DEV, strerror(errno));
+         exit(1);
+     }
+-    stderr = fopen(NULL_DEV, "w");
+-    if (stderr == NULL) {
++    if (freopen(NULL_DEV, "w", stderr) == NULL) {
+         ERR("Unable to reopen stderr to %s: %s\n", NULL_DEV, strerror(errno));
+         exit(1);
+     }