authorjlam <jlam>2000-12-19 07:03:21 +0000
committerjlam <jlam>2000-12-19 07:03:21 +0000
commit7f39178a12b276967393dbef0a79cff7e8dc7690 (patch)
treee938a904c532fcf6eb56c87927362ed48d6ab2b0 /security/stunnel
parent6922d038acad1bf31abdc629aece880acbc76c47 (diff)
Update stunnel to 3.9. For NetBSD, if in-tree OpenSSL exists, then the
default certificate directory is now /etc/openssl/certs (matches OpenSSL's default), but if stunnel uses the pkgsrc OpenSSL, then the default is ${PREFIX}/certs. Changes from version 3.8 include: * Updated temporary key generation: - stunnel is now honoring requested key-lengths correctly, - temporary key is changed every hour. * transfer() no longer hangs on some platforms. Special thanks to Peter Wagemans for the patch. * Potential security problem with syslog() call fixed. * use daemon() function instead of daemonize, if available * added -S flag, allowing you to choose which default verify sources to use * relocated service name output logging until after log_open. (no longer outputs log info to inetd socket, causing bad SSL) * -V flag now outputs the default values used by stunnel * Added rigorous PRNG seeding * PID changes (and related security-fix) * Man page fixes * Client SSL Session-IDs now used * -N flag to specify tcpwrapper service name * UPGRADE NOTE: this version seriously changes several previous stunnel default behaviours. There are no longer any default cert file/dirs compiled into stunnel, you must use the --with-cert-dir and --with-cert-file configure arguments to set these manually, if desired. Stunnel does not use the underlying ssl library defaults by default unless configured with --enable-ssllib-cs. Note that these can always be enabled at run time with the -A,-a, and -S flags. Additionally, unless --with-pem-dir is specified at compile time, stunnel will default to looking for stunnel.pem in the current directory.
Diffstat (limited to 'security/stunnel')
-rw-r--r--security/stunnel/Makefile39
-rw-r--r--security/stunnel/files/md54
-rw-r--r--security/stunnel/files/patch-sum7
-rw-r--r--security/stunnel/patches/patch-aa30
-rw-r--r--security/stunnel/patches/patch-ab49
-rw-r--r--security/stunnel/patches/patch-ac18
-rw-r--r--security/stunnel/pkg/DESCR4
-rw-r--r--security/stunnel/pkg/PLIST3
8 files changed, 89 insertions, 65 deletions
diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index 9494d04dad2..71b11307b6c 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,21 +1,36 @@
-# $NetBSD: Makefile,v 1.6 2000/06/17 21:21:49 tron Exp $
+# $NetBSD: Makefile,v 1.7 2000/12/19 07:03:21 jlam Exp $
#
-DISTNAME= stunnel-3.8
-CATEGORIES= security
-MASTER_SITES= http://mike.daewoo.com.pl/computer/stunnel/
+DISTNAME= stunnel-3.9
+CATEGORIES= security
+MASTER_SITES= http://www.stunnel.org/download/stunnel/src/
-MAINTAINER= martin@NetBSD.ORG
-HOMEPAGE= http://mike.daewoo.com.pl/computer/stunnel
+MAINTAINER= martin@NetBSD.ORG
+HOMEPAGE= http://www.stunnel.org/
-BUILD_DEPENDS+= ${LOCALBASE}/bin/autoconf:../../devel/autoconf
-DEPENDS+= pth>=1.3.5:../../devel/pth
+BUILD_DEPENDS+= autoconf:../../devel/autoconf
+DEPENDS+= pth>=1.3.5:../../devel/pth
-GNU_CONFIGURE= YES
-USE_SSL= YES
-CONFIGURE_ARGS+=-with-ssl=${SSLBASE}
+USE_SSL= # defined
+GNU_CONFIGURE= # defined
+CONFIGURE_ARGS+= --with-ssl=${SSLBASE}
+CONFIGURE_ARGS+= --with-cert-dir="${SSL_CERT_DIR}"
pre-configure:
- (cd ${WRKSRC}; autoreconf)
+ cd ${WRKSRC} && autoreconf
.include "../../mk/bsd.pkg.mk"
+
+# The in-tree OpenSSL uses /etc/openssl/certs as the default location for
+# certificates, while the pkgsrc OpenSSL uses ${PREFIX}/certs. Define
+# SSL_CERT_DIR appropriately using a shell expression, and make sure that
+# it's only executed once to optimize the build.
+#
+.if !defined(SSL_CERT_DIR)
+SSL_CERT_DIR!= if ${TEST} -d /etc/openssl/certs; then \
+ ${ECHO} /etc/openssl/certs; \
+ else \
+ ${ECHO} ${PREFIX}/certs; \
+ fi
+MAKEFLAGS+= SSL_CERT_DIR="${SSL_CERT_DIR}"
+.endif
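Review bot: The `SSL_CERT_DIR!=` block at the end of this hunk picks the compiled-in verify directory by testing whether /etc/openssl/certs exists on the build host, not by which OpenSSL `${SSLBASE}` points at. A host that has that directory but links against the pkgsrc OpenSSL, or a binary package built on a different machine, would get a stunnel whose default trust directory differs from the one its SSL library uses, so peer verification may consult an empty or unmanaged directory. Deriving the value from `${SSLBASE}` ties it to the library that is linked. The sketch below assumes the in-tree library is reported as `/usr`, which should be confirmed against bsd.pkg.mk. With no shell command left to run, the `MAKEFLAGS+=` caching line is no longer needed.

```make
# … unchanged: explanatory comment above the block …
.if !defined(SSL_CERT_DIR)
.  if ${SSLBASE} == "/usr"
SSL_CERT_DIR=	/etc/openssl/certs
.  else
SSL_CERT_DIR=	${PREFIX}/certs
.  endif
.endif
```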
diff --git a/security/stunnel/files/md5 b/security/stunnel/files/md5
index 4e1b2c949c7..87ae7967710 100644
--- a/security/stunnel/files/md5
+++ b/security/stunnel/files/md5
@@ -1,3 +1,3 @@
-$NetBSD: md5,v 1.1.1.1 2000/04/03 09:25:36 martin Exp $
+$NetBSD: md5,v 1.2 2000/12/19 07:03:22 jlam Exp $
-MD5 (stunnel-3.8.tar.gz) = f84f3698b50f7028c94340e546acaa01
+MD5 (stunnel-3.9.tar.gz) = 3c73fe4db1944af05afcca233ac4b700
diff --git a/security/stunnel/files/patch-sum b/security/stunnel/files/patch-sum
index 344ba701c44..55e0aec3ee1 100644
--- a/security/stunnel/files/patch-sum
+++ b/security/stunnel/files/patch-sum
@@ -1,4 +1,5 @@
-$NetBSD: patch-sum,v 1.5 2000/06/17 21:52:18 tron Exp $
+$NetBSD: patch-sum,v 1.6 2000/12/19 07:03:22 jlam Exp $
-MD5 (patch-aa) = 0d5c228a94cab01f2cbabc2fef5fa19b
-MD5 (patch-ab) = 0fcbda3fef76c54473ff38b56d02e915
+MD5 (patch-aa) = b41e548df25c43ca17c3643d25d863fe
+MD5 (patch-ab) = 4edeb8b7a500e1282f6f340746abe581
+MD5 (patch-ac) = 54c0f72c8fb116d8e4f26fe061d385a9
diff --git a/security/stunnel/patches/patch-aa b/security/stunnel/patches/patch-aa
index 47e2547f3fe..658790178cf 100644
--- a/security/stunnel/patches/patch-aa
+++ b/security/stunnel/patches/patch-aa
@@ -1,32 +1,34 @@
-$NetBSD: patch-aa,v 1.5 2000/06/17 21:52:18 tron Exp $
+$NetBSD: patch-aa,v 1.6 2000/12/19 07:03:22 jlam Exp $
---- Makefile.in.orig Tue Feb 22 13:08:16 2000
-+++ Makefile.in Sat Jun 17 23:46:38 2000
-@@ -7,9 +7,9 @@
+--- Makefile.in.orig Sat Oct 21 10:02:03 2000
++++ Makefile.in
+@@ -9,7 +9,7 @@
sbindir=@sbindir@
libdir=@libdir@
man8dir=@mandir@/man8
--piddir=@localstatedir@/stunnel
+-piddir=@localstatedir@/stunnel/
+piddir=/var/run
ssldir=@ssldir@
--certdir=$(ssldir)/certs
-+certdir=@prefix@/certs
+ PEM_DIR=@PEM_DIR@
@SET_MAKE@
- VERSION=stunnel-@VERSION@
- RANDOM_OPT=@RANDOM_OPT@
-@@ -18,7 +18,7 @@
- CFLAGS=@CFLAGS@ @DEFS@ -Dcertdir=\"$(certdir)\" -Dlibdir=\"$(libdir)\" -Dpiddir=\"$(piddir)\"
+@@ -20,11 +20,11 @@
+ CFLAGS=@CFLAGS@ @DEFS@ -Dlibdir=\"$(libdir)\" -DPIDDIR=\"$(piddir)\"
LIBS=@LIBS@
OBJS=stunnel.o ssl.o protocol.o sthreads.o pty.o log.o
--DESTFILES=$(sbindir)/stunnel $(libdir)/stunnel.so $(man8dir)/stunnel.8 $(certdir)/stunnel.pem
+-DESTFILES=$(sbindir)/stunnel $(libdir)/stunnel.so $(man8dir)/stunnel.8 $(PEM_DIR)/stunnel.pem
+DESTFILES=$(sbindir)/stunnel $(libdir)/stunnel.so $(man8dir)/stunnel.8
# standard external rules
-@@ -50,7 +50,6 @@
+-all: stunnel stunnel.so stunnel.pem
++all: stunnel stunnel.so
+
+ install: all installdirs $(DESTFILES)
+
+@@ -52,7 +52,6 @@
installdirs: mkinstalldirs
- ./mkinstalldirs $(sbindir) $(libdir) $(man8dir) $(certdir) $(piddir)
+ ./mkinstalldirs $(sbindir) $(libdir) $(man8dir) $(PEM_DIR) $(piddir)
- chmod a=rwx,+t $(piddir)
# non-standard external rules
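Review bot: `installdirs` still creates `$(PEM_DIR)` and the patched Makefile.in keeps `PEM_DIR=@PEM_DIR@`, but the package Makefile in this commit passes only `--with-ssl` and `--with-cert-dir`. By the upgrade note in the commit message, stunnel will therefore look for stunnel.pem in the current directory. For a daemon started from inetd or an rc script, that makes the key and certificate file depend on the working directory at start-up. `mkinstalldirs` also receives whatever configure substitutes for an unset PEM_DIR. Consider pinning it in the package Makefile, e.g. `CONFIGURE_ARGS+= --with-pem-dir="${SSL_CERT_DIR}"`, and adding a comment that the administrator must now supply stunnel.pem, since it is dropped from `DESTFILES` and `all`.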
diff --git a/security/stunnel/patches/patch-ab b/security/stunnel/patches/patch-ab
index c84aed9baa4..213543a42d4 100644
--- a/security/stunnel/patches/patch-ab
+++ b/security/stunnel/patches/patch-ab
@@ -1,33 +1,13 @@
-$NetBSD: patch-ab,v 1.2 2000/04/03 16:52:17 tron Exp $
+$NetBSD: patch-ab,v 1.3 2000/12/19 07:03:22 jlam Exp $
---- configure.in.orig Tue Feb 22 14:19:04 2000
-+++ configure.in Mon Apr 3 18:47:04 2000
-@@ -28,16 +28,14 @@
- )
+--- configure.in.orig Wed Dec 13 05:48:29 2000
++++ configure.in
+@@ -137,12 +137,14 @@
- checkssldir() { :
-- if test -d "$1/certs"; then
-- if test -f "$1/include/openssl/ssl.h"; then
-- AC_DEFINE(HAVE_OPENSSL)
-- ssldir="$1"
-- return 0
-- fi
-- if test -f "$1/include/ssl.h"; then
-- ssldir="$1"
-- return 0
-- fi
-+ if test -f "$1/include/openssl/ssl.h"; then
-+ AC_DEFINE(HAVE_OPENSSL)
-+ ssldir="$1"
-+ return 0
-+ fi
-+ if test -f "$1/include/ssl.h"; then
-+ ssldir="$1"
-+ return 0
- fi
- return 1
- }
-@@ -88,8 +86,9 @@
+ dnl Check for libwrap library.
+ AC_MSG_CHECKING([for hosts_access in -lwrap])
++wrap_LIB=
+ saved_LIBS="$LIBS"
LIBS="-lwrap $saved_LIBS"
AC_TRY_LINK([int hosts_access(); int allow_severity, deny_severity;],
[hosts_access()],
@@ -39,10 +19,19 @@ $NetBSD: patch-ab,v 1.2 2000/04/03 16:52:17 tron Exp $
dnl Add SSL includes and libraries
CFLAGS="$CFLAGS -I$ssldir/include"
-@@ -122,6 +121,8 @@
+@@ -164,7 +166,7 @@
+ # AC_HEADER_DIRENT
+ # AC_HEADER_STDC
+ # AC_HEADER_SYS_WAIT
+-AC_CHECK_HEADERS(getopt.h unistd.h sys/select.h tcpd.h pthread.h pty.h stropts.h)
++AC_CHECK_HEADERS(getopt.h unistd.h sys/select.h tcpd.h pthread.h util.h sys/ioctl.h pty.h stropts.h)
+
+ # dnl Checks for typedefs, structures, and compiler characteristics.
+ # AC_C_CONST
+@@ -175,6 +177,8 @@
dnl Checks for library functions.
- AC_CHECK_FUNCS(getopt snprintf vsnprintf openpty _getpty)
+ AC_CHECK_FUNCS(getopt snprintf vsnprintf openpty _getpty daemon)
+
+LIBS="$LIBS $wrap_LIB"
diff --git a/security/stunnel/patches/patch-ac b/security/stunnel/patches/patch-ac
new file mode 100644
index 00000000000..ae61416a535
--- /dev/null
+++ b/security/stunnel/patches/patch-ac
@@ -0,0 +1,18 @@
+$NetBSD: patch-ac,v 1.1 2000/12/19 07:03:22 jlam Exp $
+
+--- pty.c.orig Wed Dec 13 17:32:14 2000
++++ pty.c
+@@ -35,8 +35,12 @@
+ #endif
+
+ #ifdef HAVE_UTIL_H
+-#include <util.h>
++#include <util.h> /* openpty */
+ #endif /* HAVE_UTIL_H */
++
++#ifdef HAVE_SYS_IOCTL_H
++#include <sys/ioctl.h> /* ioctl */
++#endif
+
+ /* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
+ #if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
diff --git a/security/stunnel/pkg/DESCR b/security/stunnel/pkg/DESCR
index 6729fe0ccd6..1d9eee01684 100644
--- a/security/stunnel/pkg/DESCR
+++ b/security/stunnel/pkg/DESCR
@@ -3,5 +3,5 @@ remote client and local (inetd-startable) or remote server. The concept is
that having non-SSL aware daemons running on your system you can easily setup
them to communicate with clients over secure SSL channel.
-stunnel can be used to add SSL functionality to commonly used inetd daemons
-like POP-2, POP-3 and IMAP servers without any changes in the programs code.
+stunnel can be used to add SSL functionality to commonly used inetd daemons
+like POP-2, POP-3 and IMAP servers without any changes in the program code.
diff --git a/security/stunnel/pkg/PLIST b/security/stunnel/pkg/PLIST
index 1403fafc4ab..bd330e4d063 100644
--- a/security/stunnel/pkg/PLIST
+++ b/security/stunnel/pkg/PLIST
@@ -1,5 +1,4 @@
-@comment $NetBSD: PLIST,v 1.3 2000/06/17 21:52:19 tron Exp $
+@comment $NetBSD: PLIST,v 1.4 2000/12/19 07:03:23 jlam Exp $
lib/stunnel.so
man/man8/stunnel.8
sbin/stunnel
-@exec mkdir -p %D/certs