authorfhajny <fhajny@pkgsrc.org>2017-01-09 13:02:20 +0000
committerfhajny <fhajny@pkgsrc.org>2017-01-09 13:02:20 +0000
commit36220b5e9b5803ced89487c7d50c6ee11965282d (patch)
tree821f5184306caaab8b7df22e6d11e2b57a5f2320 /security
parentefb474f92a02529b9ea0e76b230472793abd0c1e (diff)
Update security/hitch to 1.4.4.
hitch-1.4.4 (2016-12-22) ------------------------ - OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully supported with Hitch. - Fix a bug in the OCSP refresh code that could make it loop with immediate refreshes flooding an OCSP responder. - Force the SSL_OP_SINGLE_DH_USE setting. This protects against an OpenSSL vulnerability where a remote attacker could discover private DH exponents (CVE-2016-0701). hitch-1.4.3 (2016-11-14) ------------------------ - OCSP stapling is now enabled by default. Users should create ocsp-dir (default: /var/lib/hitch/) and make it writable for the hitch user. - Build error due to man page generation on FreeBSD (most likely non-Linux) has been fixed. hitch-1.4.2 (2016-11-08) ------------------------ - Example configuration file hitch.conf.example has been shortened and defaults moved into Hitch itself. Default cipher string is now what we believe to be secure. Users are recommended to use the built-in default from now on, unless they have special requirements. - hitch.conf(5) manual has been added. - Hitch will now send a TLS Close notification during connection teardown. This fixes an incomplete read with a GnuTLS client when the backend (thttpd) used EOF to signal end of data, leaving some octets discarded by gnutls client-side. (Issue 127_) - Autotools will now detect SO_REUSEPORT availability. (Issue 122_) - Improved error handling on memory allocation failure.
Diffstat (limited to 'security')
-rw-r--r--security/hitch/Makefile13
-rw-r--r--security/hitch/PLIST3
-rw-r--r--security/hitch/distinfo15
-rw-r--r--security/hitch/patches/patch-hitch.conf.example63
-rw-r--r--security/hitch/patches/patch-src_configuration.c15
-rw-r--r--security/hitch/patches/patch-src_hitch.c12
6 files changed, 64 insertions, 57 deletions
diff --git a/security/hitch/Makefile b/security/hitch/Makefile
index 94fd6a73813..281aad85b37 100644
--- a/security/hitch/Makefile
+++ b/security/hitch/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.4 2016/10/02 09:19:35 fhajny Exp $
+# $NetBSD: Makefile,v 1.5 2017/01/09 13:02:20 fhajny Exp $
-DISTNAME= hitch-1.4.1
+DISTNAME= hitch-1.4.4
CATEGORIES= security
MASTER_SITES= https://hitch-tls.org/source/
@@ -16,6 +16,8 @@ USE_TOOLS+= pkg-config
.include "../../mk/bsd.prefs.mk"
+CHECK_PORTABILITY_SKIP+= src/tests/*
+
CONFIGURE_ARGS+= --with-rst2man=${PREFIX}/bin/rst2man.py${PYVERSSUFFIX}
CPPFLAGS.SunOS+= -D__EXTENSIONS__
@@ -26,6 +28,7 @@ BUILD_DEFS+= HITCH_USER HITCH_GROUP HITCH_CERTS
HITCH_USER?= hitch
HITCH_GROUP?= hitch
HITCH_CERTS?= ${PKG_SYSCONFDIR}/certs.pem
+HITCH_OCSP?= ${VARBASE}/db/hitch
PKG_GROUPS+= ${HITCH_GROUP}
PKG_USERS+= ${HITCH_USER}:${HITCH_GROUP}
@@ -37,8 +40,8 @@ MESSAGE_SUBST+= HITCH_CERTS=${HITCH_CERTS}
SUBST_CLASSES+= dir
SUBST_STAGE.dir= pre-configure
-SUBST_FILES.dir= hitch.conf.example
-SUBST_VARS.dir= HITCH_USER HITCH_GROUP HITCH_CERTS
+SUBST_FILES.dir= hitch.conf.example src/configuration.c
+SUBST_VARS.dir= HITCH_USER HITCH_GROUP HITCH_CERTS HITCH_OCSP
SUBST_MESSAGE.dir= Setting default configuration values
PKG_SYSCONFSUBDIR= hitch
@@ -47,6 +50,8 @@ CONF_FILES+= share/examples/hitch/hitch.conf.example \
INSTALLATION_DIRS+= share/examples/hitch
+OWN_DIRS_PERMS+= ${HITCH_OCSP} ${HITCH_USER} ${HITCH_GROUP} 0755
+
post-install:
${MV} ${DESTDIR}${PREFIX}/share/doc/hitch/hitch.conf.example \
${DESTDIR}${PREFIX}/share/examples/hitch
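Review bot: HITCH_OCSP is introduced as a user-settable variable (`HITCH_OCSP?= ${VARBASE}/db/hitch` in the third hunk) but is not added to BUILD_DEFS, unlike HITCH_USER, HITCH_GROUP and HITCH_CERTS which the hunk header shows on the `BUILD_DEFS+=` line; since the value is substituted into src/configuration.c and used by OWN_DIRS_PERMS it changes the built package and should be recorded as `BUILD_DEFS+= HITCH_USER HITCH_GROUP HITCH_CERTS HITCH_OCSP`. The `BUILD_DEFS+=` line itself is outside the hunk. The directory is created with mode 0755 owned by the hitch user, which matches the changelog's requirement that ocsp-dir be writable by the hitch user, but nothing in the Makefile says so; a comment above the new variable such as `# Cache directory for OCSP responses; must be writable by HITCH_USER` would make that constraint visible to anyone overriding it.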
diff --git a/security/hitch/PLIST b/security/hitch/PLIST
index f6670c1b267..25d14da053e 100644
--- a/security/hitch/PLIST
+++ b/security/hitch/PLIST
@@ -1,4 +1,5 @@
-@comment $NetBSD: PLIST,v 1.2 2016/08/22 09:34:40 fhajny Exp $
+@comment $NetBSD: PLIST,v 1.3 2017/01/09 13:02:20 fhajny Exp $
+man/man5/hitch.conf.5
man/man8/hitch.8
sbin/hitch
share/doc/hitch/CHANGES.rst
diff --git a/security/hitch/distinfo b/security/hitch/distinfo
index 4e18d7eb575..66574e8ebde 100644
--- a/security/hitch/distinfo
+++ b/security/hitch/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.4 2016/10/02 09:19:35 fhajny Exp $
+$NetBSD: distinfo,v 1.5 2017/01/09 13:02:20 fhajny Exp $
-SHA1 (hitch-1.4.1.tar.gz) = 5af72612306dbd48d363f816494b8cf8ec4e0c19
-RMD160 (hitch-1.4.1.tar.gz) = cd187994b558f1c43eef069e388add6c658fbd5d
-SHA512 (hitch-1.4.1.tar.gz) = e2e788e6239d68371de606f088d39923f1d661fd41d1124cfc269297b328faf51df5c5450460dd61ed4b0dc33e198d9354ebf95ea4c57a4a231cbf444e5d628c
-Size (hitch-1.4.1.tar.gz) = 272769 bytes
-SHA1 (patch-hitch.conf.example) = 3200fedcc6528476f9b5eca599f156def3e743e0
-SHA1 (patch-src_hitch.c) = f16c5010a704291fd1c986b73bb987fd92148616
+SHA1 (hitch-1.4.4.tar.gz) = 6c836d24fce74892dc97217eb733dffa7c91109c
+RMD160 (hitch-1.4.4.tar.gz) = fe48092f9e5ba674db2ac04228fccd3c108aeaba
+SHA512 (hitch-1.4.4.tar.gz) = 33037c6ba2882575d9d4a63adcbef7db9a0294e8fdc2eee5a5cc8a45656d9c9620952e49f71abbfbc94c6d1781911ad1b76237a058d3dda3eaaf2f220d15cd18
+Size (hitch-1.4.4.tar.gz) = 300494 bytes
+SHA1 (patch-hitch.conf.example) = 1c922c2e294362ef009ff60bfe43f746de596087
+SHA1 (patch-src_configuration.c) = ba89c7c987159f66b1694435613aa89a6f9574de
+SHA1 (patch-src_hitch.c) = 7d92f2d83b302e3ca8a2acebc6c4697c1da184b2
diff --git a/security/hitch/patches/patch-hitch.conf.example b/security/hitch/patches/patch-hitch.conf.example
index 1bb520a57bf..73f72dda448 100644
--- a/security/hitch/patches/patch-hitch.conf.example
+++ b/security/hitch/patches/patch-hitch.conf.example
@@ -1,48 +1,33 @@
-$NetBSD: patch-hitch.conf.example,v 1.1 2016/08/22 09:34:40 fhajny Exp $
+$NetBSD: patch-hitch.conf.example,v 1.2 2017/01/09 13:02:20 fhajny Exp $
Sane default options.
---- hitch.conf.example.orig 2016-08-15 13:51:51.000000000 +0000
+--- hitch.conf.example.orig 2016-11-14 13:13:10.000000000 +0000
+++ hitch.conf.example
-@@ -43,7 +43,7 @@ backend = "[127.0.0.1]:6081"
- # only available for a specific listen endpoint.
- #
- # type: string
--pem-file = ""
-+pem-file = "@HITCH_CERTS@"
+@@ -2,15 +2,15 @@
- # OCSP settings
- #
-@@ -120,12 +120,12 @@ chroot = ""
- # Set uid after binding a socket
- #
- # type: string
--user = ""
-+user = "@HITCH_USER@"
- # Set gid after binding a socket
- #
- # type: string
--group = ""
-+group = "@HITCH_GROUP@"
+ frontend = {
+- host = "*"
++ host = "127.0.0.1"
+ port = "443"
+ }
+ backend = "[127.0.0.1]:6086" # 6086 is the default Varnish PROXY port.
+ workers = 4 # number of CPU cores
- # Quiet execution, report only error messages
- #
-@@ -135,7 +135,7 @@ quiet = off
- # Use syslog for logging
- #
- # type: boolean
--syslog = off
-+syslog = on
+ daemon = on
+-user = "nobody"
+-group = "nogroup"
++user = "@HITCH_USER@"
++group = "@HITCH_GROUP@"
- # Syslog facility to use
- #
-@@ -145,7 +145,7 @@ syslog-facility = "daemon"
- # Run as daemon
- #
- # type: boolean
--daemon = off
-+daemon = on
+ # Enable to let clients negotiate HTTP/2 with ALPN. (default off)
+ # alpn-protos = "http/2, http/1.1"
+@@ -18,4 +18,6 @@ group = "nogroup"
+ # run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
+ write-proxy-v2 = on # Write PROXY header
- # Report client address by writing IP before sending data
- #
+-
++pem-file = {
++ cert = "@HITCH_CERTS@"
++}
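Review bot: The patch header `Sane default options.` does not say what the patch changes, and the rewritten hunk now also rebinds the example frontend from `host = "*"` to `host = "127.0.0.1"`; because the Makefile installs hitch.conf.example as the live configuration through CONF_FILES, that loopback bind becomes the package's effective default, which an operator deploying a TLS terminator needs to know about. pkgsrc patch comments conventionally state the reason for each change, so I would replace the header with something like `Substitute the pkgsrc user, group and certificate path, and bind the example frontend to loopback so a freshly installed instance is not reachable from outside until configured.` The previous version of this patch also forced `syslog = on`, which the new one drops; if that is intentional because upstream 1.4.2 moved the defaults into Hitch itself it deserves a word in the commit message, otherwise the setting should be carried over.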
diff --git a/security/hitch/patches/patch-src_configuration.c b/security/hitch/patches/patch-src_configuration.c
new file mode 100644
index 00000000000..d6dae2572db
--- /dev/null
+++ b/security/hitch/patches/patch-src_configuration.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-src_configuration.c,v 1.1 2017/01/09 13:02:20 fhajny Exp $
+
+Sane default options.
+
+--- src/configuration.c.orig 2016-12-15 10:34:22.000000000 +0000
++++ src/configuration.c
+@@ -193,7 +193,7 @@ config_new(void)
+ fa->pspec = strdup("default");
+ HASH_ADD_KEYPTR(hh, r->LISTEN_ARGS, fa->pspec, strlen(fa->pspec), fa);
+ r->LISTEN_DEFAULT = fa;
+- r->OCSP_DIR = strdup("/var/lib/hitch/");
++ r->OCSP_DIR = strdup("@HITCH_OCSP@/");
+ r->OCSP_VFY = 0;
+ r->OCSP_RESP_TMO = 10.0;
+ r->OCSP_CONN_TMO = 4.0;
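Review bot: The header `Sane default options.` is copied from patch-hitch.conf.example and does not describe this patch, which redirects the compiled-in OCSP cache directory from `/var/lib/hitch/` to the `@HITCH_OCSP@` placeholder that the Makefile substitutes at pre-configure; a header such as `Use the pkgsrc OCSP cache directory (HITCH_OCSP), created by OWN_DIRS_PERMS with the hitch user as owner, instead of /var/lib/hitch.` would tell the next maintainer why this placeholder has to stay in sync with SUBST_VARS.dir. The substituted value keeps the trailing slash of the upstream string, so code that appends a file name to r->OCSP_DIR presumably keeps working, but that code is outside the hunk and should be checked on the next update. config_new() begins before the hunk.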
diff --git a/security/hitch/patches/patch-src_hitch.c b/security/hitch/patches/patch-src_hitch.c
index 268894d48fb..62c2ba52327 100644
--- a/security/hitch/patches/patch-src_hitch.c
+++ b/security/hitch/patches/patch-src_hitch.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-src_hitch.c,v 1.1 2016/05/25 20:15:35 fhajny Exp $
+$NetBSD: patch-src_hitch.c,v 1.2 2017/01/09 13:02:20 fhajny Exp $
Need sys/filio on SunOS for FIONBIO.
---- src/hitch.c.orig 2016-01-26 14:58:56.000000000 +0000
+--- src/hitch.c.orig 2016-11-11 13:10:38.000000000 +0000
+++ src/hitch.c
-@@ -77,6 +77,10 @@
+@@ -62,6 +62,10 @@
#include <sys/prctl.h>
#endif
@@ -12,6 +12,6 @@ Need sys/filio on SunOS for FIONBIO.
+#include <sys/filio.h>
+#endif
+
- #include "uthash.h"
- #include "ringbuffer.h"
- #include "miniobj.h"
+ #include "config.h"
+ #include "configuration.h"
+ #include "hitch.h"