Upgrade to upstream's 1.23. Try to organize the checks

for various methods -- some may be too new to be available
in earlier versions of OpenSSL, others -- too old to be
found in latest ones.

Submitted upstream.

Reported by:	pkg-fallout

security/sst/Makefile

@@ -2,11 +2,9 @@
 # $FreeBSD$
 
 PORTNAME=	sst
-PORTVERSION=	1.0
-PORTREVISION=	1
+PORTVERSION=	1.23
 CATEGORIES=	security
 MASTER_SITES=	http://utcc.utoronto.ca/~pkern/stuff/sst/
-DISTNAME=	${PORTNAME}
 
 MAINTAINER=	mi@aldan.algebra.com
 COMMENT=	Simple SSL tunneling tool (uses netcat)
@@ -16,7 +14,7 @@ RUN_DEPENDS=	netcat:net/netcat
 .endif
 
 MAKEFILE=	${FILESDIR}/Makefile
-USES=		uidfix ssl
+USES=		uidfix ssl tar:xz
 
 PLIST_FILES=	sbin/sst \
 		man/man1/sst.1.gz

security/sst/distinfo

@@ -1,2 +1,3 @@
-SHA256 (sst.tar.gz) = 4becd5f0e70d3875c3497d8965c8bd4ee8310b5090a502409d872d4132510abb
-SIZE (sst.tar.gz) = 10109
+TIMESTAMP = 1540048110
+SHA256 (sst-1.23.tar.xz) = 664031f4d2156a50225b27775bed35e94905b1a070a500511bec913200ae68d4
+SIZE (sst-1.23.tar.xz) = 11436

security/sst/files/Makefile

@@ -6,7 +6,8 @@ BINDIR=${PREFIX}/sbin
 MANDIR=${PREFIX}/man/man
 
 CFLAGS+=	-DCONFDIR='"${OPENSSLDIR}"' -DCERTF='"certs/sst.pem"' \
-		-I${OPENSSLINC}
+		-I${OPENSSLINC} -Wno-comment
+# -Wno-dangling-else not available in gcc-4.2, which is still around...
 .if exists(/usr/bin/nc)
 CFLAGS+=	-DNETCAT='"/usr/bin/nc"'
 .else

security/sst/files/patch-sst.c

@@ -1,17 +1,14 @@
---- sst.c.orig	2000-05-04 19:47:28 UTC
-+++ sst.c
-@@ -212,7 +212,7 @@
-  ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
+--- sst.c	2015-05-06 09:24:06.000000000 -0400
++++ sst.c	2018-11-04 18:57:40.626302000 -0500
+@@ -213,5 +213,5 @@
   */
  #ifndef lint
--static char rcsid[] = "$Header: /local/src/local.bin/sst/SRC/RCS/sst.c,v 1.12 2000/05/04 19:47:26 pkern Exp $";
-+static const char rcsid[] = "$Header: /local/src/local.bin/sst/SRC/RCS/sst.c,v 1.12 2000/05/04 19:47:26 pkern Exp $";
+-static char rcsid[] = "$Header: /c/src/local.bin/sst/RCS/sst.c,v 1.23 2015/05/06 13:24:00 pkern Exp $";
++static const char rcsid[] = "$Header: /c/src/local.bin/sst/RCS/sst.c,v 1.23 2015/05/06 13:24:00 pkern Exp $";
  #endif
  
- #include <stdio.h>
-@@ -261,10 +261,10 @@ int timeout = 0;
- int inetd = 0;
- int eofclnt = 0;
+@@ -267,8 +267,8 @@
+ int self_signed_ok = 1;
  
 -char *prog = "sst";
 -char *host = NULL;
@@ -23,9 +20,7 @@
 +const char *method = NULL;
  
  char certfbuf[MAXPATHLEN], ssldbuf[MAXPATHLEN];
- char *certf = NULL, *pkeyf = NULL, *ssld = NULL;
-@@ -297,8 +297,8 @@ pid_t pid = 0;
-  *	Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+@@ -316,6 +316,6 @@
   *	All rights reserved.
   */
 -void
@@ -34,50 +29,87 @@
 +ERR_log_errors(void)
  {
  	unsigned long l;
- 	char buf[200];
-@@ -314,13 +314,17 @@ ERR_log_errors()
- 	}
+@@ -333,5 +333,5 @@
  }
  
 -void
--show_SSL_errors()
 +static void
-+show_SSL_errors(void)
+ show_SSL_errors()
  {
- 	if (logging)	ERR_log_errors();
- 	else		ERR_print_errors_fp(stderr);
+@@ -340,4 +340,8 @@
  }
  
 +#ifndef __GNUC__
 +#	define __attribute__(x)
 +#endif
 +
- #define SHOW_x(L,F,x)	{ \
+ #define SHOW_x(L,F,x)	do { \
  	if (logging)	syslog((L), "%s", (x)); \
- 	else 		fprintf((F), "%d: %s\n", getpid(), (x)); }
-@@ -346,7 +350,7 @@ show_SSL_errors()
- #define SHOW_info2(f,a1,a2)	SHOW_x2(LOG_DEBUG,tty,f,a1,a2)
+@@ -367,5 +371,5 @@
  
  
 -char *usageopts[] = {
-+const char *usageopts[] = {
++static const char *usageopts[] = {
  "",
  " options:",
- " --------",
-@@ -374,9 +378,10 @@ char *usageopts[] = {
- NULL
+@@ -389,5 +393,5 @@
+ "  -K pkey-file	= use <pkey-file> instead of the default private key file.",
+ "  -D ssl-conf	= use <ssl-conf> as the path to default cert/keys.",
+-"  -M method	= use a specific SSL method (ssl2, ssl3 or tls1).",
++"  -M method	= use a specific SSL method (ssl3 or tls1, etc.).",
+ #ifdef USE_EGD
+ "  -E skt-path	= use <skt-path> instead of the default EGD socket.",
+@@ -403,7 +407,40 @@
  };
  
 -usage()
++struct method {
++	const char *name;
++	const SSL_METHOD * (*meth)(void);
++} methods[] = {
++#if !defined(OPENSSL_NO_SSL2) && OPENSSL_VERSION_NUMBER < 0x1010000fL
++	{ "ssl2", SSLv2_method },
++#endif
++#if !defined(OPENSSL_NO_SSL3) && OPENSSL_VERSION_NUMBER < 0x1020000fL
++	{ "ssl3", SSLv3_method },
++#endif
++#if !defined(OPENSSL_NO_TLS1_METHOD)
++	{ "tls1", TLSv1_method },
++#endif
++#if !defined(OPENSSL_NO_TLS1_1_METHOD)
++	{ "tls1.1", TLSv1_1_method },
++#endif
++#if !defined(OPENSSL_NO_TLS1_2_METHOD)
++	{ "tls1.2", TLSv1_2_method },
++#endif
++#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++	{ "dtls", DTLS_method },
++#endif
++#if !defined(OPENSSL_NO_DTLS1_METHOD) && OPENSSL_VERSION_NUMBER >= 0x1010000fL
++	{ "dtls1", DTLSv1_method },
++#endif
++#if !defined(OPENSSL_NO_TLS1_2_METHOD) && OPENSSL_VERSION_NUMBER >= 0x1010000fL
++	{ "dtls1.2", DTLSv1_2_method },
++#endif
++	{ NULL, SSLv23_method }
++};
++
 +static void
 +usage(void)
  {
 -	char **uop = usageopts;
 +	const char **uop = usageopts;
++	const struct method *m;
  
  	if (logging) {
- 		syslog(LOG_ERR, "usage: %s <options> [ '--' <auxiliary command + options> ]", prog);
-@@ -389,8 +394,8 @@ usage()
+@@ -415,9 +452,14 @@
+ 		while (*uop != NULL) fprintf(stderr, "%s\n", *uop++);
+ 	}
++	fprintf(stderr, " methods avalable for the -M option:\n");
++	fprintf(stderr, " -----------------------------------\n");
++	for (m = methods; m->name != NULL; m++)
++		fprintf(stderr, " %s", m->name);
++	fprintf(stderr, "\n");
  }
  
  /* reaper -- zombie prevention */
@@ -87,118 +119,192 @@
 +reaper(int signal __attribute__((unused)))
  {
  	int w;
- 	pid_t p;
-@@ -414,6 +419,7 @@ reaper()
-  *
+@@ -459,4 +501,5 @@
   * - EOF on rd when in server mode means the actual server has finished.
   */
 +static void
  relay(ssl, sd, rd, wd)
  SSL *ssl;
- int sd, rd, wd;
-@@ -522,22 +528,14 @@ done:
- 	}
+@@ -594,28 +637,10 @@
  
  	if (verbose) {
 -		if (sizeof(off_t) > 4) {
--			SHOW_info1("bytes from   ssl: %qd", nsr);
--			SHOW_info1("bytes  to    ssl: %qd", nsw);
+-			if (ssl != NULL) {
+-				SHOW_info1("bytes from   ssl: %qd", nsr);
+-				SHOW_info1("bytes  to    ssl: %qd", nsw);
+-			}
+-			else {
+-				SHOW_info1("bytes from remote: %qd", nsr);
+-				SHOW_info1("bytes  to  remote: %qd", nsw);
+-			}
 -			SHOW_info1("bytes from local: %qd", nlr);
 -			SHOW_info1("bytes  to  local: %qd", nlw);
 -		}
 -		else {
--			SHOW_info1("bytes from   ssl: %ld", nsr);
--			SHOW_info1("bytes  to    ssl: %ld", nsw);
+-			if (ssl != NULL) {
+-				SHOW_info1("bytes from   ssl: %ld", nsr);
+-				SHOW_info1("bytes  to    ssl: %ld", nsw);
+-			}
+-			else {
+-				SHOW_info1("bytes from remote: %ld", nsr);
+-				SHOW_info1("bytes  to  remote: %ld", nsw);
+-			}
 -			SHOW_info1("bytes from local: %ld", nlr);
 -			SHOW_info1("bytes  to  local: %ld", nlw);
 -		}
-+		SHOW_info1("bytes from   ssl: %qd", (long long int)nsr);
-+		SHOW_info1("bytes  to    ssl: %qd", (long long int)nsw);
-+		SHOW_info1("bytes from local: %qd", (long long int)nlr);
-+		SHOW_info1("bytes  to  local: %qd", (long long int)nlw);
++		const char *id = ssl ? "ssl" : "remote";
++
++		SHOW_info2("bytes from %5s: %jd", id, (intmax_t)nsr);
++		SHOW_info2("bytes  to  %5s: %jd", id, (intmax_t)nsw);
++		SHOW_info1("bytes from local: %jd", (intmax_t)nlr);
++		SHOW_info1("bytes  to  local: %jd", (intmax_t)nlw);
  	}
  }
+@@ -646,5 +671,5 @@
+ 
+ 	bp = X509_NAME_oneline(X509_get_subject_name(err_cert), 0, 0);
+-	if (bp) { subj = strdup(bp); CRYPTO_free(bp); }
++	if (bp) { subj = strdup(bp); OPENSSL_free(bp); }
+ 
+ 	/*
+@@ -688,9 +713,10 @@
+ 	switch (err) {
+ 	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+-		bp = X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), 0, 0);
++		bp = X509_NAME_oneline(X509_get_issuer_name(
++		    X509_STORE_CTX_get_current_cert(ctx)), 0, 0);
+ 		if (bp == NULL) SHOW_err("verify: cert: no issuer.");
+ 		else {
+ 			if (debug > 1) SHOW_info1("verify: cert issuer: %s", bp);
+-			CRYPTO_free(bp);
++			OPENSSL_free(bp);
+ 		}
+ 		break;
+@@ -703,5 +729,5 @@
+ }
  
 -
++static void
+ peer_cert_prep(ctx)
+ SSL_CTX *ctx;
+@@ -725,4 +751,5 @@
+  * (note: beware of dynamic allocation)
+  */
++static void
+ peer_cert_chk(ctx, ssl)
+ SSL_CTX *ctx;
+@@ -751,5 +778,5 @@
+ 		else {
+ 			SHOW_info1("peer cert subject: %s", bp);
+-			CRYPTO_free(bp);
++			OPENSSL_free(bp);
+ 		}
+ 
+@@ -758,5 +785,5 @@
+ 		else {
+ 			SHOW_info1("peer cert issuer: %s", bp);
+-			CRYPTO_free(bp);
++			OPENSSL_free(bp);
+ 		}
+ 	}
+@@ -782,5 +809,5 @@
+ }
+ 
+-
++static void
+ cert_prep(ctx)
+ SSL_CTX *ctx;
+@@ -804,5 +831,25 @@
+ }
+ 
++static const SSL_METHOD *
++discern_ssl_method(requested)
++const char *requested;
++{
++	const struct method *m;
++
++	if (requested == NULL)
++		goto highest;
++
++	for (m = methods; m->name != NULL; m++) {
++		if (strcmp(m->name, requested) == 0)
++			return m->meth();
++	}
++
++highest:
++	SHOW_info1("method `%s' not known, trying best available", requested);
++	m = methods + sizeof(methods)/sizeof(methods[0]); /* Last entry */
++	return m->meth();
++}
+ 
 +static void
  srvr_prep(ctx, ssl, sd)
  SSL_CTX **ctx;
- SSL **ssl;
-@@ -556,10 +554,14 @@ int sd;
+@@ -811,6 +858,5 @@
+ {
+ 	int err;
+-	SSL_METHOD *meth;
+-	X509 *client_cert;
++	const SSL_METHOD *meth;
  
- 	if (method == NULL)
- 		meth = SSLv23_server_method();
-+#ifndef OPENSSL_NO_SSL2
- 	else if (strcmp(method, "ssl2") == 0)
- 		meth = SSLv2_server_method();
-+#endif
-+#ifndef OPENSSL_NO_SSL3_METHOD
- 	else if (strcmp(method, "ssl3") == 0)
- 		meth = SSLv3_server_method();
-+#endif
- 	else if (strcmp(method, "tls1") == 0)
- 		meth = TLSv1_server_method();
- 	else
-@@ -609,8 +611,8 @@ int sd;
- 			SHOW_info1("client cert subject: %s", subj);
- 			SHOW_info1("client cert issuer: %s", issu);
+ 	/*
+@@ -821,14 +867,5 @@
+ 	SSLeay_add_ssl_algorithms();
  
--			Free(subj);
--			Free(issu);
-+			free(subj);
-+			free(issu);
-     
- 			/*
- 			 * XXX ...
-@@ -624,7 +626,7 @@ int sd;
- 	}
+-	if (method == NULL)
+-		meth = SSLv23_server_method();
+-	else if (strcmp(method, "ssl2") == 0)
+-		meth = SSLv2_server_method();
+-	else if (strcmp(method, "ssl3") == 0)
+-		meth = SSLv3_server_method();
+-	else if (strcmp(method, "tls1") == 0)
+-		meth = TLSv1_server_method();
+-	else
+-		meth = SSLv23_server_method();
++	meth = discern_ssl_method(method);
+ 
+ 	*ctx = SSL_CTX_new (meth);
+@@ -854,5 +891,5 @@
  }
  
 -
 +static void
  clnt_prep(ctx, ssl, sd)
  SSL_CTX **ctx;
- SSL **ssl;
-@@ -643,10 +645,14 @@ int sd;
+@@ -861,6 +898,5 @@
+ {
+ 	int err;
+-	SSL_METHOD *meth;
+-	X509 *server_cert;
++	const SSL_METHOD *meth;
  
- 	if (method == NULL)
- 		meth = SSLv23_client_method();
-+#ifndef OPENSSL_NO_SSL2
- 	else if (strcmp(method, "ssl2") == 0)
- 		meth = SSLv2_client_method();
-+#endif
-+#ifndef OPENSSL_NO_SSL3_METHOD
- 	else if (strcmp(method, "ssl3") == 0)
- 		meth = SSLv3_client_method();
-+#endif
- 	else if (strcmp(method, "tls1") == 0)
- 		meth = TLSv1_client_method();
- 	else
-@@ -699,8 +705,8 @@ int sd;
- 		SHOW_info1("server cert subject: %s", subj);
- 		SHOW_info1("server cert issuer: %s", issu);
+ 	/*
+@@ -871,14 +907,5 @@
+ 	SSLeay_add_ssl_algorithms();
  
--		Free(subj);
--		Free(issu);
-+		free(subj);
-+		free(issu);
+-	if (method == NULL)
+-		meth = SSLv23_client_method();
+-	else if (strcmp(method, "ssl2") == 0)
+-		meth = SSLv2_client_method();
+-	else if (strcmp(method, "ssl3") == 0)
+-		meth = SSLv3_client_method();
+-	else if (strcmp(method, "tls1") == 0)
+-		meth = TLSv1_client_method();
+-	else
+-		meth = SSLv23_client_method();
++	meth = discern_ssl_method(method);
  
- 		/*
- 		 * XXX ...
-@@ -713,7 +719,7 @@ int sd;
- 	X509_free (server_cert);
+ 	*ctx = SSL_CTX_new (meth);
+@@ -903,5 +930,5 @@
  }
  
 -
 +int
  main(ac, av)
  int ac;
- char *av[];
-@@ -756,7 +762,6 @@ char *av[];
- 	if (logging) openlog(prog, LOG_PID, LOG_SSL);
+@@ -958,5 +985,4 @@
  
  	if (errflg) {
 -usage:
  		usage();
- 		exit(1);
- 	}
+ 		quit(1);