diff --git a/COPYING b/COPYING index 5890bc3..e139a18 100644 --- a/COPYING +++ b/COPYING @@ -1,6 +1,6 @@ stunnel license (see COPYRIGHT.GPL for detailed GPL conditions) -Copyright (C) 1998-2012 Michal Trojnara +Copyright (C) 1998-2013 Michal Trojnara This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software diff --git a/ChangeLog b/ChangeLog index 730225c..93a3a67 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,80 @@ stunnel change log +Version 4.57, 2015.04.01, urgency: HIGH: +* Security bugfixes + - Added PRNG state update in fork threading (CVE-2014-0016). + +Version 4.56, 2013.03.22, urgency: HIGH: +* New features + - Win32 installer automatically configures firewall exceptions. + - Win32 installer configures administrative shortcuts to invoke UAC. + - Improved Win32 GUI shutdown time. +* Bugfixes + - Fixed a regression bug introduced in version 4.55 causing random + crashes on several platforms, including Windows 7. + - Fixed startup crashes on some Win32 systems. + - Fixed incorrect "stunnel -exit" process synchronisation. + - Fixed FIPS detection with new versions of the OpenSSL library. + - Failure to open the log file at startup is no longer ignored. + +Version 4.55, 2013.03.03, urgency: HIGH: +* Security bugfixes + - Buffer overflow vulnerability fixed in the NTLM authentication + of the CONNECT protocol negotiation. + See https://www.stunnel.org/CVE-2013-1762.html for details. + - OpenSSL updated to version 1.0.1e in Win32/Android builds. +* New features + - SNI wildcard matching in server mode. + - Terminal version of stunnel (tstunnel.exe) build for Win32. +* Bugfixes + - Fixed write half-close handling in the transfer() function (thx to + Dustin Lundquist). + - Fixed EAGAIN error handling in the transfer() function (thx to Jan Bee). + - Restored default signal handlers before execvp() (thx to Michael Weiser). + - Fixed memory leaks in protocol negotiation (thx to Arthur Mesh). + - Fixed a file descriptor leak during configuration file reload (thx to + Arthur Mesh). + - Closed SSL sockets were removed from the transfer() c->fds poll. + - Minor fix in handling exotic inetd-mode configurations. + - WCE compilation fixes. + - IPv6 compilation fix in protocol.c. + - Windows installer fixes. + +Version 4.54, 2012.10.09, urgency: MEDIUM: +* New Win32 features + - FIPS module updated to version 2.0. + - OpenSSL DLLs updated to version 1.0.1c. 
+ - zlib DLL updated to version 1.2.7. + - Engine DLLs added: 4758cca, aep, atalla, capi, chil, cswift, gmp, gost, + nuron, padlock, sureware, ubsec. +* Other new features + - "session" option renamed to more readable "sessionCacheTimeout". + The old name remains accepted for backward compatibility. + - New service-level "sessionCacheSize" option to control session cache size. + - New service-level option "reset" to control whether TCP RST flag is used + to indicate errors. The default value is "reset = yes". + - New service-level option "renegotiation" to disable SSL renegotiation. + This feature is based on a public-domain patch by Janusz Dziemidowicz. + - New FreeBSD socket options: IP_FREEBIND, IP_BINDANY, IPV6_BINDANY (thx + to Janusz Dziemidowicz). + - New parameters to configure TLS v1.1/v1.2 with OpenSSL version 1.0.1 + or higher (thx to Henrik Riomar). +* Bugfixes + - Fixed "Application Failed to Initialize Properly (0xc0150002)" error. + - Fixed missing SSL state debug log entries. + - Fixed a race condition in libwrap code resulting in random stalls (thx + to Andrew Skalski). + - Session cache purged at configuration file reload to reduce memory leak. + Remaining leak of a few kilobytes per section is yet to be fixed. + - Fixed a regression bug in "transparent = destination" functionality (thx + to Stefan Lauterbach). This bug was introduced in stunnel 4.51. + - "transparent = destination" is now a valid endpoint in inetd mode. + - "delay = yes" fixed to work even if specified *after* "connect" option. + - Multiple "connect" targets fixed to also work with delayed resolver. + - The number of resolver retries of EAI_AGAIN error has been limited to 3 + in order to prevent infinite loops. + Version 4.53, 2012.03.19, urgency: MEDIUM: * New features - Added client-mode "sni" option to directly control the value of 
@@ -94,14 +168,14 @@ Version 4.46, 2011.11.04, urgency: LOW: - Added "verify = 4" mode to ignore CA chain and only verify peer certificate. - Removed the limit of 16 IP addresses for a single 'connect' option. - Removed the limit of 256 stunnel.conf sections in PTHREAD threading model. - It is still not possible have more than 63 sections on WIN32 platform. + It is still not possible have more than 63 sections on Win32 platform. http://msdn.microsoft.com/en-us/library/windows/desktop/ms740141(v=vs.85).aspx * Optimizations - Reduced per-connection memory usage. - Performed a major refactoring of internal data structures. Extensive internal testing was performed, but some regression bugs are expected. * Bugfixes - - Fixed WIN32 compilation with Mingw32. + - Fixed Win32 compilation with Mingw32. - Fixed non-blocking API emulation layer in UCONTEXT threading model. - Fixed signal handling in UCONTEXT threading model. @@ -146,7 +220,7 @@ Version 4.43, 2011.09.07, urgency: MEDIUM: - Major optimization of the logging subsystem. Benchmarks indicate up to 15% stunnel performance improvement. * Bugfixes - - Fixed WIN32 configuration file reload. + - Fixed Win32 configuration file reload. - Fixed FORK and UCONTEXT threading models. - Corrected INSTALL.W32 file. @@ -280,14 +354,14 @@ Version 4.34, 2010.09.19, urgency: LOW: * Bugfixes - Implemented fixes in user interface to enter engine PIN. - Fixed a transfer() loop issue on socket errors. - - Fixed missing WIN32 taskbar icon while displaying a global option error. + - Fixed missing Win32 taskbar icon while displaying a global option error. Version 4.33, 2010.04.05, urgency: MEDIUM: * New features - Win32 DLLs for OpenSSL 1.0.0. This library requires to c_rehash CApath/CRLpath directories on upgrade. - Win32 DLLs for zlib 1.2.4. - - Experimental support for local mode on WIN32 platform. + - Experimental support for local mode on Win32 platform. Try "exec = c:\windows\system32\cmd.exe". * Bugfixes - Inetd mode fixed. 
diff --git a/Makefile.am b/Makefile.am index bdc33e4..cf9fea1 100644 --- a/Makefile.am +++ b/Makefile.am @@ -23,15 +23,17 @@ distclean-local: rm -rf autom4te.cache rm -f $(distdir)-installer.exe -dist-hook: - makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \ - -DDLLS=/usr/src/openssl-0.9.8s-fips/out32dll \ - $(srcdir)/tools/stunnel.nsi +#dist-hook: +# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \ +# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \ +# -DZLIB=/usr/src/zlib-1.2.6-i586 \ +# $(srcdir)/tools/stunnel.nsi + +# cp -f $(distdir)-installer.exe ../dist +# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe sign: dist cp -f $(distdir).tar.gz ../dist - cp -f $(distdir)-installer.exe ../dist gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz - gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256 diff --git a/Makefile.in b/Makefile.in index bb6c5d2..806d7bd 100644 --- a/Makefile.in +++ b/Makefile.in @@ -515,9 +515,6 @@ distdir: $(DISTFILES) || exit 1; \ fi; \ done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -test -n "$(am__skip_mode_fix)" \ || find "$(distdir)" -type d ! -perm -755 \ -exec chmod u+rwx,go+rx {} \; -o \ @@ -578,7 +575,7 @@ distcheck: dist *.zip*) \ unzip $(distdir).zip ;;\ esac - chmod -R a-w $(distdir); chmod a+w $(distdir) + chmod -R a-w $(distdir); chmod u+w $(distdir) mkdir $(distdir)/_build mkdir $(distdir)/_inst chmod a-w $(distdir) 
@@ -742,19 +739,19 @@ uninstall-am: uninstall-docDATA .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am am--refresh check check-am clean clean-generic \ clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \ - dist-gzip dist-hook dist-lzma dist-shar dist-tarZ dist-xz \ - dist-zip distcheck distclean distclean-generic \ - distclean-libtool distclean-local distclean-tags \ - distcleancheck distdir distuninstallcheck dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-docDATA install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs installdirs-am \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am uninstall-docDATA + dist-gzip dist-lzma dist-shar dist-tarZ dist-xz dist-zip \ + distcheck distclean distclean-generic distclean-libtool \ + distclean-local distclean-tags distcleancheck distdir \ + distuninstallcheck dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am \ + install-docDATA install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs installdirs-am maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \ + uninstall uninstall-am uninstall-docDATA libtool: $(LIBTOOL_DEPS) $(SHELL) ./config.status libtool 
@@ -763,16 +760,18 @@ distclean-local: rm -rf autom4te.cache rm -f $(distdir)-installer.exe -dist-hook: - makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \ - -DDLLS=/usr/src/openssl-0.9.8s-fips/out32dll \ - $(srcdir)/tools/stunnel.nsi +#dist-hook: +# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \ +# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \ +# -DZLIB=/usr/src/zlib-1.2.6-i586 \ +# $(srcdir)/tools/stunnel.nsi + +# cp -f $(distdir)-installer.exe ../dist +# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe sign: dist cp -f $(distdir).tar.gz ../dist - cp -f $(distdir)-installer.exe ../dist gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz - gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256 # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/TODO b/TODO index 3a2a660..35d6f0a 100644 --- a/TODO +++ b/TODO @@ -3,6 +3,7 @@ stunnel TODO High priority features. They will likely be supported some day. A sponsor could allocate my time to get them faster. +* Perform protocol negotiations after SSL negotiations if possible. * Command-line server control interface on both Unix and Windows. * Separate GUI process running as current user on Windows. * Optional line-buffering of the log file. @@ -15,6 +16,7 @@ A sponsor could allocate my time to get them faster. * Configuration file option to limit the number of concurrent connections. * SOCKS 4 protocol support. http://archive.socks.permeo.com/protocol/socks4.protocol +* Option to redirect instead of rejecting connections on failed authentication. Low priority features. They will unlikely ever be supported. * Provide 64-bit Windows builds (besides 32-bit builds). 
@@ -23,6 +25,7 @@ Low priority features. They will unlikely ever be supported. * Service-level logging configuration (separate verbosity and destination). * Key renegotiation (re-handshake) for long connections. * Logging to NT EventLog on Windows. +* Log rotation on Windows. * Internationalization of logged messages (i18n). * Generic scripting engine instead or static protocol.c. @@ -32,8 +35,11 @@ Features I won't support, unless convinced otherwise by a wealthy sponsor. This feature is less useful since PROXY protocol support is available. - Support for adding X-Forwarded-For to SMTP email headers. This feature is most likely to be implemented as a separate proxy. -* Additional certificate checks (including wildcard comparison) based on CN - and X509v3 Subject Alternative Name. +* Additional certificate checks (including wildcard comparison) based on: + - CN (Common Name); + - SAN (Subject Alternative Name); + - O (Organization), and + - OU (Organizational Unit). * Set processes title that appear on the ps(1) and top(1) commands. I could not find a portable *and* non-copyleft library for it. diff --git a/build-android.sh b/build-android.sh index 49d64db..d46771c 100755 --- a/build-android.sh +++ b/build-android.sh @@ -1,6 +1,6 @@ #!/bin/sh set -ev -VERSION=4.53 +VERSION=4.57 DST=stunnel-$VERSION-android # to build Zlib: @@ -15,11 +15,14 @@ DST=stunnel-$VERSION-android # make # make install -./configure --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local --with-ssl=/opt/androideabi/sysroot +mkdir -p bin/android +cd bin/android +../../configure --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local --with-ssl=/opt/androideabi/sysroot make clean make +cd ../.. mkdir $DST -cp src/stunnel /opt/androideabi/sysroot/bin/openssl $DST +cp bin/android/src/stunnel /opt/androideabi/sysroot/bin/openssl $DST # arm-linux-androideabi-strip $DST/stunnel $DST/openssl arm-linux-androideabi-strip $DST/openssl zip -r $DST.zip $DST 
diff --git a/configure b/configure index 5585fe5..61e6e15 100755 --- a/configure +++ b/configure @@ -1,11 +1,9 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.67 for stunnel 4.53. +# Generated by GNU Autoconf 2.69 for stunnel 4.57. # # -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, -# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software -# Foundation, Inc. +# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # # # This configure script is free software; the Free Software Foundation @@ -89,6 +87,7 @@ fi IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. +as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR 
@@ -133,6 +132,31 @@ export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH +# Use a proper internal environment variable to ensure we don't fall + # into an infinite loop, continuously re-executing ourselves. + if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then + _as_can_reexec=no; export _as_can_reexec; + # We cannot yet assume a decent shell, so we have to provide a +# neutralization value for shells without unset; and this also +# works around shells that cannot unset nonexistent variables. +# Preserve -v and -x to the replacement shell. +BASH_ENV=/dev/null +ENV=/dev/null +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; +esac +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +# Admittedly, this is quite paranoid, since all the known shells bail +# out after a failed `exec'. +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +as_fn_exit 255 + fi + # We don't want this to propagate to other subprocesses. + { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh @@ -166,7 +190,8 @@ if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : else exitcode=1; echo positional parameters were not saved. fi -test x\$exitcode = x0 || exit 1" +test x\$exitcode = x0 || exit 1 +test -x / || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && 
@@ -211,14 +236,25 @@ IFS=$as_save_IFS if test "x$CONFIG_SHELL" != x; then : - # We cannot yet assume a decent shell, so we have to provide a - # neutralization value for shells without unset; and this also - # works around shells that cannot unset nonexistent variables. - BASH_ENV=/dev/null - ENV=/dev/null - (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV - export CONFIG_SHELL - exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} + export CONFIG_SHELL + # We cannot yet assume a decent shell, so we have to provide a +# neutralization value for shells without unset; and this also +# works around shells that cannot unset nonexistent variables. +# Preserve -v and -x to the replacement shell. +BASH_ENV=/dev/null +ENV=/dev/null +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; +esac +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +# Admittedly, this is quite paranoid, since all the known shells bail +# out after a failed `exec'. +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +exit 255 fi if test x$as_have_required = xno; then : @@ -320,6 +356,14 @@ $as_echo X"$as_dir" | } # as_fn_mkdir_p + +# as_fn_executable_p FILE +# ----------------------- +# Test if FILE is an executable regular file. +as_fn_executable_p () +{ + test -f "$1" && test -x "$1" +} # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take 
@@ -441,6 +485,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits chmod +x "$as_me.lineno" || { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } + # If we had to re-execute with $CONFIG_SHELL, we're ensured to have + # already done that, so ensure we don't try to do so again and fall + # in an infinite loop. This has already happened in practice. + _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). @@ -475,16 +523,16 @@ if (echo >conf$$.file) 2>/dev/null; then # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -p'. + # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -p' + as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else - as_ln_s='cp -p' + as_ln_s='cp -pR' fi else - as_ln_s='cp -p' + as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null @@ -496,28 +544,8 @@ else as_mkdir_p=false fi -if test -x / >/dev/null 2>&1; then - as_test_x='test -x' -else - if ls -dL / >/dev/null 2>&1; then - as_ls_L_option=L - else - as_ls_L_option= - fi - as_test_x=' - eval sh -c '\'' - if test -d "$1"; then - test -d "$1/."; - else - case $1 in #( - -*)set "./$1";; - esac; - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( - ???[sx]*):;;*)false;;esac;fi - '\'' sh - ' -fi -as_executable_p=$as_test_x +as_test_x='test -x' +as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" 
@@ -698,8 +726,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='stunnel' PACKAGE_TARNAME='stunnel' -PACKAGE_VERSION='4.53' -PACKAGE_STRING='stunnel 4.53' +PACKAGE_VERSION='4.57' +PACKAGE_STRING='stunnel 4.57' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1287,7 +1315,7 @@ Try \`$0 --help' for more information" $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 - : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option} + : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" ;; esac @@ -1338,8 +1366,6 @@ target=$target_alias if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe - $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. - If a cross compiler is detected then cross compile mode will be used" >&2 elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi @@ -1425,7 +1451,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures stunnel 4.53 to adapt to many kinds of systems. +\`configure' configures stunnel 4.57 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1495,7 +1521,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of stunnel 4.53:";; + short | recursive ) echo "Configuration of stunnel 4.57:";; esac cat <<\_ACEOF 
@@ -1601,10 +1627,10 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -stunnel configure 4.53 -generated by GNU Autoconf 2.67 +stunnel configure 4.57 +generated by GNU Autoconf 2.69 -Copyright (C) 2010 Free Software Foundation, Inc. +Copyright (C) 2012 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF @@ -1648,7 +1674,7 @@ sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_compile @@ -1680,7 +1706,7 @@ $as_echo "$ac_try_echo"; } >&5 test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext + test -x conftest$ac_exeext }; then : ac_retval=0 else @@ -1694,7 +1720,7 @@ fi # interfere with the next link command; also delete a directory that is # left behind by Apple's compiler. We do this before executing the actions. rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_link @@ -1708,7 +1734,7 @@ ac_fn_c_check_header_compile () as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } -if eval "test \"\${$3+set}\"" = set; then : +if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext 
@@ -1726,7 +1752,7 @@ fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile @@ -1762,7 +1788,7 @@ sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_cpp @@ -1804,7 +1830,7 @@ sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=$ac_status fi rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_run @@ -1817,7 +1843,7 @@ ac_fn_c_check_func () as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } -if eval "test \"\${$3+set}\"" = set; then : +if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -1872,7 +1898,7 @@ fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_func @@ -1893,7 +1919,8 @@ int main () { static int test_array [1 - 2 * !(($2) >= 0)]; -test_array [0] = 0 +test_array [0] = 0; +return test_array [0]; ; return 0; @@ -1909,7 +1936,8 @@ int main () { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; -test_array [0] = 0 +test_array [0] = 0; +return test_array [0]; ; return 0; 
@@ -1935,7 +1963,8 @@ int main () { static int test_array [1 - 2 * !(($2) < 0)]; -test_array [0] = 0 +test_array [0] = 0; +return test_array [0]; ; return 0; @@ -1951,7 +1980,8 @@ int main () { static int test_array [1 - 2 * !(($2) >= $ac_mid)]; -test_array [0] = 0 +test_array [0] = 0; +return test_array [0]; ; return 0; @@ -1985,7 +2015,8 @@ int main () { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; -test_array [0] = 0 +test_array [0] = 0; +return test_array [0]; ; return 0; @@ -2049,7 +2080,7 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ rm -f conftest.val fi - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_compute_int @@ -2063,7 +2094,7 @@ ac_fn_c_check_type () as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } -if eval "test \"\${$3+set}\"" = set; then : +if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=no" @@ -2104,7 +2135,7 @@ fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_type @@ -2116,10 +2147,10 @@ $as_echo "$ac_res" >&6; } ac_fn_c_check_header_mongrel () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - if eval "test \"\${$3+set}\"" = set; then : + if eval \${$3+:} false; then : { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } -if eval "test \"\${$3+set}\"" = set; then : +if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 fi eval ac_res=\$$3 
@@ -2182,7 +2213,7 @@ $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } -if eval "test \"\${$3+set}\"" = set; then : +if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=\$ac_header_compiler" @@ -2191,7 +2222,7 @@ eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } fi - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_mongrel @@ -2204,7 +2235,7 @@ ac_fn_c_check_member () as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5 $as_echo_n "checking for $2.$3... " >&6; } -if eval "test \"\${$4+set}\"" = set; then : +if eval \${$4+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -2248,15 +2279,15 @@ fi eval ac_res=\$$4 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_member cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by stunnel $as_me 4.53, which was -generated by GNU Autoconf 2.67. Invocation command line was +It was created by stunnel $as_me 4.57, which was +generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ 
@@ -2514,7 +2545,7 @@ $as_echo "$as_me: loading site script $ac_site_file" >&6;} || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "failed to load site script $ac_site_file -See \`config.log' for more details" "$LINENO" 5 ; } +See \`config.log' for more details" "$LINENO" 5; } fi done @@ -2654,7 +2685,7 @@ am__api_version='1.11' { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 $as_echo_n "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then -if test "${ac_cv_path_install+set}" = set; then : +if ${ac_cv_path_install+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR @@ -2674,7 +2705,7 @@ case $as_dir/ in #(( # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then if test $ac_prog = install && grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. @@ -2741,11 +2772,11 @@ am_lf=' ' case `pwd` in *[\\\"\#\$\&\'\`$am_lf]*) - as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5 ;; + as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5;; esac case $srcdir in *[\\\"\#\$\&\'\`$am_lf\ \ ]*) - as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5 ;; + as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5;; esac # Do `set' in a subshell so we don't clobber the current shell's 
@@ -2831,7 +2862,7 @@ if test "$cross_compiling" != no; then set dummy ${ac_tool_prefix}strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_STRIP+set}" = set; then : +if ${ac_cv_prog_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$STRIP"; then @@ -2843,7 +2874,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -2871,7 +2902,7 @@ if test -z "$ac_cv_prog_STRIP"; then set dummy strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then : +if ${ac_cv_prog_ac_ct_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_STRIP"; then @@ -2883,7 +2914,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_STRIP="strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -2924,7 +2955,7 @@ INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5 $as_echo_n "checking for a thread-safe mkdir -p... " >&6; } if test -z "$MKDIR_P"; then - if test "${ac_cv_path_mkdir+set}" = set; then : + if ${ac_cv_path_mkdir+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR 
@@ -2934,7 +2965,7 @@ do test -z "$as_dir" && as_dir=. for ac_prog in mkdir gmkdir; do for ac_exec_ext in '' $ac_executable_extensions; do - { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue + as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( 'mkdir (GNU coreutils) '* | \ 'mkdir (coreutils) '* | \ @@ -2975,7 +3006,7 @@ do set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_AWK+set}" = set; then : +if ${ac_cv_prog_AWK+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$AWK"; then @@ -2987,7 +3018,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_AWK="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -3015,7 +3046,7 @@ done $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` -if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\"" = set; then : +if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF @@ -3073,7 +3104,7 @@ fi # Define the identity of the package. PACKAGE=stunnel - VERSION=4.53 + VERSION=4.57 cat >>confdefs.h <<_ACEOF @@ -3126,7 +3157,7 @@ $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 $as_echo_n "checking build system type... " >&6; } -if test "${ac_cv_build+set}" = set; then : +if ${ac_cv_build+:} false; then : $as_echo_n "(cached) " >&6 else ac_build_alias=$build_alias 
@@ -3142,7 +3173,7 @@ fi $as_echo "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; -*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5 ;; +*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;; esac build=$ac_cv_build ac_save_IFS=$IFS; IFS='-' @@ -3160,7 +3191,7 @@ case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 $as_echo_n "checking host system type... " >&6; } -if test "${ac_cv_host+set}" = set; then : +if ${ac_cv_host+:} false; then : $as_echo_n "(cached) " >&6 else if test "x$host_alias" = x; then @@ -3175,7 +3206,7 @@ fi $as_echo "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; -*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5 ;; +*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; esac host=$ac_cv_host ac_save_IFS=$IFS; IFS='-' @@ -3221,7 +3252,7 @@ if test -n "$ac_tool_prefix"; then set dummy ${ac_tool_prefix}gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then @@ -3233,7 +3264,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -3261,7 +3292,7 @@ if test -z "$ac_cv_prog_CC"; then set dummy gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : +if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then @@ -3273,7 +3304,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -3314,7 +3345,7 @@ if test -z "$CC"; then set dummy ${ac_tool_prefix}cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then @@ -3326,7 +3357,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -3354,7 +3385,7 @@ if test -z "$CC"; then set dummy cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then 
@@ -3367,7 +3398,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue @@ -3413,7 +3444,7 @@ if test -z "$CC"; then set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then @@ -3425,7 +3456,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -3457,7 +3488,7 @@ do set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : +if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then @@ -3469,7 +3500,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -3512,7 +3543,7 @@ fi test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH -See \`config.log' for more details" "$LINENO" 5 ; } +See \`config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 @@ -3627,7 +3658,7 @@ sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "C compiler cannot create executables -See \`config.log' for more details" "$LINENO" 5 ; } +See \`config.log' for more details" "$LINENO" 5; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } @@ -3670,7 +3701,7 @@ else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of executables: cannot compile and link -See \`config.log' for more details" "$LINENO" 5 ; } +See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest conftest$ac_cv_exeext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 @@ -3729,7 +3760,7 @@ $as_echo "$ac_try_echo"; } >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot run C compiled programs. If you meant to cross compile, use \`--host'. -See \`config.log' for more details" "$LINENO" 5 ; } +See \`config.log' for more details" "$LINENO" 5; } fi fi fi 
@@ -3740,7 +3771,7 @@ rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 $as_echo_n "checking for suffix of object files... " >&6; } -if test "${ac_cv_objext+set}" = set; then : +if ${ac_cv_objext+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -3781,7 +3812,7 @@ sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of object files: cannot compile -See \`config.log' for more details" "$LINENO" 5 ; } +See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest.$ac_cv_objext conftest.$ac_ext fi @@ -3791,7 +3822,7 @@ OBJEXT=$ac_cv_objext ac_objext=$OBJEXT { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } -if test "${ac_cv_c_compiler_gnu+set}" = set; then : +if ${ac_cv_c_compiler_gnu+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -3828,7 +3859,7 @@ ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } -if test "${ac_cv_prog_cc_g+set}" = set; then : +if ${ac_cv_prog_cc_g+:} false; then : $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag @@ -3906,7 +3937,7 @@ else fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } -if test "${ac_cv_prog_cc_c89+set}" = set; then : +if ${ac_cv_prog_cc_c89+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no 
@@ -3915,8 +3946,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include -#include -#include +struct stat; /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); @@ -4067,7 +4097,7 @@ depcc="$CC" am_compiler_list= { $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5 $as_echo_n "checking dependency style of $depcc... " >&6; } -if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then : +if ${am_cv_CC_dependencies_compiler_type+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then @@ -4199,7 +4229,7 @@ $as_echo_n "checking whether cc understands -c and -o together... " >&6; } fi set dummy $CC; ac_cc=`$as_echo "$2" | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'` -if eval "test \"\${ac_cv_prog_cc_${ac_cc}_c_o+set}\"" = set; then : +if eval \${ac_cv_prog_cc_${ac_cc}_c_o+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -4321,7 +4351,7 @@ fi $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` -if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\"" = set; then : +if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF @@ -4538,7 +4568,7 @@ ltmain="$ac_aux_dir/ltmain.sh" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5 $as_echo_n "checking for a sed that does not truncate output... " >&6; } -if test "${ac_cv_path_SED+set}" = set; then : +if ${ac_cv_path_SED+:} false; then : $as_echo_n "(cached) " >&6 else ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ 
@@ -4558,7 +4588,7 @@ do for ac_prog in sed gsed; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_SED="$as_dir/$ac_prog$ac_exec_ext" - { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue + as_fn_executable_p "$ac_path_SED" || continue # Check for GNU ac_path_SED and select it if it is found. # Check for GNU $ac_path_SED case `"$ac_path_SED" --version 2>&1` in @@ -4620,7 +4650,7 @@ Xsed="$SED -e 1s/^X//" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 $as_echo_n "checking for grep that handles long lines and -e... " >&6; } -if test "${ac_cv_path_GREP+set}" = set; then : +if ${ac_cv_path_GREP+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$GREP"; then @@ -4634,7 +4664,7 @@ do for ac_prog in grep ggrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" - { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue + as_fn_executable_p "$ac_path_GREP" || continue # Check for GNU ac_path_GREP and select it if it is found. # Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in @@ -4683,7 +4713,7 @@ $as_echo "$ac_cv_path_GREP" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 $as_echo_n "checking for egrep... " >&6; } -if test "${ac_cv_path_EGREP+set}" = set; then : +if ${ac_cv_path_EGREP+:} false; then : $as_echo_n "(cached) " >&6 else if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 @@ -4700,7 +4730,7 @@ do for ac_prog in egrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" - { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue + as_fn_executable_p "$ac_path_EGREP" || continue # Check for GNU ac_path_EGREP and select it if it is found. # Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in 
@@ -4750,7 +4780,7 @@ $as_echo "$ac_cv_path_EGREP" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for fgrep" >&5 $as_echo_n "checking for fgrep... " >&6; } -if test "${ac_cv_path_FGREP+set}" = set; then : +if ${ac_cv_path_FGREP+:} false; then : $as_echo_n "(cached) " >&6 else if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1 @@ -4767,7 +4797,7 @@ do for ac_prog in fgrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext" - { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue + as_fn_executable_p "$ac_path_FGREP" || continue # Check for GNU ac_path_FGREP and select it if it is found. # Check for GNU $ac_path_FGREP case `"$ac_path_FGREP" --version 2>&1` in @@ -4881,7 +4911,7 @@ else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for non-GNU ld" >&5 $as_echo_n "checking for non-GNU ld... " >&6; } fi -if test "${lt_cv_path_LD+set}" = set; then : +if ${lt_cv_path_LD+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$LD"; then @@ -4921,7 +4951,7 @@ fi test -z "$LD" && as_fn_error $? "no acceptable ld found in \$PATH" "$LINENO" 5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5 $as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; } -if test "${lt_cv_prog_gnu_ld+set}" = set; then : +if ${lt_cv_prog_gnu_ld+:} false; then : $as_echo_n "(cached) " >&6 else # I'd rather use --version here, but apparently some GNU lds only accept -v. @@ -4948,7 +4978,7 @@ with_gnu_ld=$lt_cv_prog_gnu_ld { $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD- or MS-compatible name lister (nm)" >&5 $as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; } -if test "${lt_cv_path_NM+set}" = set; then : +if ${lt_cv_path_NM+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$NM"; then 
@@ -5008,7 +5038,7 @@ else set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_DUMPBIN+set}" = set; then : +if ${ac_cv_prog_DUMPBIN+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$DUMPBIN"; then @@ -5020,7 +5050,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5052,7 +5082,7 @@ do set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then : +if ${ac_cv_prog_ac_ct_DUMPBIN+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_DUMPBIN"; then @@ -5064,7 +5094,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_DUMPBIN="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -5115,18 +5145,18 @@ test -z "$NM" && NM=nm { $as_echo "$as_me:${as_lineno-$LINENO}: checking the name lister ($NM) interface" >&5 $as_echo_n "checking the name lister ($NM) interface... " >&6; } -if test "${lt_cv_nm_interface+set}" = set; then : +if ${lt_cv_nm_interface+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:5123: $ac_compile\"" >&5) + (eval echo "\"\$as_me:5153: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:5126: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:5156: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:5129: output\"" >&5) + (eval echo "\"\$as_me:5159: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -5150,7 +5180,7 @@ fi # find the maximum length of command line arguments { $as_echo "$as_me:${as_lineno-$LINENO}: checking the maximum length of command line arguments" >&5 $as_echo_n "checking the maximum length of command line arguments... " >&6; } -if test "${lt_cv_sys_max_cmd_len+set}" = set; then : +if ${lt_cv_sys_max_cmd_len+:} false; then : $as_echo_n "(cached) " >&6 else i=0 @@ -5342,7 +5372,7 @@ esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $LD option to reload object files" >&5 $as_echo_n "checking for $LD option to reload object files... " >&6; } -if test "${lt_cv_ld_reload_flag+set}" = set; then : +if ${lt_cv_ld_reload_flag+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_ld_reload_flag='-r' 
@@ -5378,7 +5408,7 @@ if test -n "$ac_tool_prefix"; then set dummy ${ac_tool_prefix}objdump; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_OBJDUMP+set}" = set; then : +if ${ac_cv_prog_OBJDUMP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$OBJDUMP"; then @@ -5390,7 +5420,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5418,7 +5448,7 @@ if test -z "$ac_cv_prog_OBJDUMP"; then set dummy objdump; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then : +if ${ac_cv_prog_ac_ct_OBJDUMP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OBJDUMP"; then @@ -5430,7 +5460,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_OBJDUMP="objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5477,7 +5507,7 @@ test -z "$OBJDUMP" && OBJDUMP=objdump { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to recognize dependent libraries" >&5 $as_echo_n "checking how to recognize dependent libraries... " >&6; } -if test "${lt_cv_deplibs_check_method+set}" = set; then : +if ${lt_cv_deplibs_check_method+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_file_magic_cmd='$MAGIC_CMD' 
@@ -5693,7 +5723,7 @@ if test -n "$ac_tool_prefix"; then set dummy ${ac_tool_prefix}ar; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_AR+set}" = set; then : +if ${ac_cv_prog_AR+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$AR"; then @@ -5705,7 +5735,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_AR="${ac_tool_prefix}ar" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5733,7 +5763,7 @@ if test -z "$ac_cv_prog_AR"; then set dummy ar; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_AR+set}" = set; then : +if ${ac_cv_prog_ac_ct_AR+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_AR"; then @@ -5745,7 +5775,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_AR="ar" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5798,7 +5828,7 @@ if test -n "$ac_tool_prefix"; then set dummy ${ac_tool_prefix}strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_STRIP+set}" = set; then : +if ${ac_cv_prog_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$STRIP"; then 
@@ -5810,7 +5840,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5838,7 +5868,7 @@ if test -z "$ac_cv_prog_STRIP"; then set dummy strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then : +if ${ac_cv_prog_ac_ct_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_STRIP"; then @@ -5850,7 +5880,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_STRIP="strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5897,7 +5927,7 @@ if test -n "$ac_tool_prefix"; then set dummy ${ac_tool_prefix}ranlib; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_RANLIB+set}" = set; then : +if ${ac_cv_prog_RANLIB+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$RANLIB"; then @@ -5909,7 +5939,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -5937,7 +5967,7 @@ if test -z "$ac_cv_prog_RANLIB"; then set dummy ranlib; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then : +if ${ac_cv_prog_ac_ct_RANLIB+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_RANLIB"; then @@ -5949,7 +5979,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_RANLIB="ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6054,7 +6084,7 @@ compiler=$CC # Check for command to grab the raw symbol name followed by C symbol from nm. { $as_echo "$as_me:${as_lineno-$LINENO}: checking command to parse $NM output from $compiler object" >&5 $as_echo_n "checking command to parse $NM output from $compiler object... " >&6; } -if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then : +if ${lt_cv_sys_global_symbol_pipe+:} false; then : $as_echo_n "(cached) " >&6 else @@ -6331,7 +6361,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 6334 "configure"' > conftest.$ac_ext + echo '#line 6364 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -6425,7 +6455,7 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) CFLAGS="$CFLAGS -belf" { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler needs -belf" >&5 $as_echo_n "checking whether the C compiler needs -belf... " >&6; } -if test "${lt_cv_cc_needs_belf+set}" = set; then : +if ${lt_cv_cc_needs_belf+:} false; then : $as_echo_n "(cached) " >&6 else ac_ext=c 
@@ -6501,7 +6531,7 @@ need_locks="$enable_libtool_lock" set dummy ${ac_tool_prefix}dsymutil; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_DSYMUTIL+set}" = set; then : +if ${ac_cv_prog_DSYMUTIL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$DSYMUTIL"; then @@ -6513,7 +6543,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6541,7 +6571,7 @@ if test -z "$ac_cv_prog_DSYMUTIL"; then set dummy dsymutil; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then : +if ${ac_cv_prog_ac_ct_DSYMUTIL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_DSYMUTIL"; then @@ -6553,7 +6583,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_DSYMUTIL="dsymutil" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6593,7 +6623,7 @@ fi set dummy ${ac_tool_prefix}nmedit; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_NMEDIT+set}" = set; then : +if ${ac_cv_prog_NMEDIT+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$NMEDIT"; then 
@@ -6605,7 +6635,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6633,7 +6663,7 @@ if test -z "$ac_cv_prog_NMEDIT"; then set dummy nmedit; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then : +if ${ac_cv_prog_ac_ct_NMEDIT+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_NMEDIT"; then @@ -6645,7 +6675,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_NMEDIT="nmedit" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6685,7 +6715,7 @@ fi set dummy ${ac_tool_prefix}lipo; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_LIPO+set}" = set; then : +if ${ac_cv_prog_LIPO+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$LIPO"; then @@ -6697,7 +6727,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_LIPO="${ac_tool_prefix}lipo" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -6725,7 +6755,7 @@ if test -z "$ac_cv_prog_LIPO"; then set dummy lipo; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then : +if ${ac_cv_prog_ac_ct_LIPO+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_LIPO"; then @@ -6737,7 +6767,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_LIPO="lipo" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6777,7 +6807,7 @@ fi set dummy ${ac_tool_prefix}otool; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_OTOOL+set}" = set; then : +if ${ac_cv_prog_OTOOL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$OTOOL"; then @@ -6789,7 +6819,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_OTOOL="${ac_tool_prefix}otool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6817,7 +6847,7 @@ if test -z "$ac_cv_prog_OTOOL"; then set dummy otool; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then : +if ${ac_cv_prog_ac_ct_OTOOL+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OTOOL"; then 
@@ -6829,7 +6859,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_OTOOL="otool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6869,7 +6899,7 @@ fi set dummy ${ac_tool_prefix}otool64; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_OTOOL64+set}" = set; then : +if ${ac_cv_prog_OTOOL64+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$OTOOL64"; then @@ -6881,7 +6911,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6909,7 +6939,7 @@ if test -z "$ac_cv_prog_OTOOL64"; then set dummy otool64; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then : +if ${ac_cv_prog_ac_ct_OTOOL64+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OTOOL64"; then @@ -6921,7 +6951,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_OTOOL64="otool64" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -6984,7 +7014,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -single_module linker flag" >&5 $as_echo_n "checking for -single_module linker flag... " >&6; } -if test "${lt_cv_apple_cc_single_mod+set}" = set; then : +if ${lt_cv_apple_cc_single_mod+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_apple_cc_single_mod=no @@ -7013,7 +7043,7 @@ fi $as_echo "$lt_cv_apple_cc_single_mod" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; } -if test "${lt_cv_ld_exported_symbols_list+set}" = set; then : +if ${lt_cv_ld_exported_symbols_list+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_ld_exported_symbols_list=no @@ -7090,7 +7120,7 @@ if test -n "$CPP" && test -d "$CPP"; then CPP= fi if test -z "$CPP"; then - if test "${ac_cv_prog_CPP+set}" = set; then : + if ${ac_cv_prog_CPP+:} false; then : $as_echo_n "(cached) " >&6 else # Double quotes because CPP needs to be expanded @@ -7206,7 +7236,7 @@ else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "C preprocessor \"$CPP\" fails sanity check -See \`config.log' for more details" "$LINENO" 5 ; } +See \`config.log' for more details" "$LINENO" 5; } fi ac_ext=c @@ -7218,7 +7248,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } -if test "${ac_cv_header_stdc+set}" = set; then : +if ${ac_cv_header_stdc+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext 
@@ -7349,7 +7379,7 @@ for ac_header in dlfcn.h do : ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default " -if test "x$ac_cv_header_dlfcn_h" = x""yes; then : +if test "x$ac_cv_header_dlfcn_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_DLFCN_H 1 _ACEOF @@ -7532,7 +7562,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for objdir" >&5 $as_echo_n "checking for objdir... " >&6; } -if test "${lt_cv_objdir+set}" = set; then : +if ${lt_cv_objdir+:} false; then : $as_echo_n "(cached) " >&6 else rm -f .libs 2>/dev/null @@ -7640,7 +7670,7 @@ file_magic*) if test "$file_magic_cmd" = '$MAGIC_CMD'; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${ac_tool_prefix}file" >&5 $as_echo_n "checking for ${ac_tool_prefix}file... " >&6; } -if test "${lt_cv_path_MAGIC_CMD+set}" = set; then : +if ${lt_cv_path_MAGIC_CMD+:} false; then : $as_echo_n "(cached) " >&6 else case $MAGIC_CMD in @@ -7706,7 +7736,7 @@ if test -z "$lt_cv_path_MAGIC_CMD"; then if test -n "$ac_tool_prefix"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for file" >&5 $as_echo_n "checking for file... " >&6; } -if test "${lt_cv_path_MAGIC_CMD+set}" = set; then : +if ${lt_cv_path_MAGIC_CMD+:} false; then : $as_echo_n "(cached) " >&6 else case $MAGIC_CMD in @@ -7843,7 +7873,7 @@ if test "$GCC" = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 $as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; } -if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then : +if ${lt_cv_prog_compiler_rtti_exceptions+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_rtti_exceptions=no 
@@ -7859,11 +7889,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7862: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7892: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7866: \$? = $ac_status" >&5 + echo "$as_me:7896: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -8182,7 +8212,7 @@ $as_echo "$lt_prog_compiler_pic" >&6; } if test -n "$lt_prog_compiler_pic"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5 $as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; } -if test "${lt_cv_prog_compiler_pic_works+set}" = set; then : +if ${lt_cv_prog_compiler_pic_works+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_pic_works=no @@ -8198,11 +8228,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8201: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8231: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8205: \$? = $ac_status" >&5 + echo "$as_me:8235: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -8241,7 +8271,7 @@ fi wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\" { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler static flag $lt_tmp_static_flag works" >&5 $as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; } -if test "${lt_cv_prog_compiler_static_works+set}" = set; then : +if ${lt_cv_prog_compiler_static_works+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_static_works=no @@ -8284,7 +8314,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; } -if test "${lt_cv_prog_compiler_c_o+set}" = set; then : +if ${lt_cv_prog_compiler_c_o+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_c_o=no @@ -8303,11 +8333,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8306: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8336: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8310: \$? = $ac_status" >&5 + echo "$as_me:8340: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -8339,7 +8369,7 @@ $as_echo "$lt_cv_prog_compiler_c_o" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; } -if test "${lt_cv_prog_compiler_c_o+set}" = set; then : +if ${lt_cv_prog_compiler_c_o+:} false; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_c_o=no 
@@ -8358,11 +8388,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8361: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8391: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8365: \$? = $ac_status" >&5 + echo "$as_me:8395: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10484,7 +10514,7 @@ else # if libdl is installed we need to link against it { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 $as_echo_n "checking for dlopen in -ldl... " >&6; } -if test "${ac_cv_lib_dl_dlopen+set}" = set; then : +if ${ac_cv_lib_dl_dlopen+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS @@ -10518,7 +10548,7 @@ LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 $as_echo "$ac_cv_lib_dl_dlopen" >&6; } -if test "x$ac_cv_lib_dl_dlopen" = x""yes; then : +if test "x$ac_cv_lib_dl_dlopen" = xyes; then : lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" else @@ -10532,12 +10562,12 @@ fi *) ac_fn_c_check_func "$LINENO" "shl_load" "ac_cv_func_shl_load" -if test "x$ac_cv_func_shl_load" = x""yes; then : +if test "x$ac_cv_func_shl_load" = xyes; then : lt_cv_dlopen="shl_load" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5 $as_echo_n "checking for shl_load in -ldld... " >&6; } -if test "${ac_cv_lib_dld_shl_load+set}" = set; then : +if ${ac_cv_lib_dld_shl_load+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS 
@@ -10571,16 +10601,16 @@ LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5 $as_echo "$ac_cv_lib_dld_shl_load" >&6; } -if test "x$ac_cv_lib_dld_shl_load" = x""yes; then : +if test "x$ac_cv_lib_dld_shl_load" = xyes; then : lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld" else ac_fn_c_check_func "$LINENO" "dlopen" "ac_cv_func_dlopen" -if test "x$ac_cv_func_dlopen" = x""yes; then : +if test "x$ac_cv_func_dlopen" = xyes; then : lt_cv_dlopen="dlopen" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 $as_echo_n "checking for dlopen in -ldl... " >&6; } -if test "${ac_cv_lib_dl_dlopen+set}" = set; then : +if ${ac_cv_lib_dl_dlopen+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS @@ -10614,12 +10644,12 @@ LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 $as_echo "$ac_cv_lib_dl_dlopen" >&6; } -if test "x$ac_cv_lib_dl_dlopen" = x""yes; then : +if test "x$ac_cv_lib_dl_dlopen" = xyes; then : lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -lsvld" >&5 $as_echo_n "checking for dlopen in -lsvld... " >&6; } -if test "${ac_cv_lib_svld_dlopen+set}" = set; then : +if ${ac_cv_lib_svld_dlopen+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS 
@@ -10653,12 +10683,12 @@ LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_svld_dlopen" >&5 $as_echo "$ac_cv_lib_svld_dlopen" >&6; } -if test "x$ac_cv_lib_svld_dlopen" = x""yes; then : +if test "x$ac_cv_lib_svld_dlopen" = xyes; then : lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dld_link in -ldld" >&5 $as_echo_n "checking for dld_link in -ldld... " >&6; } -if test "${ac_cv_lib_dld_dld_link+set}" = set; then : +if ${ac_cv_lib_dld_dld_link+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS @@ -10692,7 +10722,7 @@ LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_dld_link" >&5 $as_echo "$ac_cv_lib_dld_dld_link" >&6; } -if test "x$ac_cv_lib_dld_dld_link" = x""yes; then : +if test "x$ac_cv_lib_dld_dld_link" = xyes; then : lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld" fi @@ -10733,7 +10763,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a program can dlopen itself" >&5 $as_echo_n "checking whether a program can dlopen itself... " >&6; } -if test "${lt_cv_dlopen_self+set}" = set; then : +if ${lt_cv_dlopen_self+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : @@ -10742,7 +10772,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10745 "configure" +#line 10775 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -10829,7 +10859,7 @@ $as_echo "$lt_cv_dlopen_self" >&6; } wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a statically linked program can dlopen itself" >&5 $as_echo_n "checking whether a statically linked program can dlopen itself... " >&6; } -if test "${lt_cv_dlopen_self_static+set}" = set; then : +if ${lt_cv_dlopen_self_static+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : @@ -10838,7 +10868,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10841 "configure" +#line 10871 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -11075,7 +11105,7 @@ $as_echo "$as_me: **************************************** types" >&6;} # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned char" >&5 $as_echo_n "checking size of unsigned char... " >&6; } -if test "${ac_cv_sizeof_unsigned_char+set}" = set; then : +if ${ac_cv_sizeof_unsigned_char+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned char))" "ac_cv_sizeof_unsigned_char" "$ac_includes_default"; then : @@ -11085,7 +11115,7 @@ else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (unsigned char) -See \`config.log' for more details" "$LINENO" 5 ; } +See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_unsigned_char=0 fi 
@@ -11108,7 +11138,7 @@ _ACEOF # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned short" >&5 $as_echo_n "checking size of unsigned short... " >&6; } -if test "${ac_cv_sizeof_unsigned_short+set}" = set; then : +if ${ac_cv_sizeof_unsigned_short+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned short))" "ac_cv_sizeof_unsigned_short" "$ac_includes_default"; then : @@ -11118,7 +11148,7 @@ else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (unsigned short) -See \`config.log' for more details" "$LINENO" 5 ; } +See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_unsigned_short=0 fi @@ -11141,7 +11171,7 @@ _ACEOF # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned int" >&5 $as_echo_n "checking size of unsigned int... " >&6; } -if test "${ac_cv_sizeof_unsigned_int+set}" = set; then : +if ${ac_cv_sizeof_unsigned_int+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned int))" "ac_cv_sizeof_unsigned_int" "$ac_includes_default"; then : @@ -11151,7 +11181,7 @@ else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (unsigned int) -See \`config.log' for more details" "$LINENO" 5 ; } +See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_unsigned_int=0 fi 
@@ -11174,7 +11204,7 @@ _ACEOF # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned long" >&5 $as_echo_n "checking size of unsigned long... " >&6; } -if test "${ac_cv_sizeof_unsigned_long+set}" = set; then : +if ${ac_cv_sizeof_unsigned_long+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned long))" "ac_cv_sizeof_unsigned_long" "$ac_includes_default"; then : @@ -11184,7 +11214,7 @@ else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (unsigned long) -See \`config.log' for more details" "$LINENO" 5 ; } +See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_unsigned_long=0 fi @@ -11225,7 +11255,7 @@ rm -f conftest* ac_fn_c_check_type "$LINENO" "struct sockaddr_un" "ac_cv_type_struct_sockaddr_un" "#include " -if test "x$ac_cv_type_struct_sockaddr_un" = x""yes; then : +if test "x$ac_cv_type_struct_sockaddr_un" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STRUCT_SOCKADDR_UN 1 @@ -11236,7 +11266,7 @@ fi ac_fn_c_check_type "$LINENO" "struct addrinfo" "ac_cv_type_struct_addrinfo" "#include " -if test "x$ac_cv_type_struct_addrinfo" = x""yes; then : +if test "x$ac_cv_type_struct_addrinfo" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STRUCT_ADDRINFO 1 @@ -11252,7 +11282,7 @@ if test "$cross_compiling" = "no"; then as_ac_File=`$as_echo "ac_cv_file_"/dev/ptmx"" | $as_tr_sh` { $as_echo "$as_me:${as_lineno-$LINENO}: checking for \"/dev/ptmx\"" >&5 $as_echo_n "checking for \"/dev/ptmx\"... " >&6; } -if eval "test \"\${$as_ac_File+set}\"" = set; then : +if eval \${$as_ac_File+:} false; then : $as_echo_n "(cached) " >&6 else test "$cross_compiling" = yes && 
@@ -11275,7 +11305,7 @@ fi as_ac_File=`$as_echo "ac_cv_file_"/dev/ptc"" | $as_tr_sh` { $as_echo "$as_me:${as_lineno-$LINENO}: checking for \"/dev/ptc\"" >&5 $as_echo_n "checking for \"/dev/ptc\"... " >&6; } -if eval "test \"\${$as_ac_File+set}\"" = set; then : +if eval \${$as_ac_File+:} false; then : $as_echo_n "(cached) " >&6 else test "$cross_compiling" = yes && @@ -11330,7 +11360,7 @@ else as_ac_File=`$as_echo "ac_cv_file_"/dev/urandom"" | $as_tr_sh` { $as_echo "$as_me:${as_lineno-$LINENO}: checking for \"/dev/urandom\"" >&5 $as_echo_n "checking for \"/dev/urandom\"... " >&6; } -if eval "test \"\${$as_ac_File+set}\"" = set; then : +if eval \${$as_ac_File+:} false; then : $as_echo_n "(cached) " >&6 else test "$cross_compiling" = yes && @@ -11416,7 +11446,7 @@ $ac_includes_default #include " -if test "x$ac_cv_member_struct_msghdr_msg_control" = x""yes; then : +if test "x$ac_cv_member_struct_msghdr_msg_control" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STRUCT_MSGHDR_MSG_CONTROL 1 @@ -11436,7 +11466,7 @@ do : #include " -if test "x$ac_cv_header_linux_netfilter_ipv4_h" = x""yes; then : +if test "x$ac_cv_header_linux_netfilter_ipv4_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LINUX_NETFILTER_IPV4_H 1 _ACEOF @@ -11451,7 +11481,7 @@ $as_echo "$as_me: **************************************** libraries" >&6;} # Checks for standard libraries { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing gethostbyname" >&5 $as_echo_n "checking for library containing gethostbyname... " >&6; } -if test "${ac_cv_search_gethostbyname+set}" = set; then : +if ${ac_cv_search_gethostbyname+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS 
@@ -11485,11 +11515,11 @@ for ac_lib in '' nsl; do fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext - if test "${ac_cv_search_gethostbyname+set}" = set; then : + if ${ac_cv_search_gethostbyname+:} false; then : break fi done -if test "${ac_cv_search_gethostbyname+set}" = set; then : +if ${ac_cv_search_gethostbyname+:} false; then : else ac_cv_search_gethostbyname=no @@ -11507,7 +11537,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing yp_get_default_domain" >&5 $as_echo_n "checking for library containing yp_get_default_domain... " >&6; } -if test "${ac_cv_search_yp_get_default_domain+set}" = set; then : +if ${ac_cv_search_yp_get_default_domain+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS @@ -11541,11 +11571,11 @@ for ac_lib in '' nsl; do fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext - if test "${ac_cv_search_yp_get_default_domain+set}" = set; then : + if ${ac_cv_search_yp_get_default_domain+:} false; then : break fi done -if test "${ac_cv_search_yp_get_default_domain+set}" = set; then : +if ${ac_cv_search_yp_get_default_domain+:} false; then : else ac_cv_search_yp_get_default_domain=no @@ -11563,7 +11593,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing socket" >&5 $as_echo_n "checking for library containing socket... " >&6; } -if test "${ac_cv_search_socket+set}" = set; then : +if ${ac_cv_search_socket+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS @@ -11597,11 +11627,11 @@ for ac_lib in '' socket; do fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext - if test "${ac_cv_search_socket+set}" = set; then : + if ${ac_cv_search_socket+:} false; then : break fi done -if test "${ac_cv_search_socket+set}" = set; then : +if ${ac_cv_search_socket+:} false; then : else ac_cv_search_socket=no 
@@ -11619,7 +11649,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing openpty" >&5 $as_echo_n "checking for library containing openpty... " >&6; } -if test "${ac_cv_search_openpty+set}" = set; then : +if ${ac_cv_search_openpty+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS @@ -11653,11 +11683,11 @@ for ac_lib in '' util; do fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext - if test "${ac_cv_search_openpty+set}" = set; then : + if ${ac_cv_search_openpty+:} false; then : break fi done -if test "${ac_cv_search_openpty+set}" = set; then : +if ${ac_cv_search_openpty+:} false; then : else ac_cv_search_openpty=no @@ -11676,7 +11706,7 @@ fi # Checks for dynamic loader and zlib needed by OpenSSL { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5 $as_echo_n "checking for library containing dlopen... " >&6; } -if test "${ac_cv_search_dlopen+set}" = set; then : +if ${ac_cv_search_dlopen+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS @@ -11710,11 +11740,11 @@ for ac_lib in '' dl; do fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext - if test "${ac_cv_search_dlopen+set}" = set; then : + if ${ac_cv_search_dlopen+:} false; then : break fi done -if test "${ac_cv_search_dlopen+set}" = set; then : +if ${ac_cv_search_dlopen+:} false; then : else ac_cv_search_dlopen=no @@ -11732,7 +11762,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing shl_load" >&5 $as_echo_n "checking for library containing shl_load... " >&6; } -if test "${ac_cv_search_shl_load+set}" = set; then : +if ${ac_cv_search_shl_load+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS 
@@ -11766,11 +11796,11 @@ for ac_lib in '' dld; do fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext - if test "${ac_cv_search_shl_load+set}" = set; then : + if ${ac_cv_search_shl_load+:} false; then : break fi done -if test "${ac_cv_search_shl_load+set}" = set; then : +if ${ac_cv_search_shl_load+:} false; then : else ac_cv_search_shl_load=no @@ -11788,7 +11818,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing inflateEnd" >&5 $as_echo_n "checking for library containing inflateEnd... " >&6; } -if test "${ac_cv_search_inflateEnd+set}" = set; then : +if ${ac_cv_search_inflateEnd+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS @@ -11822,11 +11852,11 @@ for ac_lib in '' z; do fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext - if test "${ac_cv_search_inflateEnd+set}" = set; then : + if ${ac_cv_search_inflateEnd+:} false; then : break fi done -if test "${ac_cv_search_inflateEnd+set}" = set; then : +if ${ac_cv_search_inflateEnd+:} false; then : else ac_cv_search_inflateEnd=no @@ -11855,7 +11885,7 @@ checkpthreadlib() { : # 1. BSD hack: attempt to use alternative libc implementation if available { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5 $as_echo_n "checking for pthread_create in -lc_r... " >&6; } -if test "${ac_cv_lib_c_r_pthread_create+set}" = set; then : +if ${ac_cv_lib_c_r_pthread_create+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS @@ -11889,7 +11919,7 @@ LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5 $as_echo "$ac_cv_lib_c_r_pthread_create" >&6; } -if test "x$ac_cv_lib_c_r_pthread_create" = x""yes; then : +if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then : LIBS="$LIBS -pthread" HAVE_LIBPTHREAD="yes" 
@@ -11904,7 +11934,7 @@ fi # 2. try to use from standard libc (required by Android and possibly other platforms) { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5 $as_echo_n "checking for pthread_create in -lc... " >&6; } -if test "${ac_cv_lib_c_pthread_create+set}" = set; then : +if ${ac_cv_lib_c_pthread_create+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS @@ -11938,7 +11968,7 @@ LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_create" >&5 $as_echo "$ac_cv_lib_c_pthread_create" >&6; } -if test "x$ac_cv_lib_c_pthread_create" = x""yes; then : +if test "x$ac_cv_lib_c_pthread_create" = xyes; then : HAVE_LIBPTHREAD="yes" 
@@ -12424,43 +12454,42 @@ fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for FIPS_mode_set" >&5 -$as_echo_n "checking for FIPS_mode_set... " >&6; } +as_ac_Header=`$as_echo "ac_cv_header_$SSLDIR/include/openssl/fips.h" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$SSLDIR/include/openssl/fips.h" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + +$as_echo "#define HAVE_OSSL_FIPS_H 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: OpenSSL fips header not found" >&5 +$as_echo "$as_me: WARNING: OpenSSL fips header not found" >&2;} +fi + + + if test "$fips" = "auto"; then - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include - -int -main () -{ - -FIPS_mode_set(1); - - ; - return 0; -} + for ac_func in FIPS_mode_set +do : + ac_fn_c_check_func "$LINENO" "FIPS_mode_set" "ac_cv_func_FIPS_mode_set" +if test "x$ac_cv_func_FIPS_mode_set" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_FIPS_MODE_SET 1 _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } + $as_echo "#define USE_FIPS 1" >>confdefs.h + { $as_echo "$as_me:${as_lineno-$LINENO}: FIPS mode detected" >&5 +$as_echo "$as_me: FIPS mode detected" >&6;} else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - + { $as_echo "$as_me:${as_lineno-$LINENO}: FIPS mode not detected" >&5 +$as_echo "$as_me: FIPS mode not detected" >&6;} fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: test skipped" >&5 -$as_echo "test skipped" >&6; } +done + fi CPPFLAGS="$valid_CPPFLAGS" 
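Review bot: in the hunk at @@ -12424,43 +12454,42 @@ the fips.h header check does not gate the FIPS decision: a missing "$SSLDIR/include/openssl/fips.h" only emits "WARNING: OpenSSL fips header not found", and when "$fips" = "auto" the following "for ac_func in FIPS_mode_set" loop still writes "#define USE_FIPS 1" to confdefs.h as soon as FIPS_mode_set links. Either make the header result a condition of entering the function check, or turn the warning into a statement that the build continues with FIPS support unverified by the header. Note also that the old "result: test skipped" branch is gone, so when "$fips" is not "auto" nothing is logged about why detection was skipped; a one-line message there would keep config.log self-explanatory.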
@@ -12534,10 +12563,21 @@ $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; :end' >>confcache if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then - test "x$cache_file" != "x/dev/null" && + if test "x$cache_file" != "x/dev/null"; then { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 $as_echo "$as_me: updating cache $cache_file" >&6;} - cat confcache >$cache_file + if test ! -f "$cache_file" || test -h "$cache_file"; then + cat confcache >"$cache_file" + else + case $cache_file in #( + */* | ?:*) + mv -f confcache "$cache_file"$$ && + mv -f "$cache_file"$$ "$cache_file" ;; #( + *) + mv -f confcache "$cache_file" ;; + esac + fi + fi else { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} @@ -12585,7 +12625,7 @@ if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -: ${CONFIG_STATUS=./config.status} +: "${CONFIG_STATUS=./config.status}" ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" @@ -12686,6 +12726,7 @@ fi IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. +as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR 
@@ -12881,16 +12922,16 @@ if (echo >conf$$.file) 2>/dev/null; then # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -p'. + # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -p' + as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else - as_ln_s='cp -p' + as_ln_s='cp -pR' fi else - as_ln_s='cp -p' + as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null @@ -12950,28 +12991,16 @@ else as_mkdir_p=false fi -if test -x / >/dev/null 2>&1; then - as_test_x='test -x' -else - if ls -dL / >/dev/null 2>&1; then - as_ls_L_option=L - else - as_ls_L_option= - fi - as_test_x=' - eval sh -c '\'' - if test -d "$1"; then - test -d "$1/."; - else - case $1 in #( - -*)set "./$1";; - esac; - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( - ???[sx]*):;;*)false;;esac;fi - '\'' sh - ' -fi -as_executable_p=$as_test_x + +# as_fn_executable_p FILE +# ----------------------- +# Test if FILE is an executable regular file. +as_fn_executable_p () +{ + test -f "$1" && test -x "$1" +} # as_fn_executable_p +as_test_x='test -x' +as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" @@ -12992,8 +13021,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by stunnel $as_me 4.53, which was -generated by GNU Autoconf 2.67. Invocation command line was +This file was extended by stunnel $as_me 4.57, which was +generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS 
@@ -13058,11 +13087,11 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -stunnel config.status 4.53 -configured by $0, generated by GNU Autoconf 2.67, +stunnel config.status 4.57 +configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" -Copyright (C) 2010 Free Software Foundation, Inc. +Copyright (C) 2012 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." @@ -13153,7 +13182,7 @@ fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then - set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' @@ -13454,7 +13483,7 @@ do "tools/stunnel.init") CONFIG_FILES="$CONFIG_FILES tools/stunnel.init" ;; "tools/stunnel.service") CONFIG_FILES="$CONFIG_FILES tools/stunnel.service" ;; - *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;; + *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac done @@ -13477,9 +13506,10 @@ fi # after its creation but before its name has been assigned to `$tmp'. $debug || { - tmp= + tmp= ac_tmp= trap 'exit_status=$? - { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status + : "${ac_tmp:=$tmp}" + { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status ' 0 trap 'as_fn_exit 1' 1 2 13 15 } 
@@ -13487,12 +13517,13 @@ $debug || { tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && - test -n "$tmp" && test -d "$tmp" + test -d "$tmp" } || { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 +ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. @@ -13514,7 +13545,7 @@ else ac_cs_awk_cr=$ac_cr fi -echo 'BEGIN {' >"$tmp/subs1.awk" && +echo 'BEGIN {' >"$ac_tmp/subs1.awk" && _ACEOF @@ -13542,7 +13573,7 @@ done rm -f conf$$subs.sh cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -cat >>"\$tmp/subs1.awk" <<\\_ACAWK && +cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && _ACEOF sed -n ' h @@ -13590,7 +13621,7 @@ t delim rm -f conf$$subs.awk cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACAWK -cat >>"\$tmp/subs1.awk" <<_ACAWK && +cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && for (key in S) S_is_set[key] = 1 FS = "" @@ -13622,7 +13653,7 @@ if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" else cat -fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \ +fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 _ACEOF @@ -13656,7 +13687,7 @@ fi # test -n "$CONFIG_FILES" # No need to generate them if there are no CONFIG_HEADERS. # This happens for instance with `./config.status Makefile'. if test -n "$CONFIG_HEADERS"; then -cat >"$tmp/defines.awk" <<\_ACAWK || +cat >"$ac_tmp/defines.awk" <<\_ACAWK || BEGIN { _ACEOF @@ -13668,8 +13699,8 @@ _ACEOF # handling of long lines. ac_delim='%!_!# ' for ac_last_try in false false :; do - ac_t=`sed -n "/$ac_delim/p" confdefs.h` - if test -z "$ac_t"; then + ac_tt=`sed -n "/$ac_delim/p" confdefs.h` + if test -z "$ac_tt"; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 
@@ -13770,7 +13801,7 @@ do esac case $ac_mode$ac_tag in :[FHL]*:*);; - :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;; + :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac @@ -13789,7 +13820,7 @@ do for ac_f do case $ac_f in - -) ac_f="$tmp/stdin";; + -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, # because $ac_f cannot contain `:'. @@ -13798,7 +13829,7 @@ do [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || - as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;; + as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" @@ -13824,8 +13855,8 @@ $as_echo "$as_me: creating $ac_file" >&6;} esac case $ac_tag in - *:-:* | *:-) cat >"$tmp/stdin" \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; + *:-:* | *:-) cat >"$ac_tmp/stdin" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac 
@@ -13961,21 +13992,22 @@ s&@INSTALL@&$ac_INSTALL&;t t s&@MKDIR_P@&$ac_MKDIR_P&;t t $ac_datarootdir_hack " -eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 +eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ + >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && - { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && - { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } && + { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && + { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ + "$ac_tmp/out"`; test -z "$ac_out"; } && { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&5 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} - rm -f "$tmp/stdin" + rm -f "$ac_tmp/stdin" case $ac_file in - -) cat "$tmp/out" && rm -f "$tmp/out";; - *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";; + -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; + *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; esac \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; 
@@ -13986,20 +14018,20 @@ which seems to be undefined. Please make sure it is defined" >&2;} if test x"$ac_file" != x-; then { $as_echo "/* $configure_input */" \ - && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" - } >"$tmp/config.h" \ + && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" + } >"$ac_tmp/config.h" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - if diff "$ac_file" "$tmp/config.h" >/dev/null 2>&1; then + if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 $as_echo "$as_me: $ac_file is unchanged" >&6;} else rm -f "$ac_file" - mv "$tmp/config.h" "$ac_file" \ + mv "$ac_tmp/config.h" "$ac_file" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 fi else $as_echo "/* $configure_input */" \ - && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" \ + && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ || as_fn_error $? "could not create -" "$LINENO" 5 fi # Compute "$ac_file"'s index in $config_headers. diff --git a/configure.ac b/configure.ac index 0182e5e..7f0087b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,10 +1,10 @@ # Process this file with autoconf to produce a configure script. -AC_INIT([stunnel],[4.53]) +AC_INIT([stunnel],[4.57]) AC_MSG_NOTICE([**************************************** initialization]) AC_CONFIG_AUX_DIR(auto) AC_CONFIG_MACRO_DIR([m4]) -AM_INIT_AUTOMAKE(stunnel, 4.53) +AM_INIT_AUTOMAKE(stunnel, 4.57) AC_CONFIG_HEADERS([src/config.h]) AC_CONFIG_SRCDIR([src/stunnel.c]) AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source]) 
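Review bot: `AM_INIT_AUTOMAKE(stunnel, 4.57)` uses the obsolete two-argument form, which duplicates the package name and version already given to `AC_INIT([stunnel],[4.57])` and is exactly where a version mismatch creeps in on the next bump; switch to `AM_INIT_AUTOMAKE` with options only and let `AC_INIT` be the single source of the version.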
@@ -455,32 +455,27 @@ valid_CPPFLAGS="$CPPFLAGS"; CPPFLAGS="$CPPFLAGS -I$SSLDIR/include" valid_LIBS="$LIBS"; LIBS="$LIBS -L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto" AC_CHECK_HEADER([$SSLDIR/include/openssl/engine.h], - [AC_DEFINE([HAVE_OSSL_ENGINE_H], [1], [Define to 1 if you have header file.])], + [AC_DEFINE([HAVE_OSSL_ENGINE_H], [1], + [Define to 1 if you have header file.])], [AC_MSG_WARN([OpenSSL engine header not found])]) AC_CHECK_HEADER([$SSLDIR/include/openssl/ocsp.h], - [AC_DEFINE([HAVE_OSSL_OCSP_H], [1], [Define to 1 if you have header file.])], + [AC_DEFINE([HAVE_OSSL_OCSP_H], [1], + [Define to 1 if you have header file.])], [AC_MSG_WARN([OpenSSL ocsp header not found])]) -AC_MSG_CHECKING([for FIPS_mode_set]) +AC_CHECK_HEADER([$SSLDIR/include/openssl/fips.h], + [AC_DEFINE([HAVE_OSSL_FIPS_H], [1], + [Define to 1 if you have header file.])], + [AC_MSG_WARN([OpenSSL fips header not found])]) + if test "$fips" = "auto"; then - AC_LINK_IFELSE( - [AC_LANG_PROGRAM( - [ -#include - ], - [ -FIPS_mode_set(1); - ], - )], - [AC_MSG_RESULT([yes]) - AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode.]) - ], [ - AC_MSG_RESULT([no]) - ] - ) -else - AC_MSG_RESULT([test skipped]) + AC_CHECK_FUNCS(FIPS_mode_set, [ + AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode.]) + AC_MSG_NOTICE([FIPS mode detected]) + ], [ + AC_MSG_NOTICE([FIPS mode not detected]) + ]) fi CPPFLAGS="$valid_CPPFLAGS" diff --git a/doc/stunnel.8 b/doc/stunnel.8 index 589d968..7624a27 100644 --- a/doc/stunnel.8 +++ b/doc/stunnel.8 @@ -62,7 +62,7 @@ .\" ======================================================================== .\" .IX Title "STUNNEL 8" -.TH STUNNEL 8 "2012.01.14" "4.53" "stunnel" +.TH STUNNEL 8 "2013.03.20" "4.56" "stunnel" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
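Review bot: in the configure.ac hunk, `AC_CHECK_FUNCS(FIPS_mode_set, ...)` only proves that the symbol links, and non-FIPS builds of OpenSSL 1.0.1 export a `FIPS_mode_set()` stub that fails at run time, so `USE_FIPS` can now be defined against a library that cannot actually enter FIPS mode; since the man page in this same patch documents `fips = yes` as the default, make sure the runtime reports a failing `FIPS_mode_set()` as a configuration error with a clear message, or tie the define to the new `HAVE_OSSL_FIPS_H` check as well rather than emitting only `AC_MSG_WARN` when the header is missing. Separately, `.TH STUNNEL 8 "2013.03.20" "4.56"` in doc/stunnel.8 disagrees with the 4.57 set in `AC_INIT`; regenerate the man page so the version strings match.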
@@ -132,21 +132,21 @@ Don't display any message boxes .IX Header "CONFIGURATION FILE" Each line of the configuration file can be either: .IP "\(bu" 4 -an empty line (ignored) +An empty line (ignored). .IP "\(bu" 4 -a comment starting with ';' (ignored) +A comment starting with ';' (ignored). .IP "\(bu" 4 -an 'option_name = option_value' pair +An 'option_name = option_value' pair. .IP "\(bu" 4 -\&'[service_name]' indicating a start of a service definition +\&'[service_name]' indicating a start of a service definition. .PP An address parameter of an option may be either: .IP "\(bu" 4 -a port number +A port number. .IP "\(bu" 4 -a colon-separated pair of \s-1IP\s0 address (either IPv4, IPv6, or domain name) and port number +A colon-separated pair of \s-1IP\s0 address (either IPv4, IPv6, or domain name) and port number. .IP "\(bu" 4 -a Unix socket path (Unix only) +A Unix socket path (Unix only). .SS "\s-1GLOBAL\s0 \s-1OPTIONS\s0" .IX Subsection "GLOBAL OPTIONS" .IP "\fBchroot\fR = directory (Unix only)" 4 @@ -156,6 +156,18 @@ directory to chroot \fBstunnel\fR process \&\fBchroot\fR keeps \fBstunnel\fR in chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR and \fIexec\fR are located inside the jail and the patches have to be relative to the directory specified with \fBchroot\fR. +.Sp +Several functions of the operating system also need their files to be located within chroot jail, e.g.: +.RS 4 +.IP "\(bu" 4 +Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf. +.IP "\(bu" 4 +Local time in log files needs /etc/timezone. +.IP "\(bu" 4 +Some other functions may need devices, e.g. /dev/zero or /dev/null. +.RE +.RS 4 +.RE .IP "\fBcompression\fR = deflate | zlib | rle" 4 .IX Item "compression = deflate | zlib | rle" select data compression algorithm 
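Review bot: the unchanged context line "the patches have to be relative to the directory specified with chroot" should read "paths"; since this paragraph is being extended with the list of files the jail needs, fix the typo in the same edit. The empty `.RS 4` / `.RE` pair emitted after the new list is harmless generator output but worth checking in the rendered page.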
@@ -164,10 +176,10 @@ default: no compression .Sp deflate is the standard compression method as described in \s-1RFC\s0 1951. .Sp -zlib compression of OpenSSL 0.9.8 or above is not backward compatible with -OpenSSL 0.9.7. +zlib compression of \fBOpenSSL 0.9.8\fR or above is not backward compatible with +\&\fBOpenSSL 0.9.7\fR. .Sp -rle compression is currently not implemented by the OpenSSL library. +rle compression is currently not implemented by the \fBOpenSSL\fR library. .IP "\fBdebug\fR = [facility.]level" 4 .IX Item "debug = [facility.]level" debugging level @@ -186,8 +198,8 @@ Case is ignored for both facilities and levels. .IX Item "EGD = egd path (Unix only)" path to Entropy Gathering Daemon socket .Sp -Entropy Gathering Daemon socket to use to feed OpenSSL random number -generator. (Available only if compiled with OpenSSL 0.9.5a or higher) +Entropy Gathering Daemon socket to use to feed \fBOpenSSL\fR random number +generator. (Available only if compiled with \fBOpenSSL 0.9.5a\fR or higher) .IP "\fBengine\fR = auto | " 4 .IX Item "engine = auto | " select hardware engine @@ -220,8 +232,8 @@ engine cryptogaphic module. .IX Item "fips = yes | no" Enable or disable \s-1FIPS\s0 140\-2 mode. .Sp -This option allows to disable entering \s-1FIPS\s0 mode if stunnel was compiled with -\&\s-1FIPS\s0 140\-2 support. +This option allows to disable entering \s-1FIPS\s0 mode if \fBstunnel\fR was compiled +with \s-1FIPS\s0 140\-2 support. .Sp default: yes .IP "\fBforeground\fR = yes | no (Unix only)" 4 
@@ -249,9 +261,9 @@ If the argument is empty, then no pid file will be created. .IX Item "RNDbytes = bytes" bytes to read from random seed files .Sp -Number of bytes of data read from random seed files. With \s-1SSL\s0 versions -less than 0.9.5a, also determines how many bytes of data are considered -sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions have a builtin +Number of bytes of data read from random seed files. With \s-1SSL\s0 versions less +than \fB0.9.5a\fR, also determines how many bytes of data are considered +sufficient to seed the \s-1PRNG\s0. More recent \fBOpenSSL\fR versions have a builtin function to determine when sufficient randomness is available. .IP "\fBRNDfile\fR = file" 4 .IX Item "RNDfile = file" @@ -335,8 +347,8 @@ the \fIverify\fR. Note that the certificates in this directory should be named \&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the cert. .Sp -The hash algorithm has been changed in OpenSSL 1.0.0. It is required to -c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x. +The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to +c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR. .Sp \&\fICApath\fR path is relative to \fIchroot\fR directory if specified. .IP "\fBCAfile\fR = certfile" 4 
@@ -383,8 +395,8 @@ This is the directory in which \fBstunnel\fR will look for CRLs when using the \fIverify\fR. Note that the CRLs in this directory should be named \s-1XXXXXXXX\s0.r0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0. .Sp -The hash algorithm has been changed in OpenSSL 1.0.0. It is required to -c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x. +The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to +c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR. .Sp \&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified. .IP "\fBCRLfile\fR = certfile" 4 @@ -408,7 +420,7 @@ default: prime256v1 delay \s-1DNS\s0 lookup for 'connect' option .Sp This option is useful for dynamic \s-1DNS\s0, or when \s-1DNS\s0 is not available during -stunnel startup (road warrior \s-1VPN\s0, dial-up configurations). +\&\fBstunnel\fR startup (road warrior \s-1VPN\s0, dial-up configurations). .IP "\fBengineNum\fR = engine number" 4 .IX Item "engineNum = engine number" select engine number to read private key 
@@ -461,29 +473,34 @@ default: yes .IX Item "local = host" \&\s-1IP\s0 of the outgoing interface is used as source for remote connections. Use this option to bind a static local \s-1IP\s0 address, instead. -.IP "\fBsni\fR = service_name:server_name (server mode)" 4 -.IX Item "sni = service_name:server_name (server mode)" +.IP "\fBsni\fR = service_name:server_name_pattern (server mode)" 4 +.IX Item "sni = service_name:server_name_pattern (server mode)" Use the service as a slave service (a name-based virtual server) for Server Name Indication \s-1TLS\s0 extension (\s-1RFC\s0 3546). .Sp \&\fIservice_name\fR specifies the master service that accepts client connections -with \fIaccept\fR option. \fIserver_name\fR specifies the host name to be redirected. +with \fIaccept\fR option. \fIserver_name_pattern\fR specifies the host name to be +redirected. The pattern may start with '*' character, e.g. '*.example.com'. Multiple slave services are normally specified for a single master service. -\&\fIsni\fR option can also be specified more than once within a single slave service. +\&\fIsni\fR option can also be specified more than once within a single slave +service. +.Sp +This service, as well as the master service, may not be configured in client +mode. .Sp -This service, as well as the master service, may not be configured in client mode. \&\fIconnect\fR option of the slave service is ignored when \fIprotocol\fR option is specified, as \fIprotocol\fR connects remote host before \s-1TLS\s0 handshake. +.Sp Libwrap checks (Unix only) are performed twice: with master service name after \&\s-1TCP\s0 connection is accepted, and with slave service name during \s-1TLS\s0 handshake. .Sp -Option \fIsni\fR is only available when compiled with OpenSSL 1.0.0 and later. +Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later. 
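Review bot: the new sentence "The pattern may start with '*' character, e.g. '*.example.com'" leaves the matching rule undefined: state whether `*.example.com` matches a single label only (`host.example.com`), several labels (`a.b.example.com`), and the bare `example.com`, and which slave service wins when more than one pattern matches the requested name, because this pattern decides which certificate and backend a client is routed to.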
.IP "\fBsni\fR = server_name (client mode)" 4 .IX Item "sni = server_name (client mode)" Use the parameter as the value of \s-1TLS\s0 Server Name Indication (\s-1RFC\s0 3546) extension. .Sp -Option \fIsni\fR is only available when compiled with OpenSSL 1.0.0 and later. +Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later. .IP "\fB\s-1OCSP\s0\fR = url" 4 .IX Item "OCSP = url" select \s-1OCSP\s0 server for certificate verification @@ -497,9 +514,9 @@ currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NO \&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0 .IP "\fBoptions\fR = SSL_options" 4 .IX Item "options = SSL_options" -OpenSSL library options +\&\fBOpenSSL\fR library options .Sp -The parameter is the OpenSSL option name as described in the +The parameter is the \fBOpenSSL\fR option name as described in the \&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix. Several \fIoptions\fR can be used to specify multiple options. .Sp @@ -511,8 +528,10 @@ the following option can be used: .Ve .IP "\fBprotocol\fR = proto" 4 .IX Item "protocol = proto" -application protocol to negotiate \s-1SSL\s0 (e.g. \fIstarttls\fR or \fIstls\fR) +application protocol to negotiate \s-1SSL\s0 .Sp +This option enables initial, protocol-specific negotiation of the \s-1SSL/TLS\s0 +encryption. \&\fIprotocol\fR option should not be used with \s-1SSL\s0 encryption on a separate port. .Sp Currently supported protocols: 
@@ -555,12 +574,18 @@ authentication type for protocol negotiations .Sp currently supported: basic, \s-1NTLM\s0 .Sp -Currently authentication type only applies to 'connect' protocol. +Currently authentication type only applies to the 'connect' protocol. .Sp default: basic .IP "\fBprotocolHost\fR = host:port" 4 .IX Item "protocolHost = host:port" destination address for protocol negotiations +.Sp +\&\fIprotocolHost\fR specifies the final \s-1SSL\s0 server to be connected by the proxy, +and not the proxy server directly connected by \fBstunnel\fR. +The proxy server should be specified with the 'connect' option. +.Sp +Currently protocol destination address only applies to 'connect' protocol. .IP "\fBprotocolPassword\fR = password" 4 .IX Item "protocolPassword = password" password for protocol negotiations 
@@ -570,14 +595,48 @@ username for protocol negotiations .IP "\fBpty\fR = yes | no (Unix only)" 4 .IX Item "pty = yes | no (Unix only)" allocate pseudo terminal for 'exec' option -.IP "\fBretry\fR = yes | no (Unix only)" 4 -.IX Item "retry = yes | no (Unix only)" +.IP "\fBrenegotiation\fR = yes | no" 4 +.IX Item "renegotiation = yes | no" +support \s-1SSL\s0 renegotiation +.Sp +Applications of the \s-1SSL\s0 renegotiation include some authentication scenarios, +or re-keying long lasting connections. +.Sp +On the other hand this feature can facilitate a trivial CPU-exhaustion +DoS attack: +.Sp +http://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html +.Sp +Please note that disabling \s-1SSL\s0 renegotiation does not fully mitigate +this issue. +.Sp +default: yes (if supported by \fBOpenSSL\fR) +.IP "\fBreset\fR = yes | no" 4 +.IX Item "reset = yes | no" +attempt to use \s-1TCP\s0 \s-1RST\s0 flag to indicate an error +.Sp +This option is not supported on some platforms. +.Sp +default: yes +.IP "\fBretry\fR = yes | no" 4 +.IX Item "retry = yes | no" reconnect a connect+exec section after it's disconnected .Sp default: no -.IP "\fBsession\fR = timeout" 4 -.IX Item "session = timeout" +.IP "\fBsessionCacheSize\fR = size" 4 +.IX Item "sessionCacheSize = size" +session cache size +.Sp +\&\fIsessionCacheSize\fR specifies the maximum number of the internal session cache +entries. +.Sp +The value of 0 can be used for unlimited size. It is not recommended +for production use due to the risk of memory exhaustion DoS attack. +.IP "\fBsessionCacheTimeout\fR = timeout" 4 +.IX Item "sessionCacheTimeout = timeout" session cache timeout +.Sp +This is the number of seconds to keep cached \s-1SSL\s0 sessions. .IP "\fBsessiond\fR = host:port" 4 .IX Item "sessiond = host:port" address of sessiond \s-1SSL\s0 cache server 
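Review bot: the new `sessionCacheSize` entry has no "default:" line, unlike the neighbouring options, while its text warns that 0 means unlimited and carries a memory-exhaustion DoS risk; document the default (and the `sessionCacheTimeout` default) so an operator can tell whether a shipped configuration is bounded. The `renegotiation` entry likewise says that disabling renegotiation "does not fully mitigate this issue" without saying what remains; one sentence on the residual exposure would make the default of "yes" easier to judge.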
@@ -585,7 +644,7 @@ address of sessiond \s-1SSL\s0 cache server .IX Item "sslVersion = version" select version of \s-1SSL\s0 protocol .Sp -Allowed options: all, SSLv2, SSLv3, TLSv1 +Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 .IP "\fBstack\fR = bytes (except for \s-1FORK\s0 model)" 4 .IX Item "stack = bytes (except for FORK model)" thread stack size @@ -619,7 +678,7 @@ This option is currently available in: .RS 4 .IP "Remote mode (\fIconnect\fR option) on \fILinux >=2.6.28\fR" 4 .IX Item "Remote mode (connect option) on Linux >=2.6.28" -This configuration requires stunnel to be executed as root and without +This configuration requires \fBstunnel\fR to be executed as root and without \&\fIsetuid\fR option. .Sp This configuration requires the following setup for iptables and routing @@ -638,9 +697,10 @@ This configuration requires the following setup for iptables and routing \&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option. .IP "Remote mode (\fIconnect\fR option) on \fILinux 2.2.x\fR" 4 .IX Item "Remote mode (connect option) on Linux 2.2.x" -This configuration requires kernel to be compiled with \fItransparent proxy\fR option. +This configuration requires kernel to be compiled with \fItransparent proxy\fR +option. Connected service must be installed on a separate host. -Routing towards the clients has to go through the stunnel box. +Routing towards the clients has to go through the \fBstunnel\fR box. .Sp \&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option. .IP "Remote mode (\fIconnect\fR option) on \fIFreeBSD >=8.0\fR" 4 
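Review bot: "Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2" does not say what `all` negotiates or which value is the default; with SSLv2 still in the list, document the default, and give the minimum OpenSSL version for TLSv1.1 and TLSv1.2 the way the `sni` entry does for its OpenSSL 1.0.0 requirement.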
@@ -697,22 +757,26 @@ This options has been renamed to \fInone\fR. .IX Item "verify = level" verify peer certificate .RS 4 -.IP "\fIlevel 0\fR \- request and ignore peer certificate" 4 -.IX Item "level 0 - request and ignore peer certificate" -.PD 0 -.IP "\fIlevel 1\fR \- verify peer certificate if present" 4 -.IX Item "level 1 - verify peer certificate if present" -.IP "\fIlevel 2\fR \- verify peer certificate" 4 -.IX Item "level 2 - verify peer certificate" -.IP "\fIlevel 3\fR \- verify peer with locally installed certificate" 4 -.IX Item "level 3 - verify peer with locally installed certificate" -.IP "\fIlevel 4\fR \- ignore \s-1CA\s0 chain and only verify peer certificate" 4 -.IX Item "level 4 - ignore CA chain and only verify peer certificate" -.IP "\fIdefault\fR \- no verify" 4 -.IX Item "default - no verify" +.IP "level 0" 4 +.IX Item "level 0" +Request and ignore peer certificate. +.IP "level 1" 4 +.IX Item "level 1" +Verify peer certificate if present. +.IP "level 2" 4 +.IX Item "level 2" +Verify peer certificate. +.IP "level 3" 4 +.IX Item "level 3" +Verify peer with locally installed certificate. +.IP "level 4" 4 +.IX Item "level 4" +Ignore \s-1CA\s0 chain and only verify peer certificate. +.IP "default" 4 +.IX Item "default" +No verify. .RE .RS 4 -.PD .Sp It is important to understand, that this option was solely designed for access control and not for authorization. Specifically for level 2 every non-revoked @@ -725,7 +789,7 @@ for webservers. Level 3 is preferred for point-to-point connections. \&\fBstunnel\fR returns zero on success, non-zero on error. .SH "SIGNALS" .IX Header "SIGNALS" -The following signals can be used to control stunnel in Unix environment: +The following signals can be used to control \fBstunnel\fR in Unix environment: .IP "\s-1SIGHUP\s0" 4 .IX Item "SIGHUP" Force a reload of the configuration file. 
@@ -745,20 +809,20 @@ setuid .RE .RS 4 .Sp -The use of 'setuid' option will also prevent stunnel from binding privileged +The use of 'setuid' option will also prevent \fBstunnel\fR from binding privileged (<1024) ports during configuration reloading. .Sp -When 'chroot' option is used, stunnel will look for all its files (including +When 'chroot' option is used, \fBstunnel\fR will look for all its files (including configuration file, certificates, log file and pid file) within the chroot jail. .RE .IP "\s-1SIGUSR1\s0" 4 .IX Item "SIGUSR1" -Close and reopen stunnel log file. +Close and reopen \fBstunnel\fR log file. This function can be used for log rotation. .IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4 .IX Item "SIGTERM, SIGQUIT, SIGINT" -Shut stunnel down. +Shut \fBstunnel\fR down. .PP The result of sending any other signals to the server is undefined. .SH "EXAMPLES" @@ -827,7 +891,7 @@ configurations. Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate to the peer. It also needs a private key to decrypt the incoming data. The easiest way to obtain a certificate and a key is to -generate them with the free \fIOpenSSL\fR package. You can find more +generate them with the free \fBOpenSSL\fR package. You can find more information on certificates generation on pages listed below. .PP The order of contents of the \fI.pem\fR file is important. It should contain the 
@@ -868,10 +932,10 @@ The egd socket specified with '\-\-with\-egd\-sock' at compile time. .IP "\(bu" 4 The /dev/urandom device. .PP -With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading -random data automatically when sufficient entropy has been gathered. -With previous versions it will continue to gather from all the above -sources since no \s-1SSL\s0 function exists to tell when enough data is available. +With recent (\fBOpenSSL 0.9.5a\fR or later) version of \s-1SSL\s0 it will stop loading +random data automatically when sufficient entropy has been gathered. With +previous versions it will continue to gather from all the above sources since +no \s-1SSL\s0 function exists to tell when enough data is available. .PP Note that on Windows machines that do not have console user interaction (mouse movements, creating windows, etc.) the screen contents are not 
@@ -882,14 +946,13 @@ Note that the file specified with the \fIRNDfile\fR flag should contain random data \*(-- that means it should contain different information each time \fBstunnel\fR is run. This is handled automatically unless the \fIRNDoverwrite\fR flag is used. If you wish to update this file -manually, the \fIopenssl rand\fR command in recent versions of OpenSSL, +manually, the \fIopenssl rand\fR command in recent versions of \fBOpenSSL\fR, would be useful. .PP -One important note \*(-- if /dev/urandom is available, OpenSSL has a habit of -seeding the \s-1PRNG\s0 with it even when checking the random state, so on -systems with /dev/urandom you're likely to use it even though it's listed -at the very bottom of the list above. This isn't \fBstunnel's\fR behaviour, it's -OpenSSLs. +Important note: If /dev/urandom is available, \fBOpenSSL\fR often seeds the \s-1PRNG\s0 +with it while checking the random state. On systems with /dev/urandom +\&\fBOpenSSL\fR is likely to use it even though it is listed at the very bottom of +the list above. This is the behaviour of \fBOpenSSL\fR and not \fBstunnel\fR. .SS "\s-1DH\s0 \s-1PARAMETERS\s0" .IX Subsection "DH PARAMETERS" Stunnel 4.40 and later contains hardcoded 2048\-bit \s-1DH\s0 parameters. @@ -908,7 +971,7 @@ It is also possible to specify \s-1DH\s0 parameters in the certificate file: \&\fBstunnel\fR configuration file .SH "BUGS" .IX Header "BUGS" -Option \fIexecargs\fR does not support quoting. +Option \fIexecargs\fR and Win32 command line does not support quoting. .SH "SEE ALSO" .IX Header "SEE ALSO" .IP "\fItcpd\fR\|(8)" 4 @@ -922,7 +985,7 @@ internet 'super\-server' \&\fBstunnel\fR homepage .IP "\fIhttp://www.openssl.org/\fR" 4 .IX Item "http://www.openssl.org/" -OpenSSL project website +\&\fBOpenSSL\fR project website .SH "AUTHOR" .IX Header "AUTHOR" .IP "Michał Trojnara" 4 diff --git a/doc/stunnel.fr.8 b/doc/stunnel.fr.8 index b6d29fb..9ae901a 100644 --- a/doc/stunnel.fr.8 +++ b/doc/stunnel.fr.8 
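Review bot: in the BUGS hunk, "Option execargs and Win32 command line does not support quoting" has a plural subject; use "do not", or split it into two sentences so each limitation reads on its own.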
@@ -62,7 +62,7 @@ .\" ======================================================================== .\" .IX Title "STUNNEL.FR 8" -.TH STUNNEL.FR 8 "2012.01.12" "4.53" "stunnel" +.TH STUNNEL.FR 8 "2013.03.19" "4.56" "stunnel" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/doc/stunnel.html b/doc/stunnel.html index 8c3551e..9eef2c0 100644 --- a/doc/stunnel.html +++ b/doc/stunnel.html @@ -156,29 +156,29 @@ Eric Young (eay@cryptsoft.com)

CONFIGURATION FILE

Each line of the configuration file can be either:

An address parameter of an option may be either:

@@ -192,6 +192,18 @@ Eric Young (eay@cryptsoft.com)

chroot keeps stunnel in chrooted jail. CApath, CRLpath, pid and exec are located inside the jail and the patches have to be relative to the directory specified with chroot.

+

Several functions of the operating system also need their files to be located within chroot jail, e.g.:

+
    +
  • +

    Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.

    +
  • +
  • +

    Local time in log files needs /etc/timezone.

    +
  • +
  • +

    Some other functions may need devices, e.g. /dev/zero or /dev/null.

    +
  • +
compression = deflate | zlib | rle
@@ -199,9 +211,9 @@ to the directory specified with chroot.

select data compression algorithm

default: no compression

deflate is the standard compression method as described in RFC 1951.

-

zlib compression of OpenSSL 0.9.8 or above is not backward compatible with -OpenSSL 0.9.7.

-

rle compression is currently not implemented by the OpenSSL library.

+

zlib compression of OpenSSL 0.9.8 or above is not backward compatible with +OpenSSL 0.9.7.

+

rle compression is currently not implemented by the OpenSSL library.

debug = [facility.]level
@@ -216,12 +228,12 @@ all levels numerically less than it will be shown. Use debug = debug o (Facilities are not supported on Win32.)

Case is ignored for both facilities and levels.

-
EGD = egd path (Unix only)
+
EGD = egd path (Unix only)

path to Entropy Gathering Daemon socket

-

Entropy Gathering Daemon socket to use to feed OpenSSL random number -generator. (Available only if compiled with OpenSSL 0.9.5a or higher)

+

Entropy Gathering Daemon socket to use to feed OpenSSL random number +generator. (Available only if compiled with OpenSSL 0.9.5a or higher)

engine = auto | <engine id>
@@ -254,8 +266,8 @@ engine cryptogaphic module.

Enable or disable FIPS 140-2 mode.

-

This option allows to disable entering FIPS mode if stunnel was compiled with -FIPS 140-2 support.

+

This option allows to disable entering FIPS mode if stunnel was compiled +with FIPS 140-2 support.

default: yes

foreground = yes | no (Unix only)
@@ -284,9 +296,9 @@ output (for example to log them with daemontools splogger).

bytes to read from random seed files

-

Number of bytes of data read from random seed files. With SSL versions -less than 0.9.5a, also determines how many bytes of data are considered -sufficient to seed the PRNG. More recent OpenSSL versions have a builtin +

Number of bytes of data read from random seed files. With SSL versions less +than 0.9.5a, also determines how many bytes of data are considered +sufficient to seed the PRNG. More recent OpenSSL versions have a builtin function to determine when sufficient randomness is available.

RNDfile = file
@@ -311,12 +323,12 @@ number generator.

setgid = groupname (Unix only)
-

setgid() to groupname in daemon mode and clears all other groups

+

setgid() to groupname in daemon mode and clears all other groups

setuid = username (Unix only)
-

setuid() to username in daemon mode

+

setuid() to username in daemon mode

socket = a|l|r:option=value[:value]
@@ -377,8 +389,8 @@ below.

the verify. Note that the certificates in this directory should be named XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the cert.

-

The hash algorithm has been changed in OpenSSL 1.0.0. It is required to -c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.

+

The hash algorithm has been changed in OpenSSL 1.0.0. It is required to +c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.

CApath path is relative to chroot directory if specified.

CAfile = certfile
@@ -427,8 +439,8 @@ round-robin algorithm.

This is the directory in which stunnel will look for CRLs when using the verify. Note that the CRLs in this directory should be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL.

-

The hash algorithm has been changed in OpenSSL 1.0.0. It is required to -c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.

+

The hash algorithm has been changed in OpenSSL 1.0.0. It is required to +c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.

CRLpath path is relative to chroot directory if specified.

CRLfile = certfile
@@ -451,7 +463,7 @@ c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.

delay DNS lookup for 'connect' option

This option is useful for dynamic DNS, or when DNS is not available during -stunnel startup (road warrior VPN, dial-up configurations).

+stunnel startup (road warrior VPN, dial-up configurations).

engineNum = engine number
@@ -509,28 +521,31 @@ to its owner. On Unix systems you can use the following command:

IP of the outgoing interface is used as source for remote connections. Use this option to bind a static local IP address, instead.

-
sni = service_name:server_name (server mode)
+
sni = service_name:server_name_pattern (server mode)

Use the service as a slave service (a name-based virtual server) for Server Name Indication TLS extension (RFC 3546).

service_name specifies the master service that accepts client connections -with accept option. server_name specifies the host name to be redirected. +with accept option. server_name_pattern specifies the host name to be +redirected. The pattern may start with '*' character, e.g. '*.example.com'. Multiple slave services are normally specified for a single master service. -sni option can also be specified more than once within a single slave service.

-

This service, as well as the master service, may not be configured in client mode. -connect option of the slave service is ignored when protocol option is -specified, as protocol connects remote host before TLS handshake. -Libwrap checks (Unix only) are performed twice: with master service name after +sni option can also be specified more than once within a single slave +service.

+

This service, as well as the master service, may not be configured in client +mode.

+

connect option of the slave service is ignored when protocol option is +specified, as protocol connects remote host before TLS handshake.

+

Libwrap checks (Unix only) are performed twice: with master service name after TCP connection is accepted, and with slave service name during TLS handshake.

-

Option sni is only available when compiled with OpenSSL 1.0.0 and later.

+

Option sni is only available when compiled with OpenSSL 1.0.0 and later.

-
sni = server_name (client mode)
+
sni = server_name (client mode)

Use the parameter as the value of TLS Server Name Indication (RFC 3546) extension.

-

Option sni is only available when compiled with OpenSSL 1.0.0 and later.

+

Option sni is only available when compiled with OpenSSL 1.0.0 and later.

OCSP = url
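Review bot: the new wildcard sentence ("The pattern may start with '*' character, e.g. '*.example.com'") leaves the matching rule undefined: whether '*' matches exactly one DNS label or any prefix (does '*.example.com' match 'a.b.example.com', or 'example.com' itself), whether the comparison is case-insensitive, and which slave service wins when a client-supplied name matches both an exact server_name and a wildcard pattern, or several patterns across the "Multiple slave services" the text says are normally configured. Because the selected slave service decides which certificate and which connect target the client is given, spell out the precedence (for instance exact match before wildcard) and what happens to a connection whose name matches no slave service at all.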
@@ -548,8 +563,8 @@ NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME

options = SSL_options
-

OpenSSL library options

-

The parameter is the OpenSSL option name as described in the +

OpenSSL library options

+

The parameter is the OpenSSL option name as described in the SSL_CTX_set_options(3ssl) manual, but without SSL_OP_ prefix. Several options can be used to specify multiple options.

For example for compatibility with erroneous Eudora SSL implementation @@ -560,8 +575,10 @@ the following option can be used:

protocol = proto
-

application protocol to negotiate SSL (e.g. starttls or stls)

-

protocol option should not be used with SSL encryption on a separate port.

+

application protocol to negotiate SSL

+

This option enables initial, protocol-specific negotiation of the SSL/TLS +encryption. +protocol option should not be used with SSL encryption on a separate port.

Currently supported protocols:

cifs
@@ -614,13 +631,17 @@ Support for this extension was dropped in Samba 3.0.0.

authentication type for protocol negotiations

currently supported: basic, NTLM

-

Currently authentication type only applies to 'connect' protocol.

+

Currently authentication type only applies to the 'connect' protocol.

default: basic

protocolHost = host:port

destination address for protocol negotiations

+

protocolHost specifies the final SSL server to be connected by the proxy, +and not the proxy server directly connected by stunnel. +The proxy server should be specified with the 'connect' option.

+

Currently protocol destination address only applies to 'connect' protocol.

protocolPassword = password
@@ -637,16 +658,46 @@ Support for this extension was dropped in Samba 3.0.0.

allocate pseudo terminal for 'exec' option

-
retry = yes | no (Unix only)
+
renegotiation = yes | no
+ +
+

support SSL renegotiation

+

Applications of the SSL renegotiation include some authentication scenarios, +or re-keying long lasting connections.

+

On the other hand this feature can facilitate a trivial CPU-exhaustion +DoS attack:

+

http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html

+

Please note that disabling SSL renegotiation does not fully mitigate +this issue.

+

default: yes (if supported by OpenSSL)

+
+
reset = yes | no
+ +
+

attempt to use TCP RST flag to indicate an error

+

This option is not supported on some platforms.

+

default: yes

+
+
retry = yes | no

reconnect a connect+exec section after it's disconnected

default: no

-
session = timeout
+
sessionCacheSize = size
+ +
+

session cache size

+

sessionCacheSize specifies the maximum number of the internal session cache +entries.

+

The value of 0 can be used for unlimited size. It is not recommended +for production use due to the risk of memory exhaustion DoS attack.

+
+
sessionCacheTimeout = timeout

session cache timeout

+

This is the number of seconds to keep cached SSL sessions.

sessiond = host:port
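Review bot: the rename of "session = timeout" to "sessionCacheTimeout = timeout" is not mentioned in the entry, so an existing configuration that still uses "session" will stop working without this page explaining why; add a sentence saying whether "session" is still accepted as an alias and, if not, that it must be renamed. Unlike "reset" and "retry", the new "sessionCacheSize" and "sessionCacheTimeout" entries state no default, which matters here because a size of 0 is explicitly warned against as a memory-exhaustion DoS risk, so the reader needs to know what the cache is bounded to when the option is absent. Two smaller points: "retry" silently loses its "(Unix only)" qualifier (intended?), and "Applications of the SSL renegotiation include some authentication scenarios, or re-keying long lasting connections" should read "and re-keying long-lasting connections".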
@@ -657,7 +708,7 @@ Support for this extension was dropped in Samba 3.0.0.

select version of SSL protocol

-

Allowed options: all, SSLv2, SSLv3, TLSv1

+

Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

stack = bytes (except for FORK model)
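Review bot: the added TLSv1.1 and TLSv1.2 values need the same kind of version caveat the sni entries carry ("only available when compiled with OpenSSL 1.0.0 and later"): these two protocol versions are only implemented from OpenSSL 1.0.1 on, so a build against an older library cannot honour them. Suggest adding "TLSv1.1 and TLSv1.2 are only available when compiled with OpenSSL 1.0.1 and later" and stating what stunnel does when the configured value is not supported by the library it was built with.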
@@ -705,7 +756,7 @@ from the SSL client machine instead of the machine running stunnelRemote mode (connect option) on Linux >=2.6.28
-

This configuration requires stunnel to be executed as root and without +

This configuration requires stunnel to be executed as root and without setuid option.

This configuration requires the following setup for iptables and routing (possibly in /etc/rc.local or equivalent file):

@@ -722,9 +773,10 @@ from the SSL client machine instead of the machine running stunnelRemote mode (connect option) on Linux 2.2.x
-

This configuration requires kernel to be compiled with transparent proxy option. +

This configuration requires kernel to be compiled with transparent proxy +option. Connected service must be installed on a separate host. -Routing towards the clients has to go through the stunnel box.

+Routing towards the clients has to go through the stunnel box.

stunnel must also to be executed as root and without setuid option.

Remote mode (connect option) on FreeBSD >=8.0
@@ -784,18 +836,36 @@ other platforms.

verify peer certificate

-
level 0 - request and ignore peer certificate
+
level 0
-
level 1 - verify peer certificate if present
+
+

Request and ignore peer certificate.

+
+
level 1
-
level 2 - verify peer certificate
+
+

Verify peer certificate if present.

+
+
level 2
-
level 3 - verify peer with locally installed certificate
+
+

Verify peer certificate.

+
+
level 3
-
level 4 - ignore CA chain and only verify peer certificate
+
+

Verify peer with locally installed certificate.

+
+
level 4
-
default - no verify
+
+

Ignore CA chain and only verify peer certificate.

+
+
default
+
+

No verify.

+

It is important to understand, that this option was solely designed for access control and not for authorization. Specifically for level 2 every non-revoked @@ -813,7 +883,7 @@ for webservers. Level 3 is preferred for point-to-point connections.
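Review bot: after splitting the levels into separate items, "level 2" now reads only "Verify peer certificate.", which is hard to tell apart from level 1 "Verify peer certificate if present."; the distinguishing property of level 2 is that a certificate is required and checked against the installed CA certificates (the paragraph below speaks of "every non-revoked certificate" being accepted at this level), and the Polish text says exactly that ("weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji"). Suggest "Require and verify the peer certificate against the installed CA certificates." so the English matches.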


SIGNALS

-

The following signals can be used to control stunnel in Unix environment:

+

The following signals can be used to control stunnel in Unix environment:

SIGHUP
@@ -821,38 +891,38 @@ for webservers. Level 3 is preferred for point-to-point connections.

Force a reload of the configuration file.

Some global options will not be reloaded:

-

The use of 'setuid' option will also prevent stunnel from binding privileged +

The use of 'setuid' option will also prevent stunnel from binding privileged (<1024) ports during configuration reloading.

-

When 'chroot' option is used, stunnel will look for all its files (including +

When 'chroot' option is used, stunnel will look for all its files (including configuration file, certificates, log file and pid file) within the chroot jail.

SIGUSR1
-

Close and reopen stunnel log file. +

Close and reopen stunnel log file. This function can be used for log rotation.

SIGTERM, SIGQUIT, SIGINT
-

Shut stunnel down.

+

Shut stunnel down.

The result of sending any other signals to the server is undefined.

@@ -917,7 +987,7 @@ configurations.

Each SSL enabled daemon needs to present a valid X.509 certificate to the peer. It also needs a private key to decrypt the incoming data. The easiest way to obtain a certificate and a key is to -generate them with the free OpenSSL package. You can find more +generate them with the free OpenSSL package. You can find more information on certificates generation on pages listed below.

The order of contents of the .pem file is important. It should contain the unencrypted private key first, then a signed certificate (not certificate @@ -940,35 +1010,35 @@ should be discarded. So the file should look like this:

order for SSL to use good randomness. The following sources are loaded in order until sufficient random data has been gathered:

-

With recent (>=OpenSSL 0.9.5a) version of SSL it will stop loading -random data automatically when sufficient entropy has been gathered. -With previous versions it will continue to gather from all the above -sources since no SSL function exists to tell when enough data is available.

+

With recent (OpenSSL 0.9.5a or later) version of SSL it will stop loading +random data automatically when sufficient entropy has been gathered. With +previous versions it will continue to gather from all the above sources since +no SSL function exists to tell when enough data is available.

Note that on Windows machines that do not have console user interaction (mouse movements, creating windows, etc.) the screen contents are not variable enough to be sufficient, and you should provide a random file @@ -977,13 +1047,12 @@ for use with the RNDfile flag.

random data -- that means it should contain different information each time stunnel is run. This is handled automatically unless the RNDoverwrite flag is used. If you wish to update this file -manually, the openssl rand command in recent versions of OpenSSL, +manually, the openssl rand command in recent versions of OpenSSL, would be useful.

-

One important note -- if /dev/urandom is available, OpenSSL has a habit of -seeding the PRNG with it even when checking the random state, so on -systems with /dev/urandom you're likely to use it even though it's listed -at the very bottom of the list above. This isn't stunnel's behaviour, it's -OpenSSLs.

+

Important note: If /dev/urandom is available, OpenSSL often seeds the PRNG +with it while checking the random state. On systems with /dev/urandom +OpenSSL is likely to use it even though it is listed at the very bottom of +the list above. This is the behaviour of OpenSSL and not stunnel.

DH PARAMETERS

@@ -1007,7 +1076,7 @@ OpenSSLs.


BUGS

-

Option execargs does not support quoting.

+

Option execargs and Win32 command line does not support quoting.


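Review bot: subject-verb agreement in the changed line: "Option execargs and Win32 command line does not support quoting" has a compound subject, so it should be "Option execargs and the Win32 command line do not support quoting".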
@@ -1031,7 +1100,7 @@ OpenSSLs.

http://www.openssl.org/
-

OpenSSL project website

+

OpenSSL project website

diff --git a/doc/stunnel.pl.8 b/doc/stunnel.pl.8 index 2b692c2..0df17bc 100644 --- a/doc/stunnel.pl.8 +++ b/doc/stunnel.pl.8 @@ -62,7 +62,7 @@ .\" ======================================================================== .\" .IX Title "STUNNEL.PL 8" -.TH STUNNEL.PL 8 "2012.01.14" "4.53" "stunnel" +.TH STUNNEL.PL 8 "2013.03.22" "4.56" "stunnel" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -158,6 +158,18 @@ Opcja okreÅ›la katalog, w którym uwiÄ™ziony zostanie proces programu poÅ‚Ä…czeÅ„. Åšcieżki podane w opcjach \fICApath\fR, \fICRLpath\fR, \fIpid\fR oraz \fIexec\fR muszÄ… być umieszczone wewnÄ…trz katalogu podanego w opcji \&\fIchroot\fR i okreÅ›lone wzglÄ™dem tego katalogu. +.Sp +Niektóre funkcje systemu operacyjnego mogÄ… wymagać dodatkowych plików umieszczonych w katalogu podanego w parametrze chroot: +.RS 4 +.IP "\(bu" 4 +opóźnione rozwiniÄ™cie adresów \s-1DNS\s0 typowo wymaga /etc/nsswitch.conf i /etc/resolv.conf +.IP "\(bu" 4 +lokalizacja strefy czasowej w logach wymaga pliku /etc/timezone +.IP "\(bu" 4 +niektóre inne pliki mogÄ… potrzebować plików urzÄ…dzeÅ„, np. /dev/zero lub /dev/null +.RE +.RS 4 +.RE .IP "\fBcompression\fR = deflate | zlib | rle" 4 .IX Item "compression = deflate | zlib | rle" wybór algorytmu kompresji przesyÅ‚anych danych @@ -166,10 +178,10 @@ domyÅ›lnie: bez kompresji .Sp Algorytm deflate jest standardowÄ… metodÄ… kompresji zgodnie z \s-1RFC\s0 1951. .Sp -Kompresja zlib zaimplementowana w OpenSSL 0.9.8 i nowszych nie jest -kompatybilna implementacjÄ… OpenSSL 0.9.7. +Kompresja zlib zaimplementowana w \fBOpenSSL 0.9.8\fR i nowszych nie jest +kompatybilna implementacjÄ… \fBOpenSSL 0.9.7\fR. .Sp -Kompresja rle nie jest zaimplementowana w aktualnych wersjach OpenSSL. +Kompresja rle nie jest zaimplementowana w aktualnych wersjach \fBOpenSSL\fR. .IP "\fBdebug\fR = poziom[.podsystem]" 4 .IX Item "debug = poziom[.podsystem]" szczegółowość logowania 
@@ -191,7 +203,7 @@ Wielkość liter jest ignorowana zarówno dla poziomu jak podsystemu. .Sp Opcja pozwala okreÅ›lić Å›cieżkÄ™ do gniazda programu Entropy Gathering Daemon używanego do zainicjalizowania generatora ciÄ…gów pseudolosowych biblioteki -OpenSSL. Opcja jest dostÄ™pna z bibliotekÄ… OpenSSL 0.9.5a lub nowszÄ…. +\&\fBOpenSSL\fR. Opcja jest dostÄ™pna z bibliotekÄ… \fBOpenSSL 0.9.5a\fR lub nowszÄ…. .IP "\fBengine\fR = auto | " 4 .IX Item "engine = auto | " wybór sprzÄ™towego urzÄ…dzenia kryptograficznego @@ -224,15 +236,15 @@ moduÅ‚u kryptograficznego urzÄ…dzenia. .IX Item "fips = yes | no" WÅ‚Ä…cz lub wyÅ‚Ä…cz tryb \s-1FIPS\s0 140\-2. .Sp -Opcja pozwala wyÅ‚Ä…czyć wejÅ›cie w tryb \s-1FIPS\s0, jeÅ›li stunnel zostaÅ‚ skompilowany -ze wsparciem dla \s-1FIPS\s0 140\-2. +Opcja pozwala wyÅ‚Ä…czyć wejÅ›cie w tryb \s-1FIPS\s0, jeÅ›li \fBstunnel\fR zostaÅ‚ +skompilowany ze wsparciem dla \s-1FIPS\s0 140\-2. .Sp domyÅ›lnie: yes (pracuj w trybie \s-1FIPS\s0 140\-2) .IP "\fBforeground\fR = yes | no (tylko Unix)" 4 .IX Item "foreground = yes | no (tylko Unix)" tryb pierwszoplanowy .Sp -Użycie tej opcji powoduje, że \fIstunnel\fR nie przechodzi w tÅ‚o logujÄ…c +Użycie tej opcji powoduje, że \fBstunnel\fR nie przechodzi w tÅ‚o logujÄ…c swoje komunikaty na konsolÄ™ zamiast przez \fIsyslog\fR (o ile nie użyto opcji \fIoutput\fR). .IP "\fBoutput\fR = plik" 4 @@ -256,7 +268,7 @@ wzglÄ™dem tego katalogu. .IX Item "RNDbytes = liczba_bajtów" liczba bajtów do zainicjowania generatora pseudolosowego .Sp -W wersjach biblioteki OpenSSL starszych niż 0.9.5a opcja ta okreÅ›la +W wersjach biblioteki \fBOpenSSL\fR starszych niż \fB0.9.5a\fR opcja ta okreÅ›la również liczbÄ™ bajtów wystarczajÄ…cych do zainicjowania \s-1PRNG\s0. Nowsze wersje biblioteki majÄ… wbudowanÄ… funkcjÄ™ okreÅ›lajÄ…cÄ…, czy dostarczona ilość losowoÅ›ci jest wystarczajÄ…ca do zainicjowania generatora. 
@@ -264,7 +276,7 @@ dostarczona ilość losowoÅ›ci jest wystarczajÄ…ca do zainicjowania generatora. .IX Item "RNDfile = plik" Å›cieżka do pliku zawierajÄ…cego losowe dane .Sp -Biblioteka OpenSSL użyje danych z tego pliku do zainicjowania +Biblioteka \fBOpenSSL\fR użyje danych z tego pliku do zainicjowania generatora pseudolosowego. .IP "\fBRNDoverwrite\fR = yes | no" 4 .IX Item "RNDoverwrite = yes | no" @@ -278,10 +290,10 @@ użyj parametru jako nazwy serwisu dla biblioteki \s-1TCP\s0 Wrapper w trybie \f domyÅ›lnie: stunnel .IP "\fBsetgid\fR = identyfikator_grupy (tylko Unix)" 4 .IX Item "setgid = identyfikator_grupy (tylko Unix)" -grupa z której prawami pracowaÅ‚ bÄ™dzie \fIstunnel\fR +grupa z której prawami pracowaÅ‚ bÄ™dzie \fBstunnel\fR .IP "\fBsetuid\fR = identyfikator_użytkownika (tylko Unix)" 4 .IX Item "setuid = identyfikator_użytkownika (tylko Unix)" -użytkownik, z którego prawami pracowaÅ‚ bÄ™dzie \fIstunnel\fR +użytkownik, z którego prawami pracowaÅ‚ bÄ™dzie \fBstunnel\fR .IP "\fBsocket\fR = a|l|r:option=value[:value]" 4 .IX Item "socket = a|l|r:option=value[:value]" ustaw opcjÄ™ na akceptujÄ…cym/lokalnym/zdalnym gnieździe @@ -330,7 +342,7 @@ lub \fItcpserver\fR), należy przeczytać sekcjÄ™ \fI\s-1TRYB\s0 \s-1INETD\s0\fR .IX Item "accept = [adres:]port" nasÅ‚uchuje na poÅ‚Ä…czenia na podanym adresie i porcie .Sp -Jeżeli nie zostaÅ‚ podany adres, \fIstunnel\fR domyÅ›lnie nasÅ‚uchuje +Jeżeli nie zostaÅ‚ podany adres, \fBstunnel\fR domyÅ›lnie nasÅ‚uchuje na wszystkich adresach IPv4 lokalnych interfejsów. .Sp Aby nasÅ‚uchiwać na wszystkich adresach IPv6 należy użyć: 
@@ -347,8 +359,8 @@ jeżeli użyta zostaÅ‚a opcja \fIverify\fR. Pliki z certyfikatami muszÄ… posiadać specjalne nazwy \s-1XXXXXXXX\s0.0, gdzie \s-1XXXXXXXX\s0 jest skrótem kryptograficznym reprezentacji \s-1DER\s0 nazwy podmiotu certyfikatu. .Sp -Funkcja skrótu zostaÅ‚a zmieniona w wersji 1.0.0 biblioteki OpenSSL. -Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x. +Funkcja skrótu zostaÅ‚a zmieniona w \fBOpenSSL 1.0.0\fR. +Należy wykonać c_rehash przy zmianie \fBOpenSSL 0.x.x\fR na \fB1.x.x\fR. .Sp Jeżeli zdefiniowano katalog \fIchroot\fR, to Å›cieżka do \fICApath\fR jest okreÅ›lona wzglÄ™dem tego katalogu. @@ -381,7 +393,7 @@ domyÅ›lnie: no (tryb serwerowy) .IX Item "connect = [adres:]port" poÅ‚Ä…cz siÄ™ ze zdalnym serwerem na podany port .Sp -Jeżeli nie zostaÅ‚ podany adres, \fIstunnel\fR domyÅ›lnie Å‚Ä…czy siÄ™ +Jeżeli nie zostaÅ‚ podany adres, \fBstunnel\fR domyÅ›lnie Å‚Ä…czy siÄ™ z lokalnym serwerem. .Sp Komenda może byc użyta wielokrotnie w pojedynczej sekcji @@ -396,8 +408,8 @@ jeżeli użyta zostaÅ‚a opcja \fIverify\fR. Pliki z listami \s-1CRL\s0 muszÄ… posiadać specjalne nazwy \s-1XXXXXXXX\s0.r0, gdzie \s-1XXXXXXXX\s0 jest skrótem listy \s-1CRL\s0. .Sp -Funkcja skrótu zostaÅ‚a zmieniona w wersji 1.0.0 biblioteki OpenSSL. -Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x. +Funkcja skrótu zostaÅ‚a zmieniona \fBOpenSSL 1.0.0\fR. +Należy wykonać c_rehash przy zmianie \fBOpenSSL 0.x.x\fR na \fB1.x.x\fR. .Sp Jeżeli zdefiniowano katalog \fIchroot\fR, to Å›cieżka do \fICRLpath\fR jest okreÅ›lona wzglÄ™dem tego katalogu. 
@@ -423,7 +435,7 @@ domyÅ›lnie: prime256v1 opóźnij rozwiniÄ™cie adresu \s-1DNS\s0 podanego w opcji \fIconnect\fR .Sp Opcja jest przydatna przy dynamicznym \s-1DNS\s0, albo gdy usÅ‚uga \s-1DNS\s0 nie jest -dostÄ™pna przy starcie programu stunnel (klient \s-1VPN\s0, poÅ‚Ä…czenie wdzwaniane). +dostÄ™pna przy starcie programu \fBstunnel\fR (klient \s-1VPN\s0, poÅ‚Ä…czenie wdzwaniane). .IP "\fBengineNum\fR = " 4 .IX Item "engineNum = " wybierz urzÄ…dzenie do odczyta klucza prywatnego 
@@ -480,32 +492,36 @@ domyÅ›lnie: yes .Sp DomyÅ›lnie używane jest \s-1IP\s0 najbardziej zewnÄ™trznego interfejsu w stronÄ™ serwera, do którego nawiÄ…zywane jest poÅ‚Ä…czenie. -.IP "\fBsni\fR = nazwa_usÅ‚ugi:nazwa_serwera (tryb serwera)" 4 -.IX Item "sni = nazwa_usÅ‚ugi:nazwa_serwera (tryb serwera)" +.IP "\fBsni\fR = nazwa_usÅ‚ugi:wzorzec_nazwy_serwera (tryb serwera)" 4 +.IX Item "sni = nazwa_usÅ‚ugi:wzorzec_nazwy_serwera (tryb serwera)" Użyj usÅ‚ugi jako podrzÄ™dnej (virtualnego serwera) dla rozszerzenia \s-1TLS\s0 Server Name Indication (\s-1RFC\s0 3546). .Sp \&\fInazwa_usÅ‚ugi\fR wskazuje usÅ‚ugÄ™ nadrzÄ™dnÄ…, która odbiera poÅ‚Ä…czenia od klientów -przy pomocy opcji \fIaccept\fR. \fInazwa_serwera\fR wskazuje nazwÄ™ serwera -wirtualnego. Z pojedyÅ„czÄ… usÅ‚ugÄ… nadrzÄ™dnÄ… powiÄ…zane jest zwykle wiele usÅ‚ug -podrzÄ™dnych. Opcja \fIsni\fR może być rownież użyta wielokrotnie w ramach jednej -usÅ‚ugi podrzÄ™dnej. +przy pomocy opcji \fIaccept\fR. \fIwzorzec_nazwy_serwera\fR wskazuje nazwÄ™ serwera +wirtualnego. Wzorzec może zaczynać siÄ™ znakiem '*', np. '*.example.com". +Z pojedyÅ„czÄ… usÅ‚ugÄ… nadrzÄ™dnÄ… powiÄ…zane jest zwykle wiele usÅ‚ug podrzÄ™dnych. +Opcja \fIsni\fR może być rownież użyta wielokrotnie w ramach jednej usÅ‚ugi +podrzÄ™dnej. .Sp Zarówno usÅ‚uga nadrzÄ™dna jak i podrzÄ™dna nie może być skonfigurowana w trybie -klienckim. Opcja \fIconnect\fR usÅ‚ugi podrzÄ™dnej jest ignorowana w poÅ‚Ä…czeniu z -opcjÄ… \fIprotocol\fR, gdyż poÅ‚Ä…czenie do zdalnego serwera jest w tym wypadku -nawiÄ…zywane przed negocjacjÄ… \s-1TLS\s0. Uwierzytelnienie przy pomocy biblioteki -libwrap jest realizowane dwukrotnie: najpierw dla usÅ‚ugi nadrzÄ™dnej po -odebraniu poÅ‚Ä…czenia \s-1TCP\s0, a nastÄ™pnie dla usÅ‚ugi podrzÄ™dnej podczas negocjacji -\&\s-1TLS\s0. +klienckim. .Sp -Opcja \fIsni\fR jest dostÄ™pna poczÄ…wszy od wersji 1.0.0 biblioteki OpenSSL. 
+Opcja \fIconnect\fR usÅ‚ugi podrzÄ™dnej jest ignorowana w poÅ‚Ä…czeniu z opcjÄ… +\&\fIprotocol\fR, gdyż poÅ‚Ä…czenie do zdalnego serwera jest w tym wypadku nawiÄ…zywane +przed negocjacjÄ… \s-1TLS\s0. +.Sp +Uwierzytelnienie przy pomocy biblioteki libwrap jest realizowane dwukrotnie: +najpierw dla usÅ‚ugi nadrzÄ™dnej po odebraniu poÅ‚Ä…czenia \s-1TCP\s0, a nastÄ™pnie dla +usÅ‚ugi podrzÄ™dnej podczas negocjacji \s-1TLS\s0. +.Sp +Opcja \fIsni\fR jest dostÄ™pna poczÄ…wszy od \fBOpenSSL 1.0.0\fR. .IP "\fBsni\fR = nazwa_serwera (tryb klienta)" 4 .IX Item "sni = nazwa_serwera (tryb klienta)" Użyj parametru jako wartoÅ›ci rozszerzenia \s-1TLS\s0 Server Name Indication (\s-1RFC\s0 3546). .Sp -Opcja \fIsni\fR jest dostÄ™pna poczÄ…wszy od wersji 1.0.0 biblioteki OpenSSL. +Opcja \fIsni\fR jest dostÄ™pna poczÄ…wszy od \fBOpenSSL 1.0.0\fR. .IP "\fB\s-1OCSP\s0\fR = \s-1URL\s0" 4 .IX Item "OCSP = URL" serwer \s-1OCSP\s0 do weryfikacji certyfikatów @@ -519,7 +535,7 @@ aktualnie wspierane flagi: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NO Aby wyspecyfikować kilka flag należy użyć \fIOCSPflag\fR wielokrotnie. .IP "\fBoptions\fR = opcje_SSL" 4 .IX Item "options = opcje_SSL" -opcje biblioteki OpenSSL +opcje biblioteki \fBOpenSSL\fR .Sp Parametrem jest nazwa opcji zgodnie z opisem w \fI\fISSL_CTX_set_options\fI\|(3ssl)\fR, ale bez przedrostka \fI\s-1SSL_OP_\s0\fR. @@ -533,8 +549,10 @@ w programie Eudora można użyć opcji: .Ve .IP "\fBprotocol\fR = protokół" 4 .IX Item "protocol = protokół" -negocjuj \s-1SSL\s0 podanym protokoÅ‚em aplikacyjnym (np. \fIstarttls\fR lub \fIstls\fR) +negocjuj \s-1SSL\s0 podanym protokoÅ‚em aplikacyjnym .Sp +Opcja ta wÅ‚Ä…cza wstÄ™pnÄ… negocjacjÄ™ szyfrowania \s-1SSL\s0 dla wybranego protokoÅ‚u +aplikacyjnego. Opcji \fIprotocol\fR nie należy używać z szyfrowaniem \s-1SSL\s0 na osobnym porcie. .Sp Aktualnie wspierane protokoÅ‚y: 
@@ -583,6 +601,13 @@ domyÅ›lnie: basic .IP "\fBprotocolHost\fR = adres:port" 4 .IX Item "protocolHost = adres:port" adres docelowy do negocjacji protokoÅ‚u +.Sp +\&\fIprotocolHost\fR okreÅ›la docelowy serwer \s-1SSL\s0, do którego poÅ‚Ä…czyć ma siÄ™ proxy. +Nie jest to adres serwera proxy, do którego poÅ‚Ä…czenie zestawia \fBstunnel\fR. +Adres serwera proxy powinien być okreÅ›lony przy pomocy opcji 'connect'. +.Sp +W obecnej wersji adres docelowy protokoÅ‚u ma zastosowanie wyÅ‚Ä…cznie w protokole +\&'connect'. .IP "\fBprotocolPassword\fR = hasÅ‚o" 4 .IX Item "protocolPassword = hasÅ‚o" hasÅ‚o do negocjacji protokoÅ‚u 
@@ -592,14 +617,50 @@ nazwa użytkownika do negocjacji protokoÅ‚u .IP "\fBpty\fR = yes | no (tylko Unix)" 4 .IX Item "pty = yes | no (tylko Unix)" alokuj pseudoterminal dla programu uruchamianego w opcji 'exec' -.IP "\fBretry\fR = yes | no (tylko Unix)" 4 -.IX Item "retry = yes | no (tylko Unix)" +.IP "\fBrenegotiation\fR = yes | no" 4 +.IX Item "renegotiation = yes | no" +pozwalaj na renegocjacjÄ™ \s-1SSL\s0 +.Sp +WÅ›ród zastosowaÅ„ renegocjacji \s-1SSL\s0 sÄ… niektóre scenariusze uwierzytelnienia, +oraz renegocjacja kluczy dla dÅ‚ugotrwaÅ‚ych poÅ‚Ä…czeÅ„. +.Sp +Z drugiej strony wÅ‚asność na może uÅ‚atwić trywialny atak DoS poprzez +wygenerowanie obciążenia procesora: +.Sp +http://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html +.Sp +Warto zauważyć, że zablokowanie renegocjacji \s-1SSL\s0 nie zebezpiecza w peÅ‚ni +przed opisanym problemem. +.Sp +domyÅ›lnie: yes (o ile wspierane przez \fBOpenSSL\fR) +.IP "\fBreset\fR = yes | no" 4 +.IX Item "reset = yes | no" +sygnalizuj wystÄ…pienie bÅ‚Ä™du przy pomocy flagi \s-1TCP\s0 \s-1RST\s0 +.Sp +Ta opcja nie jest wspierana na niektórych platformach. +.Sp +domyÅ›lnie: yes +.IP "\fBretry\fR = yes | no" 4 +.IX Item "retry = yes | no" poÅ‚Ä…cz ponownie sekcjÄ™ connect+exec po rozÅ‚Ä…czeniu .Sp domyÅ›lnie: no -.IP "\fBsession\fR = przeterminowanie_pamiÄ™ci_podrÄ™cznej_sesji" 4 -.IX Item "session = przeterminowanie_pamiÄ™ci_podrÄ™cznej_sesji" -czas w sekundach, po którym sesja \s-1SSL\s0 zostanie usuniÄ™ta z pamiÄ™ci podrÄ™cznej +.IP "\fBsessionCacheSize\fR = rozmiar" 4 +.IX Item "sessionCacheSize = rozmiar" +rozmiar pamiÄ™ci podrÄ™cznej sesji \s-1SSL\s0 +.Sp +Parametr okreÅ›la maksymalnÄ… liczbÄ™ pozycji wewnÄ™trznej pamiÄ™ci podrÄ™cznej +sesji. +.Sp +Wartość 0 oznacza brak ograniczenia rozmiaru. Nie jest to zalecane dla +systemów produkcyjnych z uwagi na ryzyko ataku DoS przez wyczerpanie pamiÄ™ci +\&\s-1RAM\s0. 
+.IP "\fBsessionCacheTimeout\fR = czas" 4 +.IX Item "sessionCacheTimeout = czas" +przeterminowanie pamiÄ™ci podrÄ™cznej sesji \s-1SSL\s0 +.Sp +Parametr okreÅ›la czas w sekundach, po którym sesja \s-1SSL\s0 zostanie usuniÄ™ta z +pamiÄ™ci podrÄ™cznej. .IP "\fBsessiond\fR = adres:port" 4 .IX Item "sessiond = adres:port" adres sessiond \- servera cache sesji \s-1SSL\s0 @@ -607,7 +668,7 @@ adres sessiond \- servera cache sesji \s-1SSL\s0 .IX Item "sslVersion = wersja" wersja protokoÅ‚u \s-1SSL\s0 .Sp -Dozwolone opcje: all, SSLv2, SSLv3, TLSv1 +Dozwolone opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 .IP "\fBstack\fR = liczba_bajtów (z wyjÄ…tkiem modelu \s-1FORK\s0)" 4 .IX Item "stack = liczba_bajtów (z wyjÄ…tkiem modelu FORK)" rozmiar stosu procesora wÄ…tku @@ -635,7 +696,7 @@ Zablokuj wsparcie dla przezroczystago proxy. Jest to wartość domyÅ›lna. .IP "\fBsource\fR" 4 .IX Item "source" Przepisz adres, aby nawiÄ…zywane poÅ‚Ä…czenie wydawaÅ‚o siÄ™ pochodzić -bezpoÅ›rednio od klienta, a nie od programu \fIstunnel\fR. +bezpoÅ›rednio od klienta, a nie od programu \fBstunnel\fR. .Sp Opcja jest aktualnie obsÅ‚ugiwana w: .RS 4 @@ -659,7 +720,7 @@ Konfiguracja ta wymaga, aby \fBstunnel\fR byÅ‚ wykonywany jako root i bez opcji .IX Item "Trybie zdalnym (opcja connect) w systemie Linux 2.2.x" Konfiguracja ta wymaga skompilowania jÄ…dra z opcjÄ… \fItransparent proxy\fR. Docelowa usÅ‚uga musi być umieszczona na osobnej maszynie, do której routing -kierowany jest poprzez serwer stunnela. +kierowany jest poprzez serwer \fBstunnela\fR. .Sp Dodatkowo \fBstunnel\fR powinien być wykonywany jako root i bez opcji \fIsetuid\fR. .IP "Trybie zdalnym (opcja \fIconnect\fR) w systemie \fIFreeBSD >=8.0\fR" 4 
@@ -717,23 +778,27 @@ Opcja zostaÅ‚a przemianowana na \fInone\fR. .IX Item "verify = poziom" weryfikuj certyfikat drugiej strony poÅ‚Ä…czenia .RS 4 -.IP "\fIpoziom 0\fR \- zarzÄ…daj certyfikatu i zignoruj go" 4 -.IX Item "poziom 0 - zarzÄ…daj certyfikatu i zignoruj go" -.PD 0 -.IP "\fIpoziom 1\fR \- weryfikuj, jeżeli zostaÅ‚ przedstawiony" 4 -.IX Item "poziom 1 - weryfikuj, jeżeli zostaÅ‚ przedstawiony" -.IP "\fIpoziom 2\fR \- weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji" 4 -.IX Item "poziom 2 - weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji" -.IP "\fIpoziom 3\fR \- weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony" 4 -.IX Item "poziom 3 - weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony" -.IP "\fIpoziom 4\fR \- weryfikuj z certyfikatem drugiej strony ignorujÄ…c Å‚aÅ„cuch \s-1CA\s0" 4 -.IX Item "poziom 4 - weryfikuj z certyfikatem drugiej strony ignorujÄ…c Å‚aÅ„cuch CA" -.IP "\fIdomyÅ›lnie\fR \- nie weryfikuj" 4 -.IX Item "domyÅ›lnie - nie weryfikuj" +.IP "\fIpoziom 0\fR" 4 +.IX Item "poziom 0" +zarzÄ…daj certyfikatu i zignoruj go +.IP "\fIpoziom 1\fR" 4 +.IX Item "poziom 1" +weryfikuj, jeżeli zostaÅ‚ przedstawiony +.IP "\fIpoziom 2\fR" 4 +.IX Item "poziom 2" +weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji +.IP "\fIpoziom 3\fR" 4 +.IX Item "poziom 3" +weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony +.IP "\fIpoziom 4\fR" 4 +.IX Item "poziom 4" +weryfikuj z certyfikatem drugiej strony ignorujÄ…c Å‚aÅ„cuch \s-1CA\s0 +.IP "\fIdomyÅ›lnie\fR" 4 +.IX Item "domyÅ›lnie" +nie weryfikuj .RE .RS 4 .RE -.PD .SH "ZWRACANA WARTOŚĆ" .IX Header "ZWRACANA WARTOŚĆ" \&\fBstunnel\fR zwraca zero w przypadku sukcesu, lub wartość niezerowÄ… 
@@ -760,17 +825,17 @@ setuid .RE .RS 4 .Sp -Jeżeli wykorzystywana jest opcja 'setuid' stunnel nie bÄ™dzie mógÅ‚ zaÅ‚adować +Jeżeli wykorzystywana jest opcja 'setuid' \fBstunnel\fR nie bÄ™dzie mógÅ‚ zaÅ‚adować ponownie konfiguracji wykorzystujÄ…cej uprzywilejowane (<1024) porty. .Sp -Jeżeli wykorzystywana jest opcja 'chroot' stunnel bÄ™dzie szukaÅ‚ wszystkich +Jeżeli wykorzystywana jest opcja 'chroot' \fBstunnel\fR bÄ™dzie szukaÅ‚ wszystkich potrzebnych plików (Å‚Ä…cznie z plikiem konfiguracyjnym, certyfikatami, logiem i plikiem pid) wewnÄ…trz katalogu wskazanego przez 'chroot'. .RE .IP "\s-1SIGUSR1\s0" 4 .IX Item "SIGUSR1" Zamknij i otwórz ponownie log. -Funkcja ta może zostać użyta w skrypcie rotujÄ…cym log programu stunnel. +Funkcja ta może zostać użyta w skrypcie rotujÄ…cym log programu \fBstunnel\fR. .IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4 .IX Item "SIGTERM, SIGQUIT, SIGINT" ZakoÅ„cz dziaÅ‚anie programu. @@ -819,7 +884,7 @@ konfiguracyjnym nie ma sekcji \fI[nazwa_usÅ‚ugi]\fR. .IX Header "NOTKI" .SS "\s-1OGRANICZENIA\s0" .IX Subsection "OGRANICZENIA" -\&\fIstunnel\fR nie może być używany do szyfrowania protokoÅ‚u \fI\s-1FTP\s0\fR, +\&\fBstunnel\fR nie może być używany do szyfrowania protokoÅ‚u \fI\s-1FTP\s0\fR, ponieważ do przesyÅ‚ania poszczególnych plików używa on dodatkowych poÅ‚Ä…czeÅ„ otwieranych na portach o dynamicznie przydzielanych numerach. IstniejÄ… jednak specjalne wersje klientów i serwerów \s-1FTP\s0 pozwalajÄ…ce 
@@ -854,9 +919,9 @@ Protokół \s-1SSL\s0 wymaga, aby każdy serwer przedstawiaÅ‚ siÄ™ nawiÄ…zujÄ…ce poÅ‚Ä…czenie klientowi prawidÅ‚owym certyfikatem X.509. Potwierdzenie tożsamoÅ›ci serwera polega na wykazaniu, że posiada on odpowiadajÄ…cy certyfikatowi klucz prywatny. -NajprostszÄ… metodÄ… uzyskania certyfikatu jest wygenerowanie -go przy pomocy wolnego pakietu \fIOpenSSL\fR. WiÄ™cej informacji na temat -generowania certyfikatów można znaleźć na umieszczonych poniżej stronach. +NajprostszÄ… metodÄ… uzyskania certyfikatu jest wygenerowanie go przy pomocy +wolnego pakietu \fBOpenSSL\fR. WiÄ™cej informacji na temat generowania +certyfikatów można znaleźć na umieszczonych poniżej stronach. .PP IstotnÄ… kwestiÄ… jest kolejność zawartoÅ›ci pliku \fI.pem\fR. W pierwszej kolejnoÅ›ci powinien on zawierać klucz prywatny, @@ -902,11 +967,11 @@ programu. .IP "\(bu" 4 UrzÄ…dzenie /dev/urandom. .PP -Współczesne (>=0.9.5a) wersje biblioteki \fIOpenSSL\fR automatycznie +Współczesne (\fB0.9.5a\fR lub nowsze) wersje biblioteki \fBOpenSSL\fR automatycznie zaprzestajÄ… Å‚adowania kolejnych danych w momencie uzyskania wystarczajÄ…cej iloÅ›ci entropii. WczeÅ›niejsze wersje biblioteki wykorzystajÄ… wszystkie -powyższe źródÅ‚a, gdyż nie istnieje tam funkcja pozwalajÄ…ca okreÅ›lić, -czy uzyskano już wystarczajÄ…co dużo danych. +powyższe źródÅ‚a, gdyż nie istnieje tam funkcja pozwalajÄ…ca okreÅ›lić, czy +uzyskano już wystarczajÄ…co dużo danych. .PP Warto zwrócić uwagÄ™, że na maszynach z systemem Windows, na których konsoli nie pracuje użytkownik, zawartość ekranu nie jest wystarczajÄ…co 
@@ -918,17 +983,17 @@ Plik \fIRNDfile\fR powinien zawierać dane losowe \*(-- również w tym sensie, O ile nie użyta zostaÅ‚a opcja \fIRNDoverwrite\fR jest to robione automatycznie. Do rÄ™cznego uzyskania takiego pliku użyteczna może być komenda \fIopenssl rand\fR dostarczana ze współczesnymi -wersjami pakietu \fIOpenSSL\fR. +wersjami pakietu \fBOpenSSL\fR. .PP Jeszcze jedna istotna informacja \*(-- jeżeli dostÄ™pne jest urzÄ…dzenie -\&\fI/dev/urandom\fR biblioteka \fIOpenSSL\fR ma zwyczaj zasilania nim \s-1PRNG\s0 w trakcie +\&\fI/dev/urandom\fR biblioteka \fBOpenSSL\fR ma zwyczaj zasilania nim \s-1PRNG\s0 w trakcie sprawdzania stanu generatora. W systemach z \fI/dev/urandom\fR urzÄ…dzenie to bÄ™dzie najprawdopodobniej użyte, pomimo że znajduje siÄ™ na samym koÅ„cu -powyższej listy. Jest to wÅ‚aÅ›ciwość biblioteki \fIOpenSSL\fR, a nie programu -\&\fIstunnel\fR. +powyższej listy. Jest to wÅ‚aÅ›ciwość biblioteki \fBOpenSSL\fR, a nie programu +\&\fBstunnel\fR. .SS "\s-1PARAMETRY\s0 \s-1DH\s0" .IX Subsection "PARAMETRY DH" -PoczÄ…wszy od wersji 4.40 stunnel zawiera w kodzie programu 2048\-bitowe +PoczÄ…wszy od wersji 4.40 \fBstunnel\fR zawiera w kodzie programu 2048\-bitowe parametry \s-1DH\s0. .PP Alternatywnie parametry \s-1DH\s0 można umieÅ›cić w pliku razem z certyfikatem: @@ -945,7 +1010,7 @@ Wygenerowanie parametrów \s-1DH\s0 może zająć nawet wiele minut. plik konfiguracyjny programu .SH "BÅĘDY" .IX Header "BÅĘDY" -Opcja \fIexecargs\fR nie obsÅ‚uguje cytowania. +Opcja \fIexecargs\fR oraz linia komend Win32 nie obsÅ‚uguje cytowania. .SH "ZOBACZ RÓWNIEÅ»" .IX Header "ZOBACZ RÓWNIEÅ»" .IP "\fItcpd\fR\|(8)" 4 
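Review bot: in the BŁĘDY hunk the new line "Opcja \fIexecargs\fR oraz linia komend Win32 nie obsÅ‚uguje cytowania." has a compound subject (the execargs option and the Win32 command line) but keeps the singular verb; it should read "nie obsługują cytowania". It would also help the reader to say whose command line is meant, i.e. the arguments passed to stunnel itself on Win32, so that the sentence is not read as a statement about cmd.exe quoting in general.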
@@ -956,10 +1021,10 @@ biblioteka kontroli dostÄ™pu do usÅ‚ug internetowych \&'super\-serwer' internetowy .IP "\fIhttp://www.stunnel.org/\fR" 4 .IX Item "http://www.stunnel.org/" -strona domowa programu \fIstunnel\fR +strona domowa programu \fBstunnel\fR .IP "\fIhttp://www.openssl.org/\fR" 4 .IX Item "http://www.openssl.org/" -strona projektu \fIOpenSSL\fR +strona projektu \fBOpenSSL\fR .SH "AUTOR" .IX Header "AUTOR" .IP "MichaÅ‚ Trojnara" 4 diff --git a/doc/stunnel.pl.html b/doc/stunnel.pl.html index a054ee8..e9b2433 100644 --- a/doc/stunnel.pl.html +++ b/doc/stunnel.pl.html @@ -156,29 +156,29 @@ odinstalowaniu

PLIK KONFIGURACYJNY

Linia w pliku konfiguracyjnym może być:

Parametr adres może być:

@@ -194,6 +194,18 @@ odinstalowaniu

połączeń. Ścieżki podane w opcjach CApath, CRLpath, pid oraz exec muszą być umieszczone wewnątrz katalogu podanego w opcji chroot i określone względem tego katalogu.

+

Niektóre funkcje systemu operacyjnego mogą wymagać dodatkowych plików umieszczonych w katalogu podanego w parametrze chroot:

+
    +
  • +

    opóźnione rozwinięcie adresów DNS typowo wymaga /etc/nsswitch.conf i /etc/resolv.conf

    +
  • +
  • +

    lokalizacja strefy czasowej w logach wymaga pliku /etc/timezone

    +
  • +
  • +

    niektóre inne pliki mogą potrzebować plików urządzeń, np. /dev/zero lub /dev/null

    +
  • +
compression = deflate | zlib | rle
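Review bot: in the new chroot paragraph "w katalogu podanego w parametrze chroot" does not agree in case; it should be "w katalogu podanym w parametrze chroot". The third bullet, "niektóre inne pliki mogą potrzebować plików urządzeń", says that files need device files, which does not fit the sentence it hangs from (operating-system functions needing extra files inside the jail); "niektóre inne funkcje mogą potrzebować plików urządzeń, np. /dev/zero lub /dev/null" is presumably what was meant, and it matches the first two bullets, which each name a function (delayed DNS resolution, timezone in logs).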
@@ -201,9 +213,9 @@ oraz exec muszą być umieszczone wewnątrz katalogu podanego w opcji

wybór algorytmu kompresji przesyłanych danych

domyślnie: bez kompresji

Algorytm deflate jest standardowÄ… metodÄ… kompresji zgodnie z RFC 1951.

-

Kompresja zlib zaimplementowana w OpenSSL 0.9.8 i nowszych nie jest -kompatybilna implementacjÄ… OpenSSL 0.9.7.

-

Kompresja rle nie jest zaimplementowana w aktualnych wersjach OpenSSL.

+

Kompresja zlib zaimplementowana w OpenSSL 0.9.8 i nowszych nie jest +kompatybilna implementacjÄ… OpenSSL 0.9.7.

+

Kompresja rle nie jest zaimplementowana w aktualnych wersjach OpenSSL.

debug = poziom[.podsystem]
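Review bot: the zlib sentence is rewrapped but keeps a missing preposition: "nie jest kompatybilna implementacją OpenSSL 0.9.7" should be "nie jest kompatybilna z implementacją OpenSSL 0.9.7". Since this hunk already rewrites exactly that line, it is the place to fix it.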
@@ -225,7 +237,7 @@ Podsystemy nie sÄ… wspierane przez platformÄ™ Win32.

ścieżka do gniazda programu Entropy Gathering Daemon

Opcja pozwala określić ścieżkę do gniazda programu Entropy Gathering Daemon używanego do zainicjalizowania generatora ciągów pseudolosowych biblioteki -OpenSSL. Opcja jest dostępna z biblioteką OpenSSL 0.9.5a lub nowszą.

+OpenSSL. Opcja jest dostępna z biblioteką OpenSSL 0.9.5a lub nowszą.

engine = auto | <identyfikator urzÄ…dzenia>
@@ -258,15 +270,15 @@ modułu kryptograficznego urządzenia.

Włącz lub wyłącz tryb FIPS 140-2.

-

Opcja pozwala wyłączyć wejście w tryb FIPS, jeśli stunnel został skompilowany -ze wsparciem dla FIPS 140-2.

+

Opcja pozwala wyłączyć wejście w tryb FIPS, jeśli stunnel został +skompilowany ze wsparciem dla FIPS 140-2.

domyślnie: yes (pracuj w trybie FIPS 140-2)

foreground = yes | no (tylko Unix)

tryb pierwszoplanowy

-

Użycie tej opcji powoduje, że stunnel nie przechodzi w tło logując +

Użycie tej opcji powoduje, że stunnel nie przechodzi w tło logując swoje komunikaty na konsolę zamiast przez syslog (o ile nie użyto opcji output).

@@ -291,7 +303,7 @@ względem tego katalogu.

liczba bajtów do zainicjowania generatora pseudolosowego

-

W wersjach biblioteki OpenSSL starszych niż 0.9.5a opcja ta określa +

W wersjach biblioteki OpenSSL starszych niż 0.9.5a opcja ta określa również liczbę bajtów wystarczających do zainicjowania PRNG. Nowsze wersje biblioteki mają wbudowaną funkcję określającą, czy dostarczona ilość losowości jest wystarczająca do zainicjowania generatora.

@@ -300,7 +312,7 @@ dostarczona ilość losowości jest wystarczająca do zainicjowania generatora.<

ścieżka do pliku zawierającego losowe dane

-

Biblioteka OpenSSL użyje danych z tego pliku do zainicjowania +

Biblioteka OpenSSL użyje danych z tego pliku do zainicjowania generatora pseudolosowego.

RNDoverwrite = yes | no
@@ -318,12 +330,12 @@ generatora pseudolosowego.

setgid = identyfikator_grupy (tylko Unix)
-

grupa z której prawami pracował będzie stunnel

+

grupa z której prawami pracował będzie stunnel

setuid = identyfikator_użytkownika (tylko Unix)
-

użytkownik, z którego prawami pracował będzie stunnel

+

użytkownik, z którego prawami pracował będzie stunnel

socket = a|l|r:option=value[:value]
@@ -375,7 +387,7 @@ lub tcpserver), należy przeczytać sekcję TRYB INETD poniże

nasłuchuje na połączenia na podanym adresie i porcie

-

Jeżeli nie został podany adres, stunnel domyślnie nasłuchuje +

Jeżeli nie został podany adres, stunnel domyślnie nasłuchuje na wszystkich adresach IPv4 lokalnych interfejsów.

Aby nasłuchiwać na wszystkich adresach IPv6 należy użyć:

@@ -389,8 +401,8 @@ na wszystkich adresach IPv4 lokalnych interfejsów.

jeżeli użyta została opcja verify. Pliki z certyfikatami muszą posiadać specjalne nazwy XXXXXXXX.0, gdzie XXXXXXXX jest skrótem kryptograficznym reprezentacji DER nazwy podmiotu certyfikatu.

-

Funkcja skrótu została zmieniona w wersji 1.0.0 biblioteki OpenSSL. -Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.

+

Funkcja skrótu została zmieniona w OpenSSL 1.0.0. +Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.

Jeżeli zdefiniowano katalog chroot, to ścieżka do CApath jest określona względem tego katalogu.

@@ -427,7 +439,7 @@ otwieraniu nowych połączeń SSL, np.: DES-CBC3-SHA:IDEA-CBC-MD5

połącz się ze zdalnym serwerem na podany port

-

Jeżeli nie został podany adres, stunnel domyślnie łączy się +

Jeżeli nie został podany adres, stunnel domyślnie łączy się z lokalnym serwerem.

Komenda może byc użyta wielokrotnie w pojedynczej sekcji celem zapewnienia wysokiej niezawodności lub rozłożenia @@ -441,8 +453,8 @@ ruchu pomiędzy wiele serwerów.

jeżeli użyta została opcja verify. Pliki z listami CRL muszą posiadać specjalne nazwy XXXXXXXX.r0, gdzie XXXXXXXX jest skrótem listy CRL.

-

Funkcja skrótu została zmieniona w wersji 1.0.0 biblioteki OpenSSL. -Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.

+

Funkcja skrótu została zmieniona OpenSSL 1.0.0. +Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.

Jeżeli zdefiniowano katalog chroot, to ścieżka do CRLpath jest określona względem tego katalogu.

@@ -467,7 +479,7 @@ przez opcjÄ™ verify.

opóźnij rozwinięcie adresu DNS podanego w opcji connect

Opcja jest przydatna przy dynamicznym DNS, albo gdy usługa DNS nie jest -dostępna przy starcie programu stunnel (klient VPN, połączenie wdzwaniane).

+dostępna przy starcie programu stunnel (klient VPN, połączenie wdzwaniane).

engineNum = <numer urzÄ…dzenia>
@@ -528,31 +540,33 @@ komendÄ…:

Domyślnie używane jest IP najbardziej zewnętrznego interfejsu w stronę serwera, do którego nawiązywane jest połączenie.

-
sni = nazwa_usługi:nazwa_serwera (tryb serwera)
+
sni = nazwa_usługi:wzorzec_nazwy_serwera (tryb serwera)

Użyj usługi jako podrzędnej (virtualnego serwera) dla rozszerzenia TLS Server Name Indication (RFC 3546).

nazwa_usługi wskazuje usługę nadrzędną, która odbiera połączenia od klientów -przy pomocy opcji accept. nazwa_serwera wskazuje nazwę serwera -wirtualnego. Z pojedyńczą usługą nadrzędną powiązane jest zwykle wiele usług -podrzędnych. Opcja sni może być rownież użyta wielokrotnie w ramach jednej -usługi podrzędnej.

+przy pomocy opcji accept. wzorzec_nazwy_serwera wskazuje nazwę serwera +wirtualnego. Wzorzec może zaczynać się znakiem '*', np. '*.example.com". +Z pojedyńczą usługą nadrzędną powiązane jest zwykle wiele usług podrzędnych. +Opcja sni może być rownież użyta wielokrotnie w ramach jednej usługi +podrzędnej.

Zarówno usługa nadrzędna jak i podrzędna nie może być skonfigurowana w trybie -klienckim. Opcja connect usługi podrzędnej jest ignorowana w połączeniu z -opcją protocol, gdyż połączenie do zdalnego serwera jest w tym wypadku -nawiązywane przed negocjacją TLS. Uwierzytelnienie przy pomocy biblioteki -libwrap jest realizowane dwukrotnie: najpierw dla usługi nadrzędnej po -odebraniu połączenia TCP, a następnie dla usługi podrzędnej podczas negocjacji -TLS.

-

Opcja sni jest dostępna począwszy od wersji 1.0.0 biblioteki OpenSSL.

+klienckim.

+

Opcja connect usługi podrzędnej jest ignorowana w połączeniu z opcją +protocol, gdyż połączenie do zdalnego serwera jest w tym wypadku nawiązywane +przed negocjacją TLS.

+

Uwierzytelnienie przy pomocy biblioteki libwrap jest realizowane dwukrotnie: +najpierw dla usługi nadrzędnej po odebraniu połączenia TCP, a następnie dla +usługi podrzędnej podczas negocjacji TLS.

+

Opcja sni jest dostępna począwszy od OpenSSL 1.0.0.

-
sni = nazwa_serwera (tryb klienta)
+
sni = nazwa_serwera (tryb klienta)

Użyj parametru jako wartości rozszerzenia TLS Server Name Indication (RFC 3546).

-

Opcja sni jest dostępna począwszy od wersji 1.0.0 biblioteki OpenSSL.

+

Opcja sni jest dostępna począwszy od OpenSSL 1.0.0.

OCSP = URL
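Review bot: the example in the new server-mode sni text, '*.example.com", opens with a single quote and closes with a double quote; use matching quotes. The same added lines carry "pojedyńczą" (should be "pojedynczą") and "rownież" (should be "również"), and the untouched context has "virtualnego" for "wirtualnego". More importantly, the text only says a pattern may begin with '*'; for an operator who routes clients to different virtual services on one accept port it should state what '*' matches (a single DNS label, or any prefix including dots) and which sni service is chosen when both an exact name and a wildcard match the name the client sent, because that choice decides which certificate and which connect target the client ends up with.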
@@ -570,7 +584,7 @@ NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME

options = opcje_SSL
-

opcje biblioteki OpenSSL

+

opcje biblioteki OpenSSL

Parametrem jest nazwa opcji zgodnie z opisem w SSL_CTX_set_options(3ssl), ale bez przedrostka SSL_OP_. Aby wyspecyfikować kilka opcji należy użyć options wielokrotnie.

@@ -582,8 +596,10 @@ w programie Eudora można użyć opcji:

protocol = protokół
-

negocjuj SSL podanym protokołem aplikacyjnym (np. starttls lub stls)

-

Opcji protocol nie należy używać z szyfrowaniem SSL na osobnym porcie.

+

negocjuj SSL podanym protokołem aplikacyjnym

+

Opcja ta włącza wstępną negocjację szyfrowania SSL dla wybranego protokołu +aplikacyjnego. +Opcji protocol nie należy używać z szyfrowaniem SSL na osobnym porcie.

Aktualnie wspierane protokoły:

cifs
@@ -643,6 +659,11 @@ Wsparcie dla tego rozrzeczenia zostało zarzucone w wersji 3.0.0 serwera Samba.<

adres docelowy do negocjacji protokołu

+

protocolHost określa docelowy serwer SSL, do którego połączyć ma się proxy. +Nie jest to adres serwera proxy, do którego połączenie zestawia stunnel. +Adres serwera proxy powinien być określony przy pomocy opcji 'connect'.

+

W obecnej wersji adres docelowy protokołu ma zastosowanie wyłącznie w protokole +'connect'.

protocolPassword = hasło
@@ -659,16 +680,48 @@ Wsparcie dla tego rozrzeczenia zostało zarzucone w wersji 3.0.0 serwera Samba.<

alokuj pseudoterminal dla programu uruchamianego w opcji 'exec'

-
retry = yes | no (tylko Unix)
+
renegotiation = yes | no
+ +
+

pozwalaj na renegocjacjÄ™ SSL

+

Wśród zastosowań renegocjacji SSL są niektóre scenariusze uwierzytelnienia, +oraz renegocjacja kluczy dla długotrwałych połączeń.

+

Z drugiej strony własność na może ułatwić trywialny atak DoS poprzez +wygenerowanie obciążenia procesora:

+

http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html

+

Warto zauważyć, że zablokowanie renegocjacji SSL nie zebezpiecza w pełni +przed opisanym problemem.

+

domyślnie: yes (o ile wspierane przez OpenSSL)

+
+
reset = yes | no
+ +
+

sygnalizuj wystąpienie błędu przy pomocy flagi TCP RST

+

Ta opcja nie jest wspierana na niektórych platformach.

+

domyślnie: yes

+
+
retry = yes | no

połącz ponownie sekcję connect+exec po rozłączeniu

domyślnie: no

-
session = przeterminowanie_pamięci_podręcznej_sesji
+
sessionCacheSize = rozmiar
-

czas w sekundach, po którym sesja SSL zostanie usunięta z pamięci podręcznej

+

rozmiar pamięci podręcznej sesji SSL

+

Parametr określa maksymalną liczbę pozycji wewnętrznej pamięci podręcznej +sesji.

+

Wartość 0 oznacza brak ograniczenia rozmiaru. Nie jest to zalecane dla +systemów produkcyjnych z uwagi na ryzyko ataku DoS przez wyczerpanie pamięci +RAM.

+
+
sessionCacheTimeout = czas
+ +
+

przeterminowanie pamięci podręcznej sesji SSL

+

Parametr określa czas w sekundach, po którym sesja SSL zostanie usunięta z +pamięci podręcznej.

sessiond = adres:port
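Review bot: the session option is renamed to sessionCacheTimeout (and sessionCacheSize is added) without saying whether the old "session = ..." spelling is still accepted; existing configuration files use it, so either document it as an alias or state that it is now rejected at configuration load. Both new items also lack the "domyślnie:" line that renegotiation, reset and retry carry in this same hunk; the size default matters because the text itself warns that 0 means an unbounded cache and a memory-exhaustion DoS. Typos in the added renegotiation text: "własność na może ułatwić" should be "własność ta może ułatwić", and "zebezpiecza" should be "zabezpiecza".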
@@ -679,7 +732,7 @@ Wsparcie dla tego rozrzeczenia zostało zarzucone w wersji 3.0.0 serwera Samba.<

wersja protokołu SSL

-

Dozwolone opcje: all, SSLv2, SSLv3, TLSv1

+

Dozwolone opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

stack = liczba_bajtów (z wyjątkiem modelu FORK)
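Review bot: TLSv1.1 and TLSv1.2 are added to the allowed sslVersion values, but unlike the sni and EGD entries in this diff the item does not say which OpenSSL version is required (TLS 1.1 and 1.2 support appeared in OpenSSL 1.0.1), nor what "all" resolves to, which is the default an operator gets without this option. A one-line "dostępne z OpenSSL 1.0.1 lub nowszym" would match the style the rest of the file uses for version-dependent options.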
@@ -721,7 +774,7 @@ Wsparcie dla tego rozrzeczenia zostało zarzucone w wersji 3.0.0 serwera Samba.<

Przepisz adres, aby nawiązywane połączenie wydawało się pochodzić -bezpośrednio od klienta, a nie od programu stunnel.

+bezpośrednio od klienta, a nie od programu stunnel.

Opcja jest aktualnie obsługiwana w:

Trybie zdalnym (opcja connect) w systemie Linux >=2.6.28
@@ -744,7 +797,7 @@ bezpośrednio od klienta, a nie od programu stunnel.

Konfiguracja ta wymaga skompilowania jądra z opcją transparent proxy. Docelowa usługa musi być umieszczona na osobnej maszynie, do której routing -kierowany jest poprzez serwer stunnela.

+kierowany jest poprzez serwer stunnela.

Dodatkowo stunnel powinien być wykonywany jako root i bez opcji setuid.

Trybie zdalnym (opcja connect) w systemie FreeBSD >=8.0
@@ -805,18 +858,36 @@ dodatkowe opcje:

weryfikuj certyfikat drugiej strony połączenia

-
poziom 0 - zarzÄ…daj certyfikatu i zignoruj go
+
poziom 0
-
poziom 1 - weryfikuj, jeżeli został przedstawiony
+
+

zarzÄ…daj certyfikatu i zignoruj go

+
+
poziom 1
-
poziom 2 - weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji
+
+

weryfikuj, jeżeli został przedstawiony

+
+
poziom 2
-
poziom 3 - weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony
+
+

weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji

+
+
poziom 3
-
poziom 4 - weryfikuj z certyfikatem drugiej strony ignorując łańcuch CA
+
+

weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony

+
+
poziom 4
-
domyślnie - nie weryfikuj
+
+

weryfikuj z certyfikatem drugiej strony ignorując łańcuch CA

+
+
domyślnie
+
+

nie weryfikuj

+
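Review bot: the level-0 description moved onto its own line still reads "zarządaj certyfikatu i zignoruj go"; the verb is "zażądaj" (request). Since level 0 is the level that asks the peer for a certificate and then performs no verification at all, the wording of that item should be unmistakable, so the typo is worth fixing in this hunk rather than later.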
@@ -838,25 +909,25 @@ w przypadku błędu.

Załaduj ponownie plik konfiguracyjny.

Niektóre globalne opcje nie będą przeładowane:

-

Jeżeli wykorzystywana jest opcja 'setuid' stunnel nie będzie mógł załadować +

Jeżeli wykorzystywana jest opcja 'setuid' stunnel nie będzie mógł załadować ponownie konfiguracji wykorzystującej uprzywilejowane (<1024) porty.

-

Jeżeli wykorzystywana jest opcja 'chroot' stunnel będzie szukał wszystkich +

Jeżeli wykorzystywana jest opcja 'chroot' stunnel będzie szukał wszystkich potrzebnych plików (łącznie z plikiem konfiguracyjnym, certyfikatami, logiem i plikiem pid) wewnątrz katalogu wskazanego przez 'chroot'.

@@ -864,7 +935,7 @@ plikiem pid) wewnÄ…trz katalogu wskazanego przez 'chroot'.

Zamknij i otwórz ponownie log. -Funkcja ta może zostać użyta w skrypcie rotującym log programu stunnel.

+Funkcja ta może zostać użyta w skrypcie rotującym log programu stunnel.

SIGTERM, SIGQUIT, SIGINT
@@ -910,7 +981,7 @@ konfiguracyjnym nie ma sekcji [nazwa_usługi].

OGRANICZENIA

-

stunnel nie może być używany do szyfrowania protokołu FTP, +

stunnel nie może być używany do szyfrowania protokołu FTP, ponieważ do przesyłania poszczególnych plików używa on dodatkowych połączeń otwieranych na portach o dynamicznie przydzielanych numerach. Istnieją jednak specjalne wersje klientów i serwerów FTP pozwalające @@ -943,9 +1014,9 @@ globalnymi. Przykład takiej konfiguracji znajduje się w sekcji połączenie klientowi prawidłowym certyfikatem X.509. Potwierdzenie tożsamości serwera polega na wykazaniu, że posiada on odpowiadający certyfikatowi klucz prywatny. -Najprostszą metodą uzyskania certyfikatu jest wygenerowanie -go przy pomocy wolnego pakietu OpenSSL. Więcej informacji na temat -generowania certyfikatów można znaleźć na umieszczonych poniżej stronach.

+Najprostszą metodą uzyskania certyfikatu jest wygenerowanie go przy pomocy +wolnego pakietu OpenSSL. Więcej informacji na temat generowania +certyfikatów można znaleźć na umieszczonych poniżej stronach.

Istotną kwestią jest kolejność zawartości pliku .pem. W pierwszej kolejności powinien on zawierać klucz prywatny, a dopiero za nim podpisany certyfikat (nie żądanie certyfikatu). @@ -970,39 +1041,39 @@ gdyż protokół SSL wymaga do bezpieczeństwa kryptograficznego źródła dobrej losowości. Następujące źródła są kolejno odczytywane aż do uzyskania wystarczającej ilości entropii:

-

Współczesne (>=0.9.5a) wersje biblioteki OpenSSL automatycznie +

Współczesne (0.9.5a lub nowsze) wersje biblioteki OpenSSL automatycznie zaprzestają ładowania kolejnych danych w momencie uzyskania wystarczającej ilości entropii. Wcześniejsze wersje biblioteki wykorzystają wszystkie -powyższe źródła, gdyż nie istnieje tam funkcja pozwalająca określić, -czy uzyskano już wystarczająco dużo danych.

+powyższe źródła, gdyż nie istnieje tam funkcja pozwalająca określić, czy +uzyskano już wystarczająco dużo danych.

Warto zwrócić uwagę, że na maszynach z systemem Windows, na których konsoli nie pracuje użytkownik, zawartość ekranu nie jest wystarczająco zmienna, aby zainicjować PRNG. W takim przypadku do zainicjowania @@ -1012,17 +1083,17 @@ generatora należy użyć opcji RNDfile.

O ile nie użyta została opcja RNDoverwrite jest to robione automatycznie. Do ręcznego uzyskania takiego pliku użyteczna może być komenda openssl rand dostarczana ze współczesnymi -wersjami pakietu OpenSSL.

+wersjami pakietu OpenSSL.

Jeszcze jedna istotna informacja -- jeżeli dostępne jest urządzenie -/dev/urandom biblioteka OpenSSL ma zwyczaj zasilania nim PRNG w trakcie +/dev/urandom biblioteka OpenSSL ma zwyczaj zasilania nim PRNG w trakcie sprawdzania stanu generatora. W systemach z /dev/urandom urządzenie to będzie najprawdopodobniej użyte, pomimo że znajduje się na samym końcu -powyższej listy. Jest to właściwość biblioteki OpenSSL, a nie programu -stunnel.

+powyższej listy. Jest to właściwość biblioteki OpenSSL, a nie programu +stunnel.

PARAMETRY DH

-

PoczÄ…wszy od wersji 4.40 stunnel zawiera w kodzie programu 2048-bitowe +

PoczÄ…wszy od wersji 4.40 stunnel zawiera w kodzie programu 2048-bitowe parametry DH.

Alternatywnie parametry DH można umieścić w pliku razem z certyfikatem:

@@ -1043,7 +1114,7 @@ parametry DH.


BÅĘDY

-

Opcja execargs nie obsługuje cytowania.

+

Opcja execargs oraz linia komend Win32 nie obsługuje cytowania.


@@ -1062,12 +1133,12 @@ parametry DH.

http://www.stunnel.org/
-

strona domowa programu stunnel

+

strona domowa programu stunnel

http://www.openssl.org/
-

strona projektu OpenSSL

+

strona projektu OpenSSL

diff --git a/doc/stunnel.pl.pod b/doc/stunnel.pl.pod index e467bcf..f203312 100644 --- a/doc/stunnel.pl.pod +++ b/doc/stunnel.pl.pod @@ -94,13 +94,21 @@ Linia w pliku konfiguracyjnym może być: =over 4 -=item * pusta (ignorowana) +=item * -=item * komentarzem rozpoczynajÄ…cym siÄ™ znakiem ';' (ignorowana) +pusta (ignorowana) -=item * parÄ… 'nazwa_opcji = wartość_opcji' +=item * -=item * tekstem '[nazwa_usÅ‚ugi]' wskazujÄ…cym poczÄ…tek definicji usÅ‚ugi +komentarzem rozpoczynajÄ…cym siÄ™ znakiem ';' (ignorowana) + +=item * + +parÄ… 'nazwa_opcji = wartość_opcji' + +=item * + +tekstem '[nazwa_usÅ‚ugi]' wskazujÄ…cym poczÄ…tek definicji usÅ‚ugi =back @@ -108,11 +116,17 @@ Parametr adres może być: =over 4 -=item * numerem portu +=item * -=item * oddzielonÄ… Å›rednikiem parÄ… adresu (IPv4, IPv6, lub nazwÄ… domenowÄ…) i numeru portu +numerem portu -=item * Å›cieżkÄ… do gniazda Unix (tylko Unix) +=item * + +oddzielonÄ… Å›rednikiem parÄ… adresu (IPv4, IPv6, lub nazwÄ… domenowÄ…) i numeru portu + +=item * + +Å›cieżkÄ… do gniazda Unix (tylko Unix) =back @@ -130,6 +144,24 @@ poÅ‚Ä…czeÅ„. Åšcieżki podane w opcjach I, I, I oraz I muszÄ… być umieszczone wewnÄ…trz katalogu podanego w opcji I i okreÅ›lone wzglÄ™dem tego katalogu. +Niektóre funkcje systemu operacyjnego mogÄ… wymagać dodatkowych plików umieszczonych w katalogu podanego w parametrze chroot: + +=over 4 + +=item * + +opóźnione rozwiniÄ™cie adresów DNS typowo wymaga /etc/nsswitch.conf i /etc/resolv.conf + +=item * + +lokalizacja strefy czasowej w logach wymaga pliku /etc/timezone + +=item * + +niektóre inne pliki mogÄ… potrzebować plików urzÄ…dzeÅ„, np. /dev/zero lub /dev/null + +=back + =item B = deflate | zlib | rle wybór algorytmu kompresji przesyÅ‚anych danych 
@@ -138,10 +170,10 @@ domyÅ›lnie: bez kompresji Algorytm deflate jest standardowÄ… metodÄ… kompresji zgodnie z RFC 1951. -Kompresja zlib zaimplementowana w OpenSSL 0.9.8 i nowszych nie jest -kompatybilna implementacjÄ… OpenSSL 0.9.7. +Kompresja zlib zaimplementowana w B i nowszych nie jest +kompatybilna implementacjÄ… B. -Kompresja rle nie jest zaimplementowana w aktualnych wersjach OpenSSL. +Kompresja rle nie jest zaimplementowana w aktualnych wersjach B. =item B = poziom[.podsystem] @@ -165,7 +197,7 @@ Wielkość liter jest ignorowana zarówno dla poziomu jak podsystemu. Opcja pozwala okreÅ›lić Å›cieżkÄ™ do gniazda programu Entropy Gathering Daemon używanego do zainicjalizowania generatora ciÄ…gów pseudolosowych biblioteki -OpenSSL. Opcja jest dostÄ™pna z bibliotekÄ… OpenSSL 0.9.5a lub nowszÄ…. +B. Opcja jest dostÄ™pna z bibliotekÄ… B lub nowszÄ…. =item B = auto | @@ -199,8 +231,8 @@ moduÅ‚u kryptograficznego urzÄ…dzenia. WÅ‚Ä…cz lub wyÅ‚Ä…cz tryb FIPS 140-2. -Opcja pozwala wyÅ‚Ä…czyć wejÅ›cie w tryb FIPS, jeÅ›li stunnel zostaÅ‚ skompilowany -ze wsparciem dla FIPS 140-2. +Opcja pozwala wyÅ‚Ä…czyć wejÅ›cie w tryb FIPS, jeÅ›li B zostaÅ‚ +skompilowany ze wsparciem dla FIPS 140-2. domyÅ›lnie: yes (pracuj w trybie FIPS 140-2) @@ -208,7 +240,7 @@ domyÅ›lnie: yes (pracuj w trybie FIPS 140-2) tryb pierwszoplanowy -Użycie tej opcji powoduje, że I nie przechodzi w tÅ‚o logujÄ…c +Użycie tej opcji powoduje, że B nie przechodzi w tÅ‚o logujÄ…c swoje komunikaty na konsolÄ™ zamiast przez I (o ile nie użyto opcji I). @@ -235,7 +267,7 @@ wzglÄ™dem tego katalogu. liczba bajtów do zainicjowania generatora pseudolosowego -W wersjach biblioteki OpenSSL starszych niż 0.9.5a opcja ta okreÅ›la +W wersjach biblioteki B starszych niż B<0.9.5a> opcja ta okreÅ›la również liczbÄ™ bajtów wystarczajÄ…cych do zainicjowania PRNG. Nowsze wersje biblioteki majÄ… wbudowanÄ… funkcjÄ™ okreÅ›lajÄ…cÄ…, czy dostarczona ilość losowoÅ›ci jest wystarczajÄ…ca do zainicjowania generatora. 
@@ -244,7 +276,7 @@ dostarczona ilość losowoÅ›ci jest wystarczajÄ…ca do zainicjowania generatora. Å›cieżka do pliku zawierajÄ…cego losowe dane -Biblioteka OpenSSL użyje danych z tego pliku do zainicjowania +Biblioteka B użyje danych z tego pliku do zainicjowania generatora pseudolosowego. =item B = yes | no @@ -261,11 +293,11 @@ domyÅ›lnie: stunnel =item B = identyfikator_grupy (tylko Unix) -grupa z której prawami pracowaÅ‚ bÄ™dzie I +grupa z której prawami pracowaÅ‚ bÄ™dzie B =item B = identyfikator_użytkownika (tylko Unix) -użytkownik, z którego prawami pracowaÅ‚ bÄ™dzie I +użytkownik, z którego prawami pracowaÅ‚ bÄ™dzie B =item B = a|l|r:option=value[:value] @@ -322,7 +354,7 @@ lub I), należy przeczytać sekcjÄ™ I poniżej. nasÅ‚uchuje na poÅ‚Ä…czenia na podanym adresie i porcie -Jeżeli nie zostaÅ‚ podany adres, I domyÅ›lnie nasÅ‚uchuje +Jeżeli nie zostaÅ‚ podany adres, B domyÅ›lnie nasÅ‚uchuje na wszystkich adresach IPv4 lokalnych interfejsów. Aby nasÅ‚uchiwać na wszystkich adresach IPv6 należy użyć: @@ -338,8 +370,8 @@ jeżeli użyta zostaÅ‚a opcja I. Pliki z certyfikatami muszÄ… posiadać specjalne nazwy XXXXXXXX.0, gdzie XXXXXXXX jest skrótem kryptograficznym reprezentacji DER nazwy podmiotu certyfikatu. -Funkcja skrótu zostaÅ‚a zmieniona w wersji 1.0.0 biblioteki OpenSSL. -Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x. +Funkcja skrótu zostaÅ‚a zmieniona w B. +Należy wykonać c_rehash przy zmianie B na B<1.x.x>. Jeżeli zdefiniowano katalog I, to Å›cieżka do I jest okreÅ›lona wzglÄ™dem tego katalogu. @@ -377,7 +409,7 @@ domyÅ›lnie: no (tryb serwerowy) poÅ‚Ä…cz siÄ™ ze zdalnym serwerem na podany port -Jeżeli nie zostaÅ‚ podany adres, I domyÅ›lnie Å‚Ä…czy siÄ™ +Jeżeli nie zostaÅ‚ podany adres, B domyÅ›lnie Å‚Ä…czy siÄ™ z lokalnym serwerem. Komenda może byc użyta wielokrotnie w pojedynczej sekcji 
@@ -393,8 +425,8 @@ jeżeli użyta zostaÅ‚a opcja I. Pliki z listami CRL muszÄ… posiadać specjalne nazwy XXXXXXXX.r0, gdzie XXXXXXXX jest skrótem listy CRL. -Funkcja skrótu zostaÅ‚a zmieniona w wersji 1.0.0 biblioteki OpenSSL. -Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x. +Funkcja skrótu zostaÅ‚a zmieniona B. +Należy wykonać c_rehash przy zmianie B na B<1.x.x>. Jeżeli zdefiniowano katalog I, to Å›cieżka do I jest okreÅ›lona wzglÄ™dem tego katalogu. @@ -421,7 +453,7 @@ domyÅ›lnie: prime256v1 opóźnij rozwiniÄ™cie adresu DNS podanego w opcji I Opcja jest przydatna przy dynamicznym DNS, albo gdy usÅ‚uga DNS nie jest -dostÄ™pna przy starcie programu stunnel (klient VPN, poÅ‚Ä…czenie wdzwaniane). +dostÄ™pna przy starcie programu B (klient VPN, poÅ‚Ä…czenie wdzwaniane). =item B = 
@@ -482,33 +514,37 @@ IP źródÅ‚a do nawiÄ…zywania zdalnych poÅ‚Ä…czeÅ„ DomyÅ›lnie używane jest IP najbardziej zewnÄ™trznego interfejsu w stronÄ™ serwera, do którego nawiÄ…zywane jest poÅ‚Ä…czenie. -=item B = nazwa_usÅ‚ugi:nazwa_serwera (tryb serwera) +=item B = nazwa_usÅ‚ugi:wzorzec_nazwy_serwera (tryb serwera) Użyj usÅ‚ugi jako podrzÄ™dnej (virtualnego serwera) dla rozszerzenia TLS Server Name Indication (RFC 3546). I wskazuje usÅ‚ugÄ™ nadrzÄ™dnÄ…, która odbiera poÅ‚Ä…czenia od klientów -przy pomocy opcji I. I wskazuje nazwÄ™ serwera -wirtualnego. Z pojedyÅ„czÄ… usÅ‚ugÄ… nadrzÄ™dnÄ… powiÄ…zane jest zwykle wiele usÅ‚ug -podrzÄ™dnych. Opcja I może być rownież użyta wielokrotnie w ramach jednej -usÅ‚ugi podrzÄ™dnej. +przy pomocy opcji I. I wskazuje nazwÄ™ serwera +wirtualnego. Wzorzec może zaczynać siÄ™ znakiem '*', np. '*.example.com". +Z pojedyÅ„czÄ… usÅ‚ugÄ… nadrzÄ™dnÄ… powiÄ…zane jest zwykle wiele usÅ‚ug podrzÄ™dnych. +Opcja I może być rownież użyta wielokrotnie w ramach jednej usÅ‚ugi +podrzÄ™dnej. Zarówno usÅ‚uga nadrzÄ™dna jak i podrzÄ™dna nie może być skonfigurowana w trybie -klienckim. Opcja I usÅ‚ugi podrzÄ™dnej jest ignorowana w poÅ‚Ä…czeniu z -opcjÄ… I, gdyż poÅ‚Ä…czenie do zdalnego serwera jest w tym wypadku -nawiÄ…zywane przed negocjacjÄ… TLS. Uwierzytelnienie przy pomocy biblioteki -libwrap jest realizowane dwukrotnie: najpierw dla usÅ‚ugi nadrzÄ™dnej po -odebraniu poÅ‚Ä…czenia TCP, a nastÄ™pnie dla usÅ‚ugi podrzÄ™dnej podczas negocjacji -TLS. +klienckim. -Opcja I jest dostÄ™pna poczÄ…wszy od wersji 1.0.0 biblioteki OpenSSL. +Opcja I usÅ‚ugi podrzÄ™dnej jest ignorowana w poÅ‚Ä…czeniu z opcjÄ… +I, gdyż poÅ‚Ä…czenie do zdalnego serwera jest w tym wypadku nawiÄ…zywane +przed negocjacjÄ… TLS. + +Uwierzytelnienie przy pomocy biblioteki libwrap jest realizowane dwukrotnie: +najpierw dla usÅ‚ugi nadrzÄ™dnej po odebraniu poÅ‚Ä…czenia TCP, a nastÄ™pnie dla +usÅ‚ugi podrzÄ™dnej podczas negocjacji TLS. + +Opcja I jest dostÄ™pna poczÄ…wszy od B. 
=item B = nazwa_serwera (tryb klienta) Użyj parametru jako wartoÅ›ci rozszerzenia TLS Server Name Indication (RFC 3546). -Opcja I jest dostÄ™pna poczÄ…wszy od wersji 1.0.0 biblioteki OpenSSL. +Opcja I jest dostÄ™pna poczÄ…wszy od B. =item B = URL @@ -525,7 +561,7 @@ Aby wyspecyfikować kilka flag należy użyć I wielokrotnie. =item B = opcje_SSL -opcje biblioteki OpenSSL +opcje biblioteki B Parametrem jest nazwa opcji zgodnie z opisem w I, ale bez przedrostka I. @@ -538,8 +574,10 @@ w programie Eudora można użyć opcji: =item B = protokół -negocjuj SSL podanym protokoÅ‚em aplikacyjnym (np. I lub I) +negocjuj SSL podanym protokoÅ‚em aplikacyjnym +Opcja ta wÅ‚Ä…cza wstÄ™pnÄ… negocjacjÄ™ szyfrowania SSL dla wybranego protokoÅ‚u +aplikacyjnego. Opcji I nie należy używać z szyfrowaniem SSL na osobnym porcie. Aktualnie wspierane protokoÅ‚y: @@ -599,6 +637,13 @@ domyÅ›lnie: basic adres docelowy do negocjacji protokoÅ‚u +I okreÅ›la docelowy serwer SSL, do którego poÅ‚Ä…czyć ma siÄ™ proxy. +Nie jest to adres serwera proxy, do którego poÅ‚Ä…czenie zestawia B. +Adres serwera proxy powinien być okreÅ›lony przy pomocy opcji 'connect'. + +W obecnej wersji adres docelowy protokoÅ‚u ma zastosowanie wyÅ‚Ä…cznie w protokole +'connect'. + =item B = hasÅ‚o hasÅ‚o do negocjacji protokoÅ‚u 
@@ -611,15 +656,54 @@ nazwa użytkownika do negocjacji protokoÅ‚u alokuj pseudoterminal dla programu uruchamianego w opcji 'exec' -=item B = yes | no (tylko Unix) +=item B = yes | no + +pozwalaj na renegocjacjÄ™ SSL + +WÅ›ród zastosowaÅ„ renegocjacji SSL sÄ… niektóre scenariusze uwierzytelnienia, +oraz renegocjacja kluczy dla dÅ‚ugotrwaÅ‚ych poÅ‚Ä…czeÅ„. + +Z drugiej strony wÅ‚asność na może uÅ‚atwić trywialny atak DoS poprzez +wygenerowanie obciążenia procesora: + +http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html + +Warto zauważyć, że zablokowanie renegocjacji SSL nie zebezpiecza w peÅ‚ni +przed opisanym problemem. + +domyÅ›lnie: yes (o ile wspierane przez B) + +=item B = yes | no + +sygnalizuj wystÄ…pienie bÅ‚Ä™du przy pomocy flagi TCP RST + +Ta opcja nie jest wspierana na niektórych platformach. + +domyÅ›lnie: yes + +=item B = yes | no poÅ‚Ä…cz ponownie sekcjÄ™ connect+exec po rozÅ‚Ä…czeniu domyÅ›lnie: no -=item B = przeterminowanie_pamiÄ™ci_podrÄ™cznej_sesji +=item B = rozmiar -czas w sekundach, po którym sesja SSL zostanie usuniÄ™ta z pamiÄ™ci podrÄ™cznej +rozmiar pamiÄ™ci podrÄ™cznej sesji SSL + +Parametr okreÅ›la maksymalnÄ… liczbÄ™ pozycji wewnÄ™trznej pamiÄ™ci podrÄ™cznej +sesji. + +Wartość 0 oznacza brak ograniczenia rozmiaru. Nie jest to zalecane dla +systemów produkcyjnych z uwagi na ryzyko ataku DoS przez wyczerpanie pamiÄ™ci +RAM. + +=item B = czas + +przeterminowanie pamiÄ™ci podrÄ™cznej sesji SSL + +Parametr okreÅ›la czas w sekundach, po którym sesja SSL zostanie usuniÄ™ta z +pamiÄ™ci podrÄ™cznej. =item B = adres:port @@ -629,7 +713,7 @@ adres sessiond - servera cache sesji SSL wersja protokoÅ‚u SSL -Dozwolone opcje: all, SSLv2, SSLv3, TLSv1 +Dozwolone opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 =item B = liczba_bajtów (z wyjÄ…tkiem modelu FORK) 
@@ -666,7 +750,7 @@ Zablokuj wsparcie dla przezroczystago proxy. Jest to wartość domyÅ›lna. =item B Przepisz adres, aby nawiÄ…zywane poÅ‚Ä…czenie wydawaÅ‚o siÄ™ pochodzić -bezpoÅ›rednio od klienta, a nie od programu I. +bezpoÅ›rednio od klienta, a nie od programu B. Opcja jest aktualnie obsÅ‚ugiwana w: @@ -691,7 +775,7 @@ Konfiguracja ta wymaga, aby B byÅ‚ wykonywany jako root i bez opcji I. Docelowa usÅ‚uga musi być umieszczona na osobnej maszynie, do której routing -kierowany jest poprzez serwer stunnela. +kierowany jest poprzez serwer B. Dodatkowo B powinien być wykonywany jako root i bez opcji I. @@ -754,17 +838,29 @@ weryfikuj certyfikat drugiej strony poÅ‚Ä…czenia =over 4 -=item I - zarzÄ…daj certyfikatu i zignoruj go +=item I -=item I - weryfikuj, jeżeli zostaÅ‚ przedstawiony +zarzÄ…daj certyfikatu i zignoruj go -=item I - weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji +=item I -=item I - weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony +weryfikuj, jeżeli zostaÅ‚ przedstawiony -=item I - weryfikuj z certyfikatem drugiej strony ignorujÄ…c Å‚aÅ„cuch CA +=item I -=item I - nie weryfikuj +weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji + +=item I + +weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony + +=item I + +weryfikuj z certyfikatem drugiej strony ignorujÄ…c Å‚aÅ„cuch CA + +=item I + +nie weryfikuj =back 
@@ -791,29 +887,39 @@ Niektóre globalne opcje nie bÄ™dÄ… przeÅ‚adowane: =over 4 -=item * chroot +=item * -=item * foreground +chroot -=item * pid +=item * -=item * setgid +foreground -=item * setuid +=item * + +pid + +=item * + +setgid + +=item * + +setuid =back -Jeżeli wykorzystywana jest opcja 'setuid' stunnel nie bÄ™dzie mógÅ‚ zaÅ‚adować +Jeżeli wykorzystywana jest opcja 'setuid' B nie bÄ™dzie mógÅ‚ zaÅ‚adować ponownie konfiguracji wykorzystujÄ…cej uprzywilejowane (<1024) porty. -Jeżeli wykorzystywana jest opcja 'chroot' stunnel bÄ™dzie szukaÅ‚ wszystkich +Jeżeli wykorzystywana jest opcja 'chroot' B bÄ™dzie szukaÅ‚ wszystkich potrzebnych plików (Å‚Ä…cznie z plikiem konfiguracyjnym, certyfikatami, logiem i plikiem pid) wewnÄ…trz katalogu wskazanego przez 'chroot'. =item SIGUSR1 Zamknij i otwórz ponownie log. -Funkcja ta może zostać użyta w skrypcie rotujÄ…cym log programu stunnel. +Funkcja ta może zostać użyta w skrypcie rotujÄ…cym log programu B. =item SIGTERM, SIGQUIT, SIGINT @@ -861,7 +967,7 @@ konfiguracyjnym nie ma sekcji I<[nazwa_usÅ‚ugi]>. =head2 OGRANICZENIA -I nie może być używany do szyfrowania protokoÅ‚u I, +B nie może być używany do szyfrowania protokoÅ‚u I, ponieważ do przesyÅ‚ania poszczególnych plików używa on dodatkowych poÅ‚Ä…czeÅ„ otwieranych na portach o dynamicznie przydzielanych numerach. IstniejÄ… jednak specjalne wersje klientów i serwerów FTP pozwalajÄ…ce 
@@ -896,9 +1002,9 @@ Protokół SSL wymaga, aby każdy serwer przedstawiaÅ‚ siÄ™ nawiÄ…zujÄ…cemu poÅ‚Ä…czenie klientowi prawidÅ‚owym certyfikatem X.509. Potwierdzenie tożsamoÅ›ci serwera polega na wykazaniu, że posiada on odpowiadajÄ…cy certyfikatowi klucz prywatny. -NajprostszÄ… metodÄ… uzyskania certyfikatu jest wygenerowanie -go przy pomocy wolnego pakietu I. WiÄ™cej informacji na temat -generowania certyfikatów można znaleźć na umieszczonych poniżej stronach. +NajprostszÄ… metodÄ… uzyskania certyfikatu jest wygenerowanie go przy pomocy +wolnego pakietu B. WiÄ™cej informacji na temat generowania +certyfikatów można znaleźć na umieszczonych poniżej stronach. IstotnÄ… kwestiÄ… jest kolejność zawartoÅ›ci pliku I<.pem>. W pierwszej kolejnoÅ›ci powinien on zawierać klucz prywatny, 
@@ -926,32 +1032,48 @@ uzyskania wystarczajÄ…cej iloÅ›ci entropii: =over 4 -=item * Zawartość pliku podanego w opcji I. +=item * -=item * Zawartość pliku o nazwie okreÅ›lonej przez zmiennÄ… Å›rodowiskowÄ… +Zawartość pliku podanego w opcji I. + +=item * + +Zawartość pliku o nazwie okreÅ›lonej przez zmiennÄ… Å›rodowiskowÄ… RANDFILE, o ile jest ona ustawiona. -=item * Plik .rnd umieszczony w katalogu domowym użytkownika, +=item * + +Plik .rnd umieszczony w katalogu domowym użytkownika, jeżeli zmienna RANDFILE nie jest ustawiona. -=item * Plik podany w opcji '--with-random' w czasie konfiguracji programu. +=item * -=item * Zawartość ekranu w systemie Windows. +Plik podany w opcji '--with-random' w czasie konfiguracji programu. -=item * Gniazdo egd, jeżeli użyta zostaÅ‚a opcja I. +=item * -=item * Gniazdo egd podane w opcji '--with-egd-socket' w czasie konfiguracji +Zawartość ekranu w systemie Windows. + +=item * + +Gniazdo egd, jeżeli użyta zostaÅ‚a opcja I. + +=item * + +Gniazdo egd podane w opcji '--with-egd-socket' w czasie konfiguracji programu. -=item * UrzÄ…dzenie /dev/urandom. +=item * + +UrzÄ…dzenie /dev/urandom. =back -Współczesne (>=0.9.5a) wersje biblioteki I automatycznie +Współczesne (B<0.9.5a> lub nowsze) wersje biblioteki B automatycznie zaprzestajÄ… Å‚adowania kolejnych danych w momencie uzyskania wystarczajÄ…cej iloÅ›ci entropii. WczeÅ›niejsze wersje biblioteki wykorzystajÄ… wszystkie -powyższe źródÅ‚a, gdyż nie istnieje tam funkcja pozwalajÄ…ca okreÅ›lić, -czy uzyskano już wystarczajÄ…co dużo danych. +powyższe źródÅ‚a, gdyż nie istnieje tam funkcja pozwalajÄ…ca okreÅ›lić, czy +uzyskano już wystarczajÄ…co dużo danych. Warto zwrócić uwagÄ™, że na maszynach z systemem Windows, na których konsoli nie pracuje użytkownik, zawartość ekranu nie jest wystarczajÄ…co 
@@ -963,18 +1085,18 @@ Plik I powinien zawierać dane losowe -- również w tym sensie, O ile nie użyta zostaÅ‚a opcja I jest to robione automatycznie. Do rÄ™cznego uzyskania takiego pliku użyteczna może być komenda I dostarczana ze współczesnymi -wersjami pakietu I. +wersjami pakietu B. Jeszcze jedna istotna informacja -- jeżeli dostÄ™pne jest urzÄ…dzenie -I biblioteka I ma zwyczaj zasilania nim PRNG w trakcie +I biblioteka B ma zwyczaj zasilania nim PRNG w trakcie sprawdzania stanu generatora. W systemach z I urzÄ…dzenie to bÄ™dzie najprawdopodobniej użyte, pomimo że znajduje siÄ™ na samym koÅ„cu -powyższej listy. Jest to wÅ‚aÅ›ciwość biblioteki I, a nie programu -I. +powyższej listy. Jest to wÅ‚aÅ›ciwość biblioteki B, a nie programu +B. =head2 PARAMETRY DH -PoczÄ…wszy od wersji 4.40 stunnel zawiera w kodzie programu 2048-bitowe +PoczÄ…wszy od wersji 4.40 B zawiera w kodzie programu 2048-bitowe parametry DH. Alternatywnie parametry DH można umieÅ›cić w pliku razem z certyfikatem: @@ -997,7 +1119,7 @@ plik konfiguracyjny programu =head1 BÅĘDY -Opcja I nie obsÅ‚uguje cytowania. +Opcja I oraz linia komend Win32 nie obsÅ‚uguje cytowania. =head1 ZOBACZ RÓWNIEÅ» @@ -1014,11 +1136,11 @@ biblioteka kontroli dostÄ™pu do usÅ‚ug internetowych =item F -strona domowa programu I +strona domowa programu B =item F -strona projektu I +strona projektu B =back diff --git a/doc/stunnel.pod b/doc/stunnel.pod index f2a551f..4d21676 100644 --- a/doc/stunnel.pod +++ b/doc/stunnel.pod @@ -95,13 +95,21 @@ Each line of the configuration file can be either: =over 4 -=item * an empty line (ignored) +=item * -=item * a comment starting with ';' (ignored) +An empty line (ignored). -=item * an 'option_name = option_value' pair +=item * -=item * '[service_name]' indicating a start of a service definition +A comment starting with ';' (ignored). + +=item * + +An 'option_name = option_value' pair. + +=item * + +'[service_name]' indicating a start of a service definition. =back 
@@ -109,11 +117,17 @@ An address parameter of an option may be either: =over 4 -=item * a port number +=item * -=item * a colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number +A port number. -=item * a Unix socket path (Unix only) +=item * + +A colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number. + +=item * + +A Unix socket path (Unix only). =back @@ -129,6 +143,24 @@ B keeps B in chrooted jail. I, I, I and I are located inside the jail and the patches have to be relative to the directory specified with B. +Several functions of the operating system also need their files to be located within chroot jail, e.g.: + +=over 4 + +=item * + +Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf. + +=item * + +Local time in log files needs /etc/timezone. + +=item * + +Some other functions may need devices, e.g. /dev/zero or /dev/null. + +=back + =item B = deflate | zlib | rle select data compression algorithm @@ -137,10 +169,10 @@ default: no compression deflate is the standard compression method as described in RFC 1951. -zlib compression of OpenSSL 0.9.8 or above is not backward compatible with -OpenSSL 0.9.7. +zlib compression of B or above is not backward compatible with +B. -rle compression is currently not implemented by the OpenSSL library. +rle compression is currently not implemented by the B library. =item B = [facility.]level @@ -161,8 +193,8 @@ Case is ignored for both facilities and levels. path to Entropy Gathering Daemon socket -Entropy Gathering Daemon socket to use to feed OpenSSL random number -generator. (Available only if compiled with OpenSSL 0.9.5a or higher) +Entropy Gathering Daemon socket to use to feed B random number +generator. (Available only if compiled with B or higher) =item B = auto | 
@@ -196,8 +228,8 @@ engine cryptogaphic module. Enable or disable FIPS 140-2 mode. -This option allows to disable entering FIPS mode if stunnel was compiled with -FIPS 140-2 support. +This option allows to disable entering FIPS mode if B was compiled +with FIPS 140-2 support. default: yes @@ -229,9 +261,9 @@ I path is relative to I directory if specified. bytes to read from random seed files -Number of bytes of data read from random seed files. With SSL versions -less than 0.9.5a, also determines how many bytes of data are considered -sufficient to seed the PRNG. More recent OpenSSL versions have a builtin +Number of bytes of data read from random seed files. With SSL versions less +than B<0.9.5a>, also determines how many bytes of data are considered +sufficient to seed the PRNG. More recent B versions have a builtin function to determine when sufficient randomness is available. =item B = file @@ -328,8 +360,8 @@ the I. Note that the certificates in this directory should be named XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the cert. -The hash algorithm has been changed in OpenSSL 1.0.0. It is required to -c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x. +The hash algorithm has been changed in B. It is required to +c_rehash the directory on upgrade from B to B. I path is relative to I directory if specified. @@ -382,8 +414,8 @@ This is the directory in which B will look for CRLs when using the I. Note that the CRLs in this directory should be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL. -The hash algorithm has been changed in OpenSSL 1.0.0. It is required to -c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x. +The hash algorithm has been changed in B. It is required to +c_rehash the directory on upgrade from B to B. I path is relative to I directory if specified. 
@@ -408,7 +440,7 @@ default: prime256v1 delay DNS lookup for 'connect' option This option is useful for dynamic DNS, or when DNS is not available during -stunnel startup (road warrior VPN, dial-up configurations). +B startup (road warrior VPN, dial-up configurations). =item B = engine number 
@@ -465,30 +497,35 @@ default: yes IP of the outgoing interface is used as source for remote connections. Use this option to bind a static local IP address, instead. -=item B = service_name:server_name (server mode) +=item B = service_name:server_name_pattern (server mode) Use the service as a slave service (a name-based virtual server) for Server Name Indication TLS extension (RFC 3546). I specifies the master service that accepts client connections -with I option. I specifies the host name to be redirected. +with I option. I specifies the host name to be +redirected. The pattern may start with '*' character, e.g. '*.example.com'. Multiple slave services are normally specified for a single master service. -I option can also be specified more than once within a single slave service. +I option can also be specified more than once within a single slave +service. + +This service, as well as the master service, may not be configured in client +mode. -This service, as well as the master service, may not be configured in client mode. I option of the slave service is ignored when I option is specified, as I connects remote host before TLS handshake. + Libwrap checks (Unix only) are performed twice: with master service name after TCP connection is accepted, and with slave service name during TLS handshake. -Option I is only available when compiled with OpenSSL 1.0.0 and later. +Option I is only available when compiled with B and later. =item B = server_name (client mode) Use the parameter as the value of TLS Server Name Indication (RFC 3546) extension. -Option I is only available when compiled with OpenSSL 1.0.0 and later. +Option I is only available when compiled with B and later. =item B = url 
@@ -505,9 +542,9 @@ NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME =item B = SSL_options -OpenSSL library options +B library options -The parameter is the OpenSSL option name as described in the +The parameter is the B option name as described in the I manual, but without I prefix. Several I can be used to specify multiple options. @@ -518,8 +555,10 @@ the following option can be used: =item B = proto -application protocol to negotiate SSL (e.g. I or I) +application protocol to negotiate SSL +This option enables initial, protocol-specific negotiation of the SSL/TLS +encryption. I option should not be used with SSL encryption on a separate port. Currently supported protocols: @@ -571,7 +610,7 @@ authentication type for protocol negotiations currently supported: basic, NTLM -Currently authentication type only applies to 'connect' protocol. +Currently authentication type only applies to the 'connect' protocol. default: basic @@ -579,6 +618,12 @@ default: basic destination address for protocol negotiations +I specifies the final SSL server to be connected by the proxy, +and not the proxy server directly connected by B. +The proxy server should be specified with the 'connect' option. + +Currently protocol destination address only applies to 'connect' protocol. + =item B = password password for protocol negotiations 
@@ -591,16 +636,53 @@ username for protocol negotiations allocate pseudo terminal for 'exec' option -=item B = yes | no (Unix only) +=item B = yes | no + +support SSL renegotiation + +Applications of the SSL renegotiation include some authentication scenarios, +or re-keying long lasting connections. + +On the other hand this feature can facilitate a trivial CPU-exhaustion +DoS attack: + +http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html + +Please note that disabling SSL renegotiation does not fully mitigate +this issue. + +default: yes (if supported by B) + +=item B = yes | no + +attempt to use TCP RST flag to indicate an error + +This option is not supported on some platforms. + +default: yes + +=item B = yes | no reconnect a connect+exec section after it's disconnected default: no -=item B = timeout +=item B = size + +session cache size + +I specifies the maximum number of the internal session cache +entries. + +The value of 0 can be used for unlimited size. It is not recommended +for production use due to the risk of memory exhaustion DoS attack. + +=item B = timeout session cache timeout +This is the number of seconds to keep cached SSL sessions. + =item B = host:port address of sessiond SSL cache server @@ -609,7 +691,7 @@ address of sessiond SSL cache server select version of SSL protocol -Allowed options: all, SSLv2, SSLv3, TLSv1 +Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 =item B = bytes (except for FORK model) @@ -654,7 +736,7 @@ This option is currently available in: =item Remote mode (I option) on I=2.6.28> -This configuration requires stunnel to be executed as root and without +This configuration requires B to be executed as root and without I option. This configuration requires the following setup for iptables and routing 
@@ -672,9 +754,10 @@ B must also to be executed as root and without I option. =item Remote mode (I option) on I -This configuration requires kernel to be compiled with I option. +This configuration requires kernel to be compiled with I +option. Connected service must be installed on a separate host. -Routing towards the clients has to go through the stunnel box. +Routing towards the clients has to go through the B box. B must also to be executed as root and without I option. @@ -737,17 +820,29 @@ verify peer certificate =over 4 -=item I - request and ignore peer certificate +=item level 0 -=item I - verify peer certificate if present +Request and ignore peer certificate. -=item I - verify peer certificate +=item level 1 -=item I - verify peer with locally installed certificate +Verify peer certificate if present. -=item I - ignore CA chain and only verify peer certificate +=item level 2 -=item I - no verify +Verify peer certificate. + +=item level 3 + +Verify peer with locally installed certificate. + +=item level 4 + +Ignore CA chain and only verify peer certificate. + +=item default + +No verify. =back @@ -767,7 +862,7 @@ B returns zero on success, non-zero on error. =head1 SIGNALS -The following signals can be used to control stunnel in Unix environment: +The following signals can be used to control B in Unix environment: =over 4 
@@ -779,33 +874,43 @@ Some global options will not be reloaded: =over 4 -=item * chroot +=item * -=item * foreground +chroot -=item * pid +=item * -=item * setgid +foreground -=item * setuid +=item * + +pid + +=item * + +setgid + +=item * + +setuid =back -The use of 'setuid' option will also prevent stunnel from binding privileged +The use of 'setuid' option will also prevent B from binding privileged (<1024) ports during configuration reloading. -When 'chroot' option is used, stunnel will look for all its files (including +When 'chroot' option is used, B will look for all its files (including configuration file, certificates, log file and pid file) within the chroot jail. =item SIGUSR1 -Close and reopen stunnel log file. +Close and reopen B log file. This function can be used for log rotation. =item SIGTERM, SIGQUIT, SIGINT -Shut stunnel down. +Shut B down. =back @@ -875,7 +980,7 @@ configurations. Each SSL enabled daemon needs to present a valid X.509 certificate to the peer. It also needs a private key to decrypt the incoming data. The easiest way to obtain a certificate and a key is to -generate them with the free I package. You can find more +generate them with the free B package. You can find more information on certificates generation on pages listed below. The order of contents of the I<.pem> file is important. It should contain the 
@@ -901,28 +1006,44 @@ in order until sufficient random data has been gathered: =over 4 -=item * The file specified with the I flag. +=item * -=item * The file specified by the RANDFILE environment variable, if set. +The file specified with the I flag. -=item * The file .rnd in your home directory, if RANDFILE not set. +=item * -=item * The file specified with '--with-random' at compile time. +The file specified by the RANDFILE environment variable, if set. -=item * The contents of the screen if running on Windows. +=item * -=item * The egd socket specified with the I flag. +The file .rnd in your home directory, if RANDFILE not set. -=item * The egd socket specified with '--with-egd-sock' at compile time. +=item * -=item * The /dev/urandom device. +The file specified with '--with-random' at compile time. + +=item * + +The contents of the screen if running on Windows. + +=item * + +The egd socket specified with the I flag. + +=item * + +The egd socket specified with '--with-egd-sock' at compile time. + +=item * + +The /dev/urandom device. =back -With recent (>=OpenSSL 0.9.5a) version of SSL it will stop loading -random data automatically when sufficient entropy has been gathered. -With previous versions it will continue to gather from all the above -sources since no SSL function exists to tell when enough data is available. +With recent (B or later) version of SSL it will stop loading +random data automatically when sufficient entropy has been gathered. With +previous versions it will continue to gather from all the above sources since +no SSL function exists to tell when enough data is available. Note that on Windows machines that do not have console user interaction (mouse movements, creating windows, etc.) the screen contents are not 
@@ -933,14 +1054,13 @@ Note that the file specified with the I flag should contain random data -- that means it should contain different information each time B is run. This is handled automatically unless the I flag is used. If you wish to update this file -manually, the I command in recent versions of OpenSSL, +manually, the I command in recent versions of B, would be useful. -One important note -- if /dev/urandom is available, OpenSSL has a habit of -seeding the PRNG with it even when checking the random state, so on -systems with /dev/urandom you're likely to use it even though it's listed -at the very bottom of the list above. This isn't B behaviour, it's -OpenSSLs. +Important note: If /dev/urandom is available, B often seeds the PRNG +with it while checking the random state. On systems with /dev/urandom +B is likely to use it even though it is listed at the very bottom of +the list above. This is the behaviour of B and not B. =head2 DH PARAMETERS @@ -966,7 +1086,7 @@ B configuration file =head1 BUGS -Option I does not support quoting. +Option I and Win32 command line does not support quoting. =head1 SEE ALSO @@ -987,7 +1107,7 @@ B homepage =item F -OpenSSL project website +B project website =back diff --git a/src/Makefile.am b/src/Makefile.am index bbe7f88..fa52148 100644 --- a/src/Makefile.am +++ b/src/Makefile.am 
@@ -31,36 +31,42 @@ stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"' stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto # Win32 executable -EXTRA_DIST = nogui.c make.bat makece.bat makew32.bat +EXTRA_DIST = make.bat makece.bat makew32.bat EXTRA_DIST += mingw.mak evc.mak vc.mak os2.mak -EXTRA_PROGRAMS = stunnel.exe +EXTRA_PROGRAMS = stunnel.exe tstunnel.exe stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources) +tstunnel_exe_SOURCES = $(common_headers) $(common_sources) nogui.c -OPENSSLDIR = /usr/src/openssl-0.9.8s-fips -WINCPPFLAGS = -I$(OPENSSLDIR)/inc32 -# OPENSSLDIR = /usr/src/openssl-1.0.0f-i586 -# WINCPPFLAGS = -I$(OPENSSLDIR)/include +# OPENSSLDIR = /usr/src/openssl-0.9.8u-fips +# WINCPPFLAGS = -I$(OPENSSLDIR)/inc32 +OPENSSLDIR = /usr/src/openssl-1.0.2a-i686 +WINCPPFLAGS = -I$(OPENSSLDIR)/include WINCFLAGS = -mthreads -fstack-protector -O2 -Wall -Wextra -Wno-long-long -pedantic -WINLDFLAGS = -mthreads -fstack-protector -mwindows -s +WINLDFLAGS = -mthreads -fstack-protector -s WINLIBS = -L$(OPENSSLDIR) -lcrypto -lssl -lpsapi -lws2_32 -lgdi32 # WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto.dll -lssl.dll -lpsapi -lws2_32 -lgdi32 # WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lpsapi -lws2_32 -lgdi32 WINOBJ = str.obj file.obj client.obj log.obj options.obj protocol.obj WINOBJ += network.obj resolver.obj ssl.obj ctx.obj verify.obj sthreads.obj -WINOBJ += fd.obj stunnel.obj gui.obj resources.obj -WINPREFIX = i586-mingw32msvc- +WINOBJ += fd.obj stunnel.obj +WINGUIOBJ = $(WINOBJ) gui.obj resources.obj +WINNOGUIOBJ = $(WINOBJ) nogui.obj +WINPREFIX = i686-w64-mingw32- WINGCC = $(WINPREFIX)gcc WINDRES = $(WINPREFIX)windres -dist-hook: stunnel.exe +dist-hook: stunnel.exe tstunnel.exe distclean-local: - rm -f stunnel.exe + rm -f stunnel.exe tstunnel.exe # SUFFIXES = .c .rc .obj -stunnel.exe: $(WINOBJ) - $(WINGCC) $(WINLDFLAGS) -o stunnel.exe $(WINOBJ) $(WINLIBS) +stunnel.exe: $(WINGUIOBJ) + $(WINGCC) -mwindows 
$(WINLDFLAGS) -o stunnel.exe $(WINGUIOBJ) $(WINLIBS) + +tstunnel.exe: $(WINNOGUIOBJ) + $(WINGCC) $(WINLDFLAGS) -o tstunnel.exe $(WINNOGUIOBJ) $(WINLIBS) %.obj: %.c $(common_headers) $(WINGCC) -c $(WINCPPFLAGS) $(WINCFLAGS) -o $@ $< diff --git a/src/Makefile.in b/src/Makefile.in index 6dbbf93..c53b9a3 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -37,7 +37,7 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ bin_PROGRAMS = stunnel$(EXEEXT) -EXTRA_PROGRAMS = stunnel.exe$(EXEEXT) +EXTRA_PROGRAMS = stunnel.exe$(EXEEXT) tstunnel.exe$(EXEEXT) subdir = src DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ $(srcdir)/config.h.in $(srcdir)/stunnel3.in @@ -110,6 +110,10 @@ am_stunnel_exe_OBJECTS = $(am__objects_2) $(am__objects_5) \ $(am__objects_6) stunnel_exe_OBJECTS = $(am_stunnel_exe_OBJECTS) stunnel_exe_LDADD = $(LDADD) +am_tstunnel_exe_OBJECTS = $(am__objects_2) $(am__objects_5) \ + nogui.$(OBJEXT) +tstunnel_exe_OBJECTS = $(am_tstunnel_exe_OBJECTS) +tstunnel_exe_LDADD = $(LDADD) SCRIPTS = $(bin_SCRIPTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/auto/depcomp @@ -125,9 +129,9 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(libstunnel_la_SOURCES) $(stunnel_SOURCES) \ - $(stunnel_exe_SOURCES) + $(stunnel_exe_SOURCES) $(tstunnel_exe_SOURCES) DIST_SOURCES = $(libstunnel_la_SOURCES) $(stunnel_SOURCES) \ - $(stunnel_exe_SOURCES) + $(stunnel_exe_SOURCES) $(tstunnel_exe_SOURCES) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) 
@@ -276,22 +280,26 @@ stunnel_CPPFLAGS = -I/usr/kerberos/include -I$(SSLDIR)/include \ -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"' # Win32 executable -EXTRA_DIST = nogui.c make.bat makece.bat makew32.bat mingw.mak evc.mak \ - vc.mak os2.mak +EXTRA_DIST = make.bat makece.bat makew32.bat mingw.mak evc.mak vc.mak \ + os2.mak stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources) -OPENSSLDIR = /usr/src/openssl-0.9.8s-fips -WINCPPFLAGS = -I$(OPENSSLDIR)/inc32 -# OPENSSLDIR = /usr/src/openssl-1.0.0f-i586 -# WINCPPFLAGS = -I$(OPENSSLDIR)/include +tstunnel_exe_SOURCES = $(common_headers) $(common_sources) nogui.c + +# OPENSSLDIR = /usr/src/openssl-0.9.8u-fips +# WINCPPFLAGS = -I$(OPENSSLDIR)/inc32 +OPENSSLDIR = /usr/src/openssl-1.0.1e-i586 +WINCPPFLAGS = -I$(OPENSSLDIR)/include WINCFLAGS = -mthreads -fstack-protector -O2 -Wall -Wextra -Wno-long-long -pedantic -WINLDFLAGS = -mthreads -fstack-protector -mwindows -s +WINLDFLAGS = -mthreads -fstack-protector -s WINLIBS = -L$(OPENSSLDIR) -lcrypto -lssl -lpsapi -lws2_32 -lgdi32 # WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto.dll -lssl.dll -lpsapi -lws2_32 -lgdi32 # WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lpsapi -lws2_32 -lgdi32 WINOBJ = str.obj file.obj client.obj log.obj options.obj protocol.obj \ network.obj resolver.obj ssl.obj ctx.obj verify.obj \ - sthreads.obj fd.obj stunnel.obj gui.obj resources.obj -WINPREFIX = i586-mingw32msvc- + sthreads.obj fd.obj stunnel.obj +WINGUIOBJ = $(WINOBJ) gui.obj resources.obj +WINNOGUIOBJ = $(WINOBJ) nogui.obj +WINPREFIX = i686-w64-mingw32- WINGCC = $(WINPREFIX)gcc WINDRES = $(WINPREFIX)windres all: config.h 
@@ -476,6 +484,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gui.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/network.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nogui.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/options.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/protocol.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolver.Po@am__quote@ @@ -962,15 +971,18 @@ uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \ uninstall-pkglibLTLIBRARIES -dist-hook: stunnel.exe +dist-hook: stunnel.exe tstunnel.exe distclean-local: - rm -f stunnel.exe + rm -f stunnel.exe tstunnel.exe # SUFFIXES = .c .rc .obj -stunnel.exe: $(WINOBJ) - $(WINGCC) $(WINLDFLAGS) -o stunnel.exe $(WINOBJ) $(WINLIBS) +stunnel.exe: $(WINGUIOBJ) + $(WINGCC) -mwindows $(WINLDFLAGS) -o stunnel.exe $(WINGUIOBJ) $(WINLIBS) + +tstunnel.exe: $(WINNOGUIOBJ) + $(WINGCC) $(WINLDFLAGS) -o tstunnel.exe $(WINNOGUIOBJ) $(WINLIBS) %.obj: %.c $(common_headers) $(WINGCC) -c $(WINCPPFLAGS) $(WINCFLAGS) -o $@ $< diff --git a/src/client.c b/src/client.c index 4003d13..ad92e2e 100644 --- a/src/client.c +++ b/src/client.c 
@@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission @@ -54,7 +54,7 @@ static void init_local(CLI *); static void init_remote(CLI *); static void init_ssl(CLI *); #ifdef USE_WIN32 -static void win_new_chain(CLI *); +static void new_chain(CLI *); #endif static void transfer(CLI *); static int parse_socket_error(CLI *, const char *); 
@@ -129,7 +129,7 @@ void client_main(CLI *c) { } static void client_run(CLI *c) { - int error; + int err, rst; #ifndef USE_FORK enter_critical_section(CRIT_CLIENTS); /* for multi-cpu machines */ @@ -145,13 +145,13 @@ static void client_run(CLI *c) { c->connect_addr.num=0; c->connect_addr.addr=NULL; - error=setjmp(c->err); - if(!error) + err=setjmp(c->err); + if(!err) client_try(c); - + rst=err==1 && c->opt->option.reset; s_log(LOG_NOTICE, "Connection %s: %d byte(s) sent to SSL, %d byte(s) sent to socket", - error==1 ? "reset" : "closed", c->ssl_bytes, c->sock_bytes); + rst ? "reset" : "closed", c->ssl_bytes, c->sock_bytes); /* cleanup temporary (e.g. IDENT) socket */ if(c->fd>=0) @@ -168,7 +168,7 @@ static void client_run(CLI *c) { /* cleanup remote socket */ if(c->remote_fd.fd>=0) { /* remote socket initialized */ - if(error==1 && c->remote_fd.is_socket) /* reset */ + if(rst && c->remote_fd.is_socket) /* reset */ reset(c->remote_fd.fd, "linger (remote)"); closesocket(c->remote_fd.fd); s_log(LOG_DEBUG, "Remote socket (FD=%d) closed", c->remote_fd.fd); @@ -178,14 +178,14 @@ static void client_run(CLI *c) { /* cleanup local socket */ if(c->local_rfd.fd>=0) { /* local socket initialized */ if(c->local_rfd.fd==c->local_wfd.fd) { - if(error==1 && c->local_rfd.is_socket) + if(rst && c->local_rfd.is_socket) reset(c->local_rfd.fd, "linger (local)"); closesocket(c->local_rfd.fd); s_log(LOG_DEBUG, "Local socket (FD=%d) closed", c->local_rfd.fd); } else { /* stdin/stdout */ - if(error==1 && c->local_rfd.is_socket) + if(rst && c->local_rfd.is_socket) reset(c->local_rfd.fd, "linger (local_rfd)"); - if(error==1 && c->local_wfd.is_socket) + if(rst && c->local_wfd.is_socket) reset(c->local_wfd.fd, "linger (local_wfd)"); } c->local_rfd.fd=c->local_wfd.fd=-1; 
@@ -217,7 +217,7 @@ static void client_try(CLI *c) { /* server mode and no protocol negotiation needed */ init_ssl(c); init_remote(c); - } else { + } else { /* client mode or protocol negotiation enabled */ protocol(c, PROTOCOL_PRE_CONNECT); init_remote(c); protocol(c, PROTOCOL_PRE_SSL); @@ -269,7 +269,7 @@ static void init_local(CLI *c) { } /* neither of local descriptors is a socket */ - if(!c->local_rfd.is_socket && !c->local_rfd.is_socket) { + if(!c->local_rfd.is_socket && !c->local_wfd.is_socket) { #ifndef USE_WIN32 if(c->opt->option.transparent_src) { s_log(LOG_ERR, "Transparent source needs a socket"); @@ -303,7 +303,12 @@ static void init_remote(CLI *c) { c->bind_addr=NULL; /* don't bind */ /* setup c->remote_fd, now */ - if(c->opt->option.remote) { /* try remote first for exec+connect targets */ + if(c->opt->option.remote +#ifndef USE_WIN32 + || c->opt->option.transparent_dst +#endif + ) { + /* try remote first for exec+connect targets */ c->remote_fd.fd=connect_remote(c); } else if(c->opt->option.program) { /* exec+connect uses local fd */ c->remote_fd.fd=connect_local(c); @@ -332,7 +337,7 @@ static void init_ssl(CLI *c) { if(c->opt->option.client) { #ifndef OPENSSL_NO_TLSEXT if(c->opt->sni) { - s_log(LOG_DEBUG, "SNI: host name: %s", c->opt->sni); + s_log(LOG_DEBUG, "SNI: sending servername: %s", c->opt->sni); if(!SSL_set_tlsext_host_name(c->ssl, c->opt->sni)) { sslerror("SSL_set_tlsext_host_name"); longjmp(c->err, 1); @@ -432,7 +437,7 @@ static void init_ssl(CLI *c) { c->opt->option.client ? "connected" : "accepted"); } else { /* a new session was negotiated */ #ifdef USE_WIN32 - win_new_chain(c); + new_chain(c); #endif if(c->opt->option.client) { s_log(LOG_INFO, "SSL connected: new session negotiated"); @@ -449,7 +454,7 @@ static void init_ssl(CLI *c) { } #ifdef USE_WIN32 -static void win_new_chain(CLI *c) { +static void new_chain(CLI *c) { BIO *bio; int i, len; X509 *peer=NULL; 
@@ -491,7 +496,7 @@ static void win_new_chain(CLI *c) { BIO_free(bio); str_detach(chain); /* to prevent automatic deallocation of cached value */ c->opt->chain=chain; /* this race condition is safe to ignore */ - PostMessage(hwnd, WM_NEW_CHAIN, c->opt->section_number, 0); + win_new_chain(c->opt->section_number); s_log(LOG_DEBUG, "Peer certificate was cached (%d bytes)", len); } #endif @@ -522,15 +527,18 @@ static void transfer(CLI *c) { s_poll_init(c->fds); /* initialize the structure */ /* for plain socket open data strem = open file descriptor */ /* make sure to add each open socket to receive exceptions! */ - if(sock_open_rd) + if(sock_open_rd) /* only poll if the read file descriptor is open */ s_poll_add(c->fds, c->sock_rfd->fd, c->sock_ptrfds, c->sock_wfd->fd, 0, c->ssl_ptr); - /* for SSL assume that sockets are open if there any pending requests */ - if(read_wants_read || write_wants_read || shutdown_wants_read) - s_poll_add(c->fds, c->ssl_rfd->fd, 1, 0); - if(read_wants_write || write_wants_write || shutdown_wants_write) - s_poll_add(c->fds, c->ssl_wfd->fd, 0, 1); + /* poll SSL file descriptors unless SSL shutdown was completed */ + if(SSL_get_shutdown(c->ssl)!= + (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) { + s_poll_add(c->fds, c->ssl_rfd->fd, + read_wants_read || write_wants_read || shutdown_wants_read, 0); + s_poll_add(c->fds, c->ssl_wfd->fd, 0, + read_wants_write || write_wants_write || shutdown_wants_write); + } /****************************** wait for an event */ err=s_poll_wait(c->fds, 
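Review bot: in the new_chain() hunk, `c->opt->chain=chain; /* this race condition is safe to ignore */` stores a per-connection pointer into the shared SERVICE_OPTIONS from a client thread and then hands only the section number to the GUI thread via win_new_chain(); with two concurrent connections in the same section the earlier str_detach()ed chain is overwritten and leaked, and the GUI thread may read the pointer while the second client thread is replacing it. The comment should state why this is acceptable (a cached value used only for the save-certificate feature), or the write should be done under the existing critical section with the previous value freed.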
@@ -558,39 +566,64 @@ static void transfer(CLI *c) { } /****************************** check for errors on sockets */ - err=s_poll_error(c->fds, c->sock_rfd); - if(err) { - s_log(LOG_NOTICE, - "Error detected on socket (read) file descriptor: %s (%d)", + err=s_poll_error(c->fds, c->sock_rfd->fd); + if(err && err!=S_EWOULDBLOCK && err!=S_EAGAIN) { + s_log(LOG_NOTICE, "Read socket error: %s (%d)", s_strerror(err), err); longjmp(c->err, 1); } - if(c->sock_wfd->fd != c->sock_rfd->fd) { /* performance optimization */ - err=s_poll_error(c->fds, c->sock_wfd); - if(err) { - s_log(LOG_NOTICE, - "Error detected on socket write file descriptor: %s (%d)", + if(c->sock_wfd->fd!=c->sock_rfd->fd) { /* performance optimization */ + err=s_poll_error(c->fds, c->sock_wfd->fd); + if(err && err!=S_EWOULDBLOCK && err!=S_EAGAIN) { + s_log(LOG_NOTICE, "Write socket error: %s (%d)", s_strerror(err), err); longjmp(c->err, 1); } } - err=s_poll_error(c->fds, c->ssl_rfd); - if(err) { - s_log(LOG_NOTICE, - "Error detected on SSL (read) file descriptor: %s (%d)", + err=s_poll_error(c->fds, c->ssl_rfd->fd); + if(err && err!=S_EWOULDBLOCK && err!=S_EAGAIN) { + s_log(LOG_NOTICE, "SSL socket error: %s (%d)", s_strerror(err), err); longjmp(c->err, 1); } - if(c->ssl_wfd->fd != c->ssl_rfd->fd) { /* performance optimization */ - err=s_poll_error(c->fds, c->ssl_wfd); - if(err) { - s_log(LOG_NOTICE, - "Error detected on SSL write file descriptor: %s (%d)", + if(c->ssl_wfd->fd!=c->ssl_rfd->fd) { /* performance optimization */ + err=s_poll_error(c->fds, c->ssl_wfd->fd); + if(err && err!=S_EWOULDBLOCK && err!=S_EAGAIN) { + s_log(LOG_NOTICE, "SSL socket error: %s (%d)", s_strerror(err), err); longjmp(c->err, 1); } } + /****************************** check for hangup conditions */ + if(s_poll_hup(c->fds, c->sock_rfd->fd)) { + s_log(LOG_INFO, "Read socket closed (hangup)"); + sock_open_rd=0; + } + if(s_poll_hup(c->fds, c->sock_wfd->fd)) { + if(c->ssl_ptr) { + s_log(LOG_ERR, + "Write socket closed (hangup) with 
%d unsent byte(s)", + c->ssl_ptr); + longjmp(c->err, 1); /* reset the socket */ + } + s_log(LOG_INFO, "Write socket closed (hangup)"); + sock_open_wr=0; + } + if(s_poll_hup(c->fds, c->ssl_rfd->fd) || + s_poll_hup(c->fds, c->ssl_wfd->fd)) { + /* hangup -> buggy (e.g. Microsoft) peer: + * SSL socket closed without close_notify alert */ + if(c->sock_ptr) { + s_log(LOG_ERR, + "SSL socket closed (hangup) with %d unsent byte(s)", + c->sock_ptr); + longjmp(c->err, 1); /* reset the socket */ + } + s_log(LOG_INFO, "SSL socket closed (hangup)"); + SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); + } + /****************************** retrieve results from c->fds */ sock_can_rd=s_poll_canread(c->fds, c->sock_rfd->fd); sock_can_wr=s_poll_canwrite(c->fds, c->sock_wfd->fd); @@ -605,6 +638,11 @@ static void transfer(CLI *c) { longjmp(c->err, 1); } + if(c->reneg_state==RENEG_DETECTED && !c->opt->option.renegotiation) { + s_log(LOG_ERR, "Aborting due to renegotiation request"); + longjmp(c->err, 1); + } + /****************************** send SSL close_notify alert */ if(shutdown_wants_read || shutdown_wants_write) { num=SSL_shutdown(c->ssl); /* send close_notify alert */ @@ -650,8 +688,10 @@ static void transfer(CLI *c) { case -1: if(parse_socket_error(c, "readsocket")) break; /* a non-critical error: retry */ + sock_open_rd=sock_open_wr=0; + break; case 0: /* close */ - s_log(LOG_DEBUG, "Socket closed on read"); + s_log(LOG_INFO, "Read socket closed (readsocket)"); sock_open_rd=0; break; default: @@ -667,8 +707,6 @@ static void transfer(CLI *c) { case -1: /* error */ if(parse_socket_error(c, "writesocket")) break; /* a non-critical error: retry */ - case 0: - s_log(LOG_DEBUG, "Socket closed on write"); sock_open_rd=sock_open_wr=0; break; default: 
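Review bot: the renegotiation hunk in transfer() (`if(c->reneg_state==RENEG_DETECTED && !c->opt->option.renegotiation)`) is evaluated once per poll iteration, after the socket error and hangup handling and before SSL_shutdown()/SSL_read()/SSL_write(); since RENEG_DETECTED is set from the OpenSSL info callback while SSL_read()/SSL_write() are consuming the peer's second ClientHello, the abort takes effect on the next pass, which is acceptable, but the LOG_ERR message carries no peer identity, so correlating repeated client-initiated renegotiation attempts requires joining on the surrounding "Connection ... closed" lines. Include the service name or peer address in the message.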
@@ -717,15 +755,15 @@ static void transfer(CLI *c) { * SSL socket closed without close_notify alert */ if(c->sock_ptr) { s_log(LOG_ERR, - "SSL socket closed on SSL_read with %d unsent byte(s)", + "SSL socket closed (SSL_read) with %d unsent byte(s)", c->sock_ptr); longjmp(c->err, 1); /* reset the socket */ } - s_log(LOG_DEBUG, "SSL socket closed on SSL_read"); + s_log(LOG_INFO, "SSL socket closed (SSL_read)"); SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); break; case SSL_ERROR_ZERO_RETURN: /* close_notify alert received */ - s_log(LOG_DEBUG, "SSL closed on SSL_read"); + s_log(LOG_INFO, "SSL closed (SSL_read)"); if(SSL_version(c->ssl)==SSL2_VERSION) SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); break; @@ -769,15 +807,15 @@ static void transfer(CLI *c) { * SSL socket closed without close_notify alert */ if(c->sock_ptr) { s_log(LOG_ERR, - "SSL socket closed on SSL_write with %d unsent byte(s)", + "SSL socket closed (SSL_write) with %d unsent byte(s)", c->sock_ptr); longjmp(c->err, 1); /* reset the socket */ } - s_log(LOG_DEBUG, "SSL socket closed on SSL_write"); + s_log(LOG_INFO, "SSL socket closed (SSL_write)"); SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); break; case SSL_ERROR_ZERO_RETURN: /* close_notify alert received */ - s_log(LOG_DEBUG, "SSL closed on SSL_write"); + s_log(LOG_INFO, "SSL closed (SSL_write)"); if(SSL_version(c->ssl)==SSL2_VERSION) SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); break; 
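Review bot: the SSL_read and SSL_write hunks in transfer() now differ only in the operation name inside otherwise identical messages and SSL_set_shutdown() sequences (`"SSL socket closed (SSL_read) with %d unsent byte(s)"` vs `(SSL_write)`), and the same shape is repeated in the hangup handling and in the four `err && err!=S_EWOULDBLOCK && err!=S_EAGAIN` checks earlier in the function; a small helper taking the operation name would remove the copies and keep the LOG_INFO/LOG_ERR level decision in one place. Promoting these per-connection close lines from LOG_DEBUG to LOG_INFO also changes the log volume at the info level, which the ChangeLog should mention.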
@@ -794,7 +832,7 @@ static void transfer(CLI *c) { if(sock_open_wr && SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN && !c->ssl_ptr) { sock_open_wr=0; /* no further write allowed */ if(!c->sock_wfd->is_socket) { - s_log(LOG_DEBUG, "Closing the socket file descriptor"); + s_log(LOG_DEBUG, "Closing the file descriptor"); sock_open_rd=0; /* file descriptor is ready to be closed */ } else if(!shutdown(c->sock_wfd->fd, SHUT_WR)) { /* send TCP FIN */ s_log(LOG_DEBUG, "Sent socket write shutdown"); @@ -1084,8 +1122,15 @@ static int connect_local(CLI *c) { /* spawn local process */ sigemptyset(&newmask); sigprocmask(SIG_SETMASK, &newmask, NULL); #endif + signal(SIGCHLD, SIG_DFL); + signal(SIGHUP, SIG_DFL); + signal(SIGUSR1, SIG_DFL); + signal(SIGPIPE, SIG_DFL); + signal(SIGTERM, SIG_DFL); + signal(SIGQUIT, SIG_DFL); + signal(SIGINT, SIG_DFL); execvp(c->opt->execname, c->opt->execargs); - ioerror(c->opt->execname); /* execv failed */ + ioerror(c->opt->execname); /* execvp failed */ _exit(1); default: /* parent */ s_log(LOG_INFO, "Local mode child started (PID=%lu)", c->pid); @@ -1159,8 +1204,8 @@ static SOCKADDR_LIST *dynamic_remote_addr(CLI *c) { #endif /* SO_ORIGINAL_DST */ if(c->opt->option.delayed_lookup) { - if(!name2addrlist(&c->connect_addr, - c->opt->connect_name, DEFAULT_LOOPBACK)) { + if(!namelist2addrlist(&c->connect_addr, + c->opt->connect_list, DEFAULT_LOOPBACK)) { s_log(LOG_ERR, "No host resolved"); longjmp(c->err, 1); } diff --git a/src/common.h b/src/common.h index 4f85e2f..0efdd7c 100644 --- a/src/common.h +++ b/src/common.h @@ -1,6 +1,6 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
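Review bot: in the connect_local() hunk, the seven `signal(..., SIG_DFL)` calls before execvp() only matter for signals the parent has set to SIG_IGN, because execve() already resets caught handlers to the default while preserving ignored dispositions; a comment saying this, and naming which of SIGCHLD/SIGHUP/SIGUSR1/SIGPIPE/SIGTERM/SIGQUIT/SIGINT stunnel actually ignores, would keep the list from drifting out of sync with the handlers installed at startup. The preceding `sigprocmask(SIG_SETMASK, &newmask, NULL)` correctly clears the inherited mask, so the child starts with both a clean mask and default dispositions.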
@@ -431,10 +431,10 @@ extern char *sys_errlist[]; #include #endif /* HAVE_OSSL_OCSP_H */ -#ifdef USE_FIPS +#ifdef HAVE_OSSL_FIPS_H #include #include -#endif /* USE_FIPS */ +#endif /* HAVE_OSSL_FIPS_H */ #if OPENSSL_VERSION_NUMBER<0x0090800fL #define OPENSSL_NO_ECDH diff --git a/src/config.h.in b/src/config.h.in index 7ff12b8..0cae712 100644 --- a/src/config.h.in +++ b/src/config.h.in @@ -27,6 +27,9 @@ /* Define to 1 if you have the `endhostent' function. */ #undef HAVE_ENDHOSTENT +/* Define to 1 if you have the `FIPS_mode_set' function. */ +#undef HAVE_FIPS_MODE_SET + /* Define to 1 if you have 'getaddrinfo' function. */ #undef HAVE_GETADDRINFO @@ -78,6 +81,9 @@ /* Define to 1 if you have header file. */ #undef HAVE_OSSL_ENGINE_H +/* Define to 1 if you have header file. */ +#undef HAVE_OSSL_FIPS_H + /* Define to 1 if you have header file. */ #undef HAVE_OSSL_OCSP_H diff --git a/src/ctx.c b/src/ctx.c index ea01e1a..6f1bc26 100644 --- a/src/ctx.c +++ b/src/ctx.c @@ -1,6 +1,6 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -43,6 +43,7 @@ /* SNI */ #ifndef OPENSSL_NO_TLSEXT static int servername_cb(SSL *, int *, void *); +static int matches_wildcard(char *, char *); #endif /* DH/ECDH initialization */ @@ -126,6 +127,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init SSL context */ } } SSL_CTX_set_session_cache_mode(section->ctx, SSL_SESS_CACHE_BOTH); + SSL_CTX_sess_set_cache_size(section->ctx, section->session_size); SSL_CTX_set_timeout(section->ctx, section->session_timeout); if(section->option.sessiond) { SSL_CTX_sess_set_new_cb(section->ctx, sess_new_cb); 
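Review bot: the common.h hunk gates the FIPS headers on HAVE_OSSL_FIPS_H while config.h.in adds a separate HAVE_FIPS_MODE_SET for the function; header presence is not a capability check (an OpenSSL build can ship the fips header without a usable FIPS_mode_set), so the code that switches FIPS mode on should test HAVE_FIPS_MODE_SET, and a comment here should say which macro controls which path. In the ctx.c hunk, `SSL_CTX_sess_set_cache_size(section->ctx, section->session_size)` introduces a new tunable whose default and upper bound need documenting where session_size is parsed, since an oversized session cache is a memory-pressure lever for unauthenticated clients.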
@@ -134,8 +136,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init SSL context */ } /* set info callback */ - if(global_options.debug_level==LOG_DEBUG) /* performance optimization */ - SSL_CTX_set_info_callback(section->ctx, info_callback); + SSL_CTX_set_info_callback(section->ctx, info_callback); /* ciphers, options, mode */ if(section->cipher_list) @@ -173,20 +174,25 @@ static int servername_cb(SSL *ssl, int *ad, void *arg) { /* leave the alert type at SSL_AD_UNRECOGNIZED_NAME */ (void)ad; /* skip warning about unused parameter */ - if(!section->servername_list_head) /* no virtual services defined */ + if(!section->servername_list_head) { /* no virtual services defined */ + s_log(LOG_DEBUG, "SNI: no virtual services defined"); return SSL_TLSEXT_ERR_OK; - if(!servername) /* no SNI extension received from the client */ + } + if(!servername) { /* no SNI extension received from the client */ + s_log(LOG_NOTICE, "SNI: extension not received from the client"); return SSL_TLSEXT_ERR_NOACK; + } + s_log(LOG_DEBUG, "SNI: searching service for servername: %s", servername); for(list=section->servername_list_head; list; list=list->next) - if(!strcasecmp(servername, list->servername)) { + if(matches_wildcard((char *)servername, list->servername)) { + s_log(LOG_DEBUG, "SNI: matched pattern: %s", list->servername); c=SSL_get_ex_data(ssl, cli_index); c->opt=list->opt; SSL_set_SSL_CTX(ssl, c->opt->ctx); SSL_set_verify(ssl, SSL_CTX_get_verify_mode(c->opt->ctx), SSL_CTX_get_verify_callback(c->opt->ctx)); - s_log(LOG_NOTICE, "SNI: switched to section %s", - c->opt->servname); + s_log(LOG_INFO, "SNI: switched to service [%s]", c->opt->servname); #ifdef USE_LIBWRAP accepted_address=s_ntop(&c->peer_addr, c->peer_addr_len); libwrap_auth(c, accepted_address); /* retry on a service switch */ 
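Review bot: the context_init() hunk drops the `if(global_options.debug_level==LOG_DEBUG) /* performance optimization */` guard so info_callback is installed unconditionally; this is required because the callback now carries the renegotiation-state tracking and not just debug logging, and that dependency deserves a comment at this line, otherwise the "optimization" is likely to be restored by someone reading only ctx.c. In servername_cb(), the `(char *)servername` cast exists only because matches_wildcard(char *, char *) takes non-const arguments; declaring it `static int matches_wildcard(const char *, const char *)` removes the cast.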
@@ -194,7 +200,7 @@ static int servername_cb(SSL *ssl, int *ad, void *arg) { #endif /* USE_LIBWRAP */ return SSL_TLSEXT_ERR_OK; } - s_log(LOG_ERR, "SNI: no service defined for server %s", servername); + s_log(LOG_ERR, "SNI: no pattern matched servername: %s", servername); return SSL_TLSEXT_ERR_ALERT_FATAL; } /* TLSEXT callback return codes: @@ -203,6 +209,20 @@ static int servername_cb(SSL *ssl, int *ad, void *arg) { * - SSL_TLSEXT_ERR_ALERT_FATAL * - SSL_TLSEXT_ERR_NOACK */ +static int matches_wildcard(char *servername, char *pattern) { + int diff; + + if(!servername || !pattern) + return 0; + if(*pattern=='*') { /* wildcard comparison */ + diff=strlen(servername)-strlen(++pattern); + if(diff<0) /* pattern longer than servername */ + return 0; + servername+=diff; + } + return !strcasecmp(servername, pattern); +} + #endif /* OPENSSL_NO_TLSEXT */ /**************************************** DH initialization */ @@ -300,7 +320,8 @@ static int init_ecdh(SERVICE_OPTIONS *section) { ecdh=EC_KEY_new_by_curve_name(section->curve); if(!ecdh) { - s_log(LOG_ERR, "Unable to create curve %s", + sslerror("EC_KEY_new_by_curve_name"); + s_log(LOG_ERR, "Cannot create curve %s", OBJ_nid2ln(section->curve)); return 1; /* FAILED */ } 
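Review bot: matches_wildcard() implements a plain suffix match: for a leading `*` the servername is advanced by the length difference and the remainder compared case-insensitively, so `*.example.com` also matches `a.b.example.com`, and a bare `*` matches every servername because diff is never negative against an empty remainder. If single-label wildcard semantics are intended, reject servernames whose skipped prefix contains a '.'; also `diff=strlen(servername)-strlen(++pattern);` subtracts two size_t values before storing into an int, so compare the lengths first (`if(strlen(servername)<strlen(pattern)) return 0;`) instead of relying on the unsigned wrap-around converting to a negative int.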
@@ -615,6 +636,31 @@ static void info_callback( const #endif SSL *ssl, int where, int ret) { + CLI *c; + + c=SSL_get_ex_data(ssl, cli_index); + if(c) { + if((where&SSL_CB_HANDSHAKE_DONE) + && c->reneg_state==RENEG_INIT) { + /* first (initial) handshake was completed, remember this, + * so that further renegotiation attempts can be detected */ + c->reneg_state=RENEG_ESTABLISHED; + } else if((where&SSL_CB_ACCEPT_LOOP) + && c->reneg_state==RENEG_ESTABLISHED) { + int state=SSL_get_state(ssl); + + if(state==SSL3_ST_SR_CLNT_HELLO_A + || state==SSL23_ST_SR_CLNT_HELLO_A) { + /* client hello received after initial handshake, + * this means renegotiation -> mark it */ + c->reneg_state=RENEG_DETECTED; + } + } + } + + if(global_options.debug_level + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included 
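Review bot: the info_callback() hunk detects renegotiation only through SSL_CB_ACCEPT_LOOP and the SSL3_ST_SR_CLNT_HELLO_A / SSL23_ST_SR_CLNT_HELLO_A states, i.e. a second ClientHello received in server mode; in client mode a server-initiated renegotiation (HelloRequest) runs through the connect loop and is never marked RENEG_DETECTED, so the `renegotiation` option only protects server-side services. Either state that in the option documentation or add the matching SSL_CB_CONNECT_LOOP check so both directions are covered.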
@@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission diff --git a/src/evc.mak b/src/evc.mak index 8ac7588..2454c1b 100644 --- a/src/evc.mak +++ b/src/evc.mak @@ -65,7 +65,7 @@ SDKDIR=$(SDKROOT)\$(OSVERSION)\$(PLATFORM) INCLUDES=-I$(SSLDIR)\inc32 -I$(COMPATDIR)\include -I"$(SDKDIR)\include\$(TARGETCPU)" # for X86 and other it appears that /MC or /ML flags are absurd, # we always have to override runtime lib list to coredll and corelibc -LIBS=/NODEFAULTLIB coredll.lib corelibc.lib winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib +LIBS=/NODEFAULTLIB winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib DEFINES=/DHOST=\"$(TARGETCPU)-WCE-eVC-$(WCEVER)\" # /O1 /Oi more correct vs MS doc diff --git a/src/fd.c b/src/fd.c index b732bf1..0cc78de 100644 --- a/src/fd.c +++ b/src/fd.c @@ -1,6 +1,6 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/file.c b/src/file.c index a859bef..126d519 100644 --- a/src/file.c +++ b/src/file.c 
@@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission 
@@ -50,11 +50,9 @@ DISK_FILE *file_open(char *name, int wr) { fh=CreateFile(tstr, wr ? GENERIC_WRITE : GENERIC_READ, FILE_SHARE_READ, NULL, wr ? OPEN_ALWAYS : OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL); - str_free(tstr); - if(fh==INVALID_HANDLE_VALUE) { - ioerror(name); + str_free(tstr); /* str_free() overwrites GetLastError() value */ + if(fh==INVALID_HANDLE_VALUE) return NULL; - } if(wr) /* append */ SetFilePointer(fh, 0, NULL, FILE_END); @@ -92,10 +90,8 @@ DISK_FILE *file_open(char *name, int wr) { flags|=O_CLOEXEC; #endif /* O_CLOEXEC */ fd=open(name, flags, 0640); - if(fd<0) { - ioerror(name); + if(fd<0) return NULL; - } /* setup df structure */ df=str_alloc(sizeof df); diff --git a/src/gui.c b/src/gui.c index 88472f1..8e8e15b 100644 --- a/src/gui.c +++ b/src/gui.c @@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included 
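Review bot: the file_open() hunks remove ioerror(name) from both the Win32 and the POSIX failure paths, so the OS error text (GetLastError()/errno) is no longer reported anywhere unless every caller adds it; the new comment `str_free(tstr); /* str_free() overwrites GetLastError() value */` explains why the call order mattered, but the fix is to capture GetLastError() into a local before str_free() and report it, not to drop the report. The one caller visible in this patch, log_open() in log.c, only logs "Cannot open log file: %s" without the reason.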
@@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission @@ -79,7 +79,6 @@ static void invalid_config(void); static void update_peer_menu(void); static void update_tray_icon(void); static void error_box(const LPSTR); -static void message_box(const LPSTR, const UINT); static void edit_config(HWND); static BOOL is_admin(void); @@ -109,13 +108,15 @@ static HMENU tray_menu_handle=NULL; #ifndef _WIN32_WCE static HMENU main_menu_handle=NULL; #endif -HWND hwnd=NULL; /* main window handle */ +static HWND hwnd=NULL; /* main window handle */ #ifdef _WIN32_WCE static HWND command_bar_handle; /* command bar handle */ #endif static HANDLE small_icon; /* 16x16 icon */ -static TCHAR *win32_name; -static HANDLE daemon_handle=NULL; + /* win32_name is needed for any error_box(), message_box(), + * and the initial main window title */ +static TCHAR *win32_name=TEXT("stunnel ") TEXT(STUNNEL_VERSION) + TEXT(" on ") TEXT(STUNNEL_PLATFORM) TEXT(" (not configured)"); #ifndef _WIN32_WCE static SERVICE_STATUS serviceStatus; @@ -129,15 +130,9 @@ static LONG new_logs=0; static UI_DATA *ui_data=NULL; -#ifndef _WIN32_WCE -GETADDRINFO s_getaddrinfo; -FREEADDRINFO s_freeaddrinfo; -GETNAMEINFO s_getnameinfo; -#endif - static struct { char *config_file; - unsigned int install:1, uninstall:1, start:1, stop:1, service:1, + unsigned int service:1, install:1, uninstall:1, start:1, stop:1, quiet:1, exit:1; } cmdline; 
@@ -167,18 +162,18 @@ int WINAPI WinMain(HINSTANCE this_instance, HINSTANCE prev_instance, command_line=lpCmdLine; #endif - /* win32_name is needed for any error_box(), message_box(), - * and the initial main window title */ - win32_name=TEXT("stunnel ") TEXT(STUNNEL_VERSION) TEXT(" on ") - TEXT(STUNNEL_PLATFORM) TEXT(" (not configured)"); - parse_cmdline(command_line); /* setup global cmdline structure */ #ifndef _WIN32_WCE GetModuleFileName(0, stunnel_exe_path, MAX_PATH); /* find previous instances of the same executable */ - EnumWindows(enum_windows, (LPARAM)stunnel_exe_path); + if(!cmdline.service && !cmdline.install && !cmdline.uninstall && + !cmdline.start && !cmdline.stop) { + EnumWindows(enum_windows, (LPARAM)stunnel_exe_path); + if(cmdline.exit) + return 0; /* in case EnumWindows didn't find a previous instance */ + } /* change current working directory */ c=strrchr(stunnel_exe_path, '\\'); /* last backslash */ @@ -190,16 +185,13 @@ int WINAPI WinMain(HINSTANCE this_instance, HINSTANCE prev_instance, str_free(errmsg); return 1; } - - if(cmdline.exit) - return 0; /* in case EnumWindows didn't find a previous instance */ #endif if(initialize_winsock()) return 1; #ifndef _WIN32_WCE - if(cmdline.service) /* it must be checked before "-install" */ + if(cmdline.service) /* "-service" must be processed before "-install" */ return service_initialize(); if(cmdline.install) return service_install(command_line); @@ -216,7 +208,7 @@ int WINAPI WinMain(HINSTANCE this_instance, HINSTANCE prev_instance, #ifndef _WIN32_WCE static BOOL CALLBACK enum_windows(HWND other_window_handle, LPARAM lParam) { - DWORD pid; + DWORD pid, exit_code; HINSTANCE hInstance; char window_exe_path[MAX_PATH]; HANDLE process_handle; 
@@ -226,9 +218,14 @@ static BOOL CALLBACK enum_windows(HWND other_window_handle, LPARAM lParam) { return TRUE; hInstance=(HINSTANCE)GetWindowLong(other_window_handle, GWL_HINSTANCE); GetWindowThreadProcessId(other_window_handle, &pid); - process_handle=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, + process_handle=OpenProcess(SYNCHRONIZE /* WaitForSingleObject() */ | + PROCESS_TERMINATE /* TerminateProcess() */ | + PROCESS_QUERY_INFORMATION|PROCESS_VM_READ /* GetModuleFileNameEx() */, FALSE, pid); - if(!GetModuleFileNameEx(process_handle, hInstance, window_exe_path, MAX_PATH)) { + if(!process_handle) + return TRUE; + if(!GetModuleFileNameEx(process_handle, + hInstance, window_exe_path, MAX_PATH)) { CloseHandle(process_handle); return TRUE; } @@ -237,8 +234,11 @@ static BOOL CALLBACK enum_windows(HWND other_window_handle, LPARAM lParam) { return TRUE; } if(cmdline.exit) { - SendMessage(other_window_handle, WM_COMMAND, IDM_EXIT, 0); - WaitForSingleObject(process_handle, 3000); + PostMessage(other_window_handle, WM_COMMAND, IDM_EXIT, 0); + if(WaitForSingleObject(process_handle, 3000)==WAIT_TIMEOUT) { + TerminateProcess(process_handle, 0); + WaitForSingleObject(process_handle, 3000); + } } else { ShowWindow(other_window_handle, SW_SHOWNORMAL); /* show window */ SetForegroundWindow(other_window_handle); /* bring on top */ 
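Review bot: in the enum_windows() hunk, `TerminateProcess(process_handle, 0)` after a 3 s WAIT_TIMEOUT forcibly kills the previous instance with exit code 0, so a forced kill is indistinguishable from a clean `-exit` to anything checking the exit status, and the killed instance skips its own shutdown path (signal_post/log flush). Use a non-zero exit code and log the fallback; the added `if(!process_handle) return TRUE;` check and the explicit SYNCHRONIZE|PROCESS_TERMINATE access rights are correct and needed for the WaitForSingleObject()/TerminateProcess() calls.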
@@ -289,37 +289,12 @@ static void parse_cmdline(LPSTR command_line) { /* try to load winsock2 resolver functions from a specified dll name */ static int initialize_winsock() { static struct WSAData wsa_state; -#ifndef _WIN32_WCE - HINSTANCE handle; -#endif if(WSAStartup(MAKEWORD( 2, 2 ), &wsa_state)) { message_box("Failed to initialize winsock", MB_ICONERROR); return 1; /* error */ } -#ifndef _WIN32_WCE - handle=LoadLibrary("ws2_32.dll"); /* IPv6 in Windows XP or higher */ - if(handle) { - s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo"); - s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo"); - s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo"); - if(s_getaddrinfo && s_freeaddrinfo && s_getnameinfo) - return 0; /* IPv6 detected -> OK */ - FreeLibrary(handle); - } - handle=LoadLibrary("wship6.dll"); /* experimental IPv6 for Windows 2000 */ - if(handle) { - s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo"); - s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo"); - s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo"); - if(s_getaddrinfo && s_freeaddrinfo && s_getnameinfo) - return 0; /* IPv6 detected -> OK */ - FreeLibrary(handle); - } - s_getaddrinfo=NULL; - s_freeaddrinfo=NULL; - s_getnameinfo=NULL; -#endif + resolver_init(); return 0; /* IPv4 detected -> OK */ } @@ -379,7 +354,7 @@ static int gui_loop() { #endif /* auto-reset, non-signaled */ config_ready=CreateEvent(NULL, FALSE, FALSE, NULL); - daemon_handle=(HANDLE)_beginthread(daemon_thread, DEFAULT_STACK_SIZE, NULL); + _beginthread(daemon_thread, DEFAULT_STACK_SIZE, NULL); while(GetMessage(&msg, NULL, 0, 0)) { TranslateMessage(&msg); 
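Review bot: in initialize_winsock(), the replacement `resolver_init();` ignores any result and the remaining `return 0; /* IPv4 detected -> OK */` comment is now stale, since the IPv6/IPv4 detection that produced that distinction was removed along with the LoadLibrary() blocks; update the comment and, if resolver_init() can fail, propagate the failure. In gui_loop(), dropping the daemon_handle assignment means nothing can wait on the daemon thread any more, which matches the IDM_EXIT change later in this file but should be stated in the commit message.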
@@ -517,10 +492,8 @@ static LRESULT CALLBACK window_proc(HWND main_window_handle, ShowWindow(main_window_handle, SW_HIDE); /* hide window */ break; case IDM_EXIT: - if(!error_mode) { /* signal_pipe is active */ + if(!error_mode) /* signal_pipe is active */ signal_post(SIGNAL_TERMINATE); - WaitForSingleObject(daemon_handle, 3000); - } DestroyWindow(main_window_handle); break; case IDM_SAVE_LOG: @@ -937,11 +910,13 @@ static void update_peer_menu(void) { section->file=str2tstr(str); str_free(str); - /* setup section->help */ + /* setup LPTSTR section->file */ str=str_printf("peer-%s.pem", section->servname); section->file=str2tstr(str); str_free(str); - str=str_printf( + + /* setup (char *) section->help */ + section->help=str_printf( "Peer certificate chain has been saved.\n" "Add the following lines to section [%s]:\n" "\tCAfile = peer-%s.pem\n" @@ -949,8 +924,6 @@ static void update_peer_menu(void) { "to enable cryptographic authentication.\n" "Then reload stunnel configuration file.", section->servname, section->servname); - section->help=str2tstr(str); - str_free(str); /* setup section->chain */ section->chain=NULL; @@ -1021,7 +994,7 @@ static void error_box(const LPSTR text) { str_free(fullmsg); } -static void message_box(const LPSTR text, const UINT type) { +void message_box(const LPSTR text, const UINT type) { LPTSTR tstr; if(cmdline.quiet) @@ -1031,6 +1004,18 @@ static void message_box(const LPSTR text, const UINT type) { str_free(tstr); } +void win_new_chain(int section_number) { + PostMessage(hwnd, WM_NEW_CHAIN, section_number, 0); +} + +void win_new_log(char *line) { + SendMessage(hwnd, WM_LOG, (WPARAM)line, 0); +} + +void win_new_config(void) { + PostMessage(hwnd, WM_VALID_CONFIG, 0, 0); +} + static void edit_config(HWND main_window_handle) { char cwd[MAX_PATH], *conf_path; diff --git a/src/libwrap.c b/src/libwrap.c index d1dd209..fe47fa6 100644 --- a/src/libwrap.c +++ b/src/libwrap.c 
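Review bot: the new win_new_log() uses SendMessage(hwnd, WM_LOG, ...) while win_new_chain() and win_new_config() use PostMessage(); SendMessage blocks the logging thread until the GUI thread has processed WM_LOG, so any GUI-thread path that waits on a lock held by a thread that is currently logging deadlocks the process, and this is the same hunk where the IDM_EXIT handler stops waiting for the daemon thread (`WaitForSingleObject(daemon_handle, 3000)` removed) and calls DestroyWindow() right after signal_post(). Document why synchronous delivery is required for log lines (presumably the lifetime of `line`), or copy the string and post it asynchronously.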
@@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission 
@@ -168,13 +168,11 @@ void libwrap_auth(CLI *c, char *accepted_address) { } busy[my_process]=0; /* mark the child process as free */ --num_busy; /* the child process has been released */ - if(num_busy==num_processes-1) { /* need to wake up a thread */ - retval=pthread_cond_signal(&cond); /* signal waiting threads */ - if(retval) { - errno=retval; - ioerror("pthread_cond_signal"); - longjmp(c->err, 1); - } + retval=pthread_cond_signal(&cond); /* signal a waiting thread */ + if(retval) { + errno=retval; + ioerror("pthread_cond_signal"); + longjmp(c->err, 1); } retval=pthread_mutex_unlock(&mutex); if(retval) { diff --git a/src/log.c b/src/log.c index 158b182..7dab3cd 100644 --- a/src/log.c +++ b/src/log.c @@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included 
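Review bot: the libwrap_auth() hunk replaces the conditional `if(num_busy==num_processes-1)` with an unconditional pthread_cond_signal(&cond); the old code signalled only when the pool went from fully busy to one free slot, so with several threads blocked on the condition only the first release woke anyone and later releases were lost wake-ups. A comment recording that this is the reason, and that the extra signals are harmless, would keep the old "optimization" from being reintroduced.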
@@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission @@ -73,14 +73,17 @@ void syslog_close(void) { #endif /* !defined(USE_WIN32) && !defined(__vms) */ -void log_open(void) { +int log_open(void) { if(global_options.output_file) { /* 'output' option specified */ outfile=file_open(global_options.output_file, 1); - if(!outfile) - s_log(LOG_ERR, "Unable to open output file: %s", + if(!outfile) { + s_log(LOG_ERR, "Cannot open log file: %s", global_options.output_file); + return 1; + } } log_flush(LOG_MODE_CONFIGURED); + return 0; } void log_close(void) { 
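Review bot: log_open() now returns 1 when the output file cannot be opened, but none of its callers are in this hunk; each call site must test the new return value, otherwise the change only reworded the message and the failure is still ignored (the ChangeLog entry "Failure to open the log file at startup is no longer ignored" depends on that). Note also that the s_log(LOG_ERR, ...) before `return 1` runs while outfile is still NULL and before log_flush(LOG_MODE_CONFIGURED), so it relies on the pre-configuration logging path to reach the operator; a comment saying so would help.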
@@ -198,15 +201,7 @@ static void log_raw(const int level, const char *stamp, if(mode==LOG_MODE_ERROR || /* always log to the GUI window */ (mode==LOG_MODE_INFO && level + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission @@ -40,6 +40,8 @@ /* #define DEBUG_UCONTEXT */ +static int get_socket_error(const int); + /**************************************** s_poll functions */ #ifdef USE_POLL 
@@ -88,8 +90,8 @@ int s_poll_canread(s_poll_set *fds, int fd) { for(i=0; infds; i++) if(fds->ufds[i].fd==fd) - return fds->ufds[i].revents&(POLLIN|POLLHUP); /* read or closed */ - return 0; + return fds->ufds[i].revents&POLLIN; + return 0; /* not listed in fds */ } int s_poll_canwrite(s_poll_set *fds, int fd) { @@ -97,20 +99,27 @@ int s_poll_canwrite(s_poll_set *fds, int fd) { for(i=0; infds; i++) if(fds->ufds[i].fd==fd) - return fds->ufds[i].revents&POLLOUT; /* it is possible to write */ - return 0; + return fds->ufds[i].revents&POLLOUT; + return 0; /* not listed in fds */ } -int s_poll_error(s_poll_set *fds, FD *s) { +int s_poll_hup(s_poll_set *fds, int fd) { unsigned int i; - if(!s->is_socket) - return 0; for(i=0; infds; i++) - if(fds->ufds[i].fd==s->fd) + if(fds->ufds[i].fd==fd) + return fds->ufds[i].revents&POLLHUP; + return 0; /* not listed in fds */ +} + +int s_poll_error(s_poll_set *fds, int fd) { + unsigned int i; + + for(i=0; infds; i++) + if(fds->ufds[i].fd==fd) return fds->ufds[i].revents&(POLLERR|POLLNVAL) ? - get_socket_error(s->fd) : 0; - return 0; + get_socket_error(fd) : 0; + return 0; /* not listed in fds */ } #ifdef USE_UCONTEXT 
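Review bot: s_poll_canread() no longer reports POLLHUP, so any caller that used it as "readable or closed" now needs a separate s_poll_hup() call; otherwise a peer that closes without pending data is never noticed and the transfer loop stalls or spins. Please audit transfer() and the fd_getline()/fd_putline() helpers touched later in this patch. Removing the `is_socket` guard from s_poll_error() is only sound because get_socket_error() is changed later in this patch to map S_ENOTSOCK to 0; a one-line comment at s_poll_error() pointing at that would save the next reader a search.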
@@ -321,14 +330,18 @@ int s_poll_canwrite(s_poll_set *fds, int fd) { return FD_ISSET(fd, &fds->owfds); } -int s_poll_error(s_poll_set *fds, FD *s) { - if(!s->is_socket) - return 0; /* getsockopt is only available on sockets */ +int s_poll_hup(s_poll_set *fds, int fd) { + (void)fds; /* skip warning about unused parameter */ + (void)fd; /* skip warning about unused parameter */ + return 0; /* FIXME: how to detect HUP condition with select()? */ +} + +int s_poll_error(s_poll_set *fds, int fd) { /* error conditions are signaled as read, but apparently *not* in Winsock: * http://msdn.microsoft.com/en-us/library/windows/desktop/ms737625%28v=vs.85%29.aspx */ - if(!(FD_ISSET(s->fd, &fds->orfds) || FD_ISSET(s->fd, &fds->oxfds))) + if(!FD_ISSET(fd, &fds->orfds) && !FD_ISSET(fd, &fds->oxfds)) return 0; - return get_socket_error(s->fd); /* check if it's really an error */ + return get_socket_error(fd); /* check if it's really an error */ } int s_poll_wait(s_poll_set *fds, int sec, int msec) { @@ -400,13 +413,13 @@ int set_socket_options(int s, int type) { return retval; /* returns 0 when all options succeeded */ } -int get_socket_error(const int fd) { +static int get_socket_error(const int fd) { int err; socklen_t optlen=sizeof err; if(getsockopt(fd, SOL_SOCKET, SO_ERROR, (void *)&err, &optlen)) err=get_last_socket_error(); /* failed -> ask why */ - return err; + return err==S_ENOTSOCK ? 0 : err; } /**************************************** simulate blocking I/O */ @@ -550,9 +563,10 @@ void fd_putline(CLI *c, int fd, const char *line) { } char *fd_getline(CLI *c, int fd) { - char *line=NULL, *tmpline; - int ptr=0; + char *line, *tmpline; + int ptr=0, allocated=32; + line=str_alloc(allocated); for(;;) { s_poll_init(c->fds); s_poll_add(c->fds, fd, 1, 0); /* read */ 
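Review bot: the select() build's s_poll_hup() is a stub that always returns 0 (the FIXME says as much), so after removing POLLHUP from the poll() build's s_poll_canread() the two backends disagree: code that detects hangup through s_poll_hup() works on poll() platforms and never sees it on select() ones such as Win32. Until a select() equivalent exists (a zero-length read on a descriptor reported readable is the usual signal), callers must keep treating read()==0 as EOF and not depend on s_poll_hup() alone. In s_poll_error(), `!FD_ISSET(a) && !FD_ISSET(b)` is equivalent to the old `!(FD_ISSET(a) || FD_ISSET(b))`, so that part is a pure style change.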
@@ -573,7 +587,10 @@ char *fd_getline(CLI *c, int fd) { str_free(line); longjmp(c->err, 1); /* error */ } - line=str_realloc(line, ptr+1); + if(allocated + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission 
@@ -41,21 +41,59 @@ int main(int argc, char *argv[]) { static struct WSAData wsa_state; + str_init(); /* initialize per-thread string management */ if(WSAStartup(MAKEWORD(1, 1), &wsa_state)) return 1; + resolver_init(); main_initialize(); - if(main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL)) - return 1; - main_execute(); + if(!main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL)) + daemon_loop(); + unbind_ports(); + log_flush(LOG_MODE_ERROR); return 0; } +void message_box(const LPSTR text, const UINT type) { + LPTSTR tstr; + + tstr=str2tstr(text); + MessageBox(NULL, tstr, TEXT("stunnel"), type); + str_free(tstr); +} + +void win_new_chain(int section_number) { + (void)section_number; /* skip warning about unused parameter */ +} + +void win_new_log(char *line) { +#ifdef _WIN32_WCE + /* log to Windows CE debug output stream */ + LPTSTR tstr; + + tstr=str2tstr(line); + RETAILMSG(TRUE, (TEXT("%s\r\n"), tstr)); + str_free(tstr); +#else + printf("%s\n", line); +#endif +} + +void win_new_config(void) { + /* no action */ +} + int passwd_cb(char *buf, int size, int rwflag, void *userdata) { + (void)buf; /* skip warning about unused parameter */ + (void)size; /* skip warning about unused parameter */ + (void)rwflag; /* skip warning about unused parameter */ + (void)userdata; /* skip warning about unused parameter */ return 0; /* not implemented */ } #ifdef HAVE_OSSL_ENGINE_H int pin_cb(UI *ui, UI_STRING *uis) { + (void)ui; /* skip warning about unused parameter */ + (void)uis; /* skip warning about unused parameter */ return 0; /* not implemented */ } #endif diff --git a/src/options.c b/src/options.c index e931114..0a0e909 100644 --- a/src/options.c +++ b/src/options.c 
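Review bot: in the nogui main() hunk a configuration failure no longer changes the exit status: the old code returned 1 when main_configure() failed, the new code merely skips daemon_loop() and falls through to `return 0`, so a service wrapper or script cannot tell a rejected configuration from a clean shutdown. Suggest keeping the result, e.g. `if(main_configure(...)) return 1;` ahead of daemon_loop(), or carrying it to the final return after log_flush(). The (void) casts in passwd_cb()/pin_cb() are fine; returning 0 from passwd_cb() means an encrypted private key cannot be opened in this build, which matches the "not implemented" comment and should be stated in the terminal build's documentation.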
@@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission @@ -61,10 +61,8 @@ #define CONFLINELEN (16*1024) -static void init_globals(void); -static int init_section(SERVICE_OPTIONS *); #ifndef OPENSSL_NO_TLSEXT -static int init_sni(SERVICE_OPTIONS *); +static char *init_sni(SERVICE_OPTIONS *); #endif static int parse_debug_level(char *); 
@@ -89,8 +87,6 @@ static ENGINE *get_engine(int); #endif static void print_syntax(void); -static void config_error(int, const char *, const char *); -static void section_error(const char *, const char *); #ifndef USE_WIN32 static char **argalloc(char *); #endif @@ -102,10 +98,12 @@ static GLOBAL_OPTIONS new_global_options; static SERVICE_OPTIONS new_service_options; typedef enum { - CMD_INIT, /* initialize */ - CMD_EXEC, - CMD_DEFAULT, - CMD_HELP + CMD_BEGIN, /* initialize defaults */ + CMD_EXEC, /* process command */ + CMD_END, /* end of section */ + CMD_FREE, /* TODO: deallocate memory */ + CMD_DEFAULT, /* print default value */ + CMD_HELP /* print help */ } CMD; static char *option_not_found= @@ -131,7 +129,7 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { /* chroot */ #ifdef HAVE_CHROOT switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.chroot_dir=NULL; break; case CMD_EXEC: @@ -139,10 +137,14 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { break; new_global_options.chroot_dir=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = directory to chroot stunnel process", "chroot"); + s_log(LOG_NOTICE, "%-22s = directory to chroot stunnel process", "chroot"); break; } #endif /* HAVE_CHROOT */ @@ -150,7 +152,7 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { /* compression */ #ifndef OPENSSL_NO_COMP switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.compression=COMP_NONE; break; case CMD_EXEC: @@ -165,10 +167,14 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { else return "Specified compression type is not available"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = compression type", + s_log(LOG_NOTICE, "%-22s = compression type", "compression"); break; } 
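Review bot: CMD_FREE enters the enum with a "TODO: deallocate memory", and every handler in this patch is an empty `case CMD_FREE: break;`, so the str_dup()'d values (chroot_dir, egd_sock, output_file, rand_file, servname, ...) are still never released on configuration reload; either land the deallocation together with the enum value or leave the value out until it does something, since the case label implies cleanup that does not happen. Keeping explicit CMD_END/CMD_FREE cases in every switch without a `default:` is verbose but worthwhile: the compiler then flags any option handler that misses a newly added CMD value.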
@@ -176,7 +182,7 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { /* debug */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.debug_level=LOG_NOTICE; #if !defined (USE_WIN32) && !defined (__vms) new_global_options.facility=LOG_DAEMON; @@ -188,21 +194,25 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { if(parse_debug_level(arg)) return "Illegal debug argument"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: #if !defined (USE_WIN32) && !defined (__vms) - s_log(LOG_NOTICE, "%-15s = %s", "debug", "daemon.notice"); + s_log(LOG_NOTICE, "%-22s = %s", "debug", "daemon.notice"); #else - s_log(LOG_NOTICE, "%-15s = %s", "debug", "notice"); + s_log(LOG_NOTICE, "%-22s = %s", "debug", "notice"); #endif break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = [facility].level (e.g. daemon.info)", "debug"); + s_log(LOG_NOTICE, "%-22s = [facility].level (e.g. daemon.info)", "debug"); break; } /* EGD */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: #ifdef EGD_SOCKET new_global_options.egd_sock=EGD_SOCKET; #else 
@@ -214,36 +224,45 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { break; new_global_options.egd_sock=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: #ifdef EGD_SOCKET - s_log(LOG_NOTICE, "%-15s = %s", "EGD", EGD_SOCKET); + s_log(LOG_NOTICE, "%-22s = %s", "EGD", EGD_SOCKET); #endif break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = path to Entropy Gathering Daemon socket", "EGD"); + s_log(LOG_NOTICE, "%-22s = path to Entropy Gathering Daemon socket", "EGD"); break; } #ifdef HAVE_OSSL_ENGINE_H /* engine */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: break; case CMD_EXEC: if(strcasecmp(opt, "engine")) break; return open_engine(arg); + case CMD_END: + close_engine(); + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = auto|engine_id", + s_log(LOG_NOTICE, "%-22s = auto|engine_id", "engine"); break; } /* engineCtrl */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: break; case CMD_EXEC: if(strcasecmp(opt, "engineCtrl")) @@ -252,10 +271,14 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { if(tmpstr) *tmpstr++='\0'; return ctrl_engine(arg, tmpstr); + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = cmd[:arg]", + s_log(LOG_NOTICE, "%-22s = cmd[:arg]", "engineCtrl"); break; } @@ -264,7 +287,7 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { /* fips */ #ifdef USE_FIPS switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.option.fips=1; break; case CMD_EXEC: 
@@ -277,10 +300,14 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { else return "Argument should be either 'yes' or 'no'"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = yes|no FIPS 140-2 mode", + s_log(LOG_NOTICE, "%-22s = yes|no FIPS 140-2 mode", "fips"); break; } @@ -289,7 +316,7 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { /* foreground */ #ifndef USE_WIN32 switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.option.foreground=0; break; case CMD_EXEC: @@ -302,10 +329,14 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { else return "Argument should be either 'yes' or 'no'"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = yes|no foreground mode (don't fork, log to stderr)", + s_log(LOG_NOTICE, "%-22s = yes|no foreground mode (don't fork, log to stderr)", "foreground"); break; } @@ -313,7 +344,7 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { /* output */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.output_file=NULL; break; case CMD_EXEC: @@ -321,17 +352,21 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { break; new_global_options.output_file=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = file to append log messages", "output"); + s_log(LOG_NOTICE, "%-22s = file to append log messages", "output"); break; } /* pid */ #ifndef USE_WIN32 switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.pidfile=PIDFILE; break; case CMD_EXEC: 
@@ -342,18 +377,22 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { else new_global_options.pidfile=NULL; /* empty -> do not create a pid file */ return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = %s", "pid", PIDFILE); + s_log(LOG_NOTICE, "%-22s = %s", "pid", PIDFILE); break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = pid file (empty to disable creating)", "pid"); + s_log(LOG_NOTICE, "%-22s = pid file (empty to disable creating)", "pid"); break; } #endif /* RNDbytes */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.random_bytes=RANDOM_BYTES; break; case CMD_EXEC: @@ -363,17 +402,21 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { if(tmpstr==arg || *tmpstr) /* not a number */ return "Illegal number of bytes to read from random seed files"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = %d", "RNDbytes", RANDOM_BYTES); + s_log(LOG_NOTICE, "%-22s = %d", "RNDbytes", RANDOM_BYTES); break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = bytes to read from random seed files", "RNDbytes"); + s_log(LOG_NOTICE, "%-22s = bytes to read from random seed files", "RNDbytes"); break; } /* RNDfile */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.rand_file=NULL; break; case CMD_EXEC: 
@@ -381,19 +424,23 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { break; new_global_options.rand_file=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: #ifdef RANDOM_FILE - s_log(LOG_NOTICE, "%-15s = %s", "RNDfile", RANDOM_FILE); + s_log(LOG_NOTICE, "%-22s = %s", "RNDfile", RANDOM_FILE); #endif break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = path to file with random seed data", "RNDfile"); + s_log(LOG_NOTICE, "%-22s = path to file with random seed data", "RNDfile"); break; } /* RNDoverwrite */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.option.rand_write=1; break; case CMD_EXEC: @@ -406,11 +453,15 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { else return "Argument should be either 'yes' or 'no'"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = yes", "RNDoverwrite"); + s_log(LOG_NOTICE, "%-22s = yes", "RNDoverwrite"); break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = yes|no overwrite seed datafiles with new random data", + s_log(LOG_NOTICE, "%-22s = yes|no overwrite seed datafiles with new random data", "RNDoverwrite"); break; } @@ -418,7 +469,7 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { #ifndef USE_WIN32 /* service */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_service_options.servname=str_dup("stunnel"); break; case CMD_EXEC: @@ -426,10 +477,14 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { break; new_service_options.servname=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = service name", "service"); + s_log(LOG_NOTICE, "%-22s = service name", "service"); break; } #endif 
@@ -437,7 +492,7 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { #ifndef USE_WIN32 /* setgid */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.gid=0; break; case CMD_EXEC: @@ -452,10 +507,14 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { if(tmpstr==arg || *tmpstr) /* not a number */ return "Illegal GID"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = groupname for setgid()", "setgid"); + s_log(LOG_NOTICE, "%-22s = groupname for setgid()", "setgid"); break; } #endif @@ -463,7 +522,7 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { #ifndef USE_WIN32 /* setuid */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.uid=0; break; case CMD_EXEC: @@ -478,17 +537,21 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { if(tmpstr==arg || *tmpstr) /* not a number */ return "Illegal UID"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = username for setuid()", "setuid"); + s_log(LOG_NOTICE, "%-22s = username for setuid()", "setuid"); break; } #endif /* socket */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: break; case CMD_EXEC: if(strcasecmp(opt, "socket")) 
@@ -496,18 +559,22 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { if(parse_socket_option(arg)) return "Illegal socket option"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = a|l|r:option=value[:value]", "socket"); - s_log(LOG_NOTICE, "%18sset an option on accept/local/remote socket", ""); + s_log(LOG_NOTICE, "%-22s = a|l|r:option=value[:value]", "socket"); + s_log(LOG_NOTICE, "%25sset an option on accept/local/remote socket", ""); break; } /* syslog */ #ifndef USE_WIN32 switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.option.syslog=1; break; case CMD_EXEC: @@ -520,10 +587,14 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { else return "Argument should be either 'yes' or 'no'"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = yes|no send logging messages to syslog", + s_log(LOG_NOTICE, "%-22s = yes|no send logging messages to syslog", "syslog"); break; } @@ -532,7 +603,7 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { /* taskbar */ #ifdef USE_WIN32 switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: new_global_options.option.taskbar=1; break; case CMD_EXEC: 
@@ -545,17 +616,64 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { else return "Argument should be either 'yes' or 'no'"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = yes", "taskbar"); + s_log(LOG_NOTICE, "%-22s = yes", "taskbar"); break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = yes|no enable the taskbar icon", "taskbar"); + s_log(LOG_NOTICE, "%-22s = yes|no enable the taskbar icon", "taskbar"); break; } #endif if(cmd==CMD_EXEC) return option_not_found; + + if(cmd==CMD_END) { + /* FIPS needs to be initialized as early as possible */ + if(ssl_configure(&new_global_options)) /* configure global SSL settings */ + return "Failed to initialize SSL"; + + /* prepare default SSL methods */ +#ifdef USE_FIPS + if(new_global_options.option.fips) { + if(!new_service_options.cipher_list) + new_service_options.cipher_list="FIPS"; + if(!new_service_options.client_method) + new_service_options.client_method= + (SSL_METHOD *)TLSv1_client_method(); + if(!new_service_options.server_method) + new_service_options.server_method= + (SSL_METHOD *)TLSv1_server_method(); + } else { +#endif /* USE_FIPS */ + if(!new_service_options.cipher_list) + new_service_options.cipher_list=stunnel_cipher_list; + if(!new_service_options.client_method) +#if !defined(OPENSSL_NO_TLS1) + new_service_options.client_method= + (SSL_METHOD *)TLSv1_client_method(); +#elif !defined(OPENSSL_NO_SSL3) + new_service_options.client_method= + (SSL_METHOD *)SSLv3_client_method(); +#elif !defined(OPENSSL_NO_SSL2) + new_service_options.client_method= + (SSL_METHOD *)SSLv2_client_method(); +#else /* OPENSSL_NO_TLS1, OPENSSL_NO_SSL3, OPENSSL_NO_SSL2 */ +#error No supported SSL methods found +#endif /* OPENSSL_NO_TLS1, OPENSSL_NO_SSL3, OPENSSL_NO_SSL2 */ + /* SSLv23_server_method() is an always available catch-all */ + if(!new_service_options.server_method) + new_service_options.server_method= + (SSL_METHOD 
*)SSLv23_server_method(); +#ifdef USE_FIPS + } +#endif /* USE_FIPS */ + } + return NULL; /* OK */ } @@ -564,7 +682,8 @@ static char *parse_global_option(CMD cmd, char *opt, char *arg) { static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, char *opt, char *arg) { char *tmpstr; - int tmpnum; + int tmpnum, endpoints=0; + NAME_LIST *tmplist; if(cmd==CMD_DEFAULT || cmd==CMD_HELP) { s_log(LOG_NOTICE, " "); @@ -573,7 +692,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, /* accept */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.accept=0; memset(§ion->local_addr, 0, sizeof(SOCKADDR_UNION)); section->local_addr.in.sin_family=AF_INET; @@ -586,17 +705,23 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(!name2addr(§ion->local_addr, arg, DEFAULT_ANY)) return "Failed to resolve accepting address"; return NULL; /* OK */ + case CMD_END: + if(section->option.accept) + ++endpoints; + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = [host:]port accept connections on specified host:port", + s_log(LOG_NOTICE, "%-22s = [host:]port accept connections on specified host:port", "accept"); break; } /* CApath */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: #if 0 section->ca_dir=(char *)X509_get_default_cert_dir(); #endif 
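Review bot: in the global CMD_END block the non-FIPS client default falls through to SSLv2_client_method() when both OPENSSL_NO_TLS1 and OPENSSL_NO_SSL3 are defined; SSLv2 has been prohibited since RFC 6176, so such a build should reach the `#error No supported SSL methods found` branch rather than quietly defaulting to it, and the SSLv2 branch should go. Likewise SSLv23_server_method() as the "always available catch-all" will negotiate SSLv2 unless SSL_OP_NO_SSLv2 is set on the context elsewhere; please confirm that happens in ssl_configure() or the context setup, since it is not visible here. Calling ssl_configure() at CMD_END of the global section does put `fips = yes` into effect before any service section is parsed, which the comment correctly requires.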
@@ -610,21 +735,25 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, else section->ca_dir=NULL; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: #if 0 - s_log(LOG_NOTICE, "%-15s = %s", "CApath", + s_log(LOG_NOTICE, "%-22s = %s", "CApath", section->ca_dir ? section->ca_dir : "(none)"); #endif break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = CA certificate directory for 'verify' option", + s_log(LOG_NOTICE, "%-22s = CA certificate directory for 'verify' option", "CApath"); break; } /* CAfile */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: #if 0 section->ca_file=(char *)X509_get_default_certfile(); #endif @@ -638,21 +767,25 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, else section->ca_file=NULL; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: #if 0 - s_log(LOG_NOTICE, "%-15s = %s", "CAfile", + s_log(LOG_NOTICE, "%-22s = %s", "CAfile", section->ca_file ? section->ca_file : "(none)"); #endif break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = CA certificate file for 'verify' option", + s_log(LOG_NOTICE, "%-22s = CA certificate file for 'verify' option", "CAfile"); break; } /* cert */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->cert=NULL; break; case CMD_EXEC: @@ -660,16 +793,22 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; section->cert=str_dup(arg); return NULL; /* OK */ + case CMD_END: + if(!section->option.client && !section->cert) + return "SSL server needs a certificate"; + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; /* no default certificate */ case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = certificate chain", "cert"); + s_log(LOG_NOTICE, "%-22s = certificate chain", "cert"); break; } /* ciphers */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->cipher_list=NULL; break; case CMD_EXEC: 
@@ -677,24 +816,28 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; section->cipher_list=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: #ifdef USE_FIPS - s_log(LOG_NOTICE, "%-15s = %s %s", "ciphers", + s_log(LOG_NOTICE, "%-22s = %s %s", "ciphers", "FIPS", "(with \"fips = yes\")"); - s_log(LOG_NOTICE, "%-15s = %s %s", "ciphers", + s_log(LOG_NOTICE, "%-22s = %s %s", "ciphers", stunnel_cipher_list, "(with \"fips = no\")"); #else - s_log(LOG_NOTICE, "%-15s = %s", "ciphers", stunnel_cipher_list); + s_log(LOG_NOTICE, "%-22s = %s", "ciphers", stunnel_cipher_list); #endif /* USE_FIPS */ break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = list of permitted SSL ciphers", "ciphers"); + s_log(LOG_NOTICE, "%-22s = list of permitted SSL ciphers", "ciphers"); break; } /* client */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.client=0; break; case CMD_EXEC: 
@@ -707,43 +850,59 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, else return "Argument should be either 'yes' or 'no'"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = yes|no client mode (remote service uses SSL)", + s_log(LOG_NOTICE, "%-22s = yes|no client mode (remote service uses SSL)", "client"); break; } /* connect */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.remote=0; - section->connect_name=NULL; + section->connect_list=NULL; section->connect_addr.num=0; break; case CMD_EXEC: if(strcasecmp(opt, "connect")) break; section->option.remote=1; - section->connect_name=str_dup(arg); + tmplist=str_alloc(sizeof(NAME_LIST)); + tmplist->name=str_dup(arg); + tmplist->next=section->connect_list; + section->connect_list=tmplist; + return NULL; /* OK */ + case CMD_END: if(!section->option.delayed_lookup && - !name2addrlist(§ion->connect_addr, arg, DEFAULT_LOOPBACK)) { - s_log(LOG_INFO, "Cannot resolve '%s' - delaying DNS lookup", arg); + section->connect_list && + !namelist2addrlist(§ion->connect_addr, + section->connect_list, DEFAULT_LOOPBACK)) { + s_log(LOG_INFO, + "Cannot resolve connect target - delaying DNS lookup"); section->option.delayed_lookup=1; } - return NULL; /* OK */ + if(section->option.remote) + ++endpoints; + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = [host:]port connect remote host:port", + s_log(LOG_NOTICE, "%-22s = [host:]port connect remote host:port", "connect"); break; } /* CRLpath */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->crl_dir=NULL; break; case CMD_EXEC: 
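Review bot: in the connect hunk each `connect` line is pushed onto the front of section->connect_list, so the list ends up in reverse configuration order; the `failover = rr|prio` option later in this file implies priority follows list order, so either namelist2addrlist() must restore file order or the insertion should append, otherwise the last-listed target is tried first. The new CMD_END message "Cannot resolve connect target - delaying DNS lookup" also dropped the '%s' that named the failing host; with several connect targets now possible per section, logging which name failed matters more, not less.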
@@ -754,16 +913,20 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, else section->crl_dir=NULL; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = CRL directory", "CRLpath"); + s_log(LOG_NOTICE, "%-22s = CRL directory", "CRLpath"); break; } /* CRLfile */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->crl_file=NULL; break; case CMD_EXEC: @@ -774,10 +937,14 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, else section->crl_file=NULL; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = CRL file", "CRLfile"); + s_log(LOG_NOTICE, "%-22s = CRL file", "CRLfile"); break; } @@ -786,7 +953,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, /* curve */ #define DEFAULT_CURVE NID_X9_62_prime256v1 switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->curve=DEFAULT_CURVE; break; case CMD_EXEC: @@ -796,11 +963,15 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(section->curve==NID_undef) return "Curve name not supported"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = %s", "curve", OBJ_nid2ln(DEFAULT_CURVE)); + s_log(LOG_NOTICE, "%-22s = %s", "curve", OBJ_nid2ln(DEFAULT_CURVE)); break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = ECDH curve name", "curve"); + s_log(LOG_NOTICE, "%-22s = ECDH curve name", "curve"); break; } @@ -808,7 +979,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, /* delay */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.delayed_lookup=0; break; case CMD_EXEC: 
@@ -821,10 +992,14 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, else return "Argument should be either 'yes' or 'no'"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = yes|no delay DNS lookup for 'connect' option", + s_log(LOG_NOTICE, "%-22s = yes|no delay DNS lookup for 'connect' option", "delay"); break; } @@ -832,7 +1007,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, #ifdef HAVE_OSSL_ENGINE_H /* engineNum */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: break; case CMD_EXEC: if(strcasecmp(opt, "engineNum")) @@ -844,10 +1019,14 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(!section->engine) return "Illegal engine number"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = number of engine to read the key from", + s_log(LOG_NOTICE, "%-22s = number of engine to read the key from", "engineNum"); break; } @@ -855,7 +1034,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, /* exec */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.program=0; section->execname=NULL; break; @@ -874,17 +1053,23 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, } #endif return NULL; /* OK */ + case CMD_END: + if(section->option.program) + ++endpoints; + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = file execute local inetd-type program", + s_log(LOG_NOTICE, "%-22s = file execute local inetd-type program", "exec"); break; } /* execargs */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->execargs=NULL; break; case CMD_EXEC: 
@@ -896,17 +1081,21 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, section->execargs=argalloc(arg); #endif return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = arguments for 'exec' (including $0)", + s_log(LOG_NOTICE, "%-22s = arguments for 'exec' (including $0)", "execargs"); break; } /* failover */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->failover=FAILOVER_RR; break; case CMD_EXEC: @@ -919,17 +1108,21 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, else return "Argument should be either 'rr' or 'prio'"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = rr|prio failover strategy", + s_log(LOG_NOTICE, "%-22s = rr|prio failover strategy", "failover"); break; } /* ident */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->username=NULL; break; case CMD_EXEC: @@ -937,16 +1130,20 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; section->username=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = username for IDENT (RFC 1413) checking", "ident"); + s_log(LOG_NOTICE, "%-22s = username for IDENT (RFC 1413) checking", "ident"); break; } /* key */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->key=NULL; break; case CMD_EXEC: 
@@ -954,16 +1151,20 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; section->key=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = certificate private key", "key"); + s_log(LOG_NOTICE, "%-22s = certificate private key", "key"); break; } #ifdef USE_LIBWRAP switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.libwrap=1; /* enable libwrap by default */ break; case CMD_EXEC: @@ -976,10 +1177,14 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, else return "Argument should be either 'yes' or 'no'"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = yes|no use /etc/hosts.allow and /etc/hosts.deny", + s_log(LOG_NOTICE, "%-22s = yes|no use /etc/hosts.allow and /etc/hosts.deny", "libwrap"); break; } @@ -987,7 +1192,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, /* local */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.local=0; memset(§ion->source_addr, 0, sizeof(SOCKADDR_UNION)); section->source_addr.in.sin_family=AF_INET; @@ -999,10 +1204,14 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(!hostport2addr(§ion->source_addr, arg, "0")) return "Failed to resolve local address"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = IP address to be used as source for remote" + s_log(LOG_NOTICE, "%-22s = IP address to be used as source for remote" " connections", "local"); break; } @@ -1011,7 +1220,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, /* OCSP */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.ocsp=0; memset(§ion->ocsp_addr, 0, sizeof(SOCKADDR_UNION)); section->ocsp_addr.in.sin_family=AF_INET; 
@@ -1021,16 +1230,20 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; section->option.ocsp=1; return parse_ocsp_url(section, arg); + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = OCSP server URL", "ocsp"); + s_log(LOG_NOTICE, "%-22s = OCSP server URL", "ocsp"); break; } /* OCSPflag */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->ocsp_flags=0; break; case CMD_EXEC: @@ -1041,10 +1254,14 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, return "Illegal OCSP flag"; section->ocsp_flags|=tmpnum; return NULL; + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = OCSP server flags", "OCSPflag"); + s_log(LOG_NOTICE, "%-22s = OCSP server flags", "OCSPflag"); break; } @@ -1052,7 +1269,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, /* options */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->ssl_options=0; break; case CMD_EXEC: @@ -1063,17 +1280,21 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, return "Illegal SSL option"; section->ssl_options|=tmpnum; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = SSL option", "options"); - s_log(LOG_NOTICE, "%18sset an SSL option", ""); + s_log(LOG_NOTICE, "%-22s = SSL option", "options"); + s_log(LOG_NOTICE, "%25sset an SSL option", ""); break; } /* protocol */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->protocol=-1; break; case CMD_EXEC: 
@@ -1083,18 +1304,23 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(section->protocol<0) return "Unknown protocol"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = protocol to negotiate before SSL initialization", + s_log(LOG_NOTICE, "%-22s = protocol to negotiate before SSL initialization", "protocol"); - s_log(LOG_NOTICE, "%18scurrently supported: cifs, connect, imap, nntp, pgsql, pop3, proxy, smtp", ""); + s_log(LOG_NOTICE, "%25scurrently supported: cifs, connect, imap,", ""); + s_log(LOG_NOTICE, "%25s nntp, pgsql, pop3, proxy, smtp", ""); break; } /* protocolAuthentication */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->protocol_authentication="basic"; break; case CMD_EXEC: @@ -1102,17 +1328,21 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; section->protocol_authentication=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = authentication type for protocol negotiations", + s_log(LOG_NOTICE, "%-22s = authentication type for protocol negotiations", "protocolAuthentication"); break; } /* protocolHost */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->protocol_host=NULL; break; case CMD_EXEC: @@ -1120,17 +1350,21 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; section->protocol_host=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = host:port for protocol negotiations", + s_log(LOG_NOTICE, "%-22s = host:port for protocol negotiations", "protocolHost"); break; } /* protocolPassword */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->protocol_password=NULL; break; case CMD_EXEC: 
@@ -1138,17 +1372,21 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; section->protocol_password=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = password for protocol negotiations", + s_log(LOG_NOTICE, "%-22s = password for protocol negotiations", "protocolPassword"); break; } /* protocolUsername */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->protocol_username=NULL; break; case CMD_EXEC: @@ -1156,10 +1394,14 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; section->protocol_username=str_dup(arg); return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = username for protocol negotiations", + s_log(LOG_NOTICE, "%-22s = username for protocol negotiations", "protocolUsername"); break; } @@ -1167,7 +1409,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, /* pty */ #ifndef USE_WIN32 switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.pty=0; break; case CMD_EXEC: 
@@ -1180,18 +1422,76 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, else return "Argument should be either 'yes' or 'no'"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = yes|no allocate pseudo terminal for 'exec' option", + s_log(LOG_NOTICE, "%-22s = yes|no allocate pseudo terminal for 'exec' option", "pty"); break; } #endif + /* renegotiation */ + switch(cmd) { + case CMD_BEGIN: + section->option.renegotiation=1; + break; + case CMD_EXEC: + if(strcasecmp(opt, "renegotiation")) + break; + if(!strcasecmp(arg, "yes")) + section->option.renegotiation=1; + else if(!strcasecmp(arg, "no")) + section->option.renegotiation=0; + else + return "argument should be either 'yes' or 'no'"; + return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; + case CMD_DEFAULT: + break; + case CMD_HELP: + s_log(LOG_NOTICE, "%-22s = yes|no support renegotiation", + "renegotiation"); + break; + } + + /* reset */ + switch(cmd) { + case CMD_BEGIN: + section->option.reset=1; /* enabled by default */ + break; + case CMD_EXEC: + if(strcasecmp(opt, "reset")) + break; + if(!strcasecmp(arg, "yes")) + section->option.reset=1; + else if(!strcasecmp(arg, "no")) + section->option.reset=0; + else + return "Argument should be either 'yes' or 'no'"; + return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; + case CMD_DEFAULT: + break; + case CMD_HELP: + s_log(LOG_NOTICE, "%-22s = yes|no send TCP RST on error", + "retry"); + break; + } + /* retry */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.retry=0; break; case CMD_EXEC: 
@@ -1204,37 +1504,70 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, else return "Argument should be either 'yes' or 'no'"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = yes|no retry connect+exec section", + s_log(LOG_NOTICE, "%-22s = yes|no retry connect+exec section", "retry"); break; } - /* session */ + /* sessionCacheSize */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: + section->session_size=1000L; + break; + case CMD_EXEC: + if(strcasecmp(opt, "sessionCacheSize")) + break; + section->session_size=strtol(arg, &tmpstr, 10); + if(tmpstr==arg || *tmpstr) /* not a number */ + return "Illegal session cache size"; + return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; + case CMD_DEFAULT: + s_log(LOG_NOTICE, "%-22s = %ld", "sessionCacheSize", 1000L); + break; + case CMD_HELP: + s_log(LOG_NOTICE, "%-22s = session cache size", "sessionCacheSize"); + break; + } + + /* sessionCacheTimeout */ + switch(cmd) { + case CMD_BEGIN: section->session_timeout=300L; break; case CMD_EXEC: - if(strcasecmp(opt, "session")) + if(strcasecmp(opt, "sessionCacheTimeout") && strcasecmp(opt, "session")) break; section->session_timeout=strtol(arg, &tmpstr, 10); if(tmpstr==arg || *tmpstr) /* not a number */ - return "Illegal session timeout"; + return "Illegal session cache timeout"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = %ld seconds", "session", 300L); + s_log(LOG_NOTICE, "%-22s = %ld seconds", "sessionCacheTimeout", 300L); break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = session cache timeout (in seconds)", "session"); + s_log(LOG_NOTICE, "%-22s = session cache timeout (in seconds)", + "sessionCacheTimeout"); break; } /* sessiond */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.sessiond=0; memset(§ion->sessiond_addr, 0, sizeof(SOCKADDR_UNION)); 
section->sessiond_addr.in.sin_family=AF_INET; @@ -1251,10 +1584,14 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(!name2addr(§ion->sessiond_addr, arg, DEFAULT_LOOPBACK)) return "Failed to resolve sessiond server address"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = [host:]port use sessiond at host:port", + s_log(LOG_NOTICE, "%-22s = [host:]port use sessiond at host:port", "sessiond"); break; } @@ -1262,7 +1599,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, #ifndef OPENSSL_NO_TLSEXT /* sni */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->servername_list_head=NULL; section->servername_list_tail=NULL; section->option.sni=0; @@ -1272,10 +1609,19 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; section->sni=str_dup(arg); return NULL; /* OK */ + case CMD_END: + tmpstr=init_sni(section); + if(tmpstr) + return tmpstr; + if(section->option.sni) + ++endpoints; + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = master_service:host_name for an SNI virtual service", + s_log(LOG_NOTICE, "%-22s = master_service:host_name for an SNI virtual service", "sni"); break; } @@ -1283,7 +1629,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, /* sslVersion */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->client_method=NULL; section->server_method=NULL; break; 
@@ -1313,31 +1659,61 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, section->server_method=(SSL_METHOD *)TLSv1_server_method(); #else return "TLSv1 not supported"; +#endif + } else if(!strcasecmp(arg, "TLSv1.1")) { +#if !defined(OPENSSL_NO_TLS1) && OPENSSL_VERSION_NUMBER>=0x10001000L + section->client_method=(SSL_METHOD *)TLSv1_1_client_method(); + section->server_method=(SSL_METHOD *)TLSv1_1_server_method(); +#else + return "TLSv1.1 not supported"; +#endif + } else if(!strcasecmp(arg, "TLSv1.2")) { +#if !defined(OPENSSL_NO_TLS1) && OPENSSL_VERSION_NUMBER>=0x10001000L + section->client_method=(SSL_METHOD *)TLSv1_2_client_method(); + section->server_method=(SSL_METHOD *)TLSv1_2_server_method(); +#else + return "TLSv1.2 not supported"; #endif } else return "Incorrect version of SSL protocol"; return NULL; /* OK */ + case CMD_END: +#ifdef USE_FIPS + if(new_global_options.option.fips && + ((section->option.client && + section->client_method!=(SSL_METHOD *)TLSv1_client_method()) || + (!section->option.client && + section->server_method!=(SSL_METHOD *)TLSv1_server_method()))) + return "'sslVersion = TLSv1' is required in FIPS mode"; +#endif /* USE_FIPS */ + break; + case CMD_FREE: + break; case CMD_DEFAULT: #ifdef USE_FIPS - s_log(LOG_NOTICE, "%-15s = TLSv1 (with \"fips = yes\")", + s_log(LOG_NOTICE, "%-22s = TLSv1 (with \"fips = yes\")", "sslVersion"); - s_log(LOG_NOTICE, "%-15s = " DEFAULT_SSLVER_CLIENT " for client, " + s_log(LOG_NOTICE, "%-22s = " DEFAULT_SSLVER_CLIENT " for client, " DEFAULT_SSLVER_SERVER " for server (with \"fips = no\")", "sslVersion"); #else - s_log(LOG_NOTICE, "%-15s = " DEFAULT_SSLVER_CLIENT " for client, " + s_log(LOG_NOTICE, "%-22s = " DEFAULT_SSLVER_CLIENT " for client, " DEFAULT_SSLVER_SERVER " for server", "sslVersion"); #endif break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = all|SSLv2|SSLv3|TLSv1 SSL method", "sslVersion"); + s_log(LOG_NOTICE, "%-22s = all|SSLv2|SSLv3|TLSv1" +#if 
OPENSSL_VERSION_NUMBER>=0x10001000L + "|TLSv1.1|TLSv1.2" +#endif + " SSL method", "sslVersion"); break; } #ifndef USE_FORK /* stack */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->stack_size=DEFAULT_STACK_SIZE; break; case CMD_EXEC: @@ -1347,18 +1723,22 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(tmpstr==arg || *tmpstr) /* not a number */ return "Illegal thread stack size"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = %d bytes", "stack", DEFAULT_STACK_SIZE); + s_log(LOG_NOTICE, "%-22s = %d bytes", "stack", DEFAULT_STACK_SIZE); break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = thread stack size (in bytes)", "stack"); + s_log(LOG_NOTICE, "%-22s = thread stack size (in bytes)", "stack"); break; } #endif /* TIMEOUTbusy */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->timeout_busy=300; /* 5 minutes */ break; case CMD_EXEC: @@ -1368,17 +1748,21 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(tmpstr==arg || *tmpstr) /* not a number */ return "Illegal busy timeout"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = %d seconds", "TIMEOUTbusy", 300); + s_log(LOG_NOTICE, "%-22s = %d seconds", "TIMEOUTbusy", 300); break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = seconds to wait for expected data", "TIMEOUTbusy"); + s_log(LOG_NOTICE, "%-22s = seconds to wait for expected data", "TIMEOUTbusy"); break; } /* TIMEOUTclose */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->timeout_close=60; /* 1 minute */ break; case CMD_EXEC: 
@@ -1388,18 +1772,22 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(tmpstr==arg || *tmpstr) /* not a number */ return "Illegal close timeout"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = %d seconds", "TIMEOUTclose", 60); + s_log(LOG_NOTICE, "%-22s = %d seconds", "TIMEOUTclose", 60); break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = seconds to wait for close_notify" - " (set to 0 for buggy MSIE)", "TIMEOUTclose"); + s_log(LOG_NOTICE, "%-22s = seconds to wait for close_notify", + "TIMEOUTclose"); break; } /* TIMEOUTconnect */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->timeout_connect=10; /* 10 seconds */ break; case CMD_EXEC: @@ -1409,17 +1797,21 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(tmpstr==arg || *tmpstr) /* not a number */ return "Illegal connect timeout"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = %d seconds", "TIMEOUTconnect", 10); + s_log(LOG_NOTICE, "%-22s = %d seconds", "TIMEOUTconnect", 10); break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = seconds to connect remote host", "TIMEOUTconnect"); + s_log(LOG_NOTICE, "%-22s = seconds to connect remote host", "TIMEOUTconnect"); break; } /* TIMEOUTidle */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->timeout_idle=43200; /* 12 hours */ break; case CMD_EXEC: 
@@ -1429,18 +1821,22 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(tmpstr==arg || *tmpstr) /* not a number */ return "Illegal idle timeout"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = %d seconds", "TIMEOUTidle", 43200); + s_log(LOG_NOTICE, "%-22s = %d seconds", "TIMEOUTidle", 43200); break; case CMD_HELP: - s_log(LOG_NOTICE, "%-15s = seconds to keep an idle connection", "TIMEOUTidle"); + s_log(LOG_NOTICE, "%-22s = seconds to keep an idle connection", "TIMEOUTidle"); break; } /* transparent */ #ifndef USE_WIN32 switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->option.transparent_src=0; section->option.transparent_dst=0; break; @@ -1464,11 +1860,17 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, } else return "Selected transparent proxy mode is not available"; return NULL; /* OK */ + case CMD_END: + if(section->option.transparent_dst) + ++endpoints; + break; + case CMD_FREE: + break; case CMD_DEFAULT: break; case CMD_HELP: s_log(LOG_NOTICE, - "%-15s = none|source|destination|both transparent proxy mode", + "%-22s = none|source|destination|both transparent proxy mode", "transparent"); break; } @@ -1476,7 +1878,7 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, /* verify */ switch(cmd) { - case CMD_INIT: + case CMD_BEGIN: section->verify_level=-1; /* do not even request a certificate */ break; case CMD_EXEC: 
@@ -1488,27 +1890,48 @@ static char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(section->verify_level<0 || section->verify_level>4) return "Bad verify level"; return NULL; /* OK */ + case CMD_END: + break; + case CMD_FREE: + break; case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-15s = none", "verify"); + s_log(LOG_NOTICE, "%-22s = none", "verify"); break; case CMD_HELP: s_log(LOG_NOTICE, - "%-15s = level of peer certificate verification", "verify"); + "%-22s = level of peer certificate verification", "verify"); s_log(LOG_NOTICE, - "%18slevel 0 - request and ignore peer certificate", ""); + "%25slevel 0 - request and ignore peer cert", ""); s_log(LOG_NOTICE, - "%18slevel 1 - only validate peer certificate if present", ""); + "%25slevel 1 - only validate peer cert if present", ""); s_log(LOG_NOTICE, - "%18slevel 2 - always require a valid peer certificate", ""); + "%25slevel 2 - always require a valid peer cert", ""); s_log(LOG_NOTICE, - "%18slevel 3 - verify peer with locally installed certificate", ""); + "%25slevel 3 - verify peer with locally installed cert", ""); s_log(LOG_NOTICE, - "%18slevel 4 - ignore CA chain and only verify peer certificate", ""); + "%25slevel 4 - ignore CA chain and only verify peer cert", ""); break; } if(cmd==CMD_EXEC) return option_not_found; + + if(cmd==CMD_END) { + if(new_service_options.next) { /* daemon mode checks */ + if(endpoints!=2) + return "Each service must define two endpoints"; + } else { /* inetd mode checks */ + if(section->option.accept) + return "'accept' option is only allowed in a [section]"; + /* no need to check for section->option.sni in inetd mode, + as it requires valid sections to be set */ + if(endpoints!=1) + return "Inetd mode must define one endpoint"; + } + if(context_init(section)) /* initialize SSL context */ + return "Failed to initialize SSL context"; + } + return NULL; /* OK */ } 
@@ -1603,8 +2026,8 @@ int parse_conf(char *name, CONF_TYPE type) { memset(&new_service_options, 0, sizeof(SERVICE_OPTIONS)); /* reset local options */ new_service_options.next=NULL; section=&new_service_options; - parse_global_option(CMD_INIT, NULL, NULL); - parse_service_option(CMD_INIT, section, NULL, NULL); + parse_global_option(CMD_BEGIN, NULL, NULL); + parse_service_option(CMD_BEGIN, section, NULL, NULL); if(type!=CONF_RELOAD) { /* provide defaults for gui.c */ memcpy(&global_options, &new_global_options, sizeof(GLOBAL_OPTIONS)); memcpy(&service_options, &new_service_options, sizeof(SERVICE_OPTIONS)); @@ -1623,12 +2046,12 @@ int parse_conf(char *name, CONF_TYPE type) { continue; if(config_opt[0]=='[' && config_opt[strlen(config_opt)-1]==']') { /* new section */ if(!new_service_options.next) { - /* FIPS needs to be initialized as early as possible */ - if(ssl_configure(&new_global_options)) { /* configure global SSL settings */ + errstr=parse_global_option(CMD_END, NULL, NULL); + if(errstr) { + s_log(LOG_ERR, "Line %d: \"%s\": %s", line_number, line_text, errstr); file_close(df); return 1; } - init_globals(); /* defaults need to be set before other options are parsed */ } ++config_opt; config_opt[strlen(config_opt)-1]='\0'; @@ -1643,7 +2066,7 @@ int parse_conf(char *name, CONF_TYPE type) { } config_arg=strchr(config_line, '='); if(!config_arg) { - config_error(line_number, line_text, "No '=' found"); + s_log(LOG_ERR, "Line %d: \"%s\": No '=' found", line_number, line_text); file_close(df); return 1; } @@ -1656,7 +2079,7 @@ int parse_conf(char *name, CONF_TYPE type) { if(!new_service_options.next && errstr==option_not_found) errstr=parse_global_option(CMD_EXEC, config_opt, config_arg); if(errstr) { - config_error(line_number, line_text, errstr); + s_log(LOG_ERR, "Line %d: \"%s\": %s", line_number, line_text, errstr); file_close(df); return 1; } 
@@ -1665,17 +2088,24 @@ int parse_conf(char *name, CONF_TYPE type) { if(new_service_options.next) { /* daemon mode: initialize sections */ for(section=new_service_options.next; section; section=section->next) { - s_log(LOG_INFO, "Initializing service section [%s]", section->servname); - if(init_section(section)) - return 1; + s_log(LOG_INFO, "Initializing service [%s]", section->servname); + errstr=parse_service_option(CMD_END, section, NULL, NULL); + if(errstr) + break; } } else { /* inetd mode: need to initialize global options */ - if(ssl_configure(&new_global_options)) /* configure global SSL settings */ + errstr=parse_global_option(CMD_END, NULL, NULL); + if(errstr) { + s_log(LOG_ERR, "Global options: %s", errstr); return 1; - init_globals(); + } s_log(LOG_INFO, "Initializing inetd mode configuration"); - if(init_section(&new_service_options)) - return 1; + section=&new_service_options; + errstr=parse_service_option(CMD_END, section, NULL, NULL); + } + if(errstr) { + s_log(LOG_ERR, "Service [%s]: %s", section->servname, errstr); + return 1; } s_log(LOG_NOTICE, "Configuration successful"); 
@@ -1688,126 +2118,30 @@ void apply_conf() { /* can be used once the configuration was validated */ /* service_options are used for inetd mode and to enumerate services */ memcpy(&service_options, &new_service_options, sizeof(SERVICE_OPTIONS)); #ifdef USE_WIN32 - PostMessage(hwnd, WM_VALID_CONFIG, 0, 0); + win_new_config(); #endif } /**************************************** validate and initialize configuration */ -static void init_globals() { -#ifdef HAVE_OSSL_ENGINE_H - close_engine(); -#endif - - /* prepare default SSL methods */ -#ifdef USE_FIPS - if(new_global_options.option.fips) { - if(!new_service_options.cipher_list) - new_service_options.cipher_list="FIPS"; - if(!new_service_options.client_method) - new_service_options.client_method=(SSL_METHOD *)TLSv1_client_method(); - if(!new_service_options.server_method) - new_service_options.server_method=(SSL_METHOD *)TLSv1_server_method(); - return; - } -#endif /* USE_FIPS */ - if(!new_service_options.cipher_list) - new_service_options.cipher_list=stunnel_cipher_list; - if(!new_service_options.client_method) -#if !defined(OPENSSL_NO_TLS1) - new_service_options.client_method=(SSL_METHOD *)TLSv1_client_method(); -#elif !defined(OPENSSL_NO_SSL3) - new_service_options.client_method=(SSL_METHOD *)SSLv3_client_method(); -#elif !defined(OPENSSL_NO_SSL2) - new_service_options.client_method=(SSL_METHOD *)SSLv2_client_method(); -#else /* OPENSSL_NO_TLS1, OPENSSL_NO_SSL3, OPENSSL_NO_SSL2 */ -#error No supported SSL methods found -#endif /* OPENSSL_NO_TLS1, OPENSSL_NO_SSL3, OPENSSL_NO_SSL2 */ - /* SSLv23_server_method() is an always available catch-all */ - if(!new_service_options.server_method) - new_service_options.server_method=(SSL_METHOD *)SSLv23_server_method(); -} - -static int init_section(SERVICE_OPTIONS *section) { -#ifdef USE_FIPS - if(new_global_options.option.fips && - ((section->option.client && - section->client_method!=(SSL_METHOD *)TLSv1_client_method()) || - (!section->option.client && - 
section->server_method!=(SSL_METHOD *)TLSv1_server_method()))) { - section_error(section->servname, "sslVersion = TLSv1 is required in FIPS mode"); - return 1; - } -#endif /* USE_FIPS */ - if(!section->option.client && !section->cert) { - section_error(section->servname, "SSL server needs a certificate"); - return 1; - } #ifndef OPENSSL_NO_TLSEXT - if(init_sni(section)) - return 1; -#endif - if(context_init(section)) /* initialize SSL context */ - return 1; - - if(new_service_options.next) { /* daemon mode checks */ - if((unsigned int)section->option.accept - + (unsigned int)section->option.program - + (unsigned int)section->option.remote -#ifndef OPENSSL_NO_TLSEXT - + (unsigned int)section->option.sni -#endif /* OPENSSL_NO_TLSEXT */ -#ifndef USE_WIN32 - + (unsigned int)section->option.transparent_dst -#endif /* USE_WIN32 */ - !=2) { - section_error(section->servname, "Each service must define two endpoints"); - return 1; - } - } else { /* inetd mode checks */ - if(section->option.accept) { - s_log(LOG_ERR, "Accept option is not allowed in inetd mode"); - s_log(LOG_ERR, "Remove accept option or define a [section]"); - return 1; - } - if(!section->option.remote && !section->execname) { - s_log(LOG_ERR, "Inetd mode must have 'connect' or 'exec' options"); - return 1; - } -#if 0 - /* TODO: some additional checks could be useful */ - if((unsigned int)section->option.program + - (unsigned int)section->option.remote != 1) - section_error(section->servname, "Single endpoint is required in inetd mode"); -#endif - } - return 0; /* all tests passed -- continue program execution */ -} - -#ifndef OPENSSL_NO_TLSEXT -static int init_sni(SERVICE_OPTIONS *section) { +static char *init_sni(SERVICE_OPTIONS *section) { char *tmpstr; SERVICE_OPTIONS *tmpsrv; /* server mode: update servername_list based on SNI option */ if(!section->option.client && section->sni) { tmpstr=strchr(section->sni, ':'); - if(!tmpstr) { - section_error(section->servname, "Invalid SNI parameter format"); - 
return 1; - } + if(!tmpstr) + return "Invalid SNI parameter format"; *tmpstr++='\0'; for(tmpsrv=new_service_options.next; tmpsrv; tmpsrv=tmpsrv->next) if(!strcmp(tmpsrv->servname, section->sni)) break; - if(!tmpsrv) { - section_error(section->servname, "SNI section name not found"); - return 1; - } - if(tmpsrv->option.client) { - section_error(section->servname, "SNI master service is a TLS client"); - return 1; - } + if(!tmpsrv) + return "SNI section name not found"; + if(tmpsrv->option.client) + return "SNI master service is a TLS client"; if(tmpsrv->servername_list_tail) { tmpsrv->servername_list_tail->next=str_alloc(sizeof(SERVERNAME_LIST)); tmpsrv->servername_list_tail=tmpsrv->servername_list_tail->next; @@ -1831,8 +2165,8 @@ static int init_sni(SERVICE_OPTIONS *section) { /* setup host_name for SNI, prefer SNI and protocolHost if specified */ if(section->protocol_host) /* 'protocolHost' option */ section->sni=str_dup(section->protocol_host); - else if(section->connect_name) /* 'connect' option */ - section->sni=str_dup(section->connect_name); + else if(section->connect_list) /* 'connect' option */ + section->sni=str_dup(section->connect_list->name); /* first hostname */ if(section->sni) { /* either 'protocolHost' or 'connect' specified */ tmpstr=strrchr(section->sni, ':'); if(tmpstr) { /* 'host:port' -> drop ':port' */ @@ -1843,7 +2177,7 @@ static int init_sni(SERVICE_OPTIONS *section) { } } } - return 0; + return NULL; } #endif /* OPENSSL_NO_TLSEXT */ @@ -1988,6 +2322,12 @@ static int parse_ssl_option(char *arg) { {"NO_SSLv2", SSL_OP_NO_SSLv2}, {"NO_SSLv3", SSL_OP_NO_SSLv3}, {"NO_TLSv1", SSL_OP_NO_TLSv1}, +#ifdef SSL_OP_NO_TLSv1_1 + {"NO_TLSv1.1", SSL_OP_NO_TLSv1_1}, +#endif +#ifdef SSL_OP_NO_TLSv1_2 + {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2}, +#endif {"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1}, {"PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2}, {"NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG}, 
@@ -2053,6 +2393,15 @@ SOCK_OPT sock_opts[] = { {"TCP_MAXSEG", IPPROTO_TCP, TCP_MAXSEG, TYPE_INT, {NULL, NULL, NULL}}, #endif {"TCP_NODELAY", IPPROTO_TCP, TCP_NODELAY, TYPE_FLAG, {NULL, DEF_ON, DEF_ON}}, +#ifdef IP_FREEBIND + {"IP_FREEBIND", IPPROTO_IP, IP_FREEBIND, TYPE_FLAG, {NULL, NULL, NULL}}, +#endif +#ifdef IP_BINDANY + {"IP_BINDANY", IPPROTO_IP, IP_BINDANY, TYPE_FLAG, {NULL, NULL, NULL}}, +#endif +#ifdef IPV6_BINDANY + {"IPV6_BINDANY", IPPROTO_IPV6,IPV6_BINDANY, TYPE_FLAG, {NULL, NULL, NULL}}, +#endif {NULL, 0, 0, TYPE_NONE, {NULL, NULL, NULL}} }; @@ -2079,6 +2428,7 @@ static int print_socket_options(void) { if(get_last_socket_error()!=S_ENOPROTOOPT) { s_log(LOG_ERR, "Failed to get %s OS default", ptr->opt_str); sockerror("getsockopt"); + closesocket(fd); return 1; /* FAILED */ } td=str_dup("write-only"); @@ -2093,6 +2443,7 @@ static int print_socket_options(void) { ptr->opt_str, ta, tl, tr, td); str_free(ta); str_free(tl); str_free(tr); str_free(td); } + closesocket(fd); return 0; /* OK */ } @@ -2374,14 +2725,6 @@ static void print_syntax(void) { /**************************************** various supporting functions */ -static void config_error(int num, const char *line, const char *str) { - s_log(LOG_ERR, "Line %d: \"%s\": %s", num, line, str); -} - -static void section_error(const char *name, const char *str) { - s_log(LOG_ERR, "Section %s: %s", name, str); -} - #ifndef USE_WIN32 static char **argalloc(char *str) { /* allocate 'exec' argumets */ diff --git a/src/os2.mak b/src/os2.mak index 7234f10..9cce1e1 100644 --- a/src/os2.mak +++ b/src/os2.mak @@ -1,11 +1,11 @@ prefix=. DEFS = -DPACKAGE_NAME=\"stunnel\" \ -DPACKAGE_TARNAME=\"stunnel\" \ - -DPACKAGE_VERSION=\"4.53\" \ - -DPACKAGE_STRING=\"stunnel\ 4.53\" \ + -DPACKAGE_VERSION=\"4.57\" \ + -DPACKAGE_STRING=\"stunnel\ 4.57\" \ -DPACKAGE_BUGREPORT=\"\" \ -DPACKAGE=\"stunnel\" \ - -DVERSION=\"4.53\" \ + -DVERSION=\"4.57\" \ -DSTDC_HEADERS=1 \ -DHAVE_SYS_TYPES_H=1 \ -DHAVE_SYS_STAT_H=1 \ 
diff --git a/src/protocol.c b/src/protocol.c index d53cb0c..e558384 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission 
@@ -38,7 +38,7 @@ #include "common.h" #include "prototypes.h" -#define isprefix(a, b) (strncasecmp((a), (b), strlen(b))==0) +#define is_prefix(a, b) (strncasecmp((a), (b), strlen(b))==0) /* protocol-specific function prototypes */ static void proxy_server(CLI *c); @@ -71,7 +71,7 @@ typedef void (*FUNCTION)(CLI *); static const struct { char *name; struct { - PROTOCOL_TYPE type; + PROTOCOL_PHASE type; FUNCTION func; } handlers[2]; } protocols[]={ @@ -95,7 +95,7 @@ int find_protocol_id(const char *name) { return -1; } -void protocol(CLI *c, const PROTOCOL_TYPE type) { +void protocol(CLI *c, const PROTOCOL_PHASE type) { const int id=c->opt->protocol, mode=(unsigned int)c->opt->option.client; if(id<0 || type!=protocols[id].handlers[mode].type || @@ -112,7 +112,7 @@ void protocol(CLI *c, const PROTOCOL_TYPE type) { /* * PROXY protocol: http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt - * this is a protocol client support for stunnel acting as an SSL server + * this is a protocol client support for stunnel acting as an SSL server * I don't think anything else is useful, but feel free to discuss on the * stunnel-users mailing list if you disagree */ @@ -157,9 +157,11 @@ static void proxy_server(CLI *c) { case AF_INET: proto="TCP4"; break; +#ifdef USE_IPv6 case AF_INET6: proto="TCP6"; break; +#endif default: /* AF_UNIX */ proto="UNKNOWN"; } @@ -203,7 +205,7 @@ static void cifs_server(CLI *c) { longjmp(c->err, 1); } read_blocking(c, c->local_rfd.fd, buffer+4, len); - if(buffer[0]!=0x81){ /* NB_SSN_REQUEST */ + if(buffer[0]!=0x81) { /* NB_SSN_REQUEST */ s_log(LOG_ERR, "Client did not send session setup"); write_blocking(c, c->local_wfd.fd, response_access_denied, 5); longjmp(c->err, 1); 
@@ -246,28 +248,35 @@ static void pgsql_server(CLI *c) { static void smtp_client(CLI *c) { char *line; + line=str_dup(""); do { /* copy multiline greeting */ + str_free(line); line=fd_getline(c, c->remote_fd.fd); fd_putline(c, c->local_wfd.fd, line); - } while(isprefix(line, "220-")); + } while(is_prefix(line, "220-")); fd_putline(c, c->remote_fd.fd, "EHLO localhost"); do { /* skip multiline reply */ + str_free(line); line=fd_getline(c, c->remote_fd.fd); - } while(isprefix(line, "250-")); - if(!isprefix(line, "250 ")) { /* error */ + } while(is_prefix(line, "250-")); + if(!is_prefix(line, "250 ")) { /* error */ s_log(LOG_ERR, "Remote server is not RFC 1425 compliant"); + str_free(line); longjmp(c->err, 1); } fd_putline(c, c->remote_fd.fd, "STARTTLS"); do { /* skip multiline reply */ + str_free(line); line=fd_getline(c, c->remote_fd.fd); - } while(isprefix(line, "220-")); - if(!isprefix(line, "220 ")) { /* error */ + } while(is_prefix(line, "220-")); + if(!is_prefix(line, "220 ")) { /* error */ s_log(LOG_ERR, "Remote server is not RFC 2487 compliant"); + str_free(line); longjmp(c->err, 1); } + str_free(line); } static void smtp_server(CLI *c) { 
@@ -288,24 +297,30 @@ static void smtp_server(CLI *c) { } line=fd_getline(c, c->remote_fd.fd); - if(!isprefix(line, "220")) { + if(!is_prefix(line, "220")) { s_log(LOG_ERR, "Unknown server welcome"); + str_free(line); longjmp(c->err, 1); } fd_printf(c, c->local_wfd.fd, "%s + stunnel", line); + str_free(line); line=fd_getline(c, c->local_rfd.fd); - if(!isprefix(line, "EHLO ")) { + if(!is_prefix(line, "EHLO ")) { s_log(LOG_ERR, "Unknown client EHLO"); + str_free(line); longjmp(c->err, 1); } fd_printf(c, c->local_wfd.fd, "250-%s Welcome", line); fd_putline(c, c->local_wfd.fd, "250 STARTTLS"); + str_free(line); line=fd_getline(c, c->local_rfd.fd); - if(!isprefix(line, "STARTTLS")) { + if(!is_prefix(line, "STARTTLS")) { s_log(LOG_ERR, "STARTTLS expected"); + str_free(line); longjmp(c->err, 1); } fd_putline(c, c->local_wfd.fd, "220 Go ahead"); + str_free(line); } /**************************************** pop3 */ @@ -314,17 +329,21 @@ static void pop3_client(CLI *c) { char *line; line=fd_getline(c, c->remote_fd.fd); - if(!isprefix(line, "+OK ")) { + if(!is_prefix(line, "+OK ")) { s_log(LOG_ERR, "Unknown server welcome"); + str_free(line); longjmp(c->err, 1); } fd_putline(c, c->local_wfd.fd, line); fd_putline(c, c->remote_fd.fd, "STLS"); + str_free(line); line=fd_getline(c, c->remote_fd.fd); - if(!isprefix(line, "+OK ")) { + if(!is_prefix(line, "+OK ")) { s_log(LOG_ERR, "Server does not support TLS"); + str_free(line); longjmp(c->err, 1); } + str_free(line); } static void pop3_server(CLI *c) { 
@@ -332,17 +351,21 @@ static void pop3_server(CLI *c) { line=fd_getline(c, c->remote_fd.fd); fd_printf(c, c->local_wfd.fd, "%s + stunnel", line); + str_free(line); line=fd_getline(c, c->local_rfd.fd); - if(isprefix(line, "CAPA")) { /* client wants RFC 2449 extensions */ + if(is_prefix(line, "CAPA")) { /* client wants RFC 2449 extensions */ fd_putline(c, c->local_wfd.fd, "+OK Stunnel capability list follows"); fd_putline(c, c->local_wfd.fd, "STLS"); fd_putline(c, c->local_wfd.fd, "."); + str_free(line); line=fd_getline(c, c->local_rfd.fd); } - if(!isprefix(line, "STLS")) { + if(!is_prefix(line, "STLS")) { s_log(LOG_ERR, "Client does not want TLS"); + str_free(line); longjmp(c->err, 1); } + str_free(line); fd_putline(c, c->local_wfd.fd, "+OK Stunnel starts TLS negotiation"); } @@ -352,24 +375,28 @@ static void imap_client(CLI *c) { char *line; line=fd_getline(c, c->remote_fd.fd); - if(!isprefix(line, "* OK")) { + if(!is_prefix(line, "* OK")) { s_log(LOG_ERR, "Unknown server welcome"); + str_free(line); longjmp(c->err, 1); } fd_putline(c, c->local_wfd.fd, line); fd_putline(c, c->remote_fd.fd, "stunnel STARTTLS"); + str_free(line); line=fd_getline(c, c->remote_fd.fd); - if(!isprefix(line, "stunnel OK")) { + if(!is_prefix(line, "stunnel OK")) { fd_putline(c, c->local_wfd.fd, "* BYE stunnel: Server does not support TLS"); s_log(LOG_ERR, "Server does not support TLS"); + str_free(line); longjmp(c->err, 2); /* don't reset */ } + str_free(line); } static void imap_server(CLI *c) { char *line, *id, *tail, *capa; - + s_poll_init(c->fds); s_poll_add(c->fds, c->local_rfd.fd, 1, 0); switch(s_poll_wait(c->fds, 0, 200)) { @@ -386,8 +413,9 @@ static void imap_server(CLI *c) { /* process server welcome and send it to client */ line=fd_getline(c, c->remote_fd.fd); - if(!isprefix(line, "* OK")) { + if(!is_prefix(line, "* OK")) { s_log(LOG_ERR, "Unknown server welcome"); + str_free(line); longjmp(c->err, 1); } capa=strstr(line, "CAPABILITY"); 
@@ -397,41 +425,48 @@ static void imap_server(CLI *c) { *capa='K'; /* disable CAPABILITY within greeting */ fd_printf(c, c->local_wfd.fd, "%s (stunnel)", line); + id=str_dup(""); while(1) { /* process client commands */ + str_free(line); line=fd_getline(c, c->local_rfd.fd); /* split line into id and tail */ + str_free(id); id=str_dup(line); tail=strchr(id, ' '); if(!tail) break; *tail++='\0'; - if(isprefix(tail, "STARTTLS")) { + if(is_prefix(tail, "STARTTLS")) { fd_printf(c, c->local_wfd.fd, "%s OK Begin TLS negotiation now", id); + str_free(line); + str_free(id); return; /* success */ - } else if(isprefix(tail, "CAPABILITY")) { + } else if(is_prefix(tail, "CAPABILITY")) { fd_putline(c, c->remote_fd.fd, line); /* send it to server */ + str_free(line); line=fd_getline(c, c->remote_fd.fd); /* get the capabilites */ if(*line=='*') { - /* + /* * append STARTTLS * should also add LOGINDISABLED, but can't because * of Mozilla bug #324138/#312009 * LOGIN would fail as "unexpected command", anyway */ fd_printf(c, c->local_wfd.fd, "%s STARTTLS", line); + str_free(line); line=fd_getline(c, c->remote_fd.fd); /* next line */ } fd_putline(c, c->local_wfd.fd, line); /* forward to the client */ tail=strchr(line, ' '); - if(!tail || !isprefix(tail+1, "OK")) { /* not OK? */ + if(!tail || !is_prefix(tail+1, "OK")) { /* not OK? */ fd_putline(c, c->local_wfd.fd, "* BYE unexpected server response"); s_log(LOG_ERR, "Unexpected server response: %s", line); break; } - } else if(isprefix(tail, "LOGOUT")) { + } else if(is_prefix(tail, "LOGOUT")) { fd_putline(c, c->local_wfd.fd, "* BYE server terminating"); fd_printf(c, c->local_wfd.fd, "%s OK LOGOUT completed", id); break; 
@@ -441,12 +476,17 @@ static void imap_server(CLI *c) { s_log(LOG_ERR, "Unexpected client command %s", tail); break; } - } + } /* clean server shutdown */ + str_free(id); fd_putline(c, c->remote_fd.fd, "stunnel LOGOUT"); + str_free(line); line=fd_getline(c, c->remote_fd.fd); - if(*line=='*') + if(*line=='*') { + str_free(line); line=fd_getline(c, c->remote_fd.fd); + } + str_free(line); longjmp(c->err, 2); /* don't reset */ } 
@@ -456,49 +496,61 @@ static void nntp_client(CLI *c) { char *line; line=fd_getline(c, c->remote_fd.fd); - if(!isprefix(line, "200 ") && !isprefix(line, "201 ")) { + if(!is_prefix(line, "200 ") && !is_prefix(line, "201 ")) { s_log(LOG_ERR, "Unknown server welcome"); + str_free(line); longjmp(c->err, 1); } fd_putline(c, c->local_wfd.fd, line); fd_putline(c, c->remote_fd.fd, "STARTTLS"); + str_free(line); line=fd_getline(c, c->remote_fd.fd); - if(!isprefix(line, "382 ")) { + if(!is_prefix(line, "382 ")) { s_log(LOG_ERR, "Server does not support TLS"); + str_free(line); longjmp(c->err, 1); } + str_free(line); } /**************************************** connect */ static void connect_server(CLI *c) { char *request, *proto, *header; - int not_empty; + NAME_LIST host_list; request=fd_getline(c, c->local_rfd.fd); - if(!isprefix(request, "CONNECT ")) { + if(!is_prefix(request, "CONNECT ")) { fd_putline(c, c->local_wfd.fd, "HTTP/1.0 400 Bad Request Method"); fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION); fd_putline(c, c->local_wfd.fd, ""); + str_free(request); longjmp(c->err, 1); } proto=strchr(request+8, ' '); - if(!proto || !isprefix(proto, " HTTP/")) { + if(!proto || !is_prefix(proto, " HTTP/")) { fd_putline(c, c->local_wfd.fd, "HTTP/1.0 400 Bad Request Protocol"); fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION); fd_putline(c, c->local_wfd.fd, ""); + str_free(request); longjmp(c->err, 1); } *proto='\0'; - do { /* ignore any headers*/ - header=fd_getline(c, c->local_rfd.fd); - not_empty=*header; + + header=str_dup(""); + do { /* ignore any headers */ str_free(header); - } while(not_empty); - if(!name2addrlist(&c->connect_addr, request+8, DEFAULT_LOOPBACK)) { + header=fd_getline(c, c->local_rfd.fd); + } while(*header); /* not empty */ + str_free(header); + + host_list.name=request+8; + host_list.next=NULL; + if(!namelist2addrlist(&c->connect_addr, &host_list, DEFAULT_LOOPBACK)) { fd_putline(c, c->local_wfd.fd, "HTTP/1.0 404 Not 
Found"); fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION); fd_putline(c, c->local_wfd.fd, ""); + str_free(request); longjmp(c->err, 1); } str_free(request); @@ -541,23 +593,27 @@ static void connect_client(CLI *c) { } fd_putline(c, c->remote_fd.fd, ""); /* empty line */ line=fd_getline(c, c->remote_fd.fd); - if(strlen(line)<12 || line[9]!='2') { - /* not "HTTP/1.0 200 Connection established" */ + if(!is_prefix(line, "HTTP/1.0 2") && !is_prefix(line, "HTTP/1.1 2")) { + /* not "HTTP/1.x 2xx Connection established" */ s_log(LOG_ERR, "CONNECT request rejected"); do { /* read all headers */ + str_free(line); line=fd_getline(c, c->remote_fd.fd); } while(*line); + str_free(line); longjmp(c->err, 1); } s_log(LOG_INFO, "CONNECT request accepted"); do { + str_free(line); line=fd_getline(c, c->remote_fd.fd); /* read all headers */ } while(*line); + str_free(line); } #if !defined(OPENSSL_NO_MD4) && OPENSSL_VERSION_NUMBER>=0x0090700fL -/* +/* * NTLM code is based on the following documentation: * http://davenport.sourceforge.net/ntlm.html * http://www.innovation.ch/personal/ronald/ntlm.html @@ -566,7 +622,7 @@ static void connect_client(CLI *c) { #define s_min(a, b) ((a)>(b)?(b):(a)) static void ntlm(CLI *c) { - char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt; + char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr; long content_length=0; /* no HTTP content */ /* send Proxy-Authorization (phase 1) */ 
@@ -582,28 +638,38 @@ static void ntlm(CLI *c) { line=fd_getline(c, c->remote_fd.fd); /* receive Proxy-Authenticate (phase 2) */ - if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */ - s_log(LOG_ERR, "NTLM authorization request rejected"); + if(!is_prefix(line, "HTTP/1.0 407") && !is_prefix(line, "HTTP/1.1 407")) { + s_log(LOG_ERR, "Proxy-Authenticate: NTLM authorization request rejected"); do { /* read all headers */ + str_free(line); line=fd_getline(c, c->remote_fd.fd); } while(*line); + str_free(line); longjmp(c->err, 1); } ntlm2_txt=NULL; do { /* read all headers */ + str_free(line); line=fd_getline(c, c->remote_fd.fd); - if(isprefix(line, "Proxy-Authenticate: NTLM ")) + if(is_prefix(line, "Proxy-Authenticate: NTLM ")) ntlm2_txt=str_dup(line+25); - else if(isprefix(line, "Content-Length: ")) - content_length=atol(line+16); + else if(is_prefix(line, "Content-Length: ")) { + content_length=strtol(line+16, &tmpstr, 10); + if(tmpstr==line+16 || *tmpstr || content_length<0) { + s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length"); + str_free(line); + longjmp(c->err, 1); + } + } } while(*line); if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */ s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found"); + str_free(line); longjmp(c->err, 1); } /* read and ignore HTTP content (if any) */ - while(content_length) { + while(content_length>0) { read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ)); content_length-=s_min(content_length, BUFSIZ); } diff --git a/src/prototypes.h b/src/prototypes.h index 01f39c6..0b02b54 100644 --- a/src/prototypes.h +++ b/src/prototypes.h @@ -1,6 +1,6 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -60,6 +60,11 @@ typedef union sockaddr_union { #endif } SOCKADDR_UNION; +typedef struct name_list_struct { + char *name; + struct name_list_struct *next; +} NAME_LIST; + typedef struct sockaddr_list { /* list of addresses */ SOCKADDR_UNION *addr; /* the list of addresses */ u16 cur; /* current address for round-robin */ @@ -146,7 +151,7 @@ typedef struct service_options_struct { char *cipher_list; char *cert; /* cert filename */ char *key; /* pem (priv key/cert) filename */ - long session_timeout; + long session_size, session_timeout; long ssl_options; SSL_METHOD *client_method, *server_method; SOCKADDR_UNION sessiond_addr; @@ -173,7 +178,7 @@ typedef struct service_options_struct { SOCKADDR_UNION local_addr, source_addr; SOCKADDR_LIST connect_addr; char *username; - char *connect_name; + NAME_LIST *connect_list; int timeout_busy; /* maximum waiting for data time */ int timeout_close; /* maximum close_notify time */ int timeout_connect; /* maximum connect() time */ @@ -190,8 +195,8 @@ typedef struct service_options_struct { /* service-specific data for gui.c */ #ifdef USE_WIN32 int section_number; - LPTSTR file, help; - char *chain; + LPTSTR file; + char *help, *chain; #endif /* on/off switches */ @@ -218,6 +223,8 @@ typedef struct service_options_struct { #ifdef HAVE_OSSL_OCSP_H unsigned int ocsp:1; #endif + unsigned int reset:1; /* reset sockets on error */ + unsigned int renegotiation:1; } option; } SERVICE_OPTIONS; @@ -322,7 +329,7 @@ void set_nonblock(int, unsigned long); void syslog_open(void); void syslog_close(void); #endif -void log_open(void); +int log_open(void); void log_close(void); void log_flush(LOG_MODE); void s_log(int, const char *, ...) 
@@ -377,7 +384,8 @@ void s_poll_init(s_poll_set *); void s_poll_add(s_poll_set *, int, int, int); int s_poll_canread(s_poll_set *, int); int s_poll_canwrite(s_poll_set *, int); -int s_poll_error(s_poll_set *, FD *); +int s_poll_hup(s_poll_set *, int); +int s_poll_error(s_poll_set *, int); int s_poll_wait(s_poll_set *, int, int); #ifdef USE_WIN32 @@ -391,11 +399,16 @@ int s_poll_wait(s_poll_set *, int, int); #endif int set_socket_options(int, int); -int get_socket_error(const int); int make_sockets(int [2]); /**************************************** prototypes for client.c */ +typedef enum { + RENEG_INIT, /* initial state */ + RENEG_ESTABLISHED, /* initial handshake completed */ + RENEG_DETECTED /* renegotiation detected */ +} RENEG_STATE; + typedef struct { jmp_buf err; /* exception handler needs to be 16-byte aligned on Itanium */ SSL *ssl; /* SSL connnection */ @@ -410,6 +423,7 @@ typedef struct { /* IP for explicit local bind or transparent proxy */ unsigned long pid; /* PID of the local process */ int fd; /* temporary file descriptor */ + RENEG_STATE reneg_state; /* used to track renegotiation attempts */ /* data for transfer() function */ char sock_buff[BUFFSIZE]; /* socket read buffer */ @@ -447,17 +461,17 @@ typedef enum { PROTOCOL_PRE_CONNECT, PROTOCOL_PRE_SSL, PROTOCOL_POST_SSL -} PROTOCOL_TYPE; +} PROTOCOL_PHASE; int find_protocol_id(const char *); -void protocol(CLI *, const PROTOCOL_TYPE); +void protocol(CLI *, const PROTOCOL_PHASE); /**************************************** prototypes for resolver.c */ +void resolver_init(); int name2addr(SOCKADDR_UNION *, char *, char *); int hostport2addr(SOCKADDR_UNION *, char *, char *); -int name2addrlist(SOCKADDR_LIST *, char *, char *); -int hostport2addrlist(SOCKADDR_LIST *, char *, char *); +int namelist2addrlist(SOCKADDR_LIST *, NAME_LIST *, char *); char *s_ntop(SOCKADDR_UNION *, socklen_t); socklen_t addr_len(const SOCKADDR_UNION *); const char *s_gai_strerror(int); 
@@ -472,9 +486,22 @@ const char *s_gai_strerror(int); #endif #ifdef USE_WIN32 + /* rename some locally shadowed declarations */ #define getnameinfo local_getnameinfo -#endif /* defined USE_WIN32 */ + +#ifndef _WIN32_WCE +typedef int (CALLBACK * GETADDRINFO) (const char *, + const char *, const struct addrinfo *, struct addrinfo **); +typedef void (CALLBACK * FREEADDRINFO) (struct addrinfo FAR *); +typedef int (CALLBACK * GETNAMEINFO) (const struct sockaddr *, socklen_t, + char *, size_t, char *, size_t, int); +extern GETADDRINFO s_getaddrinfo; +extern FREEADDRINFO s_freeaddrinfo; +extern GETNAMEINFO s_getnameinfo; +#endif /* ! _WIN32_WCE */ + +#endif /* USE_WIN32 */ int getnameinfo(const struct sockaddr *, int, char *, int, char *, int, int); @@ -523,23 +550,14 @@ void stack_info(int); /**************************************** prototypes for gui.c */ #ifdef USE_WIN32 -extern HWND hwnd; - +void message_box(const LPSTR, const UINT); +void win_new_chain(int); +void win_new_log(char *); +void win_new_config(void); int passwd_cb(char *, int, int, void *); #ifdef HAVE_OSSL_ENGINE_H int pin_cb(UI *, UI_STRING *); #endif - -#ifndef _WIN32_WCE -typedef int (CALLBACK * GETADDRINFO) (const char *, - const char *, const struct addrinfo *, struct addrinfo **); -typedef void (CALLBACK * FREEADDRINFO) (struct addrinfo FAR *); -typedef int (CALLBACK * GETNAMEINFO) (const struct sockaddr *, socklen_t, - char *, size_t, char *, size_t, int); -extern GETADDRINFO s_getaddrinfo; -extern FREEADDRINFO s_freeaddrinfo; -extern GETNAMEINFO s_getnameinfo; -#endif /* ! _WIN32_WCE */ #endif /* USE_WIN32 */ /**************************************** prototypes for file.c */ diff --git a/src/pty.c b/src/pty.c index a0835da..5cbc275 100644 --- a/src/pty.c +++ b/src/pty.c 
@@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission diff --git a/src/resolver.c b/src/resolver.c index b644bd9..d3e594a 100644 --- a/src/resolver.c +++ b/src/resolver.c 
@@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission @@ -40,6 +40,9 @@ /**************************************** prototypes */ +static int name2addrlist(SOCKADDR_LIST *, char *, char *); +static int hostport2addrlist(SOCKADDR_LIST *, char *, char *); + #ifndef HAVE_GETADDRINFO #ifndef EAI_MEMORY 
@@ -77,6 +80,42 @@ static void freeaddrinfo(struct addrinfo *); #endif /* !defined HAVE_GETADDRINFO */ +/**************************************** resolver initialization */ + +#if defined(USE_WIN32) && !defined(_WIN32_WCE) +GETADDRINFO s_getaddrinfo; +FREEADDRINFO s_freeaddrinfo; +GETNAMEINFO s_getnameinfo; +#endif + +void resolver_init() { +#if defined(USE_WIN32) && !defined(_WIN32_WCE) + HINSTANCE handle; + + handle=LoadLibrary("ws2_32.dll"); /* IPv6 in Windows XP or higher */ + if(handle) { + s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo"); + s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo"); + s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo"); + if(s_getaddrinfo && s_freeaddrinfo && s_getnameinfo) + return; /* IPv6 detected -> OK */ + FreeLibrary(handle); + } + handle=LoadLibrary("wship6.dll"); /* experimental IPv6 for Windows 2000 */ + if(handle) { + s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo"); + s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo"); + s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo"); + if(s_getaddrinfo && s_freeaddrinfo && s_getnameinfo) + return; /* IPv6 detected -> OK */ + FreeLibrary(handle); + } + s_getaddrinfo=NULL; + s_freeaddrinfo=NULL; + s_getnameinfo=NULL; +#endif +} + /**************************************** stunnel resolver API */ int name2addr(SOCKADDR_UNION *addr, char *name, char *default_host) { 
@@ -107,7 +146,15 @@ int hostport2addr(SOCKADDR_UNION *addr, char *hostname, char *portname) { return retval; } -int name2addrlist(SOCKADDR_LIST *addr_list, char *name, char *default_host) { +int namelist2addrlist(SOCKADDR_LIST *addr_list, NAME_LIST *name_list, char *default_host) { + /* recursive implementation to reverse the list */ + if(!name_list) + return 0; + return namelist2addrlist(addr_list, name_list->next, default_host) + + name2addrlist(addr_list, name_list->name, default_host); +} + +static int name2addrlist(SOCKADDR_LIST *addr_list, char *name, char *default_host) { char *tmp, *hostname, *portname; int retval; @@ -146,10 +193,10 @@ int name2addrlist(SOCKADDR_LIST *addr_list, char *name, char *default_host) { return retval; } -int hostport2addrlist(SOCKADDR_LIST *addr_list, +static int hostport2addrlist(SOCKADDR_LIST *addr_list, char *hostname, char *portname) { struct addrinfo hints, *res=NULL, *cur; - int err; + int err, retries=0; memset(&hints, 0, sizeof hints); #if defined(USE_IPv6) || defined(USE_WIN32) @@ -159,15 +206,15 @@ int hostport2addrlist(SOCKADDR_LIST *addr_list, #endif hints.ai_socktype=SOCK_STREAM; hints.ai_protocol=IPPROTO_TCP; - do { + for(;;) { err=getaddrinfo(hostname, portname, &hints, &res); if(err && res) freeaddrinfo(res); - if(err==EAI_AGAIN) { - s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying"); - sleep(1); - } - } while(err==EAI_AGAIN); + if(err!=EAI_AGAIN || ++retries>=3) + break; + s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying"); + sleep(1); + } switch(err) { case 0: break; /* success */ diff --git a/src/resources.rc b/src/resources.rc index 3e868ad..e8d74cf 100644 --- a/src/resources.rc +++ b/src/resources.rc 
@@ -19,7 +19,7 @@ BEGIN VALUE "FileDescription", "stunnel - multiplatform SSL tunneling proxy" VALUE "FileVersion", STUNNEL_VERSION VALUE "InternalName", "stunnel" - VALUE "LegalCopyright", "© by Michal Trojnara, 1998-2012" + VALUE "LegalCopyright", "© by Michal Trojnara, 1998-2013" VALUE "OriginalFilename", "stunnel.exe" VALUE "ProductName", STUNNEL_PRODUCTNAME VALUE "ProductVersion", STUNNEL_VERSION @@ -90,7 +90,7 @@ BEGIN ICON IDI_MYICON, -1, 9, 8, 18, 20 LTEXT "stunnel version", -1, 30, 4, 52, 8 LTEXT STUNNEL_VERSION, -1, 82, 4, 54, 8 - LTEXT "© by Michal Trojnara, 1998-2012", -1, 30, 12, 106, 8 + LTEXT "© by Michal Trojnara, 1998-2013", -1, 30, 12, 106, 8 LTEXT "All Rights Reserved", -1, 30, 20, 106, 8 LTEXT "Licensed under the GNU GPL version 2", -1, 4, 28, 132, 8 LTEXT "with a special exception for OpenSSL", -1, 4, 36, 132, 8 diff --git a/src/ssl.c b/src/ssl.c index d8596d3..f197b49 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission 
@@ -225,15 +225,15 @@ static int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) { struct stat sb; if(stat(filename, &sb)) - return 0; /* could not stat() file -> return 0 bytes */ + return 0; /* could not stat() file --> return 0 bytes */ if((readbytes=RAND_load_file(filename, global->random_bytes))) s_log(LOG_DEBUG, "Snagged %d random bytes from %s", readbytes, filename); else - s_log(LOG_INFO, "Unable to retrieve any random data from %s", + s_log(LOG_INFO, "Cannot retrieve any random data from %s", filename); /* write new random data for future seeding if it's a regular file */ - if(global->option.rand_write && (sb.st_mode & S_IFREG)){ + if(global->option.rand_write && (sb.st_mode & S_IFREG)) { writebytes=RAND_write_file(filename); if(writebytes==-1) s_log(LOG_WARNING, "Failed to write strong random data to %s - " diff --git a/src/sthreads.c b/src/sthreads.c index 28758d8..0ff1f76 100644 --- a/src/sthreads.c +++ b/src/sthreads.c 
@@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission @@ -112,7 +112,7 @@ static CONTEXT *new_context(void) { int sthreads_init(void) { /* create the first (listening) context and put it in the running queue */ if(!new_context()) { - s_log(LOG_ERR, "Unable create the listening context"); + s_log(LOG_ERR, "Cannot create the listening context"); return 1; } /* no need to initialize ucontext_t structure here 
@@ -124,7 +124,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) { CONTEXT *context; (void)ls; /* this parameter is only used with USE_FORK */ - + s_log(LOG_DEBUG, "Creating a new context"); context=new_context(); if(!context) { diff --git a/src/str.c b/src/str.c index 7d54436..7303abf 100644 --- a/src/str.c +++ b/src/str.c @@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission 
@@ -172,7 +172,7 @@ static ALLOC_TLS *get_alloc_tls() { #ifdef USE_WIN32 -static DWORD tls_index; +static DWORD tls_index; void str_init() { tls_index=TlsAlloc(); diff --git a/src/stunnel.c b/src/stunnel.c index dbee838..4d04571 100644 --- a/src/stunnel.c +++ b/src/stunnel.c @@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission 
@@ -44,7 +44,11 @@ #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-pedantic" #endif /* __GNUC__ */ +#ifdef __GNUC__ +#include <../ms/applink.c> +#else /* __GNUC__ */ #include +#endif /* __GNUC__ */ #ifdef __GNUC__ #pragma GCC diagnostic pop #endif /* __GNUC__ */ @@ -119,12 +123,16 @@ static int main_unix(int argc, char* argv[]) { fatal("Could not open /dev/null"); #endif /* standard Unix */ main_initialize(); - if(main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL)) + if(main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL)) { + close(fd); return 1; + } if(service_options.next) { /* there are service sections -> daemon mode */ #if !defined(__vms) && !defined(USE_OS2) - if(daemonize(fd)) + if(daemonize(fd)) { + close(fd); return 1; + } close(fd); /* create_pid() must be called after drop_privileges() * or it won't be possible to remove the file on exit */ @@ -202,7 +210,8 @@ int main_configure(char *arg1, char *arg2) { * or logfile rotation won't be possible */ /* log_open() must be be called before daemonize() * since daemonize() invalidates stderr */ - log_open(); + if(log_open()) + return 1; return 0; } @@ -269,7 +278,9 @@ static int accept_connection(SERVICE_OPTIONS *opt) { s_log(LOG_DEBUG, "Service [%s] accepted (FD=%d) from %s", opt->servname, s, from_address); str_free(from_address); -#ifndef USE_FORK +#ifdef USE_FORK + RAND_add("", 1, 0.0); /* each child needs a unique entropy pool */ +#else if(max_clients && num_clients>=max_clients) { s_log(LOG_WARNING, "Connection rejected: too many clients (>=%d)", max_clients); @@ -298,7 +309,8 @@ void unbind_ports(void) { s_poll_init(fds); s_poll_add(fds, signal_pipe[0], 1, 0); - for(opt=service_options.next; opt; opt=opt->next) + for(opt=service_options.next; opt; opt=opt->next) { + s_log(LOG_DEBUG, "Closing service [%s]", opt->servname); if(opt->option.accept && opt->fd>=0) { closesocket(opt->fd); s_log(LOG_DEBUG, "Service [%s] closed (FD=%d)", 
@@ -318,7 +330,22 @@ void unbind_ports(void) { opt->local_addr.un.sun_path); } #endif + } else if(opt->option.program && opt->option.remote) { + /* create exec+connect services */ + /* FIXME: this is just a crude workaround */ + /* is it better to kill the service? */ + opt->option.retry=0; } + if(opt->ctx) { + s_log(LOG_DEBUG, "Sessions cached before flush: %ld", + SSL_CTX_sess_number(opt->ctx)); + SSL_CTX_flush_sessions(opt->ctx, + (long)time(NULL)+opt->session_timeout+1); + s_log(LOG_DEBUG, "Sessions cached after flush: %ld", + SSL_CTX_sess_number(opt->ctx)); + } + s_log(LOG_DEBUG, "Service [%s] closed", opt->servname); + } } /* open new ports, update fds */ @@ -375,6 +402,7 @@ int bind_ports(void) { str_free(local_address); } else if(opt->option.program && opt->option.remote) { /* create exec+connect services */ + /* FIXME: needs to be delayed on reload with opt->option.retry set */ create_client(-1, -1, alloc_client_session(opt, -1, -1), client_thread); } @@ -659,7 +687,7 @@ static void signal_handler(int sig) { #endif /* !defined(USE_WIN32) && !defined(USE_OS2) */ -/**************************************** log messages to identify build */ +/**************************************** log build details */ void stunnel_info(int level) { s_log(level, "stunnel " STUNNEL_VERSION " on " HOST " platform"); @@ -671,6 +699,7 @@ void stunnel_info(int level) { s_log(level, "Update OpenSSL shared libraries or rebuild stunnel"); } s_log(level, + "Threading:" #ifdef USE_UCONTEXT "UCONTEXT" 
@@ -685,35 +714,37 @@ void stunnel_info(int level) { "FORK" #endif - " SSL:" -#if defined HAVE_OSSL_ENGINE_H || defined HAVE_OSSL_OCSP_H || defined USE_FIPS -#ifdef HAVE_OSSL_ENGINE_H - "+ENGINE" -#endif -#ifdef HAVE_OSSL_OCSP_H - "+OCSP" -#endif -#ifdef USE_FIPS - "+FIPS" -#endif -#else - "none" -#endif - - " Auth:" -#ifdef USE_LIBWRAP - "LIBWRAP" -#else - "none" -#endif - " Sockets:" #ifdef USE_POLL "POLL" #else /* defined(USE_POLL) */ "SELECT" #endif /* defined(USE_POLL) */ - "+IPv%c", + ",IPv%c" + +#if defined HAVE_OSSL_ENGINE_H || defined HAVE_OSSL_OCSP_H || defined USE_FIPS + " SSL:" +#define ITEM_SEPARATOR "" +#ifdef HAVE_OSSL_ENGINE_H + "ENGINE" +#undef ITEM_SEPARATOR +#define ITEM_SEPARATOR "," +#endif /* defined(HAVE_OSSL_ENGINE_H) */ +#ifdef HAVE_OSSL_OCSP_H + ITEM_SEPARATOR "OCSP" +#undef ITEM_SEPARATOR +#define ITEM_SEPARATOR "," +#endif /* HAVE_OSSL_OCSP_H */ +#ifdef USE_FIPS + ITEM_SEPARATOR "FIPS" +#endif /* USE_FIPS */ +#endif /* an SSL optional feature enabled */ + +#ifdef USE_LIBWRAP + " Auth:LIBWRAP" +#endif + + , /* supported IP version parameter */ #if defined(USE_WIN32) && !defined(_WIN32_WCE) s_getaddrinfo ? '6' : '4' #else /* defined(USE_WIN32) */ diff --git a/src/vc.mak b/src/vc.mak index e2d62cc..5273d52 100644 --- a/src/vc.mak +++ b/src/vc.mak @@ -1,4 +1,4 @@ -# vc.mak by Michal Trojnara 1998-2012 +# vc.mak by Michal Trojnara 1998-2013 # with help of David Gillingham # with help of Pierre Delaage 
@@ -11,13 +11,20 @@ # modify this to point to your OpenSSL directory # either install a precompiled version (*not* the "Light" one) from # http://www.slproweb.com/products/Win32OpenSSL.html -SSLDIR=C:\OpenSSL-Win32 -INCDIR=$(SSLDIR)\include -LIBDIR=$(SSLDIR)\lib +#SSLDIR=C:\OpenSSL-Win32 +#INCDIR=$(SSLDIR)\include +#FIPSDIR=$(SSLDIR)\include +#LIBDIR=$(SSLDIR)\lib # or compile one yourself -#SSLDIR=..\..\openssl-1.0.0f +#SSLDIR=..\..\openssl-1.0.1e #INCDIR=$(SSLDIR)\inc32 +#FIPSDIR=$(SSLDIR)\inc32 #LIBDIR=$(SSLDIR)\out32dll +# or simply install with "nmake -f ms\ntdll.mak install" +SSLDIR=\usr\local\ssl +INCDIR=$(SSLDIR)\include +FIPSDIR=$(SSLDIR)\fips-2.0\include +LIBDIR=$(SSLDIR)\lib TARGETCPU=W32 SRC=..\src @@ -26,21 +33,25 @@ OBJ=$(OBJROOT)\$(TARGETCPU) BINROOT=..\bin BIN=$(BINROOT)\$(TARGETCPU) -OBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj \ +SHAREDOBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj \ $(OBJ)\verify.obj $(OBJ)\file.obj $(OBJ)\client.obj \ $(OBJ)\protocol.obj $(OBJ)\sthreads.obj $(OBJ)\log.obj \ $(OBJ)\options.obj $(OBJ)\network.obj $(OBJ)\resolver.obj \ - $(OBJ)\gui.obj $(OBJ)\resources.res $(OBJ)\str.obj $(OBJ)/fd.obj + $(OBJ)\str.obj $(OBJ)/fd.obj +GUIOBJS=$(OBJ)\gui.obj $(OBJ)\resources.res +NOGUIOBJS=$(OBJ)\nogui.obj CC=cl LINK=link -CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)" +CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)" /I"$(FIPSDIR)" LDFLAGS=/NOLOGO -LIBS=advapi32.lib comdlg32.lib crypt32.lib gdi32.lib \ - psapi.lib shell32.lib user32.lib ws2_32.lib \ - /LIBPATH:"$(LIBDIR)" libeay32.lib ssleay32.lib +SHAREDLIBS=ws2_32.lib user32.lib +GUILIBS=advapi32.lib comdlg32.lib crypt32.lib gdi32.lib \ + psapi.lib shell32.lib +NOGUILIBS= +SSLLIBS=/LIBPATH:"$(LIBDIR)" libeay32.lib ssleay32.lib # static linking: # /LIBPATH:"$(LIBDIR)\VC\static" libeay32MD.lib ssleay32MD.lib 
@@ -50,15 +61,19 @@ LIBS=advapi32.lib comdlg32.lib crypt32.lib gdi32.lib \ {$(SRC)\}.rc{$(OBJ)\}.res: $(RC) -fo$@ -r $< -all: makedirs $(BIN)\stunnel.exe +all: makedirs $(BIN)\stunnel.exe $(BIN)\tstunnel.exe clean: - -@ del $(OBJS) >NUL 2>&1 + -@ del $(SHAREDOBJS) >NUL 2>&1 + -@ del $(GUIBJS) >NUL 2>&1 + -@ del $(NOGUIBJS) >NUL 2>&1 # -@ del *.manifest >NUL 2>&1 -@ del $(BIN)\stunnel.exe >NUL 2>&1 -@ del $(BIN)\stunnel.exe.manifest >NUL 2>&1 - -@ rmdir $(OBJ) >NUL 2>&1 - -@ rmdir $(BIN) >NUL 2>&1 + -@ del $(BIN)\tstunnel.exe >NUL 2>&1 + -@ del $(BIN)\tstunnel.exe.manifest >NUL 2>&1 + -@ rmdir $(OBJ) >NUL 2>&1 + -@ rmdir $(BIN) >NUL 2>&1 makedirs: -@ IF NOT EXIST $(OBJROOT) mkdir $(OBJROOT) >NUL 2>&1 @@ -66,10 +81,17 @@ makedirs: -@ IF NOT EXIST $(BINROOT) mkdir $(BINROOT) >NUL 2>&1 -@ IF NOT EXIST $(BIN) mkdir $(BIN) >NUL 2>&1 -$(OBJS): *.h vc.mak +$(SHAREDOBJS): *.h vc.mak +$(GUIOBJS): *.h vc.mak +$(NOGUIOBJS): *.h vc.mak -$(BIN)\stunnel.exe: $(OBJS) - $(LINK) $(LDFLAGS) $(LIBS) /OUT:$@ $** +$(BIN)\stunnel.exe: $(SHAREDOBJS) $(GUIOBJS) + $(LINK) $(LDFLAGS) $(SHAREDLIBS) $(GUILIBS) $(SSLLIBS) /OUT:$@ $** + IF EXIST $@.manifest \ + mt -nologo -manifest $@.manifest -outputresource:$@;1 + +$(BIN)\tstunnel.exe: $(SHAREDOBJS) $(NOGUIOBJS) + $(LINK) $(LDFLAGS) $(SHAREDLIBS) $(NOGUILIBS) $(SSLLIBS) /OUT:$@ $** IF EXIST $@.manifest \ mt -nologo -manifest $@.manifest -outputresource:$@;1 diff --git a/src/verify.c b/src/verify.c index 3519144..c3c7c2a 100644 --- a/src/verify.c +++ b/src/verify.c 
@@ -1,24 +1,24 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along * with this program; if not, see . - * + * * Linking stunnel statically or dynamically with other modules is making * a combined work based on stunnel. Thus, the terms and conditions of * the GNU General Public License cover the whole combination. - * + * * In addition, as a special exception, the copyright holder of stunnel * gives you permission to combine stunnel with free software programs or * libraries that are released under the GNU LGPL and with code included @@ -26,7 +26,7 @@ * modified versions of such code, with unchanged license). You may copy * and distribute such a system following the terms of the GNU GPL for * stunnel and the licenses of the other code concerned. - * + * * Note that people who make modified versions of stunnel are not obligated * to grant this special exception for their modified versions; it is their * choice whether to do so. The GNU General Public License gives permission 
@@ -225,7 +225,7 @@ static int cert_check(CLI *c, X509_STORE_CTX *callback_ctx, int preverify_ok) { if(c->opt->verify_level>=4 && depth>0) { s_log(LOG_INFO, "CERT: Invalid CA certificate ignored"); return 1; /* accept connection */ - } else { + } else { s_log(LOG_WARNING, "CERT: Verification error: %s", X509_verify_cert_error_string( X509_STORE_CTX_get_error(callback_ctx))); diff --git a/src/version.h b/src/version.h index 986bcc1..e066c81 100644 --- a/src/version.h +++ b/src/version.h @@ -1,6 +1,6 @@ /* * stunnel Universal SSL tunnel - * Copyright (C) 1998-2012 Michal Trojnara + * Copyright (C) 1998-2013 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -58,7 +58,7 @@ /* START CUSTOMIZE */ #define VERSION_MAJOR 4 -#define VERSION_MINOR 53 +#define VERSION_MINOR 57 /* END CUSTOMIZE */ /* all the following macros are ABSOLUTELY NECESSARY to have proper string diff --git a/tools/stunnel.cnf b/tools/stunnel.cnf index d8c3174..3ce3948 100644 --- a/tools/stunnel.cnf +++ b/tools/stunnel.cnf @@ -1,5 +1,5 @@ # OpenSSL configuration file to create a server certificate -# by Michal Trojnara 1998-2012 +# by Michal Trojnara 1998-2013 [ req ] # the default key length is secure and quite fast - do not change it diff --git a/tools/stunnel.conf-sample.in b/tools/stunnel.conf-sample.in index 15dc2d9..68b2fb3 100644 --- a/tools/stunnel.conf-sample.in +++ b/tools/stunnel.conf-sample.in @@ -1,4 +1,4 @@ -; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012 +; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013 ; Some options used here may be inadequate for your particular configuration ; This sample file does *not* represent stunnel.conf defaults ; Please consult the manual for detailed description of available options diff --git a/tools/stunnel.license b/tools/stunnel.license index cdf68e2..c2b559a 100644 
--- a/tools/stunnel.license +++ b/tools/stunnel.license @@ -1,4 +1,4 @@ -Copyright (C) 1998-2012 Michal Trojnara +Copyright (C) 1998-2013 Michal Trojnara This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. diff --git a/tools/stunnel.nsi b/tools/stunnel.nsi index 69a30be..eab1c21 100644 --- a/tools/stunnel.nsi +++ b/tools/stunnel.nsi 
@@ -1,182 +1,289 @@ -# NSIS stunnel installer by Michal Trojnara 1998-2012 - -!include "Sections.nsh" - -Name "stunnel ${VERSION}" -OutFile "stunnel-${VERSION}-installer.exe" -InstallDir "$PROGRAMFILES\stunnel" -BrandingText "Author: Michal Trojnara" -LicenseData "${SRCDIR}/tools/stunnel.license" -SetCompressor /SOLID LZMA -InstallDirRegKey HKLM "Software\NSIS_stunnel" "Install_Dir" - -RequestExecutionLevel admin - -Page license -Page components -Page directory -Page instfiles - -UninstPage uninstConfirm -UninstPage instfiles - -Section "Stunnel Core Files (required)" - SectionIn RO - SetOutPath "$INSTDIR" - - # stop the service, exit stunnel - ReadRegStr $R0 HKLM \ - "Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion - IfErrors skip_service_stop - ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet' -skip_service_stop: - # skip if the previously installed stunnel version is older than 4.40 - GetDLLVersion "$INSTDIR\stunnel.exe" $R0 $R1 - IfErrors skip_process_exit - ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet' -skip_process_exit: - - # write files - SetOverwrite off - File "${SRCDIR}/tools/stunnel.conf" - SetOverwrite on - #File "${DLLS}/*eay32.dll" - File "${DLLS}/libeay32.dll" - File "${DLLS}/ssleay32.dll" - File "${DLLS}/zlib1.dll" - File "${DLLS}/msvcr90.dll" - File "${DLLS}/Microsoft.VC90.CRT.manifest" - File "src/stunnel.exe" - File "${SRCDIR}/doc/stunnel.html" - WriteUninstaller "uninstall.exe" - - # add uninstaller registry entries - WriteRegStr HKLM "Software\NSIS_stunnel" "Install_Dir" "$INSTDIR" - WriteRegStr HKLM \ - "Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \ - "DisplayName" "stunnel" - WriteRegStr HKLM \ - "Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \ - "UninstallString" '"$INSTDIR\uninstall.exe"' - WriteRegDWORD HKLM \ - "Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \ - "NoModify" 1 - WriteRegDWORD HKLM \ - "Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \ - "NoRepair" 1 
-SectionEnd - -Section "Self-signed Certificate Tools" sectionCA - SetOutPath "$INSTDIR" - - # write files - File "${DLLS}/openssl.exe" - File "${SRCDIR}/tools/stunnel.cnf" - IfSilent lbl_skip_new_pem - IfFileExists "$INSTDIR\stunnel.pem" lbl_skip_new_pem - ExecWait '"$INSTDIR\openssl.exe" req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem' -lbl_skip_new_pem: -SectionEnd - -Section "Start Menu Shortcuts" - SetShellVarContext all - CreateDirectory "$SMPROGRAMS\stunnel" - - # remove old links - Delete "$SMPROGRAMS\stunnel\*.lnk" - Delete "$SMPROGRAMS\stunnel\*.url" - - # main link - CreateShortCut "$SMPROGRAMS\stunnel\Run stunnel.lnk" \ - "$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0 - CreateShortCut "$SMPROGRAMS\stunnel\Exit stunnel.lnk" \ - "$INSTDIR\stunnel.exe" "-exit" "$INSTDIR\stunnel.exe" 0 - - # NT service - ClearErrors - ReadRegStr $R0 HKLM \ - "Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion - IfErrors skip_service_links - CreateShortCut "$SMPROGRAMS\stunnel\Service install.lnk" \ - "$INSTDIR\stunnel.exe" "-install" "$INSTDIR\stunnel.exe" 0 - CreateShortCut "$SMPROGRAMS\stunnel\Service uninstall.lnk" \ - "$INSTDIR\stunnel.exe" "-uninstall" "$INSTDIR\stunnel.exe" 0 - CreateShortCut "$SMPROGRAMS\stunnel\Service start.lnk" \ - "$INSTDIR\stunnel.exe" "-start" "$INSTDIR\stunnel.exe" 0 - CreateShortCut "$SMPROGRAMS\stunnel\Service stop.lnk" \ - "$INSTDIR\stunnel.exe" "-stop" "$INSTDIR\stunnel.exe" 0 -skip_service_links: - - # edit config file - CreateShortCut "$SMPROGRAMS\stunnel\Edit stunnel.conf.lnk" \ - "notepad.exe" "stunnel.conf" "notepad.exe" 0 - - # OpenSSL shell - CreateShortCut "$SMPROGRAMS\stunnel\OpenSSL Shell.lnk" \ - "$INSTDIR\openssl.exe" "" "$INSTDIR\openssl.exe" 0 - - # make stunnel.pem - SectionGetFlags sectionCA $0 - IntOp $0 $0 & SF_SELECTED - IntCmp $0 0 lbl_noCA - CreateShortCut "$SMPROGRAMS\stunnel\Build Self-signed stunnel.pem.lnk" \ - "$INSTDIR\openssl.exe" \ - "req -new -x509 -days 365 
-config stunnel.cnf -out stunnel.pem -keyout stunnel.pem" -lbl_noCA: - - # help/uninstall - WriteINIStr "$SMPROGRAMS\stunnel\Manual.url" "InternetShortcut" \ - "URL" "file://$INSTDIR/stunnel.html" - CreateShortCut "$SMPROGRAMS\stunnel\Uninstall stunnel.lnk" \ - "$INSTDIR\uninstall.exe" "" "$INSTDIR\uninstall.exe" 0 -SectionEnd - -Section "Desktop Shortcut" - SetShellVarContext all - Delete "$DESKTOP\stunnel.lnk" - CreateShortCut "$DESKTOP\stunnel.lnk" \ - "$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0 -SectionEnd - -Section "Uninstall" - ClearErrors - - # stop and remove the service, exit stunnel - ReadRegStr $R0 HKLM \ - "Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion - IfErrors skip_service_uninstall - ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet' - ExecWait '"$INSTDIR\stunnel.exe" -uninstall -quiet' -skip_service_uninstall: - ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet' - - # remove stunnel folder - Delete "$INSTDIR\stunnel.conf" - Delete "$INSTDIR\stunnel.pem" - Delete "$INSTDIR\stunnel.exe" - Delete "$INSTDIR\stunnel.cnf" - Delete "$INSTDIR\openssl.exe" - #Delete "$INSTDIR\*eay32.dll" - Delete "$INSTDIR\libeay32.dll" - Delete "$INSTDIR\ssleay32.dll" - Delete "$INSTDIR\zlib1.dll" - Delete "$INSTDIR\msvcr90.dll" - Delete "$INSTDIR\Microsoft.VC90.CRT.manifest" - Delete "$INSTDIR\stunnel.html" - Delete "$INSTDIR\uninstall.exe" - RMDir "$INSTDIR" - - # remove menu shortcuts - SetShellVarContext all - Delete "$DESKTOP\stunnel.lnk" - Delete "$SMPROGRAMS\stunnel\*.lnk" - Delete "$SMPROGRAMS\stunnel\*.url" - RMDir "$SMPROGRAMS\stunnel" - - # remove uninstaller registry entires - DeleteRegKey HKLM \ - "Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" - DeleteRegKey HKLM "Software\NSIS_stunnel" -SectionEnd - -# end of stunnel.nsi +# NSIS stunnel installer by Michal Trojnara 1998-2013 + +!include "Sections.nsh" + +!ifndef VERSION +!define VERSION 4.57 +!endif + +!ifndef ZLIBDIR +!define ZLIBDIR zlib-1.2.7 +!endif + +!ifndef OPENSSLDIR 
+!define OPENSSLDIR openssl-1.0.1e +!endif + +!addplugindir "plugins/SimpleFC" +!addplugindir "plugins/ShellLink/Plugins" + +Name "stunnel ${VERSION}" +OutFile "stunnel-${VERSION}-installer.exe" +InstallDir "$PROGRAMFILES\stunnel" +BrandingText "Author: Michal Trojnara" +LicenseData "stunnel.license" +SetCompressor /SOLID LZMA +InstallDirRegKey HKLM "Software\NSIS_stunnel" "Install_Dir" + +RequestExecutionLevel admin + +Page license +Page components +Page directory +Page instfiles + +UninstPage uninstConfirm +UninstPage instfiles + +Section "Stunnel Core Files (required)" + SectionIn RO + SetOutPath "$INSTDIR" + + # stop the service, exit stunnel + ReadRegStr $R0 HKLM \ + "Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion + IfErrors skip_service_stop + ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet' +skip_service_stop: + ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet' + + # write files + SetOverwrite off + File "stunnel.conf" + SetOverwrite on + !cd ".." + !cd "doc" + File "stunnel.html" + !cd ".." + !cd "bin" + !cd "W32" + File "stunnel.exe" + File "stunnel.exe.manifest" + !cd ".." + !cd ".." + !cd ".." + !cd "${ZLIBDIR}" + File "zlib1.dll" + File "zlib1.dll.manifest" + !cd ".." + !cd "${OPENSSLDIR}" + !cd "out32dll" + File "*.dll" + File "*.dll.manifest" + !cd ".." + !cd ".." + !cd "redist" + File "msvcr90.dll" + File "Microsoft.VC90.CRT.manifest" + !cd ".." 
+ !cd "stunnel" + !cd "tools" + + # add firewall rule + SimpleFC::AddApplication "stunnel (GUI Version)" \ + "$INSTDIR\stunnel.exe" 0 2 "" 1 + Pop $0 # returns error(1)/success(0) + DetailPrint "SimpleFC::AddApplication: $0" + + # write uninstaller and its registry entries + WriteUninstaller "uninstall.exe" + WriteRegStr HKLM "Software\NSIS_stunnel" "Install_Dir" "$INSTDIR" + WriteRegStr HKLM \ + "Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \ + "DisplayName" "stunnel" + WriteRegStr HKLM \ + "Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \ + "UninstallString" '"$INSTDIR\uninstall.exe"' + WriteRegDWORD HKLM \ + "Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \ + "NoModify" 1 + WriteRegDWORD HKLM \ + "Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \ + "NoRepair" 1 +SectionEnd + +Section "Self-signed Certificate Tools" sectionCA + SetOutPath "$INSTDIR" + !cd ".." + !cd ".." + !cd "${OPENSSLDIR}" + !cd "out32dll" + File "openssl.exe" + File "openssl.exe.manifest" + !cd ".." + !cd ".." + !cd "stunnel" + !cd "tools" + File "stunnel.cnf" + IfSilent lbl_skip_new_pem + IfFileExists "$INSTDIR\stunnel.pem" lbl_skip_new_pem + ExecWait '"$INSTDIR\openssl.exe" req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem' +lbl_skip_new_pem: +SectionEnd + +Section "Terminal Version of stunnel" sectionTERM + SetOutPath "$INSTDIR" + !cd ".." + !cd "bin" + !cd "W32" + File "tstunnel.exe" + File "tstunnel.exe.manifest" + !cd ".." + !cd ".." 
+ !cd "tools" + # add firewall rule + SimpleFC::AddApplication "stunnel (Terminal Version)" \ + "$INSTDIR\tstunnel.exe" 0 2 "" 1 + Pop $0 # returns error(1)/success(0) + DetailPrint "SimpleFC::AddApplication: $0" +SectionEnd + +Section "Start Menu Shortcuts" + SetShellVarContext all + CreateDirectory "$SMPROGRAMS\stunnel" + + # remove old links + Delete "$SMPROGRAMS\stunnel\*.lnk" + Delete "$SMPROGRAMS\stunnel\*.url" + + # main link + CreateShortCut "$SMPROGRAMS\stunnel\stunnel GUI Start.lnk" \ + "$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0 + CreateShortCut "$SMPROGRAMS\stunnel\stunnel GUI Stop.lnk" \ + "$INSTDIR\stunnel.exe" "-exit" "$INSTDIR\stunnel.exe" 0 + + # tstunnel + SectionGetFlags ${sectionTERM} $0 + IntOp $0 $0 & ${SF_SELECTED} + IntCmp $0 0 lbl_noTERM + CreateShortCut "$SMPROGRAMS\stunnel\stunnel Terminal Start.lnk" \ + "$INSTDIR\tstunnel.exe" "" "$INSTDIR\tstunnel.exe" 0 +lbl_noTERM: + + # NT service + ClearErrors + ReadRegStr $R0 HKLM \ + "Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion + IfErrors skip_service_links + + CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Install.lnk" \ + "$INSTDIR\stunnel.exe" "-install" "$INSTDIR\stunnel.exe" 0 + ShellLink::SetRunAsAdministrator \ + "$SMPROGRAMS\stunnel\stunnel Service Install.lnk" + Pop $0 # returns error(-1)/success(0) + DetailPrint "ShellLink::SetRunAsAdministrator: $0" + + CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Uninstall.lnk" \ + "$INSTDIR\stunnel.exe" "-uninstall" "$INSTDIR\stunnel.exe" 0 + ShellLink::SetRunAsAdministrator \ + "$SMPROGRAMS\stunnel\stunnel Service Uninstall.lnk" + Pop $0 # returns error(-1)/success(0) + DetailPrint "ShellLink::SetRunAsAdministrator: $0" + + CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Start.lnk" \ + "$INSTDIR\stunnel.exe" "-start" "$INSTDIR\stunnel.exe" 0 + ShellLink::SetRunAsAdministrator \ + "$SMPROGRAMS\stunnel\stunnel Service Start.lnk" + Pop $0 # returns error(-1)/success(0) + DetailPrint 
"ShellLink::SetRunAsAdministrator: $0" + + CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Stop.lnk" \ + "$INSTDIR\stunnel.exe" "-stop" "$INSTDIR\stunnel.exe" 0 + ShellLink::SetRunAsAdministrator \ + "$SMPROGRAMS\stunnel\stunnel Service Stop.lnk" + Pop $0 # returns error(-1)/success(0) + DetailPrint "ShellLink::SetRunAsAdministrator: $0" +skip_service_links: + + # edit config file + CreateShortCut "$SMPROGRAMS\stunnel\Edit stunnel.conf.lnk" \ + "notepad.exe" "$INSTDIR\stunnel.conf" "notepad.exe" 0 + ShellLink::SetRunAsAdministrator \ + "$SMPROGRAMS\stunnel\Edit stunnel.conf.lnk" + Pop $0 # returns error(-1)/success(0) + DetailPrint "ShellLink::SetRunAsAdministrator: $0" + + SectionGetFlags ${sectionCA} $0 + IntOp $0 $0 & ${SF_SELECTED} + IntCmp $0 0 lbl_noCA + + # OpenSSL shell + CreateShortCut "$SMPROGRAMS\stunnel\OpenSSL Shell.lnk" \ + "$INSTDIR\openssl.exe" "" "$INSTDIR\openssl.exe" 0 + + # make stunnel.pem + CreateShortCut "$SMPROGRAMS\stunnel\Build Self-signed stunnel.pem.lnk" \ + "$INSTDIR\openssl.exe" \ + "req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem" + ShellLink::SetRunAsAdministrator \ + "$SMPROGRAMS\stunnel\\Build Self-signed stunnel.pem.lnk" + Pop $0 # returns error(-1)/success(0) + DetailPrint "ShellLink::SetRunAsAdministrator: $0" + +lbl_noCA: + + # help/uninstall + WriteINIStr "$SMPROGRAMS\stunnel\Manual.url" "InternetShortcut" \ + "URL" "file://$INSTDIR/stunnel.html" + CreateShortCut "$SMPROGRAMS\stunnel\Uninstall stunnel.lnk" \ + "$INSTDIR\uninstall.exe" "" "$INSTDIR\uninstall.exe" 0 +SectionEnd + +Section "Desktop Shortcut" + SetShellVarContext all + Delete "$DESKTOP\stunnel.lnk" + CreateShortCut "$DESKTOP\stunnel.lnk" \ + "$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0 +SectionEnd + +Section "Uninstall" + ClearErrors + + # stop and remove the service, exit stunnel + ReadRegStr $R0 HKLM \ + "Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion + IfErrors skip_service_uninstall + ExecWait 
'"$INSTDIR\stunnel.exe" -stop -quiet' + ExecWait '"$INSTDIR\stunnel.exe" -uninstall -quiet' +skip_service_uninstall: + ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet' + + # remove stunnel folder + Delete "$INSTDIR\stunnel.conf" + Delete "$INSTDIR\stunnel.pem" + Delete "$INSTDIR\stunnel.exe" + Delete "$INSTDIR\stunnel.exe.manifest" + Delete "$INSTDIR\tstunnel.exe" + Delete "$INSTDIR\tstunnel.exe.manifest" + Delete "$INSTDIR\stunnel.cnf" + Delete "$INSTDIR\openssl.exe" + Delete "$INSTDIR\openssl.exe.manifest" + Delete "$INSTDIR\*.dll" + Delete "$INSTDIR\*.dll.manifest" + Delete "$INSTDIR\Microsoft.VC90.CRT.manifest" + Delete "$INSTDIR\stunnel.html" + Delete "$INSTDIR\uninstall.exe" + RMDir "$INSTDIR" + + # remove menu shortcuts + SetShellVarContext all + Delete "$DESKTOP\stunnel.lnk" + Delete "$SMPROGRAMS\stunnel\*.lnk" + Delete "$SMPROGRAMS\stunnel\*.url" + RMDir "$SMPROGRAMS\stunnel" + + # remove firewall rules + SimpleFC::RemoveApplication "$INSTDIR\stunnel.exe" + Pop $0 # returns error(1)/success(0) + DetailPrint "SimpleFC::RemoveApplication: $0" + SimpleFC::RemoveApplication "$INSTDIR\tstunnel.exe" + Pop $0 # returns error(1)/success(0) + DetailPrint "SimpleFC::RemoveApplication: $0" + + # remove uninstaller registry entires + DeleteRegKey HKLM \ + "Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" + DeleteRegKey HKLM "Software\NSIS_stunnel" +SectionEnd + +# end of stunnel.nsi diff --git a/tools/stunnel.spec b/tools/stunnel.spec index 095ab5b..8a764c7 100644 --- a/tools/stunnel.spec +++ b/tools/stunnel.spec @@ -3,7 +3,7 @@ Summary: Program that wraps normal socket connections with SSL/TLS Name: stunnel -Version: 4.53 +Version: 4.57 Release: 1 Copyright: GPL Group: Applications/Networking
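Review bot: In the src/ssl.c add_rand_file() hunk, the regular-file test `if(global->option.rand_write && (sb.st_mode & S_IFREG))` is a bitmask test against a type value, not a flag: S_IFREG (0100000) shares its bit with S_IFSOCK (0140000), so a socket given as the random file would also pass and stunnel would attempt RAND_write_file() on it. Since the line is being touched anyway for brace style, change it to the portable form `if(global->option.rand_write && S_ISREG(sb.st_mode)) {`.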
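Review bot: In the src/stunnel.c accept_connection() hunk, the comment on `RAND_add("", 1, 0.0); /* each child needs a unique entropy pool */` overstates what the call does: it mixes one constant byte with a declared entropy of 0.0 into the parent's PRNG state before each fork, so successive children start from different states, but no new entropy is added. Reword the comment to say the state is perturbed between forks, and consider mixing in a per-connection value (the accepted descriptor `s` or the current time) instead of a constant so the perturbation does not depend solely on the call count.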
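Review bot: The two FIXME comments added in src/stunnel.c (`/* FIXME: this is just a crude workaround */` in unbind_ports() and `/* FIXME: needs to be delayed on reload with opt->option.retry set */` in bind_ports()) describe a known gap in reload handling for exec+connect services without documenting the resulting behaviour. State in the comment what a user sees on reload (retry is cleared, so the service is not restarted) or track it in an issue referenced from the comment, so the workaround does not silently become permanent.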
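Review bot: In the stunnel_info() hunk of src/stunnel.c, ITEM_SEPARATOR is defined and redefined inside the string-literal list but never undefined after `#endif /* an SSL optional feature enabled */`, so the macro leaks into the rest of the translation unit. Add `#undef ITEM_SEPARATOR` after that `#endif` (inside the `#if defined HAVE_OSSL_ENGINE_H || ...` block) to keep the helper local to the message.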
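Review bot: The clean target in the src/vc.mak hunk misspells both new object lists: `-@ del $(GUIBJS) >NUL 2>&1` and `-@ del $(NOGUIBJS) >NUL 2>&1` reference undefined macros (the definitions are GUIOBJS and NOGUIOBJS), so they expand to a bare `del` and gui.obj, resources.res and nogui.obj are never removed; the redirect hides the error. Fix the names, and while in the file make `$(OBJ)/fd.obj` on the SHAREDOBJS line use the backslash separator like its neighbours.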
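Review bot: The rewritten "Stunnel Core Files" section of tools/stunnel.nsi drops the `GetDLLVersion "$INSTDIR\stunnel.exe" $R0 $R1` / `IfErrors skip_process_exit` guard and now runs `ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet'` unconditionally. The removed comment said the guard existed because versions older than 4.40 do not understand -exit; if upgrades from such versions are still supported, keep the guard, otherwise state in the commit message that this path is intentionally dropped.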
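Review bot: The tools/stunnel.nsi rewrite replaces the explicit libeay32.dll and ssleay32.dll entries with wildcards: `File "*.dll"` and `File "*.dll.manifest"` from the OpenSSL out32dll directory, and `Delete "$INSTDIR\*.dll"` in the Uninstall section. The first ships whatever happens to be in the build directory, and the second deletes any DLL a user dropped into $INSTDIR, not just the ones the installer wrote. List the files by name in both places, as the previous version did.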
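Review bot: Every plugin result in tools/stunnel.nsi is popped and printed but never checked: after each `SimpleFC::AddApplication`, `SimpleFC::RemoveApplication` and `ShellLink::SetRunAsAdministrator` the script does `Pop $0` followed only by `DetailPrint "...: $0"`, so a failed firewall exception or a shortcut that did not get the run-as-administrator flag passes without notice. Branch on $0 (at least a `MessageBox` or `Abort` for the firewall calls), and document that the core section adds an inbound Windows Firewall exception for stunnel.exe unconditionally, since that is a host-wide change a user may want to opt out of.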
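Review bot: Path typo in the "Start Menu Shortcuts" section of tools/stunnel.nsi: `ShellLink::SetRunAsAdministrator "$SMPROGRAMS\stunnel\\Build Self-signed stunnel.pem.lnk"` has a doubled backslash, unlike the `CreateShortCut "$SMPROGRAMS\stunnel\Build Self-signed stunnel.pem.lnk"` line just above it; use the same single-backslash path so both refer to the same link. The comment `# remove uninstaller registry entires` in the Uninstall section also misspells "entries".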
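Review bot: In the "Self-signed Certificate Tools" section of tools/stunnel.nsi, `openssl.exe req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem` writes the private key into $INSTDIR under $PROGRAMFILES, where the inherited default ACL grants all local users read access. Either restrict the ACL on stunnel.pem after generation or place the key in a directory readable only by administrators and the service account, and say so in the installer's detail output.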